Suggestion Free Resource Guidelines

Discussion in 'Community Feedback and Suggestions' started by ShaneBee, May 15, 2019.

  1. Choco

    Junior Mod

    because according to VirusTotal (or any other malware checker), seemingly anything that is a .jar is considered malicious. The amount of false positives from those types of software is unacceptable. They are not guided towards Bukkit, so calls to #setOp() or what-have-you are not going to be caught and will slip by anyways.
     
  2. Doesn't help people abuse setOp when running commands...though as far as I'm aware that's the only way to bypass the permissions check when running a command as a player
    There's dispatching the command as a ConsoleSender but that's as the console, not the player..

    Edit: Honestly the main and only reason my force-op check fails is because of https://github.com/OpticFusion1/MCAntiMalware/issues/22 I tried a fix myself, but I completely broke the check :/
     
    #22 Optic_Fusion1, May 24, 2019
    Last edited: May 24, 2019
  3. The thing about VirusTotal is, not many people seem to realize they keep a copy of each and every file submitted to their service around for security researchers to examine. Many undetected zero days were famously caught this way because uninformed malware devs uploaded their malicious proof of concepts. It's a great honeypot, but I wouldn't recommend VirusTotal as a general file scanner.
     
  4. What if the premium plugin also continues working perfectly fine? The inactivity rule still applies.
     
  5. The inactivity rules make sense for premium resources because people pay money for access. Meanwhile, a free resource written 4 years ago could still potentially run on the latest server version, and if it doesn't, it surely didn't cost you anything to find out. If I'm buying a premium resource, I expect it to work, whereas my expectations for free resources are inherently more lenient.
     
    #25 Rezz, May 25, 2019
    Last edited: May 25, 2019
  6. I would hope that there is a button or something similar that lets authors "bump" a resource and keep it out of inactivity without forcing an update. And if an author were to stop coming online, perhaps something like download count and views per week could also help determine the state of a plugin.
     
  7. MiniDigger

    Supporter

    No it's not. You can create a delegate and override the has permission method, aka the proper way to do stuff.
     
  8. How would one do that exactly? After googling I was unable to figure that out.
    Creating a thread explaining this, while also explaining why abusing setOp to bypass the perm check would be a good idea, since it would explain everything as well as be easy to share to those who do abuse setOp
     
  9. Implement the Player or CommandSender interface and return true for permission checks.

    Although, I consider this worse than simply going the lazy route and setting op: the player interface changes surprisingly often and it's tedious to maintain. Perhaps plugin devs should just avoid trying to get around permissions, they exist for a reason after all.
     
  10. MiniDigger

    Supporter

    google delegate, lol
     
  11. I suck at Google then xD
    As of right now there's no proper way to bypass permissions checks when running commands, besides either abusing setOp or using a delegate.
    It's not like there's a method to run a command as a player without checking if they have the right perms...
     
  12. And what I described to you would be... a delegate. :p

    Dispatch a command using your own CommandSender implementation (which would likely internally delegate to an actual, server-provided CommandSender) and you can override all the permission checks you like.
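
The delegate approach from the posts above, as an added example (not code from any poster or from Bukkit/Spigot): a `java.lang.reflect.Proxy` wraps the real `CommandSender`, so changes to the interface need no maintenance, and only an explicit set of permission nodes is reported as granted. `ScopedSender`, `wrap` and `run` are hypothetical names.

```java
import java.lang.reflect.InvocationHandler;
import java.lang.reflect.InvocationTargetException;
import java.lang.reflect.Proxy;
import java.util.Locale;
import java.util.Set;

import org.bukkit.Bukkit;
import org.bukkit.command.CommandSender;
import org.bukkit.permissions.Permission;

/** Hypothetical helper: dispatches one command with a scoped permission grant. */
public final class ScopedSender {

    private ScopedSender() {}

    /** Wraps a real sender; only nodes in 'granted' (lower-case) are reported as granted. */
    public static CommandSender wrap(CommandSender real, Set<String> granted) {
        InvocationHandler handler = (proxy, method, args) -> {
            String name = method.getName();
            boolean permCheck = name.equals("hasPermission") || name.equals("isPermissionSet");
            if (permCheck && args != null && args.length == 1) {
                // Both overloads are covered: (String) and (Permission).
                String node = args[0] instanceof Permission
                        ? ((Permission) args[0]).getName()
                        : String.valueOf(args[0]);
                if (granted.contains(node.toLowerCase(Locale.ROOT))) {
                    return true;
                }
            }
            try {
                // Everything else (messages, name, op state, other nodes) goes to the real sender.
                return method.invoke(real, args);
            } catch (InvocationTargetException e) {
                throw e.getCause(); // surface the delegate's own exception
            }
        };
        return (CommandSender) Proxy.newProxyInstance(
                CommandSender.class.getClassLoader(),
                new Class<?>[] {CommandSender.class},
                handler);
    }

    /** Runs commandLine for the sender; the sender's op flag is never modified. */
    public static boolean run(CommandSender real, String commandLine, Set<String> granted) {
        return Bukkit.dispatchCommand(wrap(real, granted), commandLine);
    }
}
```

Because the op flag is never touched, an exception or crash in the middle of the command cannot leave the player opped. Commands that cast the sender to `Player` or to a server-internal type will not accept this wrapper.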
     
  13. This would be cool. But also add a requirement for the jar size (for example 10kb), because many low-effort and useless plugins are being uploaded. I also dislike the skripts section, it's not about spigot nor bukkit, why's it here?
     
  14. I meant something like Player#methodThatBypassesPermCheck, one line instead of having to make an entirely new implementation for it
     
  15. The skript section is a thing because so many people upload skripts to spigot, so the Skript section was added so it was easier to find skripts.

    Edit:
    https://www.spigotmc.org/threads/please-no-dont-become-skunity.168542/#post-1786375
    https://www.spigotmc.org/threads/please-no-dont-become-skunity.168542/#post-1786381
    https://www.spigotmc.org/threads/skript-section-in-resources.286996/#post-2768218
    https://www.spigotmc.org/threads/skript-section-in-resources.286996/#post-2768412
    https://www.spigotmc.org/threads/skripts-whats-all-the-hate-about.168546/page-4#post-1788375
     
    #35 Optic_Fusion1, May 25, 2019
    Last edited: May 25, 2019
  16. A well-defined plugin which properly uses the Bukkit/Spigot API could very well work for years without any updates. I wrote a plugin for 1.7.9 which continued to work through 1.12+. And even then it didn't generate errors, but 1.12.2 added an additional circumstance it should check for.
     
  17. Also helps when you barely touch the spigot/bukkit api, or only touch things that most likely will never change
     
  18. There is a reason for that, to protect buyers. Using the same guidelines for paid and free doesn't seem quite right to me. There are lots of free plugins out there that still work perfectly fine, you just don't know which update will break them.
     
