Yearly wrap-ups, parcels, garlands… the summer is here, mate. If you found yourself on a chilly night (or hemisphere), read on to warm up as we take a look at another MyBB 1.9 milestone.

Fresh Out the Oven

Recent code on the development branch included the topping up of the new theme logic — with its Admin CP interface and front-end switches.

The majority of work on MyBB 1.9 focuses on how the file-based extension packages work, interact, and tie into the rest of the application. While managing themes, you’ll now find that every theme will be linked to a package found in the filesystem.

The individual, database-tied Themes will be the place to customize options defined by package authors.

You’ll still recognize most of the Admin CP styling section, as templates and stylesheets in the legacy format — inserted by plugins — will continue to be supported in the new series to ease the transition, while extensions are modernized.

Even though many authors prefer working in their favorite IDE, we want to bring a similar experience of creating and editing file packages to the Admin CP. We’re preparing to introduce an interface for Packages, where developers will find package-level tools — to prepare their themes and plugins for release — as well as a web editor for individual resources.

Another natural stepping stone up to MyBB 1.9 relates to how we all get there: the upgrade process.

Using the new installer — with a CLI and a web UI that causes less mouse button wear — the upgrade has caught up with the rest of the application. The necessary adjustments for the theme system, new features, and internals are now checked and applied to carry over existing forums to MyBB 1.9 (and it worked on the first try, too).

This means you can grab the latest version and follow the familiar, improved procedure to upgrade a test copy of your MyBB 1.8-based forum. How does the 1.9 series suit it so far?

Between the headline changes, there are a number of miscellaneous improvements.

Moderators will see their toolset expanded with the ability suspend avatars and private messages. When handing out warnings, they can also require them to be acknowledged.

Users will enjoy the smooth curves of built-in smilies remastered in vector format (if you prefer to with the force of all pixels, your old files will still be there). The general visual experience has also been brushed up around the deprecated post subjects, thread ratings, and a toggle to hide post icons globally.

And, to tell who’s who in the first place, a group legend for your forum community’s hierarchical needs.

A new theme and UI handling mean that we’ll continue applying visual, performance, and internal tweaks to the engine. An overview of source code languages — now including Twig and SCSS — helps convey the extent of changes to MyBB’s GUI (even larger when factoring in PHP controller code and theme logic). Code in those languages will be in focus, as we balance the cool hues of MyBB’s new default Base Theme.

As always, you’ll find the stream of changes in our repository.

Hot Reload

How do you keep an eye on the new branch? Most of our Community members prefer the simple build package, updated seconds after any change is committed to the repository. In our quest to improve quality of life, and to bridge users with code progress, we’ve made it easier to tell whether your local installation could use a refresh — to see the latest layer of tweaks.

Now, when using:

• the automated package,
• a .zip from GitHub, or
• simply git clone,

MyBB will show you the exact commit for the preview version you’re running — displayed on the Admin CP Dashboard.

Additionally, if further commits are made to the official development version — checked together with regular updates — the top commit will be shown below.

Take a glance at the Home page to see if any new changes made their way up since your download, to ensure that bug is still reproducible, or to simply live on the edge of dev-1.9.

We recommend pairing this with the &fast parameter during (re)installation. Which one of your setups has MyBB installing itself the fastest?

This shift in approach keeps code contributors in a closer loop, compared to individually tagged test releases along the development timeline.

To stay in the loop, the relevant discussions for the series — and later, its maintenance — can now be found in its own MyBB 1.9 Development category on our Forums. Additionally, the 1.9 Bugs and Issues forum has been opened to catch reports that don’t appear directly on GitHub.

Cooking Resources

What does this button do?

Ensuring everybody can confidently use the software comes in many forms.

As users, we don’t usually thumb through manuals — in part, because it’s baked into the UI as descriptions, hints, or visual cues. More extensive usage, however, gives rise to many non-trivial questions. As developers, we can parse the code, but the question becomes where to start. Those questions need to be answered somewhere, and providing the answers — often preemptively — is a large chunk of activities in a software project.

Shortly after progress moves on from chats and first drafts, it bubbles up the information ladder, starting on the technical level. To help developers find their way in 1.9, we now attach high-level architectural summaries of code regions, starting with one for MyBB\View.

This authoritative information hierarchy then continues with content published more widely and with fewer technicalities.

Every now and then, we like to take people through preview workshops in the Development forums to demonstrate features still cooling off, and to gather feedback — while leaving options to make further adjustments.

