An authenticated employee with sales permission could:
- Create negative-total sales (store "pays" the customer)
- Set discounts > 100% for negative-total effect
- Bypass inventory controls with negative quantities

This fix adds validation in:
- postEditItem(): validates discount <= 100% for percentage discounts,
  discount <= item total for fixed discounts, and non-negative price/quantity/discount
- postComplete(): blocks sale completion if total is negative (exceptions for returns)

CVSS v3.1: 6.5 Medium (AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N)
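
The checks listed above, as an added Python sketch that is not the project's own code: the function names, the "percent"/"fixed" labels and the `is_return` flag are assumptions standing in for the postEditItem() and postComplete() validation.

```python
from decimal import Decimal, InvalidOperation

def _num(value):
    """Parse a request field as a finite Decimal, or None if it is not one."""
    try:
        d = Decimal(str(value))
    except InvalidOperation:
        return None
    return d if d.is_finite() else None  # rejects NaN and Infinity

def validate_item_edit(price, quantity, discount, discount_type):
    """Item-edit checks: return the reasons to reject the line (empty = accept)."""
    p, q, d = _num(price), _num(quantity), _num(discount)
    if any(v is None for v in (p, q, d)):
        return ["price, quantity and discount must be finite numbers"]
    fields = (("price", p), ("quantity", q), ("discount", d))
    errors = [f"{name} must not be negative" for name, v in fields if v < 0]
    if discount_type == "percent":
        if d > 100:
            errors.append("percentage discount must not exceed 100%")
    elif discount_type == "fixed":
        if d > p * q:  # a fixed discount may at most cancel the line
            errors.append("fixed discount must not exceed the item total")
    else:
        errors.append("unknown discount type")
    return errors

def line_total(price, quantity, discount, discount_type):
    """Line total as it would be computed if no validation were applied."""
    gross = Decimal(str(price)) * Decimal(str(quantity))
    if discount_type == "percent":
        return gross * (1 - Decimal(str(discount)) / 100)
    return gross - Decimal(str(discount))

def can_complete(total, is_return=False):
    """Completion check: a negative total is accepted only for a return."""
    return is_return or Decimal(str(total)) >= 0

if __name__ == "__main__":
    # Constructed sample input: a 150% discount on two items at 10.00 each.
    print(validate_item_edit("10.00", "2", "150", "percent"))
    print(can_complete(line_total("10.00", "2", "150", "percent")))
```

The completion check is a second layer: it rejects a negative total even if a line reached the sale without passing through the item-edit validation.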