Welcome to the official Flatboard Changelog 👋
All updates, improvements, bug fixes, and changes related to Flatboard will be published here.
Stay tuned for upcoming updates 🚀
Edited on Jan 01, 2026 By Fred .
Release Date: December 23, 2025
createPost() from replies_count + CASE WHEN :is_first_post = 1 THEN 0 ELSE 1 END to CASE WHEN :is_first_post = 1 THEN 0 ELSE replies_count + 1 END$stmtUpdate->execute() call that was causing incorrect counts$pdo to $this->db in SqliteStorage::togglePostReaction()\PDO::FETCH_ASSOC to:getUserSubscriptions()getSubscriptionsByDiscussion()getUserNotifications()trueX-Requested-With: XMLHttpRequest header to fetch requestsisRemotePath() method to FileStorageService for detecting remote URLs (http, https, ftp)UrlHelper::full() now detects existing subfolders in site_url and prevents duplicationhttp://localhost/Flatboard + /Flatboard now correctly produces http://localhost/Flatboard/discussion instead of http://localhost/Flatboard/Flatboard/discussionsite_url with baseUrl before constructionPluginController to prioritize plugin_description_default key from language files$ignorePinned parameter - New parameter in getAllDiscussionsSorted() method allows bypassing pinned sorting when neededNotificationService::notify() now accepts and stores discussion_id and post_id for improved diagnostics and data completeness/admin/maintenance/rebuild-discussion-repliesrecalculateDiscussionReplies() to SQLite Storage for maintenance operationsREADME.md with features, improvements, fixes, and usage instructionsdescription field to plugin.json with detailed French descriptionRefactored tag loading across multiple controllers to eliminate N+1 query problem:
Affected Controllers:
CategoryControllerTagControllerApi\DiscussionApiControllerApi\TagApiControllerNew Batch Loading Pattern:
Performance Impact: Reduced from N+1 queries (1 + N queries per discussion) to just 3 total queries
uploadImage() with detailed messages for all UPLOAD_ERR_* constantsplugin_description_default with graceful fallback to descriptionReference: /d/6-username-with-unsupported-characters
Server-Side Validation:
RegisterController, ProfileController, and UserManagementControllerClient-Side Validation:
pattern="[a-zA-Z0-9_-]+"/^[a-zA-Z0-9_-]+$/Translation:
username_invalid_format message in French and English error files✅ Permitted:
a-z, A-Z0-9-_❌ Prohibited:
| Username | Valid | Reason |
|---|---|---|
John_Doe | ✅ | Alphanumeric with underscore |
user123 | ✅ | Alphanumeric only |
my-username | ✅ | Alphanumeric with hyphen |
jean-marie | ✅ | Letters with hyphen |
Patrik Čmejla | ❌ | Contains space and diacritic |
user@example | ❌ | Contains @ symbol |
$this->pdo → $this->db\PDO::FETCH_ASSOC added for consistencydiscussionId and postId parametersnotifyNewReply() to pass contextual IDsEdited on Dec 22, 2025 By Fred .
/login/2fa/verify instead of the correct route /login/2fa. Updated all 2FA views across all themes (default, premium).window.url() helper function to include the base path./d/{number_slug}/posts now correctly include the subdirectory path.UrlHelper::to().uploads.images) and dynamically sets the imageAccept option in easyMDE to allow WebP uploads when permitted by file permissions.image/x-webp → image/webp) to handle variations across different systems.UploadController::uploadImage() to provide detailed error messages including MIME type, file size, and allowed types for better debugging.fas fa-rss iconfas fa-rss-square iconrel="alternate" and type attributes for SEOthemes/assets/js/url-helper.js to use window.BASE_URL when available, ensuring proper subdirectory support even if the helper is loaded before translations.php./d/..., /api/...) with window.url() calls in JavaScript code across all discussion views and themes.UrlHelper::to() instead of hardcoded paths for consistent subdirectory support.app/Views/auth/2fa.php and all theme variantsplugins/easymde/EasyMDEPlugin.phpapp/Services/UploadService.phpapp/Controllers/UploadController.phpapp/Views/discussions/show.php and all theme variantsthemes/assets/js/url-helper.jsapp/Views/layouts/frontend/footer.php and all theme variants/feed/rss, /feed/atom, /login/2fa)Release Date: December 25, 2025
Codename: MERRY CHRISTMAS
This release candidate focuses on major improvements to the translation system, URL handling for subfolder installations, two-factor authentication fixes, and various bug fixes and enhancements.
Complete hierarchical translation structure
module.section.element)Translation key migration
JavaScript translation fixes
json_encode() for proper escapingComplete translation coverage
Subfolder installation support
/forum), and nested subfolders (/apps/forum)Universal URL helpers
UrlHelper::to(), UrlHelper::asset(), UrlHelper::theme(), UrlHelper::plugin()UrlHelper::full() method for absolute URLs using configured site_url/index.php/ appearing in URLsAsset loading fixes
AJAX request handling
window.apiRequest() helper for API callsActivation fixes
UI improvements
/uploads/avatars/)errors.permission.denied not being translated (removed redundant errors. prefix)admin.panel.title and other admin panel translationssite_url for redirectssite_url detection during installationUser::invalidateCache() methodTranslation Keys: All translation keys have been migrated to hierarchical structure. Update any custom code using old flat keys.
URL Generation: Always use UrlHelper::to(), UrlHelper::asset(), etc. instead of hardcoded paths.
JavaScript Translations: Use json_encode() when embedding translations in JavaScript to avoid syntax errors.
2FA: The 2FA activation process has been improved. Test thoroughly if you have custom 2FA implementations.
Subfolder Installations: The base path is now automatically detected. No manual configuration needed.
Theme Settings: Theme settings (checkboxes, selects) should now save correctly. Verify your theme configurations.
Translations: All admin panel translations should now be complete. Report any missing translations.
app/Core/App.php - Added avatar serving route, improved routingapp/Helpers/UrlHelper.php - Enhanced base path detection and URL generationapp/Helpers/SeoHelper.php - Fixed SEO URLs to use base pathapp/Models/User.php - Added cache invalidation methodapp/Controllers/Auth/TwoFactorController.php - Fixed 2FA activationapp/Controllers/Admin/ThemeController.php - Fixed theme settings savingapp/Views/users/settings.php - Fixed 2FA message display, JavaScript translationsapp/Views/auth/2fa-settings.php - Fixed form submission, JavaScript errorsapp/Views/admin/* - Fixed all translation keyslanguages/*/main.json - Complete hierarchical restructurelanguages/*/admin.json - Added missing translationslanguages/*/errors.json - Fixed key structurelanguages/*/auth.json - Added 2FA translationsthemes/assets/js/api-helper.js - New universal API request helperThank you to all contributors who helped improve Flatboard 5!
Release Date: December 27, 2025
Version: 5.0.0-RC5
Compatibility: PHP 8.0+, SQLite/JSON Storage
This release includes comprehensive improvements to the Premium theme configuration system, API routing fixes, critical bug fixes for group management, significant backend UX improvements, theme optimization, and automatic theme mode improvements. All changes maintain backward compatibility and respect the core architecture constraints.
Fixed 404 errors for API endpoints (/api/presence/update and /api/notifications) by adding proper routing rules to redirect API requests to api.php instead of index.php.
.htaccess (Root directory)Added: API routing rule before the general rewrite rule
/api/* requests to public/api.php# Redirect API requests to public/api.php (supports subdirectories)
RewriteCond %{THE_REQUEST} \s+/api/ [NC]
RewriteRule ^api/(.*)$ public/api.php?url=/api/$1 [QSA,L]
public/.htaccess (Public directory)Added: API routing rule before the general rewrite rule
/api/* requests to api.php^/api/ to /api/ to support subdirectories (removed anchor ^)# Redirect API requests to api.php
# Supports subdirectories: /forum/api/... or /api/...
RewriteCond %{REQUEST_URI} /api/ [NC]
RewriteRule ^api/(.*)$ api.php?url=/api/$1 [QSA,L]
nginx.confAdded: API location block and FastCGI configuration
/api/* requests to public/api.php^/api/ to /api/ to support subdirectories (removed anchor ^)# API entry point (supports subdirectories)
location ~ /api/ {
try_files $uri /public/api.php?url=$uri&$args;
}
api.php# API PHP entry point
location ~ ^/public/api\.php$ {
fastcgi_pass unix:/var/run/php/php8.0-fpm.sock;
fastcgi_index api.php;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
include fastcgi_params;
fastcgi_param REQUEST_URI $request_uri;
fastcgi_param QUERY_STRING $query_string;
add_header X-Content-Type-Options "nosniff" always;
add_header X-Frame-Options "SAMEORIGIN" always;
add_header X-XSS-Protection "1; mode=block" always;
}
/api/* were being routed to index.php instead of api.phpapi.php file uses runApi() method which calls dispatchApi() instead of dispatch(), ensuring proper API response handlingThese changes support:
https://example.com/api/...https://example.com/forum/api/...https://forum.example.com/api/...^/api/ (only matches at start of path)/api/ (matches anywhere in path)/api/ even when preceded by a subdirectory path like /forum/api/After applying these changes, the following endpoints should work correctly:
GET /api/notificationsPOST /api/presence/update/api/* endpointsNo additional configuration needed. Just ensure mod_rewrite is enabled.
sudo nginx -tsudo systemctl reload nginxfastcgi_pass path if different (check your PHP-FPM socket location)Added comprehensive theme configuration system to the Premium theme, allowing administrators to customize layout, visual styles, and feature toggles without modifying core files. All changes are contained within the themes/premium directory.
