Fix news management console access checks (#31160)

* Fix news management console access checks using manifest instead of AccessReader component

* Fix one tiny mistake

* Fix one tiny mistake, properly this time

* Revert accidental changes unrelated to this PR

* Add missing .Owner on delete check

diff --git a/Content.Server/MassMedia/Systems/NewsSystem.cs b/Content.Server/MassMedia/Systems/NewsSystem.cs
index 9f917d6dbfaf7317920e3b6257f0a9f65882309e..652c3dae897915245e6c7518b76d97b97e682a13 100644 (file)
--- a/Content.Server/MassMedia/Systems/NewsSystem.cs
+++ b/Content.Server/MassMedia/Systems/NewsSystem.cs
@@ -1,11 +1,14 @@
-using System.Linq;
+using System.Diagnostics.CodeAnalysis;
+using Content.Server.Access.Systems;
 using Content.Server.Administration.Logs;
 using Content.Server.CartridgeLoader;
 using Content.Server.CartridgeLoader.Cartridges;
+using Content.Server.Chat.Managers;
 using Content.Server.GameTicking;
-using System.Diagnostics.CodeAnalysis;
-using Content.Server.Access.Systems;
+using Content.Server.Interaction;
+using Content.Server.MassMedia.Components;
 using Content.Server.Popups;
+using Content.Server.Station.Systems;
 using Content.Shared.Access.Components;
 using Content.Shared.Access.Systems;
 using Content.Shared.CartridgeLoader;
@@ -13,20 +16,18 @@ using Content.Shared.CartridgeLoader.Cartridges;
 using Content.Shared.Database;
 using Content.Shared.MassMedia.Components;
 using Content.Shared.MassMedia.Systems;
-using Robust.Server.GameObjects;
-using Content.Server.MassMedia.Components;
-using Robust.Shared.Timing;
-using Content.Server.Station.Systems;
 using Content.Shared.Popups;
-using Content.Shared.StationRecords;
+using Robust.Server.GameObjects;
 using Robust.Shared.Audio.Systems;
-using Content.Server.Chat.Managers;
+using Robust.Shared.Timing;
 
 namespace Content.Server.MassMedia.Systems;
 
 public sealed class NewsSystem : SharedNewsSystem
 {
+    [Dependency] private readonly AccessReaderSystem _accessReaderSystem = default!;
     [Dependency] private readonly IGameTiming _timing = default!;
+    [Dependency] private readonly InteractionSystem _interaction = default!;
     [Dependency] private readonly IAdminLogManager _adminLogger = default!;
     [Dependency] private readonly UserInterfaceSystem _ui = default!;
     [Dependency] private readonly CartridgeLoaderSystem _cartridgeLoaderSystem = default!;
@@ -95,7 +96,7 @@ public sealed class NewsSystem : SharedNewsSystem
             return;
 
         var article = articles[msg.ArticleNum];
-        if (CheckDeleteAccess(article, ent, msg.Actor))
+        if (CanUse(msg.Actor, ent.Owner))
         {
             _adminLogger.Add(
                 LogType.Chat, LogImpact.Medium,
@@ -137,7 +138,7 @@ public sealed class NewsSystem : SharedNewsSystem
         if (!TryGetArticles(ent, out var articles))
             return;
 
-        if (!_accessReader.FindStationRecordKeys(msg.Actor, out _))
+        if (!CanUse(msg.Actor, ent.Owner))
             return;
 
         string? authorName = null;
@@ -305,21 +306,17 @@ public sealed class NewsSystem : SharedNewsSystem
         }
     }
 
-    private bool CheckDeleteAccess(NewsArticle articleToDelete, EntityUid device, EntityUid user)
+    private bool CanUse(EntityUid user, EntityUid console)
     {
-        if (TryComp<AccessReaderComponent>(device, out var accessReader) &&
-            _accessReader.IsAllowed(user, device, accessReader))
-            return true;
-
-        if (articleToDelete.AuthorStationRecordKeyIds == null || articleToDelete.AuthorStationRecordKeyIds.Count == 0)
-            return true;
+        // This shouldn't technically be possible because of BUI but don't trust client.
+        if (!_interaction.InRangeUnobstructed(console, user))
+            return false;
 
-        return _accessReader.FindStationRecordKeys(user, out var recordKeys)
-               && StationRecordsToNetEntities(recordKeys).Intersect(articleToDelete.AuthorStationRecordKeyIds).Any();
+        if (TryComp<AccessReaderComponent>(console, out var accessReaderComponent))
+        {
+            return _accessReaderSystem.IsAllowed(user, console, accessReaderComponent);
+        }
+        return true;
     }
 
-    private ICollection<(NetEntity, uint)> StationRecordsToNetEntities(IEnumerable<StationRecordKey> records)
-    {
-        return records.Select(record => (GetNetEntity(record.OriginStation), record.Id)).ToList();
-    }
 }

diff --git a/Resources/Prototypes/Entities/Structures/Machines/Computers/computers.yml b/Resources/Prototypes/Entities/Structures/Machines/Computers/computers.yml
index e5fd87ef2a40f2346e4b5317f69c5f2cde4ddeab..ed9d3afece72b037a5d07a367f26085a09300f20 100644 (file)
--- a/Resources/Prototypes/Entities/Structures/Machines/Computers/computers.yml
+++ b/Resources/Prototypes/Entities/Structures/Machines/Computers/computers.yml
@@ -1025,7 +1025,7 @@
   - type: DeviceNetworkRequiresPower
   - type: NewsWriter
   - type: AccessReader
-    access: [[ "Command" ]]
+    access: [[ "Service" ]]
   - type: ActivatableUI
     key: enum.NewsWriterUiKey.Key
   - type: ActivatableUIRequiresVision