Changelog

Total: 396 available commits | Filtered: 396 commits | Page: 1 / 40
Today (16.03.2026)
Chore: Newsletter and sitemap minor updates
Author: Eduard Laas | Date: 15:29 16.03.2026

Small maintenance changes to newsletter module and sitemap configuration to align with scheduler-based job dispatch and updated admin panel.

Core changes:

  1. Newsletter (admin/modules/newsletter.php, admin/info/newsletter/*.html):
     • Minor adjustments following scheduler integration refactor
  2. Sitemap (config/sitemap.php, modules/sitemap/admin/index.php, sitemap.xml):
     • Sitemap config and admin panel aligned with current module structure
     • sitemap.xml regenerated

Benefits:

  • Consistent state after scheduler refactor
  • Info pages reflect current system behavior

Feature: Security logs — full storage/logs/ coverage, dump_map rename
Author: Eduard Laas | Date: 15:29 16.03.2026

Expands the security statistics panel to cover all files in storage/logs/, replacing the .log-only filter with a label-based allowlist approach. Removes hardcoded .log extension throughout; .json files (dump_map, monitor) are now handled via an $ext exception map.

Core changes:

  1. Security module (admin/modules/security.php):
     • $labels array extended: database, dump, dump_log, dump_map, error_file, error_php, error_site, error_sql, hack, log, log_admin, log_user, monitor, warn
     • $ext map: ['dump_map' => 'json', 'monitor' => 'json']
     • security(): replaced preg_match('.log') with skip-list + isset($labels)
     • fileview(), down(), del(): use $ext[$file] ?? 'log' for path and filename
     • confsave(): persists sess_d, sess_b, log_b, log_d; dump_skip field added
  2. Info pages (admin/info/security/*.html — all 6):
     • Reference to hardcoded interval setting replaced with Scheduler module link
  3. Config (config/security.php):
     • dump_skip default removed (now managed via Scheduler/confsave)
     • log_d default adjusted

Benefits:

  • .json log files (dump_map, monitor) now visible and downloadable in UI
  • No unknown files shown: only keys present in $labels are rendered
  • .htaccess and index.html automatically skipped

Technical notes:

  • filterVar strips dots, so file extensions cannot be passed via URL
  • Extension is derived server-side from $ext map with 'log' fallback
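
The lookup described in this entry, as an added example that is not the project's code: the request supplies only a key, the key must exist in the label allowlist, and the extension comes from a server-side map. The function name `resolveLogPath`, the character filter standing in for filterVar, and the sample requests are assumptions; only the keys and the extension map are taken from the commit message.

```php
<?php
declare(strict_types=1);

// Keys and extension map as listed in the commit message above.
$labels = array_flip(['database', 'dump', 'dump_log', 'dump_map', 'error_file',
    'error_php', 'error_site', 'error_sql', 'hack', 'log', 'log_admin',
    'log_user', 'monitor', 'warn']);
$ext = ['dump_map' => 'json', 'monitor' => 'json'];

/**
 * Hypothetical helper: map a request-supplied key to a log file path,
 * or return null when the key is not on the allowlist.
 */
function resolveLogPath(string $key, array $labels, array $ext, string $dir): ?string
{
    // Assumed stand-in for filterVar: keep [A-Za-z0-9_] only, so dots and
    // slashes never survive into the file name.
    $key = (string) preg_replace('/[^A-Za-z0-9_]/', '', $key);

    // Allowlist check: unknown keys never reach the filesystem.
    if ($key === '' || !isset($labels[$key])) {
        return null;
    }

    // The extension is chosen server-side, never taken from the request.
    return rtrim($dir, '/') . '/' . $key . '.' . ($ext[$key] ?? 'log');
}

// Constructed sample requests.
$samples = ['hack', 'dump_map', 'monitor.json', '../config/global',
    '.htaccess', 'index.html', 'unknown'];

foreach ($samples as $sample) {
    $path = resolveLogPath($sample, $labels, $ext, 'storage/logs');
    printf("%-18s => %s\n", $sample, $path ?? 'rejected');
}
```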

Feature: Scheduler module with cron-based job execution
Author: Eduard Laas | Date: 15:29 16.03.2026

Introduces a configurable task scheduler with cron-format schedules, per-job state tracking, lock/timeout protection, and a HTMX-powered live status panel. Replaces hardcoded filereport/backup/sitemap/newsletter triggers in index.php with a unified scheduler dispatch.

Core changes:

  1. Scheduler module (admin/modules/scheduler.php):
     • Live status table with HTMX auto-refresh per job
     • Add/edit/delete custom jobs, unlock stuck jobs, manual run trigger
     • Cron-format schedule field with format hint
  2. Scheduler engine (core/system.php):
     • getSchedulerConfig(), getSchedulerDir(), getSchedulerFile()
     • addSchedulerRun(): dispatches filereport, backup, sitemap, newsletter
     • checkSchedulerAccess(): validates cron/manual token access
     • dump.json renamed to dump_map.json to avoid key conflict with dump.log
  3. Dispatcher (index.php):
     • New case 'scheduler' in go==3 branch: validates access, runs job, returns JSON
  4. Config (config/scheduler.php, config/modules.php):
     • Default scheduler config with system jobs (filescan, backup, sitemap, newsletter)
     • scheduler module entry added to modules.php
  5. Lang (admin/lang/*.php — all 6 languages):
     • SCHEDULER* constants: status, last_run, last_ok, next_run, trigger, duration, fails, schedule, handler, priority, lock, unlock, run, jobkey, url, saved, deleted, unlocked, running, idle, addjob, editjob, url_info, system_info, saveerr, manual, batch, schedule_info
     • _SEC_STAT_DB, _SEC_STAT_DMAP, _SEC_STAT_MON: security log labels for database.log, dump_map.json, monitor.json

Benefits:

  • Decoupled scheduling from HTTP request cycle
  • Per-job state files with lock/timeout prevent concurrent execution
  • Extensible: custom jobs configurable without code changes

Technical notes:

  • Job state stored in storage/logs/scheduler/<job>.json
  • Cron schedule validated server-side; manual runs bypass schedule check
  • dump_map.json replaces dump.json (breaking: rename existing file)

Chore: merge local backup branch after syncing origin/master
Author: Eduard Laas | Date: 10:49 16.03.2026

Integrate the preserved local work back into master after fast-forwarding the branch to the latest origin/master state. This keeps the remote updates and the local language, configuration, setup, and test changes together without any history rewrite.

Core changes:

  1. Remote synchronization (master):
     • Fast-forward local master to origin/master
     • Keep upstream changes from the latest GitHub state
  2. Local work integration (config, language, setup, tests):
     • Merge the backup branch with the preserved local changes
     • Resolve the config/global.php conflict in favor of the saved local sitekey

Benefits:

  • Leaves master up to date with GitHub and your local work intact
  • Provides a recoverable backup branch and commit history
  • Avoids destructive Git operations and force-based workflows

Technical notes:

  • Merge commit created after fast-forward sync
  • No rebase and no history rewrite
  • Working tree should be clean after commit

Chore: save local language and setup changes before syncing origin
Author: Eduard Laas | Date: 10:48 16.03.2026

Preserve the current in-progress local work on language files, configuration, and setup flow before updating master from origin/master. This creates a safe restore point for merge-based synchronization without rewriting history.

Core changes:

  1. Language and config updates (admin/lang/.php, lang/.php, config/*.php):
     • Save current local edits across translations and configuration files
     • Preserve in-progress constant and module/security adjustments
  2. Setup and test updates (setup/index.php, tests/LanguageConstantsUsageTest.php):
     • Save local setup workflow changes
     • Preserve related test adjustments for later integration

Benefits:

  • Provides a recoverable checkpoint before remote synchronization
  • Reduces risk of losing uncommitted work during merge operations
  • Keeps the update flow aligned with repository safety rules

Technical notes:

  • No history rewrite
  • Local backup commit only
  • Backward compatibility to be validated after merge

Config: rotate sitekey
Author: Eduard Laas | Date: 00:13 16.03.2026

Refactor: clean up database module and fix monitor metric store path
Author: Eduard Laas | Date: 00:12 16.03.2026
  • database: simplify navi() signature, remove unused $opt and $legacy params
  • database: align op/case/handler to project standard (del/del/del())
  • database: replace filter_input() with getVar() for consistency
  • database: fix $conf['db']['name'] → $dbname for safe query building
  • database: translate German comments to English, fix parse-branch indent
  • database: use LOGS_DIR constant in addDblog()
  • monitor: rename monitor_metrics.json → monitor.json
Yesterday (15.03.2026)
Fix: search TypeError, monitor open_basedir warning, path traversal detection
Author: Eduard Laas | Date: 17:56 15.03.2026

Three bug fixes identified via error log analysis (2517 entries, period 2026-03-13 to 2026-03-15). Closes the dominant error (2504 occurrences) and hardens input validation against encoded path traversal probes.

Core changes:

  1. Search module (modules/search/index.php):
     • Guard $conf['search'] with is_array() before accessing ['mods']
       - $conf['search'] is a string when config is scalar, causing TypeError
       - Affected every bot crawling ?name=search (Bing, Google, Baidu, etc.)
  2. Monitor (admin/modules/monitor.php):
     • Check open_basedir before calling is_dir() on extension_dir
       - Used array_reduce over PATH_SEPARATOR-split paths
       - Avoids E_WARNING when ext dir is outside allowed open_basedir paths
  3. Security (core/security.php):
     • Extend $quote pattern in checkGet: '../' → '..[/\%]'
       - Now catches ../ (direct), ..\ (Windows), ..% (URL-encoded: ..%2F etc.)
       - Blocks double-encoded path traversal (e.g. %252F) after PHP auto-decode

Benefits:

  • Eliminates 2504 TypeError entries from error_php.log
  • Removes 9 recurring open_basedir warnings in monitor
  • Path traversal attempts now logged to hack.log via addHackReport()

Technical notes:

  • No config or schema changes
  • Backward compatible
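
How the extended pattern from this entry behaves on already-decoded input, as an added example that is not the project's checkGet code. The function name `looksLikeTraversal` and all sample values are assumptions constructed for illustration, and urldecode() stands in for the single decode PHP applies to query parameters.

```php
<?php
declare(strict_types=1);

/**
 * Hypothetical detector built around the pattern quoted in the commit: '..[/\%]'.
 * $value is a parameter as PHP exposes it in $_GET, i.e. already URL-decoded once.
 */
function looksLikeTraversal(string $value): bool
{
    // Two literal dots followed by '/', '\' or '%'.
    return preg_match('~\.\.[/\\\\%]~', $value) === 1;
}

// Constructed raw query values; urldecode() stands in for PHP's automatic decoding.
$samples = [
    'news',              // ordinary module name
    'v1..2',             // dots with no separator after them
    '../config',         // direct
    '..%5Cconfig',       // decodes to ..\config (Windows separator)
    '%2E%2E%2Fconfig',   // decodes to ../config
    '..%252Fconfig',     // double-encoded: decodes to ..%2Fconfig, caught by the '%' branch
];

foreach ($samples as $raw) {
    $decoded = urldecode($raw);
    $verdict = looksLikeTraversal($decoded) ? 'flag' : 'pass';
    printf("%-18s -> %-14s %s\n", $raw, $decoded, $verdict);
}
```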

This week (13.03.2026)
Feature: monitor exec-fallbacks, no-image placeholder, dump_skip config, forum refactor
Author: Eduard Laas | Date: 12:07 13.03.2026

Extended monitor.php with exec() fallbacks for /proc/meminfo, /proc/cpuinfo, /proc/net/dev when open_basedir blocks direct file reads; lscpu/nproc/free used as secondary sources. Improved getMetricStorePath() to resolve writable directory dynamically. Added unloaded PHP extensions detection.

Core changes:

  • monitor.php: exec-fallbacks for Linux /proc reads, dynamic metrics path, lscpu/nproc support, unloaded extensions list
  • core/system.php: no-image.png fallback for missing upload files; onerror handler on BB/Markdown img tags; better alt text from filename
  • security.php + config/security.php: new dump_skip config field with textarea UI and sanitized save logic
  • modules/forum/index.php: rename $massiv→$rows, $params→$pars; cleaner named placeholders
  • modules/account/admin/index.php: fix SQL WHERE clauses with table alias u.
  • admin/info/admins/ru.html → ru.md migration; add admin/info/monitor/ help pages
  • templates: add no-image.png to all three themes; add find/view admin icons

Benefits:

  • Monitor works on hosts with restricted open_basedir
  • Broken images show placeholder instead of broken icon
  • dump_skip allows excluding paths from file change scanner
  • Forum and account SQL queries more robust against ambiguous column names

Fix: rename lastip→ip column, fix PM TypeError and SQL HY093
Author: Eduard Laas | Date: 00:26 13.03.2026

Comprehensive fix and cleanup across the codebase following DB schema update that renamed the lastip column to ip in _users table, plus runtime bug fixes found during load testing.

Core changes:

  1. Column rename lastip → ip (core/system.php, modules/account/index.php, modules/account/admin/index.php, admin/index.php, modules/users/index.php, modules/money/index.php, modules/search/index.php, modules/links/index.php):
     • All SQL queries updated: SELECT ip, UPDATE SET ip, WHERE ip LIKE
     • Template references updated: $userinfo['ip'], edithome display
  2. Bug fix: savehome() cookie rebuild (modules/account/index.php):
     • Replace getUserInfo() (could return null → TypeError on array access) with direct variables from earlier SELECT already in scope
     • Eliminates "Trying to access array offset on null" at setCookies call
  3. Bug fix: PM TypeError (core/user.php addPmMsg, setPmSaved, deletePmMsg):
     • $stop[] array passed as string $stop to getPmView() → TypeError
     • Fix: implode('<br>', (array)$stop) before call
     • Initialize $stop/$info as '' in setPmSaved to avoid undefined vars
     • Replace literal 0 with '' for typed string params
  4. Bug fix: SQL HY093 in help module (modules/help/index.php):
     • Duplicate named param :postid used twice in INSERT (uid and aid cols)
     • PDO with ATTR_EMULATE_PREPARES=false rejects duplicate named params
     • Fix: rename to :uid/:aid with separate keys in params array
  5. Monitor: direct APCu calls (admin/modules/monitor.php):
     • Replace call_user_func('apcu_fetch/store', ...) with direct calls
     • Cleaner, faster, phpstan-friendly
  6. Newsletter: column rename mail → email (admin/modules/newsletter.php):
     • SELECT email FROM _money (was: mail)
  7. system.php show_files() guards:
     • Initialize $files, $contents, $a before conditional block
     • Division by zero protection: ($a > 0) ? ceil($a/$connum) : 0
     • isset() → !empty() for $contents[$i] check
  8. SQL schema cleanup (setup/sql/):
     • table.sql: lastip → ip column definition
     • table_update6_3.sql: migration updated
     • Remove batch_migrate.sql and table_update6_3_finalize_local.sql

Benefits:

  • Eliminates all load-test-discovered TypeErrors and SQL errors
  • Schema consistency: ip column name uniform across code and DB
  • No more null-guard needed on getUserInfo() return path

Total: 396 on 40 pages, 10 per page
