From 64e61b8ed9a3e948dcc91701a4c476829570b5bb Mon Sep 17 00:00:00 2001
From: Patrikkk <patrikveres@hotmail.com>
Date: Fri, 19 Jun 2020 14:21:45 +0200
Subject: [PATCH] Add DisplayDollItemSyncHandler

In a previous PR I have added the tile entity request packet handler which checks for building permissions to prevent the unauthorized player to open a DisplayDoll and see its content.

This Handler is being added to prevent *Hackers* from modifying a DisplayDoll through direct/crafted packet sending, or by sending raw byte data to the server.
In a valid enviroment, the player couldn't even get to see the content of the doll in the first place, to then try to modify it's items.

Because of this,  I do not bother with making sure the player gets their item back.
---
 .../Handlers/DisplayDollItemSyncHandler.cs    | 27 +++++++++++++++++++
 TShockAPI/TShockAPI.csproj                    |  1 +
 2 files changed, 28 insertions(+)
 create mode 100644 TShockAPI/Handlers/DisplayDollItemSyncHandler.cs

diff --git a/TShockAPI/Handlers/DisplayDollItemSyncHandler.cs b/TShockAPI/Handlers/DisplayDollItemSyncHandler.cs
new file mode 100644
index 00000000..71cdc2eb
--- /dev/null
+++ b/TShockAPI/Handlers/DisplayDollItemSyncHandler.cs
@@ -0,0 +1,27 @@
+using System;
+using System.Collections.Generic;
+using System.Linq;
+using System.Text;
+using System.Threading.Tasks;
+using static TShockAPI.GetDataHandlers;
+
+namespace TShockAPI.Handlers
+{
+	/// <summary>
+	/// Handles the TileEntityDisplayDollItemSync packets and checks for permissions.
+	/// </summary>
+	public class DisplayDollItemSyncHandler : IPacketHandler<DisplayDollItemSyncEventArgs>
+	{
+		public void OnReceive(object sender, DisplayDollItemSyncEventArgs args)
+		{
+			/// If the player has no building permissions means that they couldn't even see the content of the doll in the first place.
+			/// Thus, they would not be able to modify its content. This means that a hacker attempted to send this packet directly, or through raw bytes to tamper with the DisplayDoll. This is why I do not bother with making sure the player gets their item back.
+			if (!args.Player.HasBuildPermission(args.DisplayDollEntity.Position.X, args.DisplayDollEntity.Position.Y, false))
+			{
+				args.Player.SendErrorMessage("You do not have permission to modify a Mannequin in a protected area!");
+				args.Handled = true;
+				return;
+			}
+		}
+	}
+}
diff --git a/TShockAPI/TShockAPI.csproj b/TShockAPI/TShockAPI.csproj
index f9885393..3afe3d0d 100644
--- a/TShockAPI/TShockAPI.csproj
+++ b/TShockAPI/TShockAPI.csproj
@@ -88,6 +88,7 @@
     <Compile Include="DB\ResearchDatastore.cs" />
     <Compile Include="DB\TileManager.cs" />
     <Compile Include="Extensions\ExceptionExt.cs" />
+    <Compile Include="Handlers\DisplayDollItemSyncHandler.cs" />
     <Compile Include="Handlers\IPacketHandler.cs" />
     <Compile Include="Handlers\NetModules\AmbienceHandler.cs" />
     <Compile Include="Handlers\NetModules\BestiaryHandler.cs" />