 security vulnerability
Hi @Janno_Liivak,
Thanks for this useful plugin! I found some critical security vulnerabilities that need attention:
Issues
- No authorization check - Any user can mark any topic as sold/purchased/exchanged
- Missing backend validation - Controllers don’t verify:
  - Plugin enabled (topic_trade_buttons_enabled)
  - Category buttons enabled (enable_*_button)
  - Only frontend checks these settings (unsafe)
- No input validation - topic_id parameter not validated
- No action post created - Operations not logged, no record of who performed actions
Impact
- Unauthorized topic manipulation
- Bypass of plugin/category settings via direct API calls
- No audit trail of who performed trade actions
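
The server-side checks the post lists as missing, modelled in plain Ruby as an added example (not the plugin's code and not written by the poster). Only the setting names `topic_trade_buttons_enabled` and `enable_*_button` come from the post; the `status` parameter, the owner-or-staff policy, the structs and the in-memory audit log standing in for an action post are assumptions.

```ruby
# Added example: a plain-Ruby model of the backend checks, not the plugin's code.
# Hypothetical names throughout, except the two setting names taken from the post.
ACTIONS = %w[sold purchased exchanged].freeze
User  = Struct.new(:id, :staff)
Topic = Struct.new(:id, :user_id, :category_settings)

class Denied < StandardError
  attr_reader :status
  def initialize(status, msg)
    super(msg)
    @status = status
  end
end

# Returns the audit record on success; raises Denied with an HTTP-style status otherwise.
def mark_topic(site_settings:, topics:, audit_log:, user:, params:)
  # 1. The plugin switch is enforced on the server, not only hidden in the UI.
  raise Denied.new(404, "plugin disabled") unless site_settings["topic_trade_buttons_enabled"]

  # 2. Input validation: status from an allow-list, topic_id a positive integer.
  status = params["status"].to_s
  raise Denied.new(400, "unknown status") unless ACTIONS.include?(status)
  topic_id = Integer(params["topic_id"].to_s, 10, exception: false)
  raise Denied.new(400, "invalid topic_id") if topic_id.nil? || topic_id <= 0

  topic = topics[topic_id]
  raise Denied.new(404, "topic not found") if topic.nil?

  # 3. The topic's category must have this button enabled (enable_*_button).
  unless topic.category_settings["enable_#{status}_button"]
    raise Denied.new(403, "button disabled for category")
  end

  # 4. Authorization (assumed policy): only the topic owner or staff may act.
  raise Denied.new(403, "not logged in") if user.nil?
  raise Denied.new(403, "not allowed") unless user.staff || user.id == topic.user_id

  # 5. Record who performed the action, standing in for an action post.
  record = { topic_id: topic.id, status: status, acting_user_id: user.id }
  audit_log << record
  record
end
```
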