security: require distinct permission to enchant another player's item #1382
Jakubk15 wants to merge 1 commit into
Both /enchant execute overloads were gated only by the class-level @Permission("eternalcore.enchant"), so anyone allowed to enchant their own item could also modify other players' held items.

Follow the FlyCommand convention: drop the class-level permission and gate each overload individually — eternalcore.enchant for the self variant and eternalcore.enchant.other for the "<player>" variant.

Note: servers that previously granted eternalcore.enchant to allow enchanting others must now also grant eternalcore.enchant.other.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_01JrkLFxzmmn7BpB9y6vMTeg
Code Review
This pull request refines permission handling in the EnchantCommand class. The class-level @Permission("eternalcore.enchant") annotation has been removed, and more granular permissions have been applied directly to the execution methods: @Permission("eternalcore.enchant") for self-enchanting and @Permission("eternalcore.enchant.other") for enchanting other players' items. Additionally, the description for enchanting other players' items has been updated. I have no feedback to provide.
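A minimal model of the authorization gap this pull request describes, added here as an example and not code from EternalCore. The `Permission` annotation, the `EnchantBefore`/`EnchantAfter` classes and the reflective `required`/`allowed` helpers are hypothetical stand-ins for the command framework; only the two permission node names come from the page.

```java
import java.lang.annotation.*;
import java.util.*;

public class EnchantPermissionDemo {
    // Hypothetical stand-in for the framework's @Permission annotation.
    @Retention(RetentionPolicy.RUNTIME)
    @Target({ElementType.TYPE, ElementType.METHOD})
    @interface Permission { String value(); }

    // Before: a single class-level node covers both overloads.
    @Permission("eternalcore.enchant")
    static class EnchantBefore {
        public void execute(String sender) {}                 // enchant own item
        public void execute(String sender, String target) {}  // enchant <player>'s item
    }

    // After: no class-level node, each overload names its own.
    static class EnchantAfter {
        @Permission("eternalcore.enchant")
        public void execute(String sender) {}
        @Permission("eternalcore.enchant.other")
        public void execute(String sender, String target) {}
    }

    // Assumed resolution rule for this model: class-level node plus method-level node.
    static Set<String> required(Class<?> cmd, Class<?>... params) throws NoSuchMethodException {
        Set<String> nodes = new TreeSet<>();
        Permission onClass = cmd.getAnnotation(Permission.class);
        if (onClass != null) nodes.add(onClass.value());
        Permission onMethod = cmd.getDeclaredMethod("execute", params).getAnnotation(Permission.class);
        if (onMethod != null) nodes.add(onMethod.value());
        return nodes;
    }

    static boolean allowed(Set<String> granted, Class<?> cmd, Class<?>... params) throws NoSuchMethodException {
        return granted.containsAll(required(cmd, params));
    }

    public static void main(String[] args) throws Exception {
        Set<String> granted = Set.of("eternalcore.enchant"); // constructed grant: self-enchant only
        Class<?>[] self = {String.class}, other = {String.class, String.class};
        for (Class<?> cmd : new Class<?>[]{EnchantBefore.class, EnchantAfter.class}) {
            System.out.printf("%s: self=%b other=%b (other requires %s)%n", cmd.getSimpleName(),
                allowed(granted, cmd, self), allowed(granted, cmd, other), required(cmd, other));
        }
    }
}
```

The same reflective walk can serve as a unit test that fails whenever an overload taking a target player resolves to the same node set as the self variant.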