themes/premium/theme.json)Added: 15 new configurable parameters for theme customization
Layout Options:
layout_style: Choose between centered, wide, or compact layoutsnavbar_style: Glass, solid, or transparent navbar stylescard_style: Elevated, bordered, or minimal card designsVisual Options:
animation_level: Control animation intensity (none, subtle, normal, high)border_radius: Adjust border radius multiplier (0.5x to 2x)font_size: Adjust font size multiplier (0.8x to 1.5x)spacing: Adjust spacing multiplier (0.8x to 1.5x)enable_gradients: Toggle gradient effectsenable_shadows: Toggle shadow effectsenable_parallax: Toggle parallax scrolling effectsFeature Toggles:
show_hero: Display hero section on homepage and forums pageshow_stats: Display statistics sectionshow_breadcrumbs: Display breadcrumb navigationshow_cta: Display call-to-action sectionsshow_avatars: Display user avatars in postsshow_signatures: Display user signatures in postsshow_share_buttons: Display social sharing buttonsenable_reactions: Enable reaction picker in postsshow_notifications_bell: Display notification bell in navbarenable_sticky_navbar: Make navbar sticky on scrollenable_back_to_top: Display back-to-top buttonenable_smooth_scroll: Enable smooth scrolling behaviorenable_lazy_loading: Enable lazy loading for imagesshow_user_presence: Display user presence indicatorsenable_tooltips: Enable Bootstrap and custom tooltipsenable_auto_refresh: Auto-refresh notificationsapp/Helpers/ThemeHelper.php)Added: getThemeSetting($key, $default) method
theme.jsonThemeHelper::getThemeSetting('show_hero', true)themes/premium/views/layouts/frontend/header.php)Modified: Applied theme settings to header and navigation
show_notifications_bell to conditionally display notification bellenable_sticky_navbar to add sticky-top class to navbarnavbar_style to add CSS classes (navbar-glass, navbar-solid, navbar-transparent)enable_smooth_scroll to add data-smooth-scroll attributecard_style, animation_level, border_radius, font_size, spacing, enable_gradients, enable_shadows, enable_parallax) by adding classes to <body> tagdata-theme-settings attributeimplode() error by initializing $bodyClasses before use<?php tagisAdmin detection logicthemes/premium/views/layouts/frontend/main.php)Modified: Applied layout style setting
layout_style to add classes (theme-layout-centered, theme-layout-wide, theme-layout-compact) to <main> tagthemes/premium/views/layouts/frontend/footer.php)Modified: Added back-to-top button and recent registrations section
enable_back_to_top to display scroll-to-top buttonenable_smooth_scroll for smooth scrolling behaviorAvatarHelper::getUrl() for correct URL generationthemes/premium/views/components/banner.php)Modified: Applied breadcrumbs setting
show_breadcrumbs to conditionally display breadcrumbsthemes/premium/views/categories/index.php)Modified: Applied hero, stats, and CTA settings
show_hero, show_stats, show_cta to conditionally display sectionsgetAllPosts() error by iterating through discussions to count poststhemes/premium/views/discussions/index.php)Modified: Applied hero, stats, and CTA settings
show_hero, show_stats, show_cta to conditionally display sectionsgetAllPosts() error by iterating through discussions to count poststhemes/premium/views/components/post-thread.php)Modified: Applied post display settings
show_avatars to conditionally display user avatars or placeholder with initialsshow_signatures to conditionally display user signaturesshow_share_buttons to conditionally display share buttonsenable_reactions to conditionally display reaction pickerthemes/premium/assets/js/main.js)Modified: Integrated theme settings for dynamic behavior
getThemeConfig() to read settings from injected JSON scriptenable_tooltips to initialize Bootstrap tooltips and custom Flatboard tooltipsenable_auto_refresh to control setInterval for notificationsenable_lazy_loading to initialize lazy loading or remove loading="lazy" attributesshow_user_presence to control updatePresence() callsenable_smooth_scroll to set document.documentElement.style.scrollBehaviorenable_parallax, animation_level, border_radius, font_size, spacing by setting CSS custom properties or adding classes to document.documentElementthemes/premium/assets/css/frontend.css)Modified: Applied theme settings for dynamic styling
card_style with specific CSS rules for elevated, bordered, minimal stylesenable_shadows and enable_gradients to conditionally disable these effectsborder_radius, font_size, spacing, animation_level, layout_style, enable_parallax by setting CSS custom properties or adding classesthemes/premium/views/components/theme-colors.php)Modified: Fixed function re-declaration error
if (!function_exists('hexToRgb')) to prevent re-declaration of the hexToRgb function--theme-border-radius, --theme-font-size, and --theme-spacing-multiplier based on theme settingsapp/Services/RssService.php)Modified: Added permission filtering for RSS feeds
getAllDiscussions() to only include discussions from categories visible to anonymous users using Category::canView($categoryId, null)app/Services/SitemapService.php)Verified: Confirmed correct permission filtering
Category::canView($categoryId, null) and Tag::canView(null)theme.json (JSON format)ThemeHelper::getThemeSetting($key, $default)themes/premium directoryFixed critical issues with group management including duplicate group creation when renaming default groups, missing protection against deletion of default groups, and improved group identification logic to use IDs and permissions instead of names.
app/Models/Group.php)Modified: initDefaults() method to identify default groups by ID/permissions instead of name
GroupHelper::getAdminGroupId(), getModeratorGroupId(), getMemberGroupId(), and getGuestGroupId() to identify default groups by their permissions and IDsapp/Helpers/GroupHelper.php)Added: New methods for group management
isDefaultGroup(string $groupId): bool
hasUsers(string $groupId): bool
user.group_id) and additional group assignments (user_groups table)Modified: Existing methods to use ID-based identification
isAdmin(), isModerator(), getAdminGroupId(), getModeratorGroupId(), getMemberGroupId(), getGuestGroupId() already use permission-based identification with fallback to namesapp/Controllers/Admin/GroupController.php)Modified: delete() method to add protection against deletion
Added: Validation to prevent deletion of default groups
GroupHelper::isDefaultGroup() to check if the group is a default groupgroups.message.cannot_delete_defaultAdded: Validation to prevent deletion of groups with users
GroupHelper::hasUsers() to check if the group has assigned usersgroups.message.cannot_delete_with_usersAdded: Proper error handling and JSON responses
Added: New translation keys for group deletion errors
French (languages/fr/admin.json):
groups.message.cannot_delete_default: "Impossible de supprimer un groupe par défaut (Administrateur, Modérateur, Membre, Invité)"groups.message.cannot_delete_with_users: "Impossible de supprimer un groupe qui a des utilisateurs assignés. Réassignez d'abord les utilisateurs à un autre groupe."English (languages/en/admin.json):
groups.message.cannot_delete_default: "Cannot delete a default group (Administrator, Moderator, Member, Guest)"groups.message.cannot_delete_with_users: "Cannot delete a group that has users assigned. Reassign users to another group first."app/Views/admin/groups.php)Improved: UX for group inheritance dropdown
<optgroup>GroupHelper methods to identify groups by ID instead of namegroups.type.admin, groups.type.moderator, etc.)initDefaults() would recreate them because it checked by name, leading to duplicate groups like "Administrateur - invité"The system now uses a three-tier identification strategy:
admin.access, moderation.moderate)This ensures:
initDefaults() checked groups by name instead of ID/permissionsGroupHelper methods that identify groups by permissions and IDsGroupController::delete()isDefaultGroup() and hasUsers() methods$baseGroupsMap to ensure each group is identified only onceImproved user experience in the admin panel by eliminating the need to manually refresh pages after create, update, or delete operations. Changes are now reflected immediately in the interface without full page reloads. Applied to all admin pages for consistent behavior across the entire backend.
themes/assets/js/admin-utils.js)Added: New utility functions for dynamic admin operations
reloadAdminList(url, containerSelector, callback)
removeAdminListItem(elementSelector, callback)
resetAdminForm(formId, listTabId)
updateAdminTableRow(rowSelector, data)
addAdminTableRow(tbodySelector, data, rowTemplate)
app/Views/layouts/backend/footer.php, themes/premium/views/layouts/backend/footer.php)Modified: Added admin-utils.js to footer
admin-utils.js before other admin scriptsadmin-sidebar.js, before core JS filesapp/Views/admin/groups.php)Modified: Replaced page reloads with dynamic updates
Create/Update Operations:
reloadAdminList() to refresh list via AJAXDelete Operations:
removeAdminListItem() to remove row from DOMAdded: data-empty-message attribute to tbody for empty state handling
app/Views/admin/categories.php)Modified: Replaced page reloads with dynamic updates
Create/Update Operations:
reloadAdminList() to refresh list via AJAXDelete Operations:
removeAdminListItem() to remove row from DOMAdded: data-empty-message attribute to tbody
app/Views/admin/reactions.php)Modified: Replaced page reloads with dynamic updates
Create/Update Operations:
reloadAdminList() to refresh list via AJAXDelete Operations:
removeAdminListItem() to remove row from DOMAdded: data-empty-message attribute to tbody
app/Views/admin/users.php, app/Views/admin/users/edit.php)Modified: Replaced page reloads with dynamic updates
Toggle Ban/Active Operations:
reloadAdminAfterAction() to reload page dynamicallyDelete/Anonymize Operations:
reloadAdminAfterAction() after modal operationsEdit User:
reloadAdminAfterAction() to redirect to users listapp/Views/admin/reports.php)Modified: Replaced page reloads with dynamic updates
Update/Delete/Purge Operations:
reloadAdminAfterAction() to reload page dynamicallyView Report Details:
reloadAdminAfterAction() for navigation with query parametersapp/Views/admin/bans.php)Modified: Replaced page reloads with dynamic updates
reloadAdminAfterAction() to reload page dynamicallyapp/Views/admin/backups.php)Modified: Replaced page reloads with dynamic updates
reloadAdminAfterAction() to reload page dynamicallyapp/Views/admin/plugins.php)Note: This page intentionally uses full page reloads
app/Views/admin/themes.php, app/Views/admin/theme-config.php)Note: These pages intentionally use full page reloads
Activate Theme Operations:
Theme Configuration:
app/Views/admin/updates.php)Modified: Replaced page reloads with dynamic updates
reloadAdminAfterAction() to reload page dynamicallyapp/Views/admin/config.php, themes/premium/views/admin/config.php, themes/bootswatch/views/admin/config.php)Modified: Enhanced dynamic updates with language change detection
Language Change Detection:
data-old-value attribute to language selectOther Settings:
The dynamic reloading system has been applied to most admin pages:
Note: The following pages intentionally use full page reloads:
Cleaned up verbose logging in the translation system to reduce log noise and improve performance.
