No longer a way to determine if a user can manage an asset for validation purposes

As a Roblox developer, it is currently too hard to determine if a particular user has permission to edit a particular asset with the recent deprecation of the canmanage API. The new suggested API requires authorisation on behalf of an “authorised user” unlike the old API; so without continuing to use the deprecated API it is no longer going to be possible to determine if a third-party user can manage a given asset.

This is important for our internal processes because we use it for validation purposes. I help run a small-scale platform where developers can list their contributions (we are currently running beta tests, no public access yet), in-where we validate Edit access so that users cannot add experiences/assets which they have no involvement in. While we do provide the ability to list assets where the user may not have Edit access, we provide disclaimers next to these assets stating such. Removing the ability to “verify” Edit access is not an option for us either as it currently creates a deeper level of trust between users.

The only way to achieve our current effect without using the deprecated API is to either:

  • Allow any user to list any asset as something they made: Obviously not ideal given our use-case
  • Require users to provide their .ROBLOSECURITY token: Even worse

If Roblox is able to address this issue, it would improve my development experience because I would be better able to validate that a given user has actually contributed to a given asset.

3 Likes

This feels like a use case for Open Cloud OAuth2.0, where you ask users for permission to list their assets / get assets on their behalf and then you use that OAuth2.0 token on the back-end to validate that you can retrieve the assets’ information / they are the owner of the asset.

We’d need to make sure there is an OAuth2.0 endpoint for your specific use case.

We would probably never expose again a way to arbitrarily check if any user has access to any resource. This might have been the status quo before but there are serious privacy issues with exposing such an API.

2 Likes

It would be nice if a method on an already existing service was added to solve this issue.
There is no reason for it not to be there, it could be as simple as an IsEditor(UserId, PlaceId) method on the Players Service.

This would be very useful for scripting for example an administrator UI that you only want people who have edit access to the game to be able to access.