Next? If code is poetry, documentation is its close reading; tutorials teach the craft; and Blog posts are authors’ notes. As the code for MyBB 1.9 begins to rhyme, it can be used to derive all the above.

Our Docs explain how the app works in living documents, maintained long-term, on par with stable code. Above articles updated for any new MyBB series, you’ll now find a switch to access content for the given branch.

We expect several key content related to MyBB 1.9’s new functionality, including the specification of new data formats. The go-to reference will include articles for:

• Resource files and metadata — the new system’s building blocks,
• Templates — on using Twig, useful theme functions, and variables,
• Assets — explaining the definition files, API functions, and pipeline,
• Theme packages — on theme types, inheritance, and features, and
• Plugin interfaces — on handling templates and styles, the new way.

While the changes and new features are great to look at for users, people building their forums, extensions, and contributing to the core, will feel more comfortable with a few cheatsheets. This is why, close to feature completion, we’ll begin a practical comparison and commentary relevant for each of those audiences hosted here, on the Blog.

The Blog tour, leading up to a stable release, will recap new features — big and small; what the new theme system is all about; how to update extensions so they stay compatible; practical tips for administrators upgrading their forums; and all notable internal changes for code contributors.

From chats to stable software, code is best accompanied by prose appropriate for each stage.

Warm Community

The extension ecosystem is part of MyBB’s identity.

One of the preview guides is the recently published introduction to UI plugins on MyBB 1.9.x, which shows the new, soon-to-be-canonical techniques to use when your plugin touches the user interface.

Even though the new methods implicitly make plugin code cleaner, the transition will be smoothed out by a set of compatibility features.

While 1.9 themes don’t use the legacy format, such templates and stylesheets will continue to be available for use by plugins — and attached to pages by MyBB. The plugin engine will collect legacy template variables, so they can be repurposed in 1.9 themes without modifying plugin code. The core will also assist legacy plugins with the rendering of full pages, when they don’t yet use the new HTML layout.

When your extensions are ready, you’ll be able to upload them to the Extend platform, and mark your new and existing projects as compatible with 1.9.x.

In addition to the Extensions category on the Forums, you can discuss those and other aspects of developing extensions in the unified chat channel #extend.

Before we wrap the post (and some presents), we’d like to look at the past and to the future, as this month marks two decades since MyBB began shaping internet communities — with its first stable version announced twenty years ago. Here’s to 20 more. We start with 1.9.

Thanks,
The MyBB Team

• 2 security vulnerabilities addressed:
  • Medium risk: Upgrade local file inclusion (advisory) — reported by Cillian Collins
  • Low risk: Unviewable threads title disclosure in search (advisory) — reported by Huseyn (Khatai) Gadashov (Exploit Azerbaijan)
• 37 issues resolved

Check the Release Notes for more information.

Get latest MyBB Full & Upgrade Packages →

The MyBB Project extends thanks to reporters and researchers following responsible disclosure.
Go to mybb.com/security to report possible security concerns or to learn more about security research at MyBB.
If you would like to contribute to the Project, Get Involved.

Thanks,
MyBB Team

MyBB’s ecosystem spans across several platforms connecting contributors, authors, and users. In this post, we’ll collect a number of recent highlights from around the Project.

10³ Stars on GitHub

Software is often divided into closed- and open-style development.

Back in 2009, MyBB switched from the former to the latter, enabling administrators and developers, who tweak their forums in the most random ways, to submit and see their fixes in official releases. The move also opened up the development process and allowed a crowd of enthusiasts to critique any upcoming changes and test them on their own servers, and with custom plugins.

Since then, code from 100+ contributors has made its way into MyBB, and earlier this year, the Project’s main repository passed the symbolic threshold of 1K stars from members of the open source community.

If you have patches of your own, or would like to otherwise make MyBB a better forum software, explore some of the options in the CONTRIBUTING.md file.

10² Stars for Top Extensions

If you’ve been using MyBB, you’ll know that the core package is only a part of its identity: extensions have an important place in the ecosystem that’s been maturing for two decades.

Today, the Extend platform hosts over 1300 projects that have published more than five thousand releases downloaded well over two million times, and a pair of extensions have already crossed the 100-star mark — taking a portion of over 6.5 thousand stars given in total.

Starring projects allows you to find them in a single place when you’re ready to start your new forum, and subscribing to them (which was done more than a thousand times) will notify you of new releases to check out.

