I currently have an experience dedicated to custom map testing in private servers.
Players will ask the game server to load their public module containing a map. Although this opens up the custom map testing experience for remote code execution, no single API has led to permanent effects.
With the introduction of Ban API, malicious actors now have the opportunity to anonymously and irreversibly lock out all players from the experience across all other private servers.
Outside my own situation; Ban API could also potentially be utilized in public modules in any experience anonymously and irreversibly.
Please, do add an experience setting to disable Ban API, ASAP.
GetBanHistoryAsync accepts a UserId to check its ban history; there is no API - and by extension, no ban detection methods - to discover who all has been banned, unfortunately.
DataStores go unused in this environment and unfiltered text is both the fault of the map maker and can only ever display to whoever is in that private server with the map maker.
yeah I agree, this is not a Roblox issue, this is purely a system design issue. Regardless of whether issues have happened so far or not, it is up to you to sandbox module execution and not up to Roblox.
This is a very weak use-case because it’s built on insecurity and is applicable to a very small set of users (potentially only you in this instance)
Also OP, you shouldn’t trust the client in anyway in Roblox, consider making a level-editor with people loading their own levels using JSON data they can paste into some TextBox, and have custom maps load/spawn logic that the game already has scripted, you can still have unsecured code if you want but having unsecured code run on a multiplayer game is very risky so i don’t recommend unless it’s entirely singleplayer and other players can’t affect each other.
So TDLR; make a level editor that allows users to only spawn props and pre-existing game logic
You’re right, it doesnt seem like there is a work around for any in-game systems at this point in time, my bad.
If the problem is something your experiencing currently and desperately need a fix, i.e. you have already discovered players abusing this api and wish to stop it, this cloud api endpoint may interest you.
A feature so unprotected that people ask for a way to disable it. However, this is not unheard of, so I can see it being added.
This feature should have an optional lock to prevent abuse in sandbox experiences or ones with backdoors. It needs the same security as HttpService, Loadstring, and 3rd Party Teleports.