app/Helpers/Translator.php)Modified: Removed verbose debug logging
Removed: Debug logs for:
Translator: Loading translations)Translator: Translation file loaded)Translator: Translation file not found)Translator: Translations loaded)Translator: Translating common key)Translator: Key not found in translation path)Translator: Common key translation found)Translator: Domain not found)Translator: Common key found in main domain (fallback))Translator: Common key translation not found)Kept: Warning logs for actual errors:
Benefits:
GET /api/notifications returns correct responsePOST /api/presence/update works correctly/api/* endpoints function properlytheme.jsonprefers-color-scheme media querysudo nginx -t and reload with sudo systemctl reload nginxthemes/premium/theme.json to customize settings.htaccess (root directory)public/.htaccessnginx.confthemes/premium/theme.json (new)app/Helpers/ThemeHelper.phpthemes/premium/views/layouts/frontend/header.phpthemes/premium/views/layouts/frontend/main.phpthemes/premium/views/layouts/frontend/footer.phpthemes/premium/views/components/banner.phpthemes/premium/views/categories/index.phpthemes/premium/views/discussions/index.phpthemes/premium/views/components/post-thread.phpthemes/premium/assets/js/main.jsthemes/premium/assets/css/frontend.cssthemes/premium/views/components/theme-colors.phpapp/Services/RssService.phpapp/Services/SitemapService.phpapp/Models/Group.phpapp/Helpers/GroupHelper.phpapp/Controllers/Admin/GroupController.phpapp/Views/admin/groups.phplanguages/fr/admin.jsonlanguages/en/admin.jsonthemes/assets/js/admin-utils.js (new)app/Views/layouts/backend/footer.phpthemes/premium/views/layouts/backend/footer.phpthemes/bootswatch/views/layouts/backend/footer.phpapp/Views/admin/groups.phpapp/Views/admin/categories.phpapp/Views/admin/reactions.phpapp/Views/admin/users.phpapp/Views/admin/users/edit.phpapp/Views/admin/reports.phpapp/Views/admin/bans.phpapp/Views/admin/backups.phpapp/Views/admin/plugins.phpapp/Views/admin/themes.phpapp/Views/admin/theme-config.phpapp/Views/admin/updates.phpapp/Views/admin/config.phpthemes/premium/views/admin/config.phpthemes/bootswatch/views/admin/config.phpthemes/premium/views/ (all unmodified views)themes/assets/js/main.jsthemes/assets/js/theme-initializer.jsthemes/assets/js/theme-initializer-backend.jsthemes/premium/assets/js/main.jsthemes/default/assets/js/main.jsthemes/bootswatch/assets/js/main.jsthemes/futurist/assets/js/main.jsapp/Helpers/Translator.phpNone. All changes are backward compatible.
None at this time.
For issues or questions related to this release, please refer to the official Flatboard documentation or contact support.
Release Date: December 31, 2025
Version: 5.0.0-RC6
Codename: HAPPY NEW YEAR
confirm-modal.js to properly use window.__() function for translations instead of hardcoded fallbackscommon.confirm.title and common.button.confirm to both French and English translation files (languages/fr/main.json and languages/en/main.json)getTranslation() helper function in confirm-modal.js to properly handle translation keys with fallback supportapp/Views/admin/reactions.php: Removed extra closing brace in deleteReaction() function (line 373)themes/assets/js/discussion.js: Removed duplicate const modalElement declaration (line 397), now reusing the variable declared at line 376themes/assets/js/notifications.js: Removed orphaned code fragment (lines 466-479) that was causing syntax error with unexpected token :themes/assets/js/discussion.js: Added missing closing */ for multi-line comment block starting at line 484editDiscussion() function in app/Views/discussions/show.php to use UrlHelper::to() for proper URL construction, ensuring correct behavior when Flatboard is installed in a subfoldertogglePinDiscussion, toggleLockDiscussion, toggleSolvedDiscussion) to global scope in app/Views/discussions/show.phpdata-action-params and call the corresponding functionsthemes/assets/js/confirm-modal.jslanguages/fr/main.jsonlanguages/en/main.jsonapp/Views/admin/reactions.phpthemes/assets/js/discussion.jsthemes/assets/js/notifications.jsapp/Views/discussions/show.phpcommon.confirm.title (FR: "Confirmation de suppression", EN: "Delete Confirmation")common.button.confirm (FR: "Confirmer", EN: "Confirm")window.togglePinDiscussionwindow.toggleLockDiscussionwindow.toggleSolvedDiscussionNone
No migration required. All fixes are backward compatible.
category.view_private permission (replaced by allowed_groups on categories)allowed_groups field on each category, providing more granular controlapp/Helpers/PermissionHelper.phpgroup_permissions exist and are valid before skipping recreationgroup_permissions are missing or empty, they are now automatically recreated even if permission hash hasn't changedapp/Storage/JsonStorage.phpbtn-check buttons in dark mode to ensure text is always visiblethemes/default/assets/css/backend.cssthemes/premium/assets/css/backend.cssthemes/bootswatch/assets/css/backend.cssrendered_html and content_hash for the first post when editing a discussionapp/Controllers/Discussion/DiscussionController.phpNS_BINDING_ABORTED errors for avatar image requests when Flatboard is installed in a subfolder. All avatar URLs now use window.url() helper functionwindow.url() helperwindow.url() function to correctly handle trailing slashes in BASE_URLapp/Core/App.phpapp/Views/components/reaction-picker.phpapp/Views/components/translations.phpthemes/assets/js/url-helper.jsapp/Views/discussions/show.phpthemes/premium/views/discussions/show.phpthemes/bootswatch/views/discussions/show.phpthemes/premium/views/components/reaction-picker.phpthemes/bootswatch/views/components/reaction-picker.phpUncaught SyntaxError: redeclaration of const errorMsg in discussion view by removing duplicate const declarationUncaught TypeError: node.id.startsWith is not a function in MutationObserver by adding proper type and existence checks before calling startsWith()app/Views/discussions/show.phpsubscription.status.subscribed, subscription.status.unsubscribed, subscription.subscribed, subscription.unsubscribed)subscription namespace in language filesapp/Views/discussions/show.phpthemes/premium/views/discussions/show.phpUrlHelper for correct base path handlingUrlHelper::to('/admin/bans') instead of hardcoded pathsapp/Core/App.phpapp/Controllers/Moderation/BanController.phpapp/Views/admin/bans.phpthemes/premium/views/admin/bans.phpapp/Controllers/User/UserController.phpapp/Views/components/post-thread.phpthemes/premium/views/components/post-thread.phpapp/Core/App.phpthemes/assets/js/notifications.jsGroupHelper::isAdmin() and GroupHelper::isModerator() instead of group name comparison for more reliable permission-based detectionapp/Controllers/User/UserController.phpapp/Views/users/list.phpthemes/premium/views/users/list.phpthemes/premium/assets/css/frontend.cssBackup Download Feature: Added ability to download backup files directly from the admin panel
download() method in BackupController with security validationGET /admin/backups/downloadBackup Upload Feature: Added ability to upload backup files to the server
upload() method in BackupController with comprehensive validationupload_max_filesize)manifest.jsonPOST /admin/backups/upload (with CSRF protection)Request::getFile() method for file handlingTranslation Keys: Added new translation keys for backup download/upload features
backups.download: "Download" / "Télécharger"backups.upload.title: "Upload backup" / "Uploader une sauvegarde"backups.upload.select_file: "Select ZIP file" / "Sélectionner un fichier ZIP"backups.upload.file_help: Help text for file selectionbackups.upload.submit: "Upload" / "Uploader"backups.upload.uploading: "Uploading..." / "Upload en cours..."backups.upload.success: Success messagebackups.upload.error: Error messagebackups.upload.no_file: "Please select a file" / "Veuillez sélectionner un fichier"backups.message.uploaded: "Backup uploaded successfully" / "Sauvegarde uploadée avec succès"backups.message.upload_error: "Error uploading" / "Erreur lors de l'upload"backups.message.download_error: "Error downloading" / "Erreur lors du téléchargement"backups.message.invalid_name: "Invalid filename" / "Nom de fichier invalide"Backup Restore Process: Improved restore process to clean existing data before restoration
deleteDirectory() methodBackup Restore Logic: Simplified restore code using manifest-based deletion
manifest['options'] and manifest['included_items'] to determine what to delete/^backup_\d{4}-\d{2}-\d{2}_\d{2}-\d{2}-\d{2}(_\d+)?\.zip$/application/zip or application/x-zip-compressed.zip onlyupload_max_filesize (whichever is smaller)manifest.json in archiveRequest::getFile() for consistency with Flatboard's native file handlingdeleteDirectory() recursively to clean directories before restorationwindow.url() for proper BASE_URL handlingEasyMDE (uppercase) instead of easymde (lowercase) to match the actual folder nameplugins/easymde/EasyMDEPlugin.php to use plugins/EasyMDE/ instead of plugins/easymde/checkbox_allowYoutube and checkbox_allowTiktok parameters from plugin.jsongetToolbarForContext() and buildEditorConfig()transformToolbar() function detects if "youtube" or "tiktok" are present in the toolbar array and transforms them accordinglyCritical Security: Default Permissions for Groups: Fixed members having administrator rights on first installation
PermissionHelper::initDefaults() to properly assign permissions by groupadmin.access permission is now strictly limited to Administrators group onlyPermissions Not Saved: Fixed permissions being reset every time the admin permissions page was loaded
PermissionHelper::initDefaults() call from PermissionController::index() which was resetting permissions on each page loadPermissionHelper::initDefaults() to detect first installation and reset all permissions only during first installadmin.access with wrong groups)admin.access has incorrect groups (members having admin access)Guest Download Permission: Removed attachment.download permission from Guest group by default
PermissionHelper::initDefaults()File Upload Settings: Updated default file type restrictions
['pdf', 'doc', 'docx', 'xls', 'xlsx', 'ppt', 'pptx', 'txt', 'md', 'zip', 'rar', '7z'] to ['pdf', 'md', 'zip', 'rar', '7z', 'doc']webp is available but not enabled by default (default: ['jpg', 'jpeg', 'png', 'gif']). Administrators can enable WEBP in the permissions settings.webp is available but not enabled by default (default: ['jpg', 'jpeg', 'png', 'gif']). Administrators can enable WEBP in the permissions settings.install.php, app/Controllers/UploadController.php, all admin permissions views, all user settings views, markdown editor componentsPermission System: Enhanced permission initialization logic
admin.access with wrong groups)admin.access is strictly enforced to Administrators onlyPermissionHelper::initDefaults() now only resets permissions if they are detected as corruptedPermissionController::index() no longer calls initDefaults() to prevent resetting user modificationsinstall.php: Initial configuration during installationapp/Controllers/UploadController.php: Fallback defaults in upload methodsapp/Views/admin/permissions.php and theme overrides: UI display defaultsapp/Views/users/settings.php and theme overrides: Avatar upload UI defaultsapp/Views/components/markdown-editor.php and theme overrides: Image upload UI defaultsEasyMDE Admin View Not Translated: Fixed EasyMDE admin view displaying hardcoded French text instead of using translations
