Официальный сайт SLAED CMS
Ports the approved demo designs into the system: the voting widget gains animated results, live auto-refresh driven by the global live_u config, and unified play/stop status glyphs across every context.
Core changes:
- Voting widget (core/system.php, voting-widget/voting-view):
Widget wrapped in .sl-vote with data-sl-vote-live/url on active results; is_lead marks the leading answer (trophy follows the max)
- Result rows expose data-sl-votes/percent; counters wrapped for JS
Corner tool cluster: admin gear menu (now also in the block) before the status glyph, aligned to the block title line
Dormant go=1 getVotingView dispatcher case now echoes and serves as the live endpoint; closed polls never render live attributes
- Status glyphs (voting-home.html, theme.css, lang/*):
One 16px glyph everywhere: play-circle (success, pulse) while the poll is active, stop-circle (warning, static) when it has ended
Same inline typography as .sl-tip-icon so both pixel-snap alike; poll list rows show the marker before the info tip
- _VOTING_ACT/_VOTING_LIVE/_VOTING_END constants in six locales
- Client mechanics (plugins/system/slaed.js, theme.css):
setVoteBlocks: cold-start intro counts bars, percents and vote numbers up from zero; live polling tweens from previous values, moves the lead class and copies the votes/comments chips verbatim
Toggle animations honour data-sl-toggle-display; float panels can right-align to their trigger via data-sl-float-align=end and clamp to the trigger instead of the viewport edge
Any htmx .sl-but shows the system loading dots while its request is in flight; interactive option rows with accent-color controls
- Voting block query (blocks/voting.php):
Four display modes collapsed into one prepared query; random mode uses ORDER BY RAND() LIMIT 1 instead of loading every id
Benefits:
- Polls feel alive without page reloads and respect reduced motion
- Status is readable at a glance in the block, the module and lists
Technical notes:
- Live updates re-render fully only when the answer set changes
- The totals chip updates without digit animation by request
Rebuilds the sidebar user block on a universal PHP data contract, fixes four long-standing bugs found along the way and standardises every cookie and frontend session key on the configurable user_c prefix.
Core changes:
- User block (blocks/user_info.php, block-user-info.html):
Private message counters via one prepared query, cached in the session for 60s and invalidated by deletePrivatCounts() on every mailbox mutation and on logout (core/user.php)
Group and points meta line with next-group progress data (ngroup_name/points/pct), groups resolved in a single query
Fixes: sidebar login posted user_pass without a CSRF token (never worked), logout pointed at unknown op sl-logout, settings pointed at the account overview, inbox links led to the missing privat module
- Unread badge .sl-pm-new replaces the autoplay-blocked audio alert
- Session summary (core/system.php, session-summary/session-row):
Counters aggregated in one query; detail rows load lazily through the new getUserSessionRows endpoint (hx-trigger click once)
- Table markup replaced with the div grid shared with the admin theme
Optional auto-refresh driven by the new live_u config (admin field plus _LIVE_UPD constant in all six admin locales)
- State naming and cookies (core/security.php, core/system.php):
Cookies and frontend $_SESSION keys follow $conf[user_c]-<feature>; legacy stats_id/shop cookies migrated with one-release fallbacks
Cart links carry the CSRF token the go=2 gate demanded (the cart was silently broken); emptying the cart now clears cookie and superglobal
- Avatar defaults (core/user.php, uploads/avatars/default):
getUserAvatarUrl() is the single resolver: user.svg, guest.svg and deleted.svg replace the 0/00.gif magic strings across seven call sites; registration stores an empty avatar and the resolver decides
- Avatar gallery accepts .svg and excludes system files by name
Benefits:
- Sidebar login, logout and cart actually work again
- One config knob (live_u) will drive every live block
- Distribution-safe: pure PHP, no server-specific rules
Technical notes:
getCookies() filters to [a-zA-Z0-9_-]; base64 cookies are read from $_COOKIE directly with the user_c prefix
- Old default/00.gif rows in the users table fall back gracefully
Adds six standalone HTML showcases used to iterate on the sidebar user block and the voting widget before porting the chosen designs into the lite theme.
