Removes Rejuvinate and adds restricted proc logs (#3853)

# About the pull request
Removes R_REJUVINATE as it's only used in two places and we don't need
it.
Adds some alerts where procs are blocked from being force called, and
informs staff if someone attempts to brute force them.
<!-- Remove this text and explain what the purpose of your PR is.

Mention if you have tested your changes. If you changed a map, make sure
you used the mapmerge tool.
If this is an Issue Correction, you can type "Fixes Issue #169420" to
link the PR to the corresponding Issue number #169420.

Remember: something that is self-evident to you might not be to others.
Explain your rationale fully, even if you feel it goes without saying.
-->

# Explain why it's good for the game
# Testing Photographs and Procedure
<details>
<summary>Screenshots & Videos</summary>

Put screenshots and videos here with an empty line between the
screenshots and the `<details>` tags.

</details>


# Changelog
:cl:
admin: Removed the R_REJUVINATE permissions flag and replaces instances
where it is used with R_MOD.
admin: Added logs if a restricted proc is proccalled.
/:cl:

---------

Co-authored-by: harryob <[email protected]>

code/__DEFINES/admin.dm

@@ -71,3 +71,6 @@ var/global/list/note_categories = list("Admin", "Merit", "Commanding Officer", "
 #define ANTIGRIEF_NEW_PLAYERS 1
 /// Enables antigrief entirely: Nobody can activate explosives on the Almayer, unless the ship crashed.
 #define ANTIGRIEF_ENABLED 2
+
+/// Proc has been blocked by IsAdminAdvancedProcCall()
+#define PROC_BLOCKED "PROCCALL BLOCKED"

code/__HELPERS/type2type.dm

@@ -226,7 +226,6 @@
 	if(rights & R_POSSESS) . += "[seperator]+POSSESS"
 	if(rights & R_PERMISSIONS) . += "[seperator]+PERMISSIONS"
 	if(rights & R_STEALTH) . += "[seperator]+STEALTH"
-	if(rights & R_REJUVINATE) . += "[seperator]+REJUVINATE"
 	if(rights & R_COLOR) . += "[seperator]+COLOR"
 	if(rights & R_VAREDIT) . += "[seperator]+VAREDIT"
 	if(rights & R_SOUNDS) . += "[seperator]+SOUND"

code/__HELPERS/verb_helpers.dm

@@ -10,7 +10,7 @@
 	if(!target)
 		CRASH("add_verb called without a target")
 	if(IsAdminAdvancedProcCall())
-		return
+		return PROC_BLOCKED
 	var/mob/mob_target = null
 
 	if(ismob(target))
@@ -56,7 +56,7 @@
  */
 /proc/remove_verb(client/target, verb_or_list_to_remove)
 	if(IsAdminAdvancedProcCall())
-		return
+		return PROC_BLOCKED
 
 	var/mob/mob_target = null
 	if(ismob(target))

code/_globalvars/bitfields.dm

@@ -25,7 +25,6 @@ DEFINE_BITFIELD(rights, list(
 	"POSSESS" = R_POSSESS,
 	"PERMISSIONS" = R_PERMISSIONS,
 	"STEALTH" = R_STEALTH,
-	"REJUVENATE" = R_REJUVINATE,
 	"COLOR" = R_COLOR,
 	"VAREDIT" = R_VAREDIT,
 	"SOUNDS" = R_SOUNDS,

code/controllers/configuration/configuration.dm

@@ -24,7 +24,8 @@
 
 /datum/controller/configuration/proc/admin_reload()
 	if(IsAdminAdvancedProcCall())
-		return
+		alert_proccall("configuration admin_reload")
+		return PROC_BLOCKED
 	log_admin("[key_name(usr)] has forcefully reloaded the configuration from disk.")
 	message_admins("[key_name_admin(usr)] has forcefully reloaded the configuration from disk.")
 	full_wipe()
@@ -33,7 +34,8 @@
 
 /datum/controller/configuration/proc/Load(_directory)
 	if(IsAdminAdvancedProcCall()) //If admin proccall is detected down the line it will horribly break everything.
-		return
+		alert_proccall("configuration Load")
+		return PROC_BLOCKED
 	if(_directory)
 		directory = _directory
 	if(entries)
@@ -117,7 +119,8 @@
 
 /datum/controller/configuration/proc/full_wipe()
 	if(IsAdminAdvancedProcCall())
-		return
+		alert_proccall("configuration full_wipe")
+		return PROC_BLOCKED
 	entries_by_type.Cut()
 	QDEL_LIST_ASSOC_VAL(entries)
 	entries = null
@@ -163,7 +166,8 @@
 
