You are able to view the properties of an Instance, regardless of that properties script security. Because of the impact this bug may have, i’ve added the relevant information to the Private content to staff-only subject.
It is worth noting, the information you get is formatted as a string and requires lua intervention to then parse the string into a format that you can use.
System Information:
Hardware Information:
Hardware Model: ASUS ROG STRIX X670E-E GAMING WIFI
Memory: 128.0 GiB
Processor: AMD Ryzen™ 9 7950X × 32
Graphics: AMD Radeon™ RX 7900 XTX
Disk Capacity: 4.0 TB
Software Information:
Firmware Version: 1003
OS Name: Arch Linux
OS Build: rolling
OS Type: 64-bit
GNOME Version: 47
Windowing System: X11
Kernel Version: Linux 6.11.0-arch1-1
Beta Features:
I have all Beta Features off, there is no Beta feature.
Reproduction Files:
See private content for staff-only section.
Expected behavior
I expect the service in question to emit the name of the instance, not it’s properties. children and other information.
This is very intentional, lets explain how a Instance prototype is implemented.
Instances implement five metamethods
__index - read property
__newindex - set property
__tostring - print override
__type - typeof override
__namecall - luau optimisation
These are implemented as guards to stop you accessing stuff you shouldn’t, the most relevent here is namecall, which changes how : behaves, since once a function leaks from a protected instance, theres no practical way to guard against it. But as a hottake, tostring probably doesn’t need to be protected.
Type isn’t protected because its a string.
Instance methods are all the same function, cough cough Destroy.
As for reading, I believe it would better to have a safe global function such as CanAccess().