
Basic Admin Remade takes security seriously. This page covers the project’s security policy, how to report vulnerabilities, and best practices for configuring admin access securely in your Roblox game.

Supported Versions

Only the latest release of Basic Admin Remade receives security updates. If you are running an older version, you should upgrade to the current release to ensure you receive any security patches.
Version | Supported
Latest release | ✅ Yes
Older releases | ❌ No

Reporting a Vulnerability

If you discover a security vulnerability in Basic Admin Remade, please do not open a public GitHub issue. Instead, use the official private disclosure channel:
  1. Navigate to the BAR repository on GitHub: https://github.com/Verveo/Basic-Admin-Remade
  2. Click the Security tab near the top of the repository page.
  3. Click the “Report a Vulnerability” button to submit a private advisory.
The maintainers will review your report and respond as quickly as possible. You will receive updates on the triage and resolution of the vulnerability through the private advisory thread.

Security Best Practices

Follow these recommendations to keep your game and its players safe when using Basic Admin Remade.

1. Keep your Trello credentials private

BAR supports optional Trello integration for managing ban lists. Your Trello App Key and Trello Token are sensitive credentials. Never commit them to a public repository or share them publicly. In main_script.lua, these fields should only ever be filled in for private, server-side use:
['Trello App Key'] = (''), -- Private trello application key.
['Trello Token'] = (''),   -- Private trello token.
If these values are ever exposed, revoke and regenerate them immediately through the Trello developer portal.

2. Use the new Roblox Ban API (UseLegacyBan = false)

In ExtraSettings.lua, the UseLegacyBan setting controls which ban mechanism BAR uses. Setting it to false (the default) enables the modern Roblox Ban API, which is more secure because Roblox handles enforcement at the platform level rather than relying solely on DataStore checks:
["UseLegacyBan"] = false, -- Should we use the old ban system, or the new Roblox Ban API?
The new API bans apply universe-wide and can exclude alt accounts, providing significantly stronger protection than the legacy system.

3. Enable Command Confirmation

The Command Confirmation setting in main_script.lua triggers a confirmation prompt before executing commands that affect all players (such as :ban all or :pban all). Keep this enabled to prevent accidental mass actions:
['Command Confirmation'] = true,
When enabled, BAR will ask the issuing admin to confirm before the command executes, giving you a critical safety net against misuse or mistakes.

4. Restrict the :s script execution command

The :s command allows execution of arbitrary Lua code on the server. In the BAR source it is registered at permission level 3 (Super Admin):
{'s', sysTable.Prefix, Funcs.doScript, 3, {'s', '<Code>', 'Executes specified code.'}},
Only grant Super Admin (level 3) rank to players you fully trust. A player with access to :s can run any server-side Lua, which could be used to compromise your game. Use the Command Configuration table in main_script.lua if you need to raise this permission level even further:
['Command Configuration'] = {
    ['s'] = {
        ['Permission'] = 4, -- Restrict to Game Creator only
    },
},
The :s (script execution) command executes arbitrary Lua code directly on your server. It is one of the most powerful — and dangerous — commands in BAR. Only grant the Super Admin rank (level 3) or higher to players you completely trust. Misuse of this command can irreversibly damage your game, manipulate DataStores, or harm your players’ experience. Consider restricting it to level 4 (Game Creator only) if you do not need to delegate script execution to other admins.

5. Do not modify the donorID in MainModule.lua

The donorID field in MainModule.lua is used by BAR to verify donor purchases through Roblox’s MarketplaceService:
donorID = 9761068977, -- Please don't change. This is the only way you can support us, and how the team gets paid.
This value is tied to the official BAR donor product and cannot be spoofed by players. Changing it will break donor perk verification and may cause unexpected behavior. Leave this value exactly as it appears in the distributed source.

6. Require a reason for btools, sword, and segway (RequireReason = true)

Setting RequireReason = true in ExtraSettings.lua forces admins to supply a reason when granting building tools (F3X), a sword, or a segway. This creates an audit trail you can review in the admin logs:
["RequireReason"] = true, -- Require a reason when running "btools", "sword", or "segway".
With this enabled, commands like :btools PlayerName will fail unless a reason is appended, e.g., :btools PlayerName building the spawn. The reason is stored in the server’s admin logs.

7. Use LockedOnStart = true on private or controlled servers

If you are running a private server, a testing environment, or an event server where only admins should be present initially, enable LockedOnStart in ExtraSettings.lua:
["LockedOnStart"] = false, -- Should the server be locked on start, and an admin has to do :unslock?
Change this to true to ensure the server kicks any non-admin player who attempts to join before an admin explicitly unlocks it with :unslock. This is especially useful for preventing uninvited players from joining admin sessions.
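
The following is an added example, not part of BAR or its documentation: a pre-commit style check in Python that reads the text of a settings file and flags values that recommendations 1, 2, 3 and 6 warn against. The setting keys come from this page; the function names, the rule table and the sample text are assumptions made for the example, and only flat one-line assignments are parsed.

```python
import re

# Flat assignments in the style shown on this page, e.g.
# ['Trello Token'] = (''),  or  ["UseLegacyBan"] = false,  (nested tables are skipped)
SETTING = re.compile(
    r"""\[\s*(['"])(?P<key>[^'"]+)\1\s*\]\s*=\s*\(?\s*(?P<val>'[^']*'|"[^"]*"|true|false)"""
)
SECRET = "Trello credential filled in; keep this file out of public repositories"
# Hypothetical rule table: setting key -> (test for a risky value, finding text)
RULES = {
    "Trello App Key": (lambda v: v != "", SECRET),
    "Trello Token": (lambda v: v != "", SECRET),
    "UseLegacyBan": (lambda v: v is True, "legacy ban system instead of the Roblox Ban API"),
    "Command Confirmation": (lambda v: v is False, "no prompt before commands affecting all players"),
    "RequireReason": (lambda v: v is False, "btools/sword/segway can be granted without a reason"),
}

def parse_settings(lua_text):
    """Return {key: str | bool} for simple string and boolean settings."""
    found = {}
    for line in lua_text.splitlines():
        code = line.split("--", 1)[0]  # drop Lua line comments (simplification)
        m = SETTING.search(code)
        if m:
            val = m.group("val")
            found[m.group("key")] = (val == "true") if val in ("true", "false") else val[1:-1]
    return found

def audit(lua_text):
    """Return (key, finding) pairs for settings explicitly set to a risky value."""
    settings = parse_settings(lua_text)
    return [(k, why) for k, (is_risky, why) in RULES.items()
            if k in settings and is_risky(settings[k])]

# Constructed sample text; the token is a placeholder, not a real credential.
WEAK = """
['Trello App Key'] = (''), -- Private trello application key.
['Trello Token'] = ('PLACEHOLDER_TOKEN'),   -- Private trello token.
['Command Confirmation'] = false,
["UseLegacyBan"] = true, -- Should we use the old ban system, or the new Roblox Ban API?
["RequireReason"] = true, -- Require a reason when running "btools", "sword", or "segway".
"""
HARDENED = WEAK.replace("'PLACEHOLDER_TOKEN'", "''").replace(
    "= false", "= true").replace('["UseLegacyBan"] = true', '["UseLegacyBan"] = false')

if __name__ == "__main__":
    for key, why in audit(WEAK):
        print(f"{key}: {why}")
```

Settings that are absent from the file are not reported, since this page states a default only for UseLegacyBan.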

License Summary

Basic Admin Remade is released under a custom license — it is not MIT, GPL, or any standard open-source license. The key terms are:
  • Free to use and modify — You may use and modify BAR for your own games at no cost.
  • Cannot be sold or commercially licensed — You may not sell BAR, any modified version of it, or use it as part of a paid product or service without explicit permission from the authors (B00PUP and Aspect_oi).
  • 🚫 Must not be used for malicious or harmful purposes — Using BAR to harm players, exploit games, or cause damage is prohibited.
  • 📋 Must include attribution if distributed — If you distribute BAR or a modified version of it, you must include the original license and give proper credit to the creators.
  • 🔒 Cannot be publicly redistributed at scale — Distribution is limited to small groups (friends, family, or private communities). Public redistribution on open repositories, public forums, or large-scale communities is not permitted.
  • 🚫 Cannot modify funding mechanisms — You may not alter donor perks or any money-making methods tied to the project without explicit author permission.
The full license text is maintained by B00PUP [boo@boopup.dev] and Aspect_oi. The authors reserve the right to modify the license at any time. Non-compliance may result in action being taken against your game.
