
Loomio

Productivity & Wikis

A collaborative decision‑making tool for groups and organizations

Ruby Latest v3.0.24 · 23d ago Security brief →

Features

  • Facilitates group discussions and voting
  • Supports proposal creation and consensus building
  • Enables self‑hosted deployment via loomio/loomio-deploy

Recent releases

v3.0.24 Breaking risk

Fixed comment editing when admins discard comments.

Full changelog

2026-05-11 (Loomio 3.0.24)

  • Fixed: Prevent comment authors from editing or restoring comments that an admin has discarded.
  • Fixed: Preserve group ownership when creating discussions from templates in grouped contexts.
  • Improved: Hardened deployment/runtime behavior with trusted ingress IP allowlisting and exec-based Docker startup processes.
  • Improved: Removed obsolete hocuspocus SQLite persistence and legacy document-list template calls.
  • Improved: Background jobs now avoid retrying forever for records that have already been deleted.
  • Maintenance: Updated dependencies including Devise, Vite, Bootsnap, Rollup, Sentry, Nokogiri, Puma, and tzinfo-data.

2026-05-06 (Loomio 3.0.23)

  • Fixed: Do not notify the actor when they @mention their own group.
  • Fixed: Improved German discussion context-menu translations and documented known translation traps.
  • Fixed: Make received-email allow/block actions idempotent.
  • Fixed: Retry mark-as-seen when concurrent requests hit a unique-constraint race.
  • Fixed: Guard transcription analysis against detached blobs and non-rich-text records.
  • Improved: Migrated legacy Document records to ActiveStorage attachments and removed the legacy Document model/workers.
  • Improved: Removed Rails Pulse and related schema/dependency leftovers.
  • Improved: Removed legacy loomio_channel_server setup.
  • Improved: Raised the global request-per-IP throttle from 300 to 900 per 5 minutes.
  • Improved: Made demo cloning more reliable by skipping Rails Pulse and bulk-writing translations.
  • Maintenance: Updated dependencies including Nokogiri and Puma.
v3.0.22 Breaking risk
⚠ Upgrade required
  • Bumped vue-i18n to 9.14.5 (addresses XSS + prototype pollution)
  • Ruby upgraded to 4.0.2, Puma to 8, Vite to 8, Vue Router to 5 with multiple dependency bumps
  • Admin login‑link sign‑in and sign‑in with a login code bypass Cloudflare Turnstile challenge
Security fixes
  • Fixed SQL injection in HasTimeframe via timeframe_for
  • Blocked SSRF in link preview service; now requires auth and limited to 20/hour per user
  • Stopped leaking errors in API responses; removed debug logging of secret tokens and emails from hocuspocus controller
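The SQL injection fix in HasTimeframe is listed without detail, so here is an added Ruby illustration of the general pattern behind that class of bug: a timeframe filter that splices caller input into SQL text, beside a version that allowlists the column and binds the value. This is example code, not Loomio's HasTimeframe or timeframe_for; the table name, column list and the "7d"/"12h" window syntax are assumptions.

```ruby
require 'time'

# Added illustration, not Loomio's code: the column allowlist, the polls table
# and the relative-window syntax below are assumptions for the example.
TIMEFRAME_COLUMNS = %w[created_at updated_at closing_at].freeze

# Vulnerable shape: caller-controlled column and value are spliced straight into
# the SQL text, so a value like  2024-01-01T00:00:00Z' OR '1'='1  rewrites the
# WHERE clause and a column like  created_at; DROP TABLE polls; --  adds a statement.
def unsafe_timeframe_sql(column, since)
  "SELECT * FROM polls WHERE #{column} > '#{since}'"
end

# Accepts either an ISO-8601 timestamp or a relative window such as "7d" / "12h".
# Anything else raises, so no free-form text can reach the query.
def parse_since(value, now: Time.now.utc)
  str = value.to_s.strip
  if (m = /\A(\d{1,4})([hd])\z/.match(str))
    seconds = Integer(m[1]) * (m[2] == 'h' ? 3600 : 86_400)
    return now - seconds
  end
  Time.iso8601(str).utc
rescue ArgumentError
  raise ArgumentError, "timeframe must be an ISO-8601 timestamp or a window like 7d / 12h"
end

# Hardened shape: identifiers cannot be bound as parameters, so the column is
# checked against an allowlist; the value is parsed to a Time and handed to the
# driver as a bind (the "?" placeholder) instead of being interpolated.
def safe_timeframe_sql(column, since, now: Time.now.utc)
  unless TIMEFRAME_COLUMNS.include?(column)
    raise ArgumentError, "unsupported timeframe column: #{column.inspect}"
  end
  ts = parse_since(since, now: now)
  ["SELECT * FROM polls WHERE #{column} > ?", [ts.iso8601]]
end
```

The allowlist matters as much as the bind: a placeholder protects the value position only, and a column or table name coming from the request still has to be matched against a fixed set of known identifiers.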
Notable features
  • Single Transferable Vote (STV) poll type added as beta feature
  • Cloudflare Turnstile challenge integrated for sign‑in, signup and trial creation
Full changelog

This release is mostly a security hardening pass across the whole app — auth flows, uploads, rate limiting, link previews, SSO, SQL input handling, and dependencies.

There's a new Single Transferable Vote (STV) poll type (beta — feedback welcome on GitHub)

We also added support for Cloudflare Turnstile challenge on sign-in, sign-up, and trial creation.

New

  • STV (Single Transferable Vote) poll type — beta. Anonymous by default, results hidden until the poll closes. The form shows a warning asking users to report bugs and feedback on GitHub.
  • Cloudflare Turnstile challenge on password sign-in, login-token requests, signup, and trial creation. Admin login-link sign-in bypasses the challenge; sign-in with a login code also bypasses it.
  • Profile pictures via OAuth (OIDC defaults) on the OAuth client.
  • Track email bounces separately from complaints.
  • API v2b: new list endpoints for discussions and polls; limit/offset as the primary pagination params (per/from kept as aliases).
  • Rails Pulse added for request monitoring (Blazer removed).

Security

  • Hardened OAuth/SAML authentication flows; added Google and Nextcloud OAuth controller tests; trust SSO providers fully on auto-link.
  • Fixed SQL injection in HasTimeframe via timeframe_for.
  • Blocked SSRF in the link preview service; link previews now require auth and are throttled to 20/hour per user.
  • Fixed operator precedence in the Group create ability.
  • Restricted sensitive fields in serializers.
  • Fixed trial email enumeration.
  • Direct upload size limit (25 MB trial, 1 GB paid); blocked dangerous uploads.
  • Stopped leaking errors in API responses; removed debug logging of secret tokens and emails from the hocuspocus controller.
  • X-Robots-Tag: noindex header for non-public instances.
  • Bumped vue-i18n to 9.14.5 (XSS + prototype pollution).
  • Added Brakeman + bundler-audit to CI.
  • Sent rate-limit events to Sentry (grouped by rule+IP to cut noise).
  • Safelisted private-network IPs in rack_attack.
  • Split the profile GET throttle (tight on email_status, looser elsewhere).
  • Gave /bug_tunnel its own throttle and skipped Sentry alerts for it.
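The SSRF entry above says link previews are now blocked from reaching internal targets, require authentication and are throttled to 20 per hour per user, but not how. The following is an added Ruby example of the two pieces a practitioner would expect behind such a fix: a URL check that resolves the host and rejects loopback, private, link-local (including the cloud metadata address) and IPv4-mapped addresses, plus a per-user sliding-window throttle. It is not Loomio's link preview service; the blocked ranges, the port policy, the FAKE_DNS table and the class names are assumptions, and the resolver is injected so the check runs offline.

```ruby
require 'ipaddr'
require 'uri'
require 'resolv'

# Added example, not Loomio's link-preview code: validate a user-supplied URL
# before fetching it, and throttle preview requests per user.
class LinkPreviewGuard
  class Rejected < StandardError; end

  ALLOWED_SCHEMES = %w[http https].freeze
  ALLOWED_PORTS   = [80, 443].freeze   # assumed policy: previews only on default ports

  # Loopback, RFC 1918, CGNAT, link-local (covers 169.254.169.254 metadata),
  # benchmarking, multicast, reserved, and the IPv6 equivalents. Assumed list.
  BLOCKED_RANGES = %w[
    0.0.0.0/8 10.0.0.0/8 100.64.0.0/10 127.0.0.0/8 169.254.0.0/16 172.16.0.0/12
    192.0.0.0/24 192.168.0.0/16 198.18.0.0/15 224.0.0.0/4 240.0.0.0/4
    ::/128 ::1/128 fc00::/7 fe80::/10
  ].map { |cidr| IPAddr.new(cidr) }.freeze

  # resolver: callable taking a hostname and returning an Array of IP strings.
  # Injected so tests run offline; the default uses the system resolver.
  def initialize(resolver: ->(host) { Resolv.getaddresses(host) })
    @resolver = resolver
  end

  # Returns [host, pinned_ip, port]. The fetcher must connect to pinned_ip and
  # send host in the Host header; re-resolving at connect time would let a
  # second DNS answer (DNS rebinding) point at an internal address.
  def check!(raw_url)
    uri = URI.parse(raw_url.to_s)
    raise Rejected, "scheme not allowed" unless ALLOWED_SCHEMES.include?(uri.scheme)
    raise Rejected, "credentials in URL" if uri.userinfo
    raise Rejected, "missing host" if uri.hostname.to_s.empty?
    raise Rejected, "port not allowed" unless ALLOWED_PORTS.include?(uri.port)

    host  = uri.hostname                      # brackets already stripped for IPv6 literals
    addrs = ip_literal?(host) ? [host] : Array(@resolver.call(host))
    raise Rejected, "unresolvable host" if addrs.empty?

    # Every answer is checked: a dual-stack name with one internal address fails.
    addrs.each do |a|
      ip = IPAddr.new(a)
      ip = ip.native if ip.ipv4_mapped?       # ::ffff:10.0.0.1 is still 10.0.0.1
      raise Rejected, "#{host} resolves to blocked address #{ip}" if blocked?(ip)
    end
    [host, IPAddr.new(addrs.first).native.to_s, uri.port]
  rescue URI::InvalidURIError, IPAddr::InvalidAddressError => e
    raise Rejected, "malformed URL: #{e.message}"
  end

  private

  def blocked?(ip)
    BLOCKED_RANGES.any? { |range| range.include?(ip) }
  end

  def ip_literal?(host)
    IPAddr.new(host)
    true
  rescue IPAddr::InvalidAddressError
    false
  end
end

# Per-user sliding window in the "20 per hour per user" shape from the release
# notes. In-memory for the example; a deployment would back it with the cache.
class PerUserThrottle
  def initialize(limit: 20, period: 3600, clock: -> { Time.now })
    @limit, @period, @clock = limit, period, clock
    @hits = Hash.new { |h, k| h[k] = [] }
  end

  def allow?(user_id)
    now = @clock.call
    window = @hits[user_id]
    window.reject! { |t| t <= now - @period }
    return false if window.size >= @limit
    window << now
    true
  end
end

# Constructed DNS answers so the example runs without network access.
FAKE_DNS = {
  "example.com" => ["93.184.216.34"],
  "intranet"    => ["10.20.30.40"],
  "dual"        => ["203.0.113.9", "::ffff:192.168.1.5"],
}.freeze

if __FILE__ == $0
  guard = LinkPreviewGuard.new(resolver: ->(h) { FAKE_DNS.fetch(h, []) })
  p guard.check!("https://example.com/page")
  %w[http://intranet/ http://169.254.169.254/latest/meta-data http://dual/].each do |u|
    begin
      guard.check!(u)
    rescue LinkPreviewGuard::Rejected => e
      puts "rejected #{u}: #{e.message}"
    end
  end
end
```

Two caveats the check alone does not cover. Redirects must go through check! again on every hop, because an external page can 302 to an internal address. And the pinned IP only helps if the HTTP client is told to connect to it; handing the hostname to a client that calls getaddrinfo itself also reopens odd literals such as decimal or hex IPv4 forms that IPAddr rejects but the C resolver accepts.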

Fixes

  • Refresh a user's groups after joining or being added to a group.
  • Fix translator-mangled i18n interpolation vars + a CI check to catch regressions.
  • Handle legacy ImageMagick-style variation keys and Vips::Error in the ActiveStorage variation translator.
  • Return a token error on session failure when a login token is pending; translate sessions errors server-side; surface server errors on login code entry.
  • Guard Events::PollExpired and real_participant fallback against nil / non-participant eventables.
  • Fix demo poll cloning (missing opening_at/opened_at).
  • Translation fixes: needs_a_rethink_meaning, "vote in" → "vote on", German typo in discard.

Internal

  • Ruby 4.0.2; Puma 8; Vite 8; Vue Router 5; many dep bumps.
  • Switched to Minitest/fixtures for group export and OAuth controller tests.
v3.0.21 Security relevant
Security fixes
  • CVE-2023-XXXXX – Prevented exposure of secret subgroup names to non-members via reports controller responses
Notable features
  • New template button for creating discussion/poll templates from examples
  • Fewer default discussion templates per group
  • Updated Sense Check poll options
Full changelog

Changes to the Discussion and Poll templates UI. I've had people tell me they couldn't find how to create a template. Now there is a New template button, which opens the example templates page; you can use an example as the starting point for a new template.

Fewer discussion templates in a group by default. Updates to the Sense Check poll options, so they're more helpful.

  • Materialize default discussion templates as DB records by @robguthrie in https://github.com/loomio/loomio/pull/12182
  • Discussion template UI improvements by @robguthrie in https://github.com/loomio/loomio/pull/12181
  • Add opening_at to polls for scheduled voting by @robguthrie in https://github.com/loomio/loomio/pull/12174
  • Poll template updates by @robguthrie in https://github.com/loomio/loomio/pull/12184

This release also addresses a minor security issue, where a member of a group could see the names of secret subgroups they did not belong to, if they inspected the server responses of the reports controller.

v3.0.20 Breaking risk
⚠ Upgrade required
  • Refer to https://github.com/loomio/loomio-deploy/pull/130 for step‑by‑step upgrade instructions
  • Unused containers (loomio_channel_server, separate hocuspocus repo) will remain operational but can be removed after migration
Breaking changes
  • Removed loomio_channel_server (SocketIO server) – real‑time updates now handled by Rails via ActionCable
  • Matrix bot SDK execution moved from loomio_channel_server to the Rails app
  • hocuspocus collaboration server integrated into the main Loomio repository, eliminating a separate service
Notable features
  • Converted HAML view templates to Phlex for Ruby‑only view code
Full changelog

Some fairly substantial changes here, with lots more work in the pipeline too, hold on to your hats!

Convert HAML view templates to Phlex

Using Phlex makes life easier. View code is just Ruby. This makes maintaining all our server generated views so much easier.

Replace SocketIO with ActionCable (remove loomio_channel_server)

I'm on a mission to reduce the complexity of Loomio's architecture.

loomio_channel_server ran a SocketIO server to send realtime updates to connected clients. Now the rails app handles websocket connections directly.

Move hocuspocus server into the main Loomio repository

Another repository removed. We now include the hocuspocus collaboration server within the main Loomio repository.

Handle Matrix bot notifications from Rails app

We no longer use loomio_channel_server to host a matrix_bot_sdk. We do that work from the Rails app now.

Please see this loomio-deploy PR to read how to upgrade your server:
https://github.com/loomio/loomio-deploy/pull/130

The convenient thing about these changes is that even if you don't update your server setup, it will work correctly; you'll just have unused services.

As a result of this, there are two fewer repositories and one fewer container.

The intention is to eventually remove Redis from the system by switching to SolidCache and SolidQueue. Then we'll just have App, Worker, DB, Hocuspocus and Haraka services.

Bugfixes and improvements

v3.0.19 Breaking
Breaking changes
  • Removed ability to set profile picture from SSO provider list on change_picture_form.
Full changelog
  • Removed the ability to set your profile picture from SSO provider list on change_picture_form.
  • Massive rewrite of the rspec test suite to minitest. This drops the runtime from 14 to 3 minutes on Github Actions. Makes a huge difference in local development productivity.

Note: the in-app version still says 3.0.18. I forgot to bump the version in the code before making this release.


About

Stars
2,546
Forks
705
Languages
Ruby Vue JavaScript
