CoffeeCake

@planetalk I answered your question here:

If you're a CIC customer, contact Invision support. If you've got a self-hosted license, you can download 4.5 from the client area. Since you're adding Commerce, you'll need to redownload the files. More on that here: Invision doesn't offer a direct download of previous versions and 4.5.1 is the current released version. Support may be able to assist with earlier versions (not sure--I asked the question and never got an answer). If you get an answer on this, please let us know! Before you upgrade, note that 4.5 is a major shift from 4.4 and customizations will very likely break if they aren't updated for 4.5 (plugins, applications, themes, language packs, etc.)

Very often, these folks are at the mercy of their IT infrastructure requirements. Large (and small) enterprises have dependencies on IE for mission critical applications and IT departments will lock them into using dated browsers because the things they need to work were coded to work in IE. If you have a large number of members in certain industries browsing from their workplace, you'll find that many have no choice in the matter and your community not working may mean they go elsewhere.

Quickest and common aren't always most secure or best case for every implemention, and I think it's great to spawn a discussion on this! As we maintain code repositories for our IPS instance, an important consideration is that we don't include those secrets in committed code and maintain separate values for each instance. Our production values are intentionally different from test. This adds an additional layer of assurance that we won't inadvertently hit the wrong database, even though we isolate the environments on separate networks as well. Security is all about layering and compensating controls. Your secrets are only as good as your weakest link. If somebody else can access your filesystem in a shared hosting environment, or can write code to output the values of variables set within the IPS session, then your efforts are likely giving you a false sense of security. You can do things like encrypt credentials with a library and decrypt them in constants.php, or use a proxy for MySQL where the credentials are stored at the proxy level. Referring to values in a file that lives out of your web root is another option, and as you pointed out, passing them through the web server. Lots of options. Just remember to consider that with the most secure of deadbolts, if you leave it unlocked, or the back door open or a ladder propped up against the side of the house, you're only as secure as your weakest link.

What a great question, @Runar.

That doesn't seem right at all. What payments processor are you using?

Yes, it seems like a bit of logic in the support tool to say -- "does the folder that I should be looking for exist? No? better recreate from scratch" would be an improvement here. There are probably some people that upload things directly into the filesystem and would be upset when the files were removed though.

You mentioned you moved your site. Are permissions correct on the filesystem for IPS to create the directory and files? Is this 4.5 or 4.4?

See this thread:

Not sure what the bit about PHP is, yet just testing on IE 11, and can confirm that it is a highly degraded experience for IE users on 4.5 as compared to 4.4. For those in corporate environments where the choice of browser may be locked down, this is certainly less than ideal. IPS did announce stopping support of IE.

@Adriano Faria: After testing this upgrade, enabling the application with 2.2.0 installed on 4.5 results in a template error in the ACP: Disabling the application makes it go away. It also shows the following in the support tool as issues with the database. Shouldn't these no longer be in core_members? No data from the previous version is available on the front end. I think this may be an issue with the update routine? We'll be trying a fresh upgrade soon in our testing environment, yet something looks amiss.

Have you raised a support ticket? We'll look at this at our next 4.4.10 to 4.5.1 upgrade test and see what the result is. We would have the same issue you're describing here if not something configuration specific. I'll let you know what we find. Are these "inactive" people set to renew? Are they losing access to things a subscription gets them?

@Douglas Glover: You'll need to complete the Marketplace onboarding process in the ACP. There should be (or should have been) a notification in the ACP when you log in as an administrator that would have asked you to setup Marketplace and walk you through a process of verifying that the extensions, applications, themes, and languages installed on your community were matched with what it thought the resource on the IPS Marketplace is. For every extension you've purchased from the Marketplace here in 4.4 or earlier, you'd match it with the appropriate entry. This matching process, in our testing, got many of our extensions correctly matched, however in instances where the Marketplace title was different from what the actual plugin/application is called in its manifest. Once you match up all of your entries, you then confirm your finished, and the onboarding is complete. The first time we tested 4.5, it was not clear and we ended up getting into a situation where the Marketplace thought all of our entries were custom entries. This may be the scenario you're in. You'll likely want to create a support ticket and ask for assistance if this isn't working. There may be a way to restart that onboarding process. If this is a test upgrade and not your production site, I'd recommend starting over and looking a bit more carefully at what the notification says. It was not as clear as it could have been. Hope this helps! As you pointed out, uninstalling and reinstalling will likely erase the data associated with your resources. You don't want to do that. Here's what you should see:

This is a fantastic idea.

