Hey everyone! 👋

After 10 months of development ⏰, I'm thrilled to announce that the first Release Candidate (RC) of Flatboard 5 is now available! 🎉 You can finally test it on your own servers.

I want to give a huge thank you 🙏 to all the users who provided feedback throughout this journey. Your input has been invaluable in getting us to this installable version. 💪

We're now in the final testing phase 🧪 before the official stable release, so this is your chance to help us iron out any remaining issues and make Flatboard even better. ✨

What's Next? 🔮

• Test it out 🧪 on your servers
• Report any bugs 🐛 or issues you encounter
• Share your feedback 💬 to help us refine the final release

Your continued participation means the world to this project. Let's make this final push together! 🚀

The Flatboard Team wishes you happy holidays filled with great exchanges on your new Flatboard installation! 🎄✨🎁

Looking forward to hearing your thoughts! 💭

Sounds good! Good job on the work.

yeaah 🎉

🎄 Flatboard v5.0.0-rc.2 Released – Merry Christmas! 🎅

December 23, 2025

We're excited to announce the release of Flatboard v5.0.0-rc.2, our second release candidate as we approach the stable v5.0.0 release. This update brings important bug fixes, performance improvements, and new maintenance features just in time for the holidays!

🎁 What's New in RC2

Bug Fixes

This release addresses several critical issues including incorrect reply counting for new discussions, SQLite storage bugs, notification delivery problems, and URL duplication issues. We've also improved the pinned discussions display and fixed various frontend resource handling issues.

Performance Improvements

We've significantly optimized tag loading across the platform by eliminating the N+1 query problem. The new batch loading pattern reduces database queries from 1+N to just 3 total queries, resulting in much faster page loads for discussion listings.

New Maintenance Tools

Added a new "Rebuild Discussion Replies" feature in the admin maintenance dashboard, allowing you to recalculate reply counts for all discussions with a single click.

Username Validation

Implemented comprehensive username validation (server-side, client-side, and JavaScript) to ensure profile URLs work correctly. Usernames now only accept alphanumeric characters, hyphens, and underscores.

📋 Full Changelog

For complete details on all fixes, changes, and improvements, check out the full changelog here.

🎅 Season's Greetings

As we release this update, we want to take a moment to thank our community for your continued support and valuable feedback throughout the year. Your contributions help make Flatboard better with each release.

Merry Christmas and Happy Holidays to everyone! 🎄✨

We wish you a wonderful holiday season filled with joy, peace, and time with loved ones. May the new year bring exciting opportunities and continued growth for your communities.

📥 Download & Upgrade

Download: Available on Resource Manager
Documentation: Visit our docs for upgrade instructions
Support: Join the discussion on our community forum

🔜 What's Next

We're getting closer to the stable v5.0.0 release! Continue testing this release candidate and report any issues you encounter. Your feedback is invaluable in helping us deliver a rock-solid stable release.

Happy Holidays and Happy Forum Building! 🚀

— The Flatboard Team

Flatboard v5.0.0-rc.3 Released

📋 Full Changelog

For complete details on all fixes, changes, and improvements, check out the full changelog here.

Flatboard v5.0.0-rc.4 Released

📋 Full Changelog

For complete details on all fixes, changes, and improvements, check out the full changelog here.

It's working!

Flatboard 5 RC5 - Release Summary

🛡️ Security & Group Management Improvements (High Priority)

Critical Security Fixes

Group Management Security Enhancements:

• Protected Default Groups: Default groups (Administrator, Moderator, Member, Guest) can no longer be deleted, preventing system breakage
• User Assignment Protection: Groups with assigned users cannot be deleted, ensuring data integrity
• ID-Based Group Identification: Groups are now identified by permissions and IDs instead of names, preventing security vulnerabilities from group renaming
• Duplicate Group Prevention: Fixed critical bug where renaming default groups would create duplicate groups, potentially causing permission conflicts

