Have you ever wondered what extensions we use here on the official Flarum Community? Wanted to have your Flarum instance set up to be as close as possible to ours? Look no further!
I am posting this discussion to outline the extensions we use, why we use them and their benefits to us as staff members in providing the best community we can for all current and future Flarumites!

What extensions do we use?

• FoF Ban IPs - Ban IP addresses from your forum.
  In our fight to prevent the spread of spam and mitigate bogus users joining the forum. We use this nifty extension to ban entire IP addresses from registering to Discuss should the need arise.

• FoF Byōbu - Well integrated, advanced private discussions.
  Not all forums can function without a private messaging system. The staff use this regularly to not only correspond between each other, but also to other members of the community.

• FoF Disposable Emails - Prevent users from signing up with disposable emails.
  Basically a preventative measure to stop users registering to Discuss with disposable email addresses.

• FoF Follow Tags - Follow tags and be notified of new discussions and replies.
  Fairly self-explanatory. The prime reason we use this extension is to provide the ability to follow specific tags, for example, the blog tag. This replaces the need for newsletters or other subscription-based services.

• FoF Formatting - Customise TextFormatter with plugins through the admin interface.
  What's a forum without pictures and links? This extension is used to allow you to correctly customise your posts with content and media.

• FoF GeoIP - Geolocation for your Flarum forum.
  Using your IP, this extension grants the ability to identify your geographical location. We use GeoIP to prevent blocking IPs from Cloudflare or other services that would impact not just the spammer.

• FoF Links - Manage Flarums primary navbar menu links.
  An extension used to customise navigation bar/menu links.

• FoF Merge Discussions - Merge two or more discussions into one.
  Definitely a useful tool especially for the moderators taking care of Discuss. This extension is used to merge discussions not only to keep things relevant, but to allow better organisation. No one likes seeing numerous discussions on the same subject now, do they?

• FoF Open Collective - Open Collective integration for your Flarum forum.
  We are a team completely consisting of volunteers, no one gets paid for their efforts working here at Flarum. Open Collective is a way you can support Flarum and its development. By contributing, you're helping us pay for our hosting and server infrastructure costs, as well as dedicated development time so we can keep making Flarum better. This extension automatically grants the Backer role to anyone backing us Open Collective and known to us with the same email address.

• FoF Sentry - Flarum integration for Sentry.
  Our nifty error-reporting tool with thanks to Sentry. With the Sentry extension we are made aware of errors on both our backend and frontend whenever they happen, with immediate reporting. We set Sentry up to report to Discord using webhook functionality, making us actionable on the spot. Sentry has been so great to sponsor our plan as well!

• FoF Spamblock - Mark user as spammer, suspending them and hiding their posts and discussions.
  Another one to take care of those nasty individuals that just want to spoil Discuss. We use this extension to mark a user as spammer, and in turn automatically suspends them hiding their posts and discussions from view. Especially useful for spambots and advertisers.

• FoF Split - Separate posts from one discussion into its own, splits discussions.
  Not only can we merge a discussion or post, but so to can we split them! You are likely to see this extension in action when a discussion goes way off topic or a staff member deems it necessary to create a completely new discussion.

• FoF Stop Forum Spam - Stop forum spam.
  Unfortunately spam is inevitable on any forum, but using this extension we are able to mitigate as much of it as possible using Stop Forum Spam's free database.

• FoF User Bio - Add the user bio back into Flarum.
  beta.8 saw the removal of the user bio from Flarum core, and in turn, this extension was released to bring it back.

• FoF Username Request - Allow users to request new usernames.
  Have you ever grown out of your username? May be you spelled it incorrectly? This extension gives us the ability to process any requested username changes. Please ensure you follow our Guidelines and use your common sense before submitting a request.

• GitHub Autolink - Autolink GitHub issues and commits.
  Definitely an important extension for our staff team as this allows for automated linking of GitHub issues and commits in posts.

• Bokt Redis - Adds Redis cache and queue to Flarum.
  An advanced extension we use for caching and queueing. We actually use Bokt Redis for queues only at this point. Using the Redis queue, wecan move long-running processes (like sending emails to subscribed users) outside of the user interaction of Discuss.

