ReplicatedStorage and ModuleScripts that access the server

Goldangy · September 1, 2019, 3:41am

Hey guys,
I have a simple question - let’s say I want clients to have only part of my server data. If I have a module in ReplicatedStorage that accesses ServerScriptService/ServerStorage, can exploiters possibly access other parts of the server by just calling server services?

Example:

local ServerScriptService = game:GetService("ServerScriptService")
local SampleModule = {}

function SampleModule:Method()
    return ServerScriptService.Data.SomeData
end

return SampleModule

Will exploiters be able to modify this method and change it to get their desired server data?

Usering · September 1, 2019, 4:08am

Any call you make to get contents of ServerScriptService/ServerStorage on the client will error due to the contents only being visible to my the server.

RomeoEDD · September 1, 2019, 5:29am

to ensure that this function in the module is not called from the client you can do this

local runService = game:GetService("RunService")
SampleModule.Method = runService:IsServer() and function()
     return ServerScriptService.Data.SomeData
end

byc14 · September 1, 2019, 9:46am

ModuleScripts run in the environment and at the context they’re require()ed from.

-- ModuleScript
local module = {}

function module.DestroyBaseplate()
    workspace.Baseplate:Destroy()
end

return module

-- From client
local Module = require(ReplicatedStorage.Module)
Module.DestroyBaseplate()

-- Server:
print(workspace:FindFirstChild("Baseplate"))
-- > Baseplate

-- Client:
print(workspace:FindFirstChild("Baseplate"))
-- > nil

-- From server
local Module = require(ReplicatedStorage.Module)
Module.DestroyBaseplate()

-- Server:
print(workspace:FindFirstChild("Baseplate"))
-- > nil

-- Client:
print(workspace:FindFirstChild("Baseplate"))
-- > nil

The ModuleScript returns the module table to the localscript and the localscript executes the DestroyBaseplate function, vice versa.