Discourse Signatures

Am I crazy here or is there no validation on the user input signature image URL at all?
Basically a user can input whatever they want and it will be pushed to other users?

Also, why is the URL signature db size set to 32_000?
Why would anyone need 32000 characters for a URL to an image?

Spooky :ghost:

I modified the css to this in order to hard code a max height and width;

.signature-img {
  max-width: 600px;
  max-height: 100px;
  width: auto;
  height: auto;
  display: block;
  margin: 5px 0;
}

I changed signature URL max size to 250 in plugin.rb

  register_user_custom_field_type("signature_url", :string, max_length: 250)
  register_user_custom_field_type("signature_raw", :string, max_length: 250)

I added this to the bottom of “on(:user_updated) do |user|” in plugin.rb (I won’t be using advanced mode)

    # Validate the URL if not in advanced mode
    if !SiteSetting.signatures_advanced_mode && user.custom_fields["signature_url"]
      url = user.custom_fields["signature_url"]

      # Strict validation: only HTTPS, only certain image file types
      unless url =~ /\Ahttps:\/\/[a-zA-Z0-9.\-\/_]+\.(png|jpe?g|gif|webp)(\?[a-zA-Z0-9=&]+)?\z/
        Rails.logger.warn("[discourse-signatures] Rejected invalid signature_url for user #{user.id}: #{url.inspect}")
        user.custom_fields["signature_url"] = nil
        user.save
      end
    end

If I’m doing anything wrong here (Never worked with Discourse before), please correct it and show me the right way to do it.

1 Like
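
A parser-based variant of the URL check from the post above, as an added example that is not part of the original post or of the plugin: it parses the URL with Ruby's `URI` and checks scheme, host and extension separately, then runs both checks over constructed sample URLs. The helper name, the hostname rule (dotted DNS names only) and the sample URLs are assumptions.

```ruby
require "uri"

# Added example: hypothetical helper, not code from discourse-signatures.
ALLOWED_EXTENSIONS = %w[.png .jpg .jpeg .gif .webp].freeze
MAX_URL_LENGTH = 250 # the cap chosen in the post above
# Assumption: only dotted DNS names are accepted as hosts (no IP literals).
HOSTNAME = /\A(?:[a-z0-9](?:[a-z0-9-]*[a-z0-9])?\.)+[a-z]{2,}\z/i
# Regex from the post above, kept for side-by-side comparison.
POST_REGEX = /\Ahttps:\/\/[a-zA-Z0-9.\-\/_]+\.(png|jpe?g|gif|webp)(\?[a-zA-Z0-9=&]+)?\z/

# Returns nil when the URL is acceptable, otherwise a short rejection reason.
def signature_url_rejection(raw)
  return "not a string" unless raw.is_a?(String)
  return "too long" if raw.length > MAX_URL_LENGTH

  begin
    uri = URI.parse(raw)
  rescue URI::Error
    return "unparseable"
  end

  return "scheme is not https" unless uri.is_a?(URI::HTTPS)
  return "credentials in URL" if uri.userinfo
  return "host is not a DNS name" unless uri.host.to_s.match?(HOSTNAME)
  return "extension not allowed" unless ALLOWED_EXTENSIONS.include?(File.extname(uri.path.to_s).downcase)

  nil
end

# Constructed sample inputs (example.com is a placeholder host).
SAMPLES = [
  "https://example.com/sigs/banner.png",
  "https://example.com/sigs/banner.JPG?v=2",
  "http://example.com/sigs/banner.png",
  "https://example.com/sigs/banner.svg",
  "https:///banner.png",
  "https://" + "a" * 300 + ".example.com/x.png",
].freeze

# Returns [truncated url, accepted by the post's regex?, rejection reason or nil].
def compare(samples = SAMPLES)
  samples.map { |u| [u[0, 40], POST_REGEX.match?(u), signature_url_rejection(u)] }
end

compare.each { |row| puts row.inspect } if __FILE__ == $PROGRAM_NAME
```

An extension allowlist only constrains the URL text; what the remote host actually serves at that URL is outside this check.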

Because 250 is not enough…

This is the whole idea of a signature. Same thing goes for a forum, people input stuff and other people get to see it. Crazy world huh?

5 Likes

After upgrading Discourse to 3.5.0.beta8 (3.5.0.beta9-dev is also a problem), users who edit their signature cannot save it (it shows as saved but does not take effect); it is still normal on 3.5.0.beta7. I hope this is fixed soon, as many plugins from beta7 to beta8 are built-in.

2 Likes

We have a specific use case for signatures and I’m wondering if it would be relatively easy to make some changes.

  1. I agree that I’d like to see sigs for only specific groups in the UI, I’m not good with CSS.
  2. We are using our Discourse as both a community, and as a support ticket system. Is there any way that we could get a setting to “Only display signatures in X categories.”

We really only need them in our support section where most of our interactions are done via e-mail.

3 Likes

4 posts were split to a new topic: Feature request: include sig in email notifications

Anyone good with css know how to:

  1. Limit the ability to have a signature to only specific group(s)?

  2. Limit the max image size and text size for the signature to keep it less spammy

I believe you can use this:

You can right-click > Inspect to get an id/class of an element to hide with display:none. I’m afraid I’m on my phone now so I can’t check the classes/ids :sweat_smile: .

Hey guys.

Is this plugin still available?

I can’t seem to find it …

It’s not included-in-core , so you’d need to install it separately.

Thanks. I’m horrible with figuring that stuff out. No idea how I would even do this. Should be a setting. So much easier. No idea why any group would want to allow signatures for all. Also wish there was an option to hide the “Enable Signatures - See user signatures below posts” setting.

Should also be an option to limit character count in a text signature and limit image size for a banner sig.

Wish I knew css lol

Ok, for those who want to really make their signatures work better for their group (especially if you want to use the options to have a signature as part of a paid upgrade/subscription), here is code (and reasoning behind it) that I think makes it way better, and can help you drive more upgrades. Took me a ton of tries, but it’s working. Pay attention to where you need to replace “XXXXX” parts.

I wanted to accomplish the following 2 things:

A) I wanted to disable the ability to NOT view signatures. This means that those users who do upgrade know that their signature will be seen by everyone.

B) I wanted ONLY a certain group to have the ability to create a signature.

  1. Go to Admin > Appearance > Themes & components > Components > Install > Create new

  2. Add this code to the <head> tab:

<script>
// Wait for the basic page structure to load first
document.addEventListener("DOMContentLoaded", function() {
    
    // Set up the watcher
    const observer = new MutationObserver(function(mutations) {
        // Find all control labels on the page
        const labels = document.querySelectorAll('label.control-label');
        
        labels.forEach(label => {
            // Look for the specific Signatures label
            if (label.textContent.trim() === 'Enable Signatures') {
                // Find the main container holding both the label and the checkbox and hide it
                const controlGroup = label.closest('.control-group') || label.parentElement;
                if (controlGroup) {
                    controlGroup.style.display = 'none';
                }
            }
        });
    });

    // NOW start watching the body, since we know it exists
    observer.observe(document.body, { childList: true, subtree: true });
});
</script>

  3. Add this code to the css tab (replace XXXXX with your group name):

/* Hide the signature section for everyone */
.user-preferences .control-group.signatures,
.user-preferences .signature-preferences,
.user-preferences div[data-setting-name="user_card_badge"] + .control-group {
    display: none !important;
}

/* Only show it if the 'user-is-XXXXX' class is present on the body */
body.user-is-XXXXX .user-preferences .control-group.signatures,
body.user-is-XXXXX .user-preferences .signature-preferences,
body.user-is-XXXXX .user-preferences div[data-setting-name="user_card_badge"] + .control-group {
    display: block !important;
}

  4. Add this code to the <head> tag below the first block above (replace XXXXX with your group name):

<script>
(function() {
  const checkAccess = () => {
    // Discourse stores the current user's groups in this global object
    const user = window.Discourse && window.Discourse.User && window.Discourse.User.current();
    
    if (user && user.groups) {
      // Check if any group name matches "XXXXX"
      const isXXXXX = user.groups.some(g => g.name === 'XXXXX');
      
      if (isXXXXX) {
        document.body.classList.add('user-is-XXXXX');
      }
    }
  };

  // Run immediately
  checkAccess();

  // Run whenever the user navigates between pages
  document.addEventListener('discourse-ready', checkAccess);
  
  // Backup: Run again after 1 second to catch slow loads
  setTimeout(checkAccess, 1000);
})();
</script>

  5. Add this code to the css tab below the first block above (replace XXXXX with your group name):

/* Hide the signature section for everyone */
.user-preferences .control-group.signatures,
.user-preferences .signature-preferences,
.user-preferences div[data-setting-name="user_card_badge"] + .control-group {
    display: none !important;
}

/* Only show it if the 'user-is-XXXXX' class is present on the body */
body.user-is-XXXXX .user-preferences .control-group.signatures,
body.user-is-XXXXX .user-preferences .signature-preferences,
body.user-is-XXXXX .user-preferences div[data-setting-name="user_card_badge"] + .control-group {
    display: block !important;
}

Done.

I am not a developer. All I know is this is working 100% on my site.

Also, to the plugin author – would LOVE the ability to limit the signature character count. I tried so many things but nothing worked.

1 Like

I added the most requested features to the plugin in a branch

If y’all can give this branch a run and give feedback I can merge it next week.

3 Likes

Regarding the upgrade if it’s next week, how would this be done? :slight_smile:

How do we test this? Sorry for the noob question. Would prefer this over what I came up with above. Also, would it be possible to add an option to toggle off image signatures and only allow text-based ones? Thank you!

Hi Long! Are you self-hosting your Discourse site? If so, you can install the plugin using the instructions linked in the first post.

Personally I’d recommend waiting until Falco’s branch is finalized and merged.

Yes, self hosting. I have the plugin installed. Once that branch is finalized and merged it will auto update? Thanks!

1 Like

You change your plugin line on the app.yml to be like this

- sudo -E -u discourse git clone -b feature/group-category-restrictions git@github.com:discourse/discourse-signatures.git

Thank you. I will wait for the updated plugin. I’m less likely to mess that up :rofl:

This might be a dumb question, but when update is merged does the plugin automatically update and we will see the new options in the settings?

No, I believe you’ll need to update it manually.

2 Likes