Журнал изменений

Continues the systematic migration of admin modules to the canonical new/* fragment layer, replacing all legacy helper functions and old fragment names with the new unified API. Adds CSRF token protection to all state-changing operations and introduces new template fragments for comments and pagination.

Core changes:

1. Admin module — admins (admin/modules/admins.php):
2. Replace getTplAdminNavi() → getTplAdminTabs() throughout
3. Migrate all form fields to new/input, new/checkbox, new/select, new/textarea
4. Inline getAdminself() and getAdminmods() into call sites; remove dead functions
5. Add checkSiteToken() guard to save() and delete()
6. Switch delete() from POST aid to GET req with token validation
7. Migrate table head to array format for new/table fragment
8. Admin module — blocks (admin/modules/blocks.php):
9. Replace all getTplAdminNavi() → getTplAdminTabs()
10. Migrate all form rows to new/form with row array structure
11. Add checkSiteToken() guard to addsave() and filecode()
12. Validate bfile via regex before use; sanitize filenames in filecode()
13. Fix block-file code extraction regex (cleaner preg_replace approach)
14. Pass getSiteToken() into getAdminBlockList()
15. Admin module — categories (admin/modules/categories.php):
16. Same API migration pattern as admins/blocks
17. Admin module — comments (admin/modules/comments.php):
18. Same API migration pattern; new comment and bulk-action fragments
19. System layer (core/system.php):
20. Supporting changes for new fragment API helpers
21. New template fragments:
22. templates/admin/fragments/comment-bulk-actions.html
23. templates/admin/fragments/comment.html
24. templates/admin/fragments/new/label-item.html
25. templates/admin/fragments/pagenum.html
26. templates/admin/fragments/pager-link.html
27. Updated fragments:
28. admin-admins-delete-form.html — adapted to new API shape
29. admin-admins-permission-cell.html — adapted to new API shape
30. templates/admin/assets/css/new.css — style adjustments

Benefits: - CSRF protection on all mutating admin operations - Uniform new/* fragment API across all migrated modules - Input validation tightened (bfile, lang filters)

Technical notes: - getAdminself() and getAdminmods() removed; logic inlined at call sites - delete() now reads aid from req (GET) instead of POST - Backward compatibility with old fragment names dropped intentionally

Backup of core/helpers.php prior to legacy function removal. Kept for reference during the migration wave.

Establishes the canonical new/* fragment base layer for the admin panel and migrates modules/content and admin/modules/security to the new API. Also consolidates core/helpers.php by removing legacy helper functions.

Core changes:

1. New fragment base layer (templates/admin/fragments/new/):

2. Added 30+ structural fragments: form, div-row, div, input, textarea, select, checkbox, radio, button, submit, hidden, label-hint, title-tip, alert, edit-tip, pager, pager-link, pager-dots, table, table-row, table-row-content, th, tabs, tabs-link, tabs-panel, module-head, user-search, row-actions, radio-group, div-collapse

3. Added new.css with full sl-* class definitions for all new fragments
4. Added box.html partial as canonical content box wrapper
5. Content module (modules/content/admin/index.php):
6. Migrated all functions to new fragment API
7. Replaced setArticleNumbers() with getTplPager() helper
8. rows passed as arrays, not string concatenation
9. Prepared SQL with named placeholders throughout
10. Security module (admin/modules/security.php):
11. Further alignment with new fragment contracts
12. Updated language constants across all 6 lang files
13. Core consolidation (core/helpers.php, core/system.php):
14. Removed legacy helper functions migrated to fragments
15. Reduced helpers.php by ~1200 lines

Benefits: - Unified admin output through neutral structural fragment contracts - sl-* CSS naming convention enforced throughout new layer - Legacy sl_* calls replaced in migrated modules

Technical notes: - system.css pruned of styles now covered by new.css - tabs.js updated to data-* runtime contract - getTplPager() replaces setArticleNumbers() for admin pagination

Complete the admin fragment refactor for security.php: replace the monolithic admin-security-ban-user-form fragment and getTplAdminForm calls with typed sub-fragments (add-div-input, add-div-textarea, add-div-check, add-div-collapse, add-div-user-search, tabs-panels). Delete stale planning docs now superseded by .agents/ + .rules/.

