@all autohosts admins:
please set AllowSpectatorJoin to false as it allows everyone to connect using any username which breaks permission checking of spads (and possible other stuff like stats on replays.springrts.com)
for some reason (which i don't really understand) its not wanted that the default value is changed to false:
https://github.com/spring/spring/commit ... dc016c85aa
this basicly applies to self-hosted games, too.
the default of AllowSpectatorJoin is true, so if you didn't change this value, your autohost is affected!
related bug reports:
https://springrts.com/mantis/view.php?id=3662
https://springrts.com/mantis/view.php?id=4949
AllowSpectatorJoin set to true (default) makes autohosts insecure
Moderators: Moderators, Lobby Developers
Re: AllowSpectatorJoin set to true (default) makes autohosts insecure
Small update:
atm its not clear if spads implemented adding spectators correctly to a running game when spring is already running.
atm its not clear if spads implemented adding spectators correctly to a running game when spring is already running.
Re: AllowSpectatorJoin set to true (default) makes autohosts insecure
What is unclear exactly?
Re: AllowSpectatorJoin set to true (default) makes autohosts insecure
it was unclear for me if specs can join when AllowSpectatorJoin is set to false as i can't test it easily / or check if an autohost has AllowSpectatorJoin disabled.bibim wrote:What is unclear exactly?
- Silentwings
- Posts: 3720
- Joined: 25 Oct 2008, 00:23
Re: AllowSpectatorJoin set to true (default) makes autohosts insecure
They can, the BlackHoleHosts have it disabled, and specs are able to join them midgame. The name of the tag is obviously misleading for autohost owners.
- FabriceFABS
- Posts: 354
- Joined: 28 Jul 2010, 16:20
Re: AllowSpectatorJoin set to true (default) makes autohosts insecure
Thank you Abma for posting the message right there and on Mantis regards this problem we've both talk yesterday.abma wrote:@all autohosts admins...
Consequent to this, a fix will be surely made.
I got some ideas with logs and the replay, but I would like to know how if it's possible, with the replay to have IP extraction from the player that abusively connect with the [ACE]YopYop_BOT account.