v1.7.0 - Tasmanian Devil

---

📣 The Release

---

Hey folks, the moment we've been waiting for is finally here! Flarum v1.7 is now live, and it's packed with some awesome new features and enhancements. Here are some highlights:

• 👨‍💻 Introduced support for PHP 8.2!
• 🚪 New access tokens user management UI.
• 🔓 Added a global logout to clear all sessions, access tokens, email tokens, and password tokens.
• 🛠️ Fixed notifications not being sent out on post approval.
• 🔍 SEO improvements relating to document headers
• 🧪 Created a Jest configuration package for frontend tests unit and component testing.
• 🖌️ Improved tag text color contrast for accessibility.
• 🚀 Introduced frontend extenders.
• 🧰 Introduced PHPStan support for extensions through a new package.
• 🔍 Admins can now search users in the admin users list.
• 👥 Added display name column to admin users list.
• 📄 Improved page navigation in the admin users list.
• 🆗 Added UTF8 tag slug support.
• 🔒️ Security patch.
• 🧑‍💻 And much much more...

👨‍💻 For Developers

---

Extensions compatible with 1.6 should still operate on Flarum 1.7 without any changes. However, this release introduces some developer-facing changes, we recommend updating your code accordingly:

• Frontend extenders (https://docs.flarum.org/extend/models/#adding-new-models-1, https://docs.flarum.org/extend/models/#extending-models, https://docs.flarum.org/extend/models/#extending-models)
• You can see all JS changes that might affect your extension: https://github.com/flarum/framework/issues?q=is%3Aclosed+milestone%3A1.7+label%3Ajavascript

Additionally, this release comes with nice new features:

• A PHPStan package to allow static code analysis in your extension through PHPStan (https://docs.flarum.org/extend/static-code-analysis).
• A Jest configuration package to allow you to write unit and components tests for your frontend code (https://docs.flarum.org/extend/testing#frontend-tests).

Checkout the full upgrade guide. Feel free to provide feedback or report any encountered issues!

⤴️ Upgrading

---

Before you upgrade, make sure to create a backup of your public/assets directory, your composer.json and your database!

Before starting the upgrade process, ensure you are on Flarum 1.0.0 or above in your Admin Dashboard or by typing php flarum info. If you're not, use the previous release announcement for upgrading from an earlier version.
To upgrade from 1.0 or 1.6 to 1.7, take a look at our upgrade guide documentation. The process should be much easier compared to previous major version upgrades, due to the lack of breaking changes.

If you run into any issues, please open a new discussion under the Support tag. Ignore similar discussions and open a new one anyhow. Make sure to mention the output of php flarum info, composer why-not flarum/core v1.7.0, and any errors to their fullest.

😇 Thanks to our Sponsors

---

Financial donations keep Flarum alive and kicking. The following companies and people deserve credit for making Flarum sustainable:

• Glowing Blue AG
• Sridhar Kamma
• Nathan Sweet
• Lincoln Russell
• Bart van Bragt
• Circuit Dojo
• David Wheatley
• Rad Web Hosting
• Seaborn
• Timotheus Pokorra
• Pep Oliveras
• Edmilerad
• JrdnHnz
• S4 Hosting
• Alexander Skvortsov
• Paulina
• Jai Gupta
• Guoqing
• Miguel A. Lago
• b0ring

Thank you to all the Supporters, backing us through Discuss:
@v17development and @waca !

Thanks for being awesome 😍 !

🙇‍♀️ Acknowledgements

---

Flarum wouldn't be the same without our over one hundred contributors, along with their generous time commitments! For this release we specifically thank these wonderful people:

• The non-team contributors that usually tackle unplanned, but extremely welcomed bugs or overhauls. We absolutely love contributions that help us move forward, so thank you very much:
  @n-peugnet @ornanovitch @rob006 @Darkle @OwenMelbz
• The core and staff team contributors, people that have vast knowledge of the code base who sacrifice their free time to bring the awesome Flarum software to you, for free. Thank you so much:
  @askvortsov @SychO @davwheat @luceos @ianm @clarkwinkelmann @OrdinaryJellyfish
• The community staff is the foundation to a warm and welcoming community. Many cheers for all you do:
  @jordanjay29 @Prosperous @GreXXL
• The well-oiled machine that is the translation team, keeping up with new languages, their maintainers and the translations perfectly well. Very, very much appreciated:
  @GreXXL @Justoverclock @rob006
• All our additional staff who all help us where we need it most:
  @tankerkiller125 @datitisev @Deebug @katos @victorparedes.
• A great shout out to everyone who's submitted carefully described issues and suggestions, especially:
  @ornanovitch
• And the whole community sharing their passion for Flarum, urging us on!

