Commit Graph

230 Commits

Author SHA1 Message Date
novgorodschi catalin 0edb95203d Added Milestone On Install
Added Milestone On Install
2026-07-01 11:05:44 +03:00
novgorodschi catalin 3af041df8c Fix issue #320
Fix issue #320 - now you can delete village
2026-06-30 14:29:13 +03:00
Ferywir 12badfa84b fix(troops): apply Tournament Square bonus only beyond the threshold [#304] (#317)
procDistanceTime() multiplied the whole travel distance by the Tournament
Square speed factor as soon as the distance reached TS_THRESHOLD. That
made the trip time jump down at the threshold, so a target just past it
arrived dramatically sooner than a nearer one (e.g. a village 41 tiles
away raided faster than one 18 tiles away).

In T3.6 the Tournament Square only speeds up the part of the journey
beyond the threshold: the first TS_THRESHOLD tiles are walked at base
speed and the remainder at the boosted speed. Split the computation
accordingly so travel time stays monotonic with distance while still
rewarding a high-level square.

This is a long-standing bug, unrelated to the Generator refactor (which
only reformatted the same whole-distance multiplication). The same fix is
applied to the duplicate procDistanceTime() in Admin/database.php used by
the admin troop-return helper.

Co-authored-by: Claude Opus 4.8 <noreply@anthropic.com>
2026-06-30 09:01:16 +03:00
novgorodschi catalin 2fc35729b4 Fix admin log addVillage
Fix admin log addVillage
2026-06-30 08:21:55 +03:00
novgorodschi catalin e1847bc50b Fix #302
Fix add troops in addUser.php
2026-06-29 11:42:22 +03:00
Ferywir 8c1a6ad05b fix(admin): render a proper error page instead of a blank page on denial [#299] (#307)
Issue #299: posting to an admin Mod (e.g. editBuildings.php) could show an
essentially blank page. The admin panel and the game share the same PHP
session, so a game logout (session_destroy) — or a mobile browser dropping the
session cookie / serving a cached form with a stale token — wipes the admin
session. The Mod then stopped on a bare die('<h1>Access Denied</h1>') (or the
403 die() in csrf_verify()), which renders as a blank/broken page outside the
panel.

Add a shared admin_deny() helper in GameEngine/Admin/csrf.php that renders a
clean, self-contained, styled error page (with a "Return to Admin Panel" link)
and a no-store header, then exits. Wire it into csrf_verify() and replace every
bare "Access Denied" die() across the 42 admin Mods. Each Mod now loads
csrf.php at the top so admin_deny() is available before its first access check.

This is the presentation fix Shadow asked for ("we must receive an error not
blank page"). The deeper root cause (admin and game sharing one PHP session) is
left for a follow-up: giving the admin panel its own session cookie name.

Co-authored-by: Claude Opus 4.8 <noreply@anthropic.com>
2026-06-29 10:25:18 +03:00
Ferywir d0479a55ce fix(profile): store profile descriptions raw to stop double-escaping (#273) 2026-06-24 06:51:24 +03:00
Ferywir e17bb3dec6 fix(admin): verify CSRF token in maintenance admin Mods [#139] (#269) 2026-06-23 17:01:20 +03:00
Ferywir 886f421f50 fix(admin): verify CSRF token in server-settings admin Mods [#139] (#268) 2026-06-23 16:12:54 +03:00
Ferywir 6472b30bd2 fix(admin): verify CSRF token in message admin Mods [#139] (#264)
sendMessage, massmessage and sysmessage are POSTed to directly, bypassing
admin.php's central csrf_verify(). Add csrf_verify() (after the admin access
check, via the shared GameEngine/Admin/csrf.php) and csrf_field() in their
forms (Newmessage.tpl, massmessage.tpl, sysmessage.tpl; the mass/sys templates
have both a prepare and an execute form).

Co-authored-by: Claude Opus 4.8 <noreply@anthropic.com>
2026-06-23 11:49:32 +03:00
Ferywir fb225b562f fix(admin): repair broken admin-log variables in medals Mod (#262)
The post-delete admin-log block referenced variables that were never defined
($admid/$adminID/$medalid/$uid), so on PHP 8.1+ (mysqli throws on error) the
malformed INSERT raised an uncaught mysqli_sql_exception → HTTP 500 after the
medal was already deleted. Use the correct ids ($admid from session, $uid from
POST), look up the target player's username (escaped), and redirect to the
sanitized $uid.

Co-authored-by: Claude Opus 4.8 <noreply@anthropic.com>
2026-06-23 11:12:04 +03:00
Ferywir 8a3a67d175 fix(admin): verify CSRF token in alliance/medal admin Mods [#139] (#261)
editAli, delAli, medals, delallymedal, delallymedalbyaid, delallymedalbyweek
and deletemedalbyweek are POSTed to directly, bypassing admin.php's central
csrf_verify(). Add csrf_verify() (after the admin access check, via the shared
GameEngine/Admin/csrf.php) and csrf_field() in their forms (playermedals.tpl,
editAli.tpl, delAli.tpl, delmedal.tpl, allymedals.tpl, delallymedal.tpl).

