Off-sale assets can still be downloaded

If an asset is set as on-sale and then returned to off-sale, it will still be downloadable. In the below screenshot I am not signed in and the asset is off-sale, yet I can still download it because it was on sale for one day over two months ago. I don’t think I need to explain why this is an issue.

edit: as stated in my reply the download button is added by an extension, however, the button is linking to Roblox’s asset delivery API (https://assetdelivery.roblox.com/docs). My expectation would be that requests to this API for off-sale assets would return a 401 status code rather than the asset. I should also note that the asset delivery API will return the most recent version of the asset, not the most recent public version of the asset.

edit 2: various reproduction information

The asset in the above screenshot is: Asset Test - Roblox
The download button is linking to: https://assetdelivery.roblox.com/v1/asset/?id=6106629980

(clicking the above asset delivery link will prompt you to download a .jpg file, but if you change the extension to .rbxm, it is in fact the asset)

I first created the asset by uploading a module script with the content “-- Version One”. I then set the asset to off-sale. Once off-sale, I was still able to download the asset while logged out.

I then edited the module script to have the content “-- Version Two (copylocked)” and published it over the asset. After doing so, I was able to download the off-sale asset while logged out and still got the most recent version (that was uploaded while the asset was off sale) with the content “-- Version Two (copylocked)”

2 Likes

This is because of BTRoblox, not ROBLOX itself.

3 Likes

That’s a browser extension, not a native Roblox feature. You need to add more technical details on how this is an issue without the browser extension for this to be actionable for engineers.

Either way, IIRC a couple years ago when I tested this, it was the case that any asset hash that you have published while the asset was Free will always remain downloadable by anyone. So if your model has versions 1 through 10 and it was Free while you published versions 1 through 5, then versions 6 through 10 are copy-protected but versions 1 through 5 are forever available for any user. (This might not be the case anymore but could explain the issue you are seeing with the browser extension)

2 Likes

Correct, the button is provided by an extension, but it is using Roblox’s asset delivery API. My expectation would be for the asset download URL to stop functioning when the asset is private.

I thought this might be the case too, I checked, it’s not. The latest version is available regardless of the on-sale status.

1 Like

Yeah +1
BTRoblox has some features that shouldn’t be accessible normally anyways, most abusing the Roblox API, such as checking how much games have made and other things which shouldn’t be accessible and should be private information. And this has existed for many years, and @Minstrix I don’t think Roblox is going to do anything about this, as checking the things that shouldn’t be accessible like I mentioned has existed for months/years and Roblox hasn’t done anything or mentioned it yet as far as I’m aware, they either don’t care or don’t see it as a big enough problem to completely change their API.

1 Like

Can you make a change to the module and publish it and see if you can still get the latest version? Just turning it off-sale doesn’t create a new version AFAIK.

I understand you mean well but please don’t speak for Roblox! If the user finds the behavior unexpected it should still be reported as a bug so Roblox can comment. No point in making assumptions based on the fact it has been this way for a while.

5 Likes

That is exactly what I meant when I said “I checked” - the newest version of the module is given.

2 Likes

It appears this issue was happening because BTRoblox was using non-incognito cookies in incognito tabs, giving the illusion of downloading off-sale assets while signed out. I’ll leave this post up for anyone who is searching about this in the future.

6 Likes
