Xenforo 2.2 release

Status
Not open for further replies.
If you want to be really picky, there are exposed tokens parsed via URLs in plain text, which could be considered a security issue, BUT those tokens don't expose any identifying information.

Only thing I'd like to see is a way to lock down the Admin Control Panel, whereby attempts to log in result in a blacklisted/blocked IP address.

I'd also recommend changing the default phrase "incorrect_password" to something like:
Code:
<p>Username not found or Incorrect Password.</p>
<p>Please try again. If you believe this is in error, please contact us.</p>
<p>This error has been logged.</p>

This way it never confirms (like it does by default) that a username is correct, but password is not.

I hate sites that do that. Some don't even confirm if you entered the correct email, and you're left guessing whether you entered the wrong email or their email isn't delivering/is ending up in the spam box.

That's not security. That's just crap user experience. Lock an account if more than x number of tries in x amount of time and problem solved. Lock the login pages behind cloudflare maximum security and no bot can access it = no bruteforce.
 
I hope 2.2 will take speed (even) more seriously.
For example, the FA icons (woff2) take way too long to load imo.

The default theme should be as fast as possible but maybe more important, 3rd party themes should be as fast as possible too. I hope there is a way to "force" developers to use certain templates/workflows/whatever to ensure loading times are as fast as possible.

I like the XF approach. The default install is lean and mean and can be extended with add-ons.

The downside of that approach is the dependence on 3rd party developers. That can result in problems during upgrades. It would be nice if that dependence could be reduced somehow.

I agree. Especially with Google planning to punish/rank sites based on Pagespeed recommendations, it should be priority number one.

I managed to get my WordPress site score to 95 mobile/97 desktop with a simple plugin, and it would be safe when Google implements that change next year.

I don't know if any such add-ons exist for XenForo, and the scores for stock XenForo aren't that great.

I actually made a thread and it received no love which shows people probably don't even know or care about it.
 
I hate sites that do that. Some don't even confirm if you entered the correct email, and you're left guessing whether you entered the wrong email or their email isn't delivering/is ending up in the spam box.

That's not security. That's just crap user experience. Lock an account if more than x number of tries in x amount of time and problem solved. Lock the login pages behind cloudflare maximum security and no bot can access it = no bruteforce.

To clarify we are only talking about the backend /wp-admin here.
That's the idea. Yes, it's security by obscurity to a degree, but it lessens brute force attempts/account hijack attempts as there is no confirmation that the account even exists. It's not the site owner's fault if people can't remember a username/password.

In fact it's a recommendation from security companies and WordPress as well.

Not everyone uses Cloudflare, and it's certainly not the be all and end all (in fact for local AU users it slows your site down unless you have an expensive paid plan with a local POP).

I agree. Especially with Google planning to punish/rank sites based on Pagespeed recommendations, it should be priority number one.

I managed to get my WordPress site score to 95 mobile/97 desktop with a simple plugin, and it would be safe when Google implements that change next year.
I don't bother with Google Pagespeed as it has a long and documented history of being highly inaccurate compared to sites like GTmetrix.com.

Stupid stuff like "you got marked down because your js and css isn't minified", and yet it is. Or "not mobile friendly", yet the entire site is mobile responsive and clean as.
 
That creates a Denial of Service attack vector, which is why it is not done.
Yep as you are effectively admitting that user account exists.

What STNN is proposing is akin to securing your house by having locks on the external doors rather than standard door knobs. It's unlikely to stop most criminals because you are still responding as to whether an account exists.

You never want to confirm on a login page that a username is indeed valid or invalid, as once that is determined, they know the password is the only thing they need to work on. That's 50% of your way to an intrusion (even if you aren't attempting to brute force a login page), as you can potentially use that username to authenticate not just with the admin login page.

The other reason it's annoying, and account lockouts are not smart, is that you can have a nefarious user who takes issue with another user. They deliberately try to log in several times just to lock that other user's account out.

Sure I realise that most breaches these days are shifting towards injection attacks, exploits, and backdoors, but if you aren't responding to any username/password combination, it makes any attempt to brute force completely useless.
 
I don't bother with Google Pagespeed as it has a long and documented history of being highly inaccurate compared to sites like GTmetrix.com.

Stupid stuff like "you got marked down because your js and css isn't minified", and yet it is. Or "not mobile friendly", yet the entire site is mobile responsive and clean as.

I agree with you. I think it's utter garbage but Google brings us traffic and we have to play by their rules. I hope they don't implement it ever.
 
I agree with you. I think it's utter garbage but Google brings us traffic and we have to play by their rules. I hope they don't implement it ever.
Funny thing with Google is they do all this crap, and yet fail to act on sites that are SEO scam/spam sites. Punish the good guys and let the bad guys continue.