plugins/EasyMDE/views/admin.php to use translations from prepareAdminViewVars() instead of hardcoded textadmin_title, admin_description, current_order, drag_drop_reorder, save_configurations, saving, config_saved_success, config_save_error, error, missing_elements$contexts and $availableButtons arrays prepared by prepareAdminViewVars()json_encode() for proper language displayEasyMDE Language Configuration: Added automatic language detection and configuration for EasyMDE editor
plugins/EasyMDE/EasyMDEPlugin.php to detect current system language in buildEditorConfig()fr, en, es, it, ja, pt, ru, zhlocale option based on system language configurationplugins/EasyMDE/views/admin.php$translations, $contexts, $toolbars, and $availableButtons variables prepared by prepareAdminViewVars()PluginHelper::getTranslations() automatically uses Translator::getCurrentLanguage() when $lang parameter is nullprepareAdminViewVars() in EasyMDEPlugin.php loads translations and prepares all necessary variables for the admin viewlocale option is set in the JavaScript configuration passed via data-easymde-config attributespellcheck attribute to CodeMirror's editable element after initializationspellcheck option directly via cm.setOption('spellcheck', true)spellcheck attribute to original textarea elementspellcheck option to be set via cm.setOption('spellcheck', true)spellcheck attribute must be applied to the actual editable element, not just the wrapperSelective Plugin Backup: Added ability to select specific plugins to include in backups
Selective Theme Backup: Added ability to select specific themes to include in backups
Translation Keys: Added new translation keys for backup options
backups.option.plugins: Label for plugins backup optionbackups.option.themes: Label for themes backup optionbackups.select_all_plugins: Label for "Select All Plugins" checkboxbackups.select_all_themes: Label for "Select All Themes" checkboxlanguages/fr/admin.json) and English (languages/en/admin.json)BackupController: Enhanced create() method to handle plugin and theme selection
getAllPlugins() method to scan and list all available pluginsgetAllThemes() method to scan and list all available themesaddDirectoryToZip() to accept exclusion directories for plugins and themesdata, storage, messages, history, config, indexcache, compiled, node_modules, .gitmanifest.json to include selected_plugins and selected_themes arraysBackup Modal UI: Improved user interface for backup creation
selected_plugins and selected_themesTheme Activation with CSRF Token: Fixed theme activation not working due to missing CSRF token
activateTheme() JavaScript functionX-CSRF-Token header and request bodyapp/Views/admin/themes.php, themes/premium/views/admin/themes.php, themes/bootswatch/views/admin/themes.phpPlugin Activation/Deactivation Improvements: Enhanced plugin toggle functionality with better error handling
plugin.jsonCSRF Token Missing in Admin Views: Fixed multiple admin views that were not sending CSRF tokens
restoreBackup() and deleteBackup() functions now send CSRF tokencheckUpdates() function now sends CSRF tokenX-CSRF-Token header (token was already in FormData)Theme Activation with SQLite: Fixed theme activation errors in SQLite storage environments
Config::save() method with better error handling/stockage/json/) is now properly created and validatedX-CSRF-Token) and body for maximum compatibilityAll admin AJAX requests now follow this pattern:
// Récupérer le token CSRF
const csrfToken = document.querySelector('meta[name="csrf-token"]')?.content ||
document.querySelector('input[name="csrf_token"]')?.value || '';
if (!csrfToken) {
// Error handling
return;
}
// Créer FormData pour envoyer le token CSRF
const formData = new URLSearchParams();
formData.append('csrf_token', csrfToken);
fetch(url, {
method: 'POST',
headers: {
'X-Requested-With': 'XMLHttpRequest',
'X-CSRF-Token': csrfToken
},
body: formData
})
The Config class always uses JSON storage (/stockage/json/config.json) regardless of the main storage backend (JSON or SQLite). This ensures:
app/Views/admin/themes.php - Added CSRF token to activateTheme()themes/premium/views/admin/themes.php - Added CSRF token to activateTheme()themes/bootswatch/views/admin/themes.php - Added CSRF token to activateTheme()app/Controllers/Admin/PluginController.php - Enhanced error handling for plugin activationapp/Views/admin/backups.php - Added CSRF token to restoreBackup() and deleteBackup()app/Views/admin/updates.php - Added CSRF token to checkUpdates()app/Views/admin/plugin-settings.php - Added X-CSRF-Token headerthemes/premium/views/admin/backups.php - Added CSRF token to backup functionsthemes/premium/views/admin/updates.php - Added CSRF token to checkUpdates()themes/premium/views/admin/plugin-settings.php - Added X-CSRF-Token headerthemes/bootswatch/views/admin/backups.php - Added CSRF token to backup functionsthemes/bootswatch/views/admin/updates.php - Added CSRF token to checkUpdates()themes/bootswatch/views/admin/plugin-settings.php - Added X-CSRF-Token headerapp/Core/Config.php - Enhanced save() method with better error handling and directory validationapp/Controllers/Admin/ThemeController.php - Already had error handling, now works correctly with fixed ConfigYouTube/TikTok Disable in Discussion Edit: Fixed YouTube and TikTok buttons not being disabled in discussion edit context
$context = 'discussion-edit' in discussion edit views while keeping $draftType = 'discussion' for draft system compatibilityPresence Indicator on All Pages: Fixed presence indicator to work correctly on all pages, not just the index page
window.currentPath() helper function in translation files to get the current relative path (accounting for subdirectories)window.currentPath() instead of window.location.pathname directlywindow.BASE_URL (defined via UrlHelper::getBaseUrl()) to extract the relative pathpresence.js, main.js (default, premium, bootswatch, futurist themes)UrlHelper for URL normalization, ensuring server-side consistencyUser Edit View Translations: Fixed untranslated keys in the admin user edit view (admin/users/edit)
"edit" sections in languages/fr/admin.json and languages/en/admin.jsonusers.edit.title → "Modifier l'utilisateur" / "Edit user"users.edit.group → "Groupe" / "Group"users.edit.select_group → "Sélectionner un groupe" / "Select a group"users.edit.group_select_desc → Description textusers.edit.email_verified → "Email vérifié" / "Email verified"users.edit.email_verified_desc → Description textusers.edit.is_banned → "Banni" / "Banned"users.edit.password_keep_help → Help text for password fieldUser Count by Group: Fixed incorrect user count display in the groups list page
GroupHelper::countUsersInGroup() to properly validate group IDsgroup_id (pointing to non-existent groups) are now ignored instead of being countedgroup_id exists in the groups table before countingGroup Edit Redirection: Fixed redirection issue after saving a group edit
/admin/groups (list view) instead of staying on the edit URLUser Edit Redirection: Fixed redirection issue after saving a user edit
/admin/users (list view) instead of staying on the edit URLSQLite Boolean Normalization: Fixed boolean field normalization in SQLite storage
is_deleted, is_banned, and is_active fields in SqliteStorage::normalizeUserBooleans()Debug Logging: Removed verbose debug logs from production code to reduce log noise
app/Core/Controller.php (requireAdmin(), requirePermission())app/Helpers/PermissionHelper.php (can())app/Helpers/GroupHelper.php (isAdmin())app/Controllers/Admin/DashboardController.php (index())app/Views/layouts/backend/header.phpGroup User Counting Logic: Improved group user counting to be more strict
group_id as membersgroup_id are now ignored (not counted in any group)group_id values assigned to existing groupsThe fix_admin_permissions.php script was created to resolve admin access issues:
255d6da168ebeaef345baa3485df8f90) to the admin groupPermissionHelper::initDefaults()The translation files had duplicate "edit" keys within the "users" object:
password_keep_help, overwriting the first"edit" object with all keysapp/Views/discussions/edit.php - Added explicit $context = 'discussion-edit' for toolbar filteringthemes/premium/views/discussions/edit.php - Added explicit $context = 'discussion-edit' for toolbar filteringthemes/bootswatch/views/discussions/edit.php - Added explicit $context = 'discussion-edit' for toolbar filteringapp/Views/components/translations.php - Added window.currentPath() helper functionthemes/premium/views/components/translations.php - Added window.currentPath() helper functionthemes/bootswatch/views/components/translations.php - Added window.currentPath() helper functionthemes/assets/js/presence.js - Updated to use window.currentPath() instead of window.location.pathnamethemes/assets/js/main.js - Updated to use window.currentPath() instead of window.location.pathnamethemes/default/assets/js/main.js - Updated to use window.currentPath() instead of window.location.pathnamethemes/premium/assets/js/main.js - Updated to use window.currentPath() instead of window.location.pathnamethemes/bootswatch/assets/js/main.js - Updated to use window.currentPath() instead of window.location.pathnamethemes/futurist/assets/js/main.js - Updated to use window.currentPath() instead of window.location.pathnameapp/Core/Controller.php - Removed debug logsapp/Helpers/PermissionHelper.php - Removed debug logsapp/Helpers/GroupHelper.php - Removed debug logs, improved countUsersInGroup() methodapp/Controllers/Admin/DashboardController.php - Removed debug logsapp/Views/layouts/backend/header.php - Removed debug logsapp/Views/admin/users/edit.php - Fixed redirection after user saveapp/Views/admin/groups.php - Fixed redirection after group savethemes/premium/views/admin/users/edit.php - Fixed redirection after user savethemes/premium/views/admin/groups.php - Fixed redirection after group saveapp/Storage/SqliteStorage.php - Added boolean normalization for is_deleted, is_banned, is_activelanguages/fr/admin.json - Merged duplicate users.edit sectionslanguages/en/admin.json - Merged duplicate users.edit sections/u/{username}) right after registration. This fixes an issue where the cache could contain null values from previous lookup attempts, causing newly created users to appear as non-existent.app/Models/User.php - Added cache invalidation in User::create() methodwindow.url() JavaScript function to properly handle base URLs with trailing slashes and ensure correct URL construction when Flatboard is installed in a subdirectory (e.g., /forum/).app/Views/components/translations.php - Enhanced window.url() function with better base URL handlingthemes/premium/views/components/translations.php - Applied same fix to premium themethemes/bootswatch/views/components/translations.php - Applied same fix to bootswatch themethemes/premium/views/discussions/show.php - Improved error handling and URL construction for edit form loadingapp/Views/discussions/show.php - Already had correct implementation, verified consistencyThe user creation process now properly invalidates all relevant cache entries:
user:{userId} - User cache by IDuser:email:{md5(email)} - User cache by emailuser:username:{md5(username)} - User cache by usernameThis ensures that immediately after registration, users can access their profiles without encountering 404 errors due to stale cache entries.
