addTroops and addABTroops are POSTed to directly, bypassing admin.php's
central csrf_verify(). Add csrf_verify() (after the admin access check, via
the shared GameEngine/Admin/csrf.php) and csrf_field() in their forms.
Co-authored-by: Claude Opus 4.8 <noreply@anthropic.com>
Extract the per-branch defender target resolution and battle-environment
setup into two private helpers: resolveVillageTarget() and
resolveOasisTarget(). Each returns the target owner (tribe/alliance), map
info, conquest flag and the battle parameters (wall, armory/blacksmith
tech, residence, siege masonry); the village helper also returns the
evasion inputs. Both are read-only (no DB writes).
The foreach body keeps handleEvasion(), buildDefenderUnits() and
buildAttackerUnits() as explicit, ordered calls, so the village and oasis
branches are now symmetric orchestration.
Behaviour-preserving. The building/tech reads now run inside the helper
before handleEvasion(); they read buildings and technology only (never the
troops handleEvasion() may move), so the result is unchanged. A few
dead locals are dropped (playerunit, wallgid, w; the redundant
DefenderUnit/def_ab re-inits).
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Extract the per-attack, target-independent context resolution (attacker
village/owner tribe and alliance, war references, base flags) into a
private helper. Read-only, behaviour-preserving: the three repeated
getCachedUser() lookups on the attacker owner are collapsed into one
(the user cache makes them idempotent).
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
The defender's units were gathered by two near-identical inline blocks
(village and oasis targets). Extract them into a single private method
buildDefenderUnits() returning the defender's own troops (normalised to
non-negative ints), the aggregated reinforcement totals (enforDefender) and
the raw reinforcement rows (enforcementarray).
Pure behaviour-preserving extraction:
- Both call sites assign the returned bundle; all downstream usages unchanged.
- The oasis reinforcement aggregation now uses the same isset-guarded loop as
the village one: identical numeric result, minus a latent PHP 8.3
"undefined array key" notice.
- The dead `$def_ab[$i] = 0` init that lived in the village normalisation loop
is dropped: it was unconditionally wiped by the later `$def_ab = []` before
any use.
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
The attacking army was built by two near-identical inline blocks (village
and oasis targets). Extract them into a single private method
buildAttackerUnits() that returns the Attacker unit array (u<start..end> +
uhero) together with the catapult / ram / chief / scout unit ids used in the
report. The oasis target keeps its Nature siege/chief slots (37/38/39) via
the $isoasis flag.
Pure behaviour-preserving extraction: both call sites now assign the returned
bundle, so all downstream usages remain unchanged. The unit-id picks are
initialised to null (they are always set for the real attacker tribes 1/2/3/5;
only the unreachable Nature-attacker case differs, which silences a latent
PHP 8.3 undefined-variable notice).
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Move the ram-damage handling out of sendunitsComplete() into a dedicated
private method applyRamDamage(). For a normal attack (type 3) with rams, it
computes the new wall level, updates it in the database (recounting the
village population when the wall is destroyed), builds the report fragment,
and recalculates the battle when the wall level changed.
Pure behaviour-preserving extraction: the battle-recalc context is passed in
a single $ctx array; the call site keeps the t7 guard and assigns the
returned battlepart / info_ram, so all downstream usages remain unchanged.
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Move the trapper resolution block out of sendunitsComplete() into a
dedicated private method calculateTrappedUnits(). It computes how many
incoming attacker units are caught in the defender's traps (Gaul trapper
or Natar capital), updates the trap counters and the prisoners table, and
subtracts the trapped troops from the attacking army.
Pure behaviour-preserving extraction: the inline `${'traped'.$i}`
variables are rehydrated at the call site from the returned bundle, so all
downstream usages remain unchanged.
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Move the attacker/defender total-population computation (and the two
getProfileVillages() lookups that feed it) out of the per-attack loop into a
dedicated private method. Behaviour-preserving: the method takes the initial
$defpop/$attpop (0 for villages, 500 for the oasis branch) and accumulates onto
them exactly as before, and returns the village lists ($varray/$varray1) used
later for the can-destroy check and handleConquest().
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Follow-up to the unit/tribe rename: a few strings still used the old names.