Probably one for another topic though :D
 
The important
When is the date of issue?

How can they tell? They can only give an estimate but can not tell for sure. They did say it will be this year barring any unforeseen circumstances.

Coding is an extremely complex process, especially at this level, and then ensuring it meets the quality guidelines, security, bugs etc. I hope XF takes as much time as they need so we don't have to deal with a broken forum.
 
I am quite surprised not many people (if any) are requesting WYSIWYG editor on pages backend..? :whistle:

My "Want" list includes:
  • Auto-close topics (based on criteria such as time, prefix etc)
  • WYSIWYG Editor on Pages
  • Ability to restrict access to the dashboard to IP
  • Poll permissions - restrict creation of polls per user group
 
I am quite surprised not many people (if any) are requesting WYSIWYG editor on pages backend..? :whistle:

This is not the right thread or forum for requests/suggestions, you need to like the first post here:

 
I am quite surprised not many people (if any) are requesting WYSIWYG editor on pages backend..? :whistle:
Pages and custom fields are probably the least developed aspect of XF, and both are crucial for content delivery. We already have tons of moderator tools, and if not, there's an add-on for everything. Whereas content focused stuff is underdeveloped or non-existent.

We need so much more for content creation. Content brings people to your sites, not "auto-close topics" as a tool. Sure, I agree that an auto-close option would be nice to have (like many more things which are just not there), but we are lacking more important stuff than these.

It is June and still no news. Even if we get the long awaited news, the wait is so long that the expectations are growing bigger and bigger. We'll see I guess.
 
I am quite surprised not many people (if any) are requesting WYSIWYG editor on pages backend..? :whistle:
XenForo's power is in being complex yet simplistic. Its complex areas generally don't break the simplistic things.

When you start integrating (often bloaty) WYSIWYG editors for pages, that can change things greatly.

I like the 10-15MB download and install package, and would rather not see it a 150MB download and install package for lesser used features.

Easier to just jump into an online HTML editor, fire it up and format your page as you like (ensuring it complies with HTML5 standards), and then just copy/paste the code into pages.

When will 2.1.11 be ready? 😄
Hold the boat we haven't got to v2.1.10.3 yet!
 
XenForo's power is in being complex yet simplistic. Its complex areas generally don't break the simplistic things.

When you start integrating (often bloaty) WYSIWYG editors for pages, that can change things greatly.

I like the 10-15MB download and install package, and would rather not see it a 150MB download and install package for lesser used features.

Easier to just jump into an online HTML editor, fire it up and format your page as you like (ensuring it complies with HTML5 standards), and then just copy/paste the code into pages.

Hold the boat we haven't got to v2.1.10.3 yet!
A WYSIWYG editor (Froala) is already included in the package (I am using it right now to write this message), so I believe it would be extremely easy to implement. I think XF developers have their own reasons for not adding this, and it's definitely not related to coding or bloating etc. Maybe they want to keep the platform purely as forum software, and I completely understand that. If you start adding CMS features you open the door for more bugs and problems, since people will most probably start using it to build non-forum sites.
 
I just hope they don't cram it with too much bloat. Best to keep the basic forum software light and then provide the rest as options you can purchase.
 
XF 2.2 HYS cycle?

Monday   Tuesday  Wednesday  Thursday  Friday   Saturday  Sunday
Jun 1    Jun 2    Jun 3      Jun 4     Jun 5    Jun 6     Jun 7
Jun 8    Jun 9    Jun 10     Jun 11    Jun 12   Jun 13    Jun 14
?
Jun 15   Jun 16   Jun 17     Jun 18    Jun 19   Jun 20    Jun 21
???
Jun 22   Jun 23   Jun 24     Jun 25    Jun 26   Jun 27    Jun 28
???
Jun 29   Jun 30   Jul 1      Jul 2     Jul 3    Jul 4     Jul 5
???
 
XF 2.2 HYS cycle?

Monday   Tuesday  Wednesday  Thursday  Friday   Saturday  Sunday
Jun 1    Jun 2    Jun 3      Jun 4     Jun 5    Jun 6     Jun 7
Jun 8    Jun 9    Jun 10     Jun 11    Jun 12   Jun 13    Jun 14
?
Jun 15   Jun 16   Jun 17     Jun 18    Jun 19   Jun 20    Jun 21
???
Jun 22   Jun 23   Jun 24     Jun 25    Jun 26   Jun 27    Jun 28
???
Jun 29   Jun 30   Jul 1      Jun 2     Jun 3    Jun 4     Jun 5
???
So why are we going from July 1st back to June 2nd? :unsure:
 