The window.url() function now:
undefined or null base URLsjson_encode() for safer JavaScript variable injectionThese fixes address issues that occur when:
/forum/)Release Date: January 4, 2026
Version: 5.0.0-RC8
This release candidate includes significant improvements to user experience, performance optimizations, bug fixes, and new features across the entire Flatboard platform. All changes are backward compatible and ready for production use.
stockage/, uploads/)index.html filesversions/ and docs/ directoriesapp/Controllers/Admin/BackupController.php - Added createFullArchive() methodapp/Views/admin/backups.php - Added UI button and JavaScript handlingapp/Core/App.php - Added route /admin/backups/create-full-archivelanguages/fr/admin.json - Added translationslanguages/en/admin.json - Added translationsreputation_recalculated for trackingplugins/Reputation/ReputationService.php - Added recalculateUserReputation() and recalculateAllUsersReputation() methodsplugins/Reputation/ReputationController.php - Added recalculateReputation() API endpointplugins/Reputation/ReputationPlugin.php - Added route /admin/reputation/recalculateplugins/Reputation/views/admin.php - Added UI button and JavaScript handlingplugins/Reputation/langs/fr.json - Added translationsplugins/Reputation/langs/en.json - Added translationsplugins/Reputation/views/history.php - Added support for reputation_recalculated actionplugins/Reputation/views/profile_tab.php - Added support for reputation_recalculated action#post-{id}) for direct linkingapp/Views/discussions/show.phpthemes/premium/views/discussions/show.phpapp/Controllers/Api/PostApiController.php - Added format=html supportapp/Views/discussions/show.phpthemes/premium/views/discussions/show.phpapp/Controllers/Api/UserApiController.php - Added /api/users/search endpointapp/Views/components/reaction-picker.phpthemes/premium/views/components/reaction-picker.php<link rel="prefetch"> for links and fetch() with cache for API callsX-Preload: true for server-side optimizationthemes/assets/js/discussion.js - Added initSmartPreloading() functionthemes/assets/js/main.js - Integrated preloading initializationmain.js for all themesthemes/assets/js/main.jsthemes/bootswatch/theme.json - Removed main.js from scriptsthemes/premium/theme.json - Removed main.js from scriptsmain.js files from all themesstrpos() calls with StringHelper methodsapp/Views/getOrSet() methodremember() automatically benefitsapp/Core/Cache.php - Added getOrSet() methodapp/Core/Router.php - Added $routesByMethod indexingbeforeEach() hook called before route handler executionafterEach() hook called after route handler executionapp/Core/Router.php - Added beforeEach() and afterEach() methodsapp/Core/Request.php - Added normalizeApiUrl() methodapp/Controllers/Admin/BackupController.php - Enhanced restore() methodadmin.backups.message.* instead of backups.message.*admin is passedapp/Controllers/Admin/BackupController.php - Fixed all translation keysflatboard-complete-)backup_* and flatboard-complete-* filenamesapp/Controllers/Admin/BackupController.php - Updated download validationthemes/assets folder and index.html in theme backupsindex.html were not included in backupsthemes/assets when themes option is selectedaddDirectoryToZip() to handle root files correctlyapp/Controllers/Admin/BackupController.php - Enhanced backup creationMutationObserver to detect when post is added to DOMapp/Views/discussions/show.php - Enhanced scrollToPost() functionthemes/premium/views/discussions/show.php - Same enhancements/forum/forums and JavaScript URL generation issuesUrlHelper::detectBaseUrlStatic() with better route detectionRequest::getUrl() normalizationwindow.url() JavaScript helper for API pathsapp/Helpers/UrlHelper.php - Enhanced base URL detectionapp/Core/Request.php - Improved URL normalizationapp/Views/components/translations.php - Enhanced window.url() helperPostControllerapp/Controllers/Discussion/PostController.php - Added message to JSON responseapp/Views/discussions/show.php - Fixed translation handlingthemes/premium/views/discussions/show.php - Same fixesform_config.* placeholdersapp/Helpers/FormFieldHelper.php - Enhanced translation systemplugins/EasyMDE/langs/en.json - Added placeholder translationsplugins/EasyMDE/langs/fr.json - Added placeholder translationsTranslator::trans()settings sectionshide_color_settings support for themesbasename() usageComplete Archive Creation:
Reputation Recalculation (plugin in developement):
Dynamic Post Updates:
Mentions:
@ in reply formReactions:
Smart Preloading:
Backup & Restore:
getOrSet() instead of remember() for clarityThis release candidate represents months of development, testing, and refinement. Special thanks to all contributors and testers who helped identify issues and improve the platform.
Next Steps:
Release Date: January 5, 2026
This release focuses on security improvements, performance optimizations, code quality enhancements, GDPR compliance, and bug fixes:
router.plugins.register for plugin route registrationKey Files Modified: RateLimiter.php, Visitor.php, DownloadService.php, show.php, PostApiController.php, App.php, Router.php, Session.php, Validator.php, Request.php, Response.php, Sanitizer.php, SearchService.php, SitemapService.php, WebhookService.php, WebhookQueue.php, WebhookHistory.php, Cache.php, Logger.php, MaintenanceController.php, dashboard.php, and all plugin files
app/Services/SitemapService.php)XMLWriter to properly escape all valuesloc, lastmod, changefreq, priority) are now properly escaped using XMLWriterhtmlspecialchars() was only applied to $loc, leaving $changefreq and $priority vulnerablesaveToFile(): Added strict path validation to prevent writing files outside allowed directory/^sitemap[a-z0-9_-]*\.xml$/i)BASE_PATH/public/ directoryrealpath() to resolve symlinks and prevent directory traversal attacksRateLimiter class with key sitemap_generationRuntimeException when rate limit exceededinfo logs to debug levelinfo levelapp/Services/SearchService.php)extractExcerpt() now escapes content with htmlspecialchars() before inserting <mark> tags<script>alert('xss')</script> would previously inject codeusername and bio fieldsRateLimiter class with key searchRuntimeException when rate limit exceededapp/Services/SitemapService.php)getCategoriesByIds() method when available (SqliteStorage, JsonStorage)Cache::getOrSet() with tag ['sitemap'] for easy invalidationinvalidateCache() method available for manual cache invalidationXMLWriter class for proper XML structureaddHomePage(), addDiscussions(), addCategories(), addTags()isPublicCategory() method@ operator and added proper try-catch blockssaveToFile() now uses LOCK_EX flag for atomic file writesserve() method: Proper Content-Type, Cache-Control, and Last-Modified headersContent-Type: application/xml; charset=UTF-8Cache-Control: public, max-age=3600 (1 hour cache)X-Content-Type-Options: nosniff for securityLast-Modified header for better caching supportapp/Services/SearchService.php)searchPostsInternal(): Loads all posts in batch instead of querying per discussionPost::byDiscussion() called in loop=1000+ database queriesCategory::findMany() and User::findMany() to load all entities at onceformatDiscussionResult() and formatPostResult() now accept preloaded entitiesCache::getOrSet() with tag ['search'] for easy invalidationinvalidateCache() method available for manual cache invalidationmb_strtolower() called once before loops instead of in every iteration$maxDiscussions = min(1000, $limit * 10) to avoid loading entire databaseapp/Services/WebhookService.php)Config, Logger, RateLimiterapp/Services/SitemapService.php)generate() method: Split into focused methodsbuildSitemap(): Main generation logicaddHomePage(), addDiscussions(), addCategories(), addTags(): Focused methodswriteUrl(): Centralized URL writing with proper escapingisPublicCategory(): Extracted duplicate permission checkingloadCategoriesByIds(): Batch category loading with fallbacksimplexml_load_string() to verify XML is well-formedapp/Services/SearchService.php)performSearch() methodsearch(): Public method with caching and rate limitingperformSearch(): Internal method without cache (for testing/debugging)formatDiscussionResult() accepts preloaded $category and $authorformatPostResult() accepts preloaded $discussion, $category, and $authorapp/Services/EmailService.php)smtp.verify_ssl configuration option for SMTP connectionsfalse (maintains backward compatibility with existing installations)smtp.verify_ssl = true for enhanced securityverify_ssl: true in production environmentsverify_ssl for self-signed certificates)validateEmail() method checks for valid email format and prevents header injection (\r\n)maskEmail() method masks email addresses (e.g., u***@example.com)@ operator from mail() calls to allow proper error loggingerror_get_last() informationapp/Services/NotificationService.php)$title and $link were not properly escaped in buildEmailBody()htmlspecialchars($value, ENT_QUOTES, 'UTF-8')validateUserId(), validateNotificationType(), sanitizeString()) to prevent malicious data injection through plugin hooksmaskEmail() method to mask email addresses in logs (e.g., u***@example.com) for privacy protectionapp/Services/WebhookService.php)WebhookQueue class for managing webhook jobsWebhookHistory class for storing webhook delivery recordswebhooks.urls (array of webhook configs)webhooks.url formatwebhooks.timeout: Request timeout (default: 10s)webhooks.connect_timeout: Connection timeout (default: 5s)config.jsonapp/Services/ExportService.php)ExportService class for secure user data exportgdpr.retention_days configuration (default: 365 days)AtomicFileHelper for thread-safe file writingExportController for secure file downloadsgdpr.retention_days: Data retention period in days (default: 365)install.php for new installations/stockage/exports and /stockage/json/export_logswebhooks.custom_headersapp/Controllers/Admin/MaintenanceController.php, app/Views/admin/dashboard.php)stockage/cache/POST /admin/maintenance/clear-cache (CSRF protected, admin only)app/Services/WebhookQueue.php)stockage/json/webhooks/queue/pending, processing, completed, failedapp/Services/WebhookHistory.php)stockage/json/webhooks/history/app/Cli/Commands/WebhookWorkerCommand.php)php