I want to give users the option to set their display name once and only once. Maybe we might process name change requests in the future, or offer it as a premium service, but the point is I don't want users to be able to update their own display names at will.
I'm looking at the UpdateUserTitleDisplayName API call:
https://api.playfab.com/documentation/client/method/UpdateUserTitleDisplayName
It looks like this is in the Client API. If I use this, it seems like someone theoretically could just make an HTTP POST request and change their username.
How can I prevent this? I want to use either the Username or Title Display Name, rather than just a read-only field, so that I can search for players based on these identifiers (via GetAccountInfo and such).
Answer by Brendan · Apr 20, 2017 at 05:26 PM
Sure, you can turn off any Client API using the Permission Policies for your title: https://playfab.com/blog/permission-policies. That way, once you create the Title Display Name via RegisterPlayFabUser (which can't be called more than once for a single account, since it's specifically what creates the account), they wouldn't be able to change it. Alternately, the Username can't be changed once an account is created, so you could just use that if you want to allow for frictionless account creation with a Device ID first (you'd use AddUsernamePassword to add it).
Hi Brendan, thanks for the reply.
Two questions:
1) Am I understanding correctly that if I specify an ApiPolicy, anything not specified is considered to be blocked?
2) I originally thought to use Username, but AddUsernamePassword requires an email and password, which I don't want to require from the user. (Steam authentication is sufficient.)
That's correct - by default, the API calls are considered disallowed. You have to specifically enable them.
And yes, if you're not using email and password, that API call isn't really going to work for you (we do plan to add those as separate API calls later - the original one we have was as a result of a specific request).
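An added example, not part of the thread and not PlayFab's own code: a small offline check that a set of ApiPolicy statements keeps UpdateUserTitleDisplayName out of reach of clients while the calls the game needs stay open. The statement fields, the `pfrn:api--` resource form and the UpdatePolicy body are assumptions based on PlayFab's policy documentation, the "Deny beats Allow" rule is this model's own assumption, and the default-deny behaviour follows the answer above.

```python
from fnmatch import fnmatchcase

PREFIX = "pfrn:api--"  # assumed resource prefix for API policy statements

def statement(api_path, effect, comment):
    """Build one policy statement for a path such as '/Client/LoginWithSteam'."""
    return {"Resource": PREFIX + api_path, "Action": "*", "Effect": effect,
            "Principal": "*", "Comment": comment}

def is_allowed(statements, api_path):
    """Local model: nothing matches -> blocked; an explicit Deny beats Allow."""
    resource = PREFIX + api_path
    effects = {s["Effect"] for s in statements
               if fnmatchcase(resource, s["Resource"])}
    return "Allow" in effects and "Deny" not in effects

def audit(statements, must_block, must_allow):
    """Return a list of problems; an empty list means the policy passes."""
    problems = [f"{p} is reachable by clients"
                for p in must_block if is_allowed(statements, p)]
    problems += [f"{p} is blocked but the game needs it"
                 for p in must_allow if not is_allowed(statements, p)]
    return problems

def update_policy_body(statements):
    """Request body for the Admin UpdatePolicy call (field names assumed)."""
    return {"PolicyName": "ApiPolicy", "OverwritePolicy": True,
            "Statements": statements}

MUST_BLOCK = ["/Client/UpdateUserTitleDisplayName"]
MUST_ALLOW = ["/Client/LoginWithSteam", "/Client/GetAccountInfo"]

# Constructed sample policies, not taken from a real title.
OPEN_POLICY = [statement("/Client/*", "Allow", "every Client call allowed")]
LOCKED_POLICY = OPEN_POLICY + [statement(
    "/Client/UpdateUserTitleDisplayName", "Deny", "display name is set once")]
ALLOWLIST_POLICY = [statement(p, "Allow", "needed by the game client")
                    for p in MUST_ALLOW]

if __name__ == "__main__":
    for name, policy in [("open", OPEN_POLICY), ("locked", LOCKED_POLICY),
                         ("allowlist", ALLOWLIST_POLICY)]:
        print(name, audit(policy, MUST_BLOCK, MUST_ALLOW) or "ok")
```

Because the evaluation order here is only a model, confirm the uploaded policy against the live title by calling the blocked API with a test account and checking that it is rejected.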