Botões de Trading

lava · Agosto 21, 2025, 11:24am

Thanks for this useful plugin! I found some critical security vulnerabilities that need attention:

Issues

No authorization check - Any user can mark any topic as sold/purchased/exchanged
Missing backend validation - Controllers don’t verify:
- Plugin enabled (topic_trade_buttons_enabled)
- Category buttons enabled (enable_*_button)
- Only frontend checks these settings (unsafe)
No input validation - topic_id parameter not validated
No action post created - Operations not logged, no record of who performed actions

Tópico		Respostas	Visualizações
Discourse Category Lockdown Plugin pavilion	111	12723	15 de Outubro de 2025
Private Topics Plugin Plugin	92	4863	7 de Setembro de 2025
Solved Button Plugin Feature rfc , spec	65	21223	18 de Junho de 2015
Customize new topic button text Theme component official , topic-button-text	25	3375	25 de Fevereiro de 2025
Discourse Doc Categories Plugin official , doc-categories	107	5834	2 de Outubro de 2025