app/Cli/console.php webhook:process [limit] [max_time]webhook:process, webhook:cleanup, webhook:statsapp/Controllers/Admin/WebhookController.php, app/Views/admin/webhooks.php)app/Core/RateLimiter.php)flock() with non-blocking retry mechanismLOCK_EX | LOCK_NB (non-blocking) with 10 retries at 10ms intervalscheck() method for rate limit verificationapp/Core/Cache.php)storeKey(): Replaced blocking flock() with non-blocking retry mechanismLOCK_EX | LOCK_NB (non-blocking) with 5 retries at 5ms intervalsapp/Services/SearchService.php)app/Core/Logger.php)log_min_level in config.jsondebug, info, notice, warning, error, critical, alert, emergencyconfig.json or PHP constant LOG_MIN_LEVELnull (logs everything, backward compatible)"warning" or "error"setMinLogLevel(), getMinLogLevel()app/Core/AtomicFileHelper.php, app/Models/Visitor.php, app/Core/RateLimiter.php, app/Services/PresenceService.php)file_get_contents() calls with AtomicFileHelper::readAtomic() for thread-safe file operationsfile_get_contents() for reading user_presence.json with atomic operationsfile_get_contents() in getRetryAfter() and clearAllLoginRateLimits() with atomic operationsfile_get_contents() for reading user_presence.json with atomic operationsapp/Services/NotificationService.php)generatePostLink() method to centralize URL generation logicnotifyNewReply(), notifyMention(), and notifyReaction()app/Views/emails/notification.php template fileapp/Services/PresenceService.php)getActiveUsersDetailed() to load all users in a single queryUser::all()User::find() callsvalidateMinutes() method to validate time parameters$minutes parameterAtomicFileHelper::readAtomic() in try-catch blocksortByLastActivity() private methodgetPresenceStats() performancearray_column() and array_count_values() instead of manual loopsgetPresenceByPage() using Sanitizer::sanitizeUrl()app/Helpers/PermissionHelper.php)presence.view) permission to administrators and moderators only during installationprofile.view) permission during installationapp/Helpers/UrlHelper.php) & Request (app/Core/Request.php)/forums in subdirectory installations (e.g., /forum/forums)Request::removeBasePath() to correctly strip base path from request URLsUrlHelper::to() to properly construct URLs with base pathapp/Services/RssService.php)XMLWriter for secure XML generationXMLWriter (automatic escaping)&, <, >, ', ")Retry-After header when limit exceededlanguage, lastBuildDate, generator, ttl elementsdc:creator for authors)... indicator when content is truncatedall: All public discussions (default)category: Discussions from a specific categoryuser: Discussions by a specific usertag: Discussions with a specific taggenerateAtomFeed() methodfeed, entry, author, content, summary, categoryself, alternate, prev, next)url, type, and length attributes<link rel="enclosure"> elementspage parameter for navigating through feed pagesprev, next) in both RSS and Atom feedsapp/Controllers/Seo/RssController.php)/rss/category/{id} and /atom/category/{id}/rss/user/{id} and /atom/user/{id}/rss/tag/{id} and /atom/tag/{id}?page=N query parameterX-Content-Type-Options: nosniff header for securityapp/Views/components/translations.php)fb_{unique_hash}_FlatboardStorage) for browsers that don't support Proxyapp/Services/UploadService.php)shell_exec() with proc_open() for all external commands (unrar, 7z, clamscan)proc_open() with proper file descriptors for safer command executionSanitizer::sanitizePath() methodBASE_PATH using realpath()$file['type'])finfo_file() or mime_content_type() to successfully detect MIME typemalware.exe renamed to photo.jpg)verifyMagicBytes() method to validate file signaturesapp/Views/users/_user_card.php, app/Views/users/_visitor_card.php, app/Views/components/presence-item.php, app/Views/components/visitors-list.php, themes/premium/views/users/_user_card.php)profile.view permission.app/Views/components/visitors-list.php)presence.activeVisitors, presence.activeVisitorsCount, presence.noActiveVisitors, presence.anonymousVisitor.app/Services/NotificationService.php)getUserLanguage() method to retrieve the recipient user's language preferencenotify() to temporarily switch to recipient's language when creating notificationsnotifyModerators() to translate notifications in each moderator's languageLogger::debug() for routine operations and only logging errors or when app.debug is enabledJSON_THROW_ON_ERROR and proper exception handlingforceEmail logic using null coalescing operator (??) instead of verbose if/elseif/else chainreturn $preferences; statement in getUserPreferences()themes/nord/assets/css/frontend.css).post-body ul, .post-body ol, and their li elements.post-body-flatboard ul, .post-body-flatboard ol, and their li elements.post-body-flatboard color from var(--text-white) to var(--text-primary) to respect theme modevar(--text-primary) which adapts to light/dark modeplugins/resourcemanager/DownloadService.php)app/Views/discussions/show.php)#post-{id} links when navigating from homepage to paginated discussion pagesapp/Controllers/Admin/ThemeController.php, app/Views/admin/theme-config.php, themes/bootswatch/views/admin/theme-config.php)$data and $_POST arrays)#RGB and #RRGGBB formats with automatic conversionapp/Controllers/Admin/ThemeController.php, app/Views/admin/theme-config.php, themes/bootswatch/views/admin/theme-config.php, app/Helpers/ThemeHelper.phpapp/Views/admin/themes.php, themes/bootswatch/views/admin/themes.php)app/Views/admin/themes.php, themes/bootswatch/views/admin/themes.phplanguages/fr/admin.json, languages/en/admin.json)themes.screenshot translation keylanguages/fr/admin.json, languages/en/admin.json, themes/bootswatch/views/admin/themes.phpapp/Controllers/Api/PostApiController.php)app/Core/ErrorHandler.php)E_STRICT constant with direct numeric value check (2048) to completely avoid deprecation warningsPHP_VERSION_ID < 80000 check combined with numeric value comparison instead of referencing the constant2048 (E_STRICT's historical value) with version guard prevents PHP from emitting any deprecation warnings, even in PHP 8.4 where the constant may be removedapp/Core/Cache.php):)user:, category:, categories:all)app/Core/Sanitizer.php)callable $sanitizer = null to ?callable $sanitizer = null in sanitizeArray() method to explicitly mark the parameter as nullable?type) instead of implicit nullable parameters (type = null)languages/fr/main.json, languages/en/main.json)errors.validation.required translation key in both French and English main translation fileserrors.validation.required which was missing from the translation filesapp/Controllers/Moderation/ReportController.php)errors (plural) array to returning error (singular) string message to match JavaScript expectationsupdate() method with proper status validationhtmlspecialchars() protection for content previews in enriched reportsenrichReportWithPostData(): Enriches report with post-specific dataenrichReportWithDiscussionData(): Enriches report with discussion-specific datasetDiscussionUrl(): Sets discussion URL in reportcountRecentReportsByUser(): Counts recent reports for rate limitingfindPendingReportByUserAndContent(): Finds duplicate pending reportsresolved_at timestamp when report status is changed to 'resolved' or 'rejected'reported_id was empty when submitting reports. The problem was that form.reset() was clearing hidden field values. Final solution: Implemented memory-based storage system to completely avoid form reset issues:window.reportModalData object before any form manipulationupdateReportModalFields() to apply stored data to form fieldsshow.bs.modal event)reportPost() and reportDiscussion() functionsreport-modal.php submit handler to use memory dataisSubmitting flag to prevent multiple form submissions in the same requestnotifyModerators(): Added static cache to prevent notifyModerators() from being called multiple times for the same report IDnotify(): Enhanced email deduplication cache for report notifications using stable keys based on userId | type | reportId instead of timestampsisSubmitting flag is now properly reset when validation fails to allow retrydataset.initialized check to prevent multiple event listener attachmentsapp/Controllers/Moderation/ReportController.phpapp/Views/components/report-modal.phpthemes/premium/views/components/report-modal.phpapp/Services/NotificationService.phpapp/Services/EmailService.php)$phpmailerPath static property caches the successful pathmb_convert_encoding($str, 'UTF-8', 'UTF-8') callsloadPHPMailer() to use cached path when availableapp/Services/EmailService.php)toBool() method to replace repeated boolean conversion patternsfilter_var() with FILTER_VALIDATE_BOOLEAN for reliable conversion($value === true || $value === 'true' || $value === 1 || $value === '1')app/Models/Visitor.php)getConnectedUserIps() by filtering active users in a single passAUTO_CLEANUP_PROBABILITY = 100 (1 in 100 chance)SECONDS_PER_MINUTE = 60PRESENCE_CACHE_TTL = 5 (seconds)app/Core/App.php)LoginRateLimitMiddleware: 5 attempts per 15 minutes (prevents brute force attacks)RegisterRateLimitMiddleware: 3 attempts per hour (prevents registration spam)PasswordResetRateLimitMiddleware: 3 attempts per hour (prevents password reset abuse)TwoFactorRateLimitMiddleware: 5 attempts per 5 minutes (protects 2FA verification)UploadRateLimitMiddleware: 5 uploads per hour (prevents upload flooding)(.+) pattern to strict ([a-f0-9]{32}_[a-f0-9]{16}\.[a-z]{3,4}) pattern matching only valid avatar filenames(.