I knew I should’ve added something like this to BaseAdmin.
If you want, I can try adding this to BaseAdmin to see if any problems occur.
What? No thank you. It is working fine now.
What do you mean with that? Can you explain?
In the reply you posted earlier about reverting the changes because of an issue, I saw that you updated cross-server ranking and it didn’t go as planned.
I was just asking if I can implement this in my admin system, BaseAdmin, to see if I could get it working.
But you said that it is working fine now, which is great to hear!
And I just remembered I still didn’t add that in BaseAdmin, so I might do that in a future update.
If you are going to modify any part of the system, I would appreciate if you give me credit in some form.
Important notice!
I have recently detected a security flaw in the module. I do not know how big of a problem this might be.
Basically, an exploiter could make a module in Studio which can ban people using the RomodMain module, as the module doesn’t have any admin verification. The module creator would publish the module and make it free to use. The module would be easy to access. With an injector, an exploiter could require the module and start abusing the system.
Please correct me if I’m wrong.
If this is a big problem, I will have to make a fix, but it might take some time.
Make an attribute that goes onto admins, and check in the module whether they have it. (I don’t know if exploiters can get around that.)
I should add admin checks to the module too, not just the event handler. Thank you for the suggestion.
Exploiters should not be able to bypass that.
I will politely correct you.
Again, injectors can execute code on the client. require can only download assets on the server, so the only possible way of doing this is having some very insecure RemoteFunctions hooked up to a script that can require the module and return it. Though I highly doubt that.
If you were to do this, yeah, good job. You’ll need to account for the future of Romod where users can rank other users using DataStores.
Trust me, plan this carefully. I made a post here about BaseAdmin which talks about a security flaw that would later be fixed in the next version. It wasn’t classified as “severe”, and I ignored it for a little over a year now. I realized that some generic RemoteEvents placed by free models can cause the exploit to happen, so I decided to patch it.
It happened a year and a half ago, when I decided to make a module for organizing commands for the previous version, AdminSuite. The problem was I needed to pass so many parameters over that it was very messy, and the rank command was one of them. I decided not to add another command just for ranking, and just place a value in the player that, when changed, will set the rank in the DataStore. There was already another value named AdminRank, which can set an admin’s rank in real-time.
I realized that many RemoteEvents were lazy and just blindly set any replicated value without doing any checks for the player. I realized that this was a problem since I used values.
Again, try to make this happen all internally in the module. For about a year early on in my development of AdminSuite, I just had a table with all the admin names, and I would give them admin when they joined. If you weren’t an admin, you couldn’t become one. I kept on changing this and then eventually decided that NonAdmins should be allowed to run commands, so I removed the admins table (which is still supported) and gave commands a rank, where NonAdmins had a limited number of commands allowed which were harmless.
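The two points made in this thread, that the module itself (not just the RemoteEvent handler) must verify the actor's rank, and that the rank must come from a server-side source rather than a replicated Value object a lazy RemoteEvent could change, are illustrated below. This is an added example, not code from Romod, BaseAdmin or AdminSuite; the module name, the rank names and numbers, the in-memory rank table (a stand-in for a DataStore) and the "AdminCommand" RemoteEvent name are all assumptions made for the illustration.

```lua
-- Added example (not Romod/BaseAdmin/AdminSuite code). A server-side ModuleScript
-- whose privileged functions authorize the actor *inside the module*, so a stray
-- require() from another free model, a chat command, or a generic RemoteEvent all
-- go through the same check. Names, ranks and the event name are assumptions.

local Players = game:GetService("Players")
local ReplicatedStorage = game:GetService("ReplicatedStorage")

local AdminCore = {}

-- Numeric ranks; higher number = more authority (hypothetical values).
AdminCore.Ranks = { NonAdmin = 0, Moderator = 1, Admin = 2, Owner = 3 }

-- Server-authoritative source of truth. A real system would load this from a
-- DataStore; this constructed sample keeps it in memory, keyed by UserId.
-- Note that it is NOT a Value object under the Player, which a client could ask
-- a "set any replicated value" RemoteEvent to overwrite.
local rankByUserId = {
    [1] = AdminCore.Ranks.Owner, -- placeholder UserId for the illustration
}

-- Minimum rank required for each privileged action.
local requiredRank = {
    Ban = AdminCore.Ranks.Moderator,
    SetRank = AdminCore.Ranks.Admin,
}

function AdminCore.GetRank(userId: number): number
    return rankByUserId[userId] or AdminCore.Ranks.NonAdmin
end

-- The check lives in the module, so every caller path is authorized identically.
local function authorize(actorUserId: number, action: string): (boolean, string?)
    local needed = requiredRank[action]
    if needed == nil then
        return false, "unknown action: " .. tostring(action)
    end
    if AdminCore.GetRank(actorUserId) < needed then
        return false, "insufficient rank for " .. action
    end
    return true
end

function AdminCore.Ban(actorUserId: number, targetUserId: number): (boolean, string?)
    local ok, err = authorize(actorUserId, "Ban")
    if not ok then return false, err end
    -- Staff cannot ban someone of equal or higher rank; only a higher rank may.
    if AdminCore.GetRank(targetUserId) >= AdminCore.GetRank(actorUserId) then
        return false, "target outranks or equals actor"
    end
    -- A real implementation would persist the ban to a DataStore here.
    local target = Players:GetPlayerByUserId(targetUserId)
    if target then
        target:Kick("You have been banned.")
    end
    return true
end

function AdminCore.SetRank(actorUserId: number, targetUserId: number, newRank: number): (boolean, string?)
    local ok, err = authorize(actorUserId, "SetRank")
    if not ok then return false, err end
    -- Nobody may grant a rank at or above their own (prevents privilege escalation).
    if newRank >= AdminCore.GetRank(actorUserId) then
        return false, "cannot grant a rank at or above your own"
    end
    rankByUserId[targetUserId] = newRank
    return true
end

-- RemoteEvent wiring. The actor is the first OnServerEvent argument, filled in by
-- the server; never read the actor from the client-supplied payload. Type-check
-- every client-supplied argument before it reaches the module.
local event = ReplicatedStorage:FindFirstChild("AdminCommand") -- hypothetical name
if event and event:IsA("RemoteEvent") then
    event.OnServerEvent:Connect(function(actor: Player, action, targetUserId, arg)
        if typeof(action) ~= "string" or typeof(targetUserId) ~= "number" then
            return
        end
        if action == "Ban" then
            AdminCore.Ban(actor.UserId, targetUserId)
        elseif action == "SetRank" and typeof(arg) == "number" then
            AdminCore.SetRank(actor.UserId, targetUserId, arg)
        end
    end)
end

return AdminCore
```

Because authorization happens inside AdminCore.Ban and AdminCore.SetRank, a second free model that simply does require(path.to.AdminCore):Ban(...) still has to present an actor UserId that holds the required rank, and the rank lookup does not consult anything the client can replicate.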
So basically, an injector can’t require modules?
It can, but it can’t download an asset ID. Even if the injector already had the module downloaded, my guess is that it wouldn’t work with the server.
This is incorrect, the client can download assets from the site, but it can only run it on the client.
I meant that you can’t directly call require and use an asset ID from the client.
An exploiter can; however, it’s run on the client (no server code is run).
Hi. Can you link a Trello board to this admin?
I currently haven’t implemented Trello support. You will have to modify the code in order to use Trello. The problem is, the code is not commented yet, and is a big mess.
What will you use trello for?
I might be able to implement it if I know what it will be used for.
I would use the Trello board to add/remove game bans. I have created a Discord bot which can add/remove cards to the board, I just need a moderation system which can transfer that to Roblox. Thanks for your fast reply!
I think I found a problem in your code. This elseif statement will always return true:
Edit: Also, is it possible to have an option to whitelist moderators from being banned rather than manually setting the datastore key?
I think the problem would be fixed with just an else instead of an elseif. Am I wrong?
I haven’t added moderator whitelisting yet. But it is planned. The owner will be able to ban mods though. Maybe some specific admins too. It will be customisable.
Ok. That will maybe be added. If you need it right now, you might need to modify the code. But it’s messy. So if you need to modify it, sorry for the mess.
Before I can add it into the system, I will need to know a bit more about the bot and how it works. I will also need to study how the Trello APIs work.
Please DM me if you are interested.