Boutons de trading

Greffon
121

:warning: security vulnerability :warning:

Hi @Janno_Liivak,

Thanks for this useful plugin! I found some critical security vulnerabilities that need attention:

Issues

  1. No authorization check - Any user can mark any topic as sold/purchased/exchanged
  2. Missing backend validation - Controllers don’t verify:
    • Plugin enabled (topic_trade_buttons_enabled)
    • Category buttons enabled (enable_*_button)
    • Only frontend checks these settings (unsafe)
  3. No input validation - topic_id parameter not validated
  4. No action post created - Operations not logged, no record of who performed actions

Impact

  • Unauthorized topic manipulation
  • Bypass of plugin/category settings via direct API calls
  • No audit trail of who performed trade actions
3 « J'aime »