Help with an inventory/data system

I know that people always say not to trust the client and do as much as you can on the server or with server validation, but how can this be done in all situations?
I have a few specific situations in my inventory/data system that I’m not sure how to go about. The inventory system is in ServerScriptService.

  1. I want someone to be able to touch a part, and it gives them an inventory item. This would be through a Script (Server Script) under a part in the workspace. Is this secure?

  2. Making an admin only console where you can give players items or cash.

  3. Purchases

  • With Robux
  • Without Robux (in-game currency)

If anyone could help that would be great! I’m mainly looking for concepts, since the basis of the system is already written out.

Upon entry into the game, you can add a folder into the player, and as they get items you add StringValues into that folder. Then, when you save the data, just save whatever is in the folder. For example, when you’re touching the part, you can use that server script that triggers the event when it is touched to create a StringValue and insert it into the player’s inventory folder. Now, the admin console would work a bit weird, as you would have to check if the player has the required asset or UserId to open the admin console. From there you would then have a few buttons to signify what you want to give, how much of it, and to what player. You then fire a RemoteEvent from the client to the server, and I suggest creating a specific script just for that. Purchases are simple enough, as you just click a button from the GUI, send a RemoteEvent to the server, and prompt the purchase. In-game currency would work the same as well, except when you fire that RemoteEvent you specify the amount of cash on the server script. I hope this could be of help to you!

Imagine somebody has

a) the ability to call any remote in your game at any time, with any arguments, and knows what those arguments normally look like, and

b) complete control of their own character’s physics and movement, as well as the physics of parts around them. This includes the ability to fire touched events at will.

However, that someone has no access to the server code, other than through events.

Design your game so that even with all that power, someone couldn’t break things too badly. It’s impossible to be perfect, but Roblox makes it impossible, so do your best.

Not always, as @nicemike40 said, the player has full control of his character and can perfectly teleport to the items and thus steal them.

Never put the console in StarterGui; it should only be delivered by the server, and always check the RemoteEvents and RemoteFunctions.

You could have a registry; it is very difficult to hack it as long as you have everything you need on the server.

2 Likes
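The server-side checks discussed in this thread, for the in-game currency purchase and the admin console, written out as an added example that is not code from any of the posters. The RemoteEvent names (`BuyItem`, `AdminGive`), the `Inventory` folder and `Cash` IntValue under the player, the item names, prices and the admin UserId are all assumptions for illustration.

```lua
-- Server Script in ServerScriptService. Added example; all names are assumed.
local Players = game:GetService("Players")
local ReplicatedStorage = game:GetService("ReplicatedStorage")

local buyItem = ReplicatedStorage:WaitForChild("BuyItem")     -- RemoteEvent (assumed name)
local adminGive = ReplicatedStorage:WaitForChild("AdminGive") -- RemoteEvent (assumed name)

-- Prices and the admin list exist only on the server, so a client cannot edit them.
local PRICES = { Sword = 100, Shield = 250 } -- constructed sample items
local ADMIN_IDS = { [123456] = true }        -- placeholder UserId

local function grant(player, itemName)
	local inventory = player:FindFirstChild("Inventory")
	if not inventory then
		return false
	end
	local item = Instance.new("StringValue")
	item.Name = itemName
	item.Value = itemName
	item.Parent = inventory
	return true
end

-- The client sends only the item name. Price and balance are looked up here,
-- so a forged call with odd arguments can at most buy a real item at its real price.
buyItem.OnServerEvent:Connect(function(player, itemName)
	if typeof(itemName) ~= "string" then return end
	local price = PRICES[itemName]
	local cash = player:FindFirstChild("Cash")
	if not price or not cash or cash.Value < price then return end
	cash.Value -= price
	if not grant(player, itemName) then
		cash.Value += price -- refund if the item could not be delivered
	end
end)

-- `player` is filled in by the engine, not by the caller, so the admin check
-- uses it and ignores any identity claimed in the arguments.
adminGive.OnServerEvent:Connect(function(player, targetUserId, itemName)
	if not ADMIN_IDS[player.UserId] then return end
	if typeof(targetUserId) ~= "number" or typeof(itemName) ~= "string" then return end
	local target = Players:GetPlayerByUserId(targetUserId)
	if not target or not PRICES[itemName] then return end
	grant(target, itemName)
end)
```

Hiding the admin GUI from non-admins is a convenience only; the `ADMIN_IDS` check inside the handler is what stops a non-admin who fires `AdminGive` directly.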