Latest forum posts
Rename legacy admin helper functions to follow the getTpl* naming convention across core/admin.php, completing the function-rename pass started in previous refactor commits. Remove ~210 frontend fragment files that were erroneously tracked under templates/admin/fragments/.
Core changes:
- Function renames (core/admin.php):
- adminFlagBox() → getTplAdminFlagBox()
- adminDeleteAction() → getTplDeleteAction()
- adminLinkAction() → getTplLinkAction()
- adminAjaxAction() → getTplAdminAjaxAction()
- adminTitleTip() → getTplAdminTitleTip()
- adminTitleTipLabel() → getTplAdminTipLabel()
- adminNoteLabel() → getTplAdminNoteLabel()
- adminMoveControls() → getTplAdminMoveControls()
- adminMenuItems() → getTplAdminActionMenu()
- adminCategoryRow/Table → getTplAdminCategoryRow/Table()
- adminBlockRow/Table → getTplAdminBlockRow/Table()
- adminFilesRow/Table → getTplAdminFilesRow/Table()
- adminFilePreview() → getTplAdminFilePreview()
- adminDangerText() → getTplAdminDangerText()
- Module fix (admin/modules/newsletter.php):
- Added missing $token to global declaration
- Fragment cleanup (templates/admin/fragments/):
- Removed ~210 frontend fragments (account/, forum/, shop/, voting/, editor/, media/, whois/*, etc.) that do not belong in admin/fragments/
- Modified link-btn.html (minor tweak)
Benefits:
- All admin rendering helpers now share the getTpl* prefix — consistent API
- Removes dead template files that were never loaded by the admin layer
- Reduces template directory noise by ~210 files
Technical notes:
- All call sites in core/admin.php updated atomically — no external callers
- Deleted fragments were not referenced by admin code; frontend uses its own template directories

Replace string-concatenation pattern ($rows .= getTplAdminFormRow(...)) with array descriptors ($rows[] = ['label_html' => ..., 'field_html' => ...]) across all 18 admin modules; getTplAdminRowsTable() now renders arrays internally, eliminating per-module fragment rendering calls.
Core changes:
- Row rendering (core/helpers.php):
- getTplAdminRowsTable() extended to accept array|string
  * array items dispatched to admin-form-row / admin-form-wide / raw_html
  * string path preserved for backward compat
- Admin modules (admin/modules/*.php):
- All 18 modules converted: $rows string → $rows[] array descriptors
- adminInfoRow() call sites renamed to getTplAdminInfoRow() (core/admin.php)
- Fragments (templates/admin/fragments/):
- Added: config-div, config-div-row, config-div-item, config-div-content
- Added: admin-menu-item, admin-lang-switch-item, bootstrap-icon
- Removed: 24 obsolete per-module inline fragments (security, database, messages, newsletter, referers, scheduler, lang, uploads, form-conf, etc.)
- CSS (templates/admin/assets/css/system.css):
- +96 lines of admin UI styles supporting new fragment layout
Benefits:
- Removes ~330 lines of net HTML/PHP, centralises row rendering in one helper
- Obsolete one-off fragments eliminated, reducing template surface area
- Consistent data-driven API for admin form construction across all modules
Technical notes:
- getTplAdminRowsTable() remains backward compatible with string input
- Deleted fragments were not referenced anywhere outside their own modules
- No changes to public-facing templates or user-facing logic

Remove manual CSRF token passing from all admin module actions and forms now that checkSiteToken() auto-reads the token from the request context. Update getHtmlFrag() calls to use renamed fragments and canonical variable keys.
Core changes:
- CSRF token removal from forms and action guards (admin/modules/*.php):
- Removed getSiteToken() calls and hidden token inputs from all module forms
- Removed explicit checkSiteToken(getVar(...)) guards from save/delete handlers
  * Token validation still occurs inside checkSiteToken() via getRequestToken()
- Affected modules: admins, categories, comments, database, favorites, fields, groups, lang, messages, modules, newsletter, privat, referers, replace, scheduler, statistic, template, uploads
- Fragment name updates (admin/modules/*.php, core/admin.php):
- admin-action-link → comment-action-link
- admin-action-ajax → comment-action-ajax (via getTplAdminAjaxAction)
- Added required class/target keys for comment-action-link calls
- Core admin updates (core/admin.php):
- getAdminBlockList(): add optional $token string param (unused, reserved)
- getAdminInfo(): remove manual token check; remove token hidden input from form
- System bootstrap (core/system.php):
- Minor alignment/cleanup with no behavioral change
Benefits:
- Eliminates 30+ boilerplate token-extract-and-check blocks across modules
- CSRF protection remains active via centralized getRequestToken()
- Consistent fragment naming across all call sites
Technical notes:
- Implicit CSRF validation: token must arrive via header or POST/GET param
- No change to token generation or scope logic
- admin/index.php: CRLF→LF line ending normalization only

Rename all template variable keys in helper functions to canonical single-word names and eliminate redundant fragment files by merging them into existing general-purpose fragments with conditional params.
Core changes:
- Helper variable key renames (core/helpers.php):
- getTplAdminFlagBox: css_class→class, label_text→label
- getTplAdminNoteLabel: switches to span-btn fragment; label_text→label, title_attr→title
- getTplAdminTitleTip: switches to title-tip fragment (was admin-title-tip)
- getTplAdminAjaxAction: switches to comment-action-ajax fragment (was admin-action-ajax)
- getTplAdminTabOpen: list_class→class, list_id→id
- getTplAdminTabLink: is_selected→selected, attrs removed (unused)
- getTplAdminInfoCount: count_text→count, css_class→class
- getTplAdminTableHead: th-nosort merged into th with nosort=true param
- Fragment deletions (all four themes: admin, default, lite, simple):
- Deleted: admin-action-ajax.html (replaced by comment-action-ajax)
- Deleted: admin-action-link.html (replaced by comment-action-link)
- Deleted: admin-note-label.html (replaced by span-btn)
- Deleted: admin-title-tip.html (replaced by title-tip)
- Deleted: th-nosort.html (merged into th with nosort flag)
- Updated: th.html to handle nosort conditional rendering
- Updated: admin-security-*.html to match new variable key names
Benefits:
- Fewer fragment files to maintain across themes
- Consistent single-word key naming convention throughout helpers
- th fragment handles both sort and no-sort columns via one template
Technical notes:
- Fragment renames are breaking changes for any direct getHtmlFrag() callers
- All call sites in admin modules updated in the following commit
- No functional HTML output changes

Extend the CSRF layer with a dedicated token-reader and a smarter checkSiteToken() that auto-resolves the token from the request context, eliminating the need for callers to pass the token explicitly.
Core changes:
- CSRF token reader (core/security.php):
- Add getRequestToken(): reads token from X-CSRF-Token header, X-XSRF-Token header, POST param, GET param, $_REQUEST fallback
  * Priority: header > POST > GET > $_REQUEST
  * Trims whitespace, returns empty string when absent
- CSRF validator (core/security.php):
- Change checkSiteToken() signature: $tok defaults to '' (auto-read)
  * If $tok is empty, calls getRequestToken() automatically
  * Adds cross-scope fallback: non-ajax scopes also accept global 'ajax' token
Benefits:
- Callers no longer need to extract and pass the token manually
- HTMX / fetch requests sending X-CSRF-Token header work out of the box
- One central place for all token extraction logic
Technical notes:
- Backward compatible: callers that still pass $tok explicitly continue to work
- Scope fallback is one-way: ajax-scoped checks do not accept scope-specific tokens

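The resolution order and one-way scope fallback described in the commit message above, as an added PHP sketch that is not the project's code: the function bodies, the `token` parameter name, the `$issued` scope map and the sample values are assumptions made for illustration.

```php
<?php
declare(strict_types=1);
// Added sketch: names follow the commit message; bodies and the 'token'
// parameter name are assumptions. Request arrays are passed in explicitly.
function getRequestToken(array $server, array $post, array $get, array $request): string
{
    $candidates = [
        $server['HTTP_X_CSRF_TOKEN'] ?? null,   // X-CSRF-Token header
        $server['HTTP_X_XSRF_TOKEN'] ?? null,   // X-XSRF-Token header
        $post['token'] ?? null,
        $get['token'] ?? null,
        $request['token'] ?? null,              // $_REQUEST fallback
    ];
    foreach ($candidates as $value) {
        // Array input (token[]=x) is skipped instead of being cast to a string.
        if (is_string($value) && trim($value) !== '') {
            return trim($value);
        }
    }
    return '';
}

// $issued maps scope => token issued for this session (constructed shape).
function checkSiteToken(array $issued, string $scope, string $tok = '', array $req = []): bool
{
    if ($tok === '') {
        $tok = getRequestToken($req['server'] ?? [], $req['post'] ?? [], $req['get'] ?? [], $req['request'] ?? []);
    }
    if ($tok === '') {
        return false;                            // an absent token never validates
    }
    $accepted = [$issued[$scope] ?? ''];
    if ($scope !== 'ajax') {
        $accepted[] = $issued['ajax'] ?? '';     // one-way cross-scope fallback
    }
    foreach ($accepted as $expected) {
        // hash_equals() compares in constant time; empty stored values never match.
        if ($expected !== '' && hash_equals($expected, $tok)) {
            return true;
        }
    }
    return false;
}
// Constructed sample data, not values from the project.
$issued = ['ajax' => 'a1a1a1a1', 'newsletter' => 'b2b2b2b2'];
$req = ['server' => ['HTTP_X_CSRF_TOKEN' => ' a1a1a1a1 '], 'post' => ['token' => 'stale']];
var_dump(checkSiteToken($issued, 'newsletter', '', $req)); // header beats POST; ajax token offered to a non-ajax scope
var_dump(checkSiteToken($issued, 'ajax', 'b2b2b2b2'));     // scope-specific token offered to an ajax check
var_dump(checkSiteToken($issued, 'newsletter'));           // no token anywhere in the request
```

Because the GET and $_REQUEST paths are accepted, a token can end up in URLs, server logs and Referer headers, so those are worth reviewing when auditing a reader like this. The non-ajax fallback also means a single disclosed 'ajax' token validates every other scope.
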
The shared/ fallback mechanism was reverted in the previous session. Physical files were already deleted; this commit syncs git tracking to match the filesystem state.

Remove 52 dead/duplicate fragments from all 3 frontend themes (default, lite, simple) and replace direct getHtmlFrag() calls with canonical helpers where they already exist.
Core changes:
- Dead fragments removed (templates/default|lite|simple/fragments/):
- 49 fragments with 0 frontend callers (admin-*, block wrappers, comment-action-delete, editor-files-, navi-tabs-, pager-, rating-, voting-close/open/stat-text, td-check, form-checkall, spoiler, etc.)
- 2 lite-specific dead fragments: lite-faq-random-link, lite-head-banner
- 1 duplicate resolved: admin-title-tip (canonical: title-tip)
- Duplicate fragments resolved:
- recommend-mail-link → files-external-link (identical content)
  * modules/recommend/index.php updated
- contact-admin-option → getTplSelectOption() migration
  * modules/contact/index.php updated
- Direct getHtmlFrag('form-option') → getTplSelectOption() (10 calls):
- modules/forum/index.php (2 calls, $sel variable removed)
- modules/pages, files, media, faq, links, news, jokes, help/index.php
Benefits:
- Fragment count: 388 → 336 per theme (-52 default/simple, -54 lite)
- All direct form-option calls now route through canonical helper
- Frontend and admin themes now have consistent, non-overlapping fragment sets
Technical notes:
- block-* fragments in blocks/ system kept intact (indirect callers)
- files-external-link kept as canonical for generic target=_blank links
- form-option fragment kept (still used by getTplSelectOption())

Eliminate duplicate, dead and module-specific admin fragments by migrating all list-head patterns to getTplAdminTableHead() and fixing shared helper canonical fragment references.
Core changes:
- Admin helpers (core/helpers.php):
- getTplAdminTableHead(): use th/th-nosort fragments, not inline HTML
- getTplAdminTableCells(): use td fragment, not inline HTML
- getTplAdminSection(): use admin-section-heading fragment
- getTplAdminTabClose(): use admin-tab-list-close fragment
- getTplAjaxAction(): fix canonical back to comment-action-ajax
- getTplDeleteAction(): fix canonical to action-delete
- Admin modules (21 files):
- Replace getHtmlFrag('admin-*-list-head') with getTplAdminTableHead([])
- admin/modules/: groups, messages, modules, newsletter, referers, security
- modules/*/admin/index.php: account, auto_links, clients, content, faq, files, help, jokes, links, media, money, news, order, pages, search, voting
- Admin fragments (templates/admin/fragments/):
- Delete 83 dead fragments (list-head, account-*, orphans)
- Restore incorrectly removed: td, th, th-nosort, admin-section-heading, admin-tab-list-close, admin-admins-permission-empty, comment-action-ajax
Benefits:
- Admin fragment count: 569 → 486 (-83)
- Single canonical path for all table headers via getTplAdminTableHead()
- Shared helpers use correct fragment names for all theme contexts
Technical notes:
- comment-action-ajax stays canonical for getTplAjaxAction() (shared, used in frontend)
- action-delete is canonical for getTplDeleteAction() (all themes)
- admin-whois-list-head.html kept (colspan=2, needs getTplAdminTableHead() extension)

Reverts Phase 2: themes (lite, default, simple, admin) are self-contained and must not depend on a shared/ fallback directory.
Core changes:
- templates/shared/: deleted
- templates/lite/, default/, simple/: all 388 files restored
- templates/admin/fragments/: 113 files restored
- core/classes/template.php: removed $shared property, shared fallback in getFile(), and shared path check in checkFile()
Benefits:
- Each theme is fully portable and independent
- No hidden cross-theme dependencies

Admin Phase 2: remove 113 fragments from templates/admin/ that are byte-identical to templates/shared/ — engine fallback now serves them transparently.
system.php migration: move setModuleNavi, setNaviLower, setPageNumbers, setArticleNumbers from core/system.php to core/helpers.php, establishing helpers.php as the single rendering layer for both frontend and admin.
Core changes:
- templates/admin/fragments/: 347 → 234 files (-113)
- core/helpers.php: +4 functions (setModuleNavi, setNaviLower, setPageNumbers, setArticleNumbers)
- core/system.php: -4 functions (same, removed)
Benefits:
- All fragment-rendering helpers are now in one place (core/helpers.php)
- Admin area no longer duplicates shared fragments — maintained in one location
- Zero call-site changes required (function names unchanged)
Technical notes:
- All 4 migrated functions rely on global $tpl/$db/$conf/$afile — unchanged
- setArticleNumbers internally calls setPageNumbers — order preserved in helpers.php
- php -l passes on both modified files





