Hi everyone! An exploit was recently discovered (and quickly patched) in the tags extension. Thank you to @LianSheng for finding it and to @SychO for the quick fix! The fix will be included in beta 14, but has also been backported and released as flarum/tags v0.1.0-beta.13.1. We highly recommend that all forum admins upgrade their tags extension as soon as they get the chance.

    askvortsov This is why Flarum needs an announcement extension ASAP. I tried to create a couple once but they weren’t any good. Especially when it comes to security, there should be a red alert banner at the top of the site. Not everyone will read this diary thread. It will also be good to give extra attention to releases.

      cmwetherell Yes.

      Update with composer update flarum/tags

      You can then confirm the update worked by checking Composer output (should say "updating to v0.1.0-beta.13.1"), or by checking the version number in the admin panel in the extension list.
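To confirm the upgrade on a server without opening the admin panel, the installed version can be read from the forum's `composer.lock`. The following is an added example, not part of the original posts or of Flarum's own code: it checks whether the locked `flarum/tags` version is at or above v0.1.0-beta.13.1. The function names and the sample lock data are constructed for illustration.

```python
import json
import re

FIXED = "v0.1.0-beta.13.1"  # patched flarum/tags release named in the announcement
STAGES = {"alpha": 0, "beta": 1, "rc": 2}  # a stable release ranks 3, above all of these

def version_key(version):
    """Return a sortable key for tags like 'v0.1.0-beta.13.1', or None if unparseable."""
    m = re.fullmatch(r"v?(\d+(?:\.\d+)*)(?:-(alpha|beta|rc)\.?(\d+(?:\.\d+)*))?",
                     version, re.IGNORECASE)
    if not m:
        return None  # e.g. 'dev-master' cannot be ordered against a release
    core = tuple(int(p) for p in m.group(1).split("."))
    core += (0,) * (3 - len(core))
    if m.group(2) is None:
        return core, 3, ()
    pre = tuple(int(p) for p in m.group(3).split("."))
    return core, STAGES[m.group(2).lower()], pre

def tags_status(lock_text):
    """Classify the flarum/tags entry of a composer.lock document."""
    for pkg in json.loads(lock_text).get("packages", []):
        if pkg.get("name") != "flarum/tags":
            continue
        version = pkg.get("version", "")
        key = version_key(version)
        if key is None:
            return "unknown", version
        return ("patched" if key >= version_key(FIXED) else "needs-update"), version
    return "not-installed", None

def sample_lock(version):
    """Constructed composer.lock content for the demonstration below."""
    return json.dumps({"packages": [
        {"name": "flarum/core", "version": "v0.1.0-beta.13"},
        {"name": "flarum/tags", "version": version},
    ]})

if __name__ == "__main__":
    for v in ("v0.1.0-beta.13", "v0.1.0-beta.13.1", "v0.1.0-beta.14", "dev-master"):
        print(v, "->", tags_status(sample_lock(v))[0])
```

On a real install, pass the contents of the forum's `composer.lock` to `tags_status`; an "unknown" result (for example a dev branch) has to be checked by hand.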

      010101 Agree, but a feature like that should be in Flarum core and it would be shown on every site to those who have permission for it. So when you come to your site you can actually fix it instead of not knowing about it, because you are not here on this forum every day. Heck, one client that requested this forum was probably here only once...

      I set it up on Windows and it is working, but on macOS there are a lot of errors. I fix one bug, and it becomes another bug. Is there any file for macOS for manual setup?

      010101 Flarum needs an announcement extension

      That's a great idea!

      We can make it even easier to start with, for example:

      • Create "Announcements" tag
      • Set permissions to "moderated" (disable permissions: Start discussions without approval and Reply to discussions without approval)
      • Ask extension creator to create discussion with standardised title (extension name will be the best imho).

      Under this tag only Flarum administrators and extension owners can post (their messages will be approved only)
      What we can achieve?

      • By luring whole Announcement tag we can get notification about new extensions 😉
      • All discussions will be like small blogs / changelogs with important information only. We can follow all extension discussions which we are using. If a new version is released - you will get an e-mail about that (right now when you follow an extension discussion you will sometimes get multiple e-mails per day about support requests and because of that - some important information or version release can be missed)
      • We will get one place with all extensions. There is an option to sort them by date, so we can see which ones are still under support with new versions being released (and how frequently) and which are already abandoned by their authors.
      • Further "Announcement extension" (or maybe extiverse?) can compare your installed extension list and search for their names on official Flarum forum discussions under "Announcements" tag. Then display it on Admin panel 😉

        askvortsov I think I found a bug with the update.

        After updating I was playing around with the new First Post Approval Extension and afterwards I was deleting a post. I was able to delete a post but it threw this error. At first glance it looks like it is related to tags:

          When clicking OK in the TagDiscussionModal on nightly.flarum.site the following error is shown in the console:

          Uncaught (in promise) TypeError: app.current.get(...) is undefined
              onsubmit TagDiscussionModal.js:310
              promise callback*module.exports</mt</a.onsubmit TagDiscussionModal.js:308
              handleEvent render.js:888
              Lt instrument.js:345
          [...]
              exports render.js:964
              a mount-redraw.js:14
              show ModalManagerState.js:35
              onclick addTagControl.js:11
              handleEvent render.js:888
              Lt instrument.js:324
              Lt instrument.js:345
              I render.js:910
          [...]

          Another thing that happened is that the post scrubber showed "NaN of 16 posts", until I refreshed. I cannot reproduce the issue anymore unfortunately, but this is exactly what I did:

          • open an unread discussion with no tags (as an admin)
          • add a tag to the discussion
          • start scrolling

          These steps are not enough to reproduce the issue, but maybe they can still help...

            matteocontrini Thanks for reporting these! Was this from testing today?

            matteocontrini TypeError: app.current.get(...) is undefined

            I've seen this error in the console, but have been unable to replicate it. Is this for starting a new discussion, or editing an existing one?

            matteocontrini post scrubber showed "NaN of 16 posts"

            Did posts also disappear from the PostStream? This is something that a fix should have been pushed out for.

              askvortsov Was this from testing today?

              Yes, it was just a few minutes before posting the message here

              askvortsov Is this for starting a new discussion, or editing an existing one?

              While editing an existing one. I could reproduce it several times actually, on different discussions. (While I was trying to reproduce the other one ahah)

              askvortsov Did posts also disappear from the PostStream?

              Mmm not sure about this, I didn't pay attention...

              Wadera

              Another option could be if mentions supported groups. Would need to be permission based to ensure normal users could not spam groups or everyone. There is the option to place new users in a group by default when they register (through an extension I think).

              @everyone
              @admins
              @mods

              Or if we could force all users to follow tags (without the option to unsubscribe), or at least set certain tags to be followed by default, and then the user can manage their follow options as they wish.

              That's an ideal world, but a lot of new extension developers come and disappear all the time, so tracking who is a mod developer and should be able to post under this tag and who should be removed will be a nightmare. It's simple to set some rules in a sticky post and allow everyone to create new extension discussions and then review and approve the correctly posted ones.

              It can be simplified even more by improving permissions with an option like Reply to discussions if already approved, so the author of their own extension discussion can freely post updates if the first post was approved. That makes something like a personal blog page? Personal topic? I hope you can feel the idea 😉

              010101 my solution for this is Extiverse driven. Without burdening the core team and knowing that Extiverse already knows and understands everything it needs to inform webmasters of updates through e-mail or an extension. With stable and everything else going on, I haven't been able to push effort into that feature yet.

                @matteocontrini Thanks again for finding and reporting those! The cause has been found, and a fix will be included in the release.

                On a more global note, as we're now in the QA stages of beta 14, public API changes are pretty much done. Because of the number of changes affecting extension developers this release, we've put together an extensive upgrade guide, and released it to our documentation site ahead of the release to make it a bit easier to upgrade extensions. We'll also be releasing some expansions to the documentation on Flarum's frontend closer to the release to help new developers, so stay tuned for that!

                If you run into issues or have questions about upgrading your extensions, the dev tag on this forum and our discord (linked in header) are great ways to get help.

                matteocontrini I ran into the NaN thing on the scrubber randomly in our QA environment, it went away after I created a new post in that same discussion, weird 🤔


                  luceos Makes sense. Yeah, I suppose just a temporary extra sticky post like I see Clark has done is good too. You know... a very easy option might be to start a newsletter. Sure, then you have to hope most people using Flarum sign up. But, if you’re a serious Flarum user, you’ll sign up. Then for any type of release you send out a newsletter.