The Update Process

The fastest way to update modern versions of UserSpice is via the update tool on your dahsboard.  However, if you want to download patches manually, they are here for you. If you want a tool to show you which patches you need (v5.0.7+), visit

Although updates are tested, you're always encouraged to backup your files before patching. 

UserSpice 5 Patches

5.7.4(from 5.7.0+) – June 14, 2024

  • 02022 Updated error display functions (iGriefU) (Dan Hoover)
  • 02014 Messaging plugin updated to v1.0.1 to fix an admin send bug (Dan Hoover)
  • 02008 PHPMailer updated to v6.9.1 for better compatibility with PHP 8.3 (Dan Hoover)
  • 02015 Changed order of redirects for function socialLogin (Dan Hoover)
  • 02016 Updated users/verify.php for better handling of passwordless logins and redirects (Dan Hoover)
  • 02017 removed viewport tag from head_tags so it can be controlled by the templates (Dan Hoover)
  • 02018 Fixed some of the w3c's complaints 🙂 (Dan Hoover)
  • 02019 Fixed password strength meter on admin_user page on dashboard (Dan Hoover)
  • 02020 Fixed broken tooltips on admin dashboard (Dan Hoover)
  • 01514 Clarified API response on successful login (Dan Hoover)
  • 01938 Added hook to api builder to create new api key for user on join (Dan Hoover)
  • 01991 Updated community functions plugin to 1.0.3 with some new functions and php 8.x fixes (Dan Hoover)


5.7.0(from 5.6.8+) – April 26, 2024

Note. This update will re-install all languages and most of the original dashboard widgets. Those things are easily deleted either before or after installing the update.

  • 02001 Updated bin() function to be multilanguage (Dan Hoover)
  • 02002 Created a new userspice_core plugin (auto installed) for migrations. (Dan Hoover)
  • 02005 Fixed bug preventing from builder from creating forms from db tables (Dan Hoover)
  • 01923 Removed timepicker and jqueryui from form builder (Dan Hoover)
  • 02000 updated jQuery to 3.7.1 and datatables to 2.0.3 (Dan Hoover)
  • 01999 Fixed redirect in language switcher to use built in Redirect class (Dan Hoover)
  • 01998 phpInfo and installation system requirements are available to master accounts from the snapshot widget (Dan Hoover)
  • 01983 Every language updated with 6 new strings to support new front end features (Dan Hoover)
  • 01997 Cleaned up helpers in permissions, us_helpers, and users to better match documentation and improve logic. (Dan Hoover)
  • 01992 Updated addPermission function to take an array of either users or permissions or both. (Dan Hoover)
  • 01996 You can now declare $menu_override = 0; to hide the menu on a page (Dan Hoover)
  • 01989 Changed id of username on admin_users to prevent userinfo plugin from overwriting the username on the user manager (Dan Hoover)
  • 01985 Updated login.php to display error messages. If you have a custom usersc/login.php you will probably want to migrate the usmsgblock section (Dan Hoover)
  • 01981 Added the ability to change update track from the update page (Dan Hoover)
  • 01982 Updated announcements badges, storage, and dismissal (Dan Hoover)
  • 01953 Permissions and User Tags now have a description field (Dan Hoover)
  • 01968 New Social Logins Framework for prettier and more consistent OAuth Experience (BangingHeads) (Dan Hoover)
  • 01969 New checkInternet function allows for faster usage of userspice when offline (Dan Hoover)
  • 01971 Updated userspice announcements system lets the system dynamically create announcements to warn of conflicts etc (Dan Hoover)
  • 01972 Link at the bottom of the dashboard lets you view previously dismissed announcements (Dan Hoover)
  • 01973 Updated the plugin manager to use friendlier names in activation messages (Dan Hoover)
  • 01974 Added the ability to remove passwords from user-facing pages so you can solely use Passwordless, OAuth or Passkeys (Dan Hoover)
  • 01975 Added a new feature for users to login with a link sent to their email. (Dan Hoover)
  • 01976 Deleted many $settings db calls. (Dan Hoover)
  • 01977 The javascript for messages.js (upper right error messages) is now being deferred for faster page loads (Dan Hoover)
  • 01978 Password Reset and Passwordless Logins now prepend uniqid() to the vericode (Dan Hoover)
  • 01979 New quick filter features allows you to filter the list of plugins in the plugin manager (Dan Hoover)
  • 01980 Any single row settings table that begins with plg_ can now use the admin settings ajax by adding a data-table attribute to the input (Dan Hoover)
  • 01967 Added some extra logic for cloaking into users whose emails were not verified. Added uncloak button to user_settings. (Dan Hoover)
  • 01941 Icon filled widgets on dashboard can now be overridden by dropping a custom.php file inside the widget and updating the $array (Dan Hoover)
  • 01959 Input::sanitize updated for non English Characters and given 2 new optional params (trim=true, and fallback=false) (Thanks tomu4) (Dan Hoover)
  • 01920 Functions updated to use global $db instead of DB::getInstance() (Dan Hoover)
  • 01965 Renaming perm 1 now updates the documentation on ultramenu to reflect the new name (Dan Hoover)

5.6.8(from 5.6.7) – March 17, 2024

  • 01965 Renaming perm 1 now updates the documentation on ultramenu to reflect the new name (Dan Hoover)
  • 01956 Added a check to see if the user is logged in for the metadata parser (Dan Hoover)
  • 01947 Removed extra closing tags in html footer (bestwmm) (Dan Hoover)
  • 01948 Updated styling on close button for announcement banner on the dashboard (Dan Hoover)
  • 01964 Japanese Language added by bestwmm (Dan Hoover)
  • 01955 Fixed bug in French Language (David) (Dan Hoover)
  • 01962 French language updated to fix Gravatar bug (Dan Hoover)
  • 01963 Ultramenu can now be called by id or the menu name (Dan Hoover)
  • 01961 Badges plugin updated to include categories, custom badge locations, permission badges, tags badges etc (Dan Hoover)
  • 01960 forgot_password.php now allows you to override the individual views in usersc/views (Dan Hoover)
  • 01951 Fixed footer not being properly included in admin.php (Dan Hoover)
  • 01949 Fixed an error in prep.php regarding the fallback template (Dan Hoover)

5.6.7(from 5.6.6) – January 19, 2024

  • 01931 Forgot password link is no longer shown if the default username/password are set on the email settings (Dan Hoover)
  • 01904 The main dashboard has been modularized for upcoming features such as custom dashboards (Dan Hoover)
  • 01618 Simplified user settings (Dan Hoover)
  • 01944 Added some padding to plugin manager (Dan Hoover)
  • 01595 Membership plugin updated to 1.0.7 (Dan Hoover)
  • 01891 Merged with 1859 (Dan Hoover)
  • 01859 Fixed organization management on SAAS plugin (Dan Hoover)
  • 01688 Fixed user management on SAAS plugin hook (Dan Hoover)
  • 01943 Fixed spacing on uncloak button on account page (Dan Hoover)
  • 01892 Downloads plugin updated to 1.0.3 to fix an undefined variable (Dan Hoover)
  • 01588 Demo plugin updated to 1.0.9. You can now specify your plugin icon in the menu (Dan Hoover)
  • 01822 Published codesnippets 1.0.3 (Dan Hoover)
  • 01925 Webhooks plugin updated to 1.0.3 to fix a link and better document. (Dan Hoover)
  • 01332 Uptime Plugin updated to 1.1.5 – Added an additional curl option for reliability. (Dan Hoover)
  • 01942 Moved email confirmation to on join to after POST plugin hook so plugins can kill the join process before the email is sent. (Dan Hoover)
  • 01675 SpiceBin updated to 1.0.2 to fix bug for non logged in users (Dan Hoover)
  • 01900 Added 3 additional functions to usertags 1.0.2 (Dan Hoover)
  • 01819 Cron plugin updated to 1.0.2 with additional documentation. (Dan Hoover)
  • 01896 Updated summernote in the plugins that use it (Dan Hoover)
  • 01901 Fixed plugin hook bug for disabled/deleted plugins (Dan Hoover)
  • 01907 Confirmed that json DB columns do not appear to be a problem for userspice. (Dan Hoover)
  • 01914 Deprecated Hash::salt method (Dan Hoover)
  • 01915 Resolved duplicated in the userspice documentation (Dan Hoover)
  • 01932 Added class gravitar-message so the message can be hidden. (Dan Hoover)
  • 01933 Added class profile-replacer to user_settings profile pic (Dan Hoover)
  • 01936 GDPR Plugin Updated to v1.0.7 (Dan Hoover)
  • 01935 Forum plugin updated to 1.0.5 and given a visual refresh (Dan Hoover)
  • 01930 Added sidebar_menu_id to NEW installs of UserSpice 5.6.6+ (Dan Hoover)

5.6.6(from 5.6.5) – November 19, 2023
Note 5.6.5 sat in Bleeding Edge for a long time, so that's why 5.6.6 was given a separate release just a few days later.

  • 01912 Added the ability to have a different dashboard sidebar menu from the top if you specify $sidebar_menu_id in dashboard_overrides (Dan Hoover)
  • 01913 Adjusted styling on Dashboard filter bar for mobile (Dan Hoover)
  • 01917 Removed stray var_dump from admin_plugins that was visible during a redirect (Dan Hoover)
  • 01918 Fixed some tooltips on the settings pages (Dan Hoover)
  • 01919 Added a message to Registration settings explaining where to setup email verification (Dan Hoover)
  • 01922 Added support to UltraMenu to allow user tags to control access to menu items (Dan Hoover)
  • 01924 Updated Validate class to cross check email and username on unique and unique update (Dan Hoover)
  • 01929 Added screen reader mode to UltraMenu to hide/show a fallback word on menu items with no labels (off by default) (Dan Hoover)
  • 01927 Updated Profile Pic Plugin to v1.0.6 (Dan Hoover)
  • 01928 Added profile-replacer class to profile pic so it can be targeted with css, javascript or the profile pic plugin (Dan Hoover)

5.6.5(from 5.6.4) – November 15, 2023

  • 01894 Slovenian Language added to new installs v5.6.5+ – Thanks Jug! (Dan Hoover)
  • 01902 Plugins widget updated for compatibility with the dashboard filter. If you deleted the widget, you will need to delete it again. (Dan Hoover)
  • 01888 Logged in Username string substitution in the menu can now be prepended or appended with other text. (Dan Hoover)
  • 01911 New hed($string) function added to thoroughly html entity decode stubborn text. (Dan Hoover)
  • 01910 if you use dashboard_override to set sidebar menu to true and hide top menu to true, you can add a file to usersc/views/_admin_sidebar_fallback_menu.php to override the "fallback" menu (Dan Hoover)
  • 01908 Updated Menu class and menu editor for better handling of snippets. Existing snippets could break slightly and may need to be minified. (Dan Hoover)
  • 01886 Page links in admin_page view are now clickable (Bobby) (Dan Hoover)
  • 01909 Added new isDebugModeActive() function to see if US debug mode is active for the logged in user (Dan Hoover)
  • 01905 Debug mode now throws stack trace on dump and dnd calls to tell you where they were called from (Bobby) (Dan Hoover)
  • 01890 Preventing cloaking into unverified and blocked users (Dan Hoover)
  • 01893 Added ipCheck for consistency to user class (Benedikt) (Dan Hoover)
  • 01899 Add filter to dashboard (Dan Hoover)

5.6.4(from 5.6.3) – October 16, 2023

  • 01862 Fixed bug in French language and updated language pack to 1.1.2 (Jeff B) (Dan Hoover)
  • 01811 Removed strong and paragraph tags from language files (Dan Hoover)
  • 01872 Made password reset views more responsive (Dan Hoover)
  • 01874 Fixed view password eye on user_settings (Dan Hoover)
  • 01877 Menus now allow you to override the light/dark theme (Dan Hoover)
  • 01879 null coalescing IP if remote addr not set in ipCheck() (BangingHeads) (Dan Hoover)
  • 01883 Fixed dropdown not closing on page click (NES Collector, BangingHeads) (Dan Hoover)
  • 01884 Updated cancel button on user_settings (Dan Hoover)
  • 01880 Added an extra measure to prevent permissionless menu items (bobby) (Dan Hoover)

5.6.3(from 5.6.1) – June 29, 2023
5.6.2 was an internal release.  5.6.3 is the long term stable release.  It's not an urgent update but does fix a few bugs and adds a few nice features.

  • 01868 Fixed closing snippet div on ultramenu (Thanks Ivo) (Dan Hoover)
  • 01860 Spice shaker now shows the current version installs and updates the buttons for better UX (Dan Hoover)
  • 01858 Fixed some bugs to allow userspice to survive usersc/includes/dashboard_overrides not being writeable. (Dan Hoover)
  • 01863 Added support for those who want to update all 100 versions from 4.3 to 5.6 by fixing a missing table. (Dan Hoover)
  • 01864 Now recording the modified date if someone tries to update their user settings. (Dan Hoover)
  • 01865 Removed a stray user_spice_ver file in usersc (Dan Hoover)

5.6.1(from 5.5.7 – 5.6.0) – June 10, 2023
Versions 5.5.8-5.60 were treated as internal/developmental releases.  5.6.1 is the long term stable release.

  • 01853 Updated is_writeable check on spice shaker to prevent false error (Dan Hoover)
  • 01854 Added the ability to have always visible mobile icons and usersc/includes/hooks/mobile_hooks (Dan Hoover)
  • 01856 Fixed examples for offsetDate function (Dan Hoover)
  • 01851 Fixed ultramenu snippet selector dropdown (Dan Hoover)
  • 01846 Spice shaker is performing a different is_writable check for better compatibility with nginx (Dan Hoover)
  • 01845 Email function allows you to now specify an authtype. (Dan Hoover)
  • 01848 You can now pass an array of email addresses to the email function $to variable (Dan Hoover)
  • 01849 Fixed a php 8.1 data type error in function money (Dan Hoover)
  • 01850 Benchmarking plugin updated to v.2.0 (Dan Hoover)
  • 01844 Chat plugin updated to v1.0.2 for better z-index and us_url_root conflicts. (Dan Hoover)
  • 01840 Fixed UI for dashboard access (Dan Hoover)
  • 01837 Fixed the 2000 users message in admin_users (Dan Hoover)
  • 01843 Fixed unnecessarily slow query in join.php (Dan Hoover)
  • 01823 MySQL expert plugin updated to 2.0.1 with ui improvements and the ability to save queries without executing them. (Dan Hoover)
  • 01825 Store plugin updated to v.1.0.0 with a minor code cleanup and bugfix (Dan Hoover)
  • 01804 You cannot delete permissions 1 or 2 (pushed in 5.5) (Dan Hoover)
  • 01633 Removed calls to fetchUserDetails on the admin_user page (Dan Hoover)
  • 01808 Resolved a bug in how snippets are parsed in UltraMenu (Dan Hoover)
  • 01834 Fixed some undefined variables and minor bugs in us_helpers.php (Dan Hoover)
  • 01835 Deprecated mqtt function (Dan Hoover)
  • 01812 Cleaned up some functions in permissions.php (Dan Hoover)
  • 01815 Updated html_footer to allow usersc/includes/footer.php to truly include inside the footer. (Dan Hoover)
  • 01816 Fixed translated edit account info button on account.php (Dan Hoover)
  • 01818 Updated admin_menu to provide full path to the css in case the view is cloned to usersc (Dan Hoover)
  • 01833 Added hook to the bug reporter to return back to your project after visiting the userspice site (Dan Hoover)
  • 01829 Explained on UltraMenu that a tags are automatically closed on brand html (Dan Hoover)
  • 01826 Updated some rarely-used column types on settings and users to save space (Dan Hoover)
  • 01827 Fixed UltraMenu link bug which ignored the link target (Dan Hoover)
  • 01828 Updated UltraMenu code usage examples to show how to override a menu on a page (Dan Hoover)
  • 01830 The IP manager prevents you from blacklisting your own IP. (Dan Hoover)
  • 01831 Dan took a water break. (Dan Hoover)
  • 01832 SaaS Plugin updated to 1.0.4 (Dan Hoover)
  • 01677 Updated hasher plugin for compatibility with left sidebar menus (Dan Hoover)
  • 01807 Alerts plugin updated with a new default style and shoelace.js (Dan Hoover)
  • 01821 Uptime plugin updated to fix datatables error (Dan Hoover)
  • 01806 User Manager will now properly display a warning about disabled features for high user counts (Brandin Arsenault)
  • 01699 Provided a json header on the returnError function (Dan Hoover)
  • 01693 Added the ability to manage pages from the permission manager (LBC) (Dan Hoover)
  • 01690 Fixed bug where padlock on user manager was not changing for banned users (Telnz) (Dan Hoover)
  • 01689 Added fallback menu labels for ultramenu items without labels (Dan Hoover)

5.5.7(from 5.5.3 – 5.5.6) – February 27, 2023
Versions 5.5.4-5.5.6 were treated as internal/developmental releases.  5.5.7 is the long term stable release.

  • 01671 Fixed issue where link target was not being shown in the ui of the menu builder (Dan Hoover)
  • 01674 Added show password eye on login. (Dan Hoover)
  • 01670 Fixed a bug where html branding was not being shown on manually inserted menus (Dan Hoover)
  • 01672 Fixed a bug when creating a new menu (Dan Hoover)
  • 01653 Added class "alternate-background" to many divs to allow them to be targeted when default background colors clash with templates (Dan Hoover)
  • 01669 Fixed issue with debug modal not popping on admin logs (Dan Hoover)
  • 01667 Fixed bug where dropdowns were not being populated on form updates (SeemsLikeChris) (Dan Hoover)
  • 01609 Resolved a bug in form builder where views were not ignoring validation for fields that were not being displayed (Briadark) (Dan Hoover)
  • 01644 Resolved several ux issues in the form builder plugin (Dan Hoover)
  • 01650 Protected Downloads plugin updated to support UserSpice 5.5+ (Dan Hoover)
  • 01654 Fixed error not being properly displayed for case unique in validation class (Renato) (Dan Hoover)
  • 01662 Fixed join form not showing validation errors (Renato) (Dan Hoover)
  • 01661 General settings now contains the option to load all users on the user manager and provides a search engine instead. (Dan Hoover)
  • 01660 Added the ability to highlight active menu items (Gamine) (Dan Hoover)
  • 01655 Removed deprecated php function call from time2str function in us_helpers (Dan Hoover)
  • 01652 Restored accidentally removed body plugin hook on account.php (Dan Hoover)
  • 01641 Both menu builders now display a warning if you've turned DB navigation off in general settings. (Dan Hoover)
  • 01645 Removed permission delete button on main permissions screen (Dan Hoover)
  • 01646 Fixed some issues with the cron manager and oce that were preventing cron edits from saving. (Dan Hoover)
  • 01541 Fixed an issue regarding changing CMS subcategories to parent categories. (Dan Hoover)
  • 01540 Resolved a discrepancy on how widgets are loaded in the cms plugin. (Dan Hoover)
  • 01647 Fixed broken dropdowns in cms plugin (Dan Hoover)
  • 01594 URL encoding error fixed with pr 25 (Dan Hoover)
  • 01640 Fixed bugs in admin page preventing the toggling of public and private (Dan Hoover)
  • 01619 Updated plain template navbar (Dan Hoover)
  • 01630 Duplicate dbmenu.php functions were removed from us_helpers.php (Dan Hoover)
  • 01627 Updated spice shaker for enhanced template info and visuals (Dan Hoover)
  • 01639 backup_util.php has been deprecated to usersc/includes/deprecated (Dan Hoover)
  • 01631 The Notification class has been deprecated but is still being auto-loaded for current installs via users/ (Dan Hoover)
  • 01636 Deprecated audit.php file to users/helpers/deprecated.php (will not autoload because they were not loaded at the time of deprecation) (Dan Hoover)
  • 01635 Fixed an issue where deleting users failed (Dan Hoover)
  • 01632 ui has been updated for a better user experience (Dan Hoover)
  • 01638 Template manager updated to show bigger/better thumbnails and enhanced accessibility (Dan Hoover)
  • 01626 Dashboard widgets only drag from the header for a better mobile experience (Dan Hoover)

5.5.3(from 5.5.2) – January 10, 2023

  • 01621 Resolved styling issues with login modal and social logins (sam) (Dan Hoover)
  • 01624 Fixed styling on login close button on bootstrap 4. (Dan Hoover)
  • 01623 Fixed some settings ui issues (Dan Hoover)
  • 01622 Fixed PHP 7 errors and updated some logic on permission management (Dan Hoover)

5.5.2(from 5.5.1) – January 7, 2023

  • 01602 Moved logos to usersc/images from users/images (Dan Hoover)
  • 01613 Added return to index button on login modal (Dan Hoover)
  • 01616 Fixed incompatibilities with Ultramenu builder and PHP 7 (Dan Hoover)
  • 01604 Added Accordion Menu option to Dashboard (Set in usersc/includes/dashboard_overrides (Dan Hoover)
  • 01612 You can hide the top nav by creating a variable $hide_top_navigation = true; Also available in dashboard_overrides.php (Dan Hoover)
  • 01610 Save button disabled on menu manager if 0 permissions are selected (Dan Hoover)
  • 01611 Fixed improper location for storage of menu hooks in usersc (Dan Hoover)
  • 01607 Suppressed error when multiple menus with plugin hooks were called on the same page. (Dan Hoover)
  • 01600 Providing option to use your template footer on the dashboard in usersc/includes/dashboard_overrides (Dan Hoover)
  • 01601 Removed logo files from 5.5.1 update (Dan Hoover)
  • 01606 Deprecated abrev_date, format_date, and userHasPermission functions. Removed old token classes. (Dan Hoover)

5.5.1(from 5.4.5 or 5.5.0) – January 2, 2023

This is everything in  5.5.0 plus the new bug fixes for 5.5.1, therefore there is no reason to download 5.5.0

  • 01599 Fixed a UI issue in ultramenu where current snippet was not being shown (Dan Hoover)
  • 01598 Fixed a bug in the plugin menu hook (Dan Hoover)
  • 01596 Improved creation of admin dashboard top menu (Dan Hoover)
  • 01597 style.css was not being included in the bs5 template (Dan Hoover)

5.5.0(from 5.4.5) – December 30, 2022

This is a major overhaul.  New features include new UltraMenu, Bootstrap 5, Font Awesome 6 and a drag and drop dashboard. If you haven't stored any of your own files in users/ you can delete everything in that folder except init.php and your logos in the images folder and apply this patch and you will get rid of any orphaned files.

5.4.5(from 5.4.4) – July 26, 2022

  • 01511 Debug mode warning on dashboard is now a link to the debug logs (Dan Hoover)
  • 01525 Updated Documentation for addPermission function (DKY) (Dan Hoover)
  • 01527 Updated tickets plugin to fix a stray comma that will break some db queries (Dan Hoover)
  • 01531 Clean urls plugin example script updated to support forms with no method attribute (Dan Hoover)
  • 01533 Sendinblue Plugin updated to better work with built-in functions (Thadius/BangingHeads) (Dan Hoover)
  • 01543 Backup menu item will not show on dashboard if backup has been removed (Dan Hoover)
  • 01544 Updated example for language creation (Jibak) (Dan Hoover)
  • 01545 Default language is now set for users when created by the admin (Jibak) (Dan Hoover)
  • 01546 Form builder updated to v2.1.3 with better form deletion logic (Stan R) (Dan Hoover)
  • 01529 Fixed Nav errors in PHP 8.1 while being a punk to Brandin 🙂 (Dan Hoover)
  • 01532 Added Danish translation – Thanks TFN (Dan Hoover)
  • 01539 Added Korean Language to new installs the language pack – Thanks Thadius! (Dan Hoover)
  • 01515 Updated force ssl to use Tekniskedirektorn's excellent patch to allow proxy servers (Dan Hoover)
  • 01530 Updated admin nav for better display of permission groups (Dan Hoover)
  • 01537 Updated classes on login.php (Dan Hoover)
  • 01523 Input::get no longer tries to force numeric values (Dan Hoover)

5.4.4(from 5.4.3) – May 19, 2022

  • 01520 Added the ability to specify a custom db port in the installer (Dan Hoover)
  • 01519 Fixed error on installer where db connection would incorrectly be reported as unsuccessful (Dan Hoover)
  • 01516 Fixed bug where email settings were being improperly stored (Dan Hoover)
  • 01517 Fixed bug where some users would get {missing text} on new installs (Dan Hoover)
  • 01518 Fixed bug where removing all permissions causes a redirect loop. Who in their right mind would do that 🙂 (Dan Hoover)
  • 00980 Simple Forums plugin updated to v1.0.2 (Dan Hoover)
  • 01186 Benchmark Plugin updated to v1.0.2 with better math function (Dan Hoover)
  • 01500 Removed stray opening php tag in check processing (Dan Hoover)

5.4.3(from 5.4.1 or 5.4.2) – May 13, 2022 (5.4.2 was an internal release)

  • 01512 Removed requirement for mb_strlen from Validate class (Dan Hoover)
  • 00802 Removed duplicate query from snapshot widget (Dan Hoover)
  • 01509 Protected Downloads plugin updated to clarify instructions (Dan Hoover)
  • 01487 Alerts plugin updated for compatibility with custom templates (Dan Hoover)
  • 01510 Added the ability to override or add additional parameters to the email function with a usersc script (Dan Hoover)
  • 01508 Added the ability to change email authtype to CRAM-MD5, LOGIN, PLAIN, or XOAUTH2 (Dan Hoover)
  • 01507 Created the ability to completely override the admin menu (telnz) (Dan Hoover)
  • 01497 Security Logs will now show for delegated users (Brandin Arsenault)
  • 01505 Pulled ReAuth UI Components (Legacy Feature) (Brandin Arsenault)
  • 01479 Convert head_tags Comments to PHP for New Installs (Brandin Arsenault)
  • 01503 Update SQL for New Installs (Brandin Arsenault)
  • 01493 Updated installer to deal with deprecated datetime call (Dan Hoover)
  • 01489 Updated input class to deal with inputs starting with leading zeroes (Dan Hoover)
  • 01494 Removed copyright message on dashboard menu (Dan Hoover)
  • 01443 API Builder updated with some customization options and some RESTful responses (Mr. Serikus) (Dan Hoover)
  • 01453 Documentation link now shown on API Builder Config Page (Dan Hoover)

5.4.1 (from 5.4.0) – March 22, 2022.

  • 01276 Tickets plugin has been updated to 1.0.2 to fix a config bug (Dan Hoover)
  • 01417 Fixed a sorting issue in the built in cron manager. (Marc) (Dan Hoover)
  • 01448 SAAS plugin fixed bug that could result in organization leader losing ability to manage their own org. Please update. (Dan Hoover)
  • 01449 Fixed an error in SAAS plugin for assigning permissions to an organization (Dan Hoover)
  • 01451 Cleaned up some divs in the SAAS Plugin thanks to some great reports by Espresso Dan (Dan Hoover)
  • 01450 Fixed broken form in SAAS plugin (Dan Hoover)
  • 01410 Form builder now returns "rule broken" so you can create custom error messages (Dan Hoover)
  • 01189 Added multilanguage support to form builder (Thanks Alexander!) (Dan Hoover)
  • 00627 displayTable function in forms plugin allows you to pass ["id"=>1] to show the id in the table. (Dan Hoover)
  • 01473 Form Builder now allows underscores and hyphens in form names (Dan Hoover)
  • 01455 Charts plugin updated to 1.0.4 to make line charts prettier (Dan Hoover)
  • 01471 Comments plugin updated with additional documentation (Dan Hoover)
  • 01472 Fixed loader to prevent redirect loops for banned ips (Dan Hoover)
  • 01422 Updated legacy sanitize helper function to use input static method (Dan Hoover)
  • 01457 You can now call the userspice message system from javascript usMessage("testing123","success");); (Dan Hoover)
  • 01426 Added cloakBegin and cloakEnd plugin event hooks (Dan Hoover)
  • 01389 Now allowing languages to create a key valled VAL_ALLOWED to be more flexible on min-max validation (Dan Hoover)
  • 01470 The dashboard css can now be overridden in usersc/includes/dashboard.css (Dan Hoover)
  • 01469 Darkened font on the dashboard (Dan Hoover)
  • 01391 Logged in user is redirected to user settings if they try to navigate to forgot password (Dan Hoover)
  • 01463 Improved Input::sanitize and added Input::json and Input::recursive (Dan Hoover)

5.4.0 (from 5.3.9) – December 30, 2021.

  • 01437 Resolved error messages only showing first character on user creation (Dan Hoover)
  • 01438 Add additional usersc include before system messages and force html entity encode before decode (Dan Hoover)
  • 01442 Removed stray html tag in login.php (Dan Hoover)
  • 01444 $validated variable on login.php now allows you to kill login with a hook in the post position (Dan Hoover)
  • 01445 Created unique table ids for tables with an id of paginate (Dan Hoover)

5.3.9 (from 5.3.8) – December 12, 2021.

  • 01431 Deal with hard coded + spaces in language files (Dan Hoover)
  • 01430 Updated echouser to deal with blanks and 0s (Dan Hoover)
  • 01423 Removed hard coded user id 1 on logger functions (Dan Hoover)
  • 01424 Updated logger function to avoid throwing errors on PHP 8 (Dan Hoover)
  • 01428 Fixed email verification bug caused by GDPR override plugin. (Dan Hoover)
  • 01429 Fixed missing email url encoding on email verification (Dan Hoover)
  • 00976 Removed unused columns from stripe plugin that broke table. (Dan Hoover)
  • 01420 Form builder has been updated to better handle non-English characters (Dan Hoover)
  • 01421 Updated sanitize function in Input class for cleaner usage (Dan Hoover)

5.3.8 (from 5.3.7) – December 6, 2021.

  • 01361 New fetchProfilePicture($userid) function is overridable and more flexible. (Dan Hoover)
  • 01413 includeHook function now returns more gracefully if a bogus position is called. (Dan Hoover)
  • 01412 updated createAttempt plugin hook (Dan Hoover)
  • 01305 Reports plugin updated to handle larger data sets (Dan Hoover)
  • 01377 Validate class now returns a rulesBroken array for better Multilanguage support (Dan Hoover)
  • 01382 Check updates and spice shaker will throw system errors if curl or zip are not installed. No diag mode needed. (Dan Hoover)
  • 00916 Auto logout plugin updated to detect mouse and keyboard input (Dan Hoover)
  • 01392 Fixed hard coded password minimum length on forgot password reset (Dan Hoover)
  • 01409 new fetchUser($id) function addresses the awkwardness of the legacy fetchUserDetails function (Dan Hoover)
  • 01383 fetchUserDetails function now behaves like the documenation (Dan Hoover)
  • 01394 Removed deprecated font color = tags in userspice core (Dan Hoover)
  • 01397 first parameter of logger() function can now ne an empty string (Dan Hoover)
  • 01400 New tokenHere() function to create a hidden input with the csrf token (Dan Hoover)
  • 01399 created new usError, usSuccess, usMessage functions to make passing errors cleaner and easer (Dan Hoover)
  • 01407 Fixed missing translation on force pw reset (Dan Hoover)
  • 01405 Added missing form label to verify_resend view (Dan Hoover)
  • 01403 Added missing language support to verify.php (Dan Hoover)
  • 01402 Changed settings query in cron.php to select * for convenience (Dan Hoover)
  • 01393 Added translation to login.php (Dan Hoover)
  • 01385 pluginHooks can return data with the hookData variable (Dan Hoover)
  • 01386 new User() can now be forced to look at the email column with second parameter (Dan Hoover)
  • 01387 Added new hooks for the email verification and password reset process (Dan Hoover)
  • 01379 Added Staging Code for Log Profiles/Filters via Hooks (Brandin Arsenault)
  • 01380 Performed Log Actions will now be tracked in the logs (Brandin Arsenault)
  • 01357 Added a new System Logs Action: Delete Logs (Keep ID) (Brandin Arsenault)
  • 01364 Log Filters and Actions have been moved to a dropdown for a cleaner UI (Brandin Arsenault)
  • 01376 User Settings will now properly display the correct field name during a validation error (Brandin Arsenault)

5.3.7 (from 5.3.5/5.3.6) – October 20, 2021.

  • 01368 Fixd speling eror on dashbeoard menue (Dan Hoover)
  • 01375 Updated init.php for new installs to fix redirect bug. (Dan Hoover)
  • 01350 Security logs now has the ability to hide whitelsited IPs (James) (Dan Hoover)
  • 01339 Added new hooks to Page Manager (Dan Hoover)
  • 01348 Only Debugging Logs button will now properly filter logs (Brandin Arsenault)
  • 01344 Added new API Hooks (Dan Hoover)
  • 01349 views/_admin_logs now uses UserSpice_getLogs (Brandin Arsenault)
  • 01347 New Function: UserSpice_getLogs (Brandin Arsenault)
  • 01346 Fixed issue allowing admins to change passwords without confirming the new pw matches (chalnger86) (Dan Hoover)
  • 01345 Fixed language call on Validate class. (Dan Hoover)
  • 01343 Added ability to prevent maintenance.php redirect on parsers/apis but setting $noMaintenanceRedirect = true before init.php (Dan Hoover)
  • 01341 Users of Clean URLs should update Form Builder and their .htaccess file with the snippet from the updated plugin (Dan Hoover)
  • 01340 Remember Me Feature added via plugin (Dan Hoover)
  • 01338 Remember Var on Login is now above the hook so it can be modified via the hook if required (Brandin Arsenault)
  • 01337 login.php now has $username and $password which can be modified via the hook on this page and is passed to loginEmail (Brandin Arsenault)
  • 01336 Badges User UI updated and new hasBadge function added (Dan Hoover)
  • 01333 Updated plugin manager activation/deactivation/deletion logic (see notes on ticket) (Dan Hoover)
  • 01309 Form builder can now skip fields without creating a custom view (Dan Hoover)
  • 01272 Fixed bad link on Twilio dashboard (Dan Hoover)
  • 01331 cleanupPermissionPageMatches will no longer produce an error when it is triggered by a logged in user (Brandin Arsenault)
  • 01303 Fixed issue where some errors were being described twice (Dan Hoover)
  • 01329 Improper Plugin Removal (deleting files without uninstalling) will no longer cause errors in the Admin Panel or in the Plugins Manager (Brandin Arsenault)
  • 01304 Functions that globalize $user will gracefully fail if accessed without $user being properly defined (or accessed by guest) (Brandin Arsenault)
  • 01326 Migrate Core Code from checkMenu (legacy) to hasPerm (maintained) (Brandin Arsenault)
  • 01298 New Hook: adminUser createAttempt (Brandin Arsenault)
  • 01317 System Messages Footer now correctly defines the Error Class valErr (Brandin Arsenault)
  • 01308 Dashboard Access Features are now more verbose to avoid duplicated feature names (Brandin Arsenault)
  • 01314 Added the ability to hide the id in the Quick Crud plugin (Dan Hoover)
  • 01312 Added tooltip to badges plugin (PR From RoelandvanD) (Dan Hoover)
  • 01310 Fixed Hooker Plugin not listing the hooks it created. (Dan Hoover)

5.3.5(from 5.3.4) – September 1, 2021

  • 01302 Removed non-working ReAuth feature but left fields for plugin development (Dan Hoover)
  • 01299 Moved API key entry to only the dashboard with jQuery feedback on key validation (Dan Hoover)
  • 01301 Removed checkWrite.php parser file (Dan Hoover)
  • 01277 Spice shaker now attempts to delete stray files and warns you if it can't (Dan Hoover)
  • 01280 Added isSelected helper form helper function (Dan Hoover)
  • 01284 Standard template updated to 2.0.1 to use dynamic container open class. (Dan Hoover)
  • 01288 Form builder updated to 2.0.3 (Dan Hoover)
  • 01289 Added .htaccess to prevent rewriting of parser file urls (Dan Hoover)
  • 01294 MQTT plugin updated (Dan Hoover)
  • 01295 Fixed some migrations in the CMS plugin (Dan Hoover)
  • 01282 Logger function is overwriteable again (Brandin Arsenault)
  • 01283 Corrected a lognote in update 2021-07-11a for future updates (Brandin Arsenault)
  • 01286 Loader.php now uses isUserLoggedIn to validate a user being logged in (Brandin Arsenault)
  • 01293 New Function: isUserLoggedIn (Brandin Arsenault)
  • 01292 Sessions will no longer be destroyed automatically from visiting login.php (Brandin Arsenault)
  • 01290 The for for log clearing tools in System Logs now has an ID of log_clearing_tools that can be targeted (Brandin Arsenault)
  • 01291 Accessing login.php while logged in will now cause you to be redirected to settings.redirect_uri_after_login (Brandin Arsenault)
  • 01285 CMS Plugin updated to fix missing script tags. (Dan Hoover)
  • 01279 GDPR Plugin Updated to support longer text (Dan Hoover)

5.3.4(from 5.3.3) – July 17, 2021

  • 01263 Helper Functions now use ipCheck instead of REMOTE_ADDR (Brandin Arsenault)
  • 00730 cleanupPermissionPageMatches is triggered when deletePages is successful (Brandin Arsenault)
  • 01261 Added debug mode to dashboard and logger (Dan Hoover)
  • 01265 Updated PHPMailer to latest version (Dan Hoover)
  • 01266 Fixed bug that breaks error messages when the session is not set on some servers. (Dan Hoover)
  • 01268 ReAuth now uses isLocalhost instead of hard coding conditions (Brandin Arsenault)
  • 01270 New Function: cleanupPermissionPageMatches (Brandin Arsenault)
  • 01271 Removed extra divs from default index.php page (Dan Hoover)
  • 01273 Added maintenance and debug mode warnings to admin.php (Dan Hoover)
  • 01274 Updated form actions for better compatibility with clean urls (Dan Hoover)
  • 01275 Upgraded from jQuery 3.5.1 to jQuery 3.6.0 (Dan Hoover)

5.3.3(from 5.3.2) – June 22, 2021

  • 01258 Refer plugin updated to 1.0.4 (Dan Hoover)
  • 01257 Check it out on SS now takes you to the Plugin Config. Logo now takes you to the config if active (Dan Hoover)
  • 01256 Fixed broken link in admin menu (Dan Hoover)

5.3.2(from 5.3.1) – June 22, 2021

  • 01093 Footer now included on join after form submission (Dan Hoover)
  • 01218 Fixed verify email resend encoding (Dan Hoover)
  • 01216 Updated email settings to prevent accidental autofill (Dan Hoover)
  • 01236 Better compatibility for display_errors and display_successes (Dan Hoover)
  • 01254 updated sessionValMessages to merge error messages into arrays (Dan Hoover)
  • 01253 Added ability to parse html in error messages (Dan Hoover)
  • 01244 Admin Panel: Added Language Translations for hard-coded menu items (Brandin Arsenault)
  • 00731 Admin Panel: Added IDs and Classes for Menu Items (Brandin Arsenault)

5.3.1(from 5.0.7 through 5.3.0) – May 20, 2021 –  This cumulative update makes sure you have the latest files and are able to make a smooth transition to UserSpice 5.3.  If you'd like to apply any of these patches manually, you can grab them from

  • 01214 Added the 5.3.1 plugin hooks to the hooker plugin (Dan Hoover)
  • 01238 Removed TinyMCE from GDPR Plugin (Dan Hoover)
  • 01224 Added missing logo to the alerts plugin (Dan Hoover)
  • 01197 Fixed bad DB query example in Charts Plugin (Dan Hoover)
  • 01196 Added IP address to security logs (Dan Hoover)
  • 01198 DB class now supports alternative charsets (Dan Hoover)
  • 01200 Fixed div closing too early on check updates (Dan Hoover)
  • 01201 Removed shortcodes <? from code in favor of <?php (Dan Hoover)
  • 01203 New Norwegian language and updated French language (Dan Hoover)
  • 01204 Redirect::to no longer checking for file to exist (use Redirect::safe to do that) (Dan Hoover)
  • 01205 Better spacing on Authorized Groups on admin_nav_item view (Scourgess) (Dan Hoover)
  • 01206 Improved usability on admin_nav_item view (Scourgess) (Dan Hoover)
  • 01207 Fixed spelling error on admin_permission (Scourgess) (Dan Hoover)
  • 01208 reCaptcha removed from core (Dan Hoover)
  • 01209 Removed auto assign username feature (Dan Hoover)
  • 01210 New plugin hooks on forgot_password.php (Dan Hoover)
  • 01211 Removed restriction of using an email as a username (Dan Hoover)
  • 01215 Created a new joinAttempt plugin hook (Dan Hoover)
  • 01220 Updated error message for init files without loader.php (Dan Hoover)
  • 01223 Plugin management hidden for non-master-accounts (Dan Hoover)
  • 01225 Added if ! function_exists to checkAccess function on admin.php (Dan Hoover)
  • 01227 Added additional try/catch to db class (Dan Hoover)
  • 01228 Form Builder 1.2.0 released with UserSpice 5.3 support. Please update (Dan Hoover)
  • 01229 Added explicit null to error message function (Dan Hoover)
  • 01230 Updated Try/Catch statement in DB Class (Dan Hoover)
  • 01162 Preventing null on logs.user_id (default 0) (Dan Hoover)
  • 00840 All references to user_agreement removed in favor of GDPR plugin (Dan Hoover)
  • 00963 Refer plugin updated to 1.0.3 (Dan Hoover)
  • 00983 Updated Swedish language (Dan Hoover)
  • 01009 Validate class handles non-submitted fields more gracefully. (Dan Hoover)
  • 01137 Fixed error when $_SESSION['kUserSessionID'] is not set (Dan Hoover)
  • 01147 Fixed error message on user_settings.php (Dan Hoover)
  • 01150 Changed inputs on admin_user(s) to type="search" to combat lastpass bug (Dan Hoover)
  • 01151 Charts plugin updated to 1.0.2 (Dan Hoover)
  • 01154 Fixed function for backwards compatibility (Dan Hoover)
  • 01157 Session:get now returns null if session does not exist (Dan Hoover)
  • 01159 Deprecated checkPermission and updated securePage (Dan Hoover)
  • 01161 Resolved missing > in French language file (Dan Hoover)
  • 00495 Fixed super long logs squish the admin panel (Dan Hoover)
  • 01163 Adjusted formatting on system logs page (Dan Hoover)
  • 01166 Updated join form validation for consistency (Dan Hoover)
  • 01167 If you pass ONLY an array or object as your lognote, it will be automatically json encoded (Dan Hoover)
  • 01179 Added loader feature – adds to init.php (Dan Hoover)
  • 01182 Moved security headers higher on header1_must_include (Dan Hoover)
  • 01183 Added usersc/includes/pre_header.php (Dan Hoover)
  • 01184 Moved IP Blacklist earlier on page load (Dan Hoover)
  • 01185 Added explicit int on admin user view (Dan Hoover)
  • 01191 Better handling of registering and de-registering plugin hooks (Dan Hoover)
  • 01193 user_settings.php now redirects after update for better plugin compatibility. (Dan Hoover)
  • 01194 Fixed untranslated line in email message (Dan Hoover)

5.2.6(from 5.2.5) – March 16, 2021 – This update deals with moving our API to a new server.  Note that if you change or create a new API key after 3/8/2021, you MUST be on 5.2.6 or later keep your API access. Users on version 5.x can also apply this patch if they are unwilling or unable to upgrade to the latest version.

5.2.5(from 5.2.4) – February 20, 2021- Users of 5.0.7 or later with free API key can now update using Tools->updates in your dashboard! 

  • 01119 Defaulting to port 443 for checking updates (Tek) (Dan Hoover)
  • 01092 Join.php now checking for usersc/views/_join and thank you (Alex) (Dan Hoover)
  • 01132 Updated parser files so attempted hackers see cleaner error messages (Brandin) (Dan Hoover)
  • 01133 Fixed https redirect issues on some servers (Thanks Abd) (Dan Hoover)
  • 01126 Added check/uncheck box to pages on permission editor (Dan Hoover)
  • 01142 Remove us_css and track_guest columns (Dan Hoover)
  • 01139 If max password is set to 30, will be increased to 150 (Dan Hoover)
  • 01141 Large log notes turn into a textarea that can be expanded (Dan Hoover)
  • 01143 Move dashboard copyright to left menu (FeistySquirrel) (Dan Hoover)
  • 01130 Fixed undefined variable in checkAcces function (Dan Hoover)
  • 01134 Added .htaccess to users/views (BangingHeads) (Dan Hoover)
  • 01135 Plugins can now override core functions with an override.php file (BangingHeads) (Dan Hoover)
  • 01136 Facebook login plugin updated to v1.0.2 (Dan Hoover)
  • 01129 Removed stray hard coding in User Class (Mark Z) (Dan Hoover)
  • 00699 Resolved combobox errors in an earlier commit (Dan Hoover)
  • 00631 Confirmed all form character limit checks are working (Dan Hoover)
  • 01096 "forms" column removed from new installs was causing a form builder issue (Dan Hoover)
  • 01112 Form builder migration tweak (Dan Hoover)
  • 01113 Fixed some errors in form builder. (Dan Hoover)
  • 01109 Added try/catch on _db->execute() (Banging Heads) (Dan Hoover)
  • 01114 Plugin functions can now override anything except usersc/custom_functions.php (Banging Heads) (Dan Hoover)
  • 01121 Added graceful skipping of missing widgets (Brandin) (Dan Hoover)
  • 01122 Fixed broken fetchAllUsers function (Dan Hoover)

5.2.4(from 5.2.3) – January 29, 2021- Users of 5.0.7 or later with free API key can now update using Tools->updates in your dashboard! 

5.2.3(from 5.2.2) – January 14, 2021- Users of 5.0.7 or later with free API key can now update using Tools->updates in your dashboard! 

  • 01022 Fixed ui bug in CMS plugin (Dan Hoover)
  • 01088 Added options for cc and bcc to email function (Dan Hoover)
  • 01067 Added 3 new plugin hooks in users/verify.php (Dan Hoover)
  • 01086 Deleting temp.php before downloading a plugin (Dan Hoover)
  • 01066 Fixed error in fetchAllUsers (Dan Hoover)
  • 01068 Changed the cookie class to deal with samesite attribute on all modern versions of php (Dan Hoover)
  • 01077 Fixed token error in bug reporter (Dan Hoover)
  • 01078 temporarily readded columns to the users table for compatibility. (Dan Hoover)
  • 01079 Added backticks around password in the user class (Dan Hoover)
  • 01080 Moved head tag on dashboard (Dan Hoover)
  • 01081 Renamed manage to settings in admin breadcrumbs (Dan Hoover)
  • 01082 Removed extra </div> reported by Andrew (Dan Hoover)
  • 01083 Added a warning not to muck with permissions 1 and 2 (Dan Hoover)
  • 01084 Lengthened page and title columns in the pages table for better language support (Dan Hoover)
  • 01085 Wrapped audit.php functions in if !function_exists (Dan Hoover)
  • 01071 Fixed a bug preventing the old from being deleted (Dan Hoover)
  • 01072 Updated securePage function for better handling of http to https redirects (Dan Hoover)
  • 01073 Improved default language for new users (Dan Hoover)

5.2.2(from 5.2.0 or 5.2.1) – November 17, 2020- Users of 5.0.7 or later with free API key can now update using Tools->updates in your dashboard! 

  • 01062 Fixed active column in Database (Dan Hoover)
  • 01063 Added cz-CZ language (Dan Hoover)
  • 01061 Fixed account_owner bug (Dan Hoover)
  • 01060 Updated db schema on new installs to support old mysql versions (Dan Hoover)
  • 00978 Added samesite attribute by default to the cookie class. (Dan Hoover)
  • 01039 Added notice about UserInfo Plugin on registration settings page (Dan Hoover)
  • 01047 Backup link fixed on check updates (Dan Hoover)
  • 01052 logs_exempt table pulled from new installs (Dan Hoover)
  • 01053 Rolled back some broken functions (Dan Hoover)
  • 01051 Rewriting banned.php in a migration file (Dan Hoover)
  • 01056 Checking before unlinking update zips to avoid warnings (Dan Hoover)
  • 01057 UserInfo Plugin Updated (Dan Hoover)
  • 01055 Updated ip ban logic (Dan Hoover)
  • 01049 Added DB Update for container_open_class (Brandin Arsenault)
  • 01045 Removed duplicate isStandardUser function (Brandin Arsenault)
  • 01046 Fixed Punctuation for Logtype in the Users Class (Brandin Arsenault)

5.2.1 – Internal Release only.

5.2.0(from 5.1.9) – November 6, 2020- Users of 5.0.7 or later with free API key can now update using Tools->updates in your dashboard! 

  • 01049 Added DB Update for container_open_class (Brandin Arsenault)
  • 01045 Removed duplicate isStandardUser function (Brandin Arsenault)
  • 01046 Fixed Punctuation for Logtype in the Users Class (Brandin Arsenault)

5.1.9(from 5.1.8) – October 29, 2020- Users of 5.0.7 or later with free API key can now update using Tools->updates in your dashboard! 

  • 01044 Hotfix: hasPerm NULL ID Bug (Brandin Arsenault)

5.1.8(from 5.1.7) – October 29, 2020- Users of 5.0.7 or later with free API key can now update using Tools->updates in your dashboard! 

  • 01040 all logs for various login types now say login (Dan Hoover)
  • 01043 Created isStandardUser function (Dan Hoover)
  • 01044 Hotfix: hasPerm NULL ID Bug (Brandin Arsenault)

5.1.7(from 5.1.6) – October 27, 2020- Users of 5.0.7 or later with free API key can now update using Tools->updates in your dashboard! 

  • 01024 Removed legacy code for the session manager on account.php (Brandin Arsenault)
  • 01026 Updated container to container-fluid on standard template (Brandin Arsenault)
  • 01029 **IMPORTANT** fetchAllUsers now ONLY accepts a boolean value for the desc parameter (Brandin Arsenault) (Brandin Arsenault)
  • 01032 Code & Logic Improvements to hasPerm, added optional parameter to disable masterAccount checking (Brandin Arsenault)
  • 01035 Added setting for main div classes (Brandin Arsenault)
  • 01036 Fixed a number of autocomplete issues on the Admin Panel (Brandin Arsenault)
  • 01037 **IMPORTANT** the column was removed for future installs, some code was added to join.php and views/_admin_users.php to handle legacy support for this column (Brandin Arsenault)
  • 01038 Fixed line-height for the ACP Navigation Toggle that cause misalignment (Brandin Arsenault)
  • 00356 Removed Logs Manager (Legacy) (Brandin Arsenault)
  • 00936 Large cleanups to the users table for new installs, core code updates were required (Brandin Arsenault)
  • 00969 Removed a redirect on user_settings that caused a lack of success messages (Brandin Arsenault)
  • 00979 Corrected "cycle" from "cylce" on views/_admin_tools.php (Brandin Arsenault)
  • 00982 Removed a double class attribute on admin_users (Brandin Arsenault)
  • 00984 Resolved some legacy tooltip calls on the standard template and misc pages (Brandin Arsenault)
  • 00986 time2str will now return null if supplied null (Brandin Arsenault)
  • 01002 Removed spaces that were breaking userinfo plugin (Dan Hoover)
  • 01003 Wrapped join inputs in form group class (Dan Hoover)
  • 01005 Centered text on a few views for better styling (Dan Hoover)
  • 01006 Made view usersc compatible (Dan Hoover)
  • 01008 _joinThankYou no longer has a bad link when join.php is in the usersc folder (Brandin Arsenault)
  • 01010 Cleaned up securePage function (Dan Hoover)
  • 01011 Added Metadata Column to Logs table (Brandin Arsenault)
  • 01015 Fixed bug where previously verified emails could not update. (Dan Hoover)
  • 01016 Coding Standard Fixes for users/views/_admin_settings_general.php (Brandin Arsenault)
  • 01017 Coding Standard Fixes and strict variables on functions for helpers/users.php (Brandin Arsenault)
  • 01018 Coding Standard Fixes and strict variables on functions for helpers/helpers.php (Brandin Arsenault)
  • 01019 Removed legacy code and performed cleanup on user_settings.php (Brandin Arsenault)
  • 01023 Added a redirect when you successfully add or remove a folder on admin_pages (Brandin Arsenault)

5.1.6(from 5.1.5) – August 5, 2020- Users of 5.0.7 or later with free API key can now update using Tools->updates in your dashboard! 

  • 00988 moved title in admin.php (Dan Hoover)
  • 00989 Fixed html in loop (Dan Hoover)
  • 00990 Fixed missing space in admin users (Dan Hoover)
  • 00991 Moved closing p tag (Dan Hoover)
  • 00992 Removed extra </div>s reported by Andrew (Dan Hoover)
  • 00993 Removed extra </div> reported by Andrew (Dan Hoover)
  • 00994 Fixed html errors in admin_pages (Dan Hoover)
  • 00995 Fixed missing </p> tag. Thanks Andrew (Dan Hoover)
  • 00996 Fixed html spice shaker form – Thanks Andrew. (Dan Hoover)
  • 00997 Removed extra </div> reported by Andrew (Dan Hoover)
  • 00956 Rolled back a bad patch from bug 931 (Dan Hoover)
  • 00959 Added link to security logs. Thanks Odin (Dan Hoover)
  • 00967 Added check for http host in force_ssl (Dan Hoover)
  • 00962 Fixed a bug in the pluginActive function for non logged in users (Dan Hoover)
  • 00970 Added a FName First Initial of LName option in echouser (Dan Hoover)
  • 00998 Changed documentation for custom css with ihadavision's snippet (Dan Hoover)
  • 00974 Used dustball's preg match to detect bad pastes of api keys (Dan Hoover)
  • 00955 Deleting before update (Dan Hoover)
  • 00947 OAuth Session User to Session Name, Add Success Hooks to Facebook Login. Thanks BangingHeads! (Dan Hoover)
  • 00948 Fixed Facebook redirect after login bug (Dan Hoover)
  • 00746 All facebook redirect issues appear to be solved (Dan Hoover)
  • 00824 Facebook Redirect/Session issues resolved in another commit (Dan Hoover)

5.1.5 (from 5.1.4) – August 5, 2020- Users of 5.0.7 or later with free API key can now update using Tools->updates in your dashboard! 

  • 00952 Pushed Brandin's improvement for the fetchUserDetails function (Dan Hoover)
  • 00938 Added missing pages from default page hider in admin pages (Dan Hoover)
  • 00954 Fixed a bug causing the notification system to not display properly on some installs. (Dan Hoover)
  • 00934 Removed references to two factor authentication from the core code (Dan Hoover)
  • 00953 Cleaned up dnd function (Dan Hoover)
  • 00951 Added plugin hooks for admin_settings parser (pre and bottom) (Dan Hoover)
  • 00950 DB class not throwing error on first with no results. (Dan Hoover)
  • 00827 Added ability to send attachment to emails (Dan Hoover)
  • 00896 Updated multidb logic in the db class (Dan Hoover)
  • 00897 Verify email does not try if email is already verified (Dan Hoover)
  • 00909 Fixed html entities and non-translated email subjects (Dan Hoover)
  • 00917 htmlspecialchars_decode has been replaced with html_entity_decode (Dan Hoover)
  • 00925 Updated file based CMS widget logic. (Dan Hoover)
  • 00930 Form builder is now optional but recommended for the UserInfo plugin (Dan Hoover)
  • 00931 Email becomes "unverified" now if updating your email address in user_settings.php (Dan Hoover)
  • 00939 Once custom settings are defined the instructions no longer display (Brandin Arsenault)
  • 00937 Logging for user blocking on _admin_user now uses the correct column (Brandin Arsenault)
  • 00940 Updated blank page to match new template system (Brandin Arsenault)
  • 00941 Modified fetchUserDetails to return null if no data is sent to the function (Brandin Arsenault)
  • 00942 Fixed data error on Admin Logs where the Log ID was shown as the User ID (Brandin Arsenault)
  • 00580 Missing text resolved in an earlier commit (Dan Hoover)
  • 00566 Validation code Resolved in another commit (Dan Hoover)
  • 00007 Cron job ip regulation was added in 5.0 (Dan Hoover)
  • 00465 after_user_deletion script was added a while back (Dan Hoover)
  • 00467 errors have ids or classes now (Dan Hoover)
  • 00589 Most table character sets were cleared up in 5.1.4 (Dan Hoover)
  • 00779 URL regeneration resolved in an earlier release (Dan Hoover)
  • 00797 Root write check now happens on install as of 5.1.4 (Dan Hoover)
  • 00837 Added min/max characters for password and username on new user modal in admin_users (Dan Hoover)
  • 00842 Fixed buttons at the bottom of user_settings.php (Dan Hoover)
  • 00875 Forgot password page does not attempt now if email is not setup. (Dan Hoover)
  • 00868 custom_functions.php is now included earlier so you can override more core functions with your custom ones (Dan Hoover)
  • 00876 Classes were added to the err and msg functions in 5.1.4 (Dan Hoover)
  • 00932 Updated hashing logic on API and downloader.php (Dan Hoover)
  • 00933 pluginActive now works if not logged in (Dan Hoover)
  • 00121 Unique session and cookie names generated during install since earlier version (Dan Hoover)
  • 00588 Installer updated (Dan Hoover)
  • 00593 localhost placeholder removed (Dan Hoover)
  • 00616 Updated installer logic (Dan Hoover)

5.1.4 (from 5.1.3) – July 16, 2020- Users of 5.0.7 or later with free API key can now update using Tools->updates in your dashboard!   Many new plugin hooks and small feature improvements that make UserSpice better.  Thanks to everyone who has submitted bugs and fixes!

  • 00870 We now have a link to backup userspice on the auto update page (Dan Hoover)
  • 00874 Fixed a div causing footer/modal issues (Dan Hoover)
  • 00878 Removed remember me checkbox on login (Dan Hoover)
  • 00881 Fixed token error in stripe plugin (Dan Hoover)
  • 00886 After creating a new menu item, you are now redirected to the edit page (Dan Hoover)
  • 00887 Spelling error in en-us lang file (Dan Hoover)
  • 00888 Added event hooks to verifyFail and verifySuccess (Dan Hoover)
  • 00889 Resolved in another commit (Dan Hoover)
  • 00890 Admin pages shows an alert when pages are removed from the db (Dan Hoover)
  • 00891 Implemented Had3z's improvements to the Input class (Dan Hoover)
  • 00892 Added default timeout of 15 seconds for error messages (Dan Hoover)
  • 00893 Moved character set designation higher up into mail function (Dan Hoover)
  • 00894 Added an extra hook for the userInfo plugin (Dan Hoover)
  • 00899 Fixed parser file location in session manager plugin (Dan Hoover)
  • 00900 Made the Update/Cancel buttons on user_settings.php look less terrible (Dan Hoover)
  • 00901 Added better ios compatibility to dropzone (Dan Hoover)
  • 00902 Disabling messaging if plugin not active for old installs (Dan Hoover)
  • 00903 Duplicate of simplex footer fix (Dan Hoover)
  • 00904 HTML edited in GDPR plugin (Dan Hoover)
  • 00905 Fixed a footer issue in simplex template (Dan Hoover)
  • 00906 Added a space to the English language and to the userspice language pack (Dan Hoover)
  • 00907 Fixed a php tag that was supposed to be php echo in user_settings.php (Dan Hoover)
  • 00911 Fixed rendering error in the form fields in the form builder plugin (Dan Hoover)
  • 00912 Login.php now logs failed login attempts (Dan Hoover)
  • 00914 Fixed the inability for the public (not logged in) to view forums (Dan Hoover)
  • 00915 Fixed checkbox logic (Dan Hoover)
  • 00920 Resolved in Forum 1.0.1 (Dan Hoover)
  • 00921 New migration schema for plugins (Dan Hoover)
  • 00923 Updated fetchUserDetails to return null on no hits (Dan Hoover)
  • 00924 Wrapped helpers.php in function_exists and added classes to error messages (Dan Hoover)
  • 00670 Resolved in another commit (Dan Hoover)
  • 00926 Updated login.php err logic (Dan Hoover)
  • 00927 Updated logout method (Dan Hoover)
  • 00928 Made a db patch for db engine (Dan Hoover)
  • 00929 Made a db patch for db charset (Dan Hoover)
  • 00237 This feature is already implemented. (Dan Hoover)

5.1.3 (from 5.1.2) – May 29, 2020- Users of 5.0.7 or later with free API key can now update using Tools->updates in your dashboard!  

One line of code fixed a variety of issues. Thanks for helping us track this down.

  • 00873 Missing $form_valid = true; causing misc scripts not be called in some circumstances (Dan Hoover)
  • 00877 Missing $form_valid = true; causing some of the join thank you scripts to not be called in some circumstances (Dan Hoover)
  • 00879 Missing $form_valid = true; causing during_user_creation to not be called in some circumstances (Dan Hoover)

5.1.2 (from 5.1.1) – May 9, 2020- Users of 5.0.7 or later with free API key can now update using Tools->updates in your dashboard!  

  • 00871 Added UTF-8 Encoding + Email attachment feature to mail function (From Edward) (Dan Hoover)
  • 00872 Upgraded to jQuery after bugs found by Edward and Waldo (Dan Hoover)

5.1.1 (from 5.0.9 or later) – May 4, 2020 – Users of 5.0.7 or later with an API key can now update using Tools->updates in your dashboard!  5.1.0 was an internal release only.  

Thanks to Usamusa for more UI/UX tweaks and some code cleanup. Thanks to everyone who has submitted bug reports and suggestions. The following tickets have been addressed since the last version. The old Terms and Conditions feature has been removed in favor of the GDPR plugin.  Files will be pulled in later versions.

  • 00860 Updated hasPerm logic (Dan Hoover)
  • 00865 Added a space in the echouser function (Dan Hoover)
  • 00866 Updated to phpmailer 6.1.5 (Dan Hoover)
  • 00867 Cleaned up user_settings.php (Dan Hoover)
  • 00863 Updated to Bootstrap 4.4 by Usamusa (Dan Hoover)
  • 00864 Popper.js updated by Usamusa (Dan Hoover)
  • 00861 Updated to jQuery 3.5.0 (Dan Hoover)
  • 00858 New Validation Rule is_in_database (Dan Hoover)
  • 00859 You can now pass internal links to search in Spice Shaker (Dan Hoover)
  • 00851 Updated buttons on Admin Permissions (Dan Hoover)
  • 00854 Changed int size on 5 columns (Dan Hoover)
  • 00853 Created IP Lock Plugin (Dan Hoover)
  • 00852 Added Update & Close button to user editor (Dan Hoover)
  • 00850 Added Update & Close button to page editor (Dan Hoover)
  • 00857 Deleted 404 link in UserSpice forums (Dan Hoover)
  • 00847 Added feature in membership 1.0.5 (Dan Hoover)
  • 00845 SAAS Updated (Dan Hoover)
  • 00841 Usamusa UI changes (Dan Hoover)
  • 00816 Usamusa UI changes (Dan Hoover)
  • 00828 Removed terms & conditions in favor of the GDPR plugin (Dan Hoover)
  • 00838 Fixed bad return statement (Dan Hoover)
  • 00826 Added after_user_deletion.php (Dan Hoover)
  • 00830 Now disabling messaging in DB if plugin is not active (Dan Hoover)
  • 00835 db results() now returns empty if the query fails (Dan Hoover)
  • 00836 Email query updated _admin_user.php (Dan Hoover)
  • 00799 Fixed user agent error (Dan Hoover)
  • 00795 Stable version users no longer see a new version in the update checker until it goes stable. (Dan Hoover)
  • 00813 Updated login id's and fixed bug that broke login if settings->recaptcha == 2 (Dan Hoover)
  • 00821 Added password length and new ids for plugins/javascript (Dan Hoover)
  • 00818 Fixed language issues in English and German [astrakid] (Dan Hoover)

5.0.9 (from 5.0.8) – December 21, 2019 – Users of 5.0.7 or later with an API key can now update using Tools->updates in your dashboard! 

Much appreciation to Usamusa for a bunch of UI tweaks not reflected in the changelog and for our Bleeding Edge Testers who found a frustrating bug before it ever got released into the mainstream.

  • 00772 Resolved in another commit (Dan Hoover)
  • 00771 Fixed dashboard hand floating improperly (Dan Hoover)
  • 00778 Resolved some autocompletion errors (Dan Hoover)
  • 00779 Reworked some abs_us_root and us_url_root stuff (Dan Hoover)
  • 00768 Resolved in another commit (Dan Hoover)
  • 00780 Gravatar language no longer shows if profile_pic plugin is active (Dan Hoover)
  • 00791 Updated pluginActive function (Dan Hoover)
  • 00783 Removed duplicate language keys (Dan Hoover)
  • 00786 Fixed language error in validate.php (Dan Hoover)
  • 00790 Add ability to hide userspice default pages in the page manager (Dan Hoover)
  • 00788 Removed class text-danger from Validate class and helpers.php (Dan Hoover)
  • 00789 Tweaked admin menu (Dan Hoover)
  • 00777 Fixed a bug causing some plugin hooks to install twice. (Dan Hoover)
  • 00787 Updated backup delete feature (Dan Hoover)
  • 00781 Created diagnostic mode for spice shaker (Dan Hoover)
  • 00750 Added sticky footer to default theme. (Dan Hoover)
  • 00761 Made fname, lname, email lengths consistent (Dan Hoover)
  • 00759 Added the ability to specify a bug report is for a plugin/template etc (Dan Hoover)
  • 00765 Initial blocked and whitelisted ips cleared (Dan Hoover)
  • 00763 Fixed bug in _admin_user.php (Dan Hoover)

5.0.8 (from 5.0.7) – December 21, 2019 – Users of 5.0.7 with an API key can now update using Tools->updates in your dashboard!

  • 00753 Fixed manual account verification on admin user
  • 00755 Many fixes to the mail/password reset features (Dan Hoover)
  • 00737 Updated phpmailer for PHP 7.3 compatibility (Dan Hoover)
  • 00752 admin.php will now properly display Admin Dashboard as the page title (Brandin Arsenault)

5.0.7 (From 4.4.0 or later) – November 7, 2019 – If you are on ANY version of 4.4 or 5 and want to jump to 5.0.7, use this patch.  BACKUP and FOLLOW THE INSTRUCTIONS in the download zip.  Note that from this point you will be able to use the auto updater on the dashboard. Please also note that your dashboard widgets will most likely not work. Please delete the widgets in the usersc/widgets folder and re-download from Spice Shaker.

5.0.7 (from 5.0.4) November 6, 2019 – Feature Release.  Adds the ability to update the UserSpice core with the "Check for Updates" button on the dashboard.  Also fixes the following issues.

PLEASE NOTE: 5.0.5 and 5.0.6 were internal releases for testing the update system.

  • 00729 Languages updated for new installs.  Use Spice Shaker get new languages on existing installs. (Dan Hoover)
  • 00728 Standard Template Updated and pushed along with this update. (Dan Hoover)
  • 00717 Resolved duplicate ids in admin_user (Dan Hoover)
  • 00721 Updated join thank you. (Dan Hoover)
  • 00724 Update the styling of the ip manager (usamusa)
  • 00724 Overhauled the styling of the plugin manager (usamusa)

5.0.4 (from 5.0.3) September 25, 2019 – Minor Release.  Note there is a patch under 4.4 that will allow you to go all the way from 4.4.x to here in one shot.

  • 00711 Fixed double login bug with Terms of Service Disabled (Dan Hoover)
  • 00393 Using latest recaptcha (v3) with curl. If you have v2 keys, you will need to update your recaptcha keys (Dan Hoover)
  • 00705 Added ability to use a separate template on a  per-page basis.  Just define $template_override = "mintly";  (for example) between init.php and prep.php on the page you want to have a different template.  (Dan Hoover)
  • 00707 Added IP to user login logging (Dan Hoover)
  • Added the ability to mix WordPress styling with your UserSpice project. See (skip to 4:45 to just see the effect)

5.0.3 Cumulative patch from 5.0.0,5.0.1, or 5.0.2  OR   5.0.2 to 5.03 – September 4, 2019 – Critical UpdateRUN update.php! – Fixes a dashboard bug that prevents a lot of AJAX settings from saving….and fixes a spelling mistake.  Here is a full diff of 5.0.1 to 5.0.3.

5.0.2 (From 5.0.1) (Download 5.0.3 patch above) – September 4, 2019 – RUN update.php! Minor bug fixes and patches.  Thanks to EVERYONE who submitted great, detailed bug reports.
4.4 users can expect an upgrade path from 4.4 in the coming weeks.  Recaptcha is not working at this time.

  • 00695 Resolved in admin dashboard and admin templates views (Dan Hoover)
  • 00694 Edited helpers.php (see below (Dan Hoover)
  • 00683 Russian language added to language pack in spice shaker (Dan Hoover)
  • 00692 Login TOS resolved! (Dan Hoover)
  • 00689 Removed the last few stray </img> tags (Dan Hoover)
  • 00691 Resolved along with other us_announcements issues (Dan Hoover)
  • 00687 Made new _admin_annoucnements view (Dan Hoover)
  • 00693 Added pre to getMyHooks function (Dan Hoover)
  • Misc template fixes.

5.0.1 (From 5.0.0) (Download 5.0.3 patch above) – August 31, 2019 – Minor bug fixes and patches.  Thanks to EVERYONE who submitted great, detailed bug reports.

  • 00682 Non DB Nav Fixed (Dan Hoover)
  • 00684 Added a few checks (Dan Hoover)
  • 00685 Updated schema in git repo (Dan Hoover)
  • 00686 This is already fixed in 5.0 (Dan Hoover)
  • 00643 Added the same check for checking if userspice is available (Dan Hoover)
  • 00666 Removed id in template (Dan Hoover)
  • 00667 Not possible in current setup (Dan Hoover)
  • 00673 Modified standard footer (Dan Hoover)
  • 00675 Removed </img> tag that was there for some unknown reason (Dan Hoover)
  • 00677 Removed </header> (Dan Hoover)
  • 00678 Added CDN popper.js to standard template (Dan Hoover)
  • 00674 Removed duplicate body tag (Dan Hoover)
  • 00679 Created new _configure_plugin_header to deal with plugin config header issue (Dan Hoover)
  • 00659 Div fixed in earlier commit (Dan Hoover)

UserSpice 4.4 Patches

5.0.7 (From 4.4.0 or later v4.4) – September 5, 2019 – BACKUP and FOLLOW THE INSTRUCTIONS in the download zip.

4.4.15 (from 4.4.14) – This was a patch to offer compatibility with the latest UserSpice APIs. If you cannot or will not update to the latest version of 4 or 5 to get this feature working, you can fix your 4.4 install with this patch to maintain your UserSpice services.

4.4.14 (from 4.4.11, 4.4.12 or 4.4.13) – June 13, 2019 – Security and Bugfixes – Run users/updates/

  • 00559 Removed front end Mass Messaging (Dan Hoover)
  • 00560 Containers, wrappers, and wells removed. (Dan Hoover)
  • 00567 DB Clean widget updated (Dan Hoover)
  • 00569 Resolved in another commit (Dan Hoover)
  • 00571 Added missing {} (Dan Hoover)
  • 00572 Improved hook features (Dan Hoover)
  • 00576 Removed duplicate line (Dan Hoover)
  • 00577 LDAP Plugin Updated (Dan Hoover)
  • 00578 LDAP plugin now updates F/L name on login (Dan Hoover)
  • 00579 Better description on email settings (Dan Hoover)
  • 00581 Some features pulled from dashboard access. (Dan Hoover)
  • 00582 Menu editor now saves sort. (Dan Hoover)
  • 00583 Bug reporter is now master only (Dan Hoover)
  • 00584 Added viewport to dashboard (Dan Hoover)
  • 00585 Removed features from dashboard access (Dan Hoover)
  • 00587 Fixed notifications (Dan Hoover)
  • 00590 Added Russian Language (Dan Hoover)
  • 00592 This is already fixed in 4.4.12/3 (Dan Hoover)
  • 00595 Changed language on email (Dan Hoover)
  • 00596 Removed autocomplete (Dan Hoover)
  • 00440 Removed ssp from logs (Dan Hoover)
  • 00555 Dashboard emails now sent in default system language (Dan Hoover)
  • 00598 Forgot Password will no longer show if the email is invalid, just says there is an error (Brandin Arsenault)
  • 00428 Minor redundancy fixes on Maintenance page (Brandin Arsenault)
  • 00521 Admin Forms will no longer autocomplete (Brandin Arsenault)
  • 00558 Optimized hasPerm Function (Brandin Arsenault)
  • 00602 Added containers to default template (Brandin Arsenault)

4.4.11 (from 4.4.09) –  April 28 2019 – SECURITY RELEASE – Run users/updates/ 

Fixes a known vulnerability in jQuery across all templates, even copies of our stock templates. Also added a new feature to allow you to grant access to portions of the admin dashboard to non-admin users.  New plugin hooks for creating more advanced plugins.

  • 00515 Added a time option to the form manager (Dan Hoover)
  • 00535 Now allowing numbers in form names but no symbols (Dan Hoover)
  • 00538 Fixed some includes in superhero theme (Dan Hoover)
  • 00543 Fixed some form actions that caused errors on certain servers (Dan Hoover)
  • 00545 Removed padding (Dan Hoover)
  • 00546 Remove meta information from admin_menu (Dan Hoover)
  • 00547 Replaced validation string (Dan Hoover)
  • 00548 Saving state of most datatables (Dan Hoover)
  • 00549 Moved Google Analytics to inside body tag (Dan Hoover)
  • 00550 Some meta tags moved to usersc/includes/head_tags.php (Dan Hoover)
  • 00551 FB now logging IP on login (Dan Hoover)
  • 00494 Re-implemented custom settings (Dan Hoover)
  • 00497 Added type of money to forms (Dan Hoover)
  • 00508 Changed some form editor formatting (Dan Hoover)
  • 00509 Form help opens in a new tab (Dan Hoover)

4.4.09 (from 4.4.08) – OR Cumulative Update from 4.4.01,2,3,4,5,6, 7, 8 to 9 – April 11, 2019 – Run users/updates/ if doing the cumulative update.

  • 00528 Moved annoucement code to the bottom for better loading
  • 00525 Fixed dropdown value errors on email settings
  • 00524 Added users/includes/dashboard_language.php and changed some lang function logic
  • 00527 Moved favicon.ico
  • 00510 Fixed JS error
  • 00529 Found stray ?> in users/includes/facebook_oauth.php
  • 00533 Made plugin footers available both front and backend.
  • 00519
  • 00532 Implemented new language keys for emails
  • 00530 If statement modified to make sure announcement messages are shown

4.4.08 (from 4.4.07)  – April 11, 2019 – Run users/updates/ There are database updates that are recommended, and may be some in previous versions to be applied.

  • 00510
  • 00517
  • 00500 Added a fallback to en-US if $save is not defined
  • 00512 Removed second join_cap
  • 00492 Added suggested example
  • 00502 Made db update to warn of this and significant changes to the user agreement file
  • 00514 Added pt-PT from Flávio
  • 00513 Dashboard reworked, existing content converted to full width modules
  • 00511 Put a javascript widget in usersc/templates/default.footer.php
  • 00466 Changed div tags to nav
  • 00506 Added links for everything except widgets
  • 00507 Added some {}
  • 00504 Bulgarian Added
  • 00470 Implemented Usamusa's fixes
  • 00501 Implemented Usamusa's fixes

4.4.07 (Use 4.4.09 update) -April 5, 2019 – Run users/updates/ There are database updates that are recommended, and may be some in previous versions to be applied.

NOTE: If you were already on 4.4.06, you can use this patch to just go from .06 to .07 and you don't need to run users/updates.

.07 – Fixed some bootstrap 3 bugs that affected some users in somewhat rare circumstances.

.06 – Way too many changes to list individually, so see the changelog for a complete list. The big feature is a new MULTI LANGUAGE front end.  Every page that your end user will see can be translated into other languages.  See this video for a detailed description of how to do this.  The back end (admin panel) will be translated in a future version, but for now, it is English only.

4.4.04 (use 4.4.09 Patch) – March 9, 2019 – Run users/updates/ There are database updates that are recommended, and may be some in previous versions to be applied.

  • 00461 Bumped version to 4.4.04
  • 00450 Fixed footer on users/messages.php
  • 00453 Updated group_menus and users login ints to 11 and unsigned in database
  • 00456 Resolved token undefined error on Admin Login Settings
  • 00455 Resolved token undefined error on Admin Registration Settings
  • 00454 Resolved token undefined error on Admin General Settings
  • 00459 Removed the delete button from the default permission levels
  • 00451 Usersc Composer only included if the autoload file exists

4.4.03 (use 4.4.08 Patch)- March 2, 2019 – Run users/updates/ There are important database updates that are required, that you may have missed in the past versions as well.

  • 00449 Bumped Version to 4.4.03
  • 00447 Disabled autocomplete on Admin Users
  • 00442 Made validation errors on Users in ACP visible
  • 00414 Update system rewrite
  • 00436 Manage Sessions kill button updated for BS4 compatibility
  • 00405 reAuth will no longer be unset on account.php
  • 00430 admin_verify.php uses the new nav engine
  • 00433 Usersc Composer is now included in helpers by default
  • 00438 User creation exceptions now return the DB error for you to use
  • 00435 Restored code for admin session management
  • 00437 Updated tomfoolery.js and header fixes for Session Management

March 1, 2019 – Important Note about upgrading to 4.4

Please note that UserSpice 4.4 features a new template system, by default continues with BS3 and has the ability to handle BS4 and other templates available in the future. That being said, you may notice some pages not working, including navigation, despite the page itself looking okay. This is due to adjustments to code that breaks existing scripts including onclicks and hovers, and requires updated navigation. If you are using Database Navigation, this is a fairly simple change, and you will require minor adjustments.

**In the header and footer of all pages you want to match to the existing UserSpice theme and template system** you must replace:

The header.php and navigation.php includes to:

require_once $abs_us_root.$us_url_root.'users/includes/template/prep.php';

The page footer and html footer should be replaced, above custom scripts to be:

require_once $abs_us_root . $us_url_root . 'usersc/templates/' . $settings->template . '/footer.php';

If you did not rely on UserSpice core pages in your custom code, you will more than likely not face issues, but if you regularly duplicated pages and used the regular UserSpice CSS and Javascript you will need to make these adjustments.

Thank you,

Brandin & Dan.

4.4.02 (use 4.4.09 Patch) – February 6, 2019 – Run users/update.php It may not do anything, but some people missed an important update. This fixes that. Minor bug fixes. New version of Facebook Graph due to them breaking something. Thank you so much to everyone who helped with these and to all those who are helping bring multilanguage support to an upcoming version.

4.4.01(From 4.3.25 or 4.3.26) – January 24, 2019 – This is it! Widgets, Templates, Plugins! Fantastic dashboard.  Come and get it! Thanks to everyone who made this happen. Please note, if you were one of the awesome people who helped beta test 4.4, there are updates to get you from beta to final over here.

UserSpice 4.3 Patches

4.3.26(From 4.3.25) – December 15, 2018 – Important security update. Fixed a few bugs on join.php. Fixed a bug in session management. Added UserSpice 4.4's announcement feature so you can be alerted of future security features.

4.3.25 (From 4.3.24) – June 17, 2018 – Important security update. Many thanks to the white hat hackers out there that help make our code better. This update changes the way we handle detecting the user's ip address and removes the feature that checks if a username is taken.

4.3.24 (From 4.3.23) – May 15, 2018 – Important Security Patch for UserSpice 4.3 users, including a fix for a vulnerability on the Bio and Admin Pages. There is an update to run as well within this patch. This is very small update, but essential.

4.3.23 (From 4.3.20, 4.3.21 or 4.3.22) – April 26, 2018 – Hotfix for 4.3.21 and 4.3.22 to fix an auto-logout bug. Session Manager is being disabled, although you can enable it, some users are experiencing issues with it logging out users for no reason. You are welcome to use it, but know there could be a bug that will prevent usage of your site, and we are not aware of the fix yet.

Previous Notes:

April 25, 2018 – Hello everyone, Brandin here. Dan is working away hard on some extra UserSpice features so I completed most of this update-although Dan pitched in some Form Builder stuff 😉

This is a HUGE update-and although didn't get its own major version push, it contains over 31 resolved bugs, with thousands of lines of modified code, updated composer packages and our very own security function-Session Management. UserSpice is now tracking Sessions for all users (similar to how some popular Social Media sites do) so you can end remote sessions, and on password resets these sessions will be ended to. With this, comes a powerful tool on users/admin_manage_sessions.php which can almost instantly log every user out of your site. There is a confirmation box and warnings around, and this can only be triggered from a user in the master account array, regardless of who has access to the page! Please be very careful with this tool, and test it greatly (of course not on your live site 😉 ) so we can get some feedback on it. As always, if you face any bugs, please report them to!

Recommended Upgrade Info:
-If you have not manually loaded any packages into Composer other than the built-in UserSpice ones, please delete the users/vendor folder (don't worry, the update will re-add it!)
-If you get an error about an update on update.php, run it again!
-Running update.php is ESSENTIAL for this upgrade to work.
-If you are a larger scale site, keep an eye on your load time and consider disabling Session Management.

  • 00161 Remove error on page_footer session manager (Brandin Arsenault)
  • 00059 forms.php (Brandin Arsenault)
  • 00034 If you change your password any remote sessions should be destroyed (Brandin Arsenault)
  • 00157 Make killAllSessions master account array only (Brandin Arsenault)
  • 00023 Character "&" (Brandin Arsenault)
  • 00026 hasPerm needs isLoggedIn check before ID (Brandin Arsenault)
  • 00029 Settings are not refreshed after custom (Brandin Arsenault)
  • 00086 User Settings email change (Brandin Arsenault)
  • 00098 User Settings for OAuth Users (Brandin Arsenault)
  • 00113 usersc-check for matching users on insert and match perms (Brandin Arsenault)
  • 00128 Are we sure Admin Verify Timeout is being used? (Brandin Arsenault)
  • 00129 us_fingerprint_assets does not have Fingerprint_Added (Brandin Arsenault)
  • 00130 Line 80 on twofa.php is incorrect (Brandin Arsenault)
  • 00131 manage2fa.php IP code wrong (Brandin Arsenault)
  • 00132 _admin_stats.php (Brandin Arsenault)
  • 00133 Redirect after creating form (Brandin Arsenault)
  • 00134 Reset Links from ACP invalid (Brandin Arsenault)
  • 00136 Add X-Editable CSS (Brandin Arsenault)
  • 00138 Composer.Json is missing some packages (Brandin Arsenault)
  • 00139 Update composer packages (Brandin Arsenault)
  • 00140 Update twofa security (Brandin Arsenault)
  • 00141 Global $us_url_root for verifyAdmin (Brandin Arsenault)
  • 00142 Two FA assets being inserted every time (Brandin Arsenault)
  • 00143 Two FA check failing (Brandin Arsenault)
  • 00147 verify_new error (Brandin Arsenault)
  • 00148 New Google Users die (Brandin Arsenault)
  • 00149 Have to revert all changes to params (Brandin Arsenault)
  • 00152 twofa.php API URL is not cross-compatible (Brandin Arsenault)
  • 00153 Manage 2Fa IP Echo Wrong (Brandin Arsenault)
  • 00154 Two FA Fingerprint Compare is wrong (Brandin Arsenault)
  • 00155 Fingerprinting and Session Tracking (Brandin Arsenault)

4.3.20 (From 4.3.19) –  April 21, 2018 – Brandin & Dan here! This is a pretty large update, and as always, but especially with this update, you should backup your DB and files first! You can review the tickets below including the information in the hyperlink for some more detailed stuff.

  • 00118 Allow overriding un-completed updates (Brandin Arsenault)
  • 00117 Remove botched Fingerprinting Updates (Brandin Arsenault)
  • 00110 2FA Assets Broken (Brandin Arsenault)
  • 00059 forms.php (Dan Hoover)
  • 00080 Fix form builder if required dropdown/etc is added later (Dan Hoover)
  • 00116 Create multi-database support (Dan Hoover)
  • 00115 Autocomplete on admin_pin should be disabled (Brandin Arsenault)
  • 00114 PIN codes don't have to be numbers! (Brandin Arsenault)
  • 00104 Can't make disable_2fa private? (Brandin Arsenault)
  • 00105 Admin option to reset User PIN (Brandin Arsenault)
  • 00103 Don't allow reauth on admin_pin (Brandin Arsenault)
  • 00101 admin_user.php JS file call not cross-compatible (Brandin Arsenault)
  • 00106 if local was commented out for reauth (Brandin Arsenault)
  • 00108 Fix to time2str() function in us_helpers.php (Brandin Arsenault)
  • 00112 isAdmin needs $isLoggedIn (Brandin Arsenault)

4.3.19 (From 4.3.18) –  April 14, 2018 – Brandin here! This is a pretty large update, and as always, but especially with this update, you should backup your DB and files first! Review the tickets below including the information near them for some more detailed stuff. We changed our tracking method mid-way through this release so some of the tickets may have more details than what I included below. Please pay some particular attention to the changes to Two FA, reAuth and the Dump/DND functions.

00100 Track the date the use enrolls in 2FA



Updates: 4A6BdJHyvP4a

00066 Redirect after confirmation of permissions

00075 Clean up dnd and dump functions
New Functions: isAdmin(),isLocalhost()

Updated Functions: dump,dnd, both allow optional parameters of adminOnly and localhostOnly

00099 Allow hasPerm to default to current user ID

00097 Advancements in admin_verify technology
We’ve done a large overhaul on the Admin Verification system of UserSpice. We are now allowing pin-based verification which is set when a user hits admin_verify for the first time after this update. The User can reset the PIN via user_settings.php. The Admin can now set if ReAuth is even enabled, and the amount of time in minutes for verification to be checked. This is being done in conjunction with the recent move of reAuth from the DB to Session variables, and eventually once the system is proven, we will build the items into the session variables as a progression to reduce load on the DB.


ADD COLUMN pin varchar(255) DEFAULT NULL AFTER `password`;

ALTER TABLE settings

ADD COLUMN admin_verify tinyint(1) NOT NULL,

ADD COLUMN admin_verify_timeout int(9) NOT NULL;

UPDATE settings SET admin_verify=1,settings.admin_verify_timeout=120 WHERE id=1;

Updates: 69FbVbv4Jtrz

00084 Incorrect redirect after creating a new form

00043 MQTT tables does not load

00091 Omit disabled users from User Management List
We added a new button to the bottom of admin_users.php that can trigger the view of all users

00093 FORCE updates on new install

00055 Link on "Database out of date…" warning not /usersc compatible

00028 Your old password can be the same as your new…

00010 Two FA is not compatible with OAuth currently

00071 Allow destroying of fingerprints
We’ve added a feature into the Two FA Fingerprinting system that allows users to destroy and view fingerprint asset information on manage2fa.php.

00088 Couple of non usersc compatible links

00060 Make the expiry time for $vericode_expiry in join.php a site setting

00061 Delete forms

00083 Limit usersc redirect to only files in the 'users' folder

00081 Remove Experimental From backup options

00079 Add and document skip field on displayForm function

00078 Get displaySingleItem update from RFID System

00064 My cloaking got deleted!
We’ve moved cloaking to admin_user.php and made it a users-table permission

00068 Should email_test be UID 1 only?

00072 double checking what should be compared…

00073 Registration – Add Text Letting User Know Link Expires and To Check Their Junk Mail

4.3.18 (From 4.3.17) –  March 29, 2018 – Brandin here! Finally pushing updates on my own 🙂 This is a small update, but focused on baking Admin Verify (reAuth) and Two Factor Authentication a little more.

We moved reAuth out of the database and into the Session Data. This allows for less querying on the database on all of the secure pages. Although very minimal load, every bit helps! This allows means no easy manipulation of this data, which is a good thing, I promise! The other problem with having reAuth stored in the database is it was based on user-account, not user-session. So if you verify yourself on one PC while someone else is using your account maliciously elsewhere, they would then have access to all of the secured pages, defeating the purpose of reAuth.

Two Factor Authentication now has the ability to Fingerprint users and use this as a way to authenticate them. Similar to other systems such as Google and Facebook, your session is Fingerprinted and if you pass two factor authentication, it remembers your fingerprint for 30 days. There is not currently a way to destroy this, but this is still very much a work in progress. If you want to use the Fingerprint anywhere, you can use $_SESSION['fingerprint'];.

Don't forget to report any bugs to the UserSpice Bug Tracker.

4.3.17 (From 4.3.16) –  March 22, 2018 – MUCH appreciation to Brandin, John and the community for having my back on this update.  I'm in the middle of a job change (and move) and everyone has really pitched in to help report and fix bugs and been so patient.  You can view details on any of the bugs by clicking on them.

Not all of the cancel buttons are cross-compatible
Update LoI68El211ON botches update.php
reAuth should be spam-proof
Link on "Database out of date…" warning not /usersc compatible
2FA buttons on accounts.php not /usersc compatible
admin_logs should be sorted by logid not logdate
randomstring isn't overwriteable
forgot_password link is not cross compatible
_email_adminUser.php spelling mistake
Cron manager page typo
Facebook Login on admin_social should be above the FB settings
Update user: not check for new or old values
Missing return in permissionNameExists function
Facebook login broken
Join redirect got added before loggers again

4.3.16 (From 4.3.14) –  March 12, 2018 –

NOTE: There were a few bugs in the massive code changes for 4.3.15. If you already upgraded to .15 you can download this to just get the changes.

New advanced form builder features (documentation here) give you even more control over your form processing.   We've updated our bug tracking to a new custom system built by Brandin.  You'll soon get even better bug/update tracking. For now, here are the fixes and improvements.

Advanced form processing allows you to do more things between when the user submits the form and the info is processed.
All pages in the /users folder are now usersc compatible. Simply copy a file to usersc and edit way. Don't edit our core files!
A cookie fix was provided by a user on our subreddit.
2 Validate class updates were provided by gtilflm (aka gtrrewdfszx)
The DB driven menu now properly supports external urls (thanks Slimey!)
You can now specify the sender name and email address in the email function. Note that if you were using that for attachments, you may have to add another parameter to your code.
Brandin fixed a password reset bug that was pointed out by multiple users. Sorry for the frustration there.
The install folder is now deleted on first update.  If you've added stuff to this folder, it will fail, which is a good thing.


4.3.14 (From 4.3.13) –  February 18, 2018 – New form builder feature (documentation here) can drastically cut down your development time with forms and tables.  It's pretty fleshed out, but expect improvements as the community gets its hands on it.  Addresses the following issues from the UserSpice bug tracker.  (Feel free to submit bugs/feature requests to

#067 Patched an array to string conversion issue on login.php
#066 Verify hold patch on verify.php – unable to patch init.php
#063 Reformatted page titles via update.php
#062 Spelling mistake on ACP
#057 Disable 2FA unexpected } fix
#055 2FA was not showing the form if no referrer (which rarely would be)
#054 api/index.php removal of securePage, wrapped with isLoggedIn function, repaired error output
#052 Login logger was double logging, too much logging, too much!
#051 Options tag not closed on _admin_css_settings
#043 messages.php was missing CSRF token check, added
#041 Vericodes needed to be baked more, 15 minute expiry added and is only valid on request
#012 Usernames that are numbers are finally allowed! We have patched this extremely old issue in the Users class
#053 Add Mark Unread option to Admin Notifications

4.3.13 (From 4.3.10,11,or 12) –  February 7, 2018 – Fly Eagles Fly! – Cumulative patch because we've done several updates in the last few weeks.

Addresses the following issues from the UserSpice bug tracker.  (Feel free to submit bugs/feature requests to

#007 oauth_success redesign, minor cosmetic changes, added redirect option in usersc/includes/oauth_redirect.php
#008 DB class update, added getColCount and getColMeta
#014 Allow custom hooks in db-driven nav, see usersc/includes/database_navigation_custom_loops.php
#015 Allow custom loops for lognote replacements, done in us_helpers, see helper for more details, you can now replace the lognote with this new helper
#018 2FA is not complete, removed from login page, made standalone, fixed APIs and namespace issues, updated settings included header lock, admin_user disable, and setting to disable and disabled + reset
#019 Disable registration, this highly requested feature is now done, and is compatible with Facebook and Google OAuth! Uses will now see "Registration Disabled" on join.php and the link will be hidden from the header. OAuth users without accounts that sign in from login.php will be greeted with the disabled page as well, and no account will be created. This is controlled from the ACP.
#042 disable autocomplete on admin.php forms to avoid breaking, for security as well
#045 Disable autocomplete on user_settings password fields for security
#046 Master Accounts should override permission_restriction settings, this logic was added
#049 permission_restrictions was being ignored, added logic to admin_user

Notes from 4.3.12 – Lots of bug fixes by Brandin. Probably mostly my type0s.

Admin Verify is now on by default when cloaking.  Cloaking does not cause you to mark your users notificaitons as read.  Fixed a spellign mistake.  Fixed some migration issues.  Lots of notification/logging fixes. Thanks Brandin.

Notes from 4.3.11 – What started off as just grabbing some low-hanging fruit updates, turned into a pretty big update.

– Brandin fixed a lot of nagging bugs like $_GET variables being stripped if the user was logged out and last login not being logged when you use Oauth.
– John made some nice changes to the notification popup and helped with the auto-popup feature.
– New (optional) auto notification popup feature forces open the notification window when a new notification pops up. Great for corporate environments where notifications can be critical.
Security Update – Cron jobs are now disabled by default and your existing ones have been disabled until you step through a security hoop.  You will get a notification when you run the update.php and one will be on your cron manager.

Please note, due to database changes, you need to run update.php, which you'll be reminded to do when you visit the admin panel.

4.3.10 (From 4.3.9) –  December 12, 2017 – New Cloaking feature! Note that this is not the final UI experience, but we wanted to get the feature out there so people can play with it. As it stands right now, if your user id is in the $master_account (as defined in users/init.php) you have the ability to "cloak" into another user.  There is a lot of discussion about how to make this feature convenient, yet still relatively difficult to implement so you don't give it to someone by accident, hence hard coding the user id's you want to be able to use it in init.php. The same thing goes for the backup feature. Please understand that giving someone access to the backup feature allows them to fully export your source code and your database, so it's REALLY important that you don't take this power lightly.   Let's discuss in the forums.  Lots of other bug fixes. Thanks to Brandin and gtilflm for all their help.  Gtilflm came up with the proof of concept to make the whole cloaking thing work.

4.3.9 (From 4.3.8) –  December 2, 2017 – Make sure you update to 4.3.8 and run its update.php file before you go to 4.3.9 as this version gets rid of a lot of patches which patched other patches. If I'm feeling ambitious, I may make a patch straight from 4.2.11/12 to 4.3.10 or something so people don't have to step through the bugs from previous version. They're not terrible, but it's good to see 4.3 being more "battle tested" by all the people who are putting it through its paces.

-Fixed a bug where users were asking to re-verify their password immediately after logging in.
-Fixed a bug where the time was not being correctly entered on notifications for some users in some circumstances.
-Fixed some code that should have been commented out (only affected certain versions).
-Cleaned up update.php.
-Made several changes to the fresh install sql file (does not affect updaters).
-Fixed an error where valid users were being incorrectly logged as banned. They weren't actually banned, it was just showing up in the logs that they were.
-Fixed migrations.php so users are alerted in the admin dashboard if they have migrations that have not been run yet.  In the past, people would forget to run that and then wonder why the heck this garbage software is running so bad.  This give puts the blame on you, the end user, where it belongs 🙂

4.3.8 (From 4.3.4,5,6,0r 7) –  November 27, 2017 – YOU MUST run users/update.php to get the latest db updates.  You should be LOGGED IN when you run this update.  If you're not, edit your update.php file by temporarily deleting or commenting out line 5 (the securePage function).

Cumulative update.  Lots of stuff in here.  The skeleton of a password strength meter and Google 2 factor authentication are here and are available to play with, but they aren't fully ready.  To play with 2fa, you have to go into the settings table manually and change twofa from 0 to 1.  Many thanks to gtilflm and Jeff and Brandin and Quackles and Trioxin and all the other people in the forums who have been working hard to making UserSpice great.  It's coming along. I'm sure there will be some bug fixes. There are lots of code changes in this one and it was a very stressful one at that, so expect a .9 somewhere in the next week.  

4.3.4 (From 4.3.2 or 4.3.3) –  November 16, 2017 – Lots of bug fixes.  Lots of database changes, so be sure to back up first.  Thanks for everyone's contributions and patience!

-Added sorting and fixed resort on admin_users.php -Added lock to show if use is permissions = 0 or 1 on admin_users.php -Added page name to admin_pages.php -Changed _admin_stats ucfirst to echousername -Fixed bug with cron_manager links and cron not logging after certain amount of crons -Was missing title from fetchAllPages helper -Fixed a bug where last_confirm was not updated on login -Changed the design of admin_logs to use built in paginate -Fixed bug with multi-calls on admin_logs_manager, removed unusable enable/disable button, removed table-responsive div class as it was causing an extra horizontal scrollbar -Fixed a bug where SQL was not able to import settings as DEFAULT was not defined

4.3.2 (From 4.2.11/12 or 4.3.0/1) –  November 11, 2017 – This is a major milestone and is a massive update from 4.2.11.  Absolutely backup your database and your files.  Dumping all the files from this patch will immediately break your site.  Simply navigate to your site and you will be walked through the upgrade process.  Depending on how you "got" to version 4.2.11, you may be asked to make some changes (simplifications) to your users/init.php file.  Things like your recaptcha keys, copyright notice, and other settings that really didn't need to be in init.php are now in the settings table of the db.  Feel free to ask questions in the forums.  More and more documentation will be coming out soon. Enjoy and thanks to everyone in the community who supported the project. NOTE: If there are weird issues with dates and times on crons, logs, or notifications, those will be fixed soon. We just had get out patches to make sure everyone has the tables themselves. After that, we can make the proper schema and logic adjustments. Note2: If you are updating from UserSpice 4.3.x, you will get warnings that tables already exist when you run patchme.php. That's fine. You'll lose some logs, but they're new, so it shouldn't be a problem.

UserSpice 4.2 Patches

4.3.12 (From 4.2.12) –  February 3, 2018 – This is the big one! Bypass all the early hiccups with 4.3 and go straight to 4.3 stable. READ THE INSTRUCTIONS and follow them in order. Backup everything. I've tested this on a bunch of 4.2 installs, but you never know.

4.2.12 (From 4.2.11) –  November 11, 2017 – Security update!  We added a few security features to the password reset feature just to make things a little safer.  Vericodes are now longer and alphanumeric.  Note that even more robust features are coming in 4.3.1, but we thought everyone should have this patch. NOTE: There is a file that will go in your root called vericode.php.  This will update all your existing vericodes to the new format. It's not 100{3bc1fe685386cc4c3ab89a3f76566d8931e181ad17f08aed9ad73b30bf28114d} necessary but is a really good idea. Just go into your dashboard and click admin pages to get it into the system. Set it as admin only. Run vericode.php and then delete vericode.php.  To give you an idea, the current 6 digit numeric vericode could have been brute forced at 18.52 mins online (with a rate of 1000 guesses per second hitting your webserver, on average they would get in at 9.26 minutes).  The new code takes 4.01 trillion centuries at 1000 guesses a second.  Even a massive attack of 100 Trillion guesses a second would take 40.08 centuries.

4.2.11 (From 4.2.10) –  September 9, 2017 – Fixed two Facebook login bugs.  One fixed by user jdmfarms. Thanks for that.  Karsen fixed a search.js bug. Bladerunner fixed the pesky master account not found bug.  Enjoy everyone.

4.2.10 (From 4.2.9) –  August 13, 2017 – Relatively lightweight patch with improvements provided to the backup system by Firestorm and some SB Admin css edits as requested by Haydentech.  Note that since 4.3 and 4.2.x developments are occurring at the same time, I'm generally only pushing out updates that give additional usability to 4.2.x.  4.3 will be a (relatively) painless upgrade (fingers crossed) that provides lots of cool new features.

4.2.9 (From 4.2.6 or 4.2.7 or 4.2.8) –  July 2, 2017 –

BE SURE that admin_pages shows admin_backup as private and admin only after running the patch.

New backup feature provided by Firestorm.  Please not that this feature is EXPERIMENTAL. There is a readme file that explains that you need to make a modification to your init.php and run the patchme.php file.  If you are coming from 4.2.6 or 4.2.7, you also need to simply visit the admin_pages.php page in the dashboard so it can find your maintenance.php file. It should be public.

Right now the backup everything feature will recursively backup your backups. This is a problem that I'd like to look into as a community. None of my quick and dirty solutions worked.  You can find this feature by going to the admin dashboard and click the link at the top, right next to the check for updates link.

I know there are other things on my todo list. Lots of bug fixes and things like that, but they require more testing than I can do at the moment.  Slow and steady we'll get to this stuff.

4.2.8 (From 4.2.6 or 4.2.7) –  June 8, 2017 – Community issued patches. Thanks everyone! Again…busy season, just happy to have people in the community helping so much.  These are the "low hanging fruit" patches. There are 4 or 5 (non-critical) patches in my bug tracker that I'm working on, but I don't have time to write a database patch right now plus I have features I want to add at the same time.

PLEASE NOTE: You must go into the admin panel and click admin pages so your database can find the new maintenance.php file.

Lots of great stuff from user Firestorm.  A great update to the maintenance mode and a fallback for jquery when the cdn doesn't work. I need to get these fixes for bootstrap too.

User Jeff squashed the bug which was giving extra slashes.  Thanks Jeff!

Muhammedc tracked down a jquery bug in helpers.php.

4.2.6 (From 4.2.3 or 4.2.4 or 4.2.5) –  April 18, 2017 – Lots of little patches. Thanks to all the users who submitted this stuff (Brandin, Trioxin).  Here's a quick rundown.

Note: April – August is the busiest time of year for me in Alaska so I'm going to be concentrating on bug fixes rather than adding new features for the most part.
Note2: 4.2.4 was a botched release. Sorry about that.  Just apply this patch and you SHOULD be good to go.
Note3: 4.2.6 fixes a bug in user_settings.php  in 4.2.4 & 4.2.5.  If you already have 4.2.5 you, you can just update that one file along with users/includes/user_spice_ver.php

-Front end users are now forced to abide by your min/max password rules when editing passwords AFTER their account has been created.
-Admins can now edit passwords in admin_user.php
-A bug has been fixed in the "recent users" section of the admin panel if a user showed up in the list whose account has been deleted.
-A bug has been fixed for users who were redirected to the login page after being denied access
-A bug has been fixed regarding validation errors
-The bug for users who fail to check the terms and conditions box has finally been fixed. Sorry about that.

4.2.3 (From 4.2.2) – March 10, 2017 – SECURITY UPDATE – As part of our release update, our software is audited by a 3rd party looking for vulnerabilities.  Last full review was 4.1.8.  This one found some very minor bugs, but still worth fixing.  1 clickjacking vector was fixed in the header.  Also, now that js/css are being called from various CDNs, it is important to have integrity checks in those calls to make sure the code is not being modified by a man in the middle. This was fixed for all 3rd party CDN calls.  Additionally, I decided to change input fields from "text" to "password" for sensitive information in the admin dashboard and email settings to prevent people from seeing passwords. Note that out of necessity, these passwords/keys are stored in the clear in the database itself.  AND FINALLY – I think I found a universal fix for content sliding up under the header when resizing the screen.  Just in case it breaks stuff for you, this code is called in usersc/includes/bootstrap_corrections.php.  You can put whatever you want in there and it will be injected into the header.