Security Benefits:

• ✅ Prevents accidental deletion of critical system groups
• ✅ Maintains data integrity by preventing deletion of groups in use
• ✅ Robust identification system that doesn't depend on group names
• ✅ Eliminates permission conflicts from duplicate groups

Technical Security Details

Group Identification Strategy:

1. Primary: Checks for specific permissions (admin.access, moderation.moderate)
2. Secondary: Uses cached group IDs from helper methods
3. Fallback: Checks group names for backward compatibility

This three-tier approach ensures:

• Groups can be renamed without breaking security
• New groups with similar permissions are correctly identified
• Backward compatibility with existing installations

Files Modified:

• app/Models/Group.php - Added protection in initDefaults() and delete() methods
• app/Helpers/GroupHelper.php - Added isDefaultGroup() and hasUsers() security checks
• app/Controllers/Admin/GroupController.php - Added validation to prevent dangerous deletions

🎨 Premium Theme Enhancements

New Configuration System:

• 15+ configurable parameters for theme customization
• Layout options (centered, wide, compact)
• Visual style controls (animations, borders, fonts, spacing)
• Feature toggles (hero sections, stats, breadcrumbs, avatars, signatures, etc.)

Benefits:

• Customize theme without modifying core files
• All changes contained within themes/premium directory
• Backward compatible with existing installations

⚡ Backend UX Improvements

Dynamic Updates:

• No manual page refresh required after operations
• Lists update dynamically via AJAX
• Smooth animations for deletions
• Forms reset automatically after success
• Language changes trigger automatic page reload

Applied to:

• Groups, Categories, Reactions, Users, Reports, Bans, Backups, Updates, Configuration

🔧 API Routing Fixes

Improved API Endpoint Handling:

• Fixed routing for /api/* endpoints
• Works with root, subdirectory, and subdomain installations
• Updated .htaccess and nginx.conf configurations

🌓 Automatic Theme Mode Fix

Browser Preference Detection:

• Automatic mode now correctly detects browser/system preferences (prefers-color-scheme)
• Real-time updates when system preferences change
• Replaced time-based detection (6h-20h) with proper system preference detection

Benefits:

• Theme adapts to user's system preferences
• Immediate updates when preferences change
• Standards-compliant implementation

📦 Theme Optimization

Premium Theme Size Reduction:

• Removed 58 unmodified view files
• Theme now only contains customized views
• Automatic fallback to default views for removed files

Benefits:

• Lighter theme package
• Easier maintenance
• Automatic updates for unmodified views

📝 Code Quality

Logging Improvements:

• Removed verbose debug logging
• Cleaner, more focused log files
• Better performance with fewer I/O operations

🔄 Migration Notes

No Action Required:

• All changes are backward compatible
• Existing installations work without modification
• Group security improvements are automatic

Optional:

• Review themes/premium/theme.json to customize theme settings
• Clean up any duplicate groups if they exist from previous versions

📊 Summary Statistics

• Security Fixes: 4 critical group management vulnerabilities fixed
• Files Modified: 50+ files across core and themes
• New Features: Theme configuration system, dynamic backend updates
• Bug Fixes: Group duplication, theme mode detection, API routing
• Performance: Reduced logging overhead, optimized theme size

For complete details on all fixes, changes, and improvements, check out the full changelog here.

