We're happy to. If you can let us know which add-ons allow data to be manipulated without proper permission checks which may cause data loss to any of our customers via passing simple URL parameters, we'd like to know so we can remove them from the resource manager and perhaps reconsider whether the author should be releasing their products here.
The author of the addon I was referring to is informed. It is not about the wide-ranging "possibilities" as @Kirby throws this into the public eye. I don't want anyone to suffer a disadvantage.
I had already tried to solve the problem with too wide rights in this addon using PHP,
Hi, I have to adapt an addon and would like to check in the code below whether the current user, who already has the group right to change the topic title, is also the owner of the topic that he wants to work on ... If not, "Exit - Not your thread". class Thread extends XFCP_Thread {...
xenforo.com
But when it comes to "need to extend the Thread entity and implement a method with type checking", then that's above my ability because I am still too unfamiliar with the internal structure of XF.
So it was easy to restrict the rights for my users using @AndyB's template.
But I was not aware of the gap between templates and php.
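
The gap between templates and PHP that this post describes, as an added illustration that is not code from the thread, the add-on, or XenForo: a template condition only decides whether a link is shown, while the action handler runs for every request and has to repeat the check. All class, function, and route names here are hypothetical, and plain PHP 8.1 classes stand in for the real entities.

```php
<?php
// Added illustration in plain PHP 8.1+. Not XenForo code; all names are hypothetical.

final class User
{
    public function __construct(
        public readonly int $userId,
        public readonly bool $canEditThreadTitle // stands in for the group permission
    ) {}
}

final class Thread
{
    public function __construct(
        public readonly int $threadId,
        public readonly int $ownerId,
        public string $title
    ) {}

    // Single server-side rule: group permission AND ownership of the thread.
    public function canEditTitle(User $visitor, ?string &$error = null): bool
    {
        if (!$visitor->canEditThreadTitle) {
            $error = 'No permission to edit thread titles';
            return false;
        }
        if ($visitor->userId !== $this->ownerId) {
            $error = 'Exit - Not your thread';
            return false;
        }
        return true;
    }
}

// Template layer: controls only whether the edit link is rendered.
function renderEditLink(Thread $t, User $v): string
{
    return $t->canEditTitle($v) ? "<a href=\"/threads/{$t->threadId}/edit-title\">Edit</a>" : '';
}

// Action handler: reached by any request, so it must enforce the same rule itself.
function actionEditTitle(Thread $t, User $v, string $newTitle): string
{
    if (!$t->canEditTitle($v, $error)) {
        return "403: $error";
    }
    $t->title = $newTitle;
    return '200: saved';
}

$owner  = new User(1, true);
$other  = new User(2, true); // has the group right but does not own the thread
$thread = new Thread(10, 1, 'Original title');

var_dump(renderEditLink($thread, $other));            // link hidden for the non-owner
var_dump(actionEditTitle($thread, $other, 'Changed')); // handler still refuses
var_dump(actionEditTitle($thread, $owner, 'Renamed')); // owner succeeds
```

Because both layers call the same `canEditTitle()` method, the template and the handler cannot drift apart.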