manuelhimmler Posted October 26, 2009

My gamemode resource is MTARL, but it can't access kickPlayer. Why?

Part of acl.xml:

```xml
<group name="Admin">
    <acl name="Moderator" />
    <acl name="SuperModerator" />
    <acl name="Admin" />
    <acl name="RPC" />
    <object name="resource.mtarl" />
    <object name="user.Manuel1948" />
    <object name="resource.admin" />
    <object name="resource.guieditor" />
    <object name="resource.webadmin" />
    <object name="user.Silvercorn" />
</group>
```

Part of client script:

```lua
function callServerFunction(funcname, ...)
    local arg = { ... }
    if (arg[1]) then
        for key, value in next, arg do
            if (type(value) == "number") then arg[key] = tostring(value) end
        end
    end
    triggerServerEvent("onClientCallsServerFunction", root, funcname, unpack(arg))
end

function FalsePassword(IP)
    falselogins = falselogins + 1
    RefreshInfobox("Falsches Passwort! Noch "..(3-falselogins).." Versuche.")
    if falselogins == 3 then
        hideLoginGUI()
        outputChatBox("[AutoKick] 3 mal falsches Passwort", 0, 255, 255)
        callServerFunction("kickPlayer", source, nil, "3 mal falsches Passwort")
    end
end
addEvent("FalsePassword", true)
addEventHandler("FalsePassword", getLocalPlayer(), FalsePassword)
```

Part of server script:

```lua
function callServerFunction(funcname, ...)
    local arg = { ... }
    if (arg[1]) then
        for key, value in next, arg do arg[key] = tonumber(value) or value end
    end
    loadstring("return "..funcname)()(unpack(arg))
end
addEvent("onClientCallsServerFunction", true)
addEventHandler("onClientCallsServerFunction", root, callServerFunction)
```

robhol Posted October 26, 2009

The resource name in the ACL might be case sensitive. Make sure all the letters in the resource name are capitalized correctly.

eAi Posted October 26, 2009

You really must be careful providing access to something like kickPlayer directly from a client-side script. If someone hacked their version of MTA, they could kick everyone on your server, and do anything an admin could do (by the looks of your code). This is exactly why MTA doesn't provide these functions client-side.

Instead you should have the server ask the client for a password. The client sends a password back. If the client gets it wrong three times, the server kicks that client. That's pretty secure - there's no way someone can get someone else kicked.

driver2 Posted October 27, 2009

> You really must be careful providing access to something like kickPlayer directly from a client-side script. If someone hacked their version of MTA, they could kick everyone on your server, and do anything an admin could do (by the looks of your code). This is exactly why MTA doesn't provide these functions client-side.
>
> Instead you should have the server ask the client for a password. The client sends a password back. If the client gets it wrong three times, the server kicks that client. That's pretty secure - there's no way someone can get someone else kicked.

Would it also be secure to check the player's account on the server, or could the player send another player's player element as his own?

manuelhimmler Posted October 27, 2009

> The resource name in the ACL might be case sensitive. Make sure all the letters in the resource name are capitalized correctly.

Thanks, this was the solution. And @ all others: why should the player hack to kick himself?

Gamesnert Posted October 27, 2009

> Thanks, this was the solution. And @ all others: why should the player hack to kick himself?

> You really must be careful providing access to something like kickPlayer directly from a client-side script. If someone hacked their version of MTA, they could kick everyone on your server, and do anything an admin could do (by the looks of your code). This is exactly why MTA doesn't provide these functions client-side.

There's your answer, because it's by far not just restricted to his own. Think about it.

```lua
function callServerFunction(funcname, ...)
    local arg = { ... }
    if (arg[1]) then
        for key, value in next, arg do arg[key] = tonumber(value) or value end
    end
    loadstring("return "..funcname)()(unpack(arg))
end
addEvent("onClientCallsServerFunction", true)
addEventHandler("onClientCallsServerFunction", root, callServerFunction)
```

This tells the server to do exactly the function entered. It won't just simply kick the player itself if he uses kickPlayer, but it targets the target specified. For instance:

```lua
callServerFunction("kickPlayer",getPlayerFromName("unsuspecting_victim")) -- Not sure if I used it correctly, but it's about the theory
```

The server would handle this piece of code like it's a piece of a server-side script. Therefore, it would kick that player.

Now you might at some point ask, "how could they access callServerFunction anyway?" Don't ask me, I don't know. But frankly, I wouldn't want to find out either.

The best way of preventing this is to simply place the falselogins check server-side. This means you would need to send the amount of falselogins with the triggerClientEvent though.

eAi Posted October 27, 2009

I haven't seen anyone hack client-side scripts but it's eminently possible. You shouldn't trust any client-side script to do what you expect. Client-side scripts were designed for 'superficial' things, not things that can affect the stability of other players' game. If you start putting code client-side that other players can see the effect of, you're opening yourself up to potential trouble. Don't say I didn't warn you!
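
The server-side check that eAi and Gamesnert describe, as an added example that is not part of the original thread or anyone's posted code: the failed-login counter lives on the server and the kick target is always the sender, identified through MTA's server-side `client` variable rather than the sender-supplied `source`, which also addresses driver2's question. The event names `onClientSubmitPassword` and `onLoginAccepted` and the helper `checkPassword` are hypothetical, and the helper assumes the account name equals the player name.

```lua
-- Server-side script for an MTA resource (added example).
-- Hypothetical names: "onClientSubmitPassword", "onLoginAccepted", checkPassword().
local MAX_ATTEMPTS = 3
local failedLogins = {}  -- [player element] = wrong passwords so far

-- Stand-in for the gamemode's own credential check (assumption: the
-- account name equals the player name).
local function checkPassword(player, password)
    return getAccount(getPlayerName(player), password) and true or false
end

addEvent("onClientSubmitPassword", true)
addEventHandler("onClientSubmitPassword", root, function(password)
    -- 'client' is filled in by the server with the player whose connection
    -- sent the event. 'source' is chosen by the sender, so it is only
    -- accepted when it matches 'client'.
    local player = client
    if not player or source ~= player then return end
    if type(password) ~= "string" then return end

    if checkPassword(player, password) then
        failedLogins[player] = nil
        triggerClientEvent(player, "onLoginAccepted", player)
        return
    end

    -- The counter is kept on the server and keyed by the sender, so a
    -- modified client cannot edit it or charge a failure to someone else.
    local attempts = (failedLogins[player] or 0) + 1
    failedLogins[player] = attempts
    if attempts >= MAX_ATTEMPTS then
        failedLogins[player] = nil
        kickPlayer(player, "3 wrong passwords")
    else
        -- Tell the client how many tries remain; it only displays this.
        triggerClientEvent(player, "FalsePassword", player, MAX_ATTEMPTS - attempts)
    end
end)

-- Drop the counter when the player leaves so the table does not grow.
addEventHandler("onPlayerQuit", root, function()
    failedLogins[source] = nil
end)
```

With this in place the resource needs no generic `onClientCallsServerFunction` dispatcher at all: the client can only submit a password, and every decision that affects a player is taken by the server.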