Trading Buttons

This plugin was a bit outdated and only got upgraded today (with the help of @Arkshine, I must add :slight_smile:). Update the plugin, and I believe you must rebuild the app if it's production, or restart the application. Here are some instructions from the Discourse team: Install Plugins in Discourse

5 Likes

Thanks for the update. I can confirm that everything is working.

5 Likes

Hi Everyone

Can anyone help me to fix this issue?

On the desktop, I am getting a black screen

Discourse - V3.1.3

Uncaught (in promise) Error: Could not find module `discourse-i18n` imported from `discourse/plugins/discourse-topic-trade-buttons/discourse/connectors/topic-above-post-stream/trade-buttons`
    at loader.js:247:1
    at u (loader.js:258:1)
    at a.findDeps (loader.js:168:1)
    at u (loader.js:262:1)
    at requireModule (loader.js:24:1)
    at plugin-connectors.js:57:1
    at plugin-connectors.js:45:1
    at Array.forEach (<anonymous>)
    at b (plugin-connectors.js:40:1)
    at plugin-connectors.js:56:1
    at plugin-connectors.js:153:1
    at plugin-connectors.js:45:1
    at Array.forEach (<anonymous>)
    at b (plugin-connectors.js:40:1)
    at S (plugin-connectors.js:150:1)
    at j (plugin-connectors.js:159:1)
    at e.renderedConnectorsFor (plugin-connectors.js:164:1)
    at get connectors [as connectors] (plugin-outlet.js:126:1)
    at Ce (index.js:1251:1)
    at reference.js:175:1
    at reference.js:136:1
    at e.track (validator.js:668:1)
    at f (reference.js:135:1)
    at index.js:5588:1
    at reference.js:136:1
    at e.track (validator.js:668:1)
    at f (reference.js:135:1)
    at index.js:5588:1
    at reference.js:136:1
    at e.track (validator.js:668:1)
    at f (reference.js:135:1)
    at reference.js:312:1
    at reference.js:136:1
    at e.track (validator.js:668:1)
    at f (reference.js:135:1)
    at Object.evaluate (runtime.js:3440:1)
    at Object.evaluate (runtime.js:1052:1)
    at It.evaluateSyscall (runtime.js:4263:1)
    at It.evaluateInner (runtime.js:4234:1)
    at It.evaluateOuter (runtime.js:4227:1)
    at Wt.next (runtime.js:5058:1)
    at Wt._execute (runtime.js:5045:1)
    at Wt.execute (runtime.js:5038:1)
    at Qt.sync (runtime.js:5105:1)
    at wr.render (index.js:6749:1)
    at index.js:7013:1
    at Mt (runtime.js:4139:1)
    at Tr._renderRoots (index.js:6996:1)
    at Tr._renderRootsTransaction (index.js:7039:1)
    at Tr._renderRoot (index.js:6985:1)
    at Tr._appendDefinition (index.js:6911:1)
    at Tr.appendOutletView (index.js:6899:1)
    at p.invoke (queue.ts:203:14)
    at p.flush (queue.ts:98:13)
    at h.flush (deferred-action-queues.ts:75:19)
    at $._end (index.ts:616:32)
    at _boundAutorunEnd (index.ts:257:12)

Hello and welcome @viswanatha :slight_smile:

As this seems connected to the topic-trade-buttons plugin I’ve slipped your post over to the relevant topic to get the right eyes on it. :+1:

@viswanatha Did you re-build your project after adding this plugin?

Hi @Janno_Liivak,

I have rebuilt my project, but still facing the same issue.

The following options are also missing.

Enable the topic trading buttons

Category setting


1 Like

@Janno_Liivak You might need Pinning plugin and theme versions for older Discourse installs (.discourse-compatibility), since the last PR introduced a discourse-i18n import, which was added relatively recently in core (on October 12, I believe).

From what I see, this change happened after 3.2.0.beta2-dev (on September 12).

So I think it would make sense to add an entry in .discourse-compatibility to say that users with a Discourse version older than 3.2.0-beta2-dev are locked to the latest commit before my PR (which is the one on Feb 22):

```
< 3.2.0.beta2-dev: 88db827dcecf5faf4e009e38422ede6847488535
```
3 Likes
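How the entry proposed above would select a commit for a given Discourse version, as an added example that is not code from the plugin or from Discourse. It assumes a simplified model of the file: one `bound: ref` pair per line, a `<` or `<=` operator (a bare version is treated as `<=`), the lowest matching bound winning, and versions ordered by Ruby's `Gem::Version`; `parse_compat` and `pinned_ref` are hypothetical names.

```ruby
require "rubygems" # Gem::Version

# Constructed file content; the single entry is the one proposed in the post.
COMPAT_FILE = <<~YAML
  < 3.2.0.beta2-dev: 88db827dcecf5faf4e009e38422ede6847488535
YAML

Entry = Struct.new(:op, :bound, :ref)

# Turn each non-empty, non-comment line into an Entry; fail on anything else
# so a malformed pin is noticed instead of silently ignored.
def parse_compat(text)
  text.each_line.filter_map do |line|
    next if line.strip.empty? || line.strip.start_with?("#")
    m = line.match(/\A\s*(<=|<)?\s*([^:\s]+)\s*:\s*(\S+)\s*\z/)
    raise ArgumentError, "unparseable line: #{line.inspect}" unless m
    Entry.new(m[1] || "<=", Gem::Version.new(m[2]), m[3])
  end
end

# Returns the pinned git ref for the running version, or nil when no entry
# applies (meaning: use the plugin's latest commit).
def pinned_ref(text, discourse_version)
  running = Gem::Version.new(discourse_version)
  matches = parse_compat(text).select do |e|
    e.op == "<" ? running < e.bound : running <= e.bound
  end
  matches.min_by(&:bound)&.ref
end

puts pinned_ref(COMPAT_FILE, "3.1.3").inspect        # the version reported earlier in the thread
puts pinned_ref(COMPAT_FILE, "3.2.0.beta3").inspect  # newer than the bound
```
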

:warning: security vulnerability :warning:

TL;DR installing this plugin will - even when disabled - leak all topic custom fields that are present to anyone who can access the topic, including anonymous users. Depending on other plugins you have installed, topic custom fields can contain sensitive data.

When vetting this plugin for a client we discovered a number of security issues. We have fixed these issues in our fork (GitHub - communiteq/discourse-topic-trade-buttons) and made a pull request. However, the topic author has not responded to our pull request or our PM so we are now disclosing these issues.

Security fix: information leakage

All custom fields (including those from other plugins!) are being serialized, including to anonymous users. Custom fields can contain sensitive data and should never be serialized like that.

Since the `sold_at` etc. values are being set server side anyway and the buttons are “computed” on `topic.archived`, the custom field logic can be removed from the frontend user-facing code and the custom fields only need to be serialized for the admin interface to work - hence the serialization can be limited to admin users. We do suspect that this is not even necessary either.

Initialization fixes

- The `if SiteSetting.topic_trade_buttons_enabled` check that is fencing the serialization logic makes it necessary to restart Discourse after enabling or disabling the plugin. This check is unnecessary since Discourse already takes care of that.
- Using `respect_plugin_enabled: false` is unnecessary and aggravates the security issue described above.

4 Likes
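The leak and the fix described in the post above, modelled in plain Ruby as an added example; it is not the plugin's code, the fork's code or the Discourse serializer API. `User`, `Topic`, the serializer functions and the `other_plugin_private_note` field are hypothetical, and restricting the admin payload to the plugin's own keys is an extra assumption beyond the admin-only change the post describes.

```ruby
# Plain-Ruby model, not Discourse code. Names other than sold_at are hypothetical.
User  = Struct.new(:admin)
Topic = Struct.new(:archived, :custom_fields)

TRADE_FIELDS = %w[sold_at].freeze # the plugin's own field named in the post

# Constructed sample: one trade field plus a field owned by another plugin.
SAMPLE_TOPIC = Topic.new(
  true,
  { "sold_at" => "2023-11-01", "other_plugin_private_note" => "constructed value" }
)

# Before: every custom field goes to every viewer, whether or not the
# plugin is enabled (the effect attributed to respect_plugin_enabled: false).
def serialize_before(topic, _viewer, plugin_enabled:)
  { archived: topic.archived, custom_fields: topic.custom_fields }
end

# After: buttons are derived from `archived`; custom fields are emitted only
# for admins, only while the plugin is enabled, and only the plugin's own keys.
def serialize_after(topic, viewer, plugin_enabled:)
  payload = { archived: topic.archived }
  if plugin_enabled && viewer&.admin
    payload[:custom_fields] = topic.custom_fields.slice(*TRADE_FIELDS)
  end
  payload
end

# Keys from other plugins that a given serializer hands to a given viewer.
def foreign_keys_exposed(serializer, viewer, plugin_enabled:)
  payload = method(serializer).call(SAMPLE_TOPIC, viewer, plugin_enabled: plugin_enabled)
  payload.fetch(:custom_fields, {}).keys - TRADE_FIELDS
end

ANONYMOUS = nil # an anonymous viewer has no user object in this model
puts foreign_keys_exposed(:serialize_before, ANONYMOUS, plugin_enabled: false).inspect
puts foreign_keys_exposed(:serialize_after, User.new(true), plugin_enabled: true).inspect
```

Running the same `foreign_keys_exposed` check against a real serializer's JSON for an anonymous request is a quick way to confirm that no field from another plugin appears in the topic payload.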

Pull request merged now

3 Likes

me too, can’t set up