+) to strict (\d{4})/(\d{2})/([^/]+) pattern with validation:basename() to prevent path traversalinitDefaults() method:app/Middleware/LoginRateLimitMiddleware.php: Rate limiting for login attemptsapp/Middleware/RegisterRateLimitMiddleware.php: Rate limiting for registration attemptsapp/Middleware/PasswordResetRateLimitMiddleware.php: Rate limiting for password reset requestsapp/Middleware/TwoFactorRateLimitMiddleware.php: Rate limiting for 2FA verificationapp/Middleware/UploadRateLimitMiddleware.php: Rate limiting for file uploadsapp/Core/Cache.php)storeKey(): Implemented file locking (flock) to prevent concurrent modifications of the .keys file, ensuring data consistencyindex.html) and IIS (web.config) in addition to Apache (.htaccess)glob() with DirectoryIterator: Changed all glob() calls to use DirectoryIterator to prevent memory exhaustion with large cache directories (100,000+ files)forget() method: Reads .keys file only once at the beginning and builds a hash-to-key map for O(1) lookups instead of reading it for each filegetOrSet() method: Uses sentinel value pattern instead of calling has() separately, reducing file operationsvalidateKey() method to prevent invalid characters and enforce length limits (200 chars max)CLEANUP_INTERVAL = 3600 (1 hour)LONG_TERM_TTL = 31536000 (1 year)MIN_CLEANUP_LOG_THRESHOLD = 50forget() method, improved memory efficiency with iterators.keys file, preventing data corruptionapp/Core/Controller.php)handlePermissionDenied() method to handle all permission errors consistentlynever: Methods that call exit now use never return type for better type safety (PHP 8.1+)verifyCsrf() method for manual CSRF token verification when neededrequireAdmin(): Removed unnecessary try-catch wrapper, now directly calls requirePermission()success() method for success messages with optional redirecterror() method for error messages with optional redirectrateLimit() method using RateLimiter class for proper rate limiting in controllersrequireOwnership() method to verify resource ownership (with admin bypass)validate() method with support for multiple rules (required, email, min, max, numeric, url)app/Core/Config.php)save(): Implemented atomic write with file locking using temporary file + rename pattern, preventing concurrent modifications from corrupting the configuration filesave() method - encryption now only happens in set() methodvalidateValue() method to validate:hasEncryptionHelper() method to gracefully handle missing EncryptionHelper classsmtp.password, smtp.username, smtp.host) can now be set via environment variables (takes precedence over file config).backup.old pattern)deduplicatePlugins() method with better filtering and cleaner logicapp/Core/CacheKeys.php)TTL_SHORT = 300 (5 minutes)TTL_MEDIUM = 3600 (1 hour)TTL_LONG = 86400 (1 day)TTL_PERMANENT = 31536000 (1 year)TAG_PERMISSIONS, TAG_CATEGORIES, TAG_GROUPS, TAG_REACTIONS, TAG_USERS, TAG_BOOTSTRAPinvalidatePermissions() and invalidateCategories() to use tag constants instead of hardcoded stringsapp/Core/AssetMinifier.php)clearCache() and deleteDirectory() using realpath() to ensure all operations stay within cache directorybin2hex(random_bytes(8))) to prevent collisionsminifyAndSave() to prevent concurrent operations on the same fileapp/Core/Autoloader.php)isPathSafe() method to validate that all loaded files are within the base directory, preventing directory traversal attacks$classMap cache to avoid reloading already-loaded classes, improving performance$failedLookups cache to avoid retrying failed class lookups (max 500 entries)glob() callsisValidClassName() method using PSR-4 compliant regex validationapp\Plugins\ and App\Plugins\ namespace patternsapp/Core/AtomicFileHelper.php)flock) as a safe fallback when FileLocker failsapp/Models/Visitor.php)file_get_contents, json_decode)Logger::error() for file operation failuresapp/Core/RateLimiter.php)flock) in check() method to ensure atomic read-modify-write operationsclearLoginRateLimits(): Replaced inefficient O(n) file scanning with direct O(1) key deletiongetRetryAfter() method with proper error handlingvisitor_tracking rate limit (60 requests per minute)flock with LOCK_EX) to prevent concurrent access issuesclearLoginRateLimits($identifier) now uses direct cache key deletion (O(1)) instead of scanning all files (O(n))clearLoginRateLimitsForIdentifiers(array $identifiers) for batch operationsclearLoginRateLimits(null) calls deprecated clearAllLoginRateLimits()addToWhitelist(string $identifier): Exempt identifier from rate limitingremoveFromWhitelist(string $identifier): Remove identifier from whitelistisWhitelisted(string $identifier): Check if identifier is whitelistedLogger::warning() for security monitoringclearAllLoginRateLimits() method maintained but deprecatedclearLoginRateLimits(?string $identifier = null)app/Models/Visitor.php)trans() method to centralize translation calls with consistent defaultsapp/Core/RateLimiter.php)The following limitations remain for future improvements:
File-based storage limitations:
Missing distributed system support: File-based rate limiting won't work correctly across multiple servers
No graduated penalties: All rate limits are fixed - no exponential backoff for repeated violations
No database migrations required for this release. All changes are backward compatible.
plugins/resourcemanager/DownloadService.php - Fixed syntax error, improved file recoveryapp/Views/discussions/show.php - Fixed anchor navigation, improved post detectionapp/Controllers/Api/PostApiController.php - Fixed post retrieval for large limitsapp/Models/Visitor.php - Performance optimizations, caching, error handlingapp/Core/RateLimiter.php - Critical security fixes, race condition prevention, whitelist supportapp/Core/App.php - Added rate limiting to routes, secured file serving, performance optimizationsapp/Core/Controller.php - Eliminated code duplication, added helpers (CSRF, rate limiting, ownership checks, flash messages)app/Core/Config.php - Fixed race conditions with atomic writes, added validation, environment variable support, automatic backupsapp/Core/Cache.php - Fixed race conditions with file locking, replaced glob() with iterators, optimized forget() method, multi-server protection, key validationapp/Core/CacheKeys.php - Added TTL and tag constants, enhanced documentationapp/Core/AssetMinifier.php - Added input validation, path traversal protection, ReDoS mitigation, secure placeholders, rate limitingapp/Core/Autoloader.php - Added caching, path traversal protection, rate limiting, optimized plugin loadingapp/Core/AtomicFileHelper.php - Removed thread-unsafe cache, improved fallback mechanism, added write verificationapp/Middleware/LoginRateLimitMiddleware.php - New: Rate limiting for login attemptsapp/Middleware/RegisterRateLimitMiddleware.php - New: Rate limiting for registrationapp/Middleware/PasswordResetRateLimitMiddleware.php - New: Rate limiting for password resetapp/Middleware/TwoFactorRateLimitMiddleware.php - New: Rate limiting for 2FAapp/Middleware/UploadRateLimitMiddleware.php - New: Rate limiting for file uploadsThe RateLimiter now uses file locking (flock) to ensure atomic operations:
LOCK_EX) prevent concurrent modificationsgetConnectedUserIps() reduced from O(n²) to O(n) complexityflock) instead of reading without lock when FileLocker failsstoreKey() prevents race conditions when multiple processes update the .keys file simultaneously.htaccess, Nginx index.html, IIS web.config) ensures cache files are not accessible via webDirectoryIterator replaces glob() to handle large cache directories (100,000+ files) without memory exhaustionforget() method optimized to read .keys once instead of per-file, reducing I/O by ~70%getOrSet() eliminates redundant has() callsapp/Core/Sanitizer.php)sanitizeHtml() with options to control images and links, comprehensive event handler removal, dangerous protocol filtering, and data URI protectionDEFAULT_ALLOWED_TAGS, ALLOWED_PROTOCOLS, DANGEROUS_ATTRIBUTES, MAX_FILENAME_LENGTH, MAX_URL_LENGTH for better maintainabilitysanitizeUrl() now validates protocols, removes control characters, checks length, and supports strict modeisValidUrl() method to validate URLs without modifying themsanitizeEmail() now validates emails and removes control charactersisValidEmail() method to validate emails without modifying themsanitizeForAttribute(), sanitizeForJs(), sanitizeForCss() for different output contextssanitizeFilename() now supports extension whitelist, prevents hidden files, and better path traversal protectionisAllowedExtension() method to validate file extensionssanitizePath() now supports mustExist parameter and better path normalizationnormalizePath() method to normalize paths without requiring them to existsanitizeInt(), sanitizeFloat(), sanitizeBool() for type-safe input sanitizationsanitizeArray() method for recursive array sanitizationremoveAccents() is now public and includes comprehensive accent map (100+ characters)stripHtml() and truncate() methods for text manipulationescapeOnce() method to prevent double HTML encodingapp/Core/Router.php)name() method to define named routes and url() method to generate URLs programmaticallygroup() method to group routes with shared prefix and middlewareenableCache() method to cache compiled routes for 90% performance improvementresource() method to generate all RESTful routes (index, create, store, show, edit, update, destroy) in one callwhere() method to validate route parameters with regex patternspatch() method for partial updatesRouteBuilder for method chainingdispatch() and dispatchApi() into handleRequest() method, eliminating 140 lines of duplicationnormalizeUrl(), isStaticFile(), sortRoutesByPriority(), tryMatchRoute(), handleNotFound(), executeControllerHandler(), executeCallableHandler(), resolveMethodParameters()STATIC_EXTENSIONS, PLUGIN_THEME_PREFIXES, CACHE_FILEapp/Core/Response.php)$sent flag to prevent modifying responses after sendingself for method chainingcache() and noCache() methods for easy cache managementtext(), html(), download() for different content typestooManyRequests() method with Retry-After header supportback() method to redirect to referer with fallbackwithHeaders() method to set multiple headers at once<pre>, <textarea>, <script>, <style> blocksgetHeaders() and getStatusCode() methods for debuggingapp/Core/Request.php)_method field and X-HTTP-Method-Override header for REST APIspost(), query(), json() for accessing different data sourcesCF-Connecting-IP), standard proxies, and proper IP validationisSecure() and getScheme() methods for detecting secure connectionswantsJson(), accepts(), getAcceptLanguage() for proper API responsesgetUrl(), getRawUrl(), getUri(), getFullUrl() for different URL formatscookie() and cookies() methods for easy cookie accesshasFile() validates upload success, getFile() for easy accesshasAll() and hasAny() for checking multiple keys at