Group Games - Ability to modify rank/role through Lua API


#1

User Story:

As a developer, it is impossible to create an interactive community with group games.

User Types, Use Cases, and the Benefits of Fulfilling Them:

The Game Fan Group:

Groups like berezaa Games, Pokemon BrickBronze Version, and StyLiS Studios are communities for the game(s) hosted by the group. There’s not much interaction with the community aside from shouting update statuses and posting on the group wall, so there’s not a whole lot of incentive to join the group. Tying in ranks with in-game achievements could help these communities grow:

  • Allow groups to expand their ranks past “Fan”, “In-Game Moderator”, “Developers”, “Owner” because anything past that is too much manual work
  • Encourage user interaction with the community by rewarding then with ranks based on in-game achievements for status
    • Currently BrickBronze does this manually for all 700,000 of their members!
  • Allow subcommunities of the game to exist in the group as well
    • This past RDC, ROBLOX mentioned they wanted to make forums a group/community thing. Being able to manipulate communities in-game would allow me to do something such as move users into ranks based on which of the six races they’re in and give them access to exclusive forums and walls

The Roleplay Group:

There are various kinds of roleplay groups. Some are military-based and have ranks like recruit, private, … officer, etc. Some are based on real life and have ranks such as “stylist”, “dresser”, “designer”, etc. These ranks are critical to the interactiveness of the community, so these groups spend enormous effort managing roles in the group. A war group might host a training and manually promote every single attendee afterwards. A coffee shop roleplay group may log users’ hours in the DataStore and then request members PM them for promotions when their hours are above a certain amount. The ability to modify ranks through the Lua API would:

  • Save these groups a tremendous amount of effort by removing the need to manually manage ranks for the masses
  • Save these groups, which notoriously have trouble bringing in talented programmers, the hassle of needing to have a member who knows how to write web bots
  • Save these groups which may not make money the revenue they’d have to expend paying someone to write them a web bot and paying for a server to host it on
  • Save these groups the headache of relying on free web services which have regular downtime or insane rate limiting

A Solution:

Server scripts in group games need to be able to modify the ranks of members through a Lua API, potentially the ability to exile members as well. Accepting/denying join requests might be useful as well, as there are groups who require users to complete a challenge and earn a badge before being manually accepted into the group.

Security Concerns:

It would not be great for someone to insert a free model into their game, or somehow some is able to run server code through an exploit, only for malicious code to demote everyone to the lowest rank or remove them from the group entirely. To address these concerns, ROBLOX should provide a private key in Group Admin only visible to the owner which is needed to use the API methods for changing rank/etc. The owner should also be able to control the maximum rank the group games are able to change. This is about as secure as current solutions utilizing a web bot.

There are further security concerns:

  • What do you do if your server scripts are leaked?
    • Someone both has to have your leaked game and access to run server code, so this is probably unlikely
  • What do you do if one of your developers who has edit access finds the API key in a script and uses it to exile everyone?
    • Maybe there’s a need to whitelist script hashes instead of using a private key to prevent tampering by users who don’t have permission
    • This is also possible with people abusing admin priveleges in a group, so maybe the solution isn’t to protect the key, but to render admin abuse ineffective by being able to revert rank changes and pending exiles which can be undone

Reply to Post "Group Games - Ability to modify rank/role through Lua API"
Automatic group promotion from a group game?
#2

This sounds cool. It’s like receiving badges, but instead they can also be taken away from you and on top of it, people can notice your achievements easier. Support.

Also, I think you already thought about this, but if this were to be implemented, this should probably become a (or a set of) method(s) that can only be called through server scripts/script inside the ServerScriptService to prevent many exploits.


#3

I would love to have this to work with


#4

This would be great to have solely in Lua, but for the moment, you can probably write a script that connects to a site and tells it to log onto a bot account that has permissions in the group to change players’ ranks.


#5

#6

This would be great, support :smiley:

There would just have to be a way to allow only certain games to be able to change the rank, maybe only games made by the group and then possibly a way to manually add other games that are allowed rank change privileges as well?


#7

Support. Allow changing ranks even to ranks that can exile other members?


#8

I just fear that this can be heavily abused by exploiters in non FE-games or FE-games with some flaws.


#9

Temple of Memories already does this through an external server and a bot account thanks to @As8D. It’s not to hard to set up, make sure you appoint an access key too. From already experiencing the effects, it’s a really good idea, support.

My group ranks are based on the levels people are in-game.


#10

The group owner should be able to configure promotion privileges per-game similar to group permissions.

As can everything many other things – if you don’t want to open up the potential for that to happen, then don’t enable it in your games. Otherwise, groups that can responsibly manage their places can enable it. They can also limit the ranks the API can promote to in order to prevent any serious damage, should a vulnerability in their game be discovered.


#11

What if ROBLOX made a better Group API to deal with this? I’m pretty sure they would considering that they are doing a revamp of the groups page in 1-2 months.


#12

Better group API as in one that can be used in-game to promote/demote users? Yeah – I completely agree – that’s what I’m suggesting.


#13

What about the countless groups that use a third party admin as kohl’s (or what the latest one is)? They can for instance sideload a script to change ranks. (This is a mere explain, I am not implying that someone will go rogue or so.)

Sure, this is an ok idea but there are too many security flaws in my opinion to this and making so that groups can limit it is still pretty risky to be honest as pretty much “any clan/group” would use this instantly without looking at the major flaws (depending on how it is designed ofc). Atleast a sort of secret key that is supplied with the call would be needed to be somewhat more secure eg game:GetService( ‘GroupService’ ):SetRoleInGroup( intGroupID, strSuperSecretKey, intRole ) ;

A better web api - for sure, I would love that as the current methods are a tad hacky, heh.


#14

Your suggestion doesn’t sound like a bad idea. ROBLOX could generate a code when rank changing was enabled and display it on the game config page. Developers would then copy that and use it in their invocations of the rank changing method. There shouldn’t be any security issues after that – in fact, it’d be more secure than current implementations using user-hosted webservers as even if the server code is stolen through an exploit, that can’t be used to access the promotion API as it has to be done through that game, as opposed to a webserver which takes requests from anywhere.


#15

I support this idea. Of course there would need to be a few work-around’s to this in order to prevent exploiters from promoting themselves in random groups, such as it can only be used in group games and as a server script. Other than that, a solid idea.


#16

I absolutly think this idea should be done, this will reduce the use of httpservice (not that thats a bad thing) for war clans and other groups. 100% support!


#17

Hello everyone!

So right now it is impossible to give and remove ranks from a user in rbx.lua without using httpservice, it would kinda work like this:

game:GetService(“GroupService”):PlayerAddRank(int userId,int rank, int groupid)

it would return if they are in the group and give them the rank so provided in the group id provided, will error if that rank is not in role set, if the player does not exist and if the group does not exist, can not be called from a local script. if the rank was lower then the rank the user has then it would lower their rank. I think this would most be used by the war clans as they would no longer have to use httpservice to do this.

Thanks for reading and I hope you support this idea! :wink:

Heres another post: Group Games - Ability to modify rank/role through Lua API


#18

I was wrong.


#19

I have updated the feature request to follow the template and improved the general reasoning of the post. Previous concerns are now addressed in the OP.


#20

quick note for ur desc of this berezaa games actually does use a bot to give ranks based on if they enter a special code they get from a discord bot which is unique to that player, just so u know.

werygergvewr
That is the bot, it is one rank above “Ranked Member”