As we work to define MyBB as lightweight software with modern features, we aim to further strengthen extensions as a pillar of the application by building authoring aids and APIs into the core to make the experience easier and more pleasant for everyone involved.

10¹ Development News

In recent months, numerous key elements of the upcoming series have taken shape. Read ten notes about the View system, extending MyBB, merged features, requirements, and upcoming works in the 1.9 Development Milestone thread.

We have also published a Quick Start cheatsheet, allowing you to set up the development branch and preview it right away using your favorite workflow.

If you’re ready for some tinkering and a deeper dive, read Experimenting with Inheritance Basics, where we make use of the new theming system and track how the application handles it so far.

10⁰ Familiar-looking Theme

When patrolling the Extend section, we noticed one submission was particularly reminiscent, but we couldn’t put our finger on it. A careful investigation that included, among other methods, reading its documentation revealed that it’s MyBB 1.9’s official theme — for MyBB 1.8.

The Curves UI takes the upcoming series’ look and backports it visually into the current stable version. It is also maintained on GitHub, where you can work with authors to improve it further.

It joins many responsive Community-maintained themes, so it’s another good starting point for customization, and if you’re looking to prepare your forum for the style transition into 1.9.x, you can now use its latest build to make the eventual switch extra smooth.

The Base

With the Community-driven environment giving the Project its power, the base of organizing work and tying up all loose ends is done by the MyBB Team.

To ensure this exponentiation yields the best product, we’ve recently brushed up and published the list of Roles, including ten non–management focus areas within the Team. Those now include separate teams for testing and developer relations, in adjustment according to the direction we’d like to take.

While those spots are often filled through invitation, if some of the listed activities pique your interest, tell us about it (the worst you’ll get is a friendly nudge in the right direction on how to make a positive impact!).

If you’d like to keep up to date with various news related to MyBB development and the Project behind it on the fediverse, use our verified handle @mybb@fosstodon.org.

Administrators of installed boards should update the existing configuration (inc/config.php) to include all addresses blocked by default in Disallowed Remote Addresses.

• 2 security vulnerabilities addressed:
  • Low risk: Incomplete disallowed remote addresses list SSRF (advisory) — reported by shin24
  • Low risk: Backups directory .htaccess deletion (advisory) — reported by shin24
• 16 issues resolved

Check the Release Notes for more information.

Get latest MyBB Full & Upgrade Packages →

The MyBB Project extends thanks to reporters and researchers following responsible disclosure.
Go to mybb.com/security to report possible security concerns or to learn more about security research at MyBB.
If you would like to contribute to the Project, Get Involved.

Thanks,
MyBB Team

This version includes improvements for compatibility with mailing configurations and recent PHP versions.

• 2 security vulnerabilities addressed:
  • Medium risk: Visual editor size code persistent XSS (advisory) — reported by Paulos Yibelo (Octagon Networks)
  • Low risk: ACP Themes persistent XSS (advisory) — reported by Or4nG.M4n
• 12 issues resolved

Check the Release Notes for more information.

Get latest MyBB Full & Upgrade Packages →

The MyBB Project extends thanks to reporters and researchers following responsible disclosure.
Go to mybb.com/security to report possible security concerns or to learn more about security research at MyBB.
If you would like to contribute to the Project, Get Involved.

Thanks,
MyBB Team

After applying the patch, we recommend using the Admin CP’s Tools & Maintenance → System Health → Check Templates tool to scan for security issues that may not have been detected before this version.

• 1 security vulnerability addressed:
  • High risk: ACP Templates RCE (advisory) — reported by Emmet Leahy

Check the Release Notes for more information.

Get latest MyBB Full & Upgrade Packages →

The MyBB Project extends thanks to reporters and researchers following responsible disclosure.
Go to mybb.com/security to report possible security concerns or to learn more about security research at MyBB.
If you would like to contribute to the Project, Get Involved.

Thanks,
MyBB Team

This version improves stability and compatibility with various PHP versions.

• 7 issues resolved

Check the Release Notes for more information.

Get latest MyBB Full & Upgrade Packages →

Go to mybb.com/security to report possible security concerns or to learn more about security research at MyBB.
If you would like to contribute to the Project, Get Involved.

Thanks,
MyBB Team

• 1 security vulnerability addressed:
  • Low risk: User CP email persistent XSS (advisory) — reported by Ahmet Altuntaş
• 13 issues resolved

Check the Release Notes for more information.