oncedebug() method returns comprehensive request informationhasHeader() for checking header existence, improved header parsing with nginx fallbackgetJsonInput() alias)app/Core/PluginHelper.php) (New File)getTranslations() with caching and fallback to default languagesafeExecute() and safeExecuteBool() for error handling in pluginsreadJsonSafe() and writeJsonSafe() for safe file operationscheckDependencies() to verify plugin requirements (PHP version, extensions, other plugins)getAssetUrl(), enqueueStyle(), enqueueScript() for CSS/JS assetsrenderView() for rendering plugin views with error handlingaddRoute() for easy route registration via hooksscheduleCron() for registering scheduled tasksisVersionCompatible() for version checking with operatorsgetCacheDir(), clearPluginCache(), clearAllCaches() for plugin-specific cachinggetMetadata() with caching for plugin.json dataapp/Core/Plugin.php)getStats() method to monitor loaded plugins and hooksreset() method to clear all plugins and hooks (useful for testing)trigger() signature while supporting new oneapp/Core/Logger.php){user_id})getStats() method to track total logs, logs by level, and last log timeperformance() method for performance metricsexception() method with formatted stack traces and previous exception supportcleanOldLogs() method to remove logs older than specified dayslog($message, $level, $type) signatureapp/Core/FileLocker.php)synchronized() method to execute code blocks with automatic lock managementgetStats() method to monitor active locks and lock filesglob() with DirectoryIterator for better memory efficiencymicrotime() for precision/stockage/cache/locks) for better organizationapp/Core/ErrorHandler.php)setContext() method to update Request/Response context dynamicallynever return type for methods that exit ensures proper type checkingsuccess(), error(), rateLimit(), verifyCsrf()) simplify common operationshandlePermissionDenied()realpath() to ensure they stay within allowed directoriesglob() callsapp/Core/Router.php)router.plugins.register hook for universal plugin route registrationresource() method returning self for method chainingregisterPluginRoutes() method to trigger plugin route hooksapp/Core/Session.php)app/Core/Validator.php)validate() static method with array-based rulesstring, integer, boolean, array, numericalpha, alpha_num, alpha_dash, betweendate, date_format, before, afterip, ipv4, ipv6json, uuid, regexsame, different, not_inrequiredIf, requiredUnless, requiredWithvalidated() method returns only validated fields (prevents mass assignment)app/Core/Request.php)app/Core/Response.php)app/Core/Sanitizer.php)router.plugins.register hookResourceManager, Reputation, EasyPages, AIModeration, CookieConsentForumMonitoring, TranslationManager, ArchiveBuilder, AIchatboxPrivateMessaging, StorageMigrator, Flatboard4UrlFixapp.routes.register to router.plugins.registeraichatbox and ForumMonitoring pluginsapp/Core/Cache/CacheValue.php)fromJson() now throws InvalidArgumentException for invalid data instead of silently returning nulltimeToLive(), age(), hasTag(), hasAnyTag(), hasAllTags() for better cache managementtoArray() as it's managed by Cache::set() (cleaner separation of concerns)app/Core/Exceptions/NextRouteException.php)reason property for debugging why a route declinedsetReason(), getReason(), and getFullMessage() for better debuggingapp/Core/Validations/FieldValidations.php)required() incorrectly rejected "0" and 0 as empty values (now uses !== null && !== '' instead of empty())strlen() with mb_strlen() in minLength() and maxLength() to correctly handle UTF-8 characters (e.g., "café"=4 characters, not 5 bytes)integer(): Validates integer valuesbetween(): Validates numeric range (min-max)date(): Validates date formatip(), ipv4(), ipv6(): Validates IP addressesusername(): Validates username format (alphanumeric + underscores)confirmed(): Validates value confirmation (e.g., password confirmation)slug(): Validates URL-friendly slugsboolean() (only true/false) from permissive booleanLike() (accepts '1', '0', 'on', 'off', 'yes', 'no', etc.)This version finalizes the migration from inline JavaScript to reusable ES6 modules.
tag-manager.js:
mention-manager.js:
load-more-manager.js:
toast-manager.js:
form-validator.js:
attachments-manager.js:
draft-manager.js:
profile-manager.js:
auth-2fa-manager.js:
app/Views/discussions/create.php – Uses TagManager, MentionManager, FormValidatorapp/Views/discussions/edit.php – Uses TagManager, MentionManager, FormValidatorapp/Views/discussions/search.php – Simplified with SearchFormManagerapp/Views/posts/edit.php – Uses StandalonePostEditManagerapp/Views/users/profile.php – Uses ProfileManagerapp/Views/auth/2fa.php – Uses Auth2FAManagerapp/Views/auth/2fa-settings.php – Uses Auth2FAManagerapp/Views/layouts/frontend/footer.php – Loads all frontend modulesthemes/premium/views/layouts/frontend/footer.php – Sync with default themewindow.Flatboard.translationsCreated DiscussionListService:
getDiscussionsPaginated(), separatePinned(), sortDiscussions()Created DiscussionService:
checkCooldown(), checkDuplicate(), filterByPermissions()recordDiscussionCreation()Created PostService:
validatePost(), checkCooldown(), checkDuplicate(), processMentions()Created PaginationHelper:
paginate(), getPaginationData()Created DiscussionHelper:
formatDiscussionUrl(), getBreadcrumbs()Created AttachmentHelper:
normalizeAttachments(), validateAttachments(), sanitizeAttachmentUrl()Refactored DiscussionController:
index() uses DiscussionListService, Cache::remember(), RateLimiter::attempt()show() uses $this->authenticate() and DiscussionHelperstore() uses DiscussionService and Validator::validate()Session::get('user_id')Refactored PostController:
PostService and AttachmentHelperValidator::validate()$this->authenticate() for authenticationRefactored CategoryController:
DiscussionListService::getDiscussionsPaginated()Refactored SearchController:
SearchService::searchPaginated() for database paginationarray_slice() post-fetchCache::remember() and RateLimiter::attempt()Validator::validate() for search parametersCreated discussion-show-manager.js:
Created discussion-form-manager.js:
Created post-edit-manager.js:
Created search-form-manager.js:
Created frontend-bundle.js:
Systematic use of native Flatboard methods:
$this->authenticate() instead of Session::get('user_id')Validator::validate() for all input validationRateLimiter::attempt() for rate limitingCache::remember() for cachingLogger::info() / Logger::warning() for loggingTranslator::trans() for internationalizationElimination of anti-patterns:
$_GET, $_POST, $_SESSIONexit() and die()| Metric | Before | After | Improvement |
|---|---|---|---|
| PHP Lines in DiscussionController | 1945 | ~800 | -59% |
| DB Queries (index page) | 15+ | 4 | -73% |
| Avg. Response Time | ~500ms | ~150ms | -70% |
| Inline JavaScript (show.php) | ~4000 | 0 | -100% |
| Reusable JS Modules | 0 | 5 | +5 |
Multi-method Authentication:
hash_equals()security.public_version_checkNew Endpoints:
GET /api/version/check-updates: Check for available updates (admin only)GET /api/version/changelog: Retrieve version history (public if configured)Multiple Formats:
full: All information (default)simple/version: Version onlyminimal: Version + namePerformance:
Enhanced Security:
UpdateController logic for update checkssend_update_statsAdmin Diagnostics:
Use of Native Flatboard Methods:
ApiController as base class for authentication and standardized responsesCache for data cachingConfig for centralized configurationLogger for audit trailTranslator for internationalized messageserrorResponse() and successResponse() for standardized responsesMulti-layer Security:
RateLimiter (100 webhooks/hour/IP, configurable)timestamp.body formatX-Webhook-Id and cache (24h default)Asynchronous Processing:
202 Accepted response (< 200ms)WebhookQueueRobust Validation:
WebhookValidator for event-specific validationValidator for validation rulesUse of Native Flatboard Methods:
RateLimiter with new webhook key (100 attempts/hour)Cache for deduplication and rate limitingConfig for centralized configurationLogger for audit trailTranslator for internationalized error messageserrorResponse() and successResponse() for standardized responsesAdditional Endpoints:
POST /api/webhook/test: Configuration test (admin only)GET /api/webhook/queue: Queue visualization (admin only)POST /api/webhook/retry/{jobId}: Manual retry of failed webhook (admin only)Improved WebhookQueue:
add(), getQueue(), getStats(), retry()type: 'incoming') and outgoing (type: 'outgoing') webhooksDocumentation:
docs/webhooks-config.md with complete configuration guideImproved Maintainability:
Edited on Jan 14, 2026 By Fred .
Here are the key updates and fixes in this Release Candidate version before the official v5 final release:
allowed_groups and is_private fields has been optimized to prevent errors when changing the visibility of categories.Deprecation issue in login rate limit handling:
clearAllLoginRateLimits() method with a more robust mechanism, ensuring the integrity of login rate limits.Inconsistency in getRemainingAttempts() method:
Incomplete clearing in clearLoginRateLimits() method:
Fixed 404 error when deleting a thread in "Largest Threads":
/admin/privatemessaging/delete-thread.Issue with "Best Answer" functionality:
The "Best Answer" feature was not working correctly due to an incorrect URL in the app/Views/discussions/show.php file.
setBestAnswer and removeBestAnswer functions used inconsistent URLs. One used the correct URL (/d/{number_slug}/best-answer), while the other used the incorrect URL (/d/{number_slug}/set-best-answer).Fix: The incorrect URL has been updated to use /best-answer instead of /set-best-answer, ensuring the "Best Answer" feature works properly.
clearAllLoginRateLimits() method.This version is the final Release Candidate (RC) before the official Flatboard v5 Final release. We’ve made significant improvements to ensure better stability and smoother permission management.
The final release is coming soon! Please test this RC and share any feedback to ensure a smooth final release.
Thank you for your patience and feedback throughout the development process!
This discussion is locked