boolValue - clientside vs serverside in Workspace

Metallica · May 30, 2020, 7:20am

Just looking for some clarification here.

Is the following scenario acceptable regarding security? While I accept the fact that exploiters will always be around, I’d like to make things difficult for them.

Door is a descendant of workspace
BoolValue “locked” and StringValue “key” are children of Door
Script “doorscript” is child of Door (not a localscript), and requires DoorModule (in ServerScriptService)

“doorscript” will pickup a clickdetector mouse click event and calls a function in DoorModule, passing in (player, door).

DoorModule checks Door’s “DoorType” StringValue and handles accordingly. DoorModule will check if a door is locked, and if so (and requires a key), will check if the player has said item.

If the circumstance allows, DoorModule handles opening the door.

Is this safe and sane? My concerns are:

If an exploiter modifies BoolValue “locked”, will this remain client-side? (Will the door act properly and NOT open if they click the door?)
Is there a safe and sane way to handle door animations/tweening from the module script? And/or can it be handled in the doorscript?
Can all of the above be handled inside the doorscript? (Main concern here is repeating lots of code for lots of doors, e.g. checking if player has key)

I have tried moving my tween code from the child doorscript into DoorModule but the animation does not play currently. That being said, I still have troubleshooting to do… but if there is a better way to structure this, I’m all ears.

Thanks all!

Xo_doz · May 30, 2020, 7:47am

I would look into the CollectionService (I believe that is what is is called). You would be able to handle your doors in the server rather than in each door, repeating code. You would be able to store the values in the door at the beginning of the server and use clickdetector. I haven’t used CollectionService at all so maybe someone who knows more about it can explain more, or look at the API.

If you mean client-side as in what the exploiter would see, then I would say yes, but hesitantly. You could run a test server and change it and see what the server-side sees after changing it from the client.

wevetments · May 30, 2020, 8:44am

I’d suggest to store states in a table rather than relying on ObjectValues

Xo_doz · May 30, 2020, 8:52am

Yeah I didn’t make it clear, by values I meant the BoolValue and StringValue that is in the door referred to in the original post. Whoops. May still not be the best thing, but it’s 5am right now.

ArtFoundation · May 30, 2020, 9:09am

They can see it and probably affect it client-side but nothing will happen if it was made by the server or placed in workspace from Explorer.

Generally as a future reference, if anything is made by the client, its theirs, even if it’s a part or a boolvalue, they’ll never replicate the change to the server if it wasn’t made by them.

Metallica · May 30, 2020, 5:37pm

Thanks, I was not aware CollectionService existed. It looks like a great solution once I read up on it some more.