Get latest MyBB Full & Upgrade Packages →

The MyBB Project extends thanks to reporters and researchers following responsible disclosure.
Go to mybb.com/security to report possible security concerns or to learn more about security research at MyBB.
If you would like to contribute to the Project, Get Involved.

To keep up with Project news, you can now follow MyBB on Mastodon.

Thanks,
MyBB Team

One key to keeping software projects and the surrounding communities healthy is keeping friction for all audiences to a minimum.

In MyBB, this friction is derivative of user experience and developer experience. Our largest audience is formed by the end users — people browsing online forums, not expected to know what MyBB is, yet benefitting from fine-tuned visuals, phrases, and flows that come out-of-the-box. At the same time, we target two groups further down the forum assembly line, for whom both UX and DX apply.

For site owners and community leaders, the software needs to be approachable and intuitive — without requiring particular knowledge of languages and technologies — but also allow tweaking its look and functionality by maintainers with technical experience.

For developers, in addition to a useful extension system, APIs, and documentation, the software needs to expose the appropriate tools to allow speedy development and testing — without assuming one’s familiarity with it.

These factors are crucial in the world of free and open-source software, where the development relies on external contributors and their ease of work.

A setup mechanism is where their paths cross: it has to break down unavoidable complexity, without getting in expert users’ way. Besides having to meet best UX and DX practices, it also carries the weight of defining the first impression of the product for everyone.

The Need for Speed

kawaii — 2:56 PM

I wonder how many of the PostgreSQL installs are me with my Docker stack

People who work with, and on MyBB, install it a lot. To comfortably test new code and eliminate bugs in the core and extensions, their setup should require minimal time and attention better spent on the task at hand.

The existing installation experience left much to be desired — among others, the old installer:

• • • • • • • is strictly synchronous and static, making users alternate between waiting and filling out forms,
            • asks for information that’s either nonessential (e.g. a website URL for the optionally displayed link), or derived (e.g. cookie settings that can be deduced from the forum URL),
            • contains technical details of little to no relevance, which also makes it more difficult to navigate,
            • loads pages only for the user to press Next, instead of proceeding automatically,
            • offers no shortcuts for quick setup for testing or development, and
            • can’t be scripted or automated.

The special part of the application accessed through install/ was largely self-contained and separate from the rest, offering a good target for improvements parallel to other work on the 1.9 series.

In this post, we share how the system was disassembled, redesigned, and rebuilt.

Key Changes

The new implementation was expected not only to address the web GUI problems, but also to introduce a mirror interface for the command line, as well as a PHP API for direct execution.

Rather than tailoring the interfaces to any specific business logic, the GUI and CLI were generally prepared for miscellaneous future usage (i.a. by the Merge System, which currently has to carry its own UI).

Correspondingly, the existing activities — installation and upgrade — were rewritten as universal processes with controlled input, output, and better-isolated logic, while the miscellaneous, reusable code was refactored into functions.

Del

The best kind of code improvement is its deletion. With MyBB 1.9 switching to file-based themes, the most time-consuming operation of inserting the templates into the database was safely removed. In the same spirit, the GNU GPL license agreement was left out, given that it relates to distribution, rather than usage of software. The installation’s final page was scrapped, and the summary information was moved to a Welcome to MyBB thread, which additionally serves as dummy content for new users to play with after being redirected there from the installer.

Process operations are executed automatically until user input is needed, without unnecessary confirmation or technical output. For example, the installer skips the full list of requirements — available on Download and Docs pages — and only produces relevant details when problems are found.

Input for settings related to HTTP cookies (responsible for the Domain and Path attributes) — effectively derivative of the Board URL — was removed, and the values are determined automatically instead. Similarly, the setting for the Secure flag will now be immediately enabled for HTTPS-based URLs.

The reorganization reduced the number of steps (and displayed screens) to four, grouping all related operations according to the types of data they depend upon (gathered using forms in the browser, or series of prompts in the CLI).

Ctrl V

Both processes were supplemented with a mechanism previously exclusive to the Admin Control Panel: checksum verification. Given the potential for various problems to occur during upload, MyBB will run an integrity check of its files during installation and upgrade.

Another feature brought in line with the core was language support: although a .lang.php phrases file was utilized, applying non-English languages required overwriting it, which was a pain point when distributing translations. In 1.9, the file was moved to the inc/languages/ structure, meaning that it can be supplied within ordinary language packs. When non-English packs are detected, a selection is displayed, and if just one extra language is present, it becomes the default option. This choice also changes the board’s Default Language, and that of the new administrator account.

