I understand that a localscript fires an event to the server to check if the requirements for a specific action are fullfilled, however my question is, since exploiters can access and edit localscripts, what stops them from simply removing the code snippet that fires the event? For example, let’s say I have this script (sorry if the script has any mistakes):
-- LOCALSCRIPT
local toolgiver = *pathToTool*
local event = *pathToEvent*
toolgiver.Clickdetector.MouseButton1Click:Connect(function(player)
event:FireServer()
event.OnClientEvent:Connect(function(player, isValid)
if isValid then
-- code here
end
end)
Couldn’t the exploiter just remove the snippet where the event is fired and do local isValid = true ?
I have searched for an answer on the devforum however I couldn’t really find anything. Thanks beforehand!
You’re right, that was a dumb example, sorry
But what if I, for example, have a GUI button and when the button is clicked and the player has the needed group rank, another GUI is showed to the player? The visibility of the GUI would have to be handled on the client, so that’s where I get back to my original question.
Actually no you wouldn’t need to, you can actually display and change UI from the server
local function onPlayerAdded(Player)
local PlayerGui = Player:WaitForChild("PlayerGui")
-- and now you can add or modify UI
end
Player.PlayerAdded:Connect(onAdded)
So you’d just be able to do UIObject.Visible = true and it would still replicate to the client
But your original question is still a bit unclear to me. Could you uh rephrase it maybe?
Any exploiter can make any UI within their “PlayerGui” visible whenever they want to do so. Just make sure to write checks on the backend for all requests related to this “Group GUI” that validates that the requesting player has the correct permissions to request the server to perform said actions.
Sorry, I was a bit unclear. I meant that I wanted the UI to only be shown to the player who clicked the button. The script you provided would make the UI visible for everyone. However, while writing this it came to my mind that I could just include the players username when I fire the request and then make the UI visible for that particular user.
My original question/concern was, that the exploiter could just remove the snippet where the event is fired and sligthly modify the script, however I realised that, like you already said, I could just let the serverscript handle the actions instead of firing an event back to the client.
You are correct, nothing is secure on the client, ever.
Sanity checks usually happen on the server (I say this because you can sanity check to a degree on the client, but that is a whole different topic). Anything you receive from the client must be the bare minimum amount of information to request anything, letting the server validate the information and request.
Your example is faulty because you would need to clone the tool on the server anyways. Otherwise, the player will have a tool that only exists on their client (which is also important to secure any tool remotes you may have as well).
Yeah I just wanted to show that you could modify UI on the server. You can probably add your own logic to make it only visible for a specific player (or whatever you’re going for)
A few replies pretty much already answered your question, but I like to share this paradigm with programmers experimenting with Roblox’s client-server model:
The client should never be able to make decisions on its own. The client can request whatever resources it wants to create/distribute, but the server has the final say in determining if that client has the proper authorization to complete the request.
Additionally, I see you’re also asking about a UI to only show for a specific player. You should assume that exploiters will enable this UI by themselves, so any features that the UI provides should be sanity checked on the server.