 /datum/controller/configuration/proc/LoadEntries(filename, list/stack = list())
 	if(IsAdminAdvancedProcCall())
-		return
+		alert_proccall("configuration LoadEntries")
+		return PROC_BLOCKED
 
 	var/filename_to_test = world.system_type == MS_WINDOWS ? lowertext(filename) : filename
 	if(filename_to_test in stack)
@@ -264,7 +268,7 @@
 		CRASH("Missing config entry for [entry_type]!")
 	if((E.protection & CONFIG_ENTRY_HIDDEN) && IsAdminAdvancedProcCall() && GLOB.LastAdminCalledProc == "Get" && GLOB.LastAdminCalledTargetRef == "[REF(src)]")
 		log_admin_private("Config access of [entry_type] attempted by [key_name(usr)]")
-		return
+		return PROC_BLOCKED
 	return E.config_entry_value
 
 
@@ -278,7 +282,7 @@
 		CRASH("Missing config entry for [entry_type]!")
 	if((E.protection & CONFIG_ENTRY_LOCKED) && IsAdminAdvancedProcCall() && GLOB.LastAdminCalledProc == "Set" && GLOB.LastAdminCalledTargetRef == "[REF(src)]")
 		log_admin_private("Config rewrite of [entry_type] to [new_val] attempted by [key_name(usr)]")
-		return
+		return PROC_BLOCKED
 	return E.ValidateAndSet("[new_val]")
 
 

code/game/verbs/who.dm

@@ -158,7 +158,7 @@
 	var/dat = ""
 	var/list/mappings
 	if(CONFIG_GET(flag/show_manager))
-		LAZYSET(mappings, "<B style='color:purple'>Management</B>", R_HOST)
+		LAZYSET(mappings, "<B style='color:purple'>Management</B>", R_PERMISSIONS)
 	if(CONFIG_GET(flag/show_devs))
 		LAZYSET(mappings, "<B style='color:blue'>Maintainers</B>", R_PROFILER)
 	LAZYSET(mappings, "<B style='color:red'>Admins</B>", R_ADMIN)

code/global.dm

@@ -12,21 +12,21 @@
 #define R_POSSESS (1<<5)
 #define R_PERMISSIONS (1<<6)
 #define R_STEALTH (1<<7)
-#define R_REJUVINATE (1<<8)
-#define R_COLOR (1<<9)
-#define R_VAREDIT (1<<10)
-#define R_SOUNDS (1<<11)
-#define R_SPAWN (1<<12)
-#define R_MOD (1<<13)
-#define R_MENTOR (1<<14)
-#define R_HOST (1<<15)
-#define R_PROFILER (1<<16)
-#define R_NOLOCK (1<<17)
-#define R_EVENT (1<<18)
-
-/// The sum of all other rank permissions.
-#define R_EVERYTHING ((1<<19)-1)
-
+#define R_COLOR (1<<8)
+#define R_VAREDIT (1<<9)
+#define R_SOUNDS (1<<10)
+#define R_SPAWN (1<<11)
+#define R_MOD (1<<12)
+#define R_MENTOR (1<<13)
+#define R_HOST (1<<14)
+#define R_PROFILER (1<<15)
+#define R_NOLOCK (1<<16)
+#define R_EVENT (1<<17)
+
+/// The sum of all other rank permissions, other than host or profiler.
+#define RL_EVERYTHING (R_BUILDMODE|R_ADMIN|R_BAN|R_SERVER|R_DEBUG|R_PERMISSIONS|R_POSSESS|R_STEALTH|R_COLOR|R_VAREDIT|R_EVENT|R_SOUNDS|R_NOLOCK|R_SPAWN|R_MOD|R_MENTOR)
+/// Truely everything
+#define RL_HOST (RL_EVERYTHING|R_HOST|R_PROFILER)
 // 512.1430 increases maximum bit flags from 16 to 24, so the following flags should be available for future changes:
 //=================================================
 

code/modules/admin/NewBan.dm

@@ -226,6 +226,9 @@ var/savefile/Banlist
 		RemoveBan(A)
 
 /client/proc/cmd_admin_do_ban(mob/M)
+	if(IsAdminAdvancedProcCall())
+		alert_proccall("cmd_admin_do_ban")
+		return PROC_BLOCKED
 	if(!check_rights(R_BAN|R_MOD))  return
 
