Attempting to use :FireClient, is this implementation of it exploitable?

Help and Feedback Scripting Support
#1

Hello, I’m currently attempting to make an admin script for my game. I wanted to make a command for fun that would trip a chosen player. However, due to the method i’m using to trip the player not working server-side, I have to communicate the info back to a localscript. Currently, I have it set up so that a localscript fires the server with the command’s input. Then, a server script gets that input and determines a command that should be run, with the commands being stored in a modulescript. Currently, the main section of the trip command looks like this:

if target == nil then
		consoleOutput(sender,"ERROR: Player Not Found", true)
	else
		local remoteEvent = ReplicatedStorage:FindFirstChild("TripPlayer")
		remoteEvent:FireClient(Players:FindFirstChild(target), Players:FindFirstChild(target).Character)
	end

This fires the client with the tripPlayer remote, which has a localscript connected to it:

local function Trip(Character: Model)

	local RootPart = Character.PrimaryPart
	local Humanoid = Character.Humanoid
	Humanoid:ChangeState(Enum.HumanoidStateType.FallingDown)

	RootPart.AssemblyLinearVelocity += RootPart.CFrame.LookVector * 5
end


remoteEvent.OnClientEvent:Connect(Trip)

my question is, does this method of essentially allowing the client to fire any other client with the admin gui open it up for exploiters to take advantage of this and trip any player whenever they want? Obviously not everyone will have access to this gui, but anyone would be able to fire that remote manually, right?

I’m not very experienced with server-client replication, so apologies if I’m not wording this right.

2 Likes
#2

Exploiters cant use :FireClinet() but they can try bypas gui and use :FireEvent() to run this function.

(and I dont see any issue in making this a server script)

2 Likes
#3

Just add a UsedID check in the serverscript and u should be fine

1 Like
#4

Yup, what you should do is have a table of userids that have admin and check if the player who fired the trip remote to the server is a key of that table. If they are run the command if not, you can kick them and save them in a datastore so when they join back kick them again and they are essentially banned.

1 Like
#5

for whatever reason, attempting to run the trip command server-side just… doesn’t work. The player will only trip (at least in the way I want it to) if the command is run from a localscript. I assume it has something to do with the way roblox does physics calculations on clientside vs serverside.