How can I allow RPC from a specific player only in an actor? I have an actor and only a specific player should be able to call an RPC depending some internal state (like e.g. team id). How can I ensure that not another player is able to send this RPC (e.g. with a modified client). Must the RPC go through the player’s playercontroller or how can the server be sure it’s the correct player? Or should you pass the playercontroller pointer?
If you have something like a Team ID, can’t you send the Team ID to the Server and he checks it before running the function? Or are you afraid a client could fake the Team ID and cheat?
I was wondering the same. I think the best bet here is to use a shared secret between server and client to uniquely identify a client on the server. My original thought was to pass the UniqueNetID of the player in the RPC call to the server, and use that on the server to obtain the player controller for validation. However, after looking at how ShooterGame uses UniqueNetID, I’m inclined to believe that this value is not a shared secret (they broadcast it in their BroadcastDeath_Implementation). I think I’m going to go the route of generating a unique ID on my clients and sending that data to the server, so that I can use it for identification. I’m sure there’s a better way of doing this, but for now this should work.
Some sort of cryptography would probably be the safest. A shared secret is an interesting idea, probably good enough. I guess I gonna rely on their implementation tough. Assuming only the client which the playercontroller belongs to can call the RPC:s.