Hi,

It was brought to my attention that your tool allows players to essentially assume ownership over others' entities regardless of prop protection.

In your script, you aren't doing any checks with the "Nocollide within Sphere/Box" options (#6, 7, 8, and 9) to see if the player using the tool actually owns the entities before applying the constraint between them.

Typically you would check if the server has the Common Prop Protection Interface (CPPI) and that the entities have the ENTITY:CPPICanTool method implemented, or just do a normal hook.Run( "CanTool", ... ) call and see if the server allows or prevents the action.

Without the checks, players are currently able to constrain other players' entities to their own, thus allowing them to use Advanced Duplicator 1 and the generic Duplicator tool to steal the entire contraption. Similarly, since the entities are now constrained, players can press R to unfreeze the dupe, breaking it entirely and potentially crashing the server. Players can also undo their entities and coincidentally delete the constrained entities that don't belond to them.


This is a serious concern for any building server, and I strongly urge you to patch this exploit.