I’m currently working on an admin GUI which allows the creator of the game to do things like kicking players etc. I wan’t to store this inside the ServerStorage and clone it into the game creators’ PlayerGUI whenever they join by using a playeradded event. Is there any way for exploiters to access the GUI?
If you mean by just taking the UI: They’d only be able to steal it while an admin is in game with the UI in their starter UI which the server inserted.
If you mean use the commands: It depends on server side sanity checks and how you handle it.
This way, considere it stolen yet. What you could do is, the script giving you a local script which clone the gui into your PlayerGui then the server script would delete the local script something like 0.1-0.25s later
Also, do not forget to compare the one to use commands with admin’s name with a table
Yep that’s true. But you could defend this action by a few steps.
- Use the
.ChildAddedevent on PlayerGui and check if the child that got added was a ScreenGui and was it named as the AdminGui.
- If the gui is found then simply kick the player. (Don’t worry about firing a RemoteEvent, as the player can be kicked from the client as well)
An example could be something like this:
local player = game.Players.LocalPlayer local PlayerGui = player:WaitForChild("PlayerGui") PlayerGui.ChildAdded:Connect(function(gui) if gui:IsA("ScreenGui") and gui.Name == "AdminGui" --[[Change the name to your admin gui name]] then player:Kick("Hah, tried exploiting? Nice try brother!") end end)
In fact, no.
The players in a server have no access to another player’s, in that server, PlayerGui, and it is replicated across the server only. It is not necessary to put the UI in the StarterGui folder and delete it constantly. ServerStorage service is a kind of full-of-secure against exploiters and can only be reached by the server or from a request by a client to the server. What @JayPlays_JP suggested in his post is the best to do.
exploiters can’t access other players startergui/gui (i think)
When developing any sort of security system, I find it best to assume that anything related to client stuff is already compromised by an exploiter. Although in this case, you said you cloned it from ServerStorage into a PlayerGui, which should mean that an exploiter wouldn’t be able to access it since another player’s PlayerGui is not replicated to other players. However, I would recommend to implementing the relevant server-side sanity checks which has been previously mentioned (such as is the player who is doing a certain action the game owner, etc).
An exploiter could access it, a PlayerGui can’t be trusted
What @AridFights1 suggested isn’t a very secure way of doing things as the local script could easily be deleted by the exploiter. If the UI is just being cloned to the PlayerGui when an admin joins with zero ways to secure the commands being executed, it’ll be a target for exploiters. Instead of storing the GUI in ServerStorage and only relying on that to secure your admin system, you should be running these checks on the server with Remote Events.
An example of this:
game.ReplicatedStorage.AdminEvent.OnServerEvent:Connect(function(Player,Command,Target,Reason) if Player.UserId == game.CreatorId then if Command == 'Kick' then Target:Kick(Reason) end else Player:Kick('You do not have permission to use this event.') end end)
game.ReplicatedStorage.AdminEvent:FireServer('Kick',game.Players.UsernameYouWantToKick,'Reason for kick here')