 	if(!ismob(M)) return

code/modules/admin/admin_ranks.dm

@@ -34,17 +34,17 @@ var/list/admin_ranks = list() //list of all ranks with associated rights
 				if("permissions","rights") rights |= R_PERMISSIONS
 				if("possess") rights |= R_POSSESS
 				if("stealth") rights |= R_STEALTH
-				if("rejuv","rejuvinate") rights |= R_REJUVINATE
 				if("color") rights |= R_COLOR
 				if("varedit") rights |= R_VAREDIT
 				if("event") rights |= R_EVENT
-				if("everything","host","all") rights |= (R_HOST|R_BUILDMODE|R_ADMIN|R_BAN|R_SERVER|R_DEBUG|R_PERMISSIONS|R_POSSESS|R_STEALTH|R_REJUVINATE|R_COLOR|R_VAREDIT|R_EVENT|R_SOUNDS|R_NOLOCK|R_SPAWN|R_MOD|R_MENTOR)
 				if("sound","sounds") rights |= R_SOUNDS
 				if("nolock") rights |= R_NOLOCK
 				if("spawn","create") rights |= R_SPAWN
 				if("mod") rights |= R_MOD
 				if("mentor") rights |= R_MENTOR
 				if("profiler") rights |= R_PROFILER
+				if("host") rights |= RL_HOST
+				if("everything") rights |= RL_EVERYTHING
 
 		admin_ranks[rank] = rights
 		previous_rights = rights

code/modules/admin/callproc.dm

@@ -72,7 +72,8 @@ GLOBAL_PROTECT(LastAdminCalledProc)
  */
 /proc/HandleUserlessProcCall(user, datum/target, procname, list/arguments)
 	if(IsAdminAdvancedProcCall())
-		return
+		alert_proccall("HandleUserlessProcCall")
+		return PROC_BLOCKED
 	var/mob/proccall_handler/handler = GLOB.AdminProcCallHandler
 	handler.add_caller(user)
 	var/lastusr = usr
@@ -90,7 +91,8 @@ GLOBAL_PROTECT(LastAdminCalledProc)
  */
 /proc/HandleUserlessSDQL(user, query_text)
 	if(IsAdminAdvancedProcCall())
-		return
+		alert_proccall("HandleUserlessSDQL")
+		return PROC_BLOCKED
 
 	var/mob/proccall_handler/handler = GLOB.AdminProcCallHandler
 	handler.add_caller(user)
@@ -224,6 +226,10 @@ GLOBAL_PROTECT(LastAdminCalledProc)
 /proc/IsAdminAdvancedProcCall()
 	return (GLOB.AdminProcCaller && GLOB.AdminProcCaller == usr?.client?.ckey) || (GLOB.AdminProcCallHandler && usr == GLOB.AdminProcCallHandler)
 
+/proc/alert_proccall(procname = "Unknown")
+	to_chat(usr, SPAN_BOLDWARNING("Warning: Force attempt has been logged."))
+	message_admins("[key_name(usr)] has attempted to execute a restricted proc. ([procname])")
+
 /client/proc/callproc_datum(datum/called_datum as null|area|mob|obj|turf)
 	set category = "Debug"
 	set name = "Datum ProcCall"

code/modules/admin/holder2.dm

@@ -129,15 +129,18 @@ you will have to do something like if(client.admin_holder.rights & R_ADMIN) your
 	return 0
 
 /client/proc/deadmin()
+	if(IsAdminAdvancedProcCall())
+		alert_proccall("deadmin")
+		return PROC_BLOCKED
 	if(admin_holder)
 		admin_holder.disassociate()
 		QDEL_NULL(admin_holder)
-	return 1
+	return TRUE
 
 /client/proc/readmin()
 	if(admin_datums[ckey])
 		admin_datums[ckey].associate(src)
-	return 1
+	return TRUE
 
 /datum/admins/proc/check_for_rights(rights_required)
 	if(rights_required && !(rights_required & rights))

code/modules/admin/topic/topic.dm

@@ -982,7 +982,8 @@
 		message_admins("[key_name_admin(usr)] has sent [key_name_admin(M)] to the thunderdome. (Observer.)", 1)
 
 	else if(href_list["revive"])
-		if(!check_rights(R_REJUVINATE)) return
+		if(!check_rights(R_MOD)) 
+			return
 
 		var/mob/living/L = locate(href_list["revive"])
 		if(!istype(L))

code/modules/admin/verbs/SDQL2/SDQL_2.dm

@@ -345,7 +345,7 @@ GLOBAL_DATUM_INIT(sdql2_vv_statobj, /obj/effect/statclick/sdql2_vv_all, new(null
 /datum/sdql2_query/New(list/tree, SU = FALSE, admin_interact = TRUE, _options = SDQL2_OPTIONS_DEFAULT, finished_qdel = FALSE)
 	if(IsAdminAdvancedProcCall() || !LAZYLEN(tree))
 		qdel(src)
-		return
+		return PROC_BLOCKED
 	LAZYADD(GLOB.sdql2_queries, src)
 	superuser = SU
 	allow_admin_interact = admin_interact
@@ -602,7 +602,7 @@ GLOBAL_DATUM_INIT(sdql2_vv_statobj, /obj/effect/statclick/sdql2_vv_all, new(null
 			var/text = "[key_name(usr)] attempted to grab world with a procedure call to a SDQL datum."
 			message_admins(text)
 			log_admin(text)
-			return
+			return PROC_BLOCKED
 	if("world" in tree)
 		return world
 	return SDQL_expression(world, tree)