• Askvortsov Discussion Templates - Create per-tag templates for new discussions.
  Provides a consistent template for starting new discussions, like in our Support tag. This helps cut down on the amount of back-and-forth needed for information before diagnosing a support issue can begin.

• Askvortsov Moderator Warnings - This allows moderators to warn users.
  Moderators have often had to warn users by a public post or private discussion (see: FOF Byobu) in the past. This allows for a warning to occur seamlessly on the post itself, to help keep disciplinary messaging from spilling into public discussions.

• FOF Best Answer - Mark a post as the best answer in a discussion.
  This allows the authors of discussions (in our Support and Dev tags right now) to select the post that has provided the best answer to their question or problem, to make it clear for anyone reading it later.

• FOF Prevent Necrobumping - Warn before necrobumping old discussions.
  On very old discussions that might not be current anymore, we can display a warning to anyone coming later to respond to it and make sure they understand what the proper convention is. Sometimes we don't always read the dates when finding a discussion of a problem we have, and that's forgiveable. This extension just helps to be a helpful reminder.

As you can see, we are HUGE fans of extensions by Friends of Flarum, despite a lot of us being a part of the team itself. You can check out the project any time on GitHub by clicking here.

We obviously use the following core extensions as well...

• Akismet - Stop spam using the Akismet anti-spam service.
  
• Approval - Make discussions and posts require moderator approval.
  
• BBCode - Allow posts to be formatted with BBCode.
  
• Emoji - Convert text and unicode emoji into Twemoji.
  
• English - English language pack.
  
• Facebook Login - Allow users to log in with Facebook.
  
• Flags - Allow users to flag posts for moderator review.
  
• GitHub Login - Allow users to log in with GitHub.
  
• Likes - Allow users to like posts.
  
• Lock - End a discussion and don't let anyone add further replies.
  
• Markdown - Allows posts to be formated with Markdown.
  
• Mentions - Mention and reply to specific posts and users.
  
• Pusher - See new discussions and posts in real-time using Pusher.
  
• Statistics - Add a basic statistics widget on the Dashboard.
  
• Sticky - Pin discussions to the top of the list.
  
• Subscriptions - Allows users to follow discussions and receive notifications for new posts.
  
• Suspend - Suspend users so they can't post.
  
• Tags - Organise discussions into a hierarchy of tags and categories.
  
• Twitter Login - Allow users to log in with Twitter.
  

So there you have it! The entire list of extensions currently used by us at Discuss! Please feel free to use this discussion to comment on what extensions we use, but do not use it as a means to request new ones be added or created.
Until next time.

If you have not yet updated to v1.6.3 or later, do so immediately. The details of the vulnerabilities are public, and your forum could be maliciously exploited.
v1.6.3 has been released to address 3 security vulnerabilities reported by @clarkwinkelmann.

⚠️ Affected versions:
Two of the vulnerabilities affect all versions below v1.6.3.
One affect all versions between v1.3.0 and v1.6.2.

Upgrade instructions:

# Update to latest version
composer update --prefer-dist --no-dev -a -W

Verify that you're on v1.6.3

composer show flarum/core

Clear cache

php flarum cache:clear

---

Preface

⚠️ Post mentions can be used to read any post on the forum without access control (High Severity)

On December 27th, 2022, we received a report of a high confidentiality vulnerability in Flarum mentions through huntr.dev, affecting all versions below v1.6.3.

Impact
The mentionsPosts relationship included in the POST /api/posts and PATCH /api/posts/<id> JSON responses leaks the full JSON:API payload of all mentioned posts without any access control. This includes the content, date, number and attributes added by other extensions.

The attack allows the leaking of all posts in the forum database, including posts awaiting approval, posts in tags the user has no access to, and private discussions created by other extensions like FriendsOfFlarum Byobu. This also includes non-comment posts like tag changes or renaming events.
All Flarum versions prior to v1.6.3 are affected.
The details of this vulnerability were disclosed on the Flarum Discord's team channel at 00:07 UTC. The vulnerability's CVE score was 7.7, which is a high CVE score.

CVSS
The estimated CVSS vector for this vulnerability is CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N, resulting in a CVE score of 7.7. See the CVSS score breakdown.