Co-authored-by: Claude Opus 4.8 <noreply@anthropic.com>
2026-06-23 11:11:32 +03:00
Ferywir ca991408c1 fix(admin): verify CSRF token in village admin Mods [#139] (#259)
editVillageOwner, renameVillage, editBuildings and editResources are POSTed
to directly, bypassing admin.php's central csrf_verify(). Add csrf_verify()
(after the admin access check, via the shared GameEngine/Admin/csrf.php) and
csrf_field() in their forms (editVillage.tpl, village.tpl, editResources.tpl).

Co-authored-by: Claude Opus 4.8 <noreply@anthropic.com>
2026-06-23 10:31:08 +03:00
Ferywir 8d1a1cab38 fix(admin): verify CSRF token in troop admin Mods [#139] (#258)
addTroops and addABTroops are POSTed to directly, bypassing admin.php's
central csrf_verify(). Add csrf_verify() (after the admin access check, via
the shared GameEngine/Admin/csrf.php) and csrf_field() in their forms.

Co-authored-by: Claude Opus 4.8 <noreply@anthropic.com>
2026-06-23 08:43:18 +03:00
Ferywir b880622fd1 fix(admin): route password/protection pages and align username validation (#257) 2026-06-23 06:55:13 +03:00
Ferywir e49069a9c6 fix(admin): verify CSRF token in player-management admin Mods [#139] (#256) 2026-06-23 06:54:03 +03:00
Ferywir 6888a09b5f fix(admin): let editPlus subtract Plus/bonus days as the form advertises (#254) 2026-06-22 18:41:28 +03:00
Ferywir 6e79c47951 fix(admin): verify CSRF token in Plus/Gold admin Mods [#139] (#253) 2026-06-22 18:40:43 +03:00
novgorodschi catalin b9d36ba311 Fix also in admin panel removexss
Fix also in admin panel removexss
2026-06-22 12:40:07 +03:00
Ferywir b7e943ea90 fix(admin): wire CSRF token into admin.php-routed forms [#139] (#244) 2026-06-20 06:44:12 +03:00
Ferywir 1a797bab80 fix(admin): prevent SQL injection in editAccess Mod [#139] (#241) 2026-06-19 13:30:25 +03:00
Ferywir 9c726a05b9 fix(admin): re-check admin rank in addUsers Mod (defense-in-depth) [#139] (#240) 2026-06-18 19:09:02 +03:00
Ferywir 827354a622 feat(admin): add transparent debug error-log mode
Add an admin-controlled debug mode that captures PHP errors of all
players into var/log/debug-players.log, to hunt remaining PHP 8.3 bugs
from real play sessions. Fully transparent to players: no redirect, no
gameplay change, errors are never displayed.

- DB: new debug_log table (one row), mirroring the maintenance pattern.
- Database: getDebugMode()/setDebugMode()/setDebugSettings(), defensive
  when the table is absent (no blank page).
- Session: register a custom error + shutdown handler when enabled; the
  handler runs even when php.ini error_reporting masks warnings/notices,
  so capture is complete without a Docker rebuild. Auto-disables after a
  configurable window.
- DebugErrorLogger: size-capped file with a single .log.1 rotation,
  honours the @ operator, never throws.
- Admin: new "Debug Error Log" page (levels, size cap, auto-off, on-page
  viewer, clear, download) + debugLog action mod.
- Menu: admin-only quick on/off widget (TZ_DEBUG_ON/OFF, EN/FR/RO).

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
2026-06-12 17:18:39 +03:00
Ferywir 20804d9182 feat: IP ban support (#185) (#188) 2026-06-09 15:15:27 +03:00
Catalin Novgorodschi fabe77e3b8 Update delAli.php fix 2026-06-09 11:06:32 +03:00
Catalin Novgorodschi 695a4352e8 Fix delAli.php blank page
Fix del ali blank page
2026-06-09 08:07:23 +03:00
Catalin Novgorodschi 00de16b2ec Code backend for delete user
Code backend for delete user
2026-06-09 08:05:40 +03:00
novgorodschi catalin 524a352946 Fix forgot for editBuildings name
Fix forgot for editBuildings name
2026-06-05 13:10:59 +03:00
novgorodschi catalin efbb2bc89a Fix lang server set
Fix lang server set
2026-06-04 13:19:10 +03:00
Catalin Novgorodschi 28ddc72c01 Merge pull request #175 from Ferywir/feat/per-user-language
Add per-user language selection (closes #166)
2026-06-04 13:15:24 +03:00
novgorodschi catalin 1a4014218c Fix something broken
Fix something broken
2026-06-04 12:35:53 +03:00
TravianZ Patcher 421915f774 Add per-user language selection (issue #166)
The profile already had a language selector (Templates/Profile/preference.tpl)
that saved the choice into users.lang and $_SESSION['lang'], but the saved
preference was never used to actually load the language: every page loads
include("Lang/".LANG.".php") with the server-wide LANG constant, so changing
the language in the profile had no visible effect.

