From 7255275fd3e985210e982d8a36b03fbf43aac43b Mon Sep 17 00:00:00 2001 From: Claude Date: Sun, 22 Mar 2026 12:28:05 +0000 Subject: [PATCH] feat: Add WorldEdit staff-only permissions configuration CRITICAL SECURITY: WorldEdit is now restricted to staff only. Changes: - Created Builder group (for Holly) with full WorldEdit access - Created Owner group (for Michael) with all permissions - Explicitly DENIED worldedit.* to ALL subscriber groups (including Sovereign) - Added gamemode, unlimited chunks/homes to staff - Updated both deployment guides with staff group creation Why this matters: - Prevents subscribers from using WorldEdit to duplicate items - Prevents WorldEdit-based griefing and chunk bypass exploits - Even $499 Sovereign tier does NOT get WorldEdit - Only Holly (Builder) and Michael (Owner) have access Commands added to LuckPerms group creation section in both guides. Chronicler #40 --- .../server-side-mod-deployment-guide.md | 84 +++++++++++++++++-- docs/guides/subscription-automation-guide.md | 79 +++++++++++++++++ 2 files changed, 157 insertions(+), 6 deletions(-) diff --git a/docs/guides/server-side-mod-deployment-guide.md b/docs/guides/server-side-mod-deployment-guide.md index eea770f..0a6c423 100644 --- a/docs/guides/server-side-mod-deployment-guide.md +++ b/docs/guides/server-side-mod-deployment-guide.md @@ -518,25 +518,97 @@ The default config works, but you'll set limits via LuckPerms permissions instea **Default settings are fine for most servers.** +#### CRITICAL: WorldEdit Permissions via LuckPerms + +**WorldEdit is a POWERFUL tool that can destroy or duplicate items/blocks. Only staff should have access.** + +**After creating LuckPerms groups (Part 3), configure WorldEdit permissions:** + +**On ONE server console (syncs to all via MySQL):** + +``` +# Deny WorldEdit to ALL subscriber groups +/lp group wanderer permission set worldedit.* false +/lp group awakened permission set worldedit.* false +/lp group fire_elemental permission set worldedit.* false +/lp group frost_elemental permission set worldedit.* false +/lp group fire_knight permission set worldedit.* false +/lp group frost_knight permission set worldedit.* false +/lp group fire_master permission set worldedit.* false +/lp group frost_master permission set worldedit.* false +/lp group fire_legend permission set worldedit.* false +/lp group frost_legend permission set worldedit.* false +/lp group sovereign permission set worldedit.* false + +# Create Builder staff group (for Holly) +/lp creategroup builder +/lp group builder parent add default +/lp group builder setweight 1000 +/lp group builder meta setprefix "&6[🔨 Builder] " +/lp group builder permission set worldedit.* true +/lp group builder permission set worldedit.navigation.* true +/lp group builder permission set worldedit.selection.* true +/lp group builder permission set worldedit.region.* true +/lp group builder permission set worldedit.analysis.* true +/lp group builder permission set worldedit.butcher true +/lp group builder permission set worldedit.clipboard.* true +/lp group builder permission set worldedit.generation.* true +/lp group builder permission set worldedit.history.* true +/lp group builder permission set worldedit.schematic.* true +/lp group builder permission set worldedit.scripting.* true +/lp group builder permission set worldedit.snapshots.* true +/lp group builder permission set worldedit.superpickaxe.* true +/lp group builder permission set worldedit.tool.* true +/lp group builder permission set worldedit.brush.* true +/lp group builder permission set minecraft.command.gamemode true +/lp group builder permission set ftbchunks.