21 changes: 19 additions & 2 deletions config/settings.yml.example
Expand Up @@ -34,12 +34,29 @@ BOT_INFO:
{"type": "streaming", "name": "SuperTuxKart", "url": "https://www.youtube.com/watch?v=dQw4w9WgXcQ"}
]

# This allows sysadmins to use the eval and jsk commands which can execute arbitrary code.
# Do enable if:
# - Tux is dockerized
# - You trust your sysadmins with anything that the docker container can do (e.g if they already can access the host system)
# - You are a small server
# DO NOT ENABLE IF:
# - Tux is not dockerized and you do not trust your sysadmins with the host system
# - You are a large server and Tux has full permissions
# - You do not trust your sysadmins with anything that the docker container can do
# - IF YOU ARE A MULTIPLE SERVER INSTANCE, DO NOT ENABLE IT FOR THE LOVE OF GOD
# If you are not sure, do not enable this.
ALLOW_SYSADMINS_EVAL: false

USER_IDS:
SYSADMINS: # WARNING! This grants dangerous permissions such as eval and jsk which can be used to execute arbitrary code.
# These have access to all permissions in all servers, except for $eval and $jsk commands (unless set to true).
# Only give these to people you trust with the bot and who are able to handle the responsibilities that come with it.
SYSADMINS:
- 123456789012345679
- 123456789012345679
BOT_OWNER: 123456789012345679 # This is the user who has the highest level of control over the bot. Only one user can be the bot owner.

# This should be the person who owns the bot and nobody else unless you ABSOLUTELY know what you are doing.
# This person has access to all permissions in all servers, including $eval and $jsk commands.
BOT_OWNER: 123456789012345679

# This adds a temporary voice channel feature to the bot, you can join the channel to create a channel called /tmp/<username> and move to it.
# Channels are deleted when the last person leaves them.
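Review bot: The "Do enable if" list above `ALLOW_SYSADMINS_EVAL` reads as any-of, so "You are a small server" alone looks like sufficient grounds to turn on arbitrary code execution; the heading should require every condition, e.g. `# Enable only if ALL of the following are true:`. The Docker bullet would also benefit from one more comment line saying that code run through eval can read whatever the bot process itself holds, such as its token and any configured credentials, so a container limits host access but not access to the bot's own secrets. The new SYSADMINS comment says these users keep "all permissions in all servers"; since tux/app.py in this commit leaves them out of `owner_ids` when the flag is off, it is worth confirming that statement still holds for other owner-gated commands.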
14 changes: 13 additions & 1 deletion tux/app.py
Expand Up @@ -102,12 +102,24 @@ async def start(self) -> None:
if not self.validate_config():
return

owner_ids = {CONFIG.BOT_OWNER_ID}
if CONFIG.ALLOW_SYSADMINS_EVAL:
logger.warning(
"Sysadmins are allowed to use eval commands. This can be potentially dangerous if you have not fully read the comments about this in settings.yml.",
)
owner_ids.update(CONFIG.SYSADMIN_IDS)
else:
logger.warning(
"Sysadmins are not allowed to use eval commands. Read settings.yml for more info on this. You can safely ignore this warning if you are not a sysadmin.",
)

self.bot = Tux(
command_prefix=get_prefix,
strip_after_prefix=True,
case_insensitive=True,
intents=discord.Intents.all(),
owner_ids={CONFIG.BOT_OWNER_ID, *CONFIG.SYSADMIN_IDS},
# owner_ids={CONFIG.BOT_OWNER_ID, *CONFIG.SYSADMIN_IDS},
owner_ids=owner_ids,
allowed_mentions=discord.AllowedMentions(everyone=False),
help_command=TuxHelp(),
activity=None,
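Review bot: The `else` branch logs the safe default at warning level and then tells the reader to ignore it, which puts a warning in every normal startup and makes the one that matters (sysadmins being added to `owner_ids`) easier to overlook; `logger.info(` fits that branch better. The commented-out `# owner_ids={CONFIG.BOT_OWNER_ID, *CONFIG.SYSADMIN_IDS},` line left inside the `Tux(...)` call should be deleted rather than kept as history. Because the flag widens `owner_ids` itself, it presumably affects every owner check the bot performs and not only eval and jsk, so the warning text could say that. `start()` begins before and continues past this hunk.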
18 changes: 16 additions & 2 deletions tux/cogs/admin/eval.py
Expand Up @@ -7,6 +7,7 @@
from tux.bot import Tux
from tux.ui.embeds import EmbedCreator
from tux.utils import checks
from tux.utils.config import CONFIG
from tux.utils.functions import generate_usage


Expand Down Expand Up @@ -70,10 +71,23 @@ async def eval(self, ctx: commands.Context[Tux], *, expression: str) -> None:
return

if ctx.author.id not in self.bot.owner_ids:
if not CONFIG.ALLOW_SYSADMINS_EVAL and ctx.author.id in CONFIG.SYSADMIN_IDS:
logger.warning(
f"{ctx.author} tried to run eval but is not the bot owner. (User ID: {ctx.author.id})",
)
await ctx.send(
"You are not the bot owner and sysadmins are not allowed to use eval. Please contact your bot owner if you need assistance.",
delete_after=30,
)
return

logger.warning(
f"{ctx.author} tried to run eval but is not the bot owner. (User ID: {ctx.author.id})",
f"{ctx.author} tried to run eval but is not the bot owner or sysadmin. (User ID: {ctx.author.id})",
)
await ctx.send(
"You are not the bot owner. Better luck next time! (hint: if you are looking for the regular run command its $run)",
delete_after=30,
)
await ctx.send("You are not the bot owner. Better luck next time!", ephemeral=True, delete_after=30)
return

try:
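Review bot: The denial logged for a sysadmin in the new inner branch reads `tried to run eval but is not the bot owner`, which does not record that the caller is a configured sysadmin blocked by `ALLOW_SYSADMINS_EVAL`; someone auditing eval attempts cannot tell a privileged account from an unrelated user without cross-checking IDs. A message such as `f"{ctx.author} is a sysadmin but ALLOW_SYSADMINS_EVAL is off; eval denied. (User ID: {ctx.author.id})"` keeps that distinction in the log. The user-facing hint hard-codes `$run`, while tux/app.py passes `command_prefix=get_prefix`, so the hint may name the wrong prefix where it has been changed. `eval` starts before and continues after this hunk.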
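--- a/tux/utils/config.py
+++ b/tux/utils/config.py
@@ -40,6 +40,7 @@ class Config:
 # Permissions
 BOT_OWNER_ID: Final[int] = config["USER_IDS"]["BOT_OWNER"]
 SYSADMIN_IDS: Final[list[int]] = config["USER_IDS"]["SYSADMINS"]
+ALLOW_SYSADMINS_EVAL: Final[bool] = config["ALLOW_SYSADMINS_EVAL"]
 
 # Production env
 DEFAULT_PROD_PREFIX: Final[str] = config["BOT_INFO"]["PROD_PREFIX"]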
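Review bot: `config["ALLOW_SYSADMINS_EVAL"]` has no default and no type check, so a settings.yml written before this key existed will presumably fail with a KeyError when the class body runs, and a quoted value such as `"false"` is a non-empty string that the `if CONFIG.ALLOW_SYSADMINS_EVAL:` test in tux/app.py treats as enabled. Since this flag gates arbitrary code execution it should fail closed: `ALLOW_SYSADMINS_EVAL: Final[bool] = config.get("ALLOW_SYSADMINS_EVAL", False) is True` (assuming `config` is the parsed YAML mapping, as the neighbouring lookups suggest). The `Final[bool]` annotation documents the intent but does not enforce it at runtime.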