[Plugin] Super Admin Chat Control - Monitor and Manage All Conversations
Hi everyone,
I've developed a new plugin called Super Admin Chat Control. This plugin is designed for forum administrators who need deeper oversight into the messaging system for moderation purposes.
It allows administrators to view, manage, and interact with any chat room on the forum, even if they aren't a participant.
Key Features:
Global Access: View any private or group conversation directly.
Moderation Power: Administrators can edit or delete any message within the chat system.
Quick Audit: Adds a "View Chats" link to the user profile menu for admins.
Smart Presence: Admins can view room history without being permanently added as members, keeping room statistics accurate.
Bilingual UI: Full support for English and Hebrew interfaces.
How it works:
The plugin hooks into NodeBB's messaging system to elevate admin permissions. It overrides core functions like Messaging.canEdit, Messaging.canDelete, and Messaging.canViewMessage to ensure administrators have the necessary access for effective moderation.
Technical Details:
Compatibility: NodeBB ^3.0.0 or ^4.0.0.
Hooks used: filter:messaging.isRoomOwner, filter:messaging.canReply, filter:messaging.loadRoom, and more.
Installation:
Install the plugin via your terminal:
```
npm install nodebb-plugin-admin-chats
```
Activate the plugin in the NodeBB Admin Control Panel (ACP).
Restart NodeBB.
Repo & Issues:
You can find the source code here: https://github.com/palmoni5/nodebb-plugin-admin-chats
Feel free to leave feedback or report issues on GitHub!
I was asking Claude Desktop some questions about the NodeBB API and it was blocked from https://docs.nodebb.org/
I think it would also be helpful for Claude Code to be able to access those docs as well. In CF just block the "surge bots" from China and Singapore and that should help. Plus, isn't docs a static site?
Hello. I am writing a plugin to support my game server. Login to the forum is supposed to be available only through game account (on first login with in-game credentials it creates a nodebb account with corresponding login and email and links it to the game account).
I've replaced local login with my own strategy (I just override data.strategy in login.override).
The problem is changing email. NodeBB sets session variables so the system thinks the account is still in the registration stage and asks for verifying email. I can't access /register/abort due to an invalid CSRF token (in the browser it's 403 Forbidden), which is, I believe, caused by the default login strategy. Every other location redirects me back to /register/complete (email change).
How do I fix the invalid csrf problem? Are there better approaches to my problem?
Saw this on https://sudonix.org at the bottom of topics, should we add this to core and possibly make it configurable in the ACP?
[image: 1770905069843-e78c6db8-99f9-4b65-8ae0-6ebd66744a94-image.jpeg]
Hello all!
(Sorry, I could not resist with the title)
Today we are releasing NodeBB v4.9.0, on a Friday, toward the end of the day, because we like having our weekends ruined.
As usual, we recommend you update to this stable version of NodeBB, not least because it fixes a federation issue accidentally introduced last month.
There are a bunch of new features and usability improvements here, for both end users and admins. Federation improvements abound, as well as a few moderation upgrades. As usual, we fixed a ton of bugs, and even a couple open issues from the 2010s.
Here is a list of the changes and new features you should expect to see!
New "World" page
/world has been updated so that it is closer to a feed-reader than a topic list. While I will continue to iterate on this design over time to better promote topics, I am hoping that this proves to be more accessible of an interface compared to the old topic listing.
Your watched/tracked remote categories will be listed in a sidebar (hidden behind a drawer on mobile views) for easy access.
The default view ("Latest") continues to be a list of content from people you follow, and content shared by those same people. The other view ("Popular") shows unconstrained content, and can include content from people you don't follow.
Remote topics now unavailable to guests
After an Alibaba bot was recorded mercilessly scraping a lot of the public content served up by NodeBB, we decided to restrict access to that content to registered users.
While this would normally mean that "View Original URL" would stop working from other federated sites (since visitors are usually guests), we have added an exclusion to this logic that will continue to serve up the content to guests if at least one local user has commented on the topic.
UX change for composer and chats
@baris worked on a number of usability fixes that make the experience of using our post composer and chat interface much better. For the longest time we had issues with the composer not properly resizing when mobile keyboards opened.
Composing and replying should work much better now that we are using the latest CSS and javascript tooling to properly detect visual viewport changes.
Better notifications
@baris also updated the notifications system so that bodyLong, which usually contains post text, is now sent with all notifications. This should increase the usability of notifications (both via web, email, or push).
Cross-posting privilege
A previous release introduced the ability to cross-post content into local categories. This functionality can now be gated behind a privilege at the category level.
Guest call-to-action
@baris introduced a new guest "call-to-action" banner that will help guide guests toward registering a new account to contribute to your community.
Title-less topics
As part of the changes to /world, we also allow the creation of topics without a title. If you don't pass in a title, we will generate one for you based on the first sentence in your post. The same title generation logic was applied to remote content in the past, and now it also applies to local content.
This also means you can use the /world page to just fire off something quickly without having to do the hard work of thinking up a title. You're welcome
Opportunistic backfill
Now that the fediverse's largest implementor, Mastodon, supports context, which enables backfill, we have implemented an opportunistic backfill feature that will check for new replies when you enter a topic. It'll also regularly check the top most popular remote topics known by the instance for new posts.
Reasons
You can now set up a recurring list of "reasons", which you can invoke on certain moderation actions. These custom reasons can be used when a user is banned, muted, or on post queue rejection.
You can set up these reasons from ACP > Manage > Users > (Gear) > Manage Custom Reasons
[image: 1772219195391-image-2.png]
Registration queue now applies for SSO plugins
This issue, open since 2016, is finally fixed. SSO plugins don't automatically bypass the registration queue anymore. This was a common vector for spammers to bypass registration limitations.
Additional features and bug fixes
An improvement to auto-installation of plugins
Removed many remote tids and pids stored in the db for no reason (thanks @baris)
A regression that caused nodebb-to-nodebb federation to fail (and possibly many others)
Notifications can now be passed custom icons
ACP privilege selector now no longer shows remote categories
Improvements to mentions to better handle periods at end of sentences, or names within names
All caches used internally are now exposed in the admin panel for better management.
Sitemap cache duration is now configurable
Infinite scrolling now works on /world
Slug generation errors when you mixed and matched - and .
Topic pruning applies to all remote cids now, not just cid -1
Chats list updated properly now, when new messages are received, chat messages now properly backfilled upon reconnection
NodeBB now federates Delete on both deletion and purge
For the full changelog, please take a look at the closed issues list for this milestone, or take a gander at the much less impressive CHANGELOG.md in our repository root.
It would be a good idea to add an option to lock the forum at certain times, daily or weekly, or a maintenance mode at certain times. Thanks in advance
Can we get a button for this?
https://blog.joinmastodon.org/2026/03/a-new-share-button/
[image: 1772956999013-5d70ec22-6cd8-4121-9bba-3e5fca5f7b63-image.jpeg]
Hi!
I'm interested in knowing, is there a nodebb plugin for WordPress?
I like your design, and I'm really interested in integrating it into my website in a way that integrates with WordPress.
Is there such a plugin?
Is there something in development?
Thanks.
Hello everyone,
since the update of our forum to 4.9.1 there is a display problem with the plugin nodebb-plugin-poll.
The poll does not appear immediately, only after several refreshes, but not always.
While trying to edit the first post of a topic containing a poll, I noticed that the poll code has completely disappeared, as if it had been deleted.
It seems to do nothing for me, is this working for anyone?
I wanted to see last post first. I expected when clicked it would put the last post first, i.e. at the top of the scroll area.
Is that right?
It happened in safari and then I replicated same behaviour in brave browser.
We are publishing a notice today to bring to attention an unintentional breaking change that could affect some users of NodeBB.
v4.5.0 contained an update to src/request.js that calls a DNS resolver to ensure that the destination address is not a reserved IP address (e.g. 192.168..., 127.0..)
This change was introduced in order to close off any potential for Server-Side Request Forgery for any calls made within the NodeBB codebase.
In the vast majority of installations, this has no unintended effects. In some installations, custom plugins or themes may call URLs that resolve to an internal address on purpose (e.g. to query an internal database or similar.) In those situations, the call will now fail as of v4.5.0.
In those situations, you will need to update the plugin to add the domain to the allow list by calling the filter:request.init hook:
plugin.json
```
{
    ...
    "hooks": [
        ...
        { "hook": "filter:request.init", "method": "allowInternalHostname" },
        ...
    ]
    ...
}
```
library.js or similar
```
const plugin = module.exports;

// Add the internal hostname to the allow list passed through the hook
plugin.allowInternalHostname = async ({ allowed }) => {
    allowed.add('example.org');
    return { allowed };
};
```
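The kind of check the notice describes (resolve the hostname, refuse reserved addresses, exempt allow-listed names), as an added example that is not NodeBB's src/request.js. The function names, the reserved-range list and the treatment of the allow list as a `Set` of exact hostnames are assumptions.

```javascript
// Added illustration, not NodeBB's src/request.js; every name here is hypothetical.

// Reserved IPv4 ranges as [network, prefix length].
const RESERVED_V4 = [
  ['0.0.0.0', 8], ['10.0.0.0', 8], ['100.64.0.0', 10], ['127.0.0.0', 8],
  ['169.254.0.0', 16], ['172.16.0.0', 12], ['192.168.0.0', 16],
];

// Dotted quad -> unsigned 32-bit integer, or null if the string is not IPv4.
function ipv4ToInt(ip) {
  const parts = ip.split('.');
  if (parts.length !== 4) return null;
  let n = 0;
  for (const p of parts) {
    if (!/^\d{1,3}$/.test(p) || Number(p) > 255) return null;
    n = n * 256 + Number(p);
  }
  return n;
}

function isReservedAddress(ip) {
  const addr = ip.toLowerCase();
  // IPv4-mapped IPv6 (::ffff:a.b.c.d) is judged by its embedded IPv4 address.
  const mapped = addr.match(/^::ffff:(\d+\.\d+\.\d+\.\d+)$/);
  const v4 = ipv4ToInt(mapped ? mapped[1] : addr);
  if (v4 !== null) {
    return RESERVED_V4.some(([net, bits]) => {
      const size = 2 ** (32 - bits);
      return Math.floor(v4 / size) === Math.floor(ipv4ToInt(net) / size);
    });
  }
  if (!addr.includes(':')) return true; // not an IP literal: fail closed
  // IPv6: unspecified, loopback, any other ::ffff: form (fail closed),
  // unique-local fc00::/7 and link-local fe80::/10.
  return addr === '::' || addr === '::1' || addr.startsWith('::ffff:') ||
    /^f[cd][0-9a-f]{2}:/.test(addr) || /^fe[89ab][0-9a-f]:/.test(addr);
}

// Decide whether a request may go out, given the addresses DNS returned.
// `allowed` mirrors the Set handed to the filter:request.init hook on this page.
function checkDestination(hostname, addresses, allowed) {
  if (allowed.has(hostname)) return { ok: true, reason: 'allow-listed' };
  if (addresses.length === 0) return { ok: false, reason: 'no addresses' };
  // Every address must be public: a name with one internal record is rejected.
  const bad = addresses.find(a => isReservedAddress(a));
  return bad
    ? { ok: false, reason: `reserved address ${bad}` }
    : { ok: true, reason: 'public' };
}

// Resolve, then decide. `lookup` is injectable so the check can run offline;
// by default it is dns.promises.lookup with { all: true }.
async function checkUrl(url, allowed = new Set(), lookup) {
  const hostname = new URL(url).hostname.replace(/^\[|\]$/g, '');
  const resolve = lookup || (await import('node:dns')).promises.lookup;
  const records = await resolve(hostname, { all: true });
  return checkDestination(hostname, records.map(r => r.address), allowed);
}
```

The verdict only holds if the HTTP client then connects to the same addresses that were checked; a second, independent resolution at connect time can return something different.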
I updated the forum to the latest version.
I see that some of the translations have been destroyed and are now displayed in English.
The system language is Hebrew.
What can be done?
Not sure if this is a feature request or a bug report, but in my categories that are unfederated: if I type "@" and a letter, it shows a huge list of federated users.
Can we have an option to turn this off.
While it is great to be able to do this in a federated community, in a community where federated users do not have any privileges, it would be nice if this was disabled (or at least a toggle to turn it off)
Hi @all
Is it possible to update or maintain this plugin?
The information displayed is incorrect.
https://github.com/psychobunny/nodebb-widget-board-stats#readme
Hello everyone, @baris
The unread message counter in the pagination block is not visible.
Is there a way or some CSS code to fix this?
Or maybe, can the counter be automatically placed above or below the message counter in the pagination block, depending on its position?
[image: 1772656847010-2f66de11-8d23-4063-8fe9-36ab778ef481-image.jpeg]
Hi team, @baris
I've noticed a small UI bug in the homepage chat widget: when clicking the expand button to open the chat in full-page mode, the Bootstrap tooltip ("Agrandir" / "Expand") remains visible on screen instead of dismissing.
The root cause seems to be that the layout shift caused by the expansion prevents the mouseleave event from firing, so Bootstrap never calls .hide() on the tooltip instance.
I'm currently using this code to fix that:
```
// ------------------------------------------------------------------
// Bug Fix Tooltip "Agrandir" Widget Chat Room
// ------------------------------------------------------------------
$(document).on('click', '[data-bs-toggle="tooltip"]', function() {
    $(this).tooltip('hide');
});
```
I think this happened with the new nodeBB release.
Video of bug: https://imgur.com/a/prHjiPH
Basically, I can't delete federated communities. I'm not sure if there is something I am missing, but it feels like it's a bug.
Hi everyone, @baris
I’m currently facing persistent xhr poll error issues with NodeBB behind Cloudflare (Free plan, proxied / orange cloud). I’ve been debugging this for quite a while and would really appreciate some expert input.
The Problem
In the browser console I consistently get:
[socket.io] Connection error: xhr poll error
With an error in NodeBB:
[image: 1772441871370-ae8a3eb4-96d2-4fee-903f-4147c3522059-image.jpeg]
Network tab shows:
/socket.io/?_csrf=...&EIO=4&transport=polling → 403
[image: 1772441925180-570a8724-b086-44a1-bf3e-51d4e0935fb6-image.jpeg]
So the failure happens during the polling transport phase, before WebSocket upgrade. I guess
Login works.
Sessions work.
Forum loads.
But sockets keep failing with 403, with a connection error in the NodeBB interface.
🧭 Infrastructure Overview
Server
Hetzner VPS with public IP and Hetzner firewall with open ports: 80, 443, Virtualmin CF Proxied 8443, nodebb 4567, redis 6379, clustering 4567, 4568, 4569
Same ports open in the server with firewalld/virtualmin
Managed via Virtualmin
Nginx reverse proxy
Let’s Encrypt SSL
Ubuntu Server
NodeBB Setup
Latest stable NodeBB 4.9.1
Node.js LTS 18
MongoDB
Redis enabled
Cluster mode enabled scaling
Here is my config.json:
```
{
    "url": "https://xxx-xxx.net",
    "socket.io": {
        "cors": {
            "origin": "*"
        }
    },
    "trust proxy": true,
    "secret": "xxxx-xxxx-4c42-xxxxx-xxxxxxxx",
    "database": "mongo",
    "mongo": {
        "host": "127.0.0.1",
        "port": "27017",
        "username": "nodebb",
        "password": "xxxxxxxxxxxxxxxxx",
        "database": "nodebb",
        "uri": ""
    },
    "port": [4567, 4568,4569],
    "redis": {
        "host":"127.0.0.1",
        "port":"6379",
        "database": 5
    }
}
```
Here is my nginx vhost:
```
upstream io_nodes {
    ip_hash;
    server 127.0.0.1:4567;
    server 127.0.0.1:4568;
    server 127.0.0.1:4569;
}
server {
    server_name xx-xx.net www.xx-xxx.net mail.xx-xx.net webmail.xx-xx.net admin.xx-xx.net;
    root /home/xxx-xxx/nodebb; # nodebb root directory
    index index.php index.htm index.html;
    access_log /var/log/virtualmin/xxx-xxx.net_access_log;
    error_log /var/log/virtualmin/xx-xx.net_error_log;
    client_max_body_size 20M;
    fastcgi_param GATEWAY_INTERFACE CGI/1.1;
    fastcgi_param SERVER_SOFTWARE nginx;
    fastcgi_param QUERY_STRING $query_string;
    fastcgi_param REQUEST_METHOD $request_method;
    fastcgi_param CONTENT_TYPE $content_type;
    fastcgi_param CONTENT_LENGTH $content_length;
    fastcgi_param SCRIPT_FILENAME "/home/xx-xx/public_html$fastcgi_script_name";
    fastcgi_param SCRIPT_NAME $fastcgi_script_name;
    fastcgi_param REQUEST_URI $request_uri;
    fastcgi_param DOCUMENT_URI $document_uri;
    fastcgi_param DOCUMENT_ROOT /home/xx-xxx/public_html;
    fastcgi_param SERVER_PROTOCOL $server_protocol;
    fastcgi_param REMOTE_ADDR $remote_addr;
    fastcgi_param REMOTE_PORT $remote_port;
    fastcgi_param SERVER_ADDR $server_addr;
    fastcgi_param SERVER_PORT $server_port;
    fastcgi_param SERVER_NAME $server_name;
    fastcgi_param PATH_INFO $fastcgi_path_info;
    fastcgi_param HTTPS $https;
    location /.well-known {
    }
    location ^~ /.well-known/acme-challenge/ {
        try_files $uri /;
        allow all;
    }
    # Reverse proxy added:
    location / {
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        #proxy_set_header Host $http_host;
        proxy_set_header X-NginX-Proxy true;
        proxy_set_header Host $host;
        proxy_pass http://io_nodes;
        proxy_redirect off;
        # Socket.IO Support
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
    }
    # serve static assets
    # Add the block below, which forces all traffic into the nodebb - redis cluster when referenced with "@nodebb"
    # (Disable if there is no nodebb - redis cluster, or use http://127.0.0.1:4567 to serve static assets)
    location @nodebb {
        # proxy_pass http://127.0.0.1:4567;
        proxy_pass http://io_nodes;
    }
    location ~ ^/assets/(.*) {
        root /home/xxx-xxx/nodebb/;
        try_files /build/public/$1 /public/$1 @nodebb;
    }
    # serve static assets compressed
    gzip on;
    gzip_min_length 1000;
    gzip_proxied off;
    gzip_types text/plain application/xml text/javascript application/javascript application/x-javascript text/css application/json;
    location ~ "\.php(/|$)" {
        try_files $uri $fastcgi_script_name =404;
        default_type application/x-httpd-php;
        fastcgi_pass unix:/run/php/173162234249002.sock;
    }
    fastcgi_split_path_info "^(.+\.php)(/.+)$";
    if ($host = webmail.xxx-xxxx.net) {
        rewrite "^/(.*)$" "https://xxx-xxx.net:20000/$1" redirect;
    }
    if ($host = admin.planete-warez.net) {
        rewrite "^/(.*)$" "https://planete-warez.net:10000/$1" redirect;
    }
    listen 65.21.3.134:443 ssl http2;
    listen [2a01:4f9:c010:db20::1]:443 ssl http2;
    ssl_certificate /etc/letsencrypt/live/xx-xx.net/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/xx-xx.net/privkey.pem; # managed by Certbot
    rewrite /awstats/awstats.pl /cgi-bin/awstats.pl;
}
server {
    if ($host = xx-xx.net) {
        return 301 https://$host$request_uri;
    } # managed by Certbot
    server_name xx-xx.net www.xx-xx.net mail.xx-xx.net webmail.xx-xx.net admin.xx-xx.net;
    listen 65.21.3.134;
    listen [2a01:4f9:c010:db20::1];
    return 404; # managed by Certbot
}
```
Nginx has been reloaded.
NodeBB restarted multiple times without "origin": "*" or "cors": {
Cloudflare Configuration
Plan: Free
Status: Proxied (orange cloud)
SSL/TLS
Mode: Full (Strict) with Let's encrypt SSL on the web servers with certbot
WebSockets: ON
Cache Rules
Rules created:
If URI Path contains /socket.io/
Then: Bypass cache
WAF
Custom ignore rule for /socket.io/*
Custom ignore rule for /api/*
No rate limiting.
--> Issue persists.
🧪 What Has Been Tested
Verified Redis connectivity
Verified cluster processes running
Verified cluster port in netstats
Confirmed trust proxy: true
Confirmed X-Forwarded-Proto is set
Cleared all caches
Restarted everything multiple times
Tested without "origin": "*" or "cors": {
🧠 Observations
The failing request includes _csrf, for example:
/socket.io/?_csrf=...&EIO=4&transport=polling
This suggests either:
CSRF validation failing
Session cookie mismatch
Header mismatch
Cloudflare altering something in polling requests
But:
Login works
Normal requests work
Only socket polling fails
Questions
Has anyone experienced 403 specifically on transport=polling behind Cloudflare?
Is there anything specific in NodeBB cluster mode that could cause this?
Could Cloudflare be interfering with long-polling specifically (even with WebSockets enabled)?
Is there a recommended minimal known-good config for NodeBB + Cloudflare (Free) + cluster?
At this point I’m unsure whether:
This is CSRF related
This is Cloudflare related
This is a subtle proxy/session issue
Or something specific to polling transport
Any guidance or expert would be greatly appreciated.
Thanks in advance
Hi all — since updating to the latest stable, a few users (and myself) are getting randomly logged out while browsing. No obvious errors in logs and server load looks normal. Anyone else seeing inconsistent session drops lately?
Version 3.0 is now live. This release adds granular permissions so you can delegate chat oversight to specific groups or individual users from the standard permissions area in the ACP.
New permission controls
You can grant chat access to groups and individual users directly in the Admin Control Panel under the usual permissions interface.
Two permission levels
View chats
Read-only access to user chats
Profile button to open a user’s chat history
Manage chats
Full moderator-level access
View chats, lock rooms, edit messages, delete messages, and more
Why this matters
Delegate responsibly: give support staff visibility without full admin privileges
Clear separation of roles: choose read-only or full moderation per group or user
Native workflow: everything is managed in the same permissions UI you already use
Feedback is welcome.
Repo & issues: https://github.com/palmoni5/nodebb-plugin-admin-chats
@crazycells said:
@julian said in A topic for testing badges, tags and long titles:
I said no tags federate in replies
lol I know, I was just testing...
But I honestly think nodebb should adapt post tagging...
Nested blockquote