Council
35c10a7f66
council(security): SecurityEngineer - add missing VenueList methods + security audit
Security findings:
- SQL injection: LOW (query builder + parameter binding)
- XSS: LOW (ThinkPHP auto-escape, no |raw detected)
- Path traversal: LOW (all view paths hardcoded)
- CSRF: MEDIUM (ShopXO framework-level gap, out of scope for plugin)
Critical fix: admin/Admin.php was missing VenueList(), VenueSave(),
VenueDelete() — sidebar URL "/plugins/vr_ticket/admin/venueList" would
return 500 error. Added all three methods with v3.0 seat_map support.
P1 garbled name: documented DB fix SQL for shx_plugins + vrt_power tables.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-04-16 08:53:41 +08:00
Council
5b80e775bb
council(review): BackendArchitect - Review FrontendDev P1 submit() refactor
[PASS] Interface contract: specBaseIdMap['A_1'] = int ✓
[PASS] goods_params: stock=1, seat-level spec_base_id ✓
[PASS] Fallback strategy for Plan B transition ✓
[PASS] Seat label format matches backend regex ✓
[PASS] Price sources align between frontend and backend ✓
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-04-15 20:12:12 +08:00
Council
3b3dde5b32
chore: remove redundant duplicates (old plugin dir, shopxo-modifications, view/, reviews/, plan.md)
All vr_ticket code now lives in shopxo/app/plugins/vr_ticket/
Goods.php modification lives in shopxo/app/index/controller/Goods.php
ARCHITECTURE.md is the single source of truth
2026-04-15 13:43:13 +08:00
Council
ad2eb780e4
council(finalize): FrontendDev - resolve plan.md conflict, Finalize phase complete
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-04-15 09:30:52 +08:00
Council
90602c11bc
council(finalize): FrontendDev - merge the three-party review plans, resolve plan.md conflict
Merge the three-party review results from SecurityEngineer + BackendArchitect + FrontendDev
Generate the complete issue summary table (13 issues + 8 suggestions + P0-P2 fix priorities)
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-04-15 09:25:54 +08:00
Council
12e028eb8c
council(finalize): BackendArchitect - Round 2 in-depth review report, final version
New findings:
- Admin API authorization completely missing (verifier_id is client-controllable)
- ALTER TABLE condition logic error (empty($cols) is never true)
- seatInfo.classes HTML attribute injection risk
- renderSessions() spec_base_id assignment bug
- Cross-review conclusions against the SecurityEngineer report
- Findings summary table: 5 critical + 7 medium + 4 minor + 5 suggestions
- Overall score: 4.5/10 (4 P0 fix items, 5 P1 fix items)
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-04-15 09:25:39 +08:00
Council
c9b1066d98
council(finalize): BackendArchitect - Round 2 in-depth review report, final version
New findings:
- Admin API authorization completely missing (verifier_id is client-controllable)
- ALTER TABLE condition logic error (empty($cols) is never true)
- seatInfo.classes HTML attribute injection risk
- renderSessions() spec_base_id assignment bug
- Cross-review conclusions against the SecurityEngineer report
Overall score: 4.5/10 (4 P0 fix items, 5 P1 fix items)
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-04-15 09:24:53 +08:00
Council
826a39f610
council(review): FrontendDev - complete the vr-shopxo-plugin frontend code review report
Review findings: 2 critical (S-01 price tampering / S-02 XSS), 4 medium, 3 minor, 4 suggestions
Cross-check: highly consistent with the SecurityEngineer / BackendArchitect reports
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-04-15 09:24:04 +08:00
Council
723bfc28f3
council(review): SecurityEngineer - cross-review BackendArchitect's code report
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-04-15 09:21:09 +08:00
Council
6f26816277
Merge branch 'council/BackendArchitect'
2026-04-15 09:18:42 +08:00
Council
11fa6ccfdb
council(draft): BackendArchitect - produce the vr-shopxo-plugin architecture review report
Critical issues found:
- onOrderPaid() is not idempotent (duplicate ticket issuance under concurrency)
- verifyTicket() TOCTOU race condition
- QR Secret default key is hardcoded
- |raw XSS vulnerability (goods.simple_desc)
- No server-side validation of ticket purchase parameters
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-04-15 09:18:34 +08:00
Council
6664be6cc8
council(draft): SecurityEngineer - complete security review for vr-shopxo-plugin
Findings: 1 critical (onOrderPaid race condition), 5 medium, 3 low, 4 suggestions
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-04-15 09:17:08 +08:00
Council
852623fc9f
docs: complete development log DEVELOPMENT_LOG.md
- Covers the full record from 2026-04-13 research → 2026-04-15 Phase 0/1 completion
- Requirements background + tech stack decisions
- ShopXO plugin mechanism research conclusions
- Phase 0 plugin skeleton (14 files + 4 tables + test data)
- Phase 1 Goods.php modification approach + browser verification screenshots
- Council deliberation records
- Key decisions table (finalized)
- Next-step plans for Phase 2/3/4
- Clean up obsolete review files
2026-04-15 09:12:32 +08:00
Council
a052d812ad
council(draft): PM - PM Q1-Q4 review output
2026-04-14 18:21:32 +08:00
Council
dd538ba08e
fix: explicitly allow minimal-scope modification of ShopXO source code (MIT license), prioritizing progress
2026-04-14 14:10:59 +08:00
Council
b713cd73c3
council(finalize): backend-reviewer - execute T6/T8/T9, vote YES
- T6: Confirm payment callback hook plugins_service_buy_order_insert_success
- T8: Supplement verifier permission validation (vr_verifiers whitelist)
- T9: Supplement vr_events/vr_sessions DDL (complete, indexed)
- Review pm-reviewer output: concurrent control already covered in 03 §9
- Vote: [CONSENSUS: YES] - docs ready for coding
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-04-14 14:09:56 +08:00