Trading Buttons

This plugin was a bit outdated and only got upgraded today (with the help of @Arkshine, I must add :slight_smile: ). Update the plugin, and I believe you must rebuild the app if it’s production, or restart the application. Here are some instructions from the Discourse team: Install Plugins in Discourse

5 likes

Thanks for the update. I can confirm that everything is working.

5 likes

Hi Everyone

Can anyone help me to fix this issue?

On the desktop, I am getting a black screen

Discourse - V3.1.3

Uncaught (in promise) Error: Could not find module `discourse-i18n` imported from `discourse/plugins/discourse-topic-trade-buttons/discourse/connectors/topic-above-post-stream/trade-buttons`
    at loader.js:247:1
    at u (loader.js:258:1)
    at a.findDeps (loader.js:168:1)
    at u (loader.js:262:1)
    at requireModule (loader.js:24:1)
    at plugin-connectors.js:57:1
    at plugin-connectors.js:45:1
    at Array.forEach (<anonymous>)
    at b (plugin-connectors.js:40:1)
    at plugin-connectors.js:56:1
    at plugin-connectors.js:153:1
    at plugin-connectors.js:45:1
    at Array.forEach (<anonymous>)
    at b (plugin-connectors.js:40:1)
    at S (plugin-connectors.js:150:1)
    at j (plugin-connectors.js:159:1)
    at e.renderedConnectorsFor (plugin-connectors.js:164:1)
    at get connectors [as connectors] (plugin-outlet.js:126:1)
    at Ce (index.js:1251:1)
    at reference.js:175:1
    at reference.js:136:1
    at e.track (validator.js:668:1)
    at f (reference.js:135:1)
    at index.js:5588:1
    at reference.js:136:1
    at e.track (validator.js:668:1)
    at f (reference.js:135:1)
    at index.js:5588:1
    at reference.js:136:1
    at e.track (validator.js:668:1)
    at f (reference.js:135:1)
    at reference.js:312:1
    at reference.js:136:1
    at e.track (validator.js:668:1)
    at f (reference.js:135:1)
    at Object.evaluate (runtime.js:3440:1)
    at Object.evaluate (runtime.js:1052:1)
    at It.evaluateSyscall (runtime.js:4263:1)
    at It.evaluateInner (runtime.js:4234:1)
    at It.evaluateOuter (runtime.js:4227:1)
    at Wt.next (runtime.js:5058:1)
    at Wt._execute (runtime.js:5045:1)
    at Wt.execute (runtime.js:5038:1)
    at Qt.sync (runtime.js:5105:1)
    at wr.render (index.js:6749:1)
    at index.js:7013:1
    at Mt (runtime.js:4139:1)
    at Tr._renderRoots (index.js:6996:1)
    at Tr._renderRootsTransaction (index.js:7039:1)
    at Tr._renderRoot (index.js:6985:1)
    at Tr._appendDefinition (index.js:6911:1)
    at Tr.appendOutletView (index.js:6899:1)
    at p.invoke (queue.ts:203:14)
    at p.flush (queue.ts:98:13)
    at h.flush (deferred-action-queues.ts:75:19)
    at $._end (index.ts:616:32)
    at _boundAutorunEnd (index.ts:257:12)

Hello and welcome @viswanatha :slight_smile:

As this seems connected to the topic-trade-buttons plugin I’ve slipped your post over to the relevant topic to get the right eyes on it. :+1:

@viswanatha Did you re-build your project after adding this plugin?

Hi @Janno_Liivak,

I have rebuilt my project, but still facing the same issue.

The following options are also missing.

Enable the topic trading buttons

Category setting

1 like

@Janno_Liivak You might need Pinning plugin and theme versions for older Discourse installs (.discourse-compatibility), since the last PR introduced a discourse-i18n import that was added relatively recently in core (on October 12, I believe).

From what I see, this change happened after 3.2.0.beta2-dev (on September 12).

So I think it would make sense to add an entry in .discourse-compatibility to say that users with an older Discourse version than 3.2.0-beta2-dev are locked to the latest commit before my PR (which is the one on Feb 22)

< 3.2.0.beta2-dev 88db827dcecf5faf4e009e38422ede6847488535

4 likes

:warning: security vulnerability :warning:

TL;DR installing this plugin will - even when disabled - leak all topic custom fields that are present to anyone who can access the topic, including anonymous users. Depending on other plugins you have installed, topic custom fields can contain sensitive data.

When vetting this plugin for a client we discovered a number of security issues. We have fixed these issues in our fork (GitHub - communiteq/discourse-topic-trade-buttons) and made a pull request. However, the topic author has not responded to our pull request or our PM so we are now disclosing these issues.

Security fix: information leakage

All custom fields (including those from other plugins!) are being serialized, including to anonymous users. Custom fields can contain sensitive data and should never be serialized like that.

Since the sold_at etc. values are being set server side anyway and the buttons are “computed” on topic.archived, the custom field logic can be removed from the frontend user-facing code, and the custom fields only need to be serialized for the admin interface to work; hence the serialization can be limited to admin users. We suspect that even this is not necessary.

Initialization fixes

The if SiteSetting.topic_trade_buttons_enabled check that is fencing the serialization logic makes it necessary to restart Discourse after enabling or disabling the plugin. This check is unnecessary since Discourse already takes care of that.
Using respect_plugin_enabled: false is unnecessary and aggravates the security issue described above.

6 likes
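To make the leak concrete, here is an added example (not the plugin's or Discourse's code): a small stand-in for the add_to_serializer registration pattern, with Topic, Guardian and TopicSerializerModel as simplified models, showing how `respect_plugin_enabled: false` plus an unconditional block exposes every custom field even while the plugin is disabled, and how the admin-only, plugin-aware registration described above closes it.

```ruby
Topic = Struct.new(:id, :archived, :custom_fields)
Guardian = Struct.new(:user) do
  def admin?
    !user.nil? && user[:admin] == true
  end
end

class TopicSerializerModel
  # Mirrors Discourse naming: object is the topic, scope is the guardian.
  attr_reader :object, :scope
  def initialize(topic, guardian, plugin_enabled:)
    @object, @scope, @plugin_enabled = topic, guardian, plugin_enabled
    @fields = []
  end

  # Simplified stand-in for add_to_serializer's options (not the real API).
  def add_field(name, respect_plugin_enabled: true, include_condition: nil, &block)
    @fields << [name, respect_plugin_enabled, include_condition, block]
    self
  end

  def to_h
    out = { 'id' => object.id, 'archived' => object.archived }
    @fields.each do |name, respect, cond, block|
      next if respect && !@plugin_enabled        # skipped while the plugin is disabled
      next if cond && !instance_exec(&cond)      # viewer-specific gate
      out[name] = instance_exec(&block)
    end
    out
  end
end

# Constructed topic: the trade fields plus a field written by some other plugin.
SAMPLE_TOPIC = Topic.new(42, true,
  { 'sold_at' => '2024-02-22T10:00:00Z', 'other_plugin_secret' => 'internal-note' })

# Vulnerable registration as the report describes: ignores plugin state, no condition.
def leaky_payload(guardian, plugin_enabled:)
  TopicSerializerModel.new(SAMPLE_TOPIC, guardian, plugin_enabled: plugin_enabled)
    .add_field('custom_fields', respect_plugin_enabled: false) { object.custom_fields }
    .to_h
end

# Hardened registration: buttons derive from topic.archived; custom fields only for admins, only while enabled.
def hardened_payload(guardian, plugin_enabled:)
  TopicSerializerModel.new(SAMPLE_TOPIC, guardian, plugin_enabled: plugin_enabled)
    .add_field('show_trade_buttons') { !object.archived }
    .add_field('custom_fields', include_condition: -> { scope.admin? }) { object.custom_fields }
    .to_h
end
```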

Pull request merged now

3 likes

Me too, can’t set up.

I just found a deprecation notice in the developer console of my browser:

deprecation-identify-source.js:15 DEPRECATION: [PLUGIN discourse-topic-trade-buttons] The model property path was used in the discourse/plugins/discourse-topic-trade-buttons/discourse/templates/connectors/topic-above-post-stream/trade-buttons.hbs template without using this. This fallback behavior has been deprecated, all properties must be looked up on this when used in the template: {{this.model}} [deprecation id: ember-this-fallback.this-property-fallback] This will be removed in ember-this-fallback n/a. See Resolving the `this-property-fallback` deprecation for more details.

Just wanted to bring this to attention - although I cannot fix it myself. :see_no_evil_monkey:

3 likes

Let me translate to Portuguese-BR for you! I’m from Brazil.

2 likes

Hi @Anderson_Cardoso_Silva ! Are you able to make a pull request with translations?

I fixed some of the issues I saw in browser logs (including what @Roi mentioned) and some English texts which were weird. Tested everything in local dev environment but if somebody else could test it on their Discourse, I would be thankful.

2 likes

@Arkshine , added this line to .discourse-compatibility. Thanks!

1 like

:warning: security vulnerability :warning:

Hi @Janno_Liivak,

Thanks for this useful plugin! I found some critical security vulnerabilities that need attention:

Issues

  1. No authorization check - Any user can mark any topic as sold/purchased/exchanged
  2. Missing backend validation - Controllers don’t verify:
    • Plugin enabled (topic_trade_buttons_enabled)
    • Category buttons enabled (enable_*_button)
    • Only frontend checks these settings (unsafe)
  3. No input validation - topic_id parameter not validated
  4. No action post created - Operations not logged, no record of who performed actions

Impact

  • Unauthorized topic manipulation
  • Bypass of plugin/category settings via direct API calls
  • No audit trail of who performed trade actions

3 likes
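The following is an added example, not the plugin's code: a self-contained Ruby model of the server-side checks the report above lists as missing, so each one can be seen rejecting a direct API call. Category, Topic, Guardian, TradeService and the settings hash are simplified stand-ins for Discourse's classes, and the rule that only the topic author or staff may mark a topic is an assumption made for this example.

```ruby
require 'time'

class TradeError < StandardError; end

Category = Struct.new(:id, :settings)   # settings e.g. { 'enable_sold_button' => true }
Topic = Struct.new(:id, :user_id, :category, :custom_fields)
Guardian = Struct.new(:user_id, :staff) do
  # Assumed rule for this example: only the topic author or staff may mark a topic.
  def can_mark_topic?(topic)
    !user_id.nil? && (staff || topic.user_id == user_id)
  end
end

ACTIONS = %w[sold purchased exchanged].freeze

class TradeService
  attr_reader :audit_log
  def initialize(site_settings, topics, clock: -> { Time.now.utc })
    @site_settings, @topics, @clock, @audit_log = site_settings, topics, clock, []
  end

  # Repeats every check the frontend makes, because the endpoint can be called directly.
  def mark(action, raw_topic_id, guardian)
    raise TradeError, 'plugin disabled' unless @site_settings['topic_trade_buttons_enabled']
    raise TradeError, 'unknown action' unless ACTIONS.include?(action)
    raise TradeError, 'invalid topic_id' unless raw_topic_id.to_s.match?(/\A\d+\z/)
    topic = @topics[raw_topic_id.to_i]
    raise TradeError, 'no such topic' unless topic
    raise TradeError, 'button disabled for category' unless topic.category.settings["enable_#{action}_button"]
    raise TradeError, 'not allowed' unless guardian.can_mark_topic?(topic)
    stamp = @clock.call.iso8601
    topic.custom_fields["#{action}_at"] = stamp
    # Audit record standing in for the action post the report asks for.
    @audit_log << { topic_id: topic.id, action: action, by: guardian.user_id, at: stamp }
    topic
  end
end

# Constructed sample data: one category with only the sold button enabled, one topic by user 100.
def build_service(enabled: true)
  market = Category.new(1, { 'enable_sold_button' => true, 'enable_purchased_button' => false })
  topics = { 7 => Topic.new(7, 100, market, {}) }
  TradeService.new({ 'topic_trade_buttons_enabled' => enabled }, topics,
                   clock: -> { Time.utc(2024, 2, 22, 10, 0, 0) })
end

# Returns :ok or the rejection reason, so each check can be seen firing.
def attempt(svc, action, topic_id, guardian)
  svc.mark(action, topic_id, guardian)
  :ok
rescue TradeError => e
  e.message
end
```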

Hi @Janno_Liivak,

The “[Purchased]” and “[Sold]” labels are suddenly showing up in Simplified Chinese on our site. Discourse 3.6.0.beta2. No changes were made on our site other than updates.

Any ideas on how to get the labels to match the language and character set of the topic/site?

Also, were those security vulnerability issues @lava mentioned ever addressed?

Thanks!
Gunnar

Hi @Gunnar! What language (and language code) is your site using?

Those security issues have not been addressed yet. I have been quite busy lately and as I don’t use Discourse myself anymore, just plain simply forgot about them :see_no_evil_monkey:

But I will create a task for myself now and try to find time soon to fix everything. If somebody can help out, I would be happy to review the pull request.

1 like

English (US). Here’s a screenshot of all “language” settings for our site: