CoffeeCake

To serve PDFs inline, you could consider altering your web server's configuration (i.e. .htaccess if you're using apache, or the actual .conf files themselves) to force the following headers for PDF files. Something like the following: <LocationMatch "\.(?i:pdf)$"> ForceType application/pdf Header set Content-Disposition inline </LocationMatch>

@Pyrotechnic, in addition to @Adriano Faria's plugin, you can achieve this out of the box using Group Promotions. To do so, set the default Members group to not have access to private messaging, and create a promotion rule that promotes the user to a group with PM permissions after reaching your desired level of posts (and/or any other option in the group promotion rules). Edit: Seeing you were looking to avoid creating another member group--in that case, the plugin Adriano provided looks to be a good fit.

Perhaps something with RSS feeds?

Do you mean that the conversation goes back years between two people? Or that they get alerted to a new PM that was actually sent in 2012? If it's the first thing, I think that's expected behavior (assuming the people chatting with each other have been doing so for 8 years)--there's no cutoff there. If it's the second thing, I think you should open a support ticket and have someone take a look.

It would be really nice to note somewhere when a patch is released, even if it's a sort of opt-in thing, buried twenty levels deep, as to continue giving the impression that everything is fine in the "oops" hours following a new release. Otherwise, you're left with one of two choices: Unnecessarily clearing cache to see if a new patch has been released, which for a large community may have the impact of undoing mechanisms for caching resources that don't need to be uncached, slowing down stuff, and increasing bandwidth. Going crazy when something that does affect you doesn't work, trying to determine what's happened, eventually getting to the point where you clear cache, and then seeing that there was a patched release some unknown time ago that may have rendered the past hour of running about with your hair on fire unnecessary. I'd subscribe to a mailing list (or forum here) that featured alerts like "for those of you using Stripe and Commerce, a patch was released today that addresses edge case scenarios where payment is made in Reptilian Kettles, but your Stripe account is set to Grecian Germaniums as the default currency, and the transaction amount is between 46 and 47 parsecs, adjusted for inflation. If this applies to you, run the support tool or download an updated package from the client area." Maybe this applies to two IPS clients, but when it impacts them, it's really an issue for them. I think @SJ77 deals entirely in Reptilian Kettles. Even having an option to check for new patches without clearing cache would be a welcome addition.

I'll just leave this here in the event someone else encounters it. I don't have a clear reproducible case.

I understand there's a separate permission, however I believe this data should not be shown without explicitly requesting it and logging that it was requested to be viewed. This should be an auditable activity. Someone that has this permission should not be able to see the answers of every person who has supplied those answers just by viewing the member record in ACP.

I don't think we ever removed the password prompt for the onboarding process--does part of the onboarding process attempt to access the ACP or is it a call back to /api? You can achieve this in nginx with something like map. Here's a good example (and those look like Xenforo URLs): https://serverfault.com/questions/930145/nginx-redirect-based-on-query-string-parameters I think the issue in your configuration is that you are returning an error (418) for matches instead of passing it to IPS. Someone here had a good guide to Nginx + php-fpm + IPS. I think it was @Makoto. Edit: Here it is!

No Tapatalk installed here.

If you know the IP address ranges you'd like to ban you could take that approach. Otherwise, you'll need a third party tool. Maybe something like this?

How your SMTP provider works is unknown--you'd have to ask them. A relevant question may be what happens if the SMTP server returns an error? Does IPS try again or simply drop that mail?

I noticed a member who had turned on two factor authentication and provided security answers. I don't believe it's security best practices to show these values to anyone looking at the member's account in plaintext, without some sort of action being taken that is logged. For example, a button to view the values that then logs the account who requested to view the values, or even better, only validate that the entered answer matched what the user specified without displaying the values at all. Right now, the answers are available to anyone with permission to view without taking any action to see the answers. Please change this behavior to require a click on something that would insert "Paul E. viewed member's security questions and answers" or such in the account activity logs at a minimum.

Insert it into custom.css in your theme's CSS resources.

You can't match by querystring like that (the things after the ? in the URL) for a location block in nginx. In our testing, we left basic authentication on and did not have issues with Marketplace. Not sure if something has changed with 4.5.3 making that a prerequisite. I was told the same thing by support at one point, yet there appeared to be no actual requirement for removing basic auth. We did have the /api url open though....

Yes, guest group has permission to post (and guests are posting).

I don't. There have been two occasions where I adjust a forum's permissions for another user group now and as a result, guests have the ability to post (their posts appear without any approval--this isn't post before registration). I think it's a bug with editing group permissions from ACP > Members > Groups > Padlock. At no point am I editing the guest group.

Oddly, I've had guests granted posting permission twice now after editing permission for another group. Anyone else seeing this?

Most (if not all) of the constants that can be set can be found in init.php.

You may need to adjust your webserver configuration. Are you using apache?

This is something we developed in-house for 4.5. In 4.4 and below, we used this:

Oh, what fortuitous timing. Please remove this completely dangerous tool. Offer it as an optional download. Stick it on your CICs if you must, but this is a completely unnecessary vector to be potentially exploited.

They should redirect, and have no impact.

Sorry. That may have been confusing. We create a notification when we create a new support request. If we need to contact members, we do it through the support request system. We do not currently send a notification when we make moderation actions or respond to reported content, but we'd like that feature as well as you've described. Rather than send out an e-mail, our request for @DawPi is to integrate with the support request system so that a request is logged and viewable within the support request section of ACP.