* true +/lp group builder meta setmeta max-homes 100 + +# Create Owner group (for Michael/Frostystyle) +/lp creategroup owner +/lp group owner parent add builder +/lp group owner setweight 10000 +/lp group owner meta setprefix "&c[👑 Owner] " +/lp group owner permission set * true + +# Assign Holly to Builder group +/lp user unicorn20089 parent set builder + +# Assign Michael to Owner group (use your Minecraft username) +/lp user Frostystyle parent set owner +``` + +**What this does:** +- ✅ **Holly (Builder):** Full WorldEdit access, gamemode, unlimited chunks/homes +- ✅ **Michael (Owner):** All permissions (full admin) +- ❌ **ALL subscribers (even Sovereign $499):** NO WorldEdit access + +**This prevents:** +- Subscribers using WorldEdit to duplicate items +- Subscribers using WorldEdit to bypass chunk claims +- Subscribers using WorldEdit to grief or crash servers + #### Optional: Increase Max Blocks for Staff -**If you want staff (Builder rank) to have higher limits:** +**If you want staff (Builder rank) to have higher WorldEdit limits:** + +Edit `/config/worldedit/worldedit.properties`: ```properties # Maximum number of blocks that can be changed at once -max-blocks-changed=1000000 +max-blocks-changed=10000000 # 10 million for staff (default is 1 million) # Maximum number of polygonal points -max-polygon-points=20 +max-polygon-points=50 # Higher for complex selections # Maximum radius for commands -max-radius=1000 +max-radius=5000 # Larger radius for staff # Maximum super pickaxe size -max-super-pickaxe-size=100 +max-super-pickaxe-size=500 ``` -**For regular subscribers, limits are set via LuckPerms permissions.** +**Note:** These limits apply to everyone with WorldEdit access (Builder and Owner ranks only). --- diff --git a/docs/guides/subscription-automation-guide.md b/docs/guides/subscription-automation-guide.md index 6bae2e8..83a79e7 100644 --- a/docs/guides/subscription-automation-guide.md +++ b/docs/guides/subscription-automation-guide.md @@ -1002,6 +1002,85 @@ journalctl -u firefrost-discord-bot -f # No rtp cooldown for Sovereign ``` +--- + +#### Create Staff Groups (Builder & Owner) + +**IMPORTANT: WorldEdit is a powerful tool. Only staff should have access.** + +**Create Builder Group (for Holly):** + +``` +/lp creategroup builder +/lp group builder parent add default +/lp group builder setweight 1000 +/lp group builder meta setprefix "&6[🔨 Builder] " + +# WorldEdit permissions +/lp group builder permission set worldedit.* true +/lp group builder permission set worldedit.navigation.* true +/lp group builder permission set worldedit.selection.* true +/lp group builder permission set worldedit.region.* true +/lp group builder permission set worldedit.clipboard.* true +/lp group builder permission set worldedit.generation.* true +/lp group builder permission set worldedit.history.* true +/lp group builder permission set worldedit.schematic.* true +/lp group builder permission set worldedit.brush.* true +/lp group builder permission set worldedit.tool.* true + +# Other staff permissions +/lp group builder permission set minecraft.command.gamemode true +/lp group builder permission set ftbchunks.* true +/lp group builder meta setmeta max-homes 100 +/lp group builder meta setmeta max-claimed-chunks 1000 +/lp group builder meta setmeta max-force-loaded-chunks 100 +``` + +**Create Owner Group (for Michael/Frostystyle):** + +``` +/lp creategroup owner +/lp group owner parent add builder +/lp group owner setweight 10000 +/lp group owner meta setprefix "&c[👑 Owner] " + +# Full permissions +/lp group owner permission set * true +``` + +**Assign Users to Staff Groups:** + +``` +# Assign Holly to Builder +/lp user unicorn20089 parent set builder + +# Assign Michael to Owner (replace with your actual Minecraft username) +/lp user Frostystyle parent set owner +``` + +**CRITICAL: Deny WorldEdit to ALL Subscriber Groups:** + +``` +# Prevent subscribers from using WorldEdit (even Sovereign) +/lp group wanderer permission set worldedit.* false +/lp group awakened permission set worldedit.* false +/lp group fire_elemental permission set worldedit.* false +/lp group frost_elemental permission set worldedit.* false +/lp group fire_knight permission set worldedit.* false +/lp group frost_knight permission set worldedit.* false +/lp group fire_master permission set worldedit.* false +/lp group frost_master permission set worldedit.* false +/lp group fire_legend permission set worldedit.* false +/lp group frost_legend permission set worldedit.* false +/lp group sovereign permission set worldedit.* false +``` + +**This ensures:** +- ✅ Holly (Builder) has full WorldEdit access +- ✅ Michael (Owner) has all permissions +- ❌ NO subscribers (even $499 Sovereign) can use WorldEdit +- ❌ Prevents duplication exploits and griefing via WorldEdit + ### Step 2: Verify Groups Created ```