Shout - Private Messaging for Flarum

Kyrne

You guys are crazy! Let me go through each question.

[deleted] so you got it fixed? If not I'll proceed with the change.

iPurpl3x No, the admins would have to know their password, that's why they are asked a second time after logging in. It also has a detection that sends the other user (not being impersonated) if you even attempt to view their messages (it will fail anyways).

danielunited on desktop I assume? This is totally doable and is like halfway done already just because of mobile support. Maybe I'll add this as an option in the future.

clarkwinkelmann I'm going to fix that up.

Yalfoosh you will only be asked for the password 1 time per device (until cache is cleared). I'll look into the Firefox issue.

Edit: looks like my hands are tied: https://bugzilla.mozilla.org/show_bug.cgi?id=1639542
I could use local storage as a fallback.

[deleted]

Kyrne so you got it fixed? If not I'll proceed with the change.

No. That was just a test. As I'm using WordPress to handle authentication, I need a way to set a password if there isn't one.

Kyrne

[deleted]

0.1.6

Add option to let users make their own password - setting in admin.
- If you already have at least 1 encryption key set up and decide to switch to this option you will need to truncate user_encryption_keys and set PMSetup to 0 for those users in the users table. To clarify, if you don't use anything like Github login, Wordpress integration, etc. This is not necessary.
- If you use these services at all I would encourage you to enable this as those users won't be able to use the ex
Markdown support
- Plaintext links will be automatically turned into actual links
- Markdown image embed works but you can't click the image to open it up bigger. I recommend the FancyBox Extension.
- Emoji's are supported too now. On desktop you can type them using : just like discord. There is no helper however to help users get the emoji names correct.
- The markdown is sanitized so don't try any XSS ya freaking script kiddies
Message previews before sending (like when editing a post) to help with markdown formatting
Negative unread messages fix
- It will not be fixed right away but will slowly resolve itself as messages are sent.

Updating:

composer update kyrne/shout
php flarum migrate
php flarum cache:clear

Yalfoosh The fix for this is not included in this update, I'm still trying to work on a solution (why can't Firefox just be normal?)

HD3D

Kyrne Typo error in "Enter a paassword to setup private messages."

Also, it is really confusing for users to use password option, can't we have an option in admin panel if we want our users to set up password or not?

Yalfoosh

Kyrne You're insanely fast! However, I don't think emojis work (2 different messages):

[deleted]

Kyrne Upgraded successfully (it seems to 0.1.7), truncated the table, and set PMSetup to 0 for all users. Now I am unable to set any password - it responds with the below

EDIT: Spoke to @Kyrne on Discord. Seems it's a caching issue of sorts - all working now !

Kyrne

HD3D whoops, fixed.

The password is required for the extension to work securely. What part of it is confusing?

HD3D

Kyrne The confusing part is that what if they choose a new password other than their account's password and later on the forget the password, are they gonna be able to recover it?

Kyrne

HD3D if you forget you password you lost access to all your old messages. This is true of every encrypted messaging service.

Mark73

Kyrne I'm 100% against admins accessing users private messages. But losing access to all old messages because you forgot the PMs password? Well that's a negative point...

HD3D

Kyrne In this case, I think you should let us (admins) to decide if we want our users to set up shout password or let them use it without password.

I understand that you want your extension to work securely sir but you can do it on your site and on our sites you can let us decide.

And if you can please disable the setup option and make it default that everyone should have Private Messaging option enabled. (Imagine I'm an admin and I need to wait for my users to set up their inbox in order to message them?) 😕
I should be able to message them without this restriction

Kyrne

Mark73 the only other secure way around this is to have users download a copy of their keys (which is totally doable) to import later if they forget the password.

Mark73

Kyrne Not the best way as we all know how people want everything to be as simple as possible. Yet, I'm glad there is a way to recover old messages, definitely considering this

Kyrne

Yalfoosh nope. That update wasn't supposed to add full emoji support (and I guess it didn't add it at all). I'll try to hook flarum/emoji.

Mark73 interesting read: https://www.forbes.com/sites/anthonykosner/2012/08/05/how-secure-is-your-cloud-take-the-mud-puddle-test/#76fcfd506627

Kyrne

Yalfoosh not sure if joyful is an emoji. Try :1234:

Yalfoosh

Kyrne

am I doing something wrong?

Yalfoosh

HD3D Why don't you simply use Byobu then? It's more polished and has more features.

HD3D

Yalfoosh I'm already using byobu but I thought Shout could be more useful and easy for users but the restrictions to shout are making it impossible for me to use

Kyrne

HD3D shout was built around the concept of private, encrypted messages. The 2 are essentially inseparable without a lot of work.

I'm still lost as to how the password aspect makes it impossible to use? Websites run on passwords and if you lose them for encryption you're SOL on any truly secure messaging service.

I'm going to stand firm on encryption only. I will be adding a feature shortly where you can force a user to setup their encryption before they can continue to use the site (on a per user or whole site level)

HD3D

Kyrne I understand your point but let me explain my point in simple words:

Because of the password requirement the shout won't be enabled right? So it simply means that as an Admin I need to wait for my certain user to setup Shout with the password in order to message him/her.
What if they never setup their private messaging so I can't message them?

If you really want users to have their private messages secured and have control over it, you can give them an option to set up password for shout in their profile/settings or on the shout UI itself so they can decide if they want a password on their messages or not. but as default shout private messaging should be enabled for all the users.

Just like on facebook, twitter or any other social app.

HD3D

Kyrne I'm going to stand firm on encryption only. I will be adding a feature shortly where you can force a user to setup their encryption before they can continue to use the site (on a per user or whole site level)

This can do the trick too but don't you think it will confuse the noob users? And if they use password other than their account's password then it will confuse them during login to remember which password is for which.

I'm pretty sure it will be more appreciated by everyone and less confusing for everyone if you can give and password setting up option on shout UI or settings. so everyone can decide if they want to secure their messages or not.

« Previous Page Next Page »