Is it fine if I :Destroy() some gui on the server to prevent exploiters?

jees1 · February 6, 2021, 10:24am

Pretty self explanatory as the title says, though I am working on my admin system and trying to work out how the ranks would work. It uses a gui, so I would need to destroy some features for them to not be able to access those areas. I would want to do this to prevent the exploiter from disabling/destroying the localScript that would normally destroy the gui and use a Server side script in ServerScriptService to destroy the gui.

Rigid_Studios · February 6, 2021, 10:32am

You may not be quick enough, the exploiter may have already copied the UI. Also the fact that this question even has to be asked is a bad sign, for a few reasons:

Admin UIs should never be part of Player’s starting GUI, they should be cloned onto the player if the player is confirmed to be an admin.
Admin commands shouldn’t be managed client-side, it seems as though that’s what you’re doing.

If everything were correct, there’d be no need to destroy an admin gui, just copy the correct parts into the player’s PlayerGui to begin with.

ShutzCh · February 6, 2021, 11:55am

You could simply have a server sided check which gets the player’s userid, name or group rank.

pocvq · February 6, 2021, 12:31pm

Really I think it’s ok for an example in a game I’m working for they wanted me to make a GUI that lets you pick the amount of cash you want then I have a extra safety feature it’s them by destroying the place where you put the number of they are not the owners or devs so even if the exploiter clones it it will destroy the textbox and they won’t be able to do anything

jees1 · February 7, 2021, 2:08pm

I have great and reliable checking on the server-side when the event for a command is fired to ensure they’re an admin and are allowed to use the command.

Rigid_Studios · February 7, 2021, 2:09pm

Then put the GUI somewhere in say, ServerStorage, clone it into any admin’s PlayerGui.

colbert2677 · February 7, 2021, 4:32pm

no

It’s just an interface meant to facilitate user actions. You shouldn’t be putting anything sensitive on the panel and if exploiters attempt to use the window, then the server should reject admin actions from non-admin users. The solution is to secure the server with validation of client requests, not hide the window.

pocvq · February 7, 2021, 10:48pm

Well I have a admin panel and what I do is if they are a admin then what happens is it Clones the Gui and sets its parent to StarterGUI and gives them the appropriate cmds of what they can do if not it just stays in server storage.