Spawning actors/object from class on server only with only specified class

It has been brought to my attention that doing something like this:

void AGameCharacter::AddAbility(TSubclassOf<ASystemAbility> ability, APawn* AbilityOwner)
{
	if (Role < ROLE_Authority)
	{
		ServerAddAbility(ability, AbilityOwner);
	}
}

is not safe, because someone can essentially inject anything into the ability field on the client side and tell the server to spawn it, which can leave it open to cheating.
This function is called from a blueprint, and it just spawns an ability for the character to use.

The question is how to make sure that the only object that can be spawned by this function is either:

  1. The one that we provided when creating the blueprint.

  2. One that, for example, the player picks up in the level.

  3. Or one that we (the server) know can be used by the player, because this or a similar function could be used to provide a hook for the UI to equip said ability and make it usable from the inventory. This one looks more straightforward, as it should be possible to simply replicate the list of objects that are available to the current player, and that way we can make sure that the player can only choose from the provided list of objects.

Should I just make a list of the Abilities available to the current player, replicate it, and make sure that the function can only pick objects from that replicated list?

In the case of point 2, the new object would simply be added to the existing list.
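
The allow-list check asked about above, as an added example that is not part of the original post: a plain C++ model with no engine dependency, in which the server validates the requested class against its own per-player list before spawning. `AbilityServer`, `Grant`, `HandleAddAbilityRequest`, `AbilityClassId` and `PlayerId` are hypothetical names, and the ability names are constructed sample values.

```cpp
#include <cstddef>
#include <iostream>
#include <string>
#include <unordered_map>
#include <unordered_set>
#include <vector>

// Stand-ins for engine types (assumptions): an ability class is identified by
// name (TSubclassOf<ASystemAbility> in the post), a player by an integer id.
using AbilityClassId = std::string;
using PlayerId = int;

class AbilityServer {
public:
    // Server-only path: blueprint defaults and pickups resolved by the server
    // land here. It is never reachable from a client request.
    void Grant(PlayerId player, const AbilityClassId& ability) { granted_[player].insert(ability); }

    // Handler for the client's request (ServerAddAbility in the post). The
    // sender comes from the connection, not from a client-supplied owner, and
    // the requested class is untrusted until found in the server's own list.
    bool HandleAddAbilityRequest(PlayerId sender, const AbilityClassId& requested) {
        auto it = granted_.find(sender);
        if (it == granted_.end() || it->second.count(requested) == 0) {
            rejected_.push_back(requested);    // keep for anti-cheat review
            return false;                      // nothing is spawned
        }
        spawned_[sender].push_back(requested); // stands in for the actual spawn
        return true;
    }

    std::size_t RejectedCount() const { return rejected_.size(); }
    std::size_t SpawnedCount(PlayerId p) const {
        auto it = spawned_.find(p);
        return it == spawned_.end() ? 0 : it->second.size();
    }

private:
    std::unordered_map<PlayerId, std::unordered_set<AbilityClassId>> granted_;
    std::unordered_map<PlayerId, std::vector<AbilityClassId>> spawned_;
    std::vector<AbilityClassId> rejected_;
};

int main() {
    AbilityServer server;
    server.Grant(1, "Fireball");  // constructed sample: server grants one ability
    std::cout << server.HandleAddAbilityRequest(1, "Fireball")
              << server.HandleAddAbilityRequest(1, "GodMode") << "\n";
}
```

In the engine, the replicated copy of the list would only drive the UI; the check itself has to run against the server's copy.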