are u sure PromptGamePassPurchaseFinished is vulnerable? because there is no processreceipt for gamepasses
Your first sentence made me almost write a whole paragraph, then I understood that it was ironic.
Get rid of it as fast as you can, you're gonna have to find another way to track gamepasses.
It's still a vulnerability, so it should be fixed either way.
still it's a vulnerability
how about gamepasses? skids can just send fake signal to server and pretend to have all gamepasses in existence (aka free stuff without paying roblox piracy??)
i've tested this in my game and the PromptGamePassPurchaseFinished does not seem to be vulnerable, but the products were
you could say that remote events fired from the client are a vulnerability. you are given tools by roblox engineers and they tell you how to use them. you can't sue a sewing machine company because you tried to hammer a nail in with it and broke the sewing machine
You're right, I shouldn't sue the company, I should sue the sewing machine.
Gamepass can be checked on the server with UserOwnsGamePassAsync from the MarketplaceService.
It's so crazy that many people won't take time to search this thing up.
it won't work when someone buys in-game because it's based on cache
however i gotta admit i don't know if that's even true because i didn't test it in first place
aka you need to tell your players to rejoin the game after they purchased the gamepass (and use UserOwnsGamePassAsync once player joins game)
and yes i already knew about this function
double reply: yep someone already said this
Err, there's tons of confusion here. I think you may be getting the two events twisted. ProcessReceipt is fired upon devproduct purchases, PromptProductFinished is for UI callback(s).
It's important to note their intended usage versus going out of the way to implement unneeded checks that roblox already handles.
This is true as well. It'll require the player to rejoin for the cache to be updated, because of this there's PromptGamepassPurchaseFinished, of course handled on the Server and using some sort of tag system indicating the user can access all game pass assets/tools.
^ yes, this is what i meant but i was joking around lol
prompt finished should be used for anything client side like loading or menus closing/ animations. processreceipt for actually handling purchases.
see my point here this is stupid
you can't handle gamepass purchases without opening vulnerabilities to exploiters
you need to tell your players to rejoin the game instead of giving the effects of that gamepass instantly (just so it can't be exploited)
Unfortunately, this is not the case; this event is fired by the client to the server and is not validated on the server by default.
gamepass is entirely safe from exploiters. it's a getasync, which directly queries roblox's databases. you are misinformed entirely
the post doesn't mention roblox databases in any way so i have no idea what the hell are you talking about
Hmm, is it not possible to determine the origin of the signal with getfenv?
you can't handle gamepass purchases without opening vulnerabilities to exploiters
yes you can. gamepasses are entirely free from this vulnerability. because they are checked with an async function. which uses the inventory api.
you need to tell your players to rejoin the game instead of giving the effects of that gamepass instantly (just so it can't be exploited)
wrong. again, userownsgamepassasync(). you don't need to make them rejoin at all.
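
The server-side check the thread argues about, as an added example that is not code from any poster: the purchase-finished signal is treated only as a hint, and perks are granted solely when UserOwnsGamePassAsync confirms ownership on the server. `GAME_PASS_ID` is a placeholder and the `HasExamplePass` attribute is a hypothetical name; if the ownership lookup is stale right after a purchase (the caching point posters disagree on), this code does not grant and the join-time check covers it later.

```lua
-- Server Script (e.g. in ServerScriptService). Added example, not from the thread.
local MarketplaceService = game:GetService("MarketplaceService")
local Players = game:GetService("Players")

local GAME_PASS_ID = 0              -- placeholder: your own game pass id
local ATTRIBUTE = "HasExamplePass"  -- hypothetical attribute marking a verified owner

-- Ask Roblox whether the player owns the pass. The call can throw on
-- network errors, so wrap it and fail closed (no perk on error).
local function ownsPass(player)
	local ok, result = pcall(function()
		return MarketplaceService:UserOwnsGamePassAsync(player.UserId, GAME_PASS_ID)
	end)
	if not ok then
		warn("Ownership check failed for", player.UserId, result)
		return false
	end
	return result == true
end

-- Grant only after the server-side lookup confirms ownership.
local function grantIfOwned(player)
	if player:GetAttribute(ATTRIBUTE) then
		return true
	end
	if ownsPass(player) then
		player:SetAttribute(ATTRIBUTE, true) -- set on the server; clients cannot change the server's copy
		return true
	end
	return false
end

-- Authoritative check at join time, plus players already present.
Players.PlayerAdded:Connect(grantIfOwned)
for _, player in ipairs(Players:GetPlayers()) do
	task.spawn(grantIfOwned, player)
end

-- The signal's arguments are never trusted on their own: it only
-- triggers a fresh ownership lookup for the pass this script handles.
MarketplaceService.PromptGamePassPurchaseFinished:Connect(function(player, gamePassId, wasPurchased)
	if gamePassId ~= GAME_PASS_ID or not wasPurchased then
		return
	end
	if not grantIfOwned(player) then
		warn("Purchase signal for", player.UserId, "not confirmed by ownership check; nothing granted")
	end
end)
```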