Great is the art of beginning, but greater is the art of ending
Henry Wadsworth Longfellow

I announce that I cease all development and activity in the programming universe indefinitely. My career has reached the turning point I was not expecting for at least another year, leaving me highly off guard and without laid-out plans for this hobby's continuity. I have begun a 5-year residency program in Neurosurgery which is clearly not compatible, time-wise, with programming.

I gave in all my passion for developing, and you gave me back your loyalty and trust, even when I did not deserve that much. Now it is the time for payback. I release all my present and past work as Open Source software, in the hope some talented developer will continue maintaining and expanding my vision of a modern, sleek forum software. The intrinsic flexibility of MyBB is the true hidden gem of an otherwise outdated codebase; I do hope the project can continue and be updated complying with the latest coding standards.

I hereby thank Euan, kawaii, andrewjs18, Ben, Matt, Omar G., effone, Eric J., Devilshakerz, Wildcard, JordanMussi and all the other team members I have had the opportunity to work with when I was a MyBB team member. I thank Tomm M, my mentor, who inspired me to pick up coding with his piece-of-art plugins. And finally, I thank all of you MyBBoost subscribers who have helped me get through my toughest university years economically.

Yours sincerely, Filippo

[Security] Email and password changing

6 Apr 2020 Edited
#1 This is a massive security vulnerability, the change email page is directly accessible.

- Permission setting to change password and email for usergroups.
- Username changes are moderator approvable, this functionality should be provided with password and email changes.
- Enforce email verification for password and email changes.
- Previous email, date and IP logging for email and password changes.
- Failed login attempts logging between password and email changes.
- IP and date logging for password reset requests.
- Lookup accounts with password/email changed from IP range.

Secondary plugin:
- Message and title filter for thread creation in sub-forums that prevents posting and responds with customizable instructions.
- Message and title filter for PMs and contact page which would disable (IP and cookie block) PM'ing and contacting through the contact page until further notice. This should be a flag in the database that can be modified externally and it would eventually update in the Task Manager.

Shade 6 Apr 2020
I can work on the first one. I have to do some brainstorming but it might be a Basic to Advanced-tier plugin. Don’t expect it before end of July/August.

Please open a thread per each plugin request.

PS: there is no security vulnerability. Both pages are only accessible if logged in.

Kalju 6 Apr 2020 Edited
The point is to stop users from being able to change email and password and the info provided in that thread just hides the buttons without removing the functionality.

I have it implemented by just copying the permission code from "can change username".
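
The difference between hiding the buttons and removing the functionality, shown as an added example (not Kalju's or Shade's code): a MyBB 1.8 plugin that refuses the email and password User CP actions on the server, in the same way core checks `canchangename` for username changes. The plugin file name, the function names and the `canchangeemail` / `canchangepassword` usergroup columns are assumptions; the columns are taken to have been added to the usergroups table already.

```php
<?php
// Added example. Hypothetical plugin file: inc/plugins/credchange_guard.php
if (!defined('IN_MYBB')) {
    die('Direct access not allowed.');
}

// usercp_start runs in usercp.php before any action handler is reached,
// so a request sent straight to usercp.php?action=email is checked as well.
$plugins->add_hook('usercp_start', 'credchange_guard_check');

function credchange_guard_info()
{
    return array(
        'name'          => 'Credential change guard (example)',
        'description'   => 'Server-side permission check for email and password changes.',
        'author'        => 'example',
        'version'       => '0.1',
        'compatibility' => '18*',
    );
}

function credchange_guard_check()
{
    global $mybb;

    // Both the form view and the form submit are gated: blocking only the
    // view would leave the do_* POST handlers reachable.
    // The permission names are hypothetical usergroup columns.
    $required = array(
        'email'       => 'canchangeemail',
        'do_email'    => 'canchangeemail',
        'password'    => 'canchangepassword',
        'do_password' => 'canchangepassword',
    );

    $action = $mybb->get_input('action');
    if (!isset($required[$action])) {
        return; // not an action this plugin guards
    }

    // Fail closed: a missing or zero permission value denies the request.
    $perm = $required[$action];
    if (empty($mybb->usergroup[$perm]) || (int)$mybb->usergroup[$perm] !== 1) {
        error_no_permission();
    }
}
```
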

Shade 6 Apr 2020
So you don't need it anymore?

Kalju 7 Apr 2020
Still need the logging data.

Shade 7 Apr 2020 Edited
Alright, will add to my to-do list.