I want to make a command so that the user has to enter a password to become admin
So I want to make a command for my staff team so that if they want to start taking sits, they have to type administrate in console and it pops up a window and asks them for a password.
In a server file, it lists all the passwords, SteamIDs and ranks. I'm using ServerGuard.
I imagine the passwords being:
    AllowedAdminUsers = {
        "STEAM_0:0:185321716",
        "STEAM_0:1:189332097",
        "STEAM_0:0:97146312",
        "STEAM_0:1:157769062",
    }
    AllowedAdminUsersPassword = { -- Each line of a password is assigned to the user that is in order of AllowedAdminUsers
        "passwordhere",
        "passwordhere",
        "passwordhere",
        "passwordhere"
    }
    AllowedAdminUsersRank = {
        "founder",
        "founder",
        "admin",
        "tmod",
    }
So for each line, it goes to the same line for the steam id.
So
    AllowedAdminUsers = {
        "STEAM_0:0:185321716", -- This goes to the same line on AllowedAdminUsersPassword and AllowedAdminUsersRank.
        "STEAM_0:1:189332097",
        "STEAM_0:0:97146312", -- Same applies here
        "STEAM_0:1:157769062",
    }
    AllowedAdminUsersPassword = { -- Each line of a password is assigned to the user that is in order of AllowedAdminUsers
        "passwordhere",
        "passwordhere",
        "passwordhere",
        "passwordhere"
    }
    AllowedAdminUsersRank = {
        "founder",
        "founder",
        "admin",
        "tmod",
    }
If the user enters the correct password, it runs a command that adds the user to the according rank in the server file.
And if the user disconnects, it removes them from their rank and sets them back to user. And/or they exit administrate mode by typing administrate again.
Sorry if I made this complicated.
So others may disagree with me but I would seriously not recommend doing that.
If a user has to type a password to become admin, but they know the password, and they are meant to be an admin, then what is the point of having a password?
You may as well just give them admin always since they can get it instantly anyway.
Also I'm not sure if SteamID spoofing has been fixed yet (it might have been, haven't been browsing for it, if it has can someone let me know) so I wouldn't recommend comparing SteamIDs. This probably isn't an issue though, but just be cautious.
Also, if that is a shared file, don't put plaintext passwords (read: don't put any passwords) in it because the client can easily gain access to that file.
But that doesn't make sense. The password can only be entered by that user. Let's say another user is trying another user's password. It won't work because that password is assigned to that user and that user ONLY. No other user can use it.
Also, how come SuperiorNetworks can pull it off?
https://i.imgur.com/UN0Pcbv.png
    if CLIENT then return end -- server-side only

    -- Usergroup -> password. The typed text is compared to these strings as-is.
    local Passwords = {
        ['admin'] = "YWRtaW4=",
        ['superadmin'] = "c3VwZXJhZG1pbg==",
        ['user'] = "dXNlcg==",
    }

    -- Give the player whichever usergroup the supplied password belongs to.
    local function becomeAdmin(ply, pass)
        if not pass then return end
        for k, v in pairs(Passwords) do
            if pass == v then
                ply:SetNWString("UserGroup", k)
                ply:ChatPrint("Your usergroup was changed to '" .. k .. "'.")
                return
            end
        end
    end

    -- Chat command: !password <password>
    hook.Add("PlayerSay", "_PlayerSay", function(ply, txt, tm)
        local cmd, args
        if string.Left(txt, 1) == "!" then
            -- Strip the leading "!command" and remember the command name.
            txt = txt:gsub("^.(%S+)", function(match)
                cmd = match
                return ""
            end, 1)
        end
        args = string.Explode(" ", txt)
        table.remove(args, 1)
        if cmd == "password" then
            becomeAdmin(ply, args[1])
            return "" -- hide the message from chat
        end
    end)
... you've just created a plaintext password method for anyone to get admin on a server. Yes, you can do SteamID checking (which is NOT included in that code), but even then you have created a method for exploitation.
Which is why I'll ask OP once again why this system is at all necessary. Why does the password need to exist? Why not just give admins admin perms all the time rather than introduce a potential for exploitation?
Your complaint is that it's plain text. But you're forgetting it's Lua; it's not set in stone. And I don't decide what people use or don't use on their servers.
Also, this seems like a Choosy Beggars post.
My main objection to this idea is that this entire system doesn't make sense and just creates unnecessary means of exploitation depending on how it is implemented.
If you want to track when staff are admin'ing, then sure, you can create a command that tracks the time. But creating a password-based system doesn't make sense.
I will not argue the usefulness of this but instead tell you how to achieve it. Regardless of if you want to use UI or just commands it's all about storing your passwords on the server where clients can't access them and then networking client input for server verification prior to adding the desired rank. There are several ways of going about having this be functional but based on what you've said here I'd assume you already need to be staff for this system to be applicable. In that case you should generate a password for each person to access their powers and store it on the server upon them receiving their rank.
Don't you guys hate it when your admin's little brother gets on their account and starts abusing the server? With this, that can't happen!
What about steam id checking? How would I go about that? I just want to make this so that admins can take sits at the appropriate times and not abuse by giving themselves weapons. So the system that I put in place prevents my staff team from abusing. And they only go into that mode when they want to take sits.
Create a table of SteamIDs, see if the player SteamID is included in that table (table.HasValue), and then if so give them the rank.
How are you going to implement "they only go into that mode when they want to take sits so they don't abuse"? If they want to abuse they will just type the password *regardless*. If anything, this makes it harder for admins because if they need to deal with something ASAP they can't because they have to go type in this (probably complicated for security) password.
I don't understand the purpose of having a password system, maybe I can understand at most having an "admin" command, but barely.
My question to you is: if you need to implement a "system" to stop admins from abusing (which this doesn't do), then perhaps the problem lies in the admins? Just a thought.
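Added example, not written by any poster in this thread: one way to lay out the server-side verification and the SteamID lookup suggested in the replies above, with each SteamID keyed to its own rank and salted hash, failed attempts throttled, and the rank dropped on disconnect. The message name `sit_admin_auth`, the command `sit_admin_off`, the SteamIDs, salts and hashes are constructed placeholders, and `SetUserGroup` stands in for whatever rank call the admin mod in use (ServerGuard here) provides.

```lua
-- Added example, not from the thread. Save under lua/autorun/server/ so the
-- file is never sent to clients. All names and values below are placeholders.
if CLIENT then return end

util.AddNetworkString("sit_admin_auth") -- hypothetical message name

-- One record per SteamID, so rank and secret cannot drift apart the way three
-- parallel arrays can. Store util.SHA256(salt .. password), not the password.
-- GMod ships no slow password hash, so this only keeps plaintext out of the file.
local StaffRecords = {
    ["STEAM_0:0:00000001"] = { rank = "admin", salt = "constructed-salt-1", hash = "<sha256 hex>" },
    ["STEAM_0:0:00000002"] = { rank = "tmod",  salt = "constructed-salt-2", hash = "<sha256 hex>" },
}

local MAX_FAILS, LOCKOUT = 3, 300 -- 3 wrong guesses, then locked for 5 minutes
local fails, lockedUntil, elevated = {}, {}, {}

local function dropRank(ply)
    local sid = ply:SteamID()
    if elevated[sid] then
        elevated[sid] = nil
        ply:SetUserGroup("user")
    end
end

-- Client side sends: net.Start("sit_admin_auth") net.WriteString(pw) net.SendToServer()
net.Receive("sit_admin_auth", function(_, ply)
    local sid, pass = ply:SteamID(), net.ReadString()
    local rec = StaffRecords[sid]
    -- Unlisted SteamIDs and locked-out players are rejected without feedback.
    if not rec or (lockedUntil[sid] or 0) > CurTime() then return end

    if util.SHA256(rec.salt .. pass) == rec.hash then
        fails[sid], elevated[sid] = nil, true
        ply:SetUserGroup(rec.rank)
        print(("[sit-admin] %s (%s) elevated to %s"):format(ply:Nick(), sid, rec.rank))
    else
        fails[sid] = (fails[sid] or 0) + 1
        print(("[sit-admin] failed attempt %d for %s"):format(fails[sid], sid))
        if fails[sid] >= MAX_FAILS then
            fails[sid], lockedUntil[sid] = nil, CurTime() + LOCKOUT
        end
    end
end)

-- Disconnecting always ends the elevated session; the console command ends it early.
hook.Add("PlayerDisconnected", "sit_admin_drop", dropRank)
concommand.Add("sit_admin_off", function(ply) if IsValid(ply) then dropRank(ply) end end)
```

The two `print` lines leave a server-log record of every elevation and failed attempt, which covers the tracking of staff activity that one reply proposes.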