Diego Nehab wrote:
[...]
> If the object's metatable has a "__metatable" field,
> getmetatable() returns the associated value. Can't you use
> this trick to protect the datastructure? setmetatable() will
> also honor __metatable by raising an error.
I was not previously aware of this feature --- rather useful.
Having just rummaged through the documentation for this stuff, I am now
struck by rawget() and rawset(), which allow you to access table
entries bypassing the metatable...
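    t = create_secure_table_with_public_api()
    -- keep a reference to the original API function
    local oldfn = t.apifunction
    -- rawset() writes the field directly, without consulting the metatable
    rawset(t, "apifunction", function(self, capability)
        print("Stolen capability "..capability.."!")
        return oldfn(self, capability)
    end)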
Is there a way of disabling these as well?
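
One way to see the difference, as an added example that is not part of the original message: a table protected with __metatable is handed to a chunk whose environment either does or does not expose rawset(). The names make_secure_table and run_untrusted are hypothetical, and the example assumes the untrusted code is loaded as a separate chunk with its own environment, which the thread does not state.

```lua
-- Added example, not from the thread. make_secure_table and run_untrusted
-- are hypothetical helpers written for this illustration.
local function make_secure_table()
  local impl = {
    apifunction = function(self, capability) return "used " .. capability end,
  }
  -- Empty proxy: reads fall through to impl, ordinary writes are rejected,
  -- and __metatable hides the real metatable from get/setmetatable.
  return setmetatable({}, {
    __index = impl,
    __newindex = function() error("read-only table", 2) end,
    __metatable = "locked",
  })
end

-- Run a source chunk that can see only the globals listed in env.
local function run_untrusted(src, env)
  local chunk, err
  if setfenv then                        -- Lua 5.1
    chunk, err = loadstring(src, "untrusted")
    if chunk then setfenv(chunk, env) end
  else                                   -- Lua 5.2 and later
    chunk, err = load(src, "untrusted", "t", env)
  end
  if not chunk then return false, err end
  return pcall(chunk)
end

local attempt = [[ rawset(t, "apifunction", function() end) ]]

-- The metatable itself is protected, and a plain assignment is refused.
local t1 = make_secure_table()
assert(getmetatable(t1) == "locked")
assert(not pcall(setmetatable, t1, {}))
assert(not pcall(function() t1.apifunction = print end))

-- If rawset is reachable, the write skips __newindex and shadows the API.
assert(run_untrusted(attempt, { t = t1, rawset = rawset }))
assert(type(rawget(t1, "apifunction")) == "function")

-- With a whitelist environment that omits the raw functions, the same
-- chunk fails on the call and the proxy stays empty.
local t2 = make_secure_table()
local ok = run_untrusted(attempt, { t = t2, print = print })
assert(not ok)
assert(rawget(t2, "apifunction") == nil)
```

The whitelist only helps if nothing else in the environment leads back to the raw functions, so the debug library and the real global table have to stay out of it as well.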