A security advisory has been published on GitHub detailing information of the vulnerability: https://github.com/flarum/framework/security/advisories/GHSA-22m9-m3ww-53h3. Waiting for a CVE to be issued.

Workarounds
Disable the mentions extension.

⚠️ Notifications can leak restricted content (Moderate Severity)

On December 29th, 2022, we received a report of a moderate confidentiality vulnerability in Flarum core through the discord server private channel, affecting all versions below v1.6.3.

Impact
The notification-sending component does not check that the subject of the notification can be accessed by the receiver, and proceeds to send notifications through their different channels. The alerts do not leak data despite this as they are listed based on a visibility check, however, emails are still sent out.

This means that, for extensions which restrict access to posts, any actor can bypass the restriction by subscribing to the discussion if the Subscriptions extension is enabled.
The attack allows the leaking of some posts in the forum database, including posts awaiting approval, posts in tags the user has no access to if they could subscribe to a discussion before it becomes private, and posts restricted by third-party extensions.
All Flarum versions prior to v1.6.3 are affected.
The details of this vulnerability were disclosed on the Flarum Discord's team channel at 13:12 UTC. The vulnerability's CVE score was 6.8, which is a moderate CVE score.

CVSS
The estimated CVSS vector for this vulnerability is CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:N/A:N, resulting in a CVE score of 6.8. See the CVSS score breakdown.

A security advisory has been published on GitHub detailing information of the vulnerability: https://github.com/flarum/framework/security/advisories/GHSA-8gcg-vwmw-rxj4. Waiting for a CVE to be issued.

Workarounds
Disable the Flarum Subscriptions extension or disable email notifications altogether.

There is no other supported workaround for this issue for Flarum versions below 1.6.3.

⚠️ Any user can reply in public discussions whose first post was permanently deleted (Low Severity)

On December 29th, 2022, we received a report of a low integrity vulnerability in Flarum core through through huntr.dev, affecting versions between v1.3.0 and v1.6.3.

Impact
If the first post of a discussion is permanently deleted but the discussion stays visible, any actor who can view the discussion is able to create a new reply via the REST API, no matter the reply permission or lock status. This includes users that don't have a validated email.

Flarum automatically makes discussions with zero comments invisible so an additional condition for this vulnerability is that the discussion must have at least one approved reply so that discussions.comment_count is still above zero after the post deletion.
This can open the discussion to uncontrolled spam or just unintentional replies if users still had their tab open before the vulnerable discussion was locked and then post a reply when they shouldn't be able to.
In combination with the email notification settings, this could also be used as a way to send unsolicited emails.
Versions between v1.3.0 and v1.6.3 are impacted.
The vulnerability's CVE score was 3.5, which is a low CVE score.

CVSS
The estimated CVSS vector for this vulnerability is CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N, resulting in a CVE score of 3.5. See the CVSS score breakdown.

A security advisory has been published on GitHub detailing information of the vulnerability: https://github.com/flarum/framework/security/advisories/GHSA-hph3-hv3c-7725. Waiting for a CVE to be issued.

Workarounds
If you don't delete the first posts you are not affected. A workaround can be to delete the discussion itself, or amend the database to manually set a first_post_id.

---

How were the vulnerabilities fixed?

These were patched through a combination of efforts from multiple developers in the past couple of weeks and pushed to the core's release/v1.6.3 branch on the 10th of January 2023 around 12:00 UST. After verifying that the patch worked as expected and didn't have noticeable effects on other areas of core and bundled extensions, it was released as v1.6.3 on the same day an hour later.

What did we do right?

Available core developers looked into reports and discussed to patch the vulnerabilities one by one as soon as possible, an initial patch was proposed within a day and subsequent patches were proposed the week following it. With all approvals being acquired by the 9th January 2023.

What could we improve?

It took longer than usual to get a full patch ready and released, but this is mostly due to the fact this was a time of holiday for most of our team, but also because there were multiple (3) vulnerabilities we had to look into and our decision to fix them all in one patch.

How can we prevent this from happening again?

