
A perfect example of Flarum's customizability. This highly customised Dutch developer community has a unique layout, with beautiful elements like a custom loader. Created by the author of the popular SEO and Support Platform extensions.
As a leading British telephone network, giffgaff serves millions of customers. Through innovative use of Flarum, they've built up a passionate peer support community, improving support and engaging customers.
Leading provider of communication and entertainment in Switzerland. Their Flarum community creates a framework for healthy togetherness while supporting their customers with an appealing, user-friendly community experience.
FoF Ban IPs - Ban IP addresses from your forum.
In our fight to prevent the spread of spam and to keep bogus users from joining the forum, we use this nifty extension to ban entire IP addresses from registering on Discuss should the need arise.
FoF Byōbu - Well integrated, advanced private discussions.
Not all forums can function without a private messaging system. The staff use this regularly to not only correspond between each other, but also to other members of the community.
FoF Disposable Emails - Prevent users from signing up with disposable emails.
Basically a preventative measure to stop users from registering on Discuss with disposable email addresses.
FoF Follow Tags - Follow tags and be notified of new discussions and replies.
Fairly self-explanatory. The prime reason we use this extension is to provide the ability to follow specific tags, for example the blog tag. This replaces the need for newsletters or other subscription-based services.
FoF Formatting - Customise TextFormatter with plugins through the admin interface.
What's a forum without pictures and links? This extension is used to allow you to correctly customise your posts with content and media.
FoF GeoIP - Geolocation for your Flarum forum.
Using your IP, this extension grants the ability to identify your geographical location. We use GeoIP to avoid banning IPs that belong to Cloudflare or other shared services, where a ban would affect more than just the spammer.
FoF Links - Manage Flarum's primary navbar menu links.
An extension used to customise navigation bar/menu links.
FoF Merge Discussions - Merge two or more discussions into one.
Definitely a useful tool especially for the moderators taking care of Discuss. This extension is used to merge discussions not only to keep things relevant, but to allow better organisation. No one likes seeing numerous discussions on the same subject now, do they?
FoF Open Collective - Open Collective integration for your Flarum forum.
We are a team consisting entirely of volunteers; no one gets paid for their efforts working here at Flarum. Open Collective is a way you can support Flarum and its development. By contributing, you're helping us pay for our hosting and server infrastructure costs, as well as dedicated development time so we can keep making Flarum better. This extension automatically grants the Backer role to anyone backing us on Open Collective and known to us with the same email address.
FoF Sentry - Flarum integration for Sentry.
Our nifty error-reporting tool, with thanks to Sentry. With the Sentry extension we are made aware of errors on both our backend and frontend whenever they happen, with immediate reporting. We set Sentry up to report to Discord using webhook functionality, so we can act on issues on the spot. Sentry has also been kind enough to sponsor our plan!
FoF Spamblock - Mark user as spammer, suspending them and hiding their posts and discussions.
Another one to take care of those nasty individuals that just want to spoil Discuss. We use this extension to mark a user as a spammer, which in turn automatically suspends them and hides their posts and discussions from view. Especially useful for spambots and advertisers.
FoF Split - Separate posts from one discussion into its own, splits discussions.
Not only can we merge a discussion or post, but so too can we split them! You are likely to see this extension in action when a discussion goes way off topic or a staff member deems it necessary to create a completely new discussion.
FoF Stop Forum Spam - Stop forum spam.
Unfortunately spam is inevitable on any forum, but using this extension we are able to mitigate as much of it as possible using Stop Forum Spam's free database.
FoF User Bio - Add the user bio back into Flarum.
beta.8 saw the removal of the user bio from Flarum core, and in turn, this extension was released to bring it back.
FoF Username Request - Allow users to request new usernames.
Have you ever grown out of your username? Maybe you spelled it incorrectly? This extension gives us the ability to process any requested username changes. Please ensure you follow our Guidelines and use your common sense before submitting a request.
GitHub Autolink - Autolink GitHub issues and commits.
Definitely an important extension for our staff team as this allows for automated linking of GitHub issues and commits in posts.
Bokt Redis - Adds Redis cache and queue to Flarum.
An advanced extension we use for caching and queueing. We actually use Bokt Redis for queues only at this point. Using the Redis queue, we can move long-running processes (like sending emails to subscribed users) outside of the user interaction of Discuss.
Askvortsov Discussion Templates - Create per-tag templates for new discussions.
Provides a consistent template for starting new discussions, like in our Support tag. This helps cut down on the amount of back-and-forth needed for information before diagnosing a support issue can begin.
Askvortsov Moderator Warnings - This allows moderators to warn users.
Moderators have often had to warn users by a public post or private discussion (see: FOF Byobu) in the past. This allows for a warning to occur seamlessly on the post itself, to help keep disciplinary messaging from spilling into public discussions.
FOF Best Answer - Mark a post as the best answer in a discussion.
This allows the authors of discussions (in our Support and Dev tags right now) to select the post that has provided the best answer to their question or problem, to make it clear for anyone reading it later.
FOF Prevent Necrobumping - Warn before necrobumping old discussions.
On very old discussions that might not be current anymore, we can display a warning to anyone coming later to respond to it and make sure they understand what the proper convention is. We don't always read the dates when finding a discussion of a problem we have, and that's forgivable. This extension simply serves as a helpful reminder.
⚠️ Affected versions:
Two of the vulnerabilities affect all versions below v1.6.3.
One affects all versions between v1.3.0 and v1.6.2.
# Update to latest version
composer update --prefer-dist --no-dev -a -W
# Verify that you're on v1.6.3
composer show flarum/core
# Clear cache
php flarum cache:clear
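As an added check to go with the upgrade steps above (this is not Flarum's own code): the script parses the output of composer show flarum/core and reports which of the three issues fixed in v1.6.3 still apply to the installed version, using the affected ranges stated in this announcement. The composer output embedded in it is a constructed sample.

```python
"""Check an installed flarum/core version against the v1.6.3 advisory ranges.

Added example, not Flarum project code. Affected ranges are taken from the
release notes: two issues affect every version below v1.6.3, one affects
v1.3.0 through v1.6.2 (i.e. below v1.6.3). Ranges are [low, high).
"""
import re

ADVISORIES = [
    ("mentionsPosts relationship leaks mentioned posts", (0, 0, 0), (1, 6, 3)),
    ("notifications sent without subject access check", (0, 0, 0), (1, 6, 3)),
    ("reply allowed after first post permanently deleted", (1, 3, 0), (1, 6, 3)),
]

# Constructed sample of `composer show flarum/core` output (not captured from
# a real install); only the "versions" line is needed.
SAMPLE_COMPOSER_SHOW = """\
name     : flarum/core
descrip. : Delightfully simple forum software.
versions : * v1.6.2
type     : library
"""


def parse_version(text):
    """Return (major, minor, patch) from a 'v1.6.2' style string, or None."""
    m = re.search(r"v?(\d+)\.(\d+)\.(\d+)", text)
    return tuple(int(x) for x in m.groups()) if m else None


def installed_version(composer_show_output):
    """Extract the installed version from `composer show flarum/core` output."""
    for line in composer_show_output.splitlines():
        if line.startswith("versions"):
            return parse_version(line)
    return None


def applicable_advisories(version):
    """Names of the advisories whose [low, high) range contains `version`."""
    return [name for name, low, high in ADVISORIES if low <= version < high]


def check(composer_show_output):
    """Return (version tuple, list of advisory names that still apply)."""
    version = installed_version(composer_show_output)
    if version is None:
        raise ValueError("could not find flarum/core version in composer output")
    return version, applicable_advisories(version)


if __name__ == "__main__":
    v, hits = check(SAMPLE_COMPOSER_SHOW)
    print("flarum/core v%d.%d.%d" % v, "->", hits or "not affected")
```

Run it against the real output of composer show flarum/core on your install; an empty list means you are on v1.6.3 or later.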
Affects all versions below v1.6.3.
Impact
The mentionsPosts relationship included in the POST /api/posts and PATCH /api/posts/<id> JSON responses leaks the full JSON:API payload of all mentioned posts without any access control. This includes the content, date, number and attributes added by other extensions.
All versions below v1.6.3 are affected.
CVSS
The estimated CVSS vector for this vulnerability is CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N, resulting in a CVSS score of 7.7. See the CVSS score breakdown.
Workarounds
Disable the mentions extension.
Affects all versions below v1.6.3.
Impact
The notification-sending component does not check that the subject of the notification can be accessed by the receiver, and proceeds to send notifications through their different channels. The alerts do not leak data despite this, as they are listed based on a visibility check; however, emails are still sent out.
All versions below v1.6.3 are affected.
CVSS
The estimated CVSS vector for this vulnerability is CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:N/A:N, resulting in a CVSS score of 6.8. See the CVSS score breakdown.
Workarounds
Disable the Flarum Subscriptions extension or disable email notifications altogether.
Affects versions between v1.3.0 and v1.6.3.
Impact
If the first post of a discussion is permanently deleted but the discussion stays visible, any actor who can view the discussion is able to create a new reply via the REST API, no matter the reply permission or lock status. This includes users that don't have a validated email.
This is because discussions.comment_count is still above zero after the post deletion. Versions between v1.3.0 and v1.6.3 are impacted.
CVSS
The estimated CVSS vector for this vulnerability is CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N, resulting in a CVSS score of 3.5. See the CVSS score breakdown.
Workarounds
If you don't delete first posts you are not affected. A workaround can be to delete the discussion itself, or to amend the database to manually set a first_post_id.
The patch was pushed to the release/v1.6.3 branch on the 10th of January 2023 around 12:00 UST. After verifying that the patch worked as expected and didn't have noticeable effects on other areas of core and bundled extensions, it was released as v1.6.3 on the same day, an hour later.
Before you upgrade, make sure to create a backup of your public/assets directory, your composer.json and your database!
Before starting the upgrade process, ensure you are on Flarum 1.0.0 or above, either in your Admin Dashboard or by typing php flarum info. If you're not, use the previous release announcement for upgrading from an earlier version.
If you run into any issues, please open a new discussion under the Support tag. Ignore similar discussions and open a new one anyhow. Make sure to mention the output of php flarum info, the output of composer why-not flarum/core v1.6.0, and any errors in full.
Thank you to all the Supporters, backing us through Discuss:
@v17development and @waca!
Special thanks for all the Devotees (people pledging to our bounties in the Proposals tag), you are driving a lot of new features! These people have helped ship a new feature in this release with their pledge:
@datlechin @Darkle @SKevo @GreXXL @pkernstock @Lurker @CyberGene @meihuak.