Commit Graph

3278 Commits

Author SHA1 Message Date
novgorodschi catalin e1847bc50b Fix #302
Fix add troops in addUser.php
2026-06-29 11:42:22 +03:00
novgorodschi catalin b213630553 Merge branch 'master' of https://github.com/Shadowss/TravianZ 2026-06-29 10:25:53 +03:00
novgorodschi catalin beb960678f Some fix in admin panel
Some fix in admin Panel
2026-06-29 10:25:45 +03:00
Ferywir 8c1a6ad05b fix(admin): render a proper error page instead of a blank page on denial [#299] (#307)
Issue #299: posting to an admin Mod (eg editBuildings.php) could show an
essentially blank page. The admin panel and the game share the same PHP
session, so a game logout (session_destroy) — or a mobile browser dropping the
session cookie / serving a cached form with a stale token — wipes the admin
session. The Mod then stopped on a bare die('<h1>Access Denied</h1>') (or the
403 die() in csrf_verify()), which renders as a blank/broken page outside the
panel.

Add a shared admin_deny() helper in GameEngine/Admin/csrf.php that renders a
clean, self-contained, styled error page (with a "Return to Admin Panel" link)
and a no-store header, then exits. Wire it into csrf_verify() and replace every
bare "Access Denied" die() across the 42 admin Mods. Each Mod now loads
csrf.php at the top so admin_deny() is available before its first access check.

This is the presentation fix Shadow asked for ("we must receive an error not
blank page"). The deeper root cause (admin and game sharing one PHP session) is
left for a follow-up: giving the admin panel its own session cookie name.

Co-authored-by: Claude Opus 4.8 <noreply@anthropic.com>
2026-06-29 10:25:18 +03:00
novgorodschi catalin 7504045386 Fix #305
Fix Equites Caesaris Academy Level
2026-06-29 10:06:43 +03:00
novgorodschi catalin ba07c83029 Fix img natar
Fix img natar
2026-06-29 09:37:40 +03:00
novgorodschi catalin 9f98acfa5f Fix bug #303
Bug fix: $oasisowned was fetched but never applied — this is the
"time to overflow" timer's own, independent recomputation of the
production rate (used only for display here), and it silently
excluded oasis bonuses entirely. Village::getCropProd()/getWoodProd()
etc. (which actually grow the stored resource in the DB on every
page load via processProduction()) do add a flat 25% per matching
oasis (Village::sortOasis()), so the real stockpile was growing
faster than this timer's denominator assumed — understating the
rate, and therefore overstating the time remaining. Mirrored here
with the same counting + application order (oasis bonus on the raw
field total, then the building bonus below on top of that), so this
rate matches the one actually used to fill the storage.
2026-06-29 09:34:39 +03:00
novgorodschi catalin c6d6582ac7 Temporary fix #293
Temporary fix #293 until we move in en.php
2026-06-29 08:17:26 +03:00
novgorodschi catalin a998edc205 Fix #294 code for brewery
Fix #294 now brewery is fully coded!
2026-06-29 08:02:09 +03:00
novgorodschi catalin b4e54c6ac3 Fix #291
// Bug fix: RemoveXSS() calls htmlspecialchars() (&,<,>,",' -> entities).
        // Every display site for these values ALREADY escapes correctly on output
        // (links.tpl's safeHTML(), and preference.tpl's edit-row value=""), so
        // encoding here too meant a saved "&" was stored as literal "&amp;" text
        // in the DB, then got escaped AGAIN on redisplay — surviving one level of
        // browser entity-decoding as visible "&amp;". Worse, it silently broke
        // any saved link with a real query parameter after the first one (e.g.
        // build.php?gid=16&t=99): the stored value no longer had a real "&"
        // separator there, so "t" was never received as its own GET param.
        // strip_tags() (for name) + mysqli_real_escape_string() (below, for SQL)
        // are sufficient at save time; HTML-escaping belongs only at display time.
2026-06-29 07:49:49 +03:00
novgorodschi catalin 757e0fcc8e Fix #292 gold club addraid/edit raid
Fix gold club -> add raid and edit raid duplicate
2026-06-29 07:48:24 +03:00
novgorodschi catalin bd9a1f886e Fix #296
Fix TREASURY ARTEFACTS AREA SORTING
2026-06-29 07:46:57 +03:00
novgorodschi catalin 5d6562f4b5 Added case for Players attackers
Added case for Players attackers @Ferywir must be added in Translate file please
2026-06-26 13:06:55 +03:00
novgorodschi catalin e1dd434f5b Fix Statistiken & Credits
Fix Statistiken & Credits
2026-06-26 12:42:16 +03:00
novgorodschi catalin 4561a84a2a fix hero regen
fix hero regen
2026-06-26 11:33:47 +03:00
novgorodschi catalin 0dea1068b3 Fix visualisation in report
Fix visualisation in report
2026-06-26 11:14:42 +03:00
novgorodschi catalin 21d50a1bc6 Fix warsim security issue & hero building
Fix warsim security issue & hero building
2026-06-26 09:10:47 +03:00
novgorodschi catalin 0991c5c906 File sysmsg remove
File sysmsg remove, no need anymore is moved into admin panel
2026-06-26 07:43:24 +03:00
Ferywir fa1057d277 Refactor(Technology): de-duplicate unit-summing and tidy getUpkeep() [#219] (#289) 2026-06-26 06:30:38 +03:00
Ferywir 0e13ae23be Refactor(Technology): split trainUnit() into focused helpers [#219] (#288) 2026-06-26 06:29:37 +03:00
Ferywir 082ad85697 Refactor(Technology): make getTrainingList() table-driven [#219] (#287) 2026-06-25 15:45:05 +03:00
novgorodschi catalin 8f204ec4ae Compact checkvacation function
Compact checkvacation function to reduce query
2026-06-25 14:35:04 +03:00
Ferywir 596f007139 Refactor(Units): extract resolveCatapultTargets() from sendTroops() [#219] (#284)
sendTroops() inlined ~65 lines deciding the catapult targets ctar1/ctar2: the
"Rivals great confusion" artefact lookup, the rally-point-level-driven list of
invalid target buildings, the troop/level eligibility rules and the Teuton
Brewery / artefact adjustments. Move that whole block into
resolveCatapultTargets(&$post, $data), which mutates $post['ctar1']/['ctar2'] by
reference exactly as before; sendTroops() now calls it before building the
attack. None of the block's locals were used afterwards. Behaviour-preserving.