🆘 Support the Project

---

We need your support to:

• Guarantee continued development on the software.
• Create a valuable ecosystem around the project.
• Ensure healthy extensions are available.

You can support us:

• 👕 By getting some swag from our merchandise store!
• 💵 By becoming a Supporter or Sponsor on Discuss, backing us on Open Collective or on GitHub.
• 🤟 By supporting new features with your pledge in our Proposals tag.
• 👩‍💻 By contributing to the source code, hop onto any of our open issues.
• 📈 By creating your own Flarum extensions and sharing them with the world!
• 🌎 By translating Flarum and extensions into your own language.
• 💝 By sharing your love for Flarum with friends, family and on the internet.
• 💬 By hanging out with us, here on discuss!

For installation instructions check our installation documentation. If you are interested in developing extensions for Flarum, check the extend section there.

With v1.7 out of the door and some v1.7.1 patches done, we now move on to v1.8, after a break 👼.
v1.8 will be dedicated to performance improvements and bug fixes and is very likely the last v1.x release before v2.0 development begins.
And as always, if you are interested in getting involved with Flarum: https://docs.flarum.org/#help-the-flarum-project

If you have not yet updated to v1.6.3 or later, do so immediately. The details of the vulnerabilities are public, and your forum could be maliciously exploited.
v1.6.3 has been released to address 3 security vulnerabilities reported by @clarkwinkelmann.

⚠️ Affected versions:
Two of the vulnerabilities affect all versions below v1.6.3.
One affect all versions between v1.3.0 and v1.6.2.

Upgrade instructions:

# Update to latest version
composer update --prefer-dist --no-dev -a -W

Verify that you're on v1.6.3

composer show flarum/core

Clear cache

php flarum cache:clear

---

Preface

⚠️ Post mentions can be used to read any post on the forum without access control (High Severity)

On December 27th, 2022, we received a report of a high confidentiality vulnerability in Flarum mentions through huntr.dev, affecting all versions below v1.6.3.

Impact
The mentionsPosts relationship included in the POST /api/posts and PATCH /api/posts/<id> JSON responses leaks the full JSON:API payload of all mentioned posts without any access control. This includes the content, date, number and attributes added by other extensions.

The attack allows the leaking of all posts in the forum database, including posts awaiting approval, posts in tags the user has no access to, and private discussions created by other extensions like FriendsOfFlarum Byobu. This also includes non-comment posts like tag changes or renaming events.
All Flarum versions prior to v1.6.3 are affected.
The details of this vulnerability were disclosed on the Flarum Discord's team channel at 00:07 UTC. The vulnerability's CVE score was 7.7, which is a high CVE score.

CVSS
The estimated CVSS vector for this vulnerability is CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N, resulting in a CVE score of 7.7. See the CVSS score breakdown.

A security advisory has been published on GitHub detailing information of the vulnerability: https://github.com/flarum/framework/security/advisories/GHSA-22m9-m3ww-53h3. Waiting for a CVE to be issued.

Workarounds
Disable the mentions extension.

⚠️ Notifications can leak restricted content (Moderate Severity)

On December 29th, 2022, we received a report of a moderate confidentiality vulnerability in Flarum core through the discord server private channel, affecting all versions below v1.6.3.

Impact
The notification-sending component does not check that the subject of the notification can be accessed by the receiver, and proceeds to send notifications through their different channels. The alerts do not leak data despite this as they are listed based on a visibility check, however, emails are still sent out.

This means that, for extensions which restrict access to posts, any actor can bypass the restriction by subscribing to the discussion if the Subscriptions extension is enabled.
The attack allows the leaking of some posts in the forum database, including posts awaiting approval, posts in tags the user has no access to if they could subscribe to a discussion before it becomes private, and posts restricted by third-party extensions.
All Flarum versions prior to v1.6.3 are affected.
The details of this vulnerability were disclosed on the Flarum Discord's team channel at 13:12 UTC. The vulnerability's CVE score was 6.8, which is a moderate CVE score.

CVSS
The estimated CVSS vector for this vulnerability is CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:N/A:N, resulting in a CVE score of 6.8. See the CVSS score breakdown.

A security advisory has been published on GitHub detailing information of the vulnerability: https://github.com/flarum/framework/security/advisories/GHSA-8gcg-vwmw-rxj4. Waiting for a CVE to be issued.

Workarounds
Disable the Flarum Subscriptions extension or disable email notifications altogether.

There is no other supported workaround for this issue for Flarum versions below 1.6.3.