Core changes:
- User block labs (demo/user-block-*.html):
42 full-block variants: logged-in, guest, geo details and 2026 trends
- surfaces (glassmorphism, liquid glass, neumorphism), bento, density
- live session feed, accordions, group-progress ring, drag constructor
- All variants reuse real block data and lite theme tokens/classes
- Voting block lab (demo/voting-block.html):
17 variants for form and results states on the real widget anatomy
- system-markup section with effects layered on sl-* selectors only
- merged live variant that became the shipped widget behaviour
Benefits:
Design decisions reviewed in-browser against real markup before touching templates
- Serves as a reference gallery for future block redesigns
Query controls move into a single-row .sl-search-panel; results render as a divider list (.sl-search-line) with breadcrumb, title, clamped snippet and meta chips. Adds fragments/search-form.html and a demo/ reference page.
One H1 per page: page/module titles render H1, de-polluted pager/footer/ sidebar/related/category headings down to their proper level, and view sub-headings normalized. Heading sizes tokenized (--sl-h1..--sl-h4 in base.css) with framework classes wired to them in theme.css; getModuleNavi gains an is_heading flag so view pages do not emit a second H1.
home.html and app.html were ~98% duplicate; the common chrome moves into partials/site-header.html and partials/site-footer.html, slimming both layouts to include stubs. Footer/admin home links point at "/" instead of "index.php"; app.html marks the content region with a <main> landmark.
Portable, PHP-level redirects in core/security.php (proxy-aware via X-Forwarded-Proto, GET-only, default off):
- bare /index.php -> / (301) to kill the duplicate homepage URL
- opt-in forcessl (http->https) and forcehost (www->canonical homeurl host)
Admin config SEO tab gains forcessl/forcehost toggles (constants in all 6 languages); getPublicUrl() returns root with trailing slash; help doc admin/info/config/ru.md documents canonical behavior and the new toggles.
Rename the Magistral webfont from Magistral-Book.woff2 to magistral.woff2 and update the @font-face src plus the PERFORMANCE.md caching example to match. Same binary, lowercase/simpler name.
Core changes:
- Font asset (templates/lite/assets/css):
- Rename fonts/Magistral-Book.woff2 to fonts/magistral.woff2
- base.css @font-face src updated to fonts/magistral.woff2
- Docs (docs/PERFORMANCE.md):
- Update font caching-caveat example to magistral.woff2
Technical notes:
- Byte-identical file (26808 bytes); no remaining refs to old name
Move hardcoded & and hand-built HTMX markup out of PHP: URL producers now pass a raw & URL as data, and fragments escape it once at the output boundary via {{ }}. Removes the last inconsistency where URL-bearing HTMX attributes still followed the legacy escape-at-source + markup-in-PHP pattern.
Core changes:
- Link/tab/button fragments (templates/{lite,admin}/fragments):
- tabs-link.html: add hx_get/hx_target/hx_swap block, URL escaped via {{ }}
button.html: add hx-post block (hx_post/hx_include/hx_target/hx_swap/ hx_on_click/hx_on_after), URL escaped; JS validation stays raw passthrough
- link fragment already had is_htmx (hx-get="{{ href }}") — reused as-is
- PHP producers now emit data, not markup:
- core/admin.php: upload file links use is_htmx + hx_target (drops & blob)
- admin/modules/uploads.php: upload tabs pass raw hx_get/hx_target
- core/user.php: comment/PM submit forms pass raw hx_post + hx_* fields
- Docs:
- Remove docs/PROMPT_HREF_AMPERSAND.md (task complete)
Benefits:
- Single escape at the sink; &amp; structurally impossible
- Unified hx_* field vocabulary across link/tabs-link/button fragments
- Removes duplicated URL (href + hand-built hx-get) in upload links
Technical notes:
- getSafe() = htmlspecialchars(ENT_QUOTES|ENT_SUBSTITUTE, UTF-8)
- Verified live: comment form, admin upload tabs — single &, zero &amp;
- Additive change; legacy link_attr/input_attr passthrough kept for other uses
Track the Magistral-Book.woff2 asset referenced by the base.css @font-face declaration, completing the font migration whose base.css update and legacy WOFF2 removal landed in the previous commit.