Issue #299: posting to an admin Mod (eg editBuildings.php) could show an
essentially blank page. The admin panel and the game share the same PHP
session, so a game logout (session_destroy) — or a mobile browser dropping the
session cookie / serving a cached form with a stale token — wipes the admin
session. The Mod then stopped on a bare die('<h1>Access Denied</h1>') (or the
403 die() in csrf_verify()), which renders as a blank/broken page outside the
panel.
Add a shared admin_deny() helper in GameEngine/Admin/csrf.php that renders a
clean, self-contained, styled error page (with a "Return to Admin Panel" link)
and a no-store header, then exits. Wire it into csrf_verify() and replace every
bare "Access Denied" die() across the 42 admin Mods. Each Mod now loads
csrf.php at the top so admin_deny() is available before its first access check.
This is the presentation fix Shadow asked for ("we must receive an error not
blank page"). The deeper root cause (admin and game sharing one PHP session) is
left for a follow-up: giving the admin panel its own session cookie name.
Co-authored-by: Claude Opus 4.8 <noreply@anthropic.com>
sendMessage, massmessage and sysmessage are POSTed to directly, bypassing
admin.php's central csrf_verify(). Add csrf_verify() (after the admin access
check, via the shared GameEngine/Admin/csrf.php) and csrf_field() in their
forms (Newmessage.tpl, massmessage.tpl, sysmessage.tpl; the mass/sys templates
have both a prepare and an execute form).
Co-authored-by: Claude Opus 4.8 <noreply@anthropic.com>
The post-delete admin-log block referenced variables that were never defined
($admid/$adminID/$medalid/$uid), so on PHP 8.1+ (mysqli throws on error) the
malformed INSERT raised an uncaught mysqli_sql_exception → HTTP 500 after the
medal was already deleted. Use the correct ids ($admid from session, $uid from
POST), look up the target player's username (escaped), and redirect to the
sanitized $uid.
Co-authored-by: Claude Opus 4.8 <noreply@anthropic.com>
editAli, delAli, medals, delallymedal, delallymedalbyaid, delallymedalbyweek
and deletemedalbyweek are POSTed to directly, bypassing admin.php's central
csrf_verify(). Add csrf_verify() (after the admin access check, via the shared
GameEngine/Admin/csrf.php) and csrf_field() in their forms (playermedals.tpl,
editAli.tpl, delAli.tpl, delmedal.tpl, allymedals.tpl, delallymedal.tpl).
Co-authored-by: Claude Opus 4.8 <noreply@anthropic.com>
editVillageOwner, renameVillage, editBuildings and editResources are POSTed
to directly, bypassing admin.php's central csrf_verify(). Add csrf_verify()
(after the admin access check, via the shared GameEngine/Admin/csrf.php) and
csrf_field() in their forms (editVillage.tpl, village.tpl, editResources.tpl).
Co-authored-by: Claude Opus 4.8 <noreply@anthropic.com>
addTroops and addABTroops are POSTed to directly, bypassing admin.php's
central csrf_verify(). Add csrf_verify() (after the admin access check, via
the shared GameEngine/Admin/csrf.php) and csrf_field() in their forms.
Co-authored-by: Claude Opus 4.8 <noreply@anthropic.com>
Add an admin-controlled debug mode that captures PHP errors of all
players into var/log/debug-players.log, to hunt remaining PHP 8.3 bugs
from real play sessions. Fully transparent to players: no redirect, no
gameplay change, errors are never displayed.
- DB: new debug_log table (one row), mirroring the maintenance pattern.
- Database: getDebugMode()/setDebugMode()/setDebugSettings(), defensive
when the table is absent (no blank page).
- Session: register a custom error + shutdown handler when enabled; the
handler runs even when php.ini error_reporting masks warnings/notices,
so capture is complete without a Docker rebuild. Auto-disables after a
configurable window.
- DebugErrorLogger: size-capped file with a single .log.1 rotation,
honours the @ operator, never throws.
- Admin: new "Debug Error Log" page (levels, size cap, auto-off, on-page
viewer, clear, download) + debugLog action mod.
- Menu: admin-only quick on/off widget (TZ_DEBUG_ON/OFF, EN/FR/RO).
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
The profile already had a language selector (Templates/Profile/preference.tpl)
that saved the choice into users.lang and $_SESSION['lang'], but the saved
preference was never used to actually load the language: every page loads
include("Lang/".LANG.".php") with the server-wide LANG constant, so changing
the language in the profile had no visible effect.
This wires it up:
- Introduce SERVER_LANG (the server default) and make LANG the EFFECTIVE
display language, resolved from the player's saved preference
($_SESSION['lang']) with a fallback to SERVER_LANG
(install/data/constant_format.tpl).
SECURITY: the value is sanitized to [a-z_] and the target Lang/<x>.php
file must exist, otherwise we fall back to the server default. This
prevents Local File Inclusion via include("Lang/".LANG.".php").
- Seed $_SESSION['lang'] from users.lang on login (GameEngine/Session.php,
PopulateVar), so the chosen language applies right after logging in.
- Keep the SERVER default intact when an admin saves settings: the admin
config regenerators and the "Server Settings"/config displays now use
SERVER_LANG (the server default) instead of the per-user LANG, so an
admin browsing in their own language can't accidentally overwrite the
server default (6 Admin/Mods/edit*.php + editServerSet.tpl + config.tpl).
Note: existing installs must also add SERVER_LANG + the LANG resolution to
their generated GameEngine/config.php (and the Admin/Mods/constant_format.tpl
copy) since config is generated at install time.
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
The admin panel had a "Create System Message" page (admin.php?p=sysmessage
-> Admin/Templates/sysmessage.tpl) whose form posts to
GameEngine/Admin/Mods/sysmessage.php, but that backend file never existed,
so submitting returned a 404 (Not Found).
Add the handler implementing the prepare -> confirm -> execute flow used by
the template. On execute it displays a global system message to all players
using the existing mechanism (writes Templates/text.tpl from
text_format.tpl and sets users.ok = 1), same as the legacy sysmsg.php.
%TEKST% is escaped for the PHP double-quoted string context to avoid
breakage/injection.
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
+Added a medal of 10 years of playing in Travian.
Enabled (Disabled) during installation and in the
admin panel.
+If at least one of the new functions is enabled,
a corresponding section appears in the Manual
with a description of all the new functions and
shows which of them is Enabled or Disabled.
+Minor changes
+Added Enable (Disable) of information about the troops of Nature and Natars in the manual
NOTE 1: To play this version of the game, you need to reinstall the server OR you can simply add these lines of code into your file:
GameEngine/config.php
define("NEW_FUNCTIONS_MANUAL_NATURENATARS", false);
GameEngine/Admin/Mods/constant_format.tpl
define("NEW_FUNCTIONS_MANUAL_NATURENATARS", %NEW_FUNCTIONS_MANUAL_NATURENATARS%);
NOTE 2: pay special attention to the fact that these are two different records !!! If the records are entered incorrectly, you will receive a non-working code!
+Added the ability to Enable (Disable) the display of the targets of the catapults in the rally point
+Added the display of the village with a wonder of the world (as is done with the display of artifacts) in the viewing player profiles. Also this function is Enabled (Disable) during installation and in the admin panel.