⚠️ Any user can reply in public discussions whose first post was permanently deleted (Low Severity)

On December 29th, 2022, we received a report of a low integrity vulnerability in Flarum core through through huntr.dev, affecting versions between v1.3.0 and v1.6.3.

Impact
If the first post of a discussion is permanently deleted but the discussion stays visible, any actor who can view the discussion is able to create a new reply via the REST API, no matter the reply permission or lock status. This includes users that don't have a validated email.

Flarum automatically makes discussions with zero comments invisible so an additional condition for this vulnerability is that the discussion must have at least one approved reply so that discussions.comment_count is still above zero after the post deletion.
This can open the discussion to uncontrolled spam or just unintentional replies if users still had their tab open before the vulnerable discussion was locked and then post a reply when they shouldn't be able to.
In combination with the email notification settings, this could also be used as a way to send unsolicited emails.
Versions between v1.3.0 and v1.6.3 are impacted.
The vulnerability's CVE score was 3.5, which is a low CVE score.

CVSS
The estimated CVSS vector for this vulnerability is CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N, resulting in a CVE score of 3.5. See the CVSS score breakdown.

A security advisory has been published on GitHub detailing information of the vulnerability: https://github.com/flarum/framework/security/advisories/GHSA-hph3-hv3c-7725. Waiting for a CVE to be issued.

Workarounds
If you don't delete the first posts you are not affected. A workaround can be to delete the discussion itself, or amend the database to manually set a first_post_id.

---

How were the vulnerabilities fixed?

These were patched through a combination of efforts from multiple developers in the past couple of weeks and pushed to the core's release/v1.6.3 branch on the 10th of January 2023 around 12:00 UST. After verifying that the patch worked as expected and didn't have noticeable effects on other areas of core and bundled extensions, it was released as v1.6.3 on the same day an hour later.

What did we do right?

Available core developers looked into reports and discussed to patch the vulnerabilities one by one as soon as possible, an initial patch was proposed within a day and subsequent patches were proposed the week following it. With all approvals being acquired by the 9th January 2023.

What could we improve?

It took longer than usual to get a full patch ready and released, but this is mostly due to the fact this was a time of holiday for most of our team, but also because there were multiple (3) vulnerabilities we had to look into and our decision to fix them all in one patch.

How can we prevent this from happening again?

While we have made incredible progress in our backend test coverage, there is definitely a lot more that can be done. We need to invest more time into adding more backend tests so that issues such as these are caught earlier.⚠️

---

📣 The Announcement

Supporting our extension ecosystem in building even more awesome extensions, is something we firmly believe in. As such @askvortsov has been hammering away at this project (RFC: Flarum CLI Alpha, Flarum CLI Dev Diary), setting up a solid foundation for it to create a powerful tool for extension development that would help developers by automating some repetitive and menial tasks, and allow them to get into the actual work without much hassle.
Today, we're very excited to announce the 1.0 version of this tool, it comes with a range of commands to assist you along the way.

---

📥 Installation

Using npm simply run the following command to install the CLI globally.
If you have the alpha version installed, remove it first:

$ npm uninstall -g flarum-cli

Now install the new package:

$ npm install -g @flarum/cli

To run a command, use either flarum-cli or fl:

$ flarum-cli COMMAND
$ fl COMMAND

To see a list of available commands, run either of:

$ flarum-cli
$ flarum-cli --help

---

⬆️ Updating

$ npm update -g @flarum/cli

---

🌟 Highlights

The CLI has different types of commands for different tasks:
Initialisation

• flarum-cli init [PATH]: Generates a blank extension skeleton, including all recommended infrastructure.

Infrastructure

• flarum-cli infra backend-testing [PATH]: Adds (or updates) infrastructure for running automated backend tests.

Backend Boilerplate Generation: Generates different types of backend classes and/or extenders, ready to be used.

• flarum-cli make backend api-controller [PATH]
• flarum-cli make backend api-serializer [PATH]
• flarum-cli make backend api-serializer-attributes [PATH]
• flarum-cli make backend command [PATH]
• flarum-cli make backend event-listener [PATH]
• flarum-cli make backend handler [PATH]
• flarum-cli make backend integration-test [PATH]
• flarum-cli make backend job [PATH]
• flarum-cli make backend migration [PATH]
• flarum-cli make backend model [PATH]
• flarum-cli make backend policy [PATH]
• flarum-cli make backend repository [PATH]
• flarum-cli make backend route [PATH]
• flarum-cli make backend service-provider [PATH]
• flarum-cli make backend validator [PATH]

Frontend Boilerplate Generation: Generate frontend components/classes, ready to be used.

