72 lines
2.0 KiB
Markdown
72 lines
2.0 KiB
Markdown
# Council Plan — vr-shopxo-plugin 代码审议
|
||
|
||
> Round 1 — 2026-04-15
|
||
> Branch: council/BackendArchitect → main
|
||
> 状态:**Draft Phase,待 Review**
|
||
|
||
---
|
||
|
||
## Task Summary
|
||
|
||
对 vr-shopxo-plugin ShopXO 票务插件进行**全栈代码审议**(评论性质,不改代码,变更提交本地 worktree)。
|
||
|
||
## 审议范围
|
||
|
||
### 1. 插件架构(EventListener.php / plugin.json)
|
||
- 生命周期钩子实现是否完整
|
||
- 数据库迁移策略是否安全
|
||
- 菜单/权限注册是否正确
|
||
|
||
### 2. 票务核心(service/TicketService.php / service/BaseService.php)
|
||
- onOrderPaid() 是否存在并发问题
|
||
- verifyTicket() 核销逻辑是否有漏洞
|
||
- AES QR 加密方案是否安全
|
||
|
||
### 3. 前端票务详情页(view/goods/ticket_detail.html)
|
||
- HTML/CSS/JS 质量
|
||
- 座位图渲染逻辑
|
||
- 观演人表单安全性
|
||
|
||
### 4. 数据库 Schema(database/migrations/)
|
||
- 表结构是否规范
|
||
- 索引是否合理
|
||
- 外键关系是否正确
|
||
|
||
### 5. 安全性审计
|
||
- SQL 注入风险点
|
||
- XSS 风险点
|
||
- 支付回调 Hook 的重放攻击可能性
|
||
- QR 票防伪造强度
|
||
|
||
## Task Checklist
|
||
|
||
- [ ] A1: 读取并分析 plugin.json + EventListener.php
|
||
- [ ] A2: 读取并分析 service/TicketService.php + BaseService.php
|
||
- [ ] A3: 读取并分析 view/goods/ticket_detail.html
|
||
- [ ] A4: 读取并分析 database/migrations/ 所有文件
|
||
- [ ] B1: 安全性专项审计(SQL注入/XSS/重放/QR伪造)
|
||
- [ ] C1: 输出 reviews/code-review-BackendArchitect.md(500字+)
|
||
- [ ] D1: 合并 plan.md + review 报告到 main
|
||
|
||
---
|
||
|
||
## Phase Breakdown
|
||
|
||
| Phase | 内容 | Owner | 状态 |
|
||
|---|---|---|---|
|
||
| **Draft** | 读取代码文件,执行分类审议 | council/BackendArchitect | ⏳ Pending |
|
||
| **Review** | 输出评审报告到 reviews/ | council/BackendArchitect | ⏳ Pending |
|
||
| **Finalize** | 合并到 main,投票 | council/All | ⏳ Pending |
|
||
|
||
---
|
||
|
||
## Claim Status
|
||
|
||
| Task | Owner | Status |
|
||
|---|---|---|
|
||
| A1-D1: 所有审议任务 | council/BackendArchitect | `[Pending]` |
|
||
|
||
---
|
||
|
||
**[CONSENSUS: NO]** — Round 1 规划完成,等待执行
|