You can ban yourself, the Place Creator. You can’t ban User Id 1 (Roblox) though. But you can ban yourself, the Place Creator, which is a questionable issue for those with access to run scripts.
But you can’t unban yourself…
Steps to reproduce:
Enter your Production Test Game
Run
```lua
game.Players:BanAsync({
	UserIds = { --[[ Put User ID here ]] },
	ApplyToUniverse = true,
	ExcludeAltAccounts = false,
	Duration = 9000,
	DisplayReason = "Testing",
	PrivateReason = "A very cool test",
} :: BanConfigType)
```
Expected Result
But I am banned and I can’t unban myself even through Studio. Banning is more dangerous. Unban could be made lighter.
I am forced to use the API or other workarounds to unban.
Actual Result
You get banned and have to use the API, or other workarounds, to unban yourself. The API is not that difficult actually; below there’s even code that I put. But it’s maybe not a standard thing someone should be forced to do.
As a workaround, you could give an alt account edit access, join the game on that alt, and then unban yourself through the developer console on that alt.
Roblox also plans to “provide the Ban API on Creator Hub” later this year which I assume means adding an interface to ban/unban players and view ban history right on the creator dashboard, which would make unbanning yourself a lot easier.
And then change the duration to like 1s or something. This can be run in the console, but you have to make an API key for it. You’d run it while on this page https://apis.roblox.com/cloud/ or something, just to prevent CORS issues.
There are other ways to run this through the API, but this is like the “patching” way of doing it quickly.
Technically, since there are secrets in a game, you could eventually even integrate BanAsync that works in Studio
Except the whole appeal of this new functionality is that it also bans suspected alts, which can (and depending how sensitive it is, probably will) pick up the alt, meaning it’s still locked out.
This is a major issue, in my opinion; a backdoor could theoretically irrevocably ban all the user/s (and their alt/s) of a given experience, including the Moderator/s & Administrator/s, and even the experience Creator.
For an inexperienced Dev (another appeal of this feature), they would likely not think to use the OpenCloud API to unban themselves (also, this would require them to have external VSCode knowledge).
Well, the alt account detection didn’t work when I tested it, so I’m not sure how sensitive it is. But like I mentioned they’re going to provide an interface on the creator hub anyway, so you can just easily unban yourself there.
They should add an “Enable Ban API” toggle, just like they have stuff for HTTP I guess.
Where disabling it also disables bans being applied and checked. This is great in case someone just wants to switch it off.
This sounds like a very cool solution, because indeed there’s probably people that do not or ever needed a Ban API. Regardless if they used Third-Party to ban.
But perhaps a Toggle in the Settings PROMOTES the Ban API way too much, and maybe Roblox doesn’t want to promote it.
I don’t know how Roblox handles feedback nor if they have QA-like tests (not the Platform/OS based QA). They do listen to feedback, but I feel like there’s feedback that doesn’t land anywhere.
What is very interesting is that there is protection to ensure you don’t ban UserId 1 (the Roblox account), which is most-likely never going to join your experience; yet you are still able to ban yourself…
A workaround to prevent soft-locking yourself in the first place: I suggest utilizing “whitelist” code, aka a dictionary or array of user IDs, then looping through it to verify whether your ID is on it before running Ban API code.
This is more like a band-aid solution in the short term, but Roblox should implement some kind of actual protection for the game owner and a list of users who can edit the game. Maybe even create a dedicated whitelist on the website or in Studio of users who cannot be banned at all.
Simple fix to prevent this issue: when running BanAsync, throw an exception if the banned user ID is equal to the creator’s ID. I do feel like dealing with edge cases such as potentially banning yourself is something you should prepare for when utilizing the ban API
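The allowlist check and the "throw if it is the creator" check suggested in the two posts above, combined in one Luau ModuleScript. This is an added example, not code from the thread or from Roblox; `ModerationGuard`, `PROTECTED_USER_IDS` and the sample IDs are hypothetical, and it only guards calls your own moderation scripts route through it.

```lua
-- Added example: fail-closed wrapper around Players:BanAsync.
-- ModerationGuard and PROTECTED_USER_IDS are hypothetical names.
local Players = game:GetService("Players")

-- Constructed sample IDs: replace with moderators, administrators and
-- anyone with edit access who must never be locked out.
local PROTECTED_USER_IDS: { [number]: boolean } = {
	[1111111] = true, -- constructed sample ID
	[2222222] = true, -- constructed sample ID
}

local function isProtected(userId: number): boolean
	-- game.CreatorId is a group ID for group-owned experiences, so it is
	-- only compared against user IDs when the creator is a user.
	if game.CreatorType == Enum.CreatorType.User and userId == game.CreatorId then
		return true
	end
	return PROTECTED_USER_IDS[userId] == true
end

local ModerationGuard = {}

-- Returns the subset of userIds that must not be banned.
function ModerationGuard.findProtected(userIds: { number }): { number }
	local refused = {}
	for _, userId in userIds do
		if isProtected(userId) then
			table.insert(refused, userId)
		end
	end
	return refused
end

-- Raises an error before any ban is applied if the request contains a
-- protected ID; otherwise forwards the unchanged config to BanAsync.
function ModerationGuard.ban(config)
	local refused = ModerationGuard.findProtected(config.UserIds)
	if #refused > 0 then
		error("Refusing ban: protected user IDs " .. table.concat(refused, ", "), 2)
	end
	Players:BanAsync(config)
end

return ModerationGuard
```

Callers should wrap `ModerationGuard.ban` in `pcall`, since both the guard and `BanAsync` itself can raise an error.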
This doesn’t address the primary concern, which is malicious actors (ie backdoors) using BanAsync to ban the user/s (and their alt/s) from a given experience, including the Moderator/s & Administrator/s, and even the experience Creator.
Nothing can or will address this, until Roblox either whitelists the Creator or allows UnbanAsync to be run in Studio.
I believe this has been sort of fixed. I went on my alt and attempted to ban myself, and it returned the same error as if I tried to ban userId 1. Place creators now seem to have a protection.
Really wish they would allow the API to work in studio. Before I had my discord bot, I would just run a DataStore async call to ban people in the command line.
If you’re not using the ban api in any scripts, you’re fine.
The person you’re replying to specified backdoors, meaning you’d need to have used the API in your experience in some way for the backdoor to tie into the ban API.