Ban API, The potential issue of soft-locking yourself, by not being able to unban yourself

There’s a concept:

Roblox puts things on RobloxScriptSecurity, due to concerns, e.g. the ability to create QWidgets, because a Plugin Author could oversize the window or block the ability to close Studio, or with wrong use even crash Studio.

But this only happens if you install a Plugin and you can always uninstall it.

There’s no straightforward alternative provided to create those Widgets outside of RobloxScriptSecurity. That security level is a forced “baby-sitting” (for a good reason).

But there’s no opt-out as well.

 

BanAsync came out. And I am surprised that this was simply just released. Marketplace ModuleScripts could be just as malicious as Plugins :thinking:

Pretty sure they had concerns, but maybe not studied that much.

But… idk

I don’t believe someone like Adonis Admin System or HD Admin, is going to do malicious things to their Modules. So, there shouldn’t be any issue when someone tried to consider it being one.

But using random Marketplace Scripts through InsertService, or without manually analyzing or extracting it out of the cloud, and integrating it into the game, that could be bad.

 

Summarized, BanAsync, doesn’t have much “baby-sitting” support nor was given a lot yet :person_shrugging:
Which is surprising compared to the other things that exist on Roblox that seem to have considered security.

I really don’t know why UserId 1, is magic here

This could be a topic for, how Roblox is for all ages. vs. the innovation of them adding 17+ (to eventually be less restrictive or something, while still supporting the “all ages” thing).

Maybe one day they will allow more customization for a bunch of other technical stuff.

2 Likes

Thanks! Great to see you guys are listening to the feedback.

Something I noticed while testing is when I ban myself I could still test the game in Studio! My workaround is creating a script to unban yourself while in Studio and running it! If you still don’t understand: when I ban myself IN GAME it worked, but when I joined in Studio I could still test!

They mean that you can’t join the game on the regular Roblox launcher. Studio doesn’t check to see if the player is banned, which makes sense as calling the ban functions in Studio has no effect on your ability to play the game.

1 Like

I still don’t understand why banning/unbanning only works in a live production server. It causes issues like this to happen.

I agree! I feel they should check if the owner is banned and unban at the very least! I do understand at the same time that the API is brand new and issues were expected!

I say, Roblox could add a setting on the Creator dashboard that denies getting banned if you’re over or equal to a certain Group level number.

2 Likes

Hi, this is by design. Just like you are able to kick yourself, there is a reasonable scenario where you would want the ability to ban yourself. There are very simple workarounds to avoid banning users, including the experience owners. For example, you could check against an allow list before submitting the ban request. As mentioned above, the OpenCloud API is available to be used to unban yourself.

5 Likes
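The allow-list check suggested in the reply above, sketched as a Luau ModuleScript. This is an added example, not part of the original thread or Roblox's own code; the module name `SafeBan` and the sample UserIds are assumptions.

```luau
-- SafeBan ModuleScript (added example; name and protected IDs are hypothetical)
local Players = game:GetService("Players")

-- Constructed sample IDs: replace with your own admin accounts.
local PROTECTED_USER_IDS = {
	[1234567] = true,
	[7654321] = true,
}

-- For a user-owned experience, CreatorId is the owner's UserId.
if game.CreatorType == Enum.CreatorType.User then
	PROTECTED_USER_IDS[game.CreatorId] = true
end

local SafeBan = {}

-- Splits the requested IDs into bannable and protected lists.
function SafeBan.partition(userIds: {number}): ({number}, {number})
	local allowed, blocked = {}, {}
	for _, userId in userIds do
		if PROTECTED_USER_IDS[userId] then
			table.insert(blocked, userId)
		else
			table.insert(allowed, userId)
		end
	end
	return allowed, blocked
end

-- Bans only non-protected users; returns success and the refused IDs.
function SafeBan.ban(userIds: {number}, duration: number, displayReason: string, privateReason: string)
	local allowed, blocked = SafeBan.partition(userIds)
	if #blocked > 0 then
		warn("SafeBan: refused to ban protected UserIds: " .. table.concat(blocked, ", "))
	end
	if #allowed == 0 then
		return false, blocked
	end
	-- BanAsync can throw (bad config, service errors), so wrap it.
	local ok, err = pcall(function()
		Players:BanAsync({
			UserIds = allowed,
			Duration = duration, -- seconds; -1 means permanent
			DisplayReason = displayReason,
			PrivateReason = privateReason,
			ExcludeAltAccounts = false,
			ApplyToUniverse = true,
		})
	end)
	if not ok then
		warn("SafeBan: BanAsync failed: " .. tostring(err))
	end
	return ok, blocked
end

return SafeBan
```

The guard only covers code that calls `SafeBan.ban`; any script that calls `Players:BanAsync` directly, including third-party modules, is not constrained by it.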

Is there a way to remove the logs from a certain player?

… With the utmost respect, I feel as if this post misunderstands the concerns underlying this bug report, mainly:
(1) Developers should not have to use a cumbersome API to unban themselves (which, additionally, presumes they know how to use the API); and
(2) Malicious actors/backdoors could, if a creator does not know to utilize the API, irrevocably ban the experience creator & administrators.

2 Likes

We have seen this request made and have been discussing this. In the short term, we do not plan to do this because it was meant to be an audit log, and you never want to delete those. However, I certainly hear your arguments that you should be the ultimate arbiter on these decisions. We are figuring out if this is a feature the general community will need, and if so, how to prioritize it.

1 Like

Maybe in the future we get to see the BanAsync stuff in the Creator Hub, which would allow us to work with it there. The only reason I wanted to clear the audit log was because I was trying to test it out on myself before I push it into Prod (in our game).

But thank you for replying can’t wait to see what’s the next for these new tools.

We are actively developing a page on Creator Hub.

5 Likes

  1. We intended the OpenCloud API to be as easy to use as the engine API. Can you please provide some feedback on why you feel that it is cumbersome? We really do want to make this easy for you. Is the documentation unclear?
  2. We have engineers actively trying to find ways to mitigate malicious plugins that introduce backdoors. As you may hopefully understand, this is a hard problem to solve for the entire breadth of ways that code gets executed in your experiences. We would hope that a creator who has been banned would be able to use all of the tools at their disposal. The vision for the page in Creator Hub has not been finalized yet, but that too will be an option soon.

2 Likes

This is so confusing, while testing the new ban API, I added my user id in it to see if it worked, it worked incredibly. Now, when I was removing my user id, I was still banned. /:

Question, trying to understand what this really means.
image

For the inherited boolean, if I want to ban them for all the places under the experience, should I make it true or false?

You don’t set the inherited boolean. That’s why it’s marked “Output Only”.

1 Like

Can you create a separate bug report so we can investigate that separately?

Can’t you just unban yourself with the command bar? It doesn’t ban you from studio altogether.
No idea if anyone has said this already in the topic, but I thought I’d bring it up.

I used this same method to unban myself when we still had to make our own ban systems.

image

Unfortunately, while in edit mode, it’ll request that the request be done on the server.
image
and if run during a server test, it’ll skip over the request instead.
image

I don’t think this should be the only way to unban yourself in the case that people ban themselves. Adding to the command bar usage above, could it be possible to make it not skip over the request if it was made from the CommandBar?

1 Like