Skip to main content

1.4.0

Added Component Security, allowing blacklisted components to be denied from loading. Also added some VideoPlayer improvements.

Changes

  • Added Component Security
    • This prevents blacklisted components from being loaded on an Avatar or World
    • The builder will now deny a user from uploading an Avatar or World that has blacklisted components.
      • The user will be forced to remove the component before being allowed to upload again
  • Added VideoPlayerBehaviour
    • Adds some MonoBehaviour methods for IVideoPlayers (since they aren't Components) that are sent from the current VideoPlayerDescriptor Component.
  • Removed both CanBeUsed methods from IVideoPlayer
    • These needed to be static
  • Downgraded XR Management to 4.4.0

API Changes

Component Security

Component Security simply protects users from malicious Avatars and Worlds acting naughty by exploiting built-in components.

caution

This is NOT a silver bullet! You should always practice precaution when allowing components through Component Security.

To start this off, all methods can be invoked with either an Avatar (meaning to run checks on the Avatar's transforms), or a Scene (meaning to run checks on the World, excluding any Avatars).

Getting Offending Components

The GetOffendingComponents method returns a Component[] containing all components that are blacklisted.

danger

This method may return duplicate Components. Please be sure that you handle this accordingly.

Below are some examples of usage

// Assume myLogger is a Logger
Logger myLogger = logger;

// Assume myAvatar is an Avatar
Avatar myAvatar = avatar;
// This allows everything on an Avatar. Scripting, Physics, Audio, UI, Light, and Particles, in that order.
AllowedAvatarComponent avatarComponentsAllowed = new AllowedAvatarComponent(true, true, true, true, true, true);

// Assume myScene is a Scene
Scene myScene = scene;

List<Component> offendingAvatarComponents = Security.GetOffendingComponents(myAvatar, avatarComponentsAllowed).ToList();
List<Component> offendingWorldComponents = Security.GetOffendingComponents(myScene).ToList();
Component[] allOffendingComponents = offendingAvatarComponents.Concat(offendingWorldComponents).ToArray();

foreach(Component offendingComponent in allOffendingComponents)
{
    if(offendingComponent == null || offendingComponent.gameObject == null) continue;
    myLogger.Warn($"Found offending item {offendingComponent.GetType().Name} on {offendingComponent.gameObject.name}");
}

Removing Offending Components

The RemoveOffendingItems removes all offending components on an Avatar or in a World automatically. This is the preferred way to quickly remove blacklisted components.

Below are some examples of usage

// Assume myAvatar is an Avatar
Avatar myAvatar = avatar;
// This allows only Scripting on an Avatar. Scripting, Physics, Audio, UI, Light, and Particles, in that order.
AllowedAvatarComponent avatarComponentsAllowed = new AllowedAvatarComponent(true, false, false, false, false, false);

// Assume myScene is a Scene
Scene myScene = scene;

// Always remove for Worlds first
Security.RemoveOffendingItems(myScene);
// Then remove Avatars
Security.RemoveOffendingItems(myAvatar, avatarComponentsAllowed);

Allowing your own Components

There are multiple categories for components to be put in, and while you don't have to use them, they should be used if you want the option for the components to be disabled by a user.

info

When allowing a Type to a SecurityList<T>, you cannot disallow that item, so be sure that's the type you want!

Below is an example of adding DynamicBone types to the Physics category

// Gets the Assembly that contains the types
Assembly assembly = Assembly.GetExecutingAssembly();
// Uses a built-in method to get DynamicBone types. You can replace this with your own Type(s) if you'd like.
Type[] dynamicBoneTypes = Security.GetDynamicBoneTypes(assembly);
foreach(Type type in dynamicBoneTypes)
{
    // Adds all the types to the SecurityList for the Physics category
    Security.PhysicsTypes.Allow(type);
}

Adding Extra Restrictions to Allowed Types

Sometimes, components may be allowed, but only under certain circumstances.

In the example below, Canvases are allowed on both Avatars and Worlds, but Avatars are not allowed to have Canvases that aren't in WorldSpace.

// Assume this is being called at some point in some method

// Register a Restriction for the Canvas type (must be a Component!) Callback with component (Component) and isWorld (bool)
Security.RegisterComponentRestriction<Canvas>((component, isWorld) =>
{
    // Cast the Component to our Target Type
    Canvas canvas = (Canvas) component;
    // If this is not on an Avatar, force the RenderMode to WorldSpace
    if (!isWorld) canvas.renderMode = RenderMode.WorldSpace;
    // If the RenderMode is WorldSpace...
    if (canvas.renderMode == RenderMode.WorldSpace)
    {
        // Add the TrackedDeviceGraphicRaycaster for VR support
        TrackedDeviceGraphicRaycaster trackedDeviceGraphicRaycaster =
            canvas.gameObject.GetComponent<TrackedDeviceGraphicRaycaster>();
        if (trackedDeviceGraphicRaycaster == null)
            canvas.gameObject.AddComponent<TrackedDeviceGraphicRaycaster>();
    }
});