Is the restricted bool on RegisterCommand supposed to not work?

Hi everyone, I have a quick question for you, is the restricted boolean on RegisterCommand supposed to be not working? Because I’ve found out no matter if I set it to true or false the ace to use that command is always automatically allowed to builtin.everyone. Has anyone experienced that issue or has a fix for it?
Some more information:

  • I don’t have that permission defined in my server.cfg
  • No script has been granted permissions to modify aces
  • I register the command server-sided (like this:)
RegisterCommand('command_name_here', function(source, args)
  -- Stuff that should happen here
end, true)

following this documentation

  • Checking other aces with IsPlayerAceAllowed is working as expected and returns false per default if the ace is not set, this only happens on registered commands

Edit: Thanks for moving this post to the appropriate subforum

did you use it on the server side? can’t test it rn but the natives say it only works server side

Yes, as I stated in my post above

I register the command server-sided

oh sorry, I misread that. When I’m home (this evening) I will test further and tell you if I have the same issue

Do you happen to have the command access granted on your ace group? Because that will provide access for all commands.

Also, what server version do you use?

No, as I’ve also (vaguely) said, and now will state clearly, we do not modify the builtin.everyone group at all, yet when we run the list_aces command in the server console builtin.everyone literally shows every permission for every command on the server as allowed.
Server version is 6683, we’re on the newest version shown on /artifacts/fivem/build_proot_linux/master/ / FiveM Artifacts

Unfortunately even with the current version (26389 on Linux) of the server this still happens. The builtin.everyone group still gets every permission for any server command registered through scripts.

If I had to guess, it does work, but it’s a bit interesting, so if that value is true it means people with ACE permission “command.command_name_here” can run it, but by default FiveM creates the ACE perms and grants them to builtin.everyone unless overwritten, hence it works for all.

Try removing ace perms for builtin.everyone and then granting command.command_name_here allow

Can confirm that removing the permissions one by one works but unless put in the server.cfg they reappear on any server restart.
This definitely seems more like a bug even if it was intentional.
I mean the purpose of ace permissions is supposed to be that no one (except the console) can run these commands by default unless explicitly granted.
Granting everyone these permissions automatically defeats the purpose of that feature and allows anyone to run any commands, even high risk administrative ones, unless the resource defines extra ace perms for them.
That would mean that for any resource added I would have to list_aces, go through the whole list which by the time it’s configured is getting extremely long, defining remove_ace for every one of the builtin.everyone entries still left and hope for the best that they execute every time.
Not to mention the elephant in the room that they are back as soon as one of the scripts is restarted, which can happen regularly when changing settings or if something hangs, which means manually running the commands to remove the permissions again one by one unless one wants to full restart the server and interrupt everyone’s RP.

Granting everyone these permissions automatically defeats the purpose of that feature and allows anyone to run any commands

Yeah, kind of, but it’s only 1 line of code to disable ACE perms for builtin.everyone.

But honestly, never used this, I just personally feel like ACE perms are a bit annoying to edit & outdated.

I always just put to my scripts methods for tx auth, esx group auth, qbcore permission groups, and discourage using ace perms though I make them available, although even then I check the ACE perms inside the function not with the 3rd param :man_shrugging:

Also I’ve got to respect you for being at this same thing 3 years later :skull:

It’s not one line but multiple unfortunately. I have to run remove_ace on every command.commandgoeshere to have the line go.
Like for example
remove_ace builtin.everyone command.test allow
Just running this with command does nothing, it has to be the exact ace perm in the ACL to do anything.

Thanks, while I haven’t focused on this all the time obviously it’s gotten a bit annoying here and there. I mostly use either ESX group auth or extra ACE perms [the manual IsPlayerAceAllowed check with an ACE permission that’s not command.anythinghere] as well but every now and then I’ve come across an FXAP encrypted paid script that doesn’t and it has been a bit annoying making sure that nobody can run these commands except admins.
Now that the server I’ve spent all this time creating with a buddy (it took a while since we worked on that alone and tried to make as much as possible ourselves) is nearing release I was double checking if I could finally mitigate this problem and therefore came back to this topic.

Went the same route of creating many scripts myself, but doing it alone, has taken like 6 months now. Finally got the braincells needed to realize that I can start selling the scripts xD

But yeah, IsPlayerAceAllowed() is better.
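
The in-handler check described in the posts above, as an added example that is not part of the original thread or anyone's posted code: the command is registered unrestricted and the handler itself denies by default, checking a custom ACE outside the command.* namespace so that whatever builtin.everyone holds for command.* does not matter. The names `myresource.admin`, `registerGuardedCommand`, `isAllowed` and `announce_restart` are hypothetical, and the server.cfg grant in the comment assumes a `group.admin` principal already exists.

```lua
-- server.lua (added example; all resource-specific names are hypothetical)
-- Matching grant in server.cfg, assuming group.admin is already set up:
--   add_ace group.admin myresource.admin allow

-- Deny-by-default check against a custom ACE.
local function isAllowed(src, ace)
    -- On the server, source 0 is the console, not a player.
    if src == 0 then
        return true
    end
    -- False unless the ACE was explicitly granted to the player
    -- or to a principal the player inherits from.
    return IsPlayerAceAllowed(tostring(src), ace)
end

-- Registers a command whose access is decided inside the handler,
-- not by the third parameter of RegisterCommand.
local function registerGuardedCommand(name, ace, handler)
    RegisterCommand(name, function(source, args, rawCommand)
        if not isAllowed(source, ace) then
            -- Log denials so attempts show up in the server console.
            print(('[acl] denied /%s for %s (id %d)'):format(
                name, GetPlayerName(source) or 'unknown', source))
            return
        end
        handler(source, args, rawCommand)
    end, false) -- restricted = false: command.<name> is not consulted
end

registerGuardedCommand('announce_restart', 'myresource.admin', function(source, args)
    print(('[admin] restart announced by source %d: %s'):format(
        source, table.concat(args, ' ')))
end)
```

This only covers commands whose source you control; for encrypted resources that rely on the third parameter, the remove_ace lines in server.cfg discussed above remain the available mitigation.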