The Update Process

As people become more and more reliant on UserSpice, the goal is to make updating your code as painless as possible. Part of this involves not changing files unnecessarily. Whenever possible we will release patches that only overwrite the files which were changed.  We’ve also taken the version number out of each file.  The version number will only be changed in the file /users/includes/user_spice_ver.php and will be included in the admin panel by default.

When you download a patch the files will be in the same folders as they are in your site.  In other words, every patch will have the /user folder as we will always update the version number.  Some patches will be cumulative and some will be a single fix.  We’ll make that clear in the release below.

If you are upgrading from version 3.x, the only upgrade path is to go from 3.x straight to 4.0.0c.  From there you can apply any patches you want.  Please don’t try to go straight from 3.x to a different future version. The migration tool will not work for that.  You can get the 3 to 4 upgrade here.

Although updates are tested, you’re always encouraged to backup your files before patching. 

UserSpice 4.3 Patches

4.3.26(From 4.3.25) – December 15, 2018 – Important security update. Fixed a few bugs on join.php. Fixed a bug in session management. Added UserSpice 4.4’s announcement feature so you can be alerted of future security features.

4.3.25 (From 4.3.24) – June 17, 2018 – Important security update. Many thanks to the white hat hackers out there that help make our code better. This update changes the way we handle detecting the user’s ip address and removes the feature that checks if a username is taken.

4.3.24 (From 4.3.23) – May 15, 2018 – Important Security Patch for UserSpice 4.3 users, including a fix for a vulnerability on the Bio and Admin Pages. There is an update to run as well within this patch. This is very small update, but essential.

4.3.23 (From 4.3.20, 4.3.21 or 4.3.22) – April 26, 2018 – Hotfix for 4.3.21 and 4.3.22 to fix an auto-logout bug. Session Manager is being disabled, although you can enable it, some users are experiencing issues with it logging out users for no reason. You are welcome to use it, but know there could be a bug that will prevent usage of your site, and we are not aware of the fix yet.

Previous Notes:

April 25, 2018 – Hello everyone, Brandin here. Dan is working away hard on some extra UserSpice features so I completed most of this update-although Dan pitched in some Form Builder stuff 😉

This is a HUGE update-and although didn’t get its own major version push, it contains over 31 resolved bugs, with thousands of lines of modified code, updated composer packages and our very own security function-Session Management. UserSpice is now tracking Sessions for all users (similar to how some popular Social Media sites do) so you can end remote sessions, and on password resets these sessions will be ended to. With this, comes a powerful tool on users/admin_manage_sessions.php which can almost instantly log every user out of your site. There is a confirmation box and warnings around, and this can only be triggered from a user in the master account array, regardless of who has access to the page! Please be very careful with this tool, and test it greatly (of course not on your live site 😉 ) so we can get some feedback on it. As always, if you face any bugs, please report them to!

Recommended Upgrade Info:
-If you have not manually loaded any packages into Composer other than the built-in UserSpice ones, please delete the users/vendor folder (don’t worry, the update will re-add it!)
-If you get an error about an update on update.php, run it again!
-Running update.php is ESSENTIAL for this upgrade to work.
-If you are a larger scale site, keep an eye on your load time and consider disabling Session Management.

  • 00161 Remove error on page_footer session manager (Brandin Arsenault)
  • 00059 forms.php (Brandin Arsenault)
  • 00034 If you change your password any remote sessions should be destroyed (Brandin Arsenault)
  • 00157 Make killAllSessions master account array only (Brandin Arsenault)
  • 00023 Character “&” (Brandin Arsenault)
  • 00026 hasPerm needs isLoggedIn check before ID (Brandin Arsenault)
  • 00029 Settings are not refreshed after custom (Brandin Arsenault)
  • 00086 User Settings email change (Brandin Arsenault)
  • 00098 User Settings for OAuth Users (Brandin Arsenault)
  • 00113 usersc-check for matching users on insert and match perms (Brandin Arsenault)
  • 00128 Are we sure Admin Verify Timeout is being used? (Brandin Arsenault)
  • 00129 us_fingerprint_assets does not have Fingerprint_Added (Brandin Arsenault)
  • 00130 Line 80 on twofa.php is incorrect (Brandin Arsenault)
  • 00131 manage2fa.php IP code wrong (Brandin Arsenault)
  • 00132 _admin_stats.php (Brandin Arsenault)
  • 00133 Redirect after creating form (Brandin Arsenault)
  • 00134 Reset Links from ACP invalid (Brandin Arsenault)
  • 00136 Add X-Editable CSS (Brandin Arsenault)
  • 00138 Composer.Json is missing some packages (Brandin Arsenault)
  • 00139 Update composer packages (Brandin Arsenault)
  • 00140 Update twofa security (Brandin Arsenault)
  • 00141 Global $us_url_root for verifyAdmin (Brandin Arsenault)
  • 00142 Two FA assets being inserted every time (Brandin Arsenault)
  • 00143 Two FA check failing (Brandin Arsenault)
  • 00147 verify_new error (Brandin Arsenault)
  • 00148 New Google Users die (Brandin Arsenault)
  • 00149 Have to revert all changes to params (Brandin Arsenault)
  • 00152 twofa.php API URL is not cross-compatible (Brandin Arsenault)
  • 00153 Manage 2Fa IP Echo Wrong (Brandin Arsenault)
  • 00154 Two FA Fingerprint Compare is wrong (Brandin Arsenault)
  • 00155 Fingerprinting and Session Tracking (Brandin Arsenault)

4.3.20 (From 4.3.19) –  April 21, 2018 – Brandin & Dan here! This is a pretty large update, and as always, but especially with this update, you should backup your DB and files first! You can review the tickets below including the information in the hyperlink for some more detailed stuff.

  • 00118 Allow overriding un-completed updates (Brandin Arsenault)
  • 00117 Remove botched Fingerprinting Updates (Brandin Arsenault)
  • 00110 2FA Assets Broken (Brandin Arsenault)
  • 00059 forms.php (Dan Hoover)
  • 00080 Fix form builder if required dropdown/etc is added later (Dan Hoover)
  • 00116 Create multi-database support (Dan Hoover)
  • 00115 Autocomplete on admin_pin should be disabled (Brandin Arsenault)
  • 00114 PIN codes don’t have to be numbers! (Brandin Arsenault)
  • 00104 Can’t make disable_2fa private? (Brandin Arsenault)
  • 00105 Admin option to reset User PIN (Brandin Arsenault)
  • 00103 Don’t allow reauth on admin_pin (Brandin Arsenault)
  • 00101 admin_user.php JS file call not cross-compatible (Brandin Arsenault)
  • 00106 if local was commented out for reauth (Brandin Arsenault)
  • 00108 Fix to time2str() function in us_helpers.php (Brandin Arsenault)
  • 00112 isAdmin needs $isLoggedIn (Brandin Arsenault)

4.3.19 (From 4.3.18) –  April 14, 2018 – Brandin here! This is a pretty large update, and as always, but especially with this update, you should backup your DB and files first! Review the tickets below including the information near them for some more detailed stuff. We changed our tracking method mid-way through this release so some of the tickets may have more details than what I included below. Please pay some particular attention to the changes to Two FA, reAuth and the Dump/DND functions.

00100 Track the date the use enrolls in 2FA



Updates: 4A6BdJHyvP4a

00066 Redirect after confirmation of permissions

00075 Clean up dnd and dump functions
New Functions: isAdmin(),isLocalhost()

Updated Functions: dump,dnd, both allow optional parameters of adminOnly and localhostOnly

00099 Allow hasPerm to default to current user ID

00097 Advancements in admin_verify technology
We’ve done a large overhaul on the Admin Verification system of UserSpice. We are now allowing pin-based verification which is set when a user hits admin_verify for the first time after this update. The User can reset the PIN via user_settings.php. The Admin can now set if ReAuth is even enabled, and the amount of time in minutes for verification to be checked. This is being done in conjunction with the recent move of reAuth from the DB to Session variables, and eventually once the system is proven, we will build the items into the session variables as a progression to reduce load on the DB.


ADD COLUMN pin varchar(255) DEFAULT NULL AFTER `password`;

ALTER TABLE settings

ADD COLUMN admin_verify tinyint(1) NOT NULL,

ADD COLUMN admin_verify_timeout int(9) NOT NULL;

UPDATE settings SET admin_verify=1,settings.admin_verify_timeout=120 WHERE id=1;

Updates: 69FbVbv4Jtrz

00084 Incorrect redirect after creating a new form

00043 MQTT tables does not load

00091 Omit disabled users from User Management List
We added a new button to the bottom of admin_users.php that can trigger the view of all users

00093 FORCE updates on new install

00055 Link on “Database out of date…” warning not /usersc compatible

00028 Your old password can be the same as your new…

00010 Two FA is not compatible with OAuth currently

00071 Allow destroying of fingerprints
We’ve added a feature into the Two FA Fingerprinting system that allows users to destroy and view fingerprint asset information on manage2fa.php.

00088 Couple of non usersc compatible links

00060 Make the expiry time for $vericode_expiry in join.php a site setting

00061 Delete forms

00083 Limit usersc redirect to only files in the ‘users’ folder

00081 Remove Experimental From backup options

00079 Add and document skip field on displayForm function

00078 Get displaySingleItem update from RFID System

00064 My cloaking got deleted!
We’ve moved cloaking to admin_user.php and made it a users-table permission

00068 Should email_test be UID 1 only?

00072 double checking what should be compared…

00073 Registration – Add Text Letting User Know Link Expires and To Check Their Junk Mail

4.3.18 (From 4.3.17) –  March 29, 2018 – Brandin here! Finally pushing updates on my own 🙂 This is a small update, but focused on baking Admin Verify (reAuth) and Two Factor Authentication a little more.

We moved reAuth out of the database and into the Session Data. This allows for less querying on the database on all of the secure pages. Although very minimal load, every bit helps! This allows means no easy manipulation of this data, which is a good thing, I promise! The other problem with having reAuth stored in the database is it was based on user-account, not user-session. So if you verify yourself on one PC while someone else is using your account maliciously elsewhere, they would then have access to all of the secured pages, defeating the purpose of reAuth.

Two Factor Authentication now has the ability to Fingerprint users and use this as a way to authenticate them. Similar to other systems such as Google and Facebook, your session is Fingerprinted and if you pass two factor authentication, it remembers your fingerprint for 30 days. There is not currently a way to destroy this, but this is still very much a work in progress. If you want to use the Fingerprint anywhere, you can use $_SESSION[‘fingerprint’];.

Don’t forget to report any bugs to the UserSpice Bug Tracker.

4.3.17 (From 4.3.16) –  March 22, 2018 – MUCH appreciation to Brandin, John and the community for having my back on this update.  I’m in the middle of a job change (and move) and everyone has really pitched in to help report and fix bugs and been so patient.  You can view details on any of the bugs by clicking on them.

Not all of the cancel buttons are cross-compatible
Update LoI68El211ON botches update.php
reAuth should be spam-proof
Link on “Database out of date…” warning not /usersc compatible
2FA buttons on accounts.php not /usersc compatible
admin_logs should be sorted by logid not logdate
randomstring isn’t overwriteable
forgot_password link is not cross compatible
_email_adminUser.php spelling mistake
Cron manager page typo
Facebook Login on admin_social should be above the FB settings
Update user: not check for new or old values
Missing return in permissionNameExists function
Facebook login broken
Join redirect got added before loggers again

4.3.16 (From 4.3.14) –  March 12, 2018 –

NOTE: There were a few bugs in the massive code changes for 4.3.15. If you already upgraded to .15 you can download this to just get the changes.

New advanced form builder features (documentation here) give you even more control over your form processing.   We’ve updated our bug tracking to a new custom system built by Brandin.  You’ll soon get even better bug/update tracking. For now, here are the fixes and improvements.

Advanced form processing allows you to do more things between when the user submits the form and the info is processed.
All pages in the /users folder are now usersc compatible. Simply copy a file to usersc and edit way. Don’t edit our core files!
A cookie fix was provided by a user on our subreddit.
2 Validate class updates were provided by gtilflm (aka gtrrewdfszx)
The DB driven menu now properly supports external urls (thanks Slimey!)
You can now specify the sender name and email address in the email function. Note that if you were using that for attachments, you may have to add another parameter to your code.
Brandin fixed a password reset bug that was pointed out by multiple users. Sorry for the frustration there.
The install folder is now deleted on first update.  If you’ve added stuff to this folder, it will fail, which is a good thing.


4.3.14 (From 4.3.13) –  February 18, 2018 – New form builder feature (documentation here) can drastically cut down your development time with forms and tables.  It’s pretty fleshed out, but expect improvements as the community gets its hands on it.  Addresses the following issues from the UserSpice bug tracker.  (Feel free to submit bugs/feature requests to

#067 Patched an array to string conversion issue on login.php
#066 Verify hold patch on verify.php – unable to patch init.php
#063 Reformatted page titles via update.php
#062 Spelling mistake on ACP
#057 Disable 2FA unexpected } fix
#055 2FA was not showing the form if no referrer (which rarely would be)
#054 api/index.php removal of securePage, wrapped with isLoggedIn function, repaired error output
#052 Login logger was double logging, too much logging, too much!
#051 Options tag not closed on _admin_css_settings
#043 messages.php was missing CSRF token check, added
#041 Vericodes needed to be baked more, 15 minute expiry added and is only valid on request
#012 Usernames that are numbers are finally allowed! We have patched this extremely old issue in the Users class
#053 Add Mark Unread option to Admin Notifications

4.3.13 (From 4.3.10,11,or 12) –  February 7, 2018 – Fly Eagles Fly! – Cumulative patch because we’ve done several updates in the last few weeks.

Addresses the following issues from the UserSpice bug tracker.  (Feel free to submit bugs/feature requests to

#007 oauth_success redesign, minor cosmetic changes, added redirect option in usersc/includes/oauth_redirect.php
#008 DB class update, added getColCount and getColMeta
#014 Allow custom hooks in db-driven nav, see usersc/includes/database_navigation_custom_loops.php
#015 Allow custom loops for lognote replacements, done in us_helpers, see helper for more details, you can now replace the lognote with this new helper
#018 2FA is not complete, removed from login page, made standalone, fixed APIs and namespace issues, updated settings included header lock, admin_user disable, and setting to disable and disabled + reset
#019 Disable registration, this highly requested feature is now done, and is compatible with Facebook and Google OAuth! Uses will now see “Registration Disabled” on join.php and the link will be hidden from the header. OAuth users without accounts that sign in from login.php will be greeted with the disabled page as well, and no account will be created. This is controlled from the ACP.
#042 disable autocomplete on admin.php forms to avoid breaking, for security as well
#045 Disable autocomplete on user_settings password fields for security
#046 Master Accounts should override permission_restriction settings, this logic was added
#049 permission_restrictions was being ignored, added logic to admin_user

Notes from 4.3.12 – Lots of bug fixes by Brandin. Probably mostly my type0s.

Admin Verify is now on by default when cloaking.  Cloaking does not cause you to mark your users notificaitons as read.  Fixed a spellign mistake.  Fixed some migration issues.  Lots of notification/logging fixes. Thanks Brandin.

Notes from 4.3.11 – What started off as just grabbing some low-hanging fruit updates, turned into a pretty big update.

– Brandin fixed a lot of nagging bugs like $_GET variables being stripped if the user was logged out and last login not being logged when you use Oauth.
– John made some nice changes to the notification popup and helped with the auto-popup feature.
– New (optional) auto notification popup feature forces open the notification window when a new notification pops up. Great for corporate environments where notifications can be critical.
Security Update – Cron jobs are now disabled by default and your existing ones have been disabled until you step through a security hoop.  You will get a notification when you run the update.php and one will be on your cron manager.

Please note, due to database changes, you need to run update.php, which you’ll be reminded to do when you visit the admin panel.

4.3.10 (From 4.3.9) –  December 12, 2017 – New Cloaking feature! Note that this is not the final UI experience, but we wanted to get the feature out there so people can play with it. As it stands right now, if your user id is in the $master_account (as defined in users/init.php) you have the ability to “cloak” into another user.  There is a lot of discussion about how to make this feature convenient, yet still relatively difficult to implement so you don’t give it to someone by accident, hence hard coding the user id’s you want to be able to use it in init.php. The same thing goes for the backup feature. Please understand that giving someone access to the backup feature allows them to fully export your source code and your database, so it’s REALLY important that you don’t take this power lightly.   Let’s discuss in the forums.  Lots of other bug fixes. Thanks to Brandin and gtilflm for all their help.  Gtilflm came up with the proof of concept to make the whole cloaking thing work.

4.3.9 (From 4.3.8) –  December 2, 2017 – Make sure you update to 4.3.8 and run its update.php file before you go to 4.3.9 as this version gets rid of a lot of patches which patched other patches. If I’m feeling ambitious, I may make a patch straight from 4.2.11/12 to 4.3.10 or something so people don’t have to step through the bugs from previous version. They’re not terrible, but it’s good to see 4.3 being more “battle tested” by all the people who are putting it through its paces.

-Fixed a bug where users were asking to re-verify their password immediately after logging in.
-Fixed a bug where the time was not being correctly entered on notifications for some users in some circumstances.
-Fixed some code that should have been commented out (only affected certain versions).
-Cleaned up update.php.
-Made several changes to the fresh install sql file (does not affect updaters).
-Fixed an error where valid users were being incorrectly logged as banned. They weren’t actually banned, it was just showing up in the logs that they were.
-Fixed migrations.php so users are alerted in the admin dashboard if they have migrations that have not been run yet.  In the past, people would forget to run that and then wonder why the heck this garbage software is running so bad.  This give puts the blame on you, the end user, where it belongs 🙂

4.3.8 (From 4.3.4,5,6,0r 7) –  November 27, 2017 – YOU MUST run users/update.php to get the latest db updates.  You should be LOGGED IN when you run this update.  If you’re not, edit your update.php file by temporarily deleting or commenting out line 5 (the securePage function).

Cumulative update.  Lots of stuff in here.  The skeleton of a password strength meter and Google 2 factor authentication are here and are available to play with, but they aren’t fully ready.  To play with 2fa, you have to go into the settings table manually and change twofa from 0 to 1.  Many thanks to gtilflm and Jeff and Brandin and Quackles and Trioxin and all the other people in the forums who have been working hard to making UserSpice great.  It’s coming along. I’m sure there will be some bug fixes. There are lots of code changes in this one and it was a very stressful one at that, so expect a .9 somewhere in the next week.  

4.3.4 (From 4.3.2 or 4.3.3) –  November 16, 2017 – Lots of bug fixes.  Lots of database changes, so be sure to back up first.  Thanks for everyone’s contributions and patience!

-Added sorting and fixed resort on admin_users.php -Added lock to show if use is permissions = 0 or 1 on admin_users.php -Added page name to admin_pages.php -Changed _admin_stats ucfirst to echousername -Fixed bug with cron_manager links and cron not logging after certain amount of crons -Was missing title from fetchAllPages helper -Fixed a bug where last_confirm was not updated on login -Changed the design of admin_logs to use built in paginate -Fixed bug with multi-calls on admin_logs_manager, removed unusable enable/disable button, removed table-responsive div class as it was causing an extra horizontal scrollbar -Fixed a bug where SQL was not able to import settings as DEFAULT was not defined

4.3.2 (From 4.2.11/12 or 4.3.0/1) –  November 11, 2017 – This is a major milestone and is a massive update from 4.2.11.  Absolutely backup your database and your files.  Dumping all the files from this patch will immediately break your site.  Simply navigate to your site and you will be walked through the upgrade process.  Depending on how you “got” to version 4.2.11, you may be asked to make some changes (simplifications) to your users/init.php file.  Things like your recaptcha keys, copyright notice, and other settings that really didn’t need to be in init.php are now in the settings table of the db.  Feel free to ask questions in the forums.  More and more documentation will be coming out soon. Enjoy and thanks to everyone in the community who supported the project. NOTE: If there are weird issues with dates and times on crons, logs, or notifications, those will be fixed soon. We just had get out patches to make sure everyone has the tables themselves. After that, we can make the proper schema and logic adjustments. Note2: If you are updating from UserSpice 4.3.x, you will get warnings that tables already exist when you run patchme.php. That’s fine. You’ll lose some logs, but they’re new, so it shouldn’t be a problem.

UserSpice 4.2 Patches

4.3.12 (From 4.2.12) –  February 3, 2018 – This is the big one! Bypass all the early hiccups with 4.3 and go straight to 4.3 stable. READ THE INSTRUCTIONS and follow them in order. Backup everything. I’ve tested this on a bunch of 4.2 installs, but you never know.

4.2.12 (From 4.2.11) –  November 11, 2017 – Security update!  We added a few security features to the password reset feature just to make things a little safer.  Vericodes are now longer and alphanumeric.  Note that even more robust features are coming in 4.3.1, but we thought everyone should have this patch. NOTE: There is a file that will go in your root called vericode.php.  This will update all your existing vericodes to the new format. It’s not 100{3bc1fe685386cc4c3ab89a3f76566d8931e181ad17f08aed9ad73b30bf28114d} necessary but is a really good idea. Just go into your dashboard and click admin pages to get it into the system. Set it as admin only. Run vericode.php and then delete vericode.php.  To give you an idea, the current 6 digit numeric vericode could have been brute forced at 18.52 mins online (with a rate of 1000 guesses per second hitting your webserver, on average they would get in at 9.26 minutes).  The new code takes 4.01 trillion centuries at 1000 guesses a second.  Even a massive attack of 100 Trillion guesses a second would take 40.08 centuries.

4.2.11 (From 4.2.10) –  September 9, 2017 – Fixed two Facebook login bugs.  One fixed by user jdmfarms. Thanks for that.  Karsen fixed a search.js bug. Bladerunner fixed the pesky master account not found bug.  Enjoy everyone.

4.2.10 (From 4.2.9) –  August 13, 2017 – Relatively lightweight patch with improvements provided to the backup system by Firestorm and some SB Admin css edits as requested by Haydentech.  Note that since 4.3 and 4.2.x developments are occurring at the same time, I’m generally only pushing out updates that give additional usability to 4.2.x.  4.3 will be a (relatively) painless upgrade (fingers crossed) that provides lots of cool new features.

4.2.9 (From 4.2.6 or 4.2.7 or 4.2.8) –  July 2, 2017 –

BE SURE that admin_pages shows admin_backup as private and admin only after running the patch.

New backup feature provided by Firestorm.  Please not that this feature is EXPERIMENTAL. There is a readme file that explains that you need to make a modification to your init.php and run the patchme.php file.  If you are coming from 4.2.6 or 4.2.7, you also need to simply visit the admin_pages.php page in the dashboard so it can find your maintenance.php file. It should be public.

Right now the backup everything feature will recursively backup your backups. This is a problem that I’d like to look into as a community. None of my quick and dirty solutions worked.  You can find this feature by going to the admin dashboard and click the link at the top, right next to the check for updates link.

I know there are other things on my todo list. Lots of bug fixes and things like that, but they require more testing than I can do at the moment.  Slow and steady we’ll get to this stuff.

4.2.8 (From 4.2.6 or 4.2.7) –  June 8, 2017 – Community issued patches. Thanks everyone! Again…busy season, just happy to have people in the community helping so much.  These are the “low hanging fruit” patches. There are 4 or 5 (non-critical) patches in my bug tracker that I’m working on, but I don’t have time to write a database patch right now plus I have features I want to add at the same time.

PLEASE NOTE: You must go into the admin panel and click admin pages so your database can find the new maintenance.php file.

Lots of great stuff from user Firestorm.  A great update to the maintenance mode and a fallback for jquery when the cdn doesn’t work. I need to get these fixes for bootstrap too.

User Jeff squashed the bug which was giving extra slashes.  Thanks Jeff!

Muhammedc tracked down a jquery bug in helpers.php.

4.2.6 (From 4.2.3 or 4.2.4 or 4.2.5) –  April 18, 2017 – Lots of little patches. Thanks to all the users who submitted this stuff (Brandin, Trioxin).  Here’s a quick rundown.

Note: April – August is the busiest time of year for me in Alaska so I’m going to be concentrating on bug fixes rather than adding new features for the most part.
Note2: 4.2.4 was a botched release. Sorry about that.  Just apply this patch and you SHOULD be good to go.
Note3: 4.2.6 fixes a bug in user_settings.php  in 4.2.4 & 4.2.5.  If you already have 4.2.5 you, you can just update that one file along with users/includes/user_spice_ver.php

-Front end users are now forced to abide by your min/max password rules when editing passwords AFTER their account has been created.
-Admins can now edit passwords in admin_user.php
-A bug has been fixed in the “recent users” section of the admin panel if a user showed up in the list whose account has been deleted.
-A bug has been fixed for users who were redirected to the login page after being denied access
-A bug has been fixed regarding validation errors
-The bug for users who fail to check the terms and conditions box has finally been fixed. Sorry about that.

4.2.3 (From 4.2.2) – March 10, 2017 – SECURITY UPDATE – As part of our release update, our software is audited by a 3rd party looking for vulnerabilities.  Last full review was 4.1.8.  This one found some very minor bugs, but still worth fixing.  1 clickjacking vector was fixed in the header.  Also, now that js/css are being called from various CDNs, it is important to have integrity checks in those calls to make sure the code is not being modified by a man in the middle. This was fixed for all 3rd party CDN calls.  Additionally, I decided to change input fields from “text” to “password” for sensitive information in the admin dashboard and email settings to prevent people from seeing passwords. Note that out of necessity, these passwords/keys are stored in the clear in the database itself.  AND FINALLY – I think I found a universal fix for content sliding up under the header when resizing the screen.  Just in case it breaks stuff for you, this code is called in usersc/includes/bootstrap_corrections.php.  You can put whatever you want in there and it will be injected into the header.

4.2.2 (From 4.2.1d,e,f, or g) – March 6, 2017 – Rollup of previous bugfixes as well as new features.   Most of these changes primarily affect new installations by default but with a few changes in your init.php file, you should be up to speed.

Note: If you are upgrading and want to take advantage of the “Master Account” / Site offline feature, you must add the line…
$master_account = [1];
to your users/init.php file. This allows you to take your site offline to the public and still allow you to visit it for testing. Any user id’s you want to be able to visit the site should be listed in that array.

New features:

New Check For Updates feature is built into the admin dashboard. This feature will be more automated over time. Because of this, version numbers will no longer have letters.

Master Account lets you mark the sign offline to everyone except the users whose ids are in the $master_account array in the init. Those users just see a warning message that the site is offline. login.php is always online.

Timezone is now set during installation.  Existing users should consider changing their timezone in  users/init.php unless you happen to live in Toronto.

Recaptcha is now fully disabled by default on installation (as opposed to only on join as it was before).


4.2.1g (From 4.2.1d OR 4.2.1e or 4.2.1f) – March 2, 2017 – Rollup of bugfixes for version d,e, and f.  Fixes header/footer bugs. Fixes a messaging bug in some browser versions.  Hopefully will fix some issues some users were having on some servers with jQuery. Removed double jQuery call in join form.  Just overwrite the files and you’re good to go. Please give feedback in the forums.
New Feature: There are 2 new scripts in usersc/scripts. They allow you to take control over what happens if a user bumps into our “not logged in” or “doesn’t have permission” checks.  You can do anything from database updates to redirecting them somewhere else. The sky’s the limit.

4.2.1d (From 4.2.0 any version) – February 20, 2017 – New experimental message system. Ability to alter echouser function. Ability to allow username changes. Ability to have recaptcha for join form only.  This is a BIG update with a very complicated patch. PLEASE backup your files and database just in case.  Note, users of 4.2.0 final or 4.2.0b should run patchme420.php.  Users who were on a previous version of 4.2.1(rare) should run patchme421.php to fix a minor bug.

4.2.0b (From 4.2.0 Final) – February 18, 2017 – Bug fixes found by users after installing 4.2.0. Primarily around Facebook Oauth and showing the words UserSpice instead of your site_name as defined in the database.
4.2.0 Final (From 4.1.8c OR 4.2.0 Beta) – February 13, 2017 – Significant improvements from the “Release Candidate” below. See for documentation.   Expect to spend about 10-20 minutes getting the credentials for the social logins setup.  They’re all disabled by default.

1. Backup your files and database and anything that’s important to you.
2. If you have not upgraded to at least version 4.1.8c, do that before running this patch.
3. Copy all the files to your server, overwriting existing files.
4. Patch your database
a. If you’re running version 4.1.8c run patchme418.php (ignore all errors)
b. If you’re running version 4.2.0 beta, run patchme42beta.php (ignore all errors)
5. Delete both patchme files for security reasons.
6. Enjoy

4.2.0 Beta (From 4.1.8c) – November 27, 2016 – Beta but Stable – This is the release candidate for version 4.2.  It includes Facebook and Google social logins. See for documentation.   Expect to spend about 10-20 minutes getting the credentials for the social logins setup.  They’re all disabled by default.

Note: YOU MUST PATCH YOUR DATABASE by running the patchme.php file in the root folder. This will give your database the default spaces to store all the new settings.

Note2: Because no data is migrated (i.e. changed) in this update, you can replace the changed files with ones from 4.1.8c to roll back your install even after patching the database. No harm no foul if you don’t like it.

Also added in 4.2…

  • Password rules are now stored in the database with a new strength meter from user gtilflm (Note that symbol rule is suggested, not enforced).
  • Hooks have been put in for version comparision and automatic update detection.
  • Force SSL/HTTPS is no longer considered experimental
  • Admin pages is now a little clearer (red and green colors) if a page is private or public…thanks to picassoo for this.

UserSpice 4.1 Patches

4.1.8c (From 4.1.8b) – November 6, 2016 – Recommended Several bug fixes. Just unzip over your current install and replace files. Backup your stuff first. WARNING: if you are using the analytics.php file, this update will overwrite your customizations.  The main problem was bad commenting in the file.  You should probably just fix it manually. It’s a new feature, so I’m sure it’s not widely used yet.

install/install/includes/sql.sql – Not for upgraders, but new installers get cleaned up default sql with all the ids starting down low where they belong. Several useless things removed and proper auto-increments.
users/join.php – Got rid of ‘company’, reduced min username to 2.
users/views/_join.php – Got rid of ‘company’, reduced min username to 2.
usersc/includes/analytics.php – Fixed a bug that showed up in various annyoing ways on different systems. Caused AJAX and Headers Already Sent Errors.
users/includes/user_spice_ver.php – Obligatory


4.1.8b (From 4.1.7b) – October 31, 2016 – Super Strongly Recommended – I have had various people try to pound on UserSpice 4.0 and 4.1 and try to break things over the past 9 months, but I decided to do a full on pentest/secturity audit from several different automated firms.  There’s good news.  There isn’t a ton of “the sky is falling” stuff in the old code, but I’ve cleaned up a lot of stuff (with PLB’s help) that will make your code more secure.  NOTE: I will be posting the full methodology and report and outstanding issues in a separate post.  For now…just update.

What you need to know:  Various new .htaccess files have been added. Bootstrap and FontAwesome have been updated to the latest versions.  If you use the custom scripts in the usersc folder, don’t go overwriting your scripts willy-nilly. They were, however, what was causing the extra /’s in the urls.  I’ve fixed that. More details to come, but this is a BIG update with lots of files.

What’s optional: The /usersc stuff and the css/js/fonts files are all optional, but adding the .htaccess files are strongly recommended if your server has directory listings turned on by default

4.1.7b – (From any version 4.1.3,4.1.4,4.1.4b,4.1.5,4.1.6,4.1.6b, or 4.1.7 )October 22, 2016 – Strongly Recommended – This patch includes everything in the one below, but also includes these bug fixes.

users/user_settings.php – A missing = sign was causing email addresses to become not verified even if email verification was turned off. This was a problem because if this happened, the user had no way to verify. Many thanks to Kighlander for finding this bug.
users/admin_users.php – Admins can now create usernames as short as two characters.  I also added back the automatically generated profile for new users.
users/includes/user_spice_ver.php – Gives you peace of mind that your UserSpice is up to date.

4.1.7 – (From any version 4.1.3,4.1.4,4.1.4b,4.1.5,4.1.6,or 4.1.6b)October 19, 2016 – Strongly Recommended – Let’s just pretend that version 4.1.6 never happened, mmmkay?   This is a complete rollup release of all updates to take ANY userspice version 4.1.3 or later all the way up to 4.1.7.  The individual issues below are listed. This release in particular finally addresses encoding issues and has been thoroughly tested for email verification, password resetting, and all things email. If there is a use case I’ve missed, please let me know. It also fixes an unlikely but possible edit_profile.php bug. Much thanks to Nikolai, Sebastian, PLB, and Brian for pointing me in the right direction on this stuff.

4.1.6b – (From 4.1.5) – October 16, 2016 – NOT Recommended – Fixes a bunch of bugs found in the forums.   NOTE: To install this patch, unzip the patch over your current install, it will overwrite the following files.

Many thanks to everyone in the forums who submitted bugs and often bug fixes. You make patching this project MUCH easier.

Note: If you downloaded the “original 4.1.6 and you are missing some navigation links, just steal the navigation.php from this package”

This is a substantial bugfix, usability fix, and new feature release.  A post in the forums will give a little more info behind some of this stuff.

userc/includes/analytics.php – Added a place to put your custom Google or other Analytics code.
usersc/includes/custom_functions.php – Added a place to put your custom helpers/functions.
users/admin_users.php – When creating users in the backend, users who were created with a permission level other than “user” (such as admin), were not given “user” permission by default. This is fixed.
users/classes/Redirect.php – Added support for PLB’s redirect with a message feature and custom redirects.  More on this in the forum at the post listed at the top of this bugfix.
users/classes/User.php – session_unset and session_destroy are now part of the class on logout.
users/edit_profile.php – It is possible that some users who upgraded may not have received this fix, so I’m re-pushing it out.
users/forgot_password.php – Fixed overzealous use of rawurlencode. Changed rawurlencode to urlencode.
users/helpers/language.php – Added an error message that was missing for manual account creation.
users/helpers/us_helpers.php – Added PLB’s redirect, custom functions, and custom analytics.
users/includes/header.php – Test feature  – if an err get message is found in the url, it is sanitized and displayed.
users/includes/navigation.php – Capitalized the first letter of the username in the navigation bar – WARNING, if you’ve modified your navigation php, do not install this file or it will overwrite your changes.
users/includes/users_spice_ver.php – If you’re rocking 4.1.6, you should see it in the admin panel. Major upgrade over the previous version of this file.
users/join.php – Lowered required username length to 2 for people who like to keep things simple or have names like Bo or Jo.
users/login.php – Put in the groundwork for AfterLoginGoto feature
users/user_settings.php – Corrected minimum password length to 6 as pointed out by user Angel.
users/views/_email_template_forgot_password.php -Fixed underzealous use of rawurlencode. Changed regular to raw.
users/views/_join.php – Starred currently required fields.

4.1.5 – (From 4.1.4b)September 11, 2016 – Recommended – Fixes a bunch of bugs found in the forums.   NOTE: To install this patch, unzip the patch over your current install, it will overwrite the following files.

Many thanks to PLB, Brian, and Anphung for the bug reports and patches.

users/_blank_pages/project_root.php – Fixes a bug where the securePage function was commented out by default
users/classes/Config.php – Adds a return false if no configuration data is found
users/classes/Input.php – Allows the input::get function to process arrays.
users/includes/user_spice_ver.php – Lets you know that you’re now rocking 4.1.5
users/admin_users.php – Fixes yet another bug when you delete a user. This bug only showed up on certain configurations.
users/email_test.php – Better formatted email test and notes on debugging email configuration courtesy of PLB
users/forgot_password.php – We are now properly encoding email addresses to deal with people who have non-traditional addresses.
users/join.php – We are now properly encoding email addresses to deal with people who have non-traditional addresses.
users/user_settings.php – Added an explanation of how to change your profile pic.
users/verify.php – Changed line 27 to Redirect::to($us_url_root.’users/verify.php’); for people who were having verify redirect issues. Feel free to hard code this with something else if you need to.
users/verify_resend.php – We are now properly encoding email addresses to deal with people who have non-traditional addresses.

4.1.4b – (From 4.1.3)August 29, 2016 – Recommended – Fixes a bunch of bugs found in the forums.   NOTE: To install this patch, unzip the patch over your current install, it will overwrite the following files.

users/email_settings.php (your settings are safe in the database)
users/user_settings.php (again, your settings are safe)

Many of these patches are documented at  <a href=”″>Debugging With Dan</a>.

Bugs Fixed
-User was required to verify email even after resetting password (which requires proof of email).  Forum Discussion here. Credit: user plb
-Verify.php link was wrong – Forum Discussion here.  Credit: user plb.  Video here.
-Bio was not being created when a user was manually created.  Sorry, I can’t find the original post to give credit 🙁  Video here.
-Email settings not being saved before testing. Forum Discussion here.  Credit: user plb.  Video here.
-User was able to (after verifying once) change their email address to anything.  Forum Discussion here. Credit: user plb. Video here.
-User could change username even if it was supposedly disallowed. Forum Discussion here. Credit: users plb and firestorm.  Video here.
-Error messages popped up when deleting a user since the manual user creation feature was added.   Forum Discussion Here. Credit: user firestorm. Video here.

PLEASE NOTE: There are a few more usability features coming soon.  I decided to break these bugs out so we could fix errors in this release and add features in the next one.

4.1.3 – (From 4.1.2)July 24, 2016 – Recommended – Fixes a few random database and usability bugs found in the forums. Gives better (working) guest tracking.  Also allows admins to create new users in the admin_users panel without having to walk through the join process.  NOTE: To install this patch, unzip the patch over your current install, it will overwrite the following files.

IN ADDITION: you also need to run the patchme.php file to make a quick update to your database. It is strongly recommended that you backup your files and your database first.

4.1.2 – (From 4.1.0 and/or 4.1.1) May 22, 2016 – Recommended – Fixes the initial bugs found on release of version 4.1. Updates the user class, various email functions and some built in helper functions. View 4.1.1 changelog here and the 4.1.2 changelog here.

UserSpice 4.0 Patches

(Current version is located in /users/includes/userspice/user_spice_ver.php)
4.0.0f – Note – If your server is blocking your css files after upgrading to 4.0.0f, the fastest fix is to delete the .htaccess files in all the subfolders.  Sorry about that. The same issue could be going on in the beta as well.  We will release a new version ASAP.

4.0.0e to 4.0.0f – April 11, 2016 – Strongly Recommended – This patch adds .htaccess files to folders that probably should have had them.  Your php files were always safe, but it’s nice to shut down people who are playing around with urls.  Also included in this patch is a the ability to block a user.  Simply go to manage users, click a user’s name, select block and update. They will be presented with a banned message.  It’s something we were toying around with on the UserSpice 4.1 alpha and decided to roll out with the security update. This is an in-place update that adds a lot of .htaccess files and then replaces your existing us_helpers.php file, your admin_user file and your admin_user view.  It shouldn’t break anything.  If you get strange errors of people being banned who shouldn’t be, let us know in the forums, but everything has been tested and seems to work fine.  Best of all…no need to update your database. This structure was baked in all along in the users table as “permissions.”  1 is not blocked, 0 (as in zero permissions) is blocked.

4.0.0d to 4.0.0e March 28, 2016 – Recommended – These are relatively simple bug fixes in 4.0 that I wanted to get out of the way before beginning on 4.1.  Thanks to everyone in the forums who is pointing this stuff out.  What’s new? I rolled in that fix to the profile system that has been available for about a month into 4.0.0e.  Also fixed were some ugly errors if someone didn’t enter a username or password or if you created a new page but never added it to the database.  Now UserSpice is much more clear about what’s going on.  Also, “remember me” is no longer checked by default on the login form for security reasons.  There are 2 patches.

OR – This one will take you from ANY 4.0 release up to 4.0.0e.


4.0.0 to 4.0.0d – February 22, 2016Recommended – Apparently menus are hard. Especially conditional ones.  It’s not a security vulnerability, but administrator links were coming up in regular users’ menus. This patch fixes that.  There will be a completely new navigation overhaul in version 4.1, but this is a temporary solution to the problem. It can be unzipped and will work by dropping it right on top of any version of 4.0 from beta through 4.0.0c.

4.0.0 to 4.0.0cFebruary 17, 2016Recommended – This cumulative patch fixes a bug where the user was given a 404 when trying to reset their password from certain pages.  It also removes the version number from the header and puts it in a separate file. This allows us to change the version number without constantly modifying your header files.   You can install this patch on 4.0.0 or 4.0.0b (formerly referred to as 4.0.1). Because this bug could cause a bad user experience, it is recommended.

3.2.0 to 4.0.0 February 1, 2016.  Watch this video for more info…