glen asked

Can't deny master_player_account from setting Objects

I'm unable to prevent the client from being able to set master_player_account Objects by adding an API policy in Entity Global Title Policy. Here is the policy I added:

    {
        "Action": "Write",
        "Effect": "Deny",
        "Resource": "pfrn:data--*!*/Profile/Objects/*",
        "Principal": "*",
        "Comment": "Only title can edit master user objects",
        "Condition": {
            "CallingEntityType": "master_player_account"
        }
    }

On the client side my SetObjectsRequest is:

    SetObjectsRequest request = new SetObjectsRequest()
    {
        Entity = new PlayFab.DataModels.EntityKey() { Id = playFabId, Type = "master_player_account" },
        Objects = entityObjs
    };

This always results in the Object getting set. If I change "CallingEntityType" to title_player_account it makes no difference, but it does prevent the title_player_account objects from being set, as expected. This also prevents characters from being able to set objects. As an aside, when this prevention happens for a character, that character does not seem to be returned in the CloudScript call server.GetAllUsersCharacters(), at least for a certain amount of time.

How do I prevent the client from setting master_player_account objects?


Sarah Zhang commented:

We are trying to reproduce this behavior.

glen commented:

Further testing still indicates that the policy is not working as intended. But server.GetAllUsersCharacters() not returning the character likely was an error in my code.

glen commented:

@Sarah Zhang any success in reproducing the behavior as detailed in my original post?

1 Answer

Sarah Zhang answered

Yes, we have reproduced it. After research, we found that developers can only use the title_player_account at the title global policy level. This information is from our engineering team's comment in the thread -- https://community.playfab.com/comments/18623/view.html. It looks like this feature hasn't been updated.

The customer of the above thread also provided a workaround for setting profile policy for master_player_account. For your case, you can call SetProfilePolicy in batches to set the access rights to EntityObject for the master_player_account.

glen commented:

Perfect, thanks!
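
One way to script the workaround from the answer above, as an added example that is not code from this thread or from PlayFab: it applies the deny statement from the question to each master_player_account profile through SetProfilePolicy and returns the ids that are still unprotected. The REST path `/Profile/SetProfilePolicy`, the `X-EntityToken` header, the batch size, the pause and all function names are assumptions of this example; the title id and a title-level entity token are supplied by the caller.

```python
import json
import time
import urllib.request

# Statement copied from the policy in the question; set per profile here.
DENY_OBJECT_WRITES = {
    "Action": "Write",
    "Effect": "Deny",
    "Resource": "pfrn:data--*!*/Profile/Objects/*",
    "Principal": "*",
    "Comment": "Only title can edit master user objects",
    "Condition": {"CallingEntityType": "master_player_account"},
}


def build_request(master_id):
    """Body of one SetProfilePolicy call for one master_player_account."""
    return {
        "Entity": {"Id": master_id, "Type": "master_player_account"},
        "Statements": [DENY_OBJECT_WRITES],
    }


def http_sender(title_id, entity_token):
    """Return a function that POSTs one body to the title (assumed REST form)."""
    url = f"https://{title_id}.playfabapi.com/Profile/SetProfilePolicy"
    headers = {"Content-Type": "application/json", "X-EntityToken": entity_token}

    def send(body):
        req = urllib.request.Request(url, json.dumps(body).encode(), headers)
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status == 200
    return send


def apply_in_batches(master_ids, send, batch_size=25, pause_s=1.0):
    """Set the policy batch by batch; return ids whose profile is NOT protected."""
    ids = list(dict.fromkeys(master_ids))  # drop duplicates, keep order
    failed = []
    for start in range(0, len(ids), batch_size):
        if start:
            time.sleep(pause_s)  # spacing between batches to stay under rate limits
        for master_id in ids[start:start + batch_size]:
            try:
                ok = send(build_request(master_id))
            except OSError:  # urllib's URLError and HTTPError derive from OSError
                ok = False
            if not ok:
                failed.append(master_id)
    return failed
```

A profile whose id comes back in the returned list still accepts client writes, so retry those ids, and confirm the effect with a client-side SetObjects call against one updated account.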
