question

Brent Batas (Lisk) avatar image
Brent Batas (Lisk) asked

Entity API permissions - how to forbid CreateGroup() on Client?

I learned from the PlayFab community slack that we can tweak Entity API policies via this page:

https://developer.playfab.com/en-US/[title_id]/settings/api-features

However, without much documentation or examples, I don't know how to forbid the CreateGroup() call from my client.

I would like to forbid CreateGroup() otherwise a hacked client could just create guilds (groups) for free, but in our game we'd like guilds to have a virtual currency cost and only have one guild per player.

Another related question: how do we allow ListMembers() on the client?

P.S. It seems weird to me that CreateGroup() is allowed by default, while ListMembers() is denied by default. CreateGroup() seems way more dangerous to me than ListMembers().

entities
10 |1200

Up to 2 attachments (including images) can be used with a maximum of 512.0 KiB each and 1.0 MiB total.

1 Answer

·
Andy avatar image
Andy answered

Our general advice around Group operations right now is to just do everything in cloud script. Without documentation, creating entity policy isn't a realistic alternative.

In your specific scenario, I've been able to call ListGroupMembers() using a player's entity token without issue. Are you altering the entity policy on the groups as they're created? The default policies on groups contain these two entries that enable the behavior you desire:

                {
                    "Resource": "pfrn:group--group!*/Members/*",
                    "Action": "Read",
                    "Effect": "Allow",
                    "Principal": {
                        "ChildOf": {
                            "EntityType": "title",
                            "EntityId": "F53F"
                        }
                    },
                    "Comment": "Allow players to use groups methods"
                },
                {
                    "Resource": "pfrn:group--group!*/Roles/*",
                    "Action": "Read",
                    "Effect": "Allow",
                    "Principal": {
                        "ChildOf": {
                            "EntityType": "title",
                            "EntityId": "F53F"
                        }
                    },
                    "Comment": "Allow players to use groups methods"
                }

For CreateGroup, I'm still doing some digging. I've played around with the policy a bit, but can't get anything that works. In the interim, you could do something to "Stamp" real guilds in the system. Maybe write something to entity data on creation?

6 comments
10 |1200

Up to 2 attachments (including images) can be used with a maximum of 512.0 KiB each and 1.0 MiB total.

Andy avatar image Andy ♦♦ commented ·

I heard back on CreateGroup. It's currently impossible to prevent clients from calling it. I've added a feature request to provide functionality, in either Entity Policy or API Policy, to prevent specific Entity API methods from being called by clients. For the time being, you'll need to use the workaround I mentioned.

0 Likes 0 ·
Brent Batas (Lisk) avatar image Brent Batas (Lisk) Andy ♦♦ commented ·

Checking back on this a couple years later. Is it still impossible to forbid a client to call CreateGroup()?

0 Likes 0 ·
Seth Du avatar image Seth Du ♦ Brent Batas (Lisk) commented ·

It is not supported for now. Please also consider sending a thread on Feature Request forum if there is no existing one.

0 Likes 0 ·
Show more comments
gooby avatar image gooby commented ·

sorry for also necroing this thread, but it is the only relevant answer on Google.

How does cloud script work with group creation? And does cloud script block group creation if a requirement is not met? lets say i validate group creation on my server, then give the player internal data a group creation token. Then they can call the cloud script API, which then checks if they have that token to successfully create the group. Is that possible?

0 Likes 0 ·

Write an Answer

Hint: Notify or tag a user in this post by typing @username.

Up to 2 attachments (including images) can be used with a maximum of 512.0 KiB each and 1.0 MiB total.