Item Shop Validation


Kyttias
01-07-2015, 04:23 PM
Items not in shop can be hacked into the shop and bought.
This probably affects at least the entire v1.3.x line if not even earlier.

By simply right-clicking and inspecting the quantity field element on the shop page, a user can change the item name field client side and buy items that don't belong to that shop - or any shop, for that matter - so long as they know its name. Therefore, validation is necessary to confirm that the item does belong in the shop.

In classes/class_itemshop.php, down in public function purchase(), you'll want to fix this.

After $mysidia = Registry::get("mysidia"); you'll want to wrap the rest of the contents in:

if ($item->shop != $this->shopname) Throw new NoPermissionException('Did you really think this item could be bought at this shop?'); else {

And close the else right before return $status;.

cailynmae
04-16-2015, 02:26 PM
I did so...and got a Parse error: syntax error, unexpected T_IF, expecting T_FUNCTION in /home2/luteus/public_html/imaginea.net/caveofcrystals/classes/class_itemshop.php on line 218, which I know has something to do with the patch, because when I remove it the message goes away. Any idea why this fix is causing this error?

Kyttias
04-20-2015, 03:28 AM
I'm having absolutely zero problems with this fix on a fresh install. Are you positive that you closed the else statement as instructed in the post? Just in case, this is exactly what your purchase function should look like:

public function purchase(Item $item){
    $mysidia = Registry::get("mysidia");
    // The item name comes from the form and can be edited client side,
    // so confirm the item is actually stocked by this shop before anything else.
    if ($item->shop != $this->shopname) Throw new NoPermissionException('Did you really think this item could be bought at this shop?');
    else {
        if($item->owner != $mysidia->user->username) Throw new NoPermissionException('Something is very very wrong, please contact an admin asap.');
        else{
            $item->quantity = $mysidia->input->post("quantity");
            $cost = $item->getcost($this->salestax, $item->quantity);
            $moneyleft = $mysidia->user->money - $cost;
            if($moneyleft >= 0 and $item->quantity > 0){
                $purchase = $item->append($item->quantity, $item->owner);
                $mysidia->db->update("users", array("money" => $moneyleft), "username = '{$item->owner}'");
                $status = TRUE;
            }
            else throw new InvalidActionException($mysidia->lang->money);
        }
    } // closes the else that was opened right after the shop check
    return $status;
}


PS: Yes, if you failed to close the else statement, then, yeah, you'd get exactly the error you described. I just tested it by only following the first step of my instructions but not the last part.
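A stand-alone sketch of the same server-side check, added here as an example and not Mysidia's own code: the catalogue array, the `validatePurchase()` function and the exception classes are constructed stand-ins for the real database and class_itemshop.php, and the quantity validation goes one step beyond the thread by requiring a positive integer rather than trusting the posted value.

```php
<?php
// Added example (not the Mysidia code base): models the purchase check from this thread.
// CATALOGUE stands in for the items table; item name => shop allowed to sell it.
declare(strict_types=1);

class NoPermissionException extends Exception {}
class InvalidActionException extends Exception {}

const CATALOGUE = [
    'Apple'     => ['shop' => 'Grocer', 'price' => 5],
    'Sword'     => ['shop' => 'Armory', 'price' => 120],
    'Admin Key' => ['shop' => null,     'price' => 0],   // constructed: sold nowhere
];

/**
 * Validate a purchase request the way the patched purchase() does: the item named
 * in the POST body must exist and belong to THIS shop. Returns the total cost on
 * success and throws otherwise. Everything is re-derived from the server-side
 * catalogue because both fields in $post can be edited in the browser.
 */
function validatePurchase(string $shopname, array $post, int $money): int
{
    $name = (string)($post['itemname'] ?? '');
    $item = CATALOGUE[$name] ?? null;
    if ($item === null || $item['shop'] !== $shopname) {
        throw new NoPermissionException("Item '{$name}' is not sold at {$shopname}");
    }
    // Quantity must be a positive integer; "-1", "abc" or "" are all rejected.
    $quantity = filter_var($post['quantity'] ?? '', FILTER_VALIDATE_INT,
                           ['options' => ['min_range' => 1]]);
    if ($quantity === false) {
        throw new InvalidActionException('Invalid quantity');
    }
    $cost = $item['price'] * $quantity;
    if ($money - $cost < 0) {
        throw new InvalidActionException('Not enough money');
    }
    return $cost;
}

// Legitimate request at the Grocer: 3 apples at 5 each.
echo validatePurchase('Grocer', ['itemname' => 'Apple', 'quantity' => '3'], 100), "\n";

// Tampered request: the form's item name was edited to an item the Grocer never listed.
try {
    validatePurchase('Grocer', ['itemname' => 'Admin Key', 'quantity' => '1'], 100);
} catch (NoPermissionException $e) {
    echo "rejected: ", $e->getMessage(), "\n";
}
```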

cailynmae
04-20-2015, 08:21 AM
Aha, it worked! I put the if/else statement in the wrong place. Thank you!

Hall of Famer
12-01-2020, 12:23 PM
The issue is fixed in the next release.