﻿id,summary,reporter,owner,description,type,status,priority,milestone,component,resolution,keywords,cc,phab_field
3551,[PATCH] Prohibit developer overlay cheats in rated games,elexis,,"'''Problem:'''
There are some bugs which can be abused to enable the developer overlay in rated games (#3547, #3550 and likely others). As long as we only use a client-side check to disable the developer overlay, users can just remove that and abuse the feature.
Should be a release blocker as it has been abused way too often by people using proxies and making new accounts after being banned.

'''What needs to be done:'''
* We have to prohibit the worst effects of the dev overlay in the simulation. These are:
 * Control all units (cheat)
 * Reveal map (cheat)
 * Promote units (cheat)
 * Sending commands for other players (change perspective, to be done in #3552)

 I.e. we should not execute developer overlay cheats in the simulation code if the game is rated.
* ~~Furthermore unadulterated clients should display a warning message stating that this user attempted to cheat.~~ (Not implementing the message, as it might itself be used by a malicious server to troll and blame innocent users.)

'''Why prohibiting cheats can be done securely:'''
Those three developer overlay cheats should not be executed if ratings are enabled. If a malicious player (host or client alike) removes that check, the game goes out of sync immediately, because only the malicious user executes the cheat while every other client refuses it. Thus the malicious user can no longer participate in that game.


{{{
#!div style=""font-size: 80%""
'''Why we can't prohibit the actual overlays:'''
I don't see a way to securely prohibit the actual '''overlays''' (like the pathfinder overlay). This is local code, thus it can always be replicated/reverted after an attempted fix.
The damage of those overlays is limited to revealing the map, which will always be possible for malicious clients.
}}}

'''How to implement:''' (Probably about 20 lines)
1. '''Add the check:''' The commands available in the simulation, including those three cheats, are coded in `Commands.js` and reside in the `commands` variable:
{{{
	""reveal-map"": function(player, cmd, data)
	{
		// Reveal the map for all players, not just the current player,
		// primarily to make it obvious to everyone that the player is cheating
		var cmpRangeManager = Engine.QueryInterface(SYSTEM_ENTITY, IID_RangeManager);
		cmpRangeManager.SetLosRevealAll(-1, cmd.enable);
	},
	""promote"": function(player, cmd, data)
	{
		// No need to do checks here since this is a cheat anyway
		var cmpGuiInterface = Engine.QueryInterface(SYSTEM_ENTITY, IID_GuiInterface);
		cmpGuiInterface.PushNotification({""type"": ""chat"", ""players"": [player], ""message"": ""(Cheat - promoted units)""});

		for each (var ent in cmd.entities)
		{
			var cmpPromotion = Engine.QueryInterface(ent, IID_Promotion);
			if (cmpPromotion)
				cmpPromotion.IncreaseXp(cmpPromotion.GetRequiredXp() - cmpPromotion.GetCurrentXp());
		}
	},
	""control-all"": function(player, cmd, data)
	{
		data.cmpPlayer.SetControlAllUnits(cmd.flag);
	},
}}}

 Note that the regular cheats are executed in `Cheats.js`, where they are already prohibited securely by checking `if (!cmpPlayer.GetCheatsEnabled())`. For those three developer overlay cheats we need an equivalent check on whether ratings are enabled.
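 The following is an added example, not code from 0 A.D. or this patch. It models step 1 and the out-of-sync argument above with a miniature deterministic command dispatcher in the shape of `Commands.js`: the three dev-overlay cheats are refused inside the simulation when a rating flag is set, and running the same command log on an unmodified peer and on a peer that deleted the check shows at which turn their states diverge. The `ratingEnabled` flag on `data`, the `createState()` stand-in for the engine components and the sample command log are all constructed assumptions; the real game exposes its settings differently.

```javascript
// Added example (not 0 A.D. project code). The `ratingEnabled` flag on `data`
// is a hypothetical stand-in for however the game exposes the rating setting.

// Simulation commands the ticket lists as developer-overlay cheats.
const DEV_OVERLAY_CHEATS = new Set(['reveal-map', 'promote', 'control-all']);

// Constructed minimal simulation state standing in for the RangeManager,
// Player and Promotion components. Required XP for promotion is 100.
function createState() {
  return {
    losRevealAll: false,
    controlAllUnits: { 1: false, 2: false },
    xp: { 10: 0, 11: 50 },
    notifications: [],
  };
}

function warn(msg) { console.warn(msg); }

// Command table in the shape of Commands.js: name -> function(player, cmd, data).
const commands = {
  'reveal-map': (player, cmd, data) => { data.state.losRevealAll = cmd.enable; },
  'promote': (player, cmd, data) => {
    data.state.notifications.push({ type: 'chat', players: [player], message: '(Cheat - promoted units)' });
    for (const ent of cmd.entities)
      if (ent in data.state.xp) data.state.xp[ent] = 100;
  },
  'control-all': (player, cmd, data) => { data.state.controlAllUnits[player] = cmd.flag; },
  'chat': (player, cmd, data) => {
    data.state.notifications.push({ type: cmd.type, players: [player], message: cmd.message });
  },
};

// The check the ticket asks for, placed in the simulation rather than the GUI:
// dev-overlay cheats are dropped when ratings are enabled. Returns true when
// the command was applied, false when it was refused.
function processCommand(player, cmd, data) {
  const handler = commands[cmd.type];
  if (!handler) { warn(`Invalid command: ${cmd.type}`); return false; }
  if (data.ratingEnabled && DEV_OVERLAY_CHEATS.has(cmd.type)) {
    warn(`Player ${player} attempted dev-overlay cheat '${cmd.type}' in a rated game`);
    return false;
  }
  handler(player, cmd, data);
  return true;
}

// Replay a command log on one peer. checkEnabled=false models a client that
// removed the rating check from its own copy of the simulation code.
function runPeer(commandLog, ratingEnabled, checkEnabled) {
  const data = { state: createState(), ratingEnabled };
  const snapshots = [];
  for (const { player, cmd } of commandLog) {
    if (checkEnabled) processCommand(player, cmd, data);
    else { const h = commands[cmd.type]; if (h) h(player, cmd, data); }
    // Serialised state after each turn plays the role of the sync hash.
    snapshots.push(JSON.stringify(data.state));
  }
  return { state: data.state, snapshots };
}

// Index of the first turn at which the honest peer and the tampered peer
// disagree, or -1 if they stay in sync. With ratings enabled this is the turn
// of the first cheat command, which is the out-of-sync the ticket relies on.
function firstDivergence(commandLog, ratingEnabled) {
  const honest = runPeer(commandLog, ratingEnabled, true);
  const tampered = runPeer(commandLog, ratingEnabled, false);
  for (let i = 0; i < commandLog.length; i++)
    if (honest.snapshots[i] !== tampered.snapshots[i]) return i;
  return -1;
}

// Constructed sample command log: one chat, then the three cheats.
const SAMPLE_LOG = [
  { player: 1, cmd: { type: 'chat', message: 'gl hf' } },
  { player: 2, cmd: { type: 'reveal-map', enable: true } },
  { player: 2, cmd: { type: 'promote', entities: [10, 11] } },
  { player: 1, cmd: { type: 'control-all', flag: true } },
];

console.log('rated game, divergence at turn:', firstDivergence(SAMPLE_LOG, true));
console.log('unrated game, divergence at turn:', firstDivergence(SAMPLE_LOG, false));
```

 In an unrated game both peers apply every command and never diverge; in a rated game the peer that deleted the check diverges on the very first cheat, so it cannot keep playing with anyone who runs the unmodified simulation. That is why the check belongs in the simulation code executed by all peers and not in the client-side GUI.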

~~2. '''Show the cheat notification:''' If ratings are disabled and someone attempted to execute the cheat, we should display the notification. It must be sent similarly to the chat simulation command:~~
{{{
	""chat"": function(player, cmd, data)
	{
		var cmpGuiInterface = Engine.QueryInterface(SYSTEM_ENTITY, IID_GuiInterface);
		cmpGuiInterface.PushNotification({""type"": cmd.type, ""players"": [player], ""message"": cmd.message});
	},
}}}
 ~~A new notification type has to be added to `g_NotificationsTypes` in `messages.js`. It should display a message box. Find examples in the code by searching for `messageBox`. (Please test whether having two message boxes simultaneously causes trouble, as we might get a second one due to the resulting out-of-sync in that case.)~~",defect,new,Release Blocker,Alpha 19,UI & Simulation,,patch review,,