- MANUAL_UDESC_11: "Les Massues" -> "Les Combattants au gourdin" (U11),
so the in-game manual description matches the unit name.
- TZ_MACEMAN: "Massue" -> "Combattant au gourdin" (used as the U11 label in
the alliance forum troop picker).
- Conquest help text: the loyalty-reduction units listed "COMMANDANTS, CHEFS"
(old Teuton name) -> "CHEFS, CHEFS DE TRIBU", matching Senator/Chief/
Chieftain (Romain/Germain/Gaulois) like the English version.
- Wonder-of-the-World lore: anglicism "Natarian" -> "natarien/natarienne"
(empire natarien, capitale natarienne, menace natarienne), consistent with
the Natar unit names.
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
- Tribe 2 renamed Teutons -> Germains (the French name for this tribe),
including all manual/tooltip/description texts and adjective forms
(heros germain, armee germaine, troupes germaines).
- Teuton units: Massueur -> Combattant au gourdin (U11),
Hallebardier -> Combattant a la lance (U12),
Chevalier teutonique -> Cavalier teuton (U16), Commandant -> Chef (U19).
- Roman units: Imperial -> Imperian (U3) and official Latin cavalry names
Equites Legati/Imperatoris/Caesaris (U4-U6).
- Gaul units: Foudre de Teutates -> Teutates accent (U24),
Haeduen -> Hedui (U26).
- Natar units: anglicism natarian -> natarien (U46/U49/U50) and
"artefact natarian" -> "artefact natarien" in building descriptions.
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Extract the pre-casualty defender report block into a new private method
collectReinforcementReport(): reset and rebuild the reinforcement unit totals
($DefenderEnf) and per-tribe hero totals from a fresh re-select, fold
reinforcement heroes into the defender's hero count, build the "units sent"
report rows (own troops + reinforcements and their masked variants), and
(re)initialise the per-tribe dead-hero accumulator. The bundle is returned to
the caller and the defender's folded hero count is reassigned at the call site.
Pure behaviour-preserving extraction. Method name matches the maintainer's
roadmap for #155.
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Extract the "kill other defence in village" block (reinforcement casualties)
into a new private method applyReinforcementCasualties(): compute each
reinforcement's dead units/hero, persist them (modifyEnforce), notify the
reinforcing players, and delete fully-wiped reinforcements. Dead counts are
accumulated into $alldead and dead heroes into $DefenderHeroesDeadArray (both
passed by reference); the tribe-presence flags (rom/ger/gal/nat/natar) are
returned to the caller.
Pure behaviour-preserving extraction. Also drops two dead recomputations of
$totalsend_att/$totaldead_att that sat inside the loop and were immediately
overwritten right after it.
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Move the in-village defender casualty handling (kill ratio applied to the
defender's own troops + hero, persisted via modifyUnit) out of the giant
sendunitsComplete() loop into a dedicated private method returning the
$owndead map. Pure behaviour-preserving extraction; also drops a dead $u
variable that was assigned but never read.
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
On some servers the NPC ("merchant") distribution screen could lock on
"Rest: NaN", hiding the trade button and making the NPC unusable. The "Rest"
value never returned to 0, so the player could not complete the trade.
Two layers of hardening:
* Client (Templates/Build/17_3.tpl):
- add a safe npcDiv() helper (returns 0 on a 0 divisor or non-finite value)
and route every division in portionOut() through it, so Infinity/NaN can no
longer leak into the inputs;
- in calculateRest(), coerce "Rest"/overall to a finite value (fall back to
the total when org4 cannot be parsed) so the submit button can always
reappear once the distribution is balanced;
- coerce each resource, $totalRes, $maxstore and $maxcrop to a valid,
non-negative integer before they reach the page/JS, so a resource computed
as NaN/INF cannot poison org4/summe in the first place.
* Server (Market::tradeResource): clamp each requested amount to [0, maxstore]
(crop to maxcrop) before persisting, so a forged or corrupted POST can no
longer write out-of-range resources.
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Add an admin-controlled debug mode that captures PHP errors of all
players into var/log/debug-players.log, to hunt remaining PHP 8.3 bugs
from real play sessions. Fully transparent to players: no redirect, no
gameplay change, errors are never displayed.