[RC5 Update] - 2025-12-29

Added

• Base URL Configuration: Added a new base_url setting in the admin panel's general settings
  • Allows administrators to manually configure the base URL path for the application
  • Supports automatic detection when left empty (default behavior)
  • Available in all themes (default, premium, bootswatch)
  • Includes helpful placeholder text and description
  • Translation keys added in both English and French:
    • settings.general.base_url: "Base URL"
    • settings.general.base_url_placeholder: "Leave empty for automatic detection"
    • settings.general.base_url_help: Detailed help text explaining usage

Changed

• URL Helper Improvements: Enhanced UrlHelper::detectBaseUrl() method
  • Improved detection logic when application is at the root of the domain
  • Prevents incorrect /public prefix from being added to base URL
  • Better handling of edge cases in URL detection
  • Added forceBaseUrl() method to explicitly set base_url to an empty string

Fixed

• URL Generation: Fixed issue where all asset loadings and internal links were incorrectly prefixed with /public
  • Improved base URL detection to correctly identify when application is at domain root
  • Fixed URL generation for assets, internal links, and API endpoints
  • Ensures proper URL structure regardless of installation path

Technical Details

• Configuration Controller: Updated ConfigController::update() to handle the new base_url setting
• View Updates: Added base_url input field in admin configuration views:
  • app/Views/admin/config.php (default theme)
  • themes/premium/views/admin/config.php (premium theme)
  • themes/bootswatch/views/admin/config.php (bootswatch theme)
• Translation Files: Added translation keys in:
  • languages/en/admin.json
  • languages/fr/admin.json

Migration Notes

• No database migration required
• Existing installations will continue to use automatic base URL detection
• Administrators can optionally configure base_url in Settings > General if needed
• If base_url is set, it will override automatic detection

Notifications

Added

• Notification Type Badge: Added a translated badge displaying the notification type (e.g., "Reply", "Mention", "Reaction") before the notification title in the frontend notification center
  • Badge appears in both the notification dropdown and the full notification list page
  • Supports all notification types: new_reply, mention, reaction, report_handled, badge_earned, resource_submission, private_message, level_up
  • Translation keys added: notification.types.{type}.label and notification.type.{type} in both French and English

Improved

• Error Handling: Enhanced error handling for notification API requests
  • 404 and 401 errors on notification routes are now silently ignored (no error popups)
  • Prevents unnecessary error messages when notifications are not available (e.g., for guests or when routes are not yet initialized)
  • Automatic polling of notifications every 30 seconds only when the tab is visible and user is logged in

Technical Details

• Modified files:
  • app/Views/notifications/index.php
  • themes/premium/views/notifications/index.php
  • themes/bootswatch/views/notifications/index.php
  • themes/assets/js/notifications.js
  • languages/fr/main.json
  • languages/en/main.json
  • themes/assets/js/toast.js (added notification routes to silent error list)

Groups

Fixed

• Default Group Detection: Fixed issue where custom groups with same permissions as default groups were incorrectly identified as default groups

  • Default group IDs are now stored in cache during initial creation
  • isDefaultGroup() method now uses cached IDs instead of permission-based detection
  • Prevents false positives when creating custom groups with similar permissions

• Group Duplication: Fixed critical issue where groups were duplicated on each admin panel login

  • Ensured GROUPS_INITIALIZED cache is always set after initialization
  • Improved group detection logic to be more robust and consistent
  • PermissionHelper::initDefaults() is now called only once after all groups are created

• Group Deletion Protection: Enhanced protection for default groups

  • Default groups (Administrator, Moderator, Member, Guest) cannot be deleted
  • Groups with assigned users cannot be deleted
  • Detection now uses cached default group IDs for reliable identification

Added

• Automatic Order Index: New groups now automatically receive the correct order_index when created
  • Calculates the maximum existing order_index and assigns maxOrder + 1 to new groups
  • Ensures new groups are placed at the end of the list
  • Default groups receive sequential order indices (0, 1, 2, 3) during initial creation

Improved

• Group Identification: Improved methods for identifying default groups
  • getAdminGroupId(), getModeratorGroupId(), getMemberGroupId(), getGuestGroupId() now:
    • First check cached default group IDs (most reliable)
    • Fallback to permission-based detection if cache is not available
    • Limit search to first 4 groups created to avoid false positives
    • Store identified IDs in cache for future use

