feat: Add WorldEdit staff-only permissions configuration

CRITICAL SECURITY: WorldEdit is now restricted to staff only. Changes: - Created Builder group (for Holly) with full WorldEdit access - Created Owner group (for Michael) with all permissions - Explicitly DENIED worldedit.* to ALL subscriber groups (including Sovereign) - Added gamemode, unlimited chunks/homes to staff - Updated both deployment guides with staff group creation Why this matters: - Prevents subscribers from using WorldEdit to duplicate items - Prevents WorldEdit-based griefing and chunk bypass exploits - Even $499 Sovereign tier does NOT get WorldEdit - Only Holly (Builder) and Michael (Owner) have access Commands added to LuckPerms group creation section in both guides. Chronicler #40
2026-03-22 12:28:05 +00:00
parent 1bc50370b0
commit 7255275fd3
2 changed files with 157 additions and 6 deletions
--- a/docs/guides/server-side-mod-deployment-guide.md
+++ b/docs/guides/server-side-mod-deployment-guide.md
@@ -518,25 +518,97 @@ The default config works, but you'll set limits via LuckPerms permissions instea

 **Default settings are fine for most servers.**

+#### CRITICAL: WorldEdit Permissions via LuckPerms
+
+**WorldEdit is a POWERFUL tool that can destroy or duplicate items/blocks. Only staff should have access.**
+
+**After creating LuckPerms groups (Part 3), configure WorldEdit permissions:**
+
+**On ONE server console (syncs to all via MySQL):**
+
+```
+# Deny WorldEdit to ALL subscriber groups
+/lp group wanderer permission set worldedit.* false
+/lp group awakened permission set worldedit.* false
+/lp group fire_elemental permission set worldedit.* false
+/lp group frost_elemental permission set worldedit.* false
+/lp group fire_knight permission set worldedit.* false
+/lp group frost_knight permission set worldedit.* false
+/lp group fire_master permission set worldedit.* false
+/lp group frost_master permission set worldedit.* false
+/lp group fire_legend permission set worldedit.* false
+/lp group frost_legend permission set worldedit.* false
+/lp group sovereign permission set worldedit.* false
+
+# Create Builder staff group (for Holly)
+/lp creategroup builder
+/lp group builder parent add default
+/lp group builder setweight 1000
+/lp group builder meta setprefix "&6[🔨 Builder] "
+/lp group builder permission set worldedit.* true
+/lp group builder permission set worldedit.navigation.* true
+/lp group builder permission set worldedit.selection.* true
+/lp group builder permission set worldedit.region.* true
+/lp group builder permission set worldedit.analysis.* true
+/lp group builder permission set worldedit.butcher true
+/lp group builder permission set worldedit.clipboard.* true
+/lp group builder permission set worldedit.generation.* true
+/lp group builder permission set worldedit.history.* true
+/lp group builder permission set worldedit.schematic.* true
+/lp group builder permission set worldedit.scripting.* true
+/lp group builder permission set worldedit.snapshots.* true
+/lp group builder permission set worldedit.superpickaxe.* true
+/lp group builder permission set worldedit.tool.* true
+/lp group builder permission set worldedit.brush.* true
+/lp group builder permission set minecraft.command.gamemode true
+/lp group builder permission set ftbchunks.* true
+/lp group builder meta setmeta max-homes 100
+
+# Create Owner group (for Michael/Frostystyle)
+/lp creategroup owner
+/lp group owner parent add builder
+/lp group owner setweight 10000
+/lp group owner meta setprefix "&c[👑 Owner] "
+/lp group owner permission set * true
+
+# Assign Holly to Builder group
+/lp user unicorn20089 parent set builder
+
+# Assign Michael to Owner group (use your Minecraft username)
+/lp user Frostystyle parent set owner
+```
+
+**What this does:**
+- ✅ **Holly (Builder):** Full WorldEdit access, gamemode, unlimited chunks/homes
+- ✅ **Michael (Owner):** All permissions (full admin)
+- ❌ **ALL subscribers (even Sovereign $499):** NO WorldEdit access
+
+**This prevents:**
+- Subscribers using WorldEdit to duplicate items
+- Subscribers using WorldEdit to bypass chunk claims
+- Subscribers using WorldEdit to grief or crash servers
+
 #### Optional: Increase Max Blocks for Staff

