prevent hacked viewers from being able to delete arbitrary items from any

prim. Allow friends with perms and shared group members to move or copy
things out of prims

1 files changed, 18 insertions, 3 deletions

diff --git a/OpenSim/Region/Framework/Scenes/Scene.Inventory.cs b/OpenSim/Region/Framework/Scenes/Scene.Inventory.cs
index e1674be..4575068 100644
--- a/OpenSim/Region/Framework/Scenes/Scene.Inventory.cs
+++ b/OpenSim/Region/Framework/Scenes/Scene.Inventory.cs
@@ -935,6 +935,9 @@ namespace OpenSim.Region.Framework.Scenes
             }            
             if (part != null && group != null)
             {
+                if (!Permissions.CanEditObjectInventory(part.UUID, remoteClient.AgentId))
+                    return;
+                
                 TaskInventoryItem item = group.GetInventoryItem(localID, itemID);
                 if (item == null)
                     return;
@@ -1074,9 +1077,21 @@ namespace OpenSim.Region.Framework.Scenes
                 return;
             }
 
-            // Only owner can copy
-            if (remoteClient.AgentId != taskItem.OwnerID)
-                return;
+            TaskInventoryItem item = part.Inventory.GetInventoryItem(itemId);
+            if ((item.CurrentPermissions & (uint)PermissionMask.Copy) == 0)
+            {
+                // If the item to be moved is no copy, we need to be able to
+                // edit the prim.
+                if (!Permissions.CanEditObjectInventory(part.UUID, remoteClient.AgentId))
+                    return;
+            }
+            else
+            {
+                // If the item is copiable, then we just need to have perms
+                // on it. The delete check is a pure rights check
+                if (!Permissions.CanDeleteObject(part.UUID, remoteClient.AgentId))
+                    return;
+            }
 
             MoveTaskInventoryItem(remoteClient, folderId, part, itemId);
         }