Finally, the version check functionality was replicated in the GUI, allowing webmasters to easily confirm they are about to install, or update to, the application’s latest available version.

Insert

To help prevent accidental overwriting of data, signs of an existing instance will result in alternative headings and descriptions, indicating a reinstallation. As forgotten forums may appear broken for numerous reasons (e.g. failed database connection, or missing content), a more precise status is attached to the first step.

Lowering the bar for new forum owners, we made two improvements to the database credentials form — likely to be the most difficult one. First, the process now provides instant feedback for parameters at multiple stages (server connection, authentication, database access, and existence of old tables). Second, while the default database engine selection was already filtered according to enabled PHP extensions, the new process will also perform a number of educated guesses to pre-fill the rest of the form. This behavior may be especially beneficial to testers and developers who use standardized credential sets.

User Interfaces

Web UI

The new web-based interface uses a single index.php entry point, which contains fallback code to provide friendly error messages when PHP cannot be executed, or its version is not supported.

In MyBB 1.8 and before, when accessing the directory with a functional forum, administrators would be presented with an upgrade/install choice screen — this was simplified by opening the upgrade screen by default, with a link to force reinstallation for local network requests that indicate a non-production board.

The flow in the browser-based GUI is managed by a client-side controller, capable of handling input and output asynchronously, letting users fill out and submit subsequent forms as the attached operations execute in the background. A server-side controller provides fallback support for no-JavaScript clients.

More form fields take advantage of input verification and autocomplete features supported by browsers and password managers. Password fields were enriched with reveal toggles (in browsers other than Microsoft Edge, which provides the feature natively) — balancing the UX with the removal of redundant retype password input — and then placed at the end of forms to detect usage of other entered data (like site details, username, or email) for score calculation, powered by the zxcvbn library.

The auto-login feature was extended to likewise initialize a session for the Admin CP, enabling administrators to instantly explore it and finish configuring their forums.

When installing in development mode, an additional post is created in the welcome thread with convenient links to launch the process again and reset MyBB to its default state.

Over six years ago, we pointed out the tip-over in observed web traffic into the majority using HTTPS — today’s data shows that secure transmission for publicly-available sites is a universal standard. Although administrators of new forums should be well-aware of this, and have HTTPS already set up, some may delay this step until after the installation. This, of course, is dangerous, given that passwords and login keys already start being transmitted. Therefore, the installer warns about an unsafe connection for public network requests (limiting warning fatigue during non-production usage).

Consistent with our long-term development plans, the new setup system has no inline styles nor scripts, which allowed us to add a restrictive Content Security Policy by default.

The web implementation tracks the time of each operation using the Performance API, and the custom measurements can be observed using developer tools built into some web browsers.

Safety

The installer has been equipped with additional checks to prevent misuse. Previously, authentication was only required to access the upgrade script, but not installation, which may have allowed third parties to access it when the complete directory was uploaded and the lock file was deleted for upgrading.

The new system will check for additional, process-specific lock files, with lock_install created automatically. To reinstall the board, administrators will be also required to delete or empty the configuration file, which will provide another cue that existing data will be overwritten. These constraints don’t apply in a development environment, in which case a detailed installation status is simply shown on the first screen.

Authentication-related logic tied to the upgrade script was reworked by removing assumptions about the stability of initialization and credential handling, which may become temporarily broken during the upgrade process (e.g. after uploading new files, but before applying database changes). Instead, the upgrade process validates administrators’ sessions carried over from the forum front-end opportunistically, and otherwise relies on an ad-hoc proof by prompting them to create a temporary file with the name cryptographically tied to a cookie value.

CLI

This version improves cache system stability, and compatibility with PostgreSQL (PDO) and recent PHP versions.

• 1 security vulnerability addressed:
  • High risk: ACP Languages local file inclusion (advisory) — reported by yelang123 (Stealien), NGA (Stealien)
• 8 issues resolved

Check the Release Notes for more information.

Get latest MyBB Full & Upgrade Packages →

The MyBB Project extends thanks to reporters and researchers following responsible disclosure.
Go to mybb.com/security to report possible security concerns or to learn more about security research at MyBB.
If you would like to contribute to the Project, Get Involved.

Thanks,
MyBB Team