
*José Antonio

Reputation Activity

  1. Like
    *José Antonio reacted to Mark for a blog entry, 4.3: AdminCP Member Profiles   
    Viewing and editing a member is probably one of the most frequently used features of the AdminCP. With the design unchanged for many years, and the tabbed interface starting to grow unwieldy, it was due for some love. We have not only dramatically improved the design but added many new features.

    New AdminCP Member Page
    Let's look at some of the improvements:
    Easy Toggle between Member and Customer View
    If you have Commerce installed, you can now toggle between "Member View" (which shows the screen above) and "Customer View" (which shows the current customer page in Commerce with the user's purchases, invoices, etc.). This makes it much easier to view all of a member's information in one place.
    If you don't have Commerce installed, the top tab bar will not show.
    Basic Information
    The pane in the top-left shows the member's basic information like name, email address and photos. You can now reposition a member's cover photo and crop the profile photo (functions previously not available in the AdminCP). To change the display name or email address, you just click and hold on the information and a textbox appears. The buttons below allow you to merge, delete, sign in as, and edit the preferences or password for the member.
      
    Basic Member Information Pane
    In addition, this pane lists any social networks the user is logged in with. It shows you the member's profile photo and profile name on that network (for example in this screenshot, it is showing my Facebook profile's photo and name) and for many networks you can click on this to be taken directly to their Facebook/Twitter/etc profile. You can also edit the syncing options for the method and unlink the accounts, features which weren't available previously.
    If you have Commerce installed, there is also an indicator if the user has an active subscription.

    A member with an active subscription
     
    Alerts
    If a member is validating, banned, flagged as a spammer, or locked, a large banner will display drawing your attention to this. For validating and banned, it will explain exactly what the status is (for example, if they haven't responded to the validation email yet versus they are awaiting admin approval, or if they have been banned manually versus are in a group without permission to access anything).

    A member that has been locked



    Other possible alerts
     
    Locations & Devices
    This pane shows you, on a map, all of the locations the user has been when using the community (based on their IP address) as well as the IP address they used to register and most recently.

    IP Address Locations
    The Devices tab shows the most recently used devices.

    Recently Used Devices
     
    Content Statistics
    Right in the middle of the profile you can see some statistics about the member's activity. This includes:
    • A sparkline graph of their recent content.
    • Their content count and reputation count (with tools to manually change or rebuild).
    • A breakdown of the amount of content they have made across all applications.
    • A visual indication of how much of their messenger and attachment storage they have used.
    • If Gallery and Downloads are installed, the existing statistics overview provided by these apps are also available here.
    Content Statistics
    Warnings & Restrictions
    This block shows recent warnings on the account, and also highlights if any restrictions (i.e. content moderation, restricted from posting, or application-level restrictions) are being applied, which previously was difficult to see at a glance.

    Warnings & Restrictions Block for an account which has content moderation in effect
     
    Account Activity
    On the right is a pane which shows all of the latest account activity. While this was available in previous versions (called "Member History") we have made some significant improvements:
    • The number of things that get logged has been significantly expanded. We now log photo changes, group changes, when a new device is used to login, if an account is locked (by failed logins or failed two factor authentication attempts) or unlocked, password/email/display name changes, when a user links or unlinks a social network login method, initial registration and validation, merges, being flagged/unflagged as a spammer, receiving/acknowledging/revoking a warning, restrictions being applied, two factor authentication being enabled/disabled/changed, an OAuth token being issued if Invision Community is being used as an OAuth Server, enabling/disabling receiving bulk mails, and accepting the privacy policy / terms and conditions, as well as all of the Commerce-related information that is already logged.
    • Much more information is now shown such as who made the change (i.e. an admin, the user themselves, or if it was changed by the REST API or syncing with a social network) and how the change was made (for example, for a password change - if the user used the "Forgot Password" tool or changed it in their Account Settings) and what the data was before and after. This includes being aware of if the change was made by an admin after using the "Sign in as User" tool.
    • You can now filter what information you are seeing to quickly find what you are looking for.
    Recent Account Activity
     
    Extensibility
    The new profile has been designed with extensibility in mind. Third party developers can easily add new blocks or even entire new tabs. Any apps/plugins which are currently adding a tab to the "Edit Member" form will retain backwards compatibility with their tab continuing to appear when clicking the "Edit Preferences" button in the basic account information pane.
  2. Like
    *José Antonio reacted to Charles for a blog entry, Invision Community 4.3 Coming Soon   
    Our recent release of Invision Community 4.2 was the most well-received version ever! The feedback we received on new features like Clubs, Reactions, and Promotes was better than we could have hoped and we really enjoyed seeing all the creative uses as people implemented them on their own communities.
    We have been hard at work on version 4.3 with a goal of improving on all the great new features. It is well under way and we are happy to be able to start announcing what's new over the next few weeks.
    Invision Community 4.3 will not only contain new features but also have a core focus on refinement from 4.2's new features. You will see many improvements to Clubs, new integration options, large application improvements, new promotional features, and more changes large and small.

     
    You can expect to see news posts about new features and changes very soon with a release date in early 2018. Follow our news section or subscribe to our newsletter to receive updates.
  3. Like
    *José Antonio reacted to bfarber for a blog entry, IP.Board 3.4.x and IP.Nexus 1.5.x Security Update   
    We are releasing a patch for IP.Board 3.4.x and IP.Nexus 1.5.x to address two potential security issues brought to our attention.

    It has been brought to our attention that an open redirect exists within IP.Nexus which might allow a user to redirect other users to a remote site of their choosing through IP.Nexus. Additionally, an issue has been brought to our attention whereby sensitive user data may be exposed in certain circumstances.


    To apply the patch
    Simply download the attached zip and upload the files to your server. This single zip file includes the patch files for both IP.Board as well as IP.Nexus.
     
    patch-34x-05252016.zip
     
    If you are an IPS Community in the Cloud client running IP.Board 3.4 or above, no further action is necessary as we have already automatically patched your account. If you are using a version older than IP.Board 3.4, you should contact support to upgrade.

    If you install or upgrade to IP.Board 3.4.9 after the date and time of this post, no further action is necessary as we have already updated the main download zips.
  4. Like
    *José Antonio reacted to Rikki for a blog entry, New in 4.1.12: Post preview   
    We are currently beta testing our next release, 4.1.12, which contains hundreds of bug fixes, dozens of improvements, as well as a handful of new features. I wanted to introduce one of those new features: post preview.
    Long-time users of our software will know that a post preview function was a standard feature, but we took the decision to not include it in the initial IPS4 release. It had a couple of drawbacks:
    • it only applied to certain pages, such as topic view - other WYSIWYG editors simply didn't get a preview
    • the workflow wasn't very good for modern web apps, requiring a round-trip to the server and a full page refresh
    When IPS4 was released, we felt that the built-in rendering of the editor was a sufficient preview of how the end result would appear. However, while analyzing ongoing customer and user feedback for IPS4 in its first year of release, we have seen that a preview still has a use. There are some circumstances when a true WYSIWYG experience is just not possible such as using more advanced formatting (like LaTeX) or when admins create certain custom editor plugins.
    As a result, we rethought post preview. We wanted to ensure that all editors could be previewed, and that it didn't have a clunky workflow. In addition, since IPS4 uses a responsive theme, we wanted to give users the opportunity to preview how their post would look on different devices.
    Here's the result, and what will be available in 4.1.12:

    Post preview in IPS Community Suite 4.1.12
    The preview is shown by clicking a new button on the toolbar (meaning it can be moved, removed, etc. just like the other default buttons). When the preview loads, the toolbar allows the user to resize it to different device sizes. If they are on desktop, they can also view it at tablet and phone sizes; on a tablet, it can also be viewed at phone size.
    So now we not only show a true preview of what content will look like when posted, but we also allow you to preview how it will look on other devices. Of course that preview is just a best-guess since different devices have different window sizes but it does give you an idea.
    We hope this reimagining of an old feature for a more modern web will please end-users and make posting content a more accurate process. Stay tuned for more updates on what's included in 4.1.12!
    Version 4.1.12 is currently in beta testing and should be released in the next two weeks.
  5. Like
    *José Antonio reacted to Rikki for a blog entry, 7 ways to secure your community   
    Security should never be an afterthought for your community. All too often, site owners consider beefing up their security only when it's too late and their community has already been compromised. Taking some time now to check and improve the security of your community and server could pay dividends by eliminating the cost and hassle of falling victim to hacking in the first place.
    Let's run down 7 ways that you can protect your community with the IPS Community Suite, from security features you may not know about to best practices all communities should be following.
     
    1. Be selective when adding administrators
    Administrator permissions can be extremely damaging in the wrong hands, and granting administrator powers should only be done with great consideration. Granting access to the AdminCP is like handing someone the keys to your house, so before doing so, be sure you really trust the person and that their role requires access to the AdminCP (for example, would moderator permissions be sufficient for the new staff member?).
    Don't forget to remove administrator access promptly when necessary too, such as the member of staff leaving your organization. Always be aware of exactly who has administrator access at any given time, and review regularly. You can list all accounts that have AdminCP access by clicking the List Administrators button on the System -> Security page.
    2. Utilize Admin Restrictions
    In many organizations, staff roles within the community reflect real-world roles - designers need access to templates, accounting needs access to billing, and so forth. IPS4 allows you to limit administrator access to very specific areas of the AdminCP with the Admin Restrictions feature, and even limit what can be done within those areas. This is a great approach for limiting risk to your data; by giving staff members access to only the areas they need to perform their duties, you reduce the potential impact should their account become compromised in future.
    3. Choose good passwords
    This seems like an obvious suggestion, but surveys regularly show that people choose passwords that are simply too easy to guess or brute force. Your password is naturally the most basic protection of your AdminCP there is, so making sure you're using a good password is essential.
    We recommend using a password manager application such as 1password or LastPass. These applications generate strong, random passwords for each site you use, and store them so that you don't have to remember them.
    Even if you don't use a password manager, make sure the passwords you use for your community are unique and never used for other sites.
    4. Stay up to date
    It's a fact of software development that from time to time new security issues are reported and promptly fixed. But if you're running several versions behind, once security issues are made public through responsible disclosure, malicious users can exploit those weaknesses in your community.
    When we release new updates - especially if they're marked as a security release in our release notes - be sure to update as promptly as you can so you receive the latest fixes. Your AdminCP will also let you know when a new version is ready for download.
    5. Use .htaccess protection for your AdminCP
    In addition to IPS4's own AdminCP login page, you can set up browser-level authentication, giving you a double layer of protection. This is done via a special .htaccess file which instructs the server to prompt for authentication before access to the page is granted. IPS4 can automatically generate this file for you - simply go to System -> Security in your AdminCP, and enable the "Add a secondary admin password" rule.
    And it should go without saying, but to be clear: don't use the same username or password for both your .htaccess login and your admin account, or the measure is redundant!
    6. Restrict your AdminCP to an IP range where possible
    If your organization has a static IP or requires staff members to use a VPN, you can add an additional layer of security to your community by prohibiting access to the AdminCP unless the user's IP matches your whitelist. This is a server-level feature, so consult your IT team or host to find out how to set it up in your particular environment. If you're a Community in the Cloud customer, contact our support team if you'd like to set up this protection for your account.
    7. Properly secure your PHP installation
    Many of PHP's built-in functions can leave a server vulnerable to high-impact exploits, and yet many of these functions aren't needed by the vast majority of PHP applications you might run. We therefore recommend that you explicitly disable these functions using PHP's disable_functions configuration setting. Here's our recommended configuration, although you or your host may need to tweak the list depending on your exact needs:
        disable_functions = escapeshellarg,escapeshellcmd,exec,ini_alter,parse_ini_file,passthru,pcntl_exec,popen,proc_close,proc_get_status,proc_nice,proc_open,proc_terminate,show_source,shell_exec,symlink,system
    Another critical PHP configuration setting you need to check is that open_basedir is enabled, especially if you're hosted on a server that also hosts other websites (known as shared hosting). If another account on the server is compromised and open_basedir is disabled, the attacker can potentially gain access to your files too.
    Naturally, Community in the Cloud customers needn't worry about either of these steps - we've already handled it for you!
     
    So there we go - a brief overview of 7 common-sense ways you can better protect your community and its users. As software developers, we're constantly working to improve the behind-the-scenes security of our software, but as an administrator, there's also a number of steps you should take to keep your community safe on the web.
    If you have any tips related to security, be sure to share them in the comments!
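To check tip 7 on a live server, the following added example (not code from the post or from IPS) compares the PHP settings in effect with the disable_functions list and the open_basedir advice above. The function names parse_list, audit_php_config and findings are hypothetical helpers introduced for this illustration.

```php
<?php
// Added example (not IPS code): audit the effective PHP configuration against
// the disable_functions list and open_basedir advice quoted in the post.

// The list recommended in the post, copied verbatim.
const RECOMMENDED = 'escapeshellarg,escapeshellcmd,exec,ini_alter,parse_ini_file,'
    . 'passthru,pcntl_exec,popen,proc_close,proc_get_status,proc_nice,proc_open,'
    . 'proc_terminate,show_source,shell_exec,symlink,system';

/** Split a comma-separated ini value into a normalised list of names. */
function parse_list(string $value): array
{
    $names = array_map('trim', explode(',', strtolower($value)));
    return array_values(array_unique(array_filter($names, 'strlen')));
}

/**
 * Compare the ini values with the recommendation.
 * Returns ['missing' => string[], 'open_basedir' => string[]].
 */
function audit_php_config(string $disabled, string $openBasedir): array
{
    $missing = array_values(array_diff(parse_list(RECOMMENDED), parse_list($disabled)));
    // open_basedir is a PATH_SEPARATOR-delimited list; empty means unrestricted.
    $dirs = array_values(array_filter(explode(PATH_SEPARATOR, $openBasedir), 'strlen'));
    return ['missing' => $missing, 'open_basedir' => $dirs];
}

/** Turn the audit result into human-readable findings. */
function findings(array $audit): array
{
    $out = [];
    if ($audit['missing']) {
        $out[] = 'Not disabled: ' . implode(', ', $audit['missing']);
    }
    if (!$audit['open_basedir']) {
        $out[] = 'open_basedir is not set: file access is not confined to this site';
    } elseif (in_array('/', $audit['open_basedir'], true)) {
        $out[] = 'open_basedir includes "/", which restricts nothing';
    }
    return $out;
}

// ini_get() reports the values in effect for the current SAPI, and it is used
// here because parse_ini_file is itself on the recommended disable list.
$audit = audit_php_config(
    (string) ini_get('disable_functions'),
    (string) ini_get('open_basedir')
);
$result = findings($audit);
echo ($result ? implode(PHP_EOL, $result) : 'OK: both settings follow the advice above') . PHP_EOL;
```

Web and command-line PHP often load different configuration, so run the script through the same handler that serves the community and delete it afterwards.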
  6. Like
    *José Antonio reacted to Rikki for a blog entry, Theme Tip: Use HTML logic to display content to specific groups   
    HTML Logic is our name for the additional tags available in IPS4's templates that allow runtime logic to be executed. It comprises if/then/else statements as well as loops and more.
    Since HTML Logic has access to all of the underlying PHP framework in IPS4, it's very powerful and a lot can be achieved with it. One common use is to limit certain content within a template to particular member groups. Let's see how that might be done.
     
    Showing or hiding content only to guests
    We'll first look at a simpler idea: showing or hiding content specifically to guests (i.e. anyone who isn't logged in). Within IPS4, the \IPS\Member::loggedIn() object contains information about the current user. Guests always have a member_id of NULL (i.e. no value), so we can simply check that value in our logic tag:
        {{if \IPS\Member::loggedIn()->member_id === NULL}}
            This content *only* shows to guests, since they have a NULL member_id.
        {{endif}}

        {{if \IPS\Member::loggedIn()->member_id}}
            This content *only* shows to logged-in users since their member_id is a number, which will equal true.
        {{endif}}

    Showing content only to specific groups
    Let's go a bit further and this time show content to specific (primary) member groups. First, you need to get the IDs for the group(s) you want to deal with. You can find this by editing the group in the AdminCP, and making a note of the id parameter in the URL. On my installation, the Administrator group is ID 4 so we'll use that in our example.
    Once again, we're using the \IPS\Member::loggedIn() object, but this time we're using the member_group_id property.
        {{if \IPS\Member::loggedIn()->member_group_id === 4}}
            This content only shows to members in the "Administrators" group (ID 4 in our example)
        {{endif}}

    Working with multiple groups at once
    Following the code above, you could simply repeat the check against \IPS\Member::loggedIn()->member_group_id several times, for each ID you want to allow. However, since our templates allow arbitrary PHP expressions to be used, there's a neater way: use an array of member group IDs you want to allow, and check against that using PHP's in_array function. Here's an example where we only show content to group IDs 2, 4 and 6:
        {{if in_array( \IPS\Member::loggedIn()->member_group_id, array( 2, 4, 6 ) )}}
            This content only shows to members in groups with the ID 2, 4 or 6.
        {{endif}}

    Have a request for a theme tip? Let us know in the comments and we'll try and help out in a future tip! 