How to fix the t shirt purchase exploit for donation games

GetProductInfo doesn’t hold true.

1 Like

Ahh, I did not know that. Seems like a platform flaw then.

2 Likes

the client can prompt on their own or send a remote event so this wouldn’t prevent exploiter.

1 Like

it does because if they send the id then just get the price with marketplace service then if the id the player bought is different to the one that got sent then just do nothing

2 Likes

yeah facts. if we were able to make a web request to roblox and get the exact purchase…

so for the group sales endpoint… there’s a pending property. and i wonder what other properties come up for that.

1 Like

the problem is the getproductinfo doesn’t hold true. it’s cached. look at clip above but also try it for yourself

1 Like

If you send a remote event as soon as they click it then it can’t be faked otherwise the person would end up paying the faked amount

2 Likes

they can send it themselves. or just prompt themselves.

1 Like

here are two endpoints i think worth exploring to resolve this issue. can update…
/v1/groups/{groupId}/revenue/summary/{timeFrame} (but this might not be valid if purchase is pending)
/v1/groups/{groupId}/transactions
Roblox-Apis/Documentations/economy.roblox.com.md at main · NoTwistedHere/Roblox-Apis (github.com)

1 Like

Yes they can send the remote themselves however when a user clicks it you can send a remote with the id of whatever they’re buying. Then detect if they bought it or not. Remove the id. If there is another id sent through but it doesn’t equal the bought one which you can check from the callback then do nothing

2 Likes

How long before the cache expires, or is it not known/unreliable?

2 Likes

i’m not sure what you mean by this. how would you detect if they purchased. there’s purchaseFinished which won’t work for this.

1 Like

i do not know exactly but i would say too long.

1 Like

purchased finished would work for this? How would it not

2 Likes

purchase finished occurs when you press okay. not when you press buy.
press buy roblox takes the price.
press okay game server takes the price.

1 Like

This works for non exploiters. But what we have to realize is that purchase prompting is all done on the client. Even if you call it from the server, it’s the client that has to handle the prompting. This means in theory using an exploit you can delay the prompts, remove it, or whatever. And the server would not know. All the server knows is when it attempted to send the prompt and when the prompt is finished which only fires after the client presses “OK”.

2 Likes

A solution here which Roblox has already incorporated for DevProducts is a purchase receipt that tells you everything including the price a product was bought at. This would literally eliminate any possibility for this exploit to occur.

6 Likes
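
The DevProduct receipt that the post above refers to, as an added example that is not part of the thread: a server-side `ProcessReceipt` handler that records the amount from the receipt's `CurrencySpent` field instead of a cached `GetProductInfo` price, and ignores replays of the same `PurchaseId`. The product id, DataStore name and ledger layout are assumptions, and this covers developer products only, not the t-shirt or gamepass purchases discussed in the thread.

```lua
-- Server Script (added example; names below are hypothetical)
local MarketplaceService = game:GetService("MarketplaceService")
local DataStoreService = game:GetService("DataStoreService")

-- Hypothetical DataStore holding one ledger per donor
local donorLedger = DataStoreService:GetDataStore("DonorLedger")

-- Placeholder developer product id; replace with the game's own
local DONATION_PRODUCT_IDS = {
	[0] = true,
}

MarketplaceService.ProcessReceipt = function(receipt)
	-- Only handle products this script is responsible for
	if not DONATION_PRODUCT_IDS[receipt.ProductId] then
		return Enum.ProductPurchaseDecision.NotProcessedYet
	end

	local key = "donor_" .. receipt.PlayerId
	local ok, err = pcall(function()
		-- The transform function must not yield, so the duplicate check
		-- and the credit happen in one atomic update on a single key
		donorLedger:UpdateAsync(key, function(ledger)
			ledger = ledger or { total = 0, seen = {} }
			if ledger.seen[receipt.PurchaseId] then
				return nil -- already credited; nil cancels the write
			end
			ledger.seen[receipt.PurchaseId] = true
			-- Amount comes from the receipt, never from the client
			-- and never from a GetProductInfo lookup
			ledger.total += receipt.CurrencySpent
			return ledger
		end)
	end)

	if not ok then
		warn("Ledger update failed, purchase will be retried: " .. tostring(err))
		return Enum.ProductPurchaseDecision.NotProcessedYet
	end
	return Enum.ProductPurchaseDecision.PurchaseGranted
end
```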

Ok so here is another solution.

You get the users items store it in a table somewhere

When they press the button you call a remote event which passes the gamepass id and the target player

you check the id against the target’s gamepasses if they have it all good otherwise just return

You get the cost with marketplace service

Wait for an event from the client with if they bought it or not and the bought id.

check the target players gamepasses again

if the id is the same as the last one and the price is the same we run whatever code

otherwise just run the code if it was the previous price

2 Likes

can’t rely on remote event for this. unless we were able to use something like getProductInfo in a loop on the server but the price on that doesn’t hold true.

1 Like

I think this has potential for a different exploit, where user can create an item with an insane price, join the game to get the price cached, then change the price and someone else buys the now-cheap item, yet game records the insane price, because everything else, except for the price, matches.

Easy to add some price checks, but their success rate depends on how frequently GetProductInfo() cache expires.

Also, this exploit requires two people/accounts, so a bit more effort.

2 Likes