code/modules/client/client_procs.dm

@@ -315,7 +315,7 @@ GLOBAL_LIST_INIT(whitelisted_client_procs, list(
 	if(!CONFIG_GET(flag/no_localhost_rank))
 		var/static/list/localhost_addresses = list("127.0.0.1", "::1")
 		if(isnull(address) || (address in localhost_addresses))
-			var/datum/admins/admin = new("!localhost!", R_EVERYTHING, ckey)
+			var/datum/admins/admin = new("!localhost!", RL_HOST, ckey)
 			admin.associate(src)
 			RoleAuthority.roles_whitelist[ckey] = WHITELIST_EVERYTHING
 
@@ -617,7 +617,8 @@ GLOBAL_LIST_INIT(whitelisted_client_procs, list(
 */
 /client/proc/init_verbs()
 	if(IsAdminAdvancedProcCall())
-		return
+		alert_proccall("init_verbs")
+		return PROC_BLOCKED
 	var/list/verblist = list()
 	var/list/verbstoprocess = verbs.Copy()
 	if(mob)

config/example/admin_ranks.txt

@@ -19,7 +19,6 @@
 # +BAN = the ability to ban, jobban and fullban
 # +STEALTH = the ability to stealthmin (make yourself appear with a fake name to everyone but other admins
 # +POSSESS = the ability to possess objects
-# +REJUV (or +REJUVINATE) = the ability to heal, respawn, modify damage and use godmode
 # +COLOR = the ability to use the OOC > "Set OOC Color - Self" verb
 # +BUILD (or +BUILDMODE) = the ability to use buildmode
 # +SERVER = higher-risk admin verbs and abilities, such as those which affect the server configuration.
@@ -36,16 +35,16 @@ Mentor      	+MENTOR +COLOR
 
 
 Trial Moderator +MOD +SERVER +COLOR
-Moderator 		+MOD +SERVER +BAN +REJUV +COLOR +NOLOCK
-Trial Admin 	+ADMIN +MOD +SERVER +BAN +REJUV +SPAWN +STEALTH +VAREDIT +COLOR
-Admin 			+ADMIN +MOD +SERVER +BAN +REJUV +SPAWN +STEALTH +VAREDIT +POSSESS +SOUND +COLOR +BUILDMODE
+Moderator 		+MOD +SERVER +BAN +COLOR +NOLOCK
+Trial Admin 	+ADMIN +MOD +SERVER +BAN +SPAWN +STEALTH +VAREDIT +COLOR
+Admin 			+ADMIN +MOD +SERVER +BAN +SPAWN +STEALTH +VAREDIT +POSSESS +SOUND +COLOR +BUILDMODE
 
 
 Coder			+MOD +SERVER +BAN +VAREDIT +SPAWN +DEBUG +COLOR
 Mapper 			+MOD +VAREDIT +COLOR +BUILDMODE +SPAWN
 Spriter			+MOD +VAREDIT +SPAWN +COLOR
-Developer		+ADMIN +MOD +SERVER +BAN +VAREDIT +SPAWN +DEBUG +REJUV +POSSESS +BUILDMODE +SOUND +COLOR
-Lead Spriter    +ADMIN +MOD +SERVER +REJUV +VAREDIT +BUILDMODE +SPAWN +DEBUG +COLOR
+Developer		+ADMIN +MOD +SERVER +BAN +VAREDIT +SPAWN +DEBUG +POSSESS +BUILDMODE +SOUND +COLOR
+Lead Spriter    +ADMIN +MOD +SERVER +VAREDIT +BUILDMODE +SPAWN +DEBUG +COLOR
 
 
 Host 			+EVERYTHING
@@ -55,6 +54,6 @@ Head Dev		+EVERYTHING
 
 
 Legacy Mentor 	 +MENTOR +COLOR
-Senior Moderator +ADMIN +MOD +SERVER +BAN +REJUV +SPAWN +STEALTH +VAREDIT +POSSESS +SOUND +COLOR +BUILDMODE
-Senior Admin  	 +ADMIN +MOD +SERVER +BAN +REJUV +SPAWN +STEALTH +VAREDIT +POSSESS +SOUND +COLOR +BUILDMODE +DEBUG
+Senior Moderator +ADMIN +MOD +SERVER +BAN +SPAWN +STEALTH +VAREDIT +POSSESS +SOUND +COLOR +BUILDMODE
+Senior Admin  	 +ADMIN +MOD +SERVER +BAN +SPAWN +STEALTH +VAREDIT +POSSESS +SOUND +COLOR +BUILDMODE +DEBUG