Technical Details

• Modified files:
  • app/Models/Group.php
    • Added DEFAULT_GROUP_IDS cache storage during group creation
    • Improved initDefaults() to store default group IDs
  • app/Helpers/GroupHelper.php
    • Enhanced isDefaultGroup() to use cached IDs
    • Improved all default group ID getter methods
  • app/Controllers/Admin/GroupController.php
    • Added automatic order_index calculation in create() method
  • app/Core/CacheKeys.php
    • Added DEFAULT_GROUP_IDS constant

Cache Management

• Default group IDs are stored in long-term cache (DEFAULT_GROUP_IDS)
• Cache is not invalidated when groups are created, updated, or deleted (only default groups are protected)
• Cache ensures stable identification of default groups even after renaming or permission changes

URL Fixes

Fixed

• Incorrect /public Prefix in URLs: Fixed issue where all asset and internal links were incorrectly prefixed with /public

  • Improved base_url detection logic in UrlHelper::detectBaseUrlStatic()
  • Added condition to return empty string for base_url when application is at domain root
  • Prevents /public from being incorrectly added to URLs when site is at root level

• Base URL Detection During Installation: Fixed issue where assets were not accessible during installation due to incorrect paths

  • Updated install.php to use UrlHelper::detectBaseUrlStatic() for consistent detection
  • Improved asset_url() function to correctly prefix asset paths with detected base URL
  • Added informative alert in installation form displaying automatically detected base_url

• Base URL Configuration: Enhanced base URL management

  • Added base_url input field in admin configuration settings
  • Allows manual override of automatically detected base URL
  • Supports empty string to force root installation even if subdirectory is detected
  • Prevents index.php from being included in base_url configuration

Added

• Static Base URL Detection Method: Added UrlHelper::detectBaseUrlStatic() public static method

  • Can be used without initializing the full application (useful for installer)
  • Provides consistent base URL detection across application and installer
  • Handles multiple scenarios: root installation, subdirectory installation, and /public/ directory structure

• Base URL Admin Setting: Added base_url configuration field in admin panel

  • Available in general settings section
  • Displays current base URL value
  • Allows administrators to manually set or override detected base URL
  • Translation keys added: settings.general.base_url and settings.general.base_url_help

Improved

• Base URL Detection Logic: Enhanced detection algorithm
  • Multiple fallback methods for reliable detection
  • Handles edge cases: root installations, subdirectories, and /public/ directory structure
  • Validates detected base URL to prevent incorrect values
  • Automatically saves detected value to configuration

Technical Details

• Modified files:
  • app/Helpers/UrlHelper.php
    • Added detectBaseUrlStatic() public static method
    • Improved detectBaseUrl() private method to use static method
    • Enhanced base URL detection with multiple fallback methods
    • Added validation to prevent index.php in base URL
  • app/Controllers/Admin/ConfigController.php
    • Added handling for base_url setting in update() method
  • app/Views/admin/config.php
    • Added base_url input field in general settings section
  • themes/premium/views/admin/config.php
    • Added base_url input field
  • themes/bootswatch/views/admin/config.php
    • Added base_url input field
  • install.php
    • Updated detectBaseUrlDuringInstall() to use UrlHelper::detectBaseUrlStatic()
    • Improved asset_url() function for correct asset path generation
    • Added informative alert displaying detected base URL
  • languages/fr/admin.json
    • Added settings.general.base_url and settings.general.base_url_help translation keys
  • languages/en/admin.json
    • Added settings.general.base_url and settings.general.base_url_help translation keys
  • languages/fr/install.json
    • Added baseUrlInfo and baseUrlDetected translation keys
  • languages/en/install.json
    • Added baseUrlInfo and baseUrlDetected translation keys

Summary

Notifications

• Better user experience with notification type badges
• Improved error handling prevents unnecessary error popups
• More reliable notification polling system

Groups

• Fixed critical duplication bug
• Enhanced default group protection
• Automatic ordering for new groups
• More reliable group identification system

URL Fixes

• Fixed incorrect /public prefix in URLs
• Improved base URL detection during installation
• Added base URL configuration in admin panel
• Enhanced base URL detection algorithm with multiple fallback methods

ALWAYS RC5 VERSION!

