Latest forum messages

Update security.php, database.php, and modules/content/admin/index.php to use the canonical input/label-hint/table/edit-tip fragments and add CSRF token verification to all mutating operations in the security module.
Core changes:
- Security module CSRF hardening (admin/modules/security.php):
- bansave(), passsave(), configsave(), delete(): add checkSiteToken() guard at function entry; render _TOKENMISS alert and return early on failure
- All delete action URLs now include &token=getSiteToken() query parameter
- banlist() ban-add form: hidden token field added via getTplHiddenInput()
- passwd() form: hidden token field added
- config() configsave form: hidden array now passed to config-div.html loop
- Fragment migration (admin/modules/security.php):
- getTplAdminHintLabel() → $tpl->getHtmlFrag('label-hint', [...]) for IP/CIDR, admin file, and dump-skip labels
- getTplTextInput() → $tpl->getHtmlFrag('input', [...]) for blocker_cookie and afile text inputs
- Database module (admin/modules/database.php):
- getHtmlFrag('admin-input', [...]) → getHtmlFrag('input', [...]) for both submit buttons in dump()
- Content module (modules/content/admin/index.php):
- content(): list view migrated from getTplAdminTableHead/getTplAdminTableRow to $tpl->getHtmlFrag('table', [...]) with head array of column descriptors
- Row rendering migrated to getHtmlFrag('table-row') + getHtmlFrag('table-row-content')
- Action menu migrated to getHtmlFrag('edit-tip', [...]) with CSRF token on delete URL
- Title cell migrated to getHtmlFrag('title-tip', ['items' => [...]]) + cutstr()
- add(): form rows converted to array-based descriptor format; input/label-hint fragments used for title and RSS URL fields; getTplRefreshTimeSelect() for refresh select; getTplAddDateTime() for date picker; fields_in() replaced by getTplAddFieldRows(); body preview replaced by getTplPreviewContent()
- Field input normalised: getVar('post', 'field[]', 'raw') + filterFields()
Benefits:
- CSRF coverage extended to all mutating security module operations
- Consistent fragment usage eliminates module-specific HTML builders
- content/add form now uses the same add-div layout as other modules
Technical notes:
- checkSiteToken() added to bansave (ids 1/2/3), passsave, configsave, delete
- config-div.html hidden loop expects array of ['nameattr', 'valueattr'] maps
- field[] input now read as raw array and normalised via filterFields()

Update three core utility functions in core/system.php to delegate to the canonical helper functions introduced in helpers.php, removing inline HTML construction and aligning with the array-based template API.
Core changes:
- ad_save() (core/system.php):
- Replaced inline <select>/<input> HTML with getTplSaveAction()
- Passes name, valu, op, noprev as array; logic for preview/delete options is now in getTplSaveAction() and save-action-item.html
- preview() (core/system.php):
- Replaced manual filterMarkdown + getHtmlPart('preview') call with getTplPreviewContent()
- Renamed $textc parameter to $field to match the field-string convention used by getTplPreviewContent() and getTplViewFieldRows()
- Returns empty string when all inputs are blank (handled by getTplPreviewContent)
- cutstr() (core/system.php):
- Replaced if/elseif/elseif chain for $end selection with match expression
Benefits:
- ad_save() and preview() are now pure data-passthrough wrappers
- Eliminates duplicate HTML logic between system.php and the new helpers
- cutstr() match expression is more idiomatic PHP 8+
Technical notes:
- preview() signature change: $textc → $field; all call sites already pass field strings
- No behaviour change for any of the three functions

Introduce six reusable helper functions that build admin and frontend HTML from prepared data structures and canonical fragments, replacing inline HTML construction scattered across modules.
Core changes:
- getTplAddFieldRows() (core/helpers.php):
- Parses module field definitions from $conf['fields'][$mod]
- Returns array of ['label_html', 'field_html'] rows for add-div layout
- Dispatches to add-field fragment for text(1), textarea(2), select(3)
- Delegates to getTplAddDateTime() for date(5) and datetime(4) types
- getTplAddDateTime() (core/helpers.php):
- Renders a date/datetime-local picker paired with a hidden canonical value field
- Uses static counter for unique IDs across multiple instances on one page
- Returns add-datetime fragment HTML
- getTplRefreshTimeSelect() (core/helpers.php):
- Renders a fixed-interval <select> (15m/30m/1h/5h/10h/24h)
- Uses refresh-select-time fragment; defaults to 3600 when value is empty/zero
- getTplViewFieldRows() (core/helpers.php):
- Renders read-only labelled rows from field string + module field definitions
- Applies filterMarkdown+filterReplaceText for textarea(2) type fields
- Returns view-field fragment HTML per visible field
- getTplPreviewContent() (core/helpers.php):
- Assembles full preview block: title, body_a, body_b, field rows
- Uses getHtmlPart('preview-content') for page-level layout
- Returns empty string when all inputs are blank
- getTplSaveAction() (core/helpers.php):
- Renders save/delete/preview <select> + hidden op + submit button
- Accepts name, valu, op, noprev keys; conditionally includes delete/preview options
- Uses save-action + save-action-item fragments
Benefits:
- Centralises HTML assembly logic; modules only supply data arrays
- Eliminates repeated inline HTML for date pickers, field loops, and save controls
- Consistent escaping and fragment usage across all call sites
Technical notes:
- getTplAddFieldRows() uses filterFields() to normalise array field input
- getTplAddDateTime() relies on add-datetime fragment with hidden_id/picker_id pair
- getTplSaveAction() replaces the ad_save() inline HTML builder in core/system.php

Introduce a complete set of shared, reusable admin fragments that replace the old module-specific ones, and rename preview pages to preview-content across all four themes to align with the new getTplPreviewContent() API.
Core changes:
- New admin fragments (templates/admin/fragments/):
- input.html — generic <input> with optional maxlength, placeholder, required
- label-hint.html — label with inline hint text
- edit-tip.html — action menu with view/edit/delete links (replaces inline action builders)
- table.html — full <table> wrapper with optional head array or raw head_html
- table-row.html — <tr> wrapper with optional class/attr
- table-row-content.html — content module table row cells (id, title, date, reads, status, actions)
- title-tip-item.html — single item inside a sl_tip nav tooltip
- view-field.html — labelled read-only field for preview pane
- add-field.html — dynamic form field (text, textarea, select) for module field definitions
- add-div.html, add-div-row.html, add-div-item.html, add-div-hidden.html — add-form layout
- add-datetime.html — date/datetime picker with hidden canonical value field
- refresh-select-time.html — interval select (15m…24h)
- save-action.html, save-action-item.html — save/delete/preview select + submit button
- navi-tabs-wrap.html, config-div-hidden.html — supporting layout helpers
- Updated fragments:
- config-div.html — hidden inputs now rendered via {% for item in hidden %} loop
- title-tip.html — supports content_html, content, items array, and label_text modes
- Deleted legacy fragments:
- admin-input.html, admin-hint-label.html — replaced by input.html, label-hint.html
- admin-table.html, admin-table-row.html — replaced by table.html, table-row.html
- admin-content-add-rows.html, admin-content-list-row.html — replaced by generic equivalents
- Preview pages/partials renamed across all themes (admin, default, lite, simple):
- preview.html → preview-content.html (page + partial)
- CSS additions (system.css for admin/default/lite, theme.css for simple):
- Add .sl-preview-, .sl-add-, .sl-save-action styling for new fragment layouts
Benefits:
- Eliminates module-specific fragment duplication across admin and content modules
- Uniform fragment API (array-based data) matches PHP helper function signatures
- preview-content name now matches getTplPreviewContent() and getHtmlPart() call sites
Technical notes:
- Deleted fragments had no remaining callers after prior refactor commits
- config-div.html hidden loop requires array of ['nameattr', 'valueattr'] maps
- title-tip.html is backward-compatible: all four variable modes are supported

Rename legacy admin helper functions to follow the getTpl* naming convention across core/admin.php, completing the function-rename pass started in previous refactor commits. Remove ~210 frontend fragment files that were erroneously tracked under templates/admin/fragments/.
Core changes:
- Function renames (core/admin.php):
- adminFlagBox() → getTplAdminFlagBox()
- adminDeleteAction() → getTplDeleteAction()
- adminLinkAction() → getTplLinkAction()
- adminAjaxAction() → getTplAdminAjaxAction()
- adminTitleTip() → getTplAdminTitleTip()
- adminTitleTipLabel() → getTplAdminTipLabel()
- adminNoteLabel() → getTplAdminNoteLabel()
- adminMoveControls() → getTplAdminMoveControls()
- adminMenuItems() → getTplAdminActionMenu()
- adminCategoryRow/Table → getTplAdminCategoryRow/Table()
- adminBlockRow/Table → getTplAdminBlockRow/Table()
- adminFilesRow/Table → getTplAdminFilesRow/Table()
- adminFilePreview() → getTplAdminFilePreview()
- adminDangerText() → getTplAdminDangerText()
- Module fix (admin/modules/newsletter.php):
- Added missing $token to global declaration
- Fragment cleanup (templates/admin/fragments/):
- Removed ~210 frontend fragments (account/, forum/, shop/, voting/, editor/, media/, whois/*, etc.) that do not belong in admin/fragments/
- Modified link-btn.html (minor tweak)
Benefits:
- All admin rendering helpers now share the getTpl* prefix — consistent API
- Removes dead template files that were never loaded by the admin layer
- Reduces template directory noise by ~210 files
Technical notes:
- All call sites in core/admin.php updated atomically — no external callers
- Deleted fragments were not referenced by admin code; frontend uses its own template directories

Replace string-concatenation pattern ($rows .= getTplAdminFormRow(...)) with array descriptors ($rows[] = ['label_html' => ..., 'field_html' => ...]) across all 18 admin modules; getTplAdminRowsTable() now renders arrays internally, eliminating per-module fragment rendering calls.
Core changes:
- Row rendering (core/helpers.php):
- getTplAdminRowsTable() extended to accept array|string
  * array items dispatched to admin-form-row / admin-form-wide / raw_html
  * string path preserved for backward compat
- Admin modules (admin/modules/*.php):
- All 18 modules converted: $rows string → $rows[] array descriptors
- adminInfoRow() call sites renamed to getTplAdminInfoRow() (core/admin.php)
- Fragments (templates/admin/fragments/):
- Added: config-div, config-div-row, config-div-item, config-div-content
- Added: admin-menu-item, admin-lang-switch-item, bootstrap-icon
- Removed: 24 obsolete per-module inline fragments (security, database, messages, newsletter, referers, scheduler, lang, uploads, form-conf, etc.)
- CSS (templates/admin/assets/css/system.css):
- +96 lines of admin UI styles supporting new fragment layout
Benefits:
- Removes ~330 lines of net HTML/PHP, centralises row rendering in one helper
- Obsolete one-off fragments eliminated, reducing template surface area
- Consistent data-driven API for admin form construction across all modules
Technical notes:
- getTplAdminRowsTable() remains backward compatible with string input
- Deleted fragments were not referenced anywhere outside their own modules
- No changes to public-facing templates or user-facing logic

Remove manual CSRF token passing from all admin module actions and forms now that checkSiteToken() auto-reads the token from the request context. Update getHtmlFrag() calls to use renamed fragments and canonical variable keys.
Core changes:
- CSRF token removal from forms and action guards (admin/modules/*.php):
- Removed getSiteToken() calls and hidden token inputs from all module forms
- Removed explicit checkSiteToken(getVar(...)) guards from save/delete handlers
  * Token validation still occurs inside checkSiteToken() via getRequestToken()
- Affected modules: admins, categories, comments, database, favorites, fields, groups, lang, messages, modules, newsletter, privat, referers, replace, scheduler, statistic, template, uploads
- Fragment name updates (admin/modules/*.php, core/admin.php):
- admin-action-link → comment-action-link
- admin-action-ajax → comment-action-ajax (via getTplAdminAjaxAction)
- Added required class/target keys for comment-action-link calls
- Core admin updates (core/admin.php):
- getAdminBlockList(): add optional $token string param (unused, reserved)
- getAdminInfo(): remove manual token check; remove token hidden input from form
- System bootstrap (core/system.php):
- Minor alignment/cleanup with no behavioral change
Benefits:
- Eliminates 30+ boilerplate token-extract-and-check blocks across modules
- CSRF protection remains active via centralized getRequestToken()
- Consistent fragment naming across all call sites
Technical notes:
- Implicit CSRF validation: token must arrive via header or POST/GET param
- No change to token generation or scope logic
- admin/index.php: CRLF→LF line ending normalization only

Rename all template variable keys in helper functions to canonical single-word names and eliminate redundant fragment files by merging them into existing general-purpose fragments with conditional params.
Core changes:
- Helper variable key renames (core/helpers.php):
- getTplAdminFlagBox: css_class→class, label_text→label
- getTplAdminNoteLabel: switches to span-btn fragment; label_text→label, title_attr→title
- getTplAdminTitleTip: switches to title-tip fragment (was admin-title-tip)
- getTplAdminAjaxAction: switches to comment-action-ajax fragment (was admin-action-ajax)
- getTplAdminTabOpen: list_class→class, list_id→id
- getTplAdminTabLink: is_selected→selected, attrs removed (unused)
- getTplAdminInfoCount: count_text→count, css_class→class
- getTplAdminTableHead: th-nosort merged into th with nosort=true param
- Fragment deletions (all four themes: admin, default, lite, simple):
- Deleted: admin-action-ajax.html (replaced by comment-action-ajax)
- Deleted: admin-action-link.html (replaced by comment-action-link)
- Deleted: admin-note-label.html (replaced by span-btn)
- Deleted: admin-title-tip.html (replaced by title-tip)
- Deleted: th-nosort.html (merged into th with nosort flag)
- Updated: th.html to handle nosort conditional rendering
- Updated: admin-security-*.html to match new variable key names
Benefits:
- Fewer fragment files to maintain across themes
- Consistent single-word key naming convention throughout helpers
- th fragment handles both sort and no-sort columns via one template
Technical notes:
- Fragment renames are breaking changes for any direct getHtmlFrag() callers
- All call sites in admin modules updated in the following commit
- No functional HTML output changes

Extend the CSRF layer with a dedicated token-reader and a smarter checkSiteToken() that auto-resolves the token from the request context, eliminating the need for callers to pass the token explicitly.
Core changes:
- CSRF token reader (core/security.php):
- Add getRequestToken(): reads token from X-CSRF-Token header, X-XSRF-Token header, POST param, GET param, $_REQUEST fallback
  * Priority: header > POST > GET > $_REQUEST
  * Trims whitespace, returns empty string when absent
- CSRF validator (core/security.php):
- Change checkSiteToken() signature: $tok defaults to '' (auto-read)
  * If $tok is empty, calls getRequestToken() automatically
  * Adds cross-scope fallback: non-ajax scopes also accept global 'ajax' token
Benefits:
- Callers no longer need to extract and pass the token manually
- HTMX / fetch requests sending X-CSRF-Token header work out of the box
- One central place for all token extraction logic
Technical notes:
- Backward compatible: callers that still pass $tok explicitly continue to work
- Scope fallback is one-way: ajax-scoped checks do not accept scope-specific tokens

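How the token reader and the auto-resolving validator described in this commit fit together, as an added example that is not the project's code: the function names and the `token` request key come from the commits on this page, while the `$scope` parameter, the `$_SESSION['csrf'][$scope]` storage layout and the constant-time comparison are assumptions of this illustration.

```php
<?php
// Added illustration, not the project's code: reconstructs the behaviour the
// commit describes. Function names come from the commit; the 'token' request
// key, the $scope parameter and the $_SESSION['csrf'][$scope] layout are assumed.
declare(strict_types=1);
function getRequestToken(): string
{
    // PHP exposes request headers as $_SERVER['HTTP_*'] keys.
    foreach (['HTTP_X_CSRF_TOKEN', 'HTTP_X_XSRF_TOKEN'] as $hdr) {
        if (isset($_SERVER[$hdr]) && is_string($_SERVER[$hdr])) {
            return trim($_SERVER[$hdr]);
        }
    }
    // Priority after headers: POST, then GET, then the $_REQUEST fallback.
    foreach ([$_POST, $_GET, $_REQUEST] as $src) {
        if (isset($src['token']) && is_string($src['token'])) {
            return trim($src['token']);
        }
    }
    return '';
}

function checkSiteToken(string $tok = '', string $scope = 'admin'): bool
{
    if ($tok === '') {
        $tok = getRequestToken();  // auto-read when the caller passes nothing
    }
    if ($tok === '') {
        return false;              // an absent token never validates
    }
    $stored = $_SESSION['csrf'] ?? [];
    // Exact-scope match first; hash_equals() keeps the comparison constant-time.
    if (isset($stored[$scope]) && hash_equals($stored[$scope], $tok)) {
        return true;
    }
    // One-way fallback: non-ajax scopes also accept the global 'ajax' token,
    // while an ajax-scoped check does not accept scope-specific tokens.
    return $scope !== 'ajax'
        && isset($stored['ajax'])
        && hash_equals($stored['ajax'], $tok);
}

// Constructed request state for a stand-alone run (no real session needed).
$_SESSION['csrf'] = ['admin' => 'ADMIN-TOKEN-SAMPLE', 'ajax' => 'AJAX-TOKEN-SAMPLE'];
$_POST = ['token' => " ADMIN-TOKEN-SAMPLE \n"];   // surrounding whitespace is trimmed
var_dump(checkSiteToken());                        // exact 'admin' scope match
$_POST = ['token' => 'AJAX-TOKEN-SAMPLE'];
var_dump(checkSiteToken('', 'admin'));             // non-ajax scope falls back to 'ajax' token
$_POST = ['token' => 'ADMIN-TOKEN-SAMPLE'];
var_dump(checkSiteToken('', 'ajax'));              // ajax scope rejects the admin-scoped token
```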
The shared/ fallback mechanism was reverted in the previous session. Physical files were already deleted; this commit syncs git tracking to match the filesystem state.