- DB: new debug_log table (one row), mirroring the maintenance pattern.
- Database: getDebugMode()/setDebugMode()/setDebugSettings(), defensive
when the table is absent (no blank page).
- Session: register a custom error + shutdown handler when enabled; the
handler runs even when php.ini error_reporting masks warnings/notices,
so capture is complete without a Docker rebuild. Auto-disables after a
configurable window.
- DebugErrorLogger: size-capped file with a single .log.1 rotation,
honours the @ operator, never throws.
- Admin: new "Debug Error Log" page (levels, size cap, auto-off, on-page
viewer, clear, download) + debugLog action mod.
- Menu: admin-only quick on/off widget (TZ_DEBUG_ON/OFF, EN/FR/RO).
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Implement the "Time Preference" section of the player preferences (issue
#198), which until now was stored in DB but never applied in-game.
procMtime() — the central date/time formatter used across reports, messages,
notices and troop movements — now honours the per-user settings:
- timezone: the stored value is mapped to a DateTimeZone, either a named
DST-aware region (Europe, UK, Turkey, Kolkata, Bangkok, New York,
Chicago, New Zealand) or a fixed UTC offset (general zones); timestamps
are converted before formatting.
- tformat: drives the date layout and 12h/24h clock (0=EU dd.mm.yy 24h,
1=US mm/dd/yy 12h, 2=UK dd/mm/yy 12h, 3=ISO yy/mm/dd 24h). tformat 0
keeps the previous EU output unchanged.
The today/yesterday sentinels are preserved (callers compare them) and are
computed in the player's timezone. The time-only path (mode 9) stays 24h
H:i:s because it feeds the live JS clock counters (unx.js), which parse
"H:i:s" by splitting on ":". A few alliance/report/farm-list rows that
combined procMtime's day part with a raw date('H:i') now take the time from
the same procMtime result, to avoid mixing timezones.
A second "local time" clock is shown next to the server-time one: a small
vanilla-JS snippet emitted once from menu.tpl finds the visible #tp1 clock
and appends a row ticking in the player's timezone (Date.now() + UTC offset),
independent of the browser timezone and of the unx.js counters. It aligns the
value under the server time, is skipped when the player's timezone matches
the server's, and lets the clock box grow so the extra row fits the frame.
Adds the LOCAL_TIME string (EN/FR/RO). When no player session is available
(admin / pre-login) procMtime falls back to the server timezone and EU
layout, i.e. the previous behaviour. Removes the last "not coded yet" tag
from the preferences form.
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
The #155 refactor that extracted buildCombatReport() turned one comma
into a literal dot in the non-scout data2 string:
...$info_chief.'.'.(isset($info_spy) ? ... // was ','
That dropped one CSV field, shifting every following field left by one
(hero troops t11, casualties, prisoners 182-192) and injecting a stray
"." into a numeric cell. Visible attack reports rendered with misplaced
hero/prisoner data, and the shifted text in the prisoner slots is what
made Templates/Notice/1.tpl array_sum() warn under PHP 8.
Restore the comma so the layout matches what the report template
(Notice/1.tpl) and the pre-refactor code expect. Reports stored before
this fix keep their corrupted string; the int-cast guard added in the
previous commit keeps them from re-emitting the warning.
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
PHP 8.x turned several long-standing implicit accesses into runtime
warnings that flooded the error log during attacks and report viewing:
- Battle.report (Templates/Notice/1.tpl): the prisoner check ran
array_sum() over slots that may hold non-numeric text (the
"Information" line can shift indices), raising
"Addition is not supported on type string". Sum int-cast values.
- Database::getUnitsNumber(): movement/reinforcement arrays can be null
or miss tribe-specific unit keys, raising "Undefined array key" and
"Trying to access array offset on null". Null-coalesce to 0.
- Automation (combat resolver): $scout was only defined for scouting
attacks (type 1) yet always passed to buildCombatReport(), raising
"Undefined variable $scout". Initialize it for every attack type.
- Automation: the destroy-village check read $to['natar'] which is not
always set, raising "Undefined array key". Use empty().
Pure null-safety / behaviour-preserving changes; no gameplay logic
altered.
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Ferywir