I have recently detected a security flaw in the module. I do not know how big of a problem this might be.
Basically, an exploiter could make a module in Studio which can ban people using the RomodMain module, as the module doesn’t have any admin verification. The module creator would publish the module and make it free to use. The module would be easy to access. With an injector, an exploiter could require the module and start abusing the system.
Please correct me if I’m wrong.
If this is a big problem, I will have to make a fix, but it might take some time.
Again, injectors can execute code on the client. require can only download assets on the server, so the only possible way of doing this is having some very insecure RemoteFunctions hooked up to a script that can require the module and return it. Though I highly doubt that.
If you were to do this, yeah, good job. You’ll need to account for the future of Romod where users can rank other users using DataStores.
Trust me, plan this carefully. I made a post here about BaseAdmin which talks about a security flaw that would later be fixed in the next version. It wasn’t classified as “severe”, and I ignored it for a little over a year now. I realized that some generic RemoteEvents placed by free models can cause the exploit to happen, so I decided to patch it.
It happened a year and a half ago, when I decided to make a module for organizing commands for the previous version, AdminSuite. The problem was I needed to pass so many parameters over that it was very messy, and the rank command was one of them. I decided not to add another command just for ranking, and just place a value in the player that, when changed, will set the rank in the DataStore. There was already another value named AdminRank, which can set an admin’s rank in real-time.
I realized that many RemoteEvents were lazy and just blindly set any replicated value without doing any checks for the player. I realized that this was a problem since I used values.
Again, try to make this happen all internally in the module. For about a year from my development towards AdminSuite early on, I just had a table with all the admin names, and I would give them admin when they joined. If you weren’t admin, you couldn’t become admin. I kept on changing this and then I eventually decided that NonAdmins should be allowed to run commands, so I removed the admins table (which is still supported) and gave commands a rank where NonAdmins had a limited number of commands allowed which were harmless.
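To illustrate the point above about RemoteEvents that blindly set a replicated value without checking the player, here is an added Luau example (not code from Romod, BaseAdmin or AdminSuite) showing the lazy handler beside one that verifies the caller's rank on the server first. The RemoteEvent name `SetRank`, the value name `AdminRank` and the DataStore name `RomodRanks` are assumptions for illustration.

```lua
-- Added example, not from Romod/BaseAdmin/AdminSuite. Names SetRank, AdminRank
-- and "RomodRanks" are assumed for illustration only.
local Players = game:GetService("Players")
local ReplicatedStorage = game:GetService("ReplicatedStorage")
local DataStoreService = game:GetService("DataStoreService")

local setRankEvent = ReplicatedStorage:WaitForChild("SetRank") -- assumed RemoteEvent
local rankStore = DataStoreService:GetDataStore("RomodRanks")   -- assumed store name

-- Server-side source of truth for ranks: never trust a value the client can replicate.
local serverRanks = {} -- [userId] = rank (number), filled in on join

local function loadRank(player)
    local ok, saved = pcall(function()
        return rankStore:GetAsync(tostring(player.UserId))
    end)
    serverRanks[player.UserId] = (ok and tonumber(saved)) or 0
end
Players.PlayerAdded:Connect(loadRank)
Players.PlayerRemoving:Connect(function(player) serverRanks[player.UserId] = nil end)

-- LAZY pattern (the problem described in the thread): whoever fires the event
-- chooses both the target and the rank, and the server just writes it.
local function lazyHandler(_, targetPlayer, newRank)
    local v = targetPlayer:FindFirstChild("AdminRank")
    if v then v.Value = newRank end
end

-- CHECKED pattern: validate argument types and the caller's own server-side
-- rank before anything is written to the DataStore or the replicated value.
local function checkedHandler(caller, targetPlayer, newRank)
    if typeof(targetPlayer) ~= "Instance" or not targetPlayer:IsA("Player") then return end
    if typeof(newRank) ~= "number" or newRank ~= math.floor(newRank) or newRank < 0 then return end
    local callerRank = serverRanks[caller.UserId] or 0
    local targetRank = serverRanks[targetPlayer.UserId] or 0
    if callerRank <= newRank then return end    -- may only grant ranks below your own
    if callerRank <= targetRank then return end -- may not touch peers or superiors
    serverRanks[targetPlayer.UserId] = newRank
    pcall(function() rankStore:SetAsync(tostring(targetPlayer.UserId), newRank) end)
    local v = targetPlayer:FindFirstChild("AdminRank")
    if v then v.Value = newRank end -- replicated copy is for display only
end

-- Only the checked handler is connected; lazyHandler is kept for comparison.
setRankEvent.OnServerEvent:Connect(checkedHandler)
```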
I would use the Trello board to add/remove game bans. I have created a Discord bot which can add/remove cards to the board, I just need a moderation system which can transfer that to Roblox. Thanks for your fast reply!
Yes, it would be. I would like to mention after looking at some of the code I found some issues with it. There weren’t too many issues but the issues that were there were pretty major.
The 1st issue I saw while testing it out was that it didn’t automatically update, because the scripts were just there and it wasn’t a MainModule. I did fix that, and it runs smoothly: RomodModule.rbxm (24.1 KB)
The next issue I found is where MessagingService was constantly subscribing, causing a memory leak.