Allow me to manually invoke and check plugin permissions

As a Roblox developer, it is currently too hard to properly script around plugin permissions.

This is due to a lack of methods to check the permissions of a plugin. Apps on both Apple and Android allow this on a developer level, which both implement their own request and check methods for various permissions.

Right now, to invoke the HttpService requests to URLs and Script injection prompts, you have to hackily “probe” the permission system by either dropping in and removing a script, or sending a HTTP request to that URL.

local HttpService = game:GetService("HttpService")
local function tryProbeUrlPermission(url)
  local s = pcall(HttpService.RequestAsync, url)

  -- this can fail in other ways for example; an invalid url, no connection etc.
  -- an explicit invokation prevents this hacky workaround
  return s
end

It would be much cleaner if I could just check and/or request the prompt at startup on plugin. The prompt request method should only work if permissions have not been requested beforehand

plugin:RequestPermission(Enum.PermissionType.HttpUrl, "https://www.google.com")
plugin:RequestPermission(Enum.PermissionType.ScriptInjection)

It would also be nice if debugging plugin permissions was possible on local plugins, but thats for a different post. The easiest method is to just unlock PermissionService:GetPermissions and then I can script around that, however, obtaining the ID of a plugin is it’s own rabbit hole that doesn’t make this the easiest method over just mounting two methods onto a plugin (eg RequestPermission and CheckPermission)

If Roblox is able to address this issue, it would improve my development experience because I’d be able to request and check permissions on my own behalf without using hacky workarounds that probe the system

15 Likes

Yes! We needed this. I’m a plugin developer and have no clue as to why my plugins require script access though they never create or access scripts. It would be amazing for me to manually set it to not as it could scare people away from my plugin thinking it’s malicious though it isn’t.

2 Likes

It would be also cool to have the ability to check if module and it’s sub-modules use this or at least block it for the defined path. It could give developers better control over running customisable code (like add-ons to plugins, when plugin - for example - requires asset by it’s id, same goes for admin tools, etc.).

Docs:

  • Module:CheckPermission(PermissionType: Enum.PermissionType): boolean
  • Module:CheckPermission(PermissionType: Enum.PermissionType, HTTP_ENDPOINT: string?): boolean
  • Module:RejectPermission(PermissionType: Enum.PermissionType): void
  • Module:RejectPermission(PermissionType: Enum.PermissionType, HTTP_ENDPOINT: string?): void
Example
local Module: ModuleScript
local RequiresScriptInjection = Module:CheckPermission(Enum.PermissionType.ScriptInjection)
local RejectScriptInjection_modules = {}
if (RejectScriptInjection_modules[Module.Name]) then
    Module:RejectPermission(Enum.PermissionType.ScriptInjection)
end

If it would be good idea, it could be also included for every module instance, same as the Enum.PermissionType having more permission in the future (for plugins and modules - some available for plugins and or modules (defined in documentation)). If not, Module:CheckPermission() and Module:RejectPermission() could be replaced by plugin:CheckPermission(Module, ...) and plugin:RejectPermission(Module, ...).

With the move towards public packages, PackageLinks should be expanded to have controllable permissions that give it or restrict scripts under it from doing certain things. Obviously the main breakout of this would be parenting a script outside the package, but that could be blocked with its own permission.

1 Like