Co-authored-by: Claude Opus 4.8 <noreply@anthropic.com>
2026-06-25 13:44:42 +03:00
Ferywir 58469ea024 Refactor(Units): split checkErrors() into focused validators [#219] (#283) 2026-06-25 13:28:47 +03:00
Ferywir db3953d825 Refactor(Units): extract buildHeroStats() to de-duplicate Hero() [#219] (#282)
Both branches of Hero() (single hero when !$all, full list when $all) computed
the same five derived stats (atk/di/dc/ob/db) and assembled a byte-identical
hero stat array from a getHero() entry plus its unit base data. Extract that
into buildHeroStats($hero, $herodata) and call it from both branches.
Behaviour-preserving.

Co-authored-by: Claude Opus 4.8 <noreply@anthropic.com>
2026-06-25 12:43:26 +03:00
Ferywir 1e661b7a03 Refactor(Units): collapse the duplicated procUnits() cases 1-4 [#219] (#281)
Cases 1 to 4 of the procUnits() switch had a byte-identical body (send troops
when the rally-point form is submitted, otherwise load the unit form). Stack the
four case labels and keep a single shared body via switch fall-through.
Behaviour-preserving.

Co-authored-by: Claude Opus 4.8 <noreply@anthropic.com>
2026-06-25 12:37:54 +03:00
Ferywir 06089df64c Refactor(Technology): merge upgradeSword/upgradeArmour into upgradeWeaponOrArmour() [#219] (#280)
upgradeSword() and upgradeArmour() were near-identical: the only differences
were the AB-tech key prefix ('b' vs 'a'), the building type whose level gates
the research (Smithy 12 vs Armoury 13) and the matching bid building data
($bid12 vs $bid13). Merge them into a single upgradeWeaponOrArmour($get, $type)
parameterised by the prefix, deriving the building type from it, and route both
procTechno() cases through it. Resolves the pre-existing //TODO. Behaviour-
preserving.

Co-authored-by: Claude Opus 4.8 <noreply@anthropic.com>
2026-06-25 12:20:26 +03:00
novgorodschi catalin c37e8b23d9 Update version & hall of fame
Update version & hall of fame
2026-06-25 11:07:19 +03:00
novgorodschi catalin fe6ff01396 Fix Some PHP 8+ view error in Build & Credits
Fix Some PHP 8+ view error in Build & Credits