While we have made incredible progress in our backend test coverage, there is definitely a lot more that can be done. We need to invest more time into adding more backend tests so that issues such as these are caught earlier.⚠️

Hey,
With v1.6 released, time to move onto v1.7
We will try to post updates on the roadmap progress in this cycle.

v1.6.0 - Kookaburra

---

📣 The Release

---

We are happy to announce the release of v1.6, not the biggest release but sizeable and important regardless:

• 🤙 You can now mention groups, like me mentioning @Flarum Team (flarum/framework#3658) - Bounty
• 📈 Statistics extension now supports custom date ranges (flarum/framework#3622)
• 📈 Statistics extension now allows exporting the graph (flarum/framework#3662)
• 🧩 Using an automated installer, you can now choose extensions to enable (flarum/framework#3655)
• 📧 Notifications for approved posts are now properly sent out (flarum/framework#3656) - Bounty
• 👯 Group edit modal now contains a color preview input field (flarum/framework#3650)
• 🐛 Many bugs have been squashed.
• ♿️ Accessibility improvements have been made.
• 🧑‍💻 And much much more...

👨‍💻 For Developers

---

Extensions compatible with 1.5 should still operate on Flarum 1.6 without any changes.

⤴️ Upgrading

---

Before you upgrade, make sure to create a backup of your public/assets directory, your composer.json and your database!

Before starting the upgrade process, ensure you are on Flarum 1.0.0 or above in your Admin Dashboard or by typing php flarum info. If you're not, use the previous release announcement for upgrading from an earlier version.
To upgrade from 1.0 or 1.5 to 1.6, take a look at our upgrade guide documentation. The process should be much easier compared to previous major version upgrades, due to the lack of breaking changes.

If you run into any issues, please open a new discussion under the Support tag. Ignore similar discussions and open a new one anyhow. Make sure to mention the output of php flarum info, composer why-not flarum/core v1.6.0, and any errors to their fullest.

😇 Thanks to our Sponsors

---

Financial donations keep Flarum alive and kicking. The following companies and people deserve credit for making Flarum sustainable:

• Glowing Blue AG
• Sridhar Kamma
• Lincoln Russell
• Bart van Bragt
• Lurker
• Circuit Dojo
• David Wheatley
• Timotheus Pokorra
• Edmilerad
• ange1k
• S4 Hosting
• Seaborn
• Alexander Skvortsov
• Paulina
• Jai Gupta
• Matt Kilgore
• Guoqing
• Miguel A. Lago
• LianSheng
• Soobin Rho
• PapaFig1
• Nsustain

Thank you to all the Supporters, backing us through Discuss:
@v17development and @waca !

Special thanks for all the Devotees (people pledging to our bounties in the Proposals tag), you are driving a lot of new features! These people have helped ship a new feature in this release with their pledge:
@datlechin @Darkle @SKevo @GreXXL @pkernstock @Lurker @CyberGene @meihuak .

Thanks for being awesome 😍 !

🙇‍♀️ Acknowledgements

---

Flarum wouldn't be the same without our over one hundred contributors, along with their generous time commitments! For this release we specifically thank these wonderful people:

• The non-team contributors that usually tackle unplanned, but extremely welcomed bugs or overhauls. We absolutely love contributions that help us move forward, so thank you very much:
  @datlechin @ornanovitch @iPurpl3x.
• The core and staff team contributors, people that have vast knowledge of the code base who sacrifice their free time to bring the awesome Flarum software to you, for free. Thank you so much:
  @askvortsov @SychO @davwheat @luceos @ianm @clarkwinkelmann
• The community staff is the foundation to a warm and welcoming community. Many cheers for all you do:
  @jordanjay29 @Prosperous @GreXXL
• The well-oiled machine that is the translation team, keeping up with new languages, their maintainers and the translations perfectly well. Very, very much appreciated:
  @GreXXL @Justoverclock @rob006
• All our additional staff who all help us where we need it most:
  @tankerkiller125 @Deebug @katos @victorparedes.
• A great shout out to everyone who's submitted carefully described issues and suggestions, especially:
  @ornanovitch @orschiro.
• And the whole community sharing their passion for Flarum, urging us on!

🆘 Support the Project

---

We need your support to:

• Guarantee continued development on the software.
• Create a valuable ecosystem around the project.
• Ensure healthy extensions are available.