• flarum-cli make frontend component [PATH]
• flarum-cli make frontend modal [PATH]
• flarum-cli make frontend model [PATH]

Code Updates:

• flarum-cli update js-imports [PATH]: Adds admin/forum/common namespaces to all JS imports from flarum core.

And of course, you can always use the help command to see a list of all available commands with their descriptions:

• flarum-cli help [COMMAND]

---

🔥 The Most Powerful Commands

Of all the aforementioned commands, the two most powerful ones that will make a huge difference, are the extension initialisation command and the backend model generation command. The former obviously allows to kickstart the extension with the recommended skeleton from the Core Dev team, while the latter not only creates the backend model, it allows to create all the classes related to the model, from just its name:

• Table migration
• Policy
• API Serializer
• CRUD API Controllers
• CRUD Handlers
• Repository
• Validator
• Routes
• Related Extenders

🧑‍🏭 Support & Feedback

If you encounter any problems while using the CLI, or would like to propose additional features/commands, please open an issue in the github repository.
Any and all feedback is appreciated.

Links

• GitHub
• npm

📖 Introduction

Welcome to our newest community update. In this edition we want to show you the versitlity of Flarum as a multi-language forum patform. Also - like you are already used to - we will share interesting updates on the Flarum ecosystem, including the newest plugin additions and active bountries. In Edition 4 of our community updates 2022 we featured a overview about push notifications and mobile app support. Feel free to skip back to this post in case you are interested. But now lets move on to our newest update.

---

🗣️ Multi-language in Flarum! What are the options?

Many message boards have a target audience speaking different languages. Support for multiple languages is, therefore, at the heart of much good software. But supporting different languages as variables for text does not make for a good multi-language community. Many extensions are available that help you customise your community for a truly multilingual experience. But before we go there, let's start with language support in Flarum first.

🌐 Flarum Lang

With the Flarum Language Project, we started to get more of the available translations under a common roof. Those languages are also available on Weblate. This web-based platform allows you to contribute to all available languages to get new extensions translated or improve translations. Of course existing or new languages are always welcome to join the project. All contributions are welcomed!
Find all 40 available languages on the GitHub Project. A big thank you needs to be sent to all the many language pack maintainers and contributors.

🧩 Extensions

While Flarum offers great support for different languages to be installed in one installation, there are many extensions out there that greatly improve the handling of multi-languages.

Discussion Language by @FriendsOfFlarum

This extension allows one to assign a language to discussions, allowing one to filter content by language. There are many neat features like language auto-detect to assist users in finding what they are looking for.
Find out more on the extensions page.

Localizd by @glowingblue

This premium extension extends Flarum to add support for translating core features into different languages. This includes the Forum description as well as, most importantly, Tags. This allows users to change the Forum to the language of their desire completely.
Find out more on the extensions page.

Translate by @ianm

Another premium extension allows the automatic language detection and translation of discussions and posts. This allows users to easily view the complete content a multi-language has to offer and does not limit them to the languages they speak. Asides from the extension, a professional language translation service like Google Translate or DeepL is needed. Both offer free limits to get this started, though.
Find out more on the extensions page.

Other extensions

Of course, we also need to mention the FoF Linguist extension and the Translation Inspector, which are both useful tools to improve the languages of Flarum or modify them to the specific needs of your community.

🧪 Samples

Now one might argue that this is theoretically very nice but is there any bigger community out there using this in the real world? I am really happy to say yes! Also, this community has been highlighted in a previous community update already! You can read the interview of @Dany and visit the community.

📰 Other News

Flarum released Version 1.6, including the first two bounties successfully funded and implemented. Please also note that a critical security update has been released for affected version 1.5.x to 1.6.1. Work on the next version, 1.7 has already started.
Also on date of publishing this article there are currently different promotions running for Black Friday offering some big discounts on premium extensions worth checking out.

🏴‍☠️ Active Bounties:

• Mentioning Tags has been picked up by @ianm to be implemented in 1.7 but still happily takes supporters.
• Improving FoF Spamblock still looking for funding and implementation
• Turnstile Captcha has been picked up by @ianm to be implemented but still happily takes supporters
• Federation Extension has been picked up by @luceos but still needs a lot of funding

🕸️ Extension Highlights

• Sudo Mode by @clarkwinkelmann to protect sensible areas of Flarum administration
• Post Stream Search by @clarkwinkelmann allowing easy search within a discussion

---

🏁 Final words

We hope you have liked this edition of “Community Updates”. Looking forward to your comments and ideas for future updates. We are going to pickup speed again and hope to see you soon on the next edition of Community Updates.