Ban API: the potential issue of soft-locking yourself by not being able to unban yourself

Description

You can ban yourself, the Place Creator. You can’t ban User Id 1 (Roblox), though. But you can ban yourself, the Place Creator, which is a questionable issue for those with access to run scripts.

But you can’t unban yourself…

Steps to reproduce:

  1. Enter your Production Test Game
  2. Run
game.Players:BanAsync({
    UserIds = {Put User ID here}, -- using your own user ID here reproduces the soft-lock
    ApplyToUniverse = true,       -- apply to every place in the experience
    ExcludeAltAccounts = false,   -- also ban suspected alt accounts
    Duration = 9000,              -- seconds
    DisplayReason = "Testing",
    PrivateReason = "A very cool test",
} :: BanConfigType)

Expected Result

But I am banned and I can’t unban myself, even through Studio. Banning is more dangerous; unbanning could be made lighter.

I am forced to use the API or other workarounds to unban.

Actual Result

You get banned and have to use the API (or other workarounds) to unban yourself. The API is not that difficult, actually; below there is even code that I wrote. But maybe it is not a standard thing someone should be forced to do.


22 Likes

As a workaround, you could give an alt account edit access, join the game on that alt, and then unban yourself through the developer console on that alt.

Roblox also plans to “provide the Ban API on Creator Hub” later this year which I assume means adding an interface to ban/unban players and view ban history right on the creator dashboard, which would make unbanning yourself a lot easier.

8 Likes

While that works, if you forget to delete that alt account or anything, it’s bad.

I just explored the API a little bit. I can update my ban request with it; all I have to do is generate a key and run something like this:

// Open Cloud v2 user-restrictions endpoint for one user in one universe
const url = 'https://apis.roblox.com/cloud/v2/universes/<UNIVERSE-ID>/user-restrictions/<USER-ID>';

// Restriction to apply; duration is a string in seconds ("3000s")
const data = `{"gameJoinRestriction": {
   "active": true,
   "duration": "3000s",
   "privateReason": "some private reason",
   "displayReason": "some display reason",
   "excludeAltAccounts": false
 }
}`;

// PATCH overwrites the existing restriction for that user
const response = await fetch(url, {
   method: 'PATCH',
   headers: {
       'x-api-key': 'PUT-API-KEY-HERE-BUT-DONT-LEAK', // Open Cloud API key with user-restrictions write permission
       'Content-Type': 'application/json',
   },
   body: data,
});

// The response echoes the restriction as stored
const text = await response.text();

console.log(text);

And then change the duration to 1s or something. This can be run in the console, but you have to make an API key for it. You’d run it while on this page, https://apis.roblox.com/cloud/, or something, just to prevent CORS issues.


There are other ways to do this with the API, but this is the “patching” way of doing it quickly.


Technically, since there are secrets in a game, you could eventually even integrate a BanAsync that works in Studio :person_shrugging:

5 Likes
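The unban the reply above sketches, written out as an added example that is not part of the original thread and not Roblox’s own code. It PATCHes the same user-restrictions endpoint, but clears the restriction with `active: false` instead of shortening the duration to 1s (that `active: false` lifts the restriction is my reading of the Open Cloud user-restrictions documentation; check it against the current docs). The numeric-ID validation, the injectable `fetchImpl`, and the fake fetch used so the code runs offline are all my additions; pass `globalThis.fetch`, your real universe and user IDs, and an API key to use it for real. Scope that key to the one universe with only the user-restrictions write permission and revoke it after the one-off unban; do not paste a long-lived key into a shared browser console.

```javascript
// Added example: lift ("unban") an Open Cloud user restriction.
// Not from the original post. fetchImpl is injected so the request can be
// exercised offline against a fake; pass globalThis.fetch for real use.

const OPEN_CLOUD_BASE = 'https://apis.roblox.com/cloud/v2';

function restrictionUrl(universeId, userId) {
  // Roblox universe and user IDs are numeric. Refuse anything else so a typo
  // or pasted string cannot turn into a request to a different path.
  for (const id of [universeId, userId]) {
    if (!/^\d+$/.test(String(id))) throw new Error(`invalid id: ${id}`);
  }
  return `${OPEN_CLOUD_BASE}/universes/${universeId}/user-restrictions/${userId}`;
}

function buildUnbanBody() {
  // active:false clears the restriction (assumption, see lead-in); no
  // duration or reasons are needed to lift it.
  return JSON.stringify({ gameJoinRestriction: { active: false } });
}

function buildBanBody({ durationSeconds, displayReason, privateReason, excludeAltAccounts = false }) {
  // Same shape as the reply above; Open Cloud takes the duration as a string such as "3000s".
  if (!Number.isInteger(durationSeconds) || durationSeconds <= 0) {
    throw new Error('durationSeconds must be a positive integer');
  }
  return JSON.stringify({
    gameJoinRestriction: {
      active: true,
      duration: `${durationSeconds}s`,
      displayReason,
      privateReason,
      excludeAltAccounts,
    },
  });
}

async function patchRestriction(fetchImpl, { universeId, userId, apiKey }, body) {
  const response = await fetchImpl(restrictionUrl(universeId, userId), {
    method: 'PATCH',
    headers: { 'x-api-key': apiKey, 'Content-Type': 'application/json' },
    body,
  });
  const text = await response.text();
  // A 401/403 here usually means the key lacks the user-restrictions write
  // permission for this universe; surface the body so that is visible.
  if (!response.ok) throw new Error(`Open Cloud returned HTTP ${response.status}: ${text}`);
  return JSON.parse(text);
}

function liftRestriction(fetchImpl, target) {
  return patchRestriction(fetchImpl, target, buildUnbanBody());
}

// Constructed fake fetch: records each request and echoes the body back as
// the response, standing in for the real endpoint so the example runs offline.
function makeFakeFetch(status = 200) {
  const calls = [];
  const fetchImpl = async (url, init) => {
    calls.push({ url, init });
    return { ok: status >= 200 && status < 300, status, text: async () => init.body };
  };
  return { fetchImpl, calls };
}

// Offline demo against the fake; swap in globalThis.fetch, real IDs and a key to use it.
const demo = makeFakeFetch();
liftRestriction(demo.fetchImpl, { universeId: '000000000', userId: '000000000', apiKey: 'REDACTED' })
  .then((stored) => console.log('PATCH', demo.calls[0].url, '->', JSON.stringify(stored)));
```

If you instead keep the duration-shortening approach from the reply, `buildBanBody` produces that request; lifting with `active: false` avoids leaving a stale, expired ban record with a 1s duration behind.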

Except the whole appeal of this new functionality is that it also bans suspected alts, which can (and depending how sensitive it is, probably will) pick up the alt, meaning it’s still locked out.

9 Likes

This is a major issue, in my opinion; a backdoor could theoretically irrevocably ban all the user/s (and their alt/s) of a given experience, including the Moderator/s & Administrator/s, and even the experience Creator.

For an inexperienced Dev (another appeal of this feature), they would likely not think to use the OpenCloud API to unban themselves (also, this would require them to have external VSCode knowledge).

6 Likes

Well, the alt account detection didn’t work when I tested it, so I’m not sure how sensitive it is. But like I mentioned they’re going to provide an interface on the creator hub anyway, so you can just easily unban yourself there.

4 Likes

They should add an “Enable Ban API” toggle, just like they have stuff for HTTP, I guess.

Where disabling it also disables bans being applied and checked. :thinking: This is great, in case someone just wants to switch it off.


This sounds like a very cool solution, because indeed there are probably people that do not need, or have never needed, a Ban API, regardless of whether they used a third party to ban.

But perhaps a toggle in the Settings promotes the Ban API way too much, and maybe Roblox doesn’t want to promote it.


I don’t know how Roblox handles feedback, nor whether they have QA-like tests (not the platform/OS-based QA). They do listen to feedback, but I feel like there’s feedback that doesn’t land anywhere.

4 Likes

What is very interesting is that there is protection to ensure you don’t ban UserId 1 (the Roblox account), which is most likely never going to join your experience; yet you are still able to ban yourself…

3 Likes

erm… just publish a version of your game containing a script that unbans you??? Maybe I’m missing something.

2 Likes

A workaround to prevent soft-locking yourself in the first place: I suggest utilizing “whitelist” code, i.e. a dictionary or array of user IDs, then looping through it to verify whether your ID is in it before running Ban API code.

This is more like a band-aid solution in the short term, but Roblox should implement some kind of actual protection for the game owner and the list of users who can edit the game. Maybe even create a dedicated whitelist on the website or in Studio of users who cannot be banned at all.

1 Like

Simple fix to prevent this issue: when running BanAsync, throw an exception if the banned user ID is equal to the creator’s ID. I do feel like dealing with edge cases such as potentially banning yourself is something you should prepare for when utilizing the ban API.

1 Like

This doesn’t address the primary concern, which is malicious actors (ie backdoors) using BanAsync to ban the user/s (and their alt/s) from a given experience, including the Moderator/s & Administrator/s, and even the experience Creator.

Nothing can or will address this, until Roblox either whitelists the Creator or allows UnbanAsync to be run in Studio.

I believe this has been sort of fixed. I went on my alt and attempted to ban myself; it returned the same error as if I tried to ban userId 1. Place creators now seem to have a protection.

1 Like

I thought about it, but didn’t ever try it.

It would work if the script gets executed by joining as the only person before or after the Ban API kicks you.

Someone told me and showed me that banning the Main works with alt detection.

It didn’t work for me, maaaybe it’s because of a different reason.

I was thinking of:

  • Maybe it depends what Region you’re in due to ToS or something?
  • Or something else that nobody should really worry about?

ExemptAltAccounts should be set to false

But I wonder about mixed bans.

Yeah, this was one of my concerns when I saw the news as well.

Could not reproduce this. It still banned me.

Really wish they would allow the API to work in studio. Before I had my discord bot, I would just run a DataStore async call to ban people in the command line.

Is it possible to 100% disable Ban API on my experience? To prevent the possibility of malicious users trying to ban everyone.

1 Like

This is just an acknowledgment announcement!

We’ve filed a ticket into our internal database for this issue, and will come back as soon as we have updates!

Thanks for flagging!

7 Likes

If you’re not using the Ban API in any scripts, you’re fine.

The person you’re replying to specified backdoors, meaning you’d need to have used the API in your experience in some way for the backdoor to tie into the Ban API.