TO DO :  Full audit in build directory
2026-06-25 10:54:58 +03:00
Catalin Novgorodschi 23708a2e54 Fix critic bug typo critic: $refValule
Fix critic bug typo critic: $refValule
2026-06-24 20:24:35 +03:00
Ferywir 49ce36fd99 Refactor(Automation): TO-DO list items 7-9 [#266] (#278) 2026-06-24 18:21:30 +03:00
Ferywir e13586a2d7 fix(market): reject resource sends above the warehouse stock (#277) 2026-06-24 17:25:55 +03:00
Ferywir 045f72a6e8 Refactor(Automation): clean up the Automation.php TO-DO list [#266] (#276) 2026-06-24 17:25:22 +03:00
novgorodschi catalin 13d54b7184 Added some graphics TravianZ
Added some graphics TravianZ
2026-06-24 13:45:05 +03:00
Ferywir e432eeef95 fix(rally-point): show incoming hero column for attacks [#267] (#274) 2026-06-24 06:59:24 +03:00
Ferywir d0479a55ce fix(profile): store profile descriptions raw to stop double-escaping (#273) 2026-06-24 06:51:24 +03:00
Ferywir c0bbf2bfbe fix(admin): escape stored player values in admin templates [#139] (#272) 2026-06-23 22:00:51 +03:00
Ferywir 90c5cdd97c fix(admin): escape reflected filter param in report/msg templates [#139] (#271) 2026-06-23 17:59:00 +03:00
Ferywir 749a55aaf5 fix(admin): escape reflected request params in admin templates [#139] (#270) 2026-06-23 17:37:11 +03:00
Ferywir e17bb3dec6 fix(admin): verify CSRF token in maintenance admin Mods [#139] (#269) 2026-06-23 17:01:20 +03:00
Ferywir 886f421f50 fix(admin): verify CSRF token in server-settings admin Mods [#139] (#268) 2026-06-23 16:12:54 +03:00
novgorodschi catalin c98bcf266b Set white font to view name
Set white font to view name
2026-06-23 14:45:38 +03:00
novgorodschi catalin 31b13873e8 Fix Server Settings in Admin Panel
Fix Server Settings in Admin Panel + fix New function in admin.php
2026-06-23 14:40:23 +03:00
novgorodschi catalin 8d492bebd3 Update some files & remove unused code
Update some files & remove unused code
2026-06-23 13:43:17 +03:00
Ferywir 6472b30bd2 fix(admin): verify CSRF token in message admin Mods [#139] (#264)
sendMessage, massmessage and sysmessage are POSTed to directly, bypassing
admin.php's central csrf_verify(). Add csrf_verify() (after the admin access
check, via the shared GameEngine/Admin/csrf.php) and csrf_field() in their
forms (Newmessage.tpl, massmessage.tpl, sysmessage.tpl; the mass/sys templates
have both a prepare and an execute form).

Co-authored-by: Claude Opus 4.8 <noreply@anthropic.com>
2026-06-23 11:49:32 +03:00
novgorodschi catalin 5f86fdcbf6 Merge branch 'master' of https://github.com/Shadowss/TravianZ 2026-06-23 11:13:05 +03:00
novgorodschi catalin a9be6204db Added TravianZ Logo
Added TravianZ Logo
2026-06-23 11:12:58 +03:00
Ferywir fb225b562f fix(admin): repair broken admin-log variables in medals Mod (#262)
The post-delete admin-log block referenced variables that were never defined
($admid/$adminID/$medalid/$uid), so on PHP 8.1+ (mysqli throws on error) the
malformed INSERT raised an uncaught mysqli_sql_exception → HTTP 500 after the
medal was already deleted. Use the correct ids ($admid from session, $uid from
POST), look up the target player's username (escaped), and redirect to the
sanitized $uid.

Co-authored-by: Claude Opus 4.8 <noreply@anthropic.com>
2026-06-23 11:12:04 +03:00
Ferywir 8a3a67d175 fix(admin): verify CSRF token in alliance/medal admin Mods [#139] (#261)
editAli, delAli, medals, delallymedal, delallymedalbyaid, delallymedalbyweek
and deletemedalbyweek are POSTed to directly, bypassing admin.php's central
csrf_verify(). Add csrf_verify() (after the admin access check, via the shared
GameEngine/Admin/csrf.php) and csrf_field() in their forms (playermedals.tpl,
editAli.tpl, delAli.tpl, delmedal.tpl, allymedals.tpl, delallymedal.tpl).

Co-authored-by: Claude Opus 4.8 <noreply@anthropic.com>
2026-06-23 11:11:32 +03:00
Ferywir e4658f250f fix(admin): route alliance management pages [#139] (#260)
The alliance/editAli/delAli pages are linked all over the admin panel
(?p=alliance&aid=, ?p=editAli, ?p=delAli) but were never in
admin_validated_page()'s whitelist, so admin.php fell back to search.tpl and
the pages never showed. Add them to the whitelist plus switch cases for the
breadcrumb (the templates resolve $aid/$alidata themselves from $_GET, like
editSitter/editPassword).

Co-authored-by: Claude Opus 4.8 <noreply@anthropic.com>
2026-06-23 11:06:03 +03:00