LeoTR
Active member
- Affected version
- 2.3.7.
I'm reporting a critical architectural gap in the Webhook system (specifically post.update / thread.update). The current implementation lacks "origin-awareness," meaning it treats API-based updates exactly the same as human interactions.
This creates a dangerous "infinite recursion loop" for anyone using two-way automation.
The Loop Scenario (How it happens):
Proposed Solutions:
1. The Primary Fix (Admin Panel):Please add a "User Criteria" or "Exclude User Groups" tab to the Webhook definition page.
This is a necessary safeguard for any modern event-driven integration. Thanks for looking into this.
This creates a dangerous "infinite recursion loop" for anyone using two-way automation.
The Loop Scenario (How it happens):
- A user posts a thread -> Webhook fires.
- An external automation tool (middleware) receives the data, processes it (e.g., via OpenAI/LLM), and writes back to the thread using the XenForo API.
- The Failure: XenForo detects this API update and fires the webhook again.
- Result: The automation runs again on its own output. This repeats indefinitely (thousands of times) until the server crashes or limits are hit.
- The "Bankruptcy" Risk: If the workflow triggers a paid service like OpenAI (GPT-4) or uses a metered automation platform (Zapier/Make), this loop can drain a credit card or monthly quota in minutes. A single thread update can unintentionally trigger 1,000+ billable executions.
- Operational Denial: It effectively DDoSes the external service and the XenForo job queue.
Proposed Solutions:
1. The Primary Fix (Admin Panel):Please add a "User Criteria" or "Exclude User Groups" tab to the Webhook definition page.
- Logic: "If the action is performed by [Bot User Group], DO NOT fire the webhook."
- This is the standard way to prevent recursion in most other platforms.
This is a necessary safeguard for any modern event-driven integration. Thanks for looking into this.