Issue #299: posting to an admin Mod (eg editBuildings.php) could show an
essentially blank page. The admin panel and the game share the same PHP
session, so a game logout (session_destroy) — or a mobile browser dropping the
session cookie / serving a cached form with a stale token — wipes the admin
session. The Mod then stopped on a bare die('<h1>Access Denied</h1>') (or the
403 die() in csrf_verify()), which renders as a blank/broken page outside the
panel.
Add a shared admin_deny() helper in GameEngine/Admin/csrf.php that renders a
clean, self-contained, styled error page (with a "Return to Admin Panel" link)
and a no-store header, then exits. Wire it into csrf_verify() and replace every
bare "Access Denied" die() across the 42 admin Mods. Each Mod now loads
csrf.php at the top so admin_deny() is available before its first access check.
This is the presentation fix Shadow asked for ("we must receive an error not
blank page"). The deeper root cause (admin and game sharing one PHP session) is
left for a follow-up: giving the admin panel its own session cookie name.
Co-authored-by: Claude Opus 4.8 <noreply@anthropic.com>
sendMessage, massmessage and sysmessage are POSTed to directly, bypassing
admin.php's central csrf_verify(). Add csrf_verify() (after the admin access
check, via the shared GameEngine/Admin/csrf.php) and csrf_field() in their
forms (Newmessage.tpl, massmessage.tpl, sysmessage.tpl; the mass/sys templates
have both a prepare and an execute form).
Co-authored-by: Claude Opus 4.8 <noreply@anthropic.com>
The post-delete admin-log block referenced variables that were never defined
($admid/$adminID/$medalid/$uid), so on PHP 8.1+ (mysqli throws on error) the
malformed INSERT raised an uncaught mysqli_sql_exception → HTTP 500 after the
medal was already deleted. Use the correct ids ($admid from session, $uid from
POST), look up the target player's username (escaped), and redirect to the
sanitized $uid.
Co-authored-by: Claude Opus 4.8 <noreply@anthropic.com>
editAli, delAli, medals, delallymedal, delallymedalbyaid, delallymedalbyweek
and deletemedalbyweek are POSTed to directly, bypassing admin.php's central
csrf_verify(). Add csrf_verify() (after the admin access check, via the shared
GameEngine/Admin/csrf.php) and csrf_field() in their forms (playermedals.tpl,
editAli.tpl, delAli.tpl, delmedal.tpl, allymedals.tpl, delallymedal.tpl).
Co-authored-by: Claude Opus 4.8 <noreply@anthropic.com>
editVillageOwner, renameVillage, editBuildings and editResources are POSTed
to directly, bypassing admin.php's central csrf_verify(). Add csrf_verify()
(after the admin access check, via the shared GameEngine/Admin/csrf.php) and
csrf_field() in their forms (editVillage.tpl, village.tpl, editResources.tpl).
Co-authored-by: Claude Opus 4.8 <noreply@anthropic.com>
addTroops and addABTroops are POSTed to directly, bypassing admin.php's
central csrf_verify(). Add csrf_verify() (after the admin access check, via
the shared GameEngine/Admin/csrf.php) and csrf_field() in their forms.
Co-authored-by: Claude Opus 4.8 <noreply@anthropic.com>
Add an admin-controlled debug mode that captures PHP errors of all
players into var/log/debug-players.log, to hunt remaining PHP 8.3 bugs
from real play sessions. Fully transparent to players: no redirect, no
gameplay change, errors are never displayed.
- DB: new debug_log table (one row), mirroring the maintenance pattern.
- Database: getDebugMode()/setDebugMode()/setDebugSettings(), defensive
when the table is absent (no blank page).
- Session: register a custom error + shutdown handler when enabled; the
handler runs even when php.ini error_reporting masks warnings/notices,
so capture is complete without a Docker rebuild. Auto-disables after a
configurable window.
- DebugErrorLogger: size-capped file with a single .log.1 rotation,
honours the @ operator, never throws.
- Admin: new "Debug Error Log" page (levels, size cap, auto-off, on-page
viewer, clear, download) + debugLog action mod.
- Menu: admin-only quick on/off widget (TZ_DEBUG_ON/OFF, EN/FR/RO).
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
The profile already had a language selector (Templates/Profile/preference.tpl)
that saved the choice into users.lang and $_SESSION['lang'], but the saved
preference was never used to actually load the language: every page loads
include("Lang/".LANG.".php") with the server-wide LANG constant, so changing
the language in the profile had no visible effect.
