To prevent exposure of some internal functionality to potential future Lua privilege escalation exploits, we are planning to switch the following methods to RobloxSecurity (and eventually remove):
Function Instance Players:CreateLocalPlayer(int userId, bool isTeleport = false) [PluginSecurity]
Function void NetworkServer:Start(int port = 0, int threadSleepTime = 20) [PluginSecurity]
Function Instance NetworkClient:PlayerConnect(int userId, string server, int serverPort, int clientPort = 0, int threadSleepTime = 30, int dataCenterId = -1, string userName = ) [PluginSecurity]
Function void ScriptContext:SetTimeout(double seconds) [PluginSecurity]
Function void DataModel:SetCreatorID(int creatorID, CreatorType creatorType) [PluginSecurity]
Function void DataModel:SetCreatorId(int creatorId, CreatorType creatorType) [PluginSecurity]
Function void DataModel:SetGearSettings(GearGenreSetting genreRestriction, int allowedGenres) [PluginSecurity]
Function void DataModel:SetGenre(Genre genre) [PluginSecurity]
Function void DataModel:SetPlaceID(int placeID, bool robloxPlace = false) [PluginSecurity]
Function void DataModel:SetPlaceId(int placeId, bool robloxPlace = false) [PluginSecurity]
Function void DataModel:SetPlaceVersion(int placeId) [PluginSecurity]
Function void DataModel:SetUniverseId(int universeId) [PluginSecurity]
This will mean that existing plugins that use these methods will stop working. The change is scheduled to happen on October 4th.
These methods will also not be callable from command bar.
If you have concerns about removal of any of these methods please let us know what your use case is in comments so that we can consider alternative options and/or add this to the list of future features to fill the need.
Update: due to popular demand, SetPlaceId will be left as is, except that we’ll remove robloxPlace argument
I also use game:SetPlaceId(id) from command bar (idc about plugin) to use datastores in studio without going through the annoying process of publishing or pressing edit on site
I also have a game that I upload to 2 places and use setplaceid to swap between their datastores
Was just about to mention exactly this. I wrote (and have used for a long time) a plugin that remembers place IDs and auto-sets the place ID upon loading an RBXL. I don’t want to have to load my game from the Roblox website in order to access data stores.
Edit: I want to reinforce how much this change would really make my workflow more annoying. I like my RBXLs and data stores, as well as the ability to switch between difference place IDs for testing/production. Let me use both of them at the same time.
Sometimes I use CreateLocalPlayer as a hacky workaround to not having a network connection to start a Play Solo session.
It is rare for this to happen thankfully (usually when I’m trying to work on stuff while on a roadtrip), but the ultimate problem here is that Roblox calls upon web APIs to get the Lua scripts responsible for starting Play Solo sessions and stuff. It would be handy if these were integrated somehow.
I don’t expect this to be considered because Roblox Studio is unsupported offline, but it hasn’t stopped me from trying.
I was thinking of making a plugin for this some time next month, oh say to have multiple computers test with a higher ping. Unless the function is kept, I won’t be doing this. I may have a triple monitor setup, but I can’t run 3 mice at once.
Also, I guess I will get to work on that plugin if I get time tonight, or tomorrow. Would be VERY nice for Ultimate Boxing.
If SetPlaceId were removed/restricted, then my DataStore plugin would still work if you loaded the game from the site in Edit mode or published it from Studio to a place. But it looks like the original post is updated showing that SetPlaceId will remain.
print(game.PlaceId,game.GetObjects)
-- plugin: function, function
-- script in studio: function, function
-- script online: function, nil
game:SetPlaceId(113456)
-- plugin: works
-- script in studio: errors "" because PluginSecurity
-- script online: errors "" because PluginSecurity
game:GetObjects("rbxassetid://113456")
-- plugin: works
-- script in studio: errors "" because PluginSecurity
-- script online: errors "Attempt to call a nil value"
you’ll also notice that GetObjects doesn’t show up in the API Dump, because the API Dump is generated by/from the client, not studio
I know of methods that only work on the client (renderstuff, GetFriendsOnline, …) but all those are also present on the server as far as I know. There isn’t really a way for me to find out though.
There is also a service exclusive to Roblox’s dedicated servers called ThumbnailGenerator.
I never documented it on the wiki because it isn’t really usable by developers. I discovered the service when that one warning used to show up in the developer console saying that the client didn’t know what it was.
I ran a brute force test on the service’s members and I found a few results. There is a property called GraphicsMode that can be queried by the developer console’s command bar, but I think this was an error. Changing it doesn’t appear to do anything,
There is also a function called ClickTexture, but the console is unable to call it.
I speculate that this service is used by Roblox to render in-game asset thumbnails.
Xbox One:
There is a service called PlatformService exclusive to Xbox One.
The service is intended for interfacing with the Xbox API stuff, launching games from their main menu, and a bunch of other internal things.
There are a lot of references to it in Roblox’s CoreScripts, but they always wrap it in a pcall because trying to get the service from a platform that it doesn’t exist on will throw an error.
