Question About Security Decorator for RTS Player

I was wondering if the reason that the ServerHandling----Spawn methods do not require the Server tag is because the methods that invoke them are secured by OnStartServer?

Is this sufficient to prevent a malicious user from invoking these method calls directly?

To add images, here is the code I am wondering if it is secured:

In RTSPlayer.CS

Here is where I think our only security lies:

In Building.cs

Hi there, you are correct, but I would like to expand a little.

The other key part I would like to point out is that the methods are private. The ServerHandleUnitSpawn and Despawn can only be called by that instance of the RTSPlayer, so they are protected from being called directly by other RTSPlayers or any other script for that matter.

The only way to call them is to invoke the event they are subscribed to. Since, as you stated, those events are only invoked on OnStartServer() and OnStopServer(), the methods will only ever be called by the server. Therefore, no [Server] attribute is needed.

If, for example, you called those events on your client, you might be able to add them to your local client list, but this would not affect the server in any way. So there isn’t really a security risk here, as at best, you could break your local game by having your units on the list too many times. In this case the server logic and the client logic are running in parallel, and the key event, the building or unit being spawned, is only occurring on and is controlled by the server. It’s possible there is some security risk I am not thinking of here, but in general this is another example of a place where it couldn’t hurt to add the [Server] attribute if it makes your code clearer.
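The pattern discussed in this thread, as an added example that is not the poster's code (the screenshots are not on the page) and not part of either post. It assumes a Unity project with Mirror installed; the class names come from the thread, while the event names, the `myUnits` list and the ownership check are assumptions made for illustration.

```csharp
using System;
using System.Collections.Generic;
using Mirror;

// Unit.cs (assumed shape of the unit class)
public class Unit : NetworkBehaviour
{
    // A C# event can only be raised from inside its declaring class,
    // so other scripts can subscribe to it but cannot invoke it.
    public static event Action<Unit> ServerOnUnitSpawned;
    public static event Action<Unit> ServerOnUnitDespawned;

    // Mirror calls these two callbacks on the server only.
    public override void OnStartServer() => ServerOnUnitSpawned?.Invoke(this);
    public override void OnStopServer() => ServerOnUnitDespawned?.Invoke(this);
}

// RTSPlayer.cs
public class RTSPlayer : NetworkBehaviour
{
    private readonly List<Unit> myUnits = new List<Unit>();

    // Subscriptions exist only on the server, so the private handlers
    // below are never wired up on a client.
    public override void OnStartServer()
    {
        Unit.ServerOnUnitSpawned += ServerHandleUnitSpawned;
        Unit.ServerOnUnitDespawned += ServerHandleUnitDespawned;
    }

    public override void OnStopServer()
    {
        Unit.ServerOnUnitSpawned -= ServerHandleUnitSpawned;
        Unit.ServerOnUnitDespawned -= ServerHandleUnitDespawned;
    }

    // [Server] is optional here: it makes the intent explicit, and Mirror
    // logs a warning and returns early if the server is not active.
    [Server]
    private void ServerHandleUnitSpawned(Unit unit)
    {
        if (!OwnedByThisPlayer(unit)) { return; }
        myUnits.Add(unit);
    }

    [Server]
    private void ServerHandleUnitDespawned(Unit unit)
    {
        if (!OwnedByThisPlayer(unit)) { return; }
        myUnits.Remove(unit);
    }

    // Assumed check: track only units owned by this player's connection.
    private bool OwnedByThisPlayer(Unit unit) =>
        unit.connectionToClient != null && connectionToClient != null &&
        unit.connectionToClient.connectionId == connectionToClient.connectionId;
}
```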