This wires it up:
- Introduce SERVER_LANG (the server default) and make LANG the EFFECTIVE
display language, resolved from the player's saved preference
($_SESSION['lang']) with a fallback to SERVER_LANG
(install/data/constant_format.tpl).
SECURITY: the value is sanitized to [a-z_] and the target Lang/<x>.php
file must exist, otherwise we fall back to the server default. This
prevents Local File Inclusion via include("Lang/".LANG.".php").
- Seed $_SESSION['lang'] from users.lang on login (GameEngine/Session.php,
PopulateVar), so the chosen language applies right after logging in.
- Keep the SERVER default intact when an admin saves settings: the admin
config regenerators and the "Server Settings"/config displays now use
SERVER_LANG (the server default) instead of the per-user LANG, so an
admin browsing in their own language can't accidentally overwrite the
server default (6 Admin/Mods/edit*.php + editServerSet.tpl + config.tpl).
Note: existing installs must also add SERVER_LANG + the LANG resolution to
their generated GameEngine/config.php (and the Admin/Mods/constant_format.tpl
copy) since config is generated at install time.
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
The admin panel had a "Create System Message" page (admin.php?p=sysmessage
-> Admin/Templates/sysmessage.tpl) whose form posts to
GameEngine/Admin/Mods/sysmessage.php, but that backend file never existed,
so submitting returned a 404 (Not Found).
Add the handler implementing the prepare -> confirm -> execute flow used by
the template. On execute it displays a global system message to all players
using the existing mechanism (writes Templates/text.tpl from
text_format.tpl and sets users.ok = 1), same as the legacy sysmsg.php.
%TEKST% is escaped for the PHP double-quoted string context to avoid
breakage/injection.
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
+Added a medal of 10 years of playing in Travian.
Enabled (Disabled) during installation and in the
admin panel.
+If at least one of the new functions is enabled,
a corresponding section appears in the Manual
with a description of all the new functions and
shows which of them is Enabled or Disabled.
+Minor changes
+Added Enable (Disable) of information about the troops of Nature and Natars in the manual
NOTE 1: To play this version of the game, you need to reinstall the server OR you can simply add these lines of code into your file:
GameEngine/config.php
define("NEW_FUNCTIONS_MANUAL_NATURENATARS", false);
GameEngine/Admin/Mods/constant_format.tpl
define("NEW_FUNCTIONS_MANUAL_NATURENATARS", %NEW_FUNCTIONS_MANUAL_NATURENATARS%);
NOTE 2: pay special attention to the fact that these are two different records !!! If the records are entered incorrectly, you will receive a non-working code!
+Added the ability to Enable (Disable) the display of the targets of the catapults in the rally point
+Added the display of the village with a wonder of the world (as is done with the display of artifacts) in the viewing player profiles. Also this function is Enabled (Disable) during installation and in the admin panel.
+Plus and bonuses duration, can now be decreased or resetted, by
inserting a negative value of days
+Artifacts and artifacts villages created on a user account, won't
contain any troops
+Some clean up
+Added the "Artifacts" section in the Admin Panel, which contains two
options: return a deleted artifact to the Natars and create new
Artifacts, assigned to a specified player
+Return to Natars coded, in the village section of the Admin Panel
+Moved a lot of functions and costants from Automation.php to the "new"
class Artifacts.php
+Optimized a lot the whole Natars creation process, decreased the number
of query of about 600
+Optimized a lot the function which deletes a player's account, it's now
executed almost instantly, even with players with a lot of villages
+Redesigned the map spawn system, using a more Travian-like village
distribution
+Fixed a bug that did show a broken village in the artifact chronology,
if that village was destroyed
+Reduced the amount of redundant code (about 230 lines) for
27_1.tpl/27_2.tpl and 27_3.tpl
+Fixed a bug that permitted to build the Great Granary and the Great
Warehouse in the whole account, with only a village effect artifact
+Fixed a bug in the Admin Panel map that didn't permit to show village
informations, if that village contained single quotes in its name
+Enable (Disable) Vacation Mode
+Fixed an error displaying the icon to
delete the villages in the admin search
NOTE 1: To play this version of the game, you need
to reinstall the server OR you can simply add
these lines of code into your file:
GameEngine/config.php
define("NEW_FUNCTIONS_VACATION", false);
GameEngine/Admin/Mods/constant_format.tpl
define("NEW_FUNCTIONS_VACATION", %NEW_FUNCTIONS_VACATION%);
NOTE 2: pay special attention to the fact that these are two
different records !!! If the records are entered incorrectly,
you will receive a non-working code!