This wires it up:

- Introduce SERVER_LANG (the server default) and make LANG the EFFECTIVE
  display language, resolved from the player's saved preference
  ($_SESSION['lang']) with a fallback to SERVER_LANG
  (install/data/constant_format.tpl).
  SECURITY: the value is sanitized to [a-z_] and the target Lang/<x>.php
  file must exist, otherwise we fall back to the server default. This
  prevents Local File Inclusion via include("Lang/".LANG.".php").

- Seed $_SESSION['lang'] from users.lang on login (GameEngine/Session.php,
  PopulateVar), so the chosen language applies right after logging in.

- Keep the SERVER default intact when an admin saves settings: the admin
  config regenerators and the "Server Settings"/config displays now use
  SERVER_LANG (the server default) instead of the per-user LANG, so an
  admin browsing in their own language can't accidentally overwrite the
  server default (6 Admin/Mods/edit*.php + editServerSet.tpl + config.tpl).

Note: existing installs must also add SERVER_LANG + the LANG resolution to
their generated GameEngine/config.php (and the Admin/Mods/constant_format.tpl
copy) since config is generated at install time.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
2026-06-04 09:07:57 +02:00
TravianZ Patcher 903c4a3285 Add missing handler for admin "Create System Message"
The admin panel had a "Create System Message" page (admin.php?p=sysmessage
-> Admin/Templates/sysmessage.tpl) whose form posts to
GameEngine/Admin/Mods/sysmessage.php, but that backend file never existed,
so submitting returned a 404 (Not Found).

Add the handler implementing the prepare -> confirm -> execute flow used by
the template. On execute it displays a global system message to all players
using the existing mechanism (writes Templates/text.tpl from
text_format.tpl and sets users.ok = 1), same as the legacy sysmsg.php.
%TEKST% is escaped for the PHP double-quoted string context to avoid
breakage/injection.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
2026-06-04 07:34:57 +02:00
novgorodschi catalin b495dcb559 Some fix
Some fix
2026-06-02 12:58:20 +03:00
novgorodschi catalin 547e164143 Edit some access for MH user and recreate mass message
Edit some access for MH user and recreate mass message and new maintenance system view for admins
2026-06-02 10:59:35 +03:00
novgorodschi catalin 2eaa92fc03 Fix gold log script
Fix gold log script
2026-06-02 08:10:46 +03:00
novgorodschi catalin dbe20c49b5 Some last fix for logs! 2026-05-28 13:22:27 +03:00
novgorodschi catalin 1b119d2a35 Fix special medals
Fix special medals
2026-05-26 14:42:19 +03:00
novgorodschi catalin 24fb80371d Fix special medal system
Fix special medal system
2026-05-26 12:34:50 +03:00
novgorodschi catalin 8c3ab3e5eb Fix some bugs + added (coded delAli)
Fix some bugs + added (coded delAli)
2026-05-25 12:37:33 +03:00
novgorodschi catalin a4e2c506a8 Redesign Admin Panel
Full frontend & backend redesign and refactor
2026-05-25 10:23:39 +03:00
novgorodschi catalin 3fa16f13b2 Full Refactor Admin Panel & Logs
Full Refactor Admin Panel & Logs (now you can see detailed logs in admin panel) - ONLY BACKEND
2026-05-22 11:29:37 +03:00
novgorodschi catalin 05bfde9063 Remove some unused code and some fix
Remove some unused code and some fix
2026-05-21 13:12:21 +03:00
novgorodschi catalin 878ecec687 Added Account transactions with History
Added Account transactions with History
2026-05-21 11:23:45 +03:00
Catalin Novgorodschi 1dde2599f3 fix addUsers.tpl 2025-10-23 09:59:39 +03:00
Catalin Novgorodschi 4a387bac0c @lietuvis10 fix for addUser
@lietuvis10 fix for addUser
2025-10-23 09:54:41 +03:00
Catalin Novgorodschi 59c1114b1c Change some text on license TravianZ 2025-02-11 11:22:22 +02:00
221V 18571d70b1 fix sql export-import - use html entities 2025-02-06 21:00:09 +02:00
nixpc e39ca488a9 Fix CVE-2023-36995 2023-07-06 23:02:00 +02:00
Shadow 4c68d8dd39 Update to version 8.3.5
Many Fixes
2022-02-18 13:56:17 +02:00