Hello!
I am writing this in here, because txAdmin is part of fxserver packages.
I really love using txAdmin, but please keep it only as “web” tool to monitor and control server. I dont want to have any things related to new admin in-game resource. And yes, I know I can disable admin menu (or need to enable it). But still, the code of it may be exposed (all the server events etc.) and somehow lower the server security.
For example we use key bindings for everyting and we really do not want this in there:
Sooo. Really please, keep “monitor” resource really only for “monitoring” and server control, as it was. And make other things like that new txAdmin ingame admin menu as separate resource you need to add yourself to server.
I know you probably want to make txAdmin bigger, but I think it is great as it is and other things should really be separate.
@tabarra why is this key binding registered for users who don’t have access?
Before approving this functionality I did some cursory review to ensure the in-game functionality would have no impact on users not using the in-game functionality, including not setting any key binding by default.
In addition to that, all server events are explicitly audited before I merge in the updates - there already were server events before this in-game functionality, and none either before or now have any directly visible or invisible issues ‘reducing security’.
Was this key binding there already, or did you manually set it to ‘backspace’?
Only issue I see here is the spectate keybind, which does absolutely nothing unless you are in the spectate mode.
Related to security, If you found any specific vulnerability I would absolutely love to hear about it, but unbased claims that it “somehow lower the server security” is pointless to say the least.
It still seems to not be ‘zero-impact’ to people not using it, as evidenced by this user getting [worry mode] from seeing this unintended key bind.
Would it be possible to set a replicated convar if the menu is enabled and txAdmin is being used so the client script(s) just don’t run if this convar is not set, so one can’t ‘accidentally’ forget a key binding or other client-side logic?
→ additional GAMETODO: make sure replicated convars get reset to original value on server disconnect
This feature was added after the initial release and your review. You are correct in that it should not be bound if the menu is not enabled or the user does not have access, and will be fixed in the next release.
@Tsrak This feature does not “lower the server security,” as permissions are still verified server-side. This being bound for regular players is just a simple oversight.
No, the cache for the list of admins won’t be populated unless they load txAdmin through the menu, so everyone – including admins, would be denied permission (which is also logged).