-**If you want staff (Builder rank) to have higher limits:**
+**If you want staff (Builder rank) to have higher WorldEdit limits:**
+
+Edit `/config/worldedit/worldedit.properties`:

 ```properties
 # Maximum number of blocks that can be changed at once
-max-blocks-changed=1000000
+max-blocks-changed=10000000  # 10 million for staff (default is 1 million)

 # Maximum number of polygonal points
-max-polygon-points=20
+max-polygon-points=50  # Higher for complex selections

 # Maximum radius for commands
-max-radius=1000
+max-radius=5000  # Larger radius for staff

 # Maximum super pickaxe size
-max-super-pickaxe-size=100
+max-super-pickaxe-size=500
 ```

-**For regular subscribers, limits are set via LuckPerms permissions.**
+**Note:** These limits apply to everyone with WorldEdit access (Builder and Owner ranks only).

 ---

--- a/docs/guides/subscription-automation-guide.md
+++ b/docs/guides/subscription-automation-guide.md
@@ -1002,6 +1002,85 @@ journalctl -u firefrost-discord-bot -f
 # No rtp cooldown for Sovereign
 ```

+---
+
+#### Create Staff Groups (Builder & Owner)
+
+**IMPORTANT: WorldEdit is a powerful tool. Only staff should have access.**
+
+**Create Builder Group (for Holly):**
+
+```
+/lp creategroup builder
+/lp group builder parent add default
+/lp group builder setweight 1000
+/lp group builder meta setprefix "&6[🔨 Builder] "
+
+# WorldEdit permissions
+/lp group builder permission set worldedit.* true
+/lp group builder permission set worldedit.navigation.* true
+/lp group builder permission set worldedit.selection.* true
+/lp group builder permission set worldedit.region.* true
+/lp group builder permission set worldedit.clipboard.* true
+/lp group builder permission set worldedit.generation.* true
+/lp group builder permission set worldedit.history.* true
+/lp group builder permission set worldedit.schematic.* true
+/lp group builder permission set worldedit.brush.* true
+/lp group builder permission set worldedit.tool.* true
+
+# Other staff permissions
+/lp group builder permission set minecraft.command.gamemode true
+/lp group builder permission set ftbchunks.* true
+/lp group builder meta setmeta max-homes 100
+/lp group builder meta setmeta max-claimed-chunks 1000
+/lp group builder meta setmeta max-force-loaded-chunks 100
+```
+
+**Create Owner Group (for Michael/Frostystyle):**
+
+```
+/lp creategroup owner
+/lp group owner parent add builder
+/lp group owner setweight 10000
+/lp group owner meta setprefix "&c[👑 Owner] "
+
+# Full permissions
+/lp group owner permission set * true
+```
+
+**Assign Users to Staff Groups:**
+
+```
+# Assign Holly to Builder
+/lp user unicorn20089 parent set builder
+
+# Assign Michael to Owner (replace with your actual Minecraft username)
+/lp user Frostystyle parent set owner
+```
+
+**CRITICAL: Deny WorldEdit to ALL Subscriber Groups:**
+
+```
+# Prevent subscribers from using WorldEdit (even Sovereign)
+/lp group wanderer permission set worldedit.* false
+/lp group awakened permission set worldedit.* false
+/lp group fire_elemental permission set worldedit.* false
+/lp group frost_elemental permission set worldedit.* false
+/lp group fire_knight permission set worldedit.* false
+/lp group frost_knight permission set worldedit.* false
+/lp group fire_master permission set worldedit.* false
+/lp group frost_master permission set worldedit.* false
+/lp group fire_legend permission set worldedit.* false
+/lp group frost_legend permission set worldedit.* false
+/lp group sovereign permission set worldedit.* false
+```
+
+**This ensures:**
+- ✅ Holly (Builder) has full WorldEdit access
+- ✅ Michael (Owner) has all permissions
+- ❌ NO subscribers (even $499 Sovereign) can use WorldEdit
+- ❌ Prevents duplication exploits and griefing via WorldEdit
+
 ### Step 2: Verify Groups Created

 ```