Group permission API authentication requirements too strict

Problem:

As a developer, it’s too risky to use the group permission API to check permissions for arbitrary ranks in my group. Normally I run bots on alternate accounts, but this endpoint requires that the user be the owner of the group, or otherwise restricts them to only viewing permissions for their own rank. This requires me to disable 2-factor on my account (otherwise it can’t log back in when the process is automatically spun up), which I’m never going to do.

Even in a group where I have as many permissions as humanly possible for a non-owner, have access to Group Admin which can see all rank permissions, and have role 254, I can’t view role permissions for the lowest rank in the group.

If Roblox is able to address this, I would be able to use this endpoint without security tradeoffs for my account.

Proposed Solution:

Any account that has access to Group Admin (which can see all rank permissions) can use the group permission endpoint.


And how should we detect whether or not you may view the group admin page?

I was assuming you guys already have a way of checking this for deciding whether the Group Admin button is displayed.

Last time I checked, anyone with shouting abilities was able to view group admin.

Not sure if it is intentional behavior, could definitely be changed, maybe an “extra abilities” permission box.

We do have logic already in place for deciding whether or not a user can view the group admin page. I’m not asking as staff; I’m asking what it should be instead of adding onto what it is now (if you have suggestions).

If not building off of Group Admin, I’d be fine with ranks with higher roles being able to see the permissions of every other rank with a role <= theirs. I don’t know the specific reason why this API is locked behind a permission check, but I’m guessing it has something to do with users targeting members with specific permissions (for account theft, pestering them to do something over PMs, etc).

There’s no need for members with a higher role (usually meaning more privileges) to target members with lower privileges, and ranks of the same role usually have similar enough permissions that there’s no reason to target between those ranks either.