NodeBB Development

The security advisory has now been published

@julian Yep. Grok what you are getting at here.

OTOH, in the hands of an expert, I suspect all those gauges and controls are a comfort.

Oh, that elusive "middle ground". As mentioned elsewhere, I do not envy the task modern UI/UX designers have before them.

More specifically, the issue is that it defines a static directory in plugin.json:

"staticDirs": { "s3": "public" },

But doesn't have it.

It seems to be an artifact of people forking and updating it without fully understanding what exactly it was doing - looking back at some history at some point someone moved the templates from public/templates to just templates/ and apparently NodeBB wasn't enforcing that directories have to exist at that point, so it wasn't noticed and all future forks inherited this bug.

NodeBB is IMO doing fine here - a lack of directory a plugin declared to have might suggest some issue with the installation or the plugin itself (for example a typo in a path). A plugin incorrectly declaring something it doesn't use can't really be distinguished from these issues.

Also, @julian while .gitignore works, I feel like it's a bit of abuse of that feature and the name is misleading (upon seeing a directory with .gitignore my first thought would be that something is supposed to go there but will be ignored. And I feel without knowing much about git I might've assumed it meant the whole directory would be ignored by git - the opposite of what it actually does). I personally prefer the convention of using an empty file named .gitkeep (or just .keep), since it more obviously refers to keeping the directory and wouldn't have any other potential impact on files included by git.

EDIT: TL;DR of the issue:
why would nodebb do this

Hello all,

We are notifying you today about a security vulnerability that was present in older versions of NodeBB. We were notified of these vulnerabilities on 25 May 2022, and have patched and released fixed versions of NodeBB, v2.0.1 and v1.19.8, three days later, on 28 May.

The specifics of this vulnerability are available upon request, but they are considered critical and affect the security of any site running an affected version of NodeBB. Admins are urged to upgrade to these patched versions as soon as possible.

Alternatively, the following changesets can be cherry-picked into your installation of NodeBB in lieu of a full upgrade:

v2.x https://github.com/NodeBB/NodeBB/commit/e802fab87f94a13f397f04cfe6068f2f7ddf7888 v1.19.x https://github.com/NodeBB/NodeBB/commit/81e3c1ba488d03371a5ce8d0ebb5c5803026e0f9

As always, the NodeBB team is available at your disposal to answer any questions or provide assistance in implementing these changesets.

For more information on the security vulnerability, please visit the GitHub Security Advisory page for this disclosure

@syedasad not out of the box, no. It sounds like you'd need a custom plugin to modify the topic visibility privileges on the fly based on whether the topic is the most recent X topics.

Feel free to reach out to us for a quote on this kind of custom work 🙂

[email protected]

@Livar-Bergheim lets do it bro 🙂

@田恩睿 It's probably better to keep the menu where it is, or at least in that file, but play around with the structure and CSS to have a left-side menu.

Right now it is pinned to the top using .navbar-fixed-top

@姬清 any logs?

Even the mobile version experience keeps being chaotic on this v2 beta im so glad the development is alive and having a big update like this v2 is nice news

@girish there may be something wrong with your dns. I can access that link just fine.

@JoeCaleb likely not the ideal candidate. NodeBB is designed to be a standalone web resource, co-existing alongside another side on a subdomain or subfolder.

You could customize a theme to match the look and feel of your main site – that's what we do here. The header and footer are dynamically retrieved from NodeBB.org

See nodebb-theme-community to learn how it is done.

Re: Creating multiple Node BB Admins but with limited access to ACP

@PitaJ , how can we create multiple admins? Can we assign a user as admin in Dashboard, please let me know.

@julian Hi Julian, After some thought I guess I would like to go even further and am wondering how to "pin" the navbar, as well as the topic bar so that they scroll completely normally like the rest of the page. Would this be doable? Thank you in advance. for your advice.

@pitaj
Thanks for the quick reply.
Well, the modifications are small (mainly change in colors and fonts) but have to be applied to many classes. And the UI/UX guy who will make it is not familiar with NodeBB but is familiar with Bootstrap.
With this context in mind, do you still advice doing the changes as Custom CSS (I guess you mean using the option in the Admin panel) ?
Sorry, if my question may sound stupid but I have a short experience with NodeBB and mainly with the API part...

@julian said in Why isn't email required anymore?:

There were two issues with this:

Incorrect emails would bounce, causing reputation issues over time

I run my own mail server and my forums are "small" so the bounces land in my queue/spool and are not a real problem. I see how this could cause significant grief otherwise, especially on larger forums.

I also use IsTempMail, which seems pretty effective on its intended targets. I wonder how many others do? Been a while since I played with those knobs but iirc, it was pretty painless to set up.

NodeBB prior to this change would allow any email to be entered, even other peoples' emails. A lot of sites do this, and it's not necessarily something we should guard against, but I personally find it really annoying when someone uses my email to sign up for random sites.

Hard nut to crack, this one. Maybe add a disclaimer to the welcome message along the lines of "Somebody, hopefully you, used this email address to register for our community at URL. If this was not you we apologize for the inconvenience."? 🤔

@subesh-s Have you tried using the login utilities route in the write API? It should send back a valid session cookie.

@julian Okay, I'll do that. Thanks!

Tags allow % character now, themes will need to be updated to use tags.valueEncoded instead of tags.valueEscaped
https://github.com/NodeBB/NodeBB/issues/10135

See changes in persona to update your custom theme https://github.com/NodeBB/nodebb-theme-persona/commit/6aada9127865ddc1cbaf8cd5f548ebc78f7bf90a