brainCloud Forums

UserItems.AwardUserItem cannot be blocked for clients

4 Posts 3 Posters 488 Views
  • petri.liuska wrote (#1):

    Hi, I've been experimenting with brainCloud and noticed that I can call UserItems.AwardUserItem as a client and can't find a way to block it. "Cloud Code - API Blocking" does not list it under the UserItems service. This seems rather strange as now a hacked client could just award an unlimited amount of items. Have I misunderstood something or is this a bug?
    I've noticed that this kind of blocking can be done for Virtual Currencies though. I believe in never trusting the client and would like to be able to strictly enforce that.

  • petri.liuska wrote (#2):

    This will probably do what I'm after: https://help.getbraincloud.com/en/articles/1852058-is-there-a-way-to-prevent-a-client-apps-from-making-certain-api-calls
    I'm still wondering if there's a reason why AwardUserItem is not blockable via API Blocking?

  • JasonL (bitHeads) wrote (#3):

    Thank you for bringing this to our attention. We will proceed to include this API in the list.

  • Paul Winterhalder (brainCloudAdmin) wrote (#4):

    Update - we have patched this issue in our Public BaaS.

    The API call is now blockable via API Blocking - but it's also disabled by default now (via the core API itself). There's a new compatibility flag (that is by default enabled for all existing apps) that preserves the old functionality.

    Paul.

