Block unauthorized vehicle spawns

Hey !

I managed to find a way to block “illegal” vehicle spawns, I know it’s a common issue on many many servers so why not share it.

!!! Has to be put in a server script !!!

  1. BLOCKING CLIENT/SERVER VEHICLE SPAWNS
    ( not only player related - the server also spawns vehicles ( example : military base ) )
```lua
-- you structure it the way you want
Security = Security or {}
Security.Blacklist = Security.Blacklist or {}
Security.Blacklist.Vehicles = {
    -- some examples
    "hydra",
    "apc",
    "rhino"
}

-- The event is triggered BEFORE the entity is created
AddEventHandler("entityCreating", function(entity)
    -- gets the vehicle model
    local model = GetEntityModel(entity)
    -- check if the vehicle is not allowed in the server
    for _, v in ipairs(Security.Blacklist.Vehicles) do
        if model == GetHashKey(v) then
            CancelEvent() -- cancels the creation of the entity
            return -- no need to check the remaining models
        end
    end
end)
```
  2. BLOCKING PLAYER VEHICLE SPAWNS
```lua
AddEventHandler('entityCreated', function(entity)
    local entityTmp = entity

    if not DoesEntityExist(entityTmp) then
        return
    end

    local src = NetworkGetEntityOwner(entityTmp)
    local eType = GetEntityPopulationType(entityTmp)

    if src == nil or eType == 0 then
        DeleteEntity(entityTmp)
        return -- entity is gone; the checks below would also fail on a nil src
    end

    -- checks if spawning that entity was allowed

    --[[
    You'll have to pay attention for this part, here is the code I use with MY OWN framework
    You'll have to adapt it yourself to make it work but the way of doing it is explained
    ]]

    -- eType 7 is mission entity ( 4 and 5 are for npc vehicles - no need to check them )
    -- eType 7 happens with spawn commands, garage vehicle spawns, ...
    if eType == 7 then
        -- This `if` checks if the vehicle has an owner ( I set an owner to every vehicle that is spawned but you can check the plate as well )
        if SB.Vehicles.GetVehicleOwner(entityTmp) == nil then
            -- this `if` checks if it was an admin spawning the vehicle ( example /car spawn )
            if SB.GetGroup(src) ~= "superadmin" then
                -- if here it means that the vehicle has no owner and it wasn't spawned by an admin > we delete the entity
                print("PLAYER [" .. src .. " - " .. SB.GetPlayerName(src) --[[ replace this with whatever you use to get the player name ]] .. "] >> Vehicle Spawn [UNAUTHORIZED]")
                DeleteEntity(entityTmp)
            end
        end
    end
end)
```

This way of blocking unauthorized vehicles + spawns has been tested and nothing has bypassed the security for now ( of course there are many shady pieces of software, we couldn’t test them all – I can’t say more about it on the forum )

If some people have trouble modifying the code to match their framework I can try to help in the comments here - or also help each other out !

Also, if some of you know some ways to make it even more secure, don’t hesitate to share it with us and I’ll update this post

I hope this can help many of us ! :)

2 Likes
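
A framework-independent version of the ownership check described in the post above, as an added example that is not part of the original post or of anyone's framework: the server issues a short-lived, single-use ticket when its own garage or admin code approves a spawn, and `entityCreating` cancels any mission vehicle whose creator holds no ticket. `AuthorizeSpawn`, `pending` and `TICKET_TTL_S` are hypothetical names, and it assumes vehicles are created by the requesting client after the server has approved the request.

```lua
-- Added example (server script). AuthorizeSpawn, pending and TICKET_TTL_S are
-- hypothetical names; call AuthorizeSpawn from your own garage/admin code
-- right before telling the client to create the vehicle.
local TICKET_TTL_S = 5
local pending = {} -- pending[src][modelHash] = expiry time (os.time seconds)

-- Grant one player a short-lived, single-use permission to create one model.
function AuthorizeSpawn(src, modelName)
    pending[src] = pending[src] or {}
    pending[src][GetHashKey(modelName)] = os.time() + TICKET_TTL_S
end

-- Returns true (and burns the ticket) if src was allowed to create this model.
local function consumeTicket(src, model)
    local tickets = pending[src]
    local expiry = tickets and tickets[model]
    if not expiry then
        return false
    end
    tickets[model] = nil -- single use, even when expired
    return os.time() <= expiry
end

AddEventHandler("entityCreating", function(entity)
    -- 2 = vehicle; peds and objects are out of scope for this check
    if GetEntityType(entity) ~= 2 then return end
    -- 7 = mission entity (scripted spawn). This filter only lets ambient
    -- traffic through; a reply in this thread suggests it may not be reliable.
    if GetEntityPopulationType(entity) ~= 7 then return end

    local src = NetworkGetEntityOwner(entity)
    local model = GetEntityModel(entity)
    if not consumeTicket(src, model) then
        print(("Vehicle Spawn [UNAUTHORIZED] src=%s model=%s")
            :format(tostring(src), tostring(model)))
        CancelEvent() -- the entity is never created
    end
end)

AddEventHandler("playerDropped", function()
    pending[source] = nil -- discard unused tickets when the player leaves
end)
```

Because the ticket is keyed on both the player and the model hash, an approved request for one model cannot be reused to create a different one.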

Pretty sure this is already a part of the QBCore base “qb-smallresources”; can’t speak on other frameworks though. Either way, kudos I guess.

Well, I can’t say, I use my own framework ^^’

By your own framework you mean a decompiled version of QB or ESX with edits and event name changes.

No lol, I created my thing from scratch based on what I needed. When you know what to do and how to do it, creating your own stuff isn’t hard at all tbh

1 Like

I can’t remember if I tried entityCreated but the population type check can probably be bypassed

Mhm that’s actually good to know
From the tests we’ve made it was always “as it should be” ( if it makes any sense since we’re talking about shady stuff ).

I see you’ve tried it with peds, have you tried it with other entities ?