You can support us:

• 👕 By getting some swag from our merchandise store!
• 💵 By becoming a Supporter or Sponsor on Discuss, backing us on Open Collective or on GitHub.
• 🤟 By supporting new features with your pledge in our Proposals tag.
• 👩‍💻 By contributing to the source code, hop onto any of our open issues.
• 📈 By creating your own Flarum extensions and sharing them with the world!
• 🌎 By translating Flarum and extensions into your own language.
• 💝 By sharing your love for Flarum with friends, family and on the internet.
• 💬 By hanging out with us, here on discuss!

For installation instructions check our installation documentation. If you are interested in developing extensions for Flarum, check the extend section there.

📖 Introduction

Welcome to our newest community update. In this edition we want to show you the versitlity of Flarum as a multi-language forum patform. Also - like you are already used to - we will share interesting updates on the Flarum ecosystem, including the newest plugin additions and active bountries. In Edition 4 of our community updates 2022 we featured a overview about push notifications and mobile app support. Feel free to skip back to this post in case you are interested. But now lets move on to our newest update.

---

🗣️ Multi-language in Flarum! What are the options?

Many message boards have a target audience speaking different languages. Support for multiple languages is, therefore, at the heart of much good software. But supporting different languages as variables for text does not make for a good multi-language community. Many extensions are available that help you customise your community for a truly multilingual experience. But before we go there, let's start with language support in Flarum first.

🌐 Flarum Lang

With the Flarum Language Project, we started to get more of the available translations under a common roof. Those languages are also available on Weblate. This web-based platform allows you to contribute to all available languages to get new extensions translated or improve translations. Of course existing or new languages are always welcome to join the project. All contributions are welcomed!
Find all 40 available languages on the GitHub Project. A big thank you needs to be sent to all the many language pack maintainers and contributors.

🧩 Extensions

While Flarum offers great support for different languages to be installed in one installation, there are many extensions out there that greatly improve the handling of multi-languages.

Discussion Language by @FriendsOfFlarum

This extension allows one to assign a language to discussions, allowing one to filter content by language. There are many neat features like language auto-detect to assist users in finding what they are looking for.
Find out more on the extensions page.

Localizd by @glowingblue

This premium extension extends Flarum to add support for translating core features into different languages. This includes the Forum description as well as, most importantly, Tags. This allows users to change the Forum to the language of their desire completely.
Find out more on the extensions page.

Translate by @ianm

Another premium extension allows the automatic language detection and translation of discussions and posts. This allows users to easily view the complete content a multi-language has to offer and does not limit them to the languages they speak. Asides from the extension, a professional language translation service like Google Translate or DeepL is needed. Both offer free limits to get this started, though.
Find out more on the extensions page.

Other extensions

Of course, we also need to mention the FoF Linguist extension and the Translation Inspector, which are both useful tools to improve the languages of Flarum or modify them to the specific needs of your community.

🧪 Samples

Now one might argue that this is theoretically very nice but is there any bigger community out there using this in the real world? I am really happy to say yes! Also, this community has been highlighted in a previous community update already! You can read the interview of @Dany and visit the community.

📰 Other News

Flarum released Version 1.6, including the first two bounties successfully funded and implemented. Please also note that a critical security update has been released for affected version 1.5.x to 1.6.1. Work on the next version, 1.7 has already started.
Also on date of publishing this article there are currently different promotions running for Black Friday offering some big discounts on premium extensions worth checking out.

🏴‍☠️ Active Bounties:

• Mentioning Tags has been picked up by @ianm to be implemented in 1.7 but still happily takes supporters.
• Improving FoF Spamblock still looking for funding and implementation
• Turnstile Captcha has been picked up by @ianm to be implemented but still happily takes supporters
• Federation Extension has been picked up by @luceos but still needs a lot of funding

🕸️ Extension Highlights

• Sudo Mode by @clarkwinkelmann to protect sensible areas of Flarum administration
• Post Stream Search by @clarkwinkelmann allowing easy search within a discussion

---

🏁 Final words

We hope you have liked this edition of “Community Updates”. Looking forward to your comments and ideas for future updates. We are going to pickup speed again and hope to see you soon on the next edition of Community Updates.