question

Brent Batas (Lisk) avatar image
Brent Batas (Lisk) asked

Prevent user from changing its Title Display Name?

I want to give users the option to set their display name once and only once. Maybe we might process name change requests in the future, or offer it as a premium service, but the point is I don't want users to be able to update their own display names at will.

I'm looking at the UpdateUserTitleDisplayName API call:

https://api.playfab.com/documentation/client/method/UpdateUserTitleDisplayName

It looks like this is in the Client API. If I use this, it seems like someone theoretically could just make an HTTP POST request and change their username.

How can I prevent this? I want to use either the Username or Title Display Name, rather than just a read-only field, so that I can search for players based on these identifiers. (via GetAccountInfo and such).

apisPlayer Data
10 |1200
Toggle Comment visibility. Current Visibility: Viewable by all users

Up to 2 attachments (including images) can be used with a maximum of 512.0 KiB each and 1.0 MiB total.

1 Answer

·
brendan avatar image
brendan answered

Sure, you can turn off any Client API using the Permission Policies for your title: https://playfab.com/blog/permission-policies. That way, once you create the Title Display Name via RegisterPlayFabUser (which can't be called more than once for a single account, since it's specifically what creates the account), they wouldn't be able to change it. Alternately, the Username can't be changed once an account is created, so you could just use that if you want to allow for frictionless account creation with a Device ID first (you'd use AddUsernamePassword to add it).

2 comments
10 |1200
Toggle Comment visibility. Current Visibility: Viewable by all users

Up to 2 attachments (including images) can be used with a maximum of 512.0 KiB each and 1.0 MiB total.

Brent Batas (Lisk) avatar image Brent Batas (Lisk) commented ·

Hi Brendan, thanks for the reply.

Two questions:

1) Am I understanding correctly that if I specify an ApiPolicy, anything not specified is considered to be blocked?

2) I originally thought to use Username, but AddUsernamePassword requires an email and password, which I don't want to require from the user. (Steam authentication is sufficient)

0 Likes 0 ·
brendan avatar image brendan Brent Batas (Lisk) commented ·

That's correct - by default, the API calls are considered disallowed. You have to specifically enable them.

And yes, if you're not using email and password, that API call isn't really going to work for you (we do plan to add those as separate API calls later - the original one we have was as a result of a specific request).

0 Likes 0 ·

Write an Answer

Hint: Notify or tag a user in this post by typing @username.

Up to 2 attachments (including images) can be used with a maximum of 512.0 KiB each and 1.0 MiB total.