I was doing some research into privacy in Lua and the way in which variables can be interacted with. I found this post on the official Lua guide: https://www.lua.org/pil/16.4.html
It suggests that anything placed within a variable (such as a function) cannot be accessed directly. I was wondering whether someone could explain how this works, and whether this is still applicable to Roblox. I can see this being useful in client-side circumstances. If I’ve completely misread what privacy in Lua entails, I would love for someone to correct me.
This is a nice read-up for vanilla Lua; however, unfortunate as it is, exploits will deem all of this useless due to their intricate and, frankly, rather impressive methods of attack. So sadly, no.
Exploits can modify LocalScript environments, the Luau registry, the Luau stack, and many other impossible levels of access we cannot dream of as ROBLOX developers.
I guess it goes with the rule of whatever you put on the client is exposed.
From a purely Lua perspective, do variables which encapsulate functions only return the result of that function? If so, that must mean that exploiters can access the raw code on the client side. I would have thought exploiters could be much more damaging if that is the case (even if you have good server-side checks).
I’m sorry that I noticed this so late, I’m rather tired right now.
As for your query, exploiters cannot access the “raw code” (EDIT: in the sense of 1:1 with what you wrote) from any script. However, bytecode is serialized with LocalScripts (assuming they have any code in them), which means that exploits can develop a “Decompiler” which “Decompiles” the bytecode into Lua code (Luau in the case of ROBLOX) with some imperfections (at least this is the case as far as I know). I do not believe a “perfect Decompiler” has ever existed, and there are errors, an example being: defining a variable that needs to be set based on a conditional statement and its else(if) branches in the first conditional.
This is also somewhat common in other Lua decompilers, but might not be an occurrence for Luau decompilers, although I’m not exactly sure.
But yes, all clients do essentially “have the raw code.” (So raw it’s compiled VM bytecode… Gordon Ramsay would not be happy.)
The best rule of thumb is to always do everything on the server, and use the client side solely for interaction, UIs, etc. Exploiters have access to more than you think, and can completely ruin gameplay if you’re not careful with your server-sided checks. Exploiters can read all LocalScript code for the most part (not server Script code, however), and can even send fake remote event signals, which is why you should always have proper server-sided checks.
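As an added illustration (not code from this thread), a server Script that keeps the PIL 16.4 closure pattern where it actually provides privacy, on the server, and validates every RemoteEvent request instead of trusting the client. It assumes a RemoteEvent named "BuyItem" in ReplicatedStorage and a constructed price table.

```lua
-- Added example (Luau, server Script); the RemoteEvent name and prices are assumptions.
local Players = game:GetService("Players")
local ReplicatedStorage = game:GetService("ReplicatedStorage")
local buyItem = ReplicatedStorage:WaitForChild("BuyItem") -- assumed RemoteEvent

-- Constructed price list; only the server ever consults it.
local PRICES = { Sword = 100, Shield = 75 }

-- PIL 16.4 style: coins live in an upvalue of these closures. On the server
-- this is real privacy, because no client code can read or replicate it.
local function newWallet(startingCoins)
	local coins = startingCoins
	return {
		balance = function() return coins end,
		spend = function(amount)
			if amount > coins then return false end
			coins -= amount
			return true
		end,
	}
end

local wallets = {}
local lastRequest = {}

Players.PlayerAdded:Connect(function(player)
	wallets[player] = newWallet(200)
	lastRequest[player] = 0
end)
Players.PlayerRemoving:Connect(function(player)
	wallets[player] = nil
	lastRequest[player] = nil
end)

-- Every argument arrives from an untrusted client, so the server takes the
-- player from the connection, type-checks the payload, rate-limits and
-- checks the balance itself rather than believing anything the client claims.
buyItem.OnServerEvent:Connect(function(player, itemName)
	local wallet = wallets[player]
	if not wallet then return end
	if typeof(itemName) ~= "string" or PRICES[itemName] == nil then
		warn(("rejected bad item request from %s"):format(player.Name))
		return
	end
	local now = os.clock()
	if now - lastRequest[player] < 0.5 then return end -- spammed (possibly fake) remote
	lastRequest[player] = now
	if not wallet.spend(PRICES[itemName]) then return end
	-- grant the item here; the client only ever learns the server's decision
	buyItem:FireClient(player, itemName, wallet.balance())
end)
```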