4.2.2 (From 4.2.1d,e,f, or g) – March 6, 2017 – Rollup of previous bugfixes as well as new features.   Most of these changes primarily affect new installations by default but with a few changes in your init.php file, you should be up to speed.

Note: If you are upgrading and want to take advantage of the "Master Account" / Site offline feature, you must add the line…
$master_account = [1];
to your users/init.php file. This allows you to take your site offline to the public and still allow you to visit it for testing. Any user id's you want to be able to visit the site should be listed in that array.

New features:

New Check For Updates feature is built into the admin dashboard. This feature will be more automated over time. Because of this, version numbers will no longer have letters.

Master Account lets you mark the sign offline to everyone except the users whose ids are in the $master_account array in the init. Those users just see a warning message that the site is offline. login.php is always online.

Timezone is now set during installation.  Existing users should consider changing their timezone in  users/init.php unless you happen to live in Toronto.

Recaptcha is now fully disabled by default on installation (as opposed to only on join as it was before).


4.2.1g (From 4.2.1d OR 4.2.1e or 4.2.1f) – March 2, 2017 – Rollup of bugfixes for version d,e, and f.  Fixes header/footer bugs. Fixes a messaging bug in some browser versions.  Hopefully will fix some issues some users were having on some servers with jQuery. Removed double jQuery call in join form.  Just overwrite the files and you're good to go. Please give feedback in the forums.
New Feature: There are 2 new scripts in usersc/scripts. They allow you to take control over what happens if a user bumps into our "not logged in" or "doesn't have permission" checks.  You can do anything from database updates to redirecting them somewhere else. The sky's the limit.

4.2.1d (From 4.2.0 any version) – February 20, 2017 – New experimental message system. Ability to alter echouser function. Ability to allow username changes. Ability to have recaptcha for join form only.  This is a BIG update with a very complicated patch. PLEASE backup your files and database just in case.  Note, users of 4.2.0 final or 4.2.0b should run patchme420.php.  Users who were on a previous version of 4.2.1(rare) should run patchme421.php to fix a minor bug.

4.2.0b (From 4.2.0 Final) – February 18, 2017 – Bug fixes found by users after installing 4.2.0. Primarily around Facebook Oauth and showing the words UserSpice instead of your site_name as defined in the database.
4.2.0 Final (From 4.1.8c OR 4.2.0 Beta) – February 13, 2017 – Significant improvements from the "Release Candidate" below. See for documentation.   Expect to spend about 10-20 minutes getting the credentials for the social logins setup.  They're all disabled by default.

1. Backup your files and database and anything that's important to you.
2. If you have not upgraded to at least version 4.1.8c, do that before running this patch.
3. Copy all the files to your server, overwriting existing files.
4. Patch your database
a. If you're running version 4.1.8c run patchme418.php (ignore all errors)
b. If you're running version 4.2.0 beta, run patchme42beta.php (ignore all errors)
5. Delete both patchme files for security reasons.
6. Enjoy

4.2.0 Beta (From 4.1.8c) – November 27, 2016 – Beta but Stable – This is the release candidate for version 4.2.  It includes Facebook and Google social logins. See for documentation.   Expect to spend about 10-20 minutes getting the credentials for the social logins setup.  They're all disabled by default.

Note: YOU MUST PATCH YOUR DATABASE by running the patchme.php file in the root folder. This will give your database the default spaces to store all the new settings.

Note2: Because no data is migrated (i.e. changed) in this update, you can replace the changed files with ones from 4.1.8c to roll back your install even after patching the database. No harm no foul if you don't like it.

Also added in 4.2…

  • Password rules are now stored in the database with a new strength meter from user gtilflm (Note that symbol rule is suggested, not enforced).
  • Hooks have been put in for version comparision and automatic update detection.
  • Force SSL/HTTPS is no longer considered experimental
  • Admin pages is now a little clearer (red and green colors) if a page is private or public…thanks to picassoo for this.

UserSpice 4.1 Patches

4.1.8c (From 4.1.8b) – November 6, 2016 – Recommended Several bug fixes. Just unzip over your current install and replace files. Backup your stuff first. WARNING: if you are using the analytics.php file, this update will overwrite your customizations.  The main problem was bad commenting in the file.  You should probably just fix it manually. It's a new feature, so I'm sure it's not widely used yet.

install/install/includes/sql.sql – Not for upgraders, but new installers get cleaned up default sql with all the ids starting down low where they belong. Several useless things removed and proper auto-increments.
users/join.php – Got rid of 'company', reduced min username to 2.
users/views/_join.php – Got rid of 'company', reduced min username to 2.
usersc/includes/analytics.php – Fixed a bug that showed up in various annyoing ways on different systems. Caused AJAX and Headers Already Sent Errors.
users/includes/user_spice_ver.php – Obligatory


4.1.8b (From 4.1.7b) – October 31, 2016 – Super Strongly Recommended – I have had various people try to pound on UserSpice 4.0 and 4.1 and try to break things over the past 9 months, but I decided to do a full on pentest/secturity audit from several different automated firms.  There's good news.  There isn't a ton of "the sky is falling" stuff in the old code, but I've cleaned up a lot of stuff (with PLB's help) that will make your code more secure.  NOTE: I will be posting the full methodology and report and outstanding issues in a separate post.  For now…just update.

What you need to know:  Various new .htaccess files have been added. Bootstrap and FontAwesome have been updated to the latest versions.  If you use the custom scripts in the usersc folder, don't go overwriting your scripts willy-nilly. They were, however, what was causing the extra /'s in the urls.  I've fixed that. More details to come, but this is a BIG update with lots of files.

What's optional: The /usersc stuff and the css/js/fonts files are all optional, but adding the .htaccess files are strongly recommended if your server has directory listings turned on by default

4.1.7b – (From any version 4.1.3,4.1.4,4.1.4b,4.1.5,4.1.6,4.1.6b, or 4.1.7 )October 22, 2016 – Strongly Recommended – This patch includes everything in the one below, but also includes these bug fixes.

users/user_settings.php – A missing = sign was causing email addresses to become not verified even if email verification was turned off. This was a problem because if this happened, the user had no way to verify. Many thanks to Kighlander for finding this bug.
users/admin_users.php – Admins can now create usernames as short as two characters.  I also added back the automatically generated profile for new users.
users/includes/user_spice_ver.php – Gives you peace of mind that your UserSpice is up to date.

4.1.7 – (From any version 4.1.3,4.1.4,4.1.4b,4.1.5,4.1.6,or 4.1.6b)October 19, 2016 – Strongly Recommended – Let's just pretend that version 4.1.6 never happened, mmmkay?   This is a complete rollup release of all updates to take ANY userspice version 4.1.3 or later all the way up to 4.1.7.  The individual issues below are listed. This release in particular finally addresses encoding issues and has been thoroughly tested for email verification, password resetting, and all things email. If there is a use case I've missed, please let me know. It also fixes an unlikely but possible edit_profile.php bug. Much thanks to Nikolai, Sebastian, PLB, and Brian for pointing me in the right direction on this stuff.

4.1.6b – (From 4.1.5) – October 16, 2016 – NOT Recommended – Fixes a bunch of bugs found in the forums.   NOTE: To install this patch, unzip the patch over your current install, it will overwrite the following files.

Many thanks to everyone in the forums who submitted bugs and often bug fixes. You make patching this project MUCH easier.

Note: If you downloaded the "original 4.1.6 and you are missing some navigation links, just steal the navigation.php from this package"

This is a substantial bugfix, usability fix, and new feature release.  A post in the forums will give a little more info behind some of this stuff.

userc/includes/analytics.php – Added a place to put your custom Google or other Analytics code.
usersc/includes/custom_functions.php – Added a place to put your custom helpers/functions.
users/admin_users.php – When creating users in the backend, users who were created with a permission level other than "user" (such as admin), were not given "user" permission by default. This is fixed.
users/classes/Redirect.php – Added support for PLB's redirect with a message feature and custom redirects.  More on this in the forum at the post listed at the top of this bugfix.
users/classes/User.php – session_unset and session_destroy are now part of the class on logout.
users/edit_profile.php – It is possible that some users who upgraded may not have received this fix, so I'm re-pushing it out.
users/forgot_password.php – Fixed overzealous use of rawurlencode. Changed rawurlencode to urlencode.
users/helpers/language.php – Added an error message that was missing for manual account creation.
users/helpers/us_helpers.php – Added PLB's redirect, custom functions, and custom analytics.
users/includes/header.php – Test feature  – if an err get message is found in the url, it is sanitized and displayed.
users/includes/navigation.php – Capitalized the first letter of the username in the navigation bar – WARNING, if you've modified your navigation php, do not install this file or it will overwrite your changes.
users/includes/users_spice_ver.php – If you're rocking 4.1.6, you should see it in the admin panel. Major upgrade over the previous version of this file.
users/join.php – Lowered required username length to 2 for people who like to keep things simple or have names like Bo or Jo.
users/login.php – Put in the groundwork for AfterLoginGoto feature
users/user_settings.php – Corrected minimum password length to 6 as pointed out by user Angel.
users/views/_email_template_forgot_password.php -Fixed underzealous use of rawurlencode. Changed regular to raw.
users/views/_join.php – Starred currently required fields.

4.1.5 – (From 4.1.4b)September 11, 2016 – Recommended – Fixes a bunch of bugs found in the forums.   NOTE: To install this patch, unzip the patch over your current install, it will overwrite the following files.

Many thanks to PLB, Brian, and Anphung for the bug reports and patches.

users/_blank_pages/project_root.php – Fixes a bug where the securePage function was commented out by default
users/classes/Config.php – Adds a return false if no configuration data is found
users/classes/Input.php – Allows the input::get function to process arrays.
users/includes/user_spice_ver.php – Lets you know that you're now rocking 4.1.5
users/admin_users.php – Fixes yet another bug when you delete a user. This bug only showed up on certain configurations.
users/email_test.php – Better formatted email test and notes on debugging email configuration courtesy of PLB
users/forgot_password.php – We are now properly encoding email addresses to deal with people who have non-traditional addresses.
users/join.php – We are now properly encoding email addresses to deal with people who have non-traditional addresses.
users/user_settings.php – Added an explanation of how to change your profile pic.
users/verify.php – Changed line 27 to Redirect::to($us_url_root.'users/verify.php'); for people who were having verify redirect issues. Feel free to hard code this with something else if you need to.
users/verify_resend.php – We are now properly encoding email addresses to deal with people who have non-traditional addresses.

4.1.4b – (From 4.1.3)August 29, 2016 – Recommended – Fixes a bunch of bugs found in the forums.   NOTE: To install this patch, unzip the patch over your current install, it will overwrite the following files.

users/email_settings.php (your settings are safe in the database)
users/user_settings.php (again, your settings are safe)

Many of these patches are documented at  <a href="">Debugging With Dan</a>.

Bugs Fixed
-User was required to verify email even after resetting password (which requires proof of email).  Forum Discussion here. Credit: user plb
-Verify.php link was wrong – Forum Discussion here.  Credit: user plb.  Video here.
-Bio was not being created when a user was manually created.  Sorry, I can't find the original post to give credit 🙁  Video here.
-Email settings not being saved before testing. Forum Discussion here.  Credit: user plb.  Video here.
-User was able to (after verifying once) change their email address to anything.  Forum Discussion here. Credit: user plb. Video here.
-User could change username even if it was supposedly disallowed. Forum Discussion here. Credit: users plb and firestorm.  Video here.
-Error messages popped up when deleting a user since the manual user creation feature was added.   Forum Discussion Here. Credit: user firestorm. Video here.

PLEASE NOTE: There are a few more usability features coming soon.  I decided to break these bugs out so we could fix errors in this release and add features in the next one.

4.1.3 – (From 4.1.2)July 24, 2016 – Recommended – Fixes a few random database and usability bugs found in the forums. Gives better (working) guest tracking.  Also allows admins to create new users in the admin_users panel without having to walk through the join process.  NOTE: To install this patch, unzip the patch over your current install, it will overwrite the following files.

IN ADDITION: you also need to run the patchme.php file to make a quick update to your database. It is strongly recommended that you backup your files and your database first.

4.1.2 – (From 4.1.0 and/or 4.1.1) May 22, 2016 – Recommended – Fixes the initial bugs found on release of version 4.1. Updates the user class, various email functions and some built in helper functions. View 4.1.1 changelog here and the 4.1.2 changelog here.

UserSpice 4.0 Patches

(Current version is located in /users/includes/userspice/user_spice_ver.php)
4.0.0f – Note – If your server is blocking your css files after upgrading to 4.0.0f, the fastest fix is to delete the .htaccess files in all the subfolders.  Sorry about that. The same issue could be going on in the beta as well.  We will release a new version ASAP.

4.0.0e to 4.0.0f – April 11, 2016 – Strongly Recommended – This patch adds .htaccess files to folders that probably should have had them.  Your php files were always safe, but it's nice to shut down people who are playing around with urls.  Also included in this patch is a the ability to block a user.  Simply go to manage users, click a user's name, select block and update. They will be presented with a banned message.  It's something we were toying around with on the UserSpice 4.1 alpha and decided to roll out with the security update. This is an in-place update that adds a lot of .htaccess files and then replaces your existing us_helpers.php file, your admin_user file and your admin_user view.  It shouldn't break anything.  If you get strange errors of people being banned who shouldn't be, let us know in the forums, but everything has been tested and seems to work fine.  Best of all…no need to update your database. This structure was baked in all along in the users table as "permissions."  1 is not blocked, 0 (as in zero permissions) is blocked.

4.0.0d to 4.0.0e March 28, 2016 – Recommended – These are relatively simple bug fixes in 4.0 that I wanted to get out of the way before beginning on 4.1.  Thanks to everyone in the forums who is pointing this stuff out.  What's new? I rolled in that fix to the profile system that has been available for about a month into 4.0.0e.  Also fixed were some ugly errors if someone didn't enter a username or password or if you created a new page but never added it to the database.  Now UserSpice is much more clear about what's going on.  Also, "remember me" is no longer checked by default on the login form for security reasons.  There are 2 patches.

OR – This one will take you from ANY 4.0 release up to 4.0.0e.


4.0.0 to 4.0.0d – February 22, 2016Recommended – Apparently menus are hard. Especially conditional ones.  It's not a security vulnerability, but administrator links were coming up in regular users' menus. This patch fixes that.  There will be a completely new navigation overhaul in version 4.1, but this is a temporary solution to the problem. It can be unzipped and will work by dropping it right on top of any version of 4.0 from beta through 4.0.0c.

4.0.0 to 4.0.0cFebruary 17, 2016Recommended – This cumulative patch fixes a bug where the user was given a 404 when trying to reset their password from certain pages.  It also removes the version number from the header and puts it in a separate file. This allows us to change the version number without constantly modifying your header files.   You can install this patch on 4.0.0 or 4.0.0b (formerly referred to as 4.0.1). Because this bug could cause a bad user experience, it is recommended.

3.2.0 to 4.0.0 February 1, 2016.  Watch this video for more info…