I imagine that what @The Old Man was trying to say was not that these security patches should be given away in such a manner that IPS eats the cost, but that the expected overhead to make corrections when the vendor ships faulty code for individuals with a lapsed support contract should be factored into the initial price of the product. That may very well mean a price increase up front, with assurances on the back end. A security vulnerability or bug in IPS means that IPS shipped a product with a fault. A mistake was made, and that fault should be responsibly corrected by the vendor within a pre-agreed upon window of time. IPS works instead right now on a sort of subscription model. You get fixes so long as you maintain an active support contract. Software is sold many different ways, and this is just how IPS happens to do business.

and moderate!!!

I don't believe this is accessible in the ACP, yet after making backups of your backups and running this entirely at your own risk, you could use something like the following SQL query to return the results you're looking for: SELECT substring_index(clm.`login_classname`,'\\', -1) AS LoginMethod ,count(1) AS NumberOfMembersLinked FROM `core_login_links` cll INNER JOIN `core_login_methods` clm ON clm.`login_id` = cll.`token_login_method` WHERE cll.`token_linked` = 1 /* Only those who have successfully linked */ GROUP BY substring_index(clm.`login_classname`,'\\', -1)

Click on the emoji icon in the editor. When you scroll down, past all the standard emojis, you'll see one called "Emoticons." That's a group here. You can add more. You can also get to this from the Categories drop down in the upper right:

You can just drag and drop them in the groups and order that you want. No need to reupload.

Oh! Interesting idea. Do you mean using System > Settings > Posting > Word Filters to replace a number of different variations of the emoji text to the one that's configured as an emoji? If so, that might work for those folks typing them in, yet I'm not sure about searching in the emoji chooser.

You can create groups and drag and drop emoji between the group via the ACP > Customization > Emoji. At the top, there's an option to add a new group. Do that, give it the name you want, and then just click on the space above the existing custom emoji and drag it into the group you want. For the tags bit, that's probably a custom mod.

60 characters is crazy short for thread titles here, yes. If I were a new customer, I'd think that was out of the box, unchangeable behavior, and it would have been a hard pass. What we did was create an issue in our tracker for each dependency, find each dependency in the Marketplace or in our own repository, tested each resource, and linked back to the Marketplace entry. We then performed test upgrades using a copy of our production environment and make sure that our results matched what Marketplace thought it did using our test license. It didn't, we reported those issues, and they've since been fixed by IPS. We do this in a way that we can repeat it quickly over and over again by utilizing virtualization. This helps us know exactly what to expect when we "do it for real." You can see after completing marketplace onboarding and checking for updates what applications/plugins/themes/language packs have updates available, and see what happens if you turn on the ones that do not. Our beta testers play around and try to break things. We then update our tracker and we know we're not ready to go until we've successfully completed the issues attached to the 4.5 upgrade milestone.

Agree with all your points. It's entirely possible for IPS to record what was hidden by the "mark as spammer" option, yet it's just not working that way at present and the question becomes whether or not it's worth their time to develop that functionality. Our community had this very thing happen. A member who had been gone for some time, had thousands of posts over the years, and suddenly came back was mistaken by a moderator to be a new user posting spammy things. The post itself looked spammy, and you can understand why the moderator flagged the account. Yet the result was going through that poster's history and restoring thousands of posts manually. A solution like this would have to log what was deleted or hidden by that "flag as spammer" button press. What if your hypothetical moderator marked a member as a spammer that had thousands of posts, and some of those thousands of posts had been previously deleted or hidden for violating the rules? If unflagging them restored all their posts, including the rule violating ones, that wouldn't work well at all. Keep preaching the good ideas though. You're speaking with a voice of absolute sensibility. We should form a club and make t-shirts.