Flatboard v5.0.0-rc.6 Released

Release Date: December 31, 2025
Codename: HAPPY NEW YEAR

📋 Full Changelog

For complete details on all fixes, changes, and improvements, check out the full changelog here.

Fred

I can´t change themes (default, Premium) anymore.
Only via json.conf but not all Settings work and the Colors Wrong.

Backups not working anymore, I can select the Folders but if I try to start it Iwas asked if I wish to create a Backup and if I say ok nothing happens.

JPRuehmann

Flatboard v5.0.0-rc.7 Released

Release Date: January 02, 2026
Codename: HAPPY NEW YEAR

📋 Full Changelog

For complete details on all fixes, changes, and improvements, check out the full changelog here.

Flatboard v5.0.0-rc.8 Released

Release Date: January 04, 2026
Codename: HAPPY NEW YEAR

📋 Full Changelog

For complete details on all fixes, changes, and improvements, check out the full changelog here.

Flatboard v5.0.0-rc.8b Released

Release Date: January 05, 2026
Codename: HAPPY NEW YEAR

📋 Executive Summary

This release focuses on security improvements, performance optimizations, code quality enhancements, GDPR compliance, and bug fixes:

• 🔴 Critical Security Fix: Fixed race condition vulnerability in RateLimiter using file locking
• 🔴 Critical Security Fix: Fixed XML injection vulnerabilities in SitemapService and XSS in SearchService
• 🔴 Critical Security Fix: Fixed SSRF vulnerability in WebhookService with URL validation and private IP blocking
• ⚡ Performance: Added caching layers in Visitor model (bot detection, presence data)
• ⚡ Performance: Fixed catastrophic N+1 query problems in SearchService (1000+ queries → few queries)
• ⚡ Performance: Fixed timeout issues in RateLimiter and Cache using non-blocking locks with retry
• 🔄 Async Processing: Implemented asynchronous webhook queue system with retry logic and exponential backoff
• 📊 Monitoring: Added webhook history tracking and admin interface for webhook management
• 🔒 GDPR Compliance: Implemented complete user data export system with ZIP archive generation and email delivery
• 🛠️ Admin Tools: Added cache clearing tool to maintenance dashboard for easy cache management
• 🐛 Bug Fixes: Fixed post navigation, download service syntax error, API post retrieval
• 🛡️ Reliability: Enhanced error handling and logging throughout the codebase
• 📚 Documentation: Comprehensive PHPDoc documentation in French for all core classes
• 🔌 Plugin System: Universal hook router.plugins.register for plugin route registration
• ✅ Validation: Enhanced Validator class with 38 validation rules and Laravel-style syntax
• 🔐 Session Management: Improved secure session handling with fingerprinting and timeout management
• 📝 Logging: Added configurable minimum log level to reduce verbosity

Key Files Modified: RateLimiter.php, Visitor.php, DownloadService.php, show.php, PostApiController.php, App.php, Router.php, Session.php, Validator.php, Request.php, Response.php, Sanitizer.php, SearchService.php, SitemapService.php, WebhookService.php, WebhookQueue.php, WebhookHistory.php, Cache.php, Logger.php, MaintenanceController.php, dashboard.php, and all plugin files

📋 Full Changelog

For complete details on all fixes, changes, and improvements, check out the full changelog here.

Fred

A lot of 404 errors

Gavin

Hold on, let me get my crystal ball out. In the meantime, here's how to report bugs in the correct forum section, please.

Fred

So far it's just that. Only if magic allows that.

Flatboard v5.0.0-rc.10 Released

📋 Full Changelog

For complete details on all fixes, changes, and improvements, check out the full changelog here.