Release notes

Changelog

Every meaningful change to SoShiny, dated and categorized.

July 2026

Security Jul 1, 2026

Security hardening

A full source security review led to hardening across access control, file uploads, and public endpoints — tighter role-assignment rules, safer image handling, and stricter scoping on a few public URLs. No action needed on your end.

June 2026

Security Jun 19, 2026

Spam protection on public request forms

The community finder, claim, and join forms now silently block automated bot submissions with a honeypot + timing check, on top of existing CSRF and per-IP rate limiting. No change for real visitors.

May 2026

Security May 10, 2026 See it live →

Per-board-member opt-in for the public landing

Board members are no longer auto-listed on /{slug}/ — they have to explicitly opt in via /dashboard/directory.php (Edit member → "Show in Meet your board"). Default is off. Migration 011 added show_on_public_landing to users; existing rows default to 0 so nobody is exposed without consent.

Security May 10, 2026 See it live →

Super admins can reset any user's password

User edit form on /admin/users.php now has a Change Password section. Set a new bcrypt-hashed password directly, or click Generate Random for a 14-char password from a non-ambiguous charset (no I/l/O/0). Saving invalidates any outstanding password-reset tokens for that user. Audit-logged separately as user.password_changed_admin.

Security May 9, 2026 See it live →

Password reset flow + change-password card

Added /forgot.php and /reset.php with SHA-256 hashed tokens, 1-hour TTL, single-use, anti-enumeration messaging. Plus a 'Change your password' card on /dashboard/settings.php for already-logged-in users. Outstanding password reset tokens are invalidated when the user changes their password.