Core changes:

1. Ban form (admin/modules/security.php):

2. Replace getTplAdminForm/getTplAdminFormRow with add-div fragment * IP/CIDR ban form migrated to typed row data arrays * User ban form replaces admin-security-ban-user-form monolith * mail/collapse row uses new add-div-collapse + add-div-check

3. Fix getVar key: 'name' -> 'uname' in user ban lookup
4. Replace admin-uploads-config-tabs with tabs-panels fragment
5. New canonical fragments (templates/admin/fragments/):
6. add-div-check.html, add-div-collapse.html, add-div-input.html
7. add-div-submit.html, add-div-textarea.html, add-div-user-search.html
8. tabs-panels.html, tabs-panels-item.html
9. Removed legacy fragments:
10. admin-conf-save.html, admin-security-ban-user-form.html, form-submit.html
11. Docs cleanup:
12. Delete ADMIN_PLAN.md, FRONTEND_PLAN.md, RAW_SLOTS_ADMIN.md
13. Update TEMPLATES.md and TEMPLATE_STATUS.md to reflect new fragment set

Benefits: - All admin forms now use a uniform typed-row API - Monolithic per-form fragments replaced by composable sub-fragments - Stale planning docs removed; authoritative specs live in .agents/.rules/

Update security.php, database.php, and modules/content/admin/index.php to use the canonical input/label-hint/table/edit-tip fragments and add CSRF token verification to all mutating operations in the security module.

Core changes:

1. Security module CSRF hardening (admin/modules/security.php):

2. bansave(), passsave(), configsave(), delete(): add checkSiteToken() guard at function entry; render _TOKENMISS alert and return early on failure

3. All delete action URLs now include &token=getSiteToken() query parameter
4. banlist() ban-add form: hidden token field added via getTplHiddenInput()
5. passwd() form: hidden token field added
6. config() configsave form: hidden array now passed to config-div.html loop
7. Fragment migration (admin/modules/security.php):

8. getTplAdminHintLabel() → $tpl->getHtmlFrag('label-hint', [...]) for IP/CIDR, admin file, and dump-skip labels

9. getTplTextInput() → $tpl->getHtmlFrag('input', [...]) for blocker_cookie and afile text inputs

10. Database module (admin/modules/database.php):

11. getHtmlFrag('admin-input', [...]) → getHtmlFrag('input', [...]) for both submit buttons in dump()

12. Content module (modules/content/admin/index.php):

13. content(): list view migrated from getTplAdminTableHead/getTplAdminTableRow to $tpl->getHtmlFrag('table', [...]) with head array of column descriptors

14. Row rendering migrated to getHtmlFrag('table-row') + getHtmlFrag('table-row-content')
15. Action menu migrated to getHtmlFrag('edit-tip', [...]) with CSRF token on delete URL
16. Title cell migrated to getHtmlFrag('title-tip', ['items' => [...]]) + cutstr()

17. add(): form rows converted to array-based descriptor format; input/label-hint fragments used for title and RSS URL fields; getTplRefreshTimeSelect() for refresh select; getTplAddDateTime() for date picker; fields_in() replaced by getTplAddFieldRows(); body preview replaced by getTplPreviewContent()

18. Field input normalised: getVar('post', 'field[]', 'raw') + filterFields()

Benefits: - CSRF coverage extended to all mutating security module operations - Consistent fragment usage eliminates module-specific HTML builders - content/add form now uses the same add-div layout as other modules

Technical notes: - checkSiteToken() added to bansave (ids 1/2/3), passsave, configsave, delete - config-div.html hidden loop expects array of ['nameattr', 'valueattr'] maps - field[] input now read as raw array and normalised via filterFields()

Update three core utility functions in core/system.php to delegate to the canonical helper functions introduced in helpers.php, removing inline HTML construction and aligning with the array-based template API.

Core changes:

1. ad_save() (core/system.php):
2. Replaced inline <select>/<input> HTML with getTplSaveAction()

3. Passes name, valu, op, noprev as array; logic for preview/delete options is now in getTplSaveAction() and save-action-item.html

4. preview() (core/system.php):
5. Replaced manual filterMarkdown + getHtmlPart('preview') call with getTplPreviewContent()

6. Renamed $textc parameter to $field to match the field-string convention used by getTplPreviewContent() and getTplViewFieldRows()

7. Returns empty string when all inputs are blank (handled by getTplPreviewContent)
8. cutstr() (core/system.php):
9. Replaced if/elseif/elseif chain for $end selection with match expression

Benefits: - ad_save() and preview() are now pure data-passthrough wrappers - Eliminates duplicate HTML logic between system.php and the new helpers - cutstr() match expression is more idiomatic PHP 8+

Technical notes: - preview() signature change: $textc → $field; all call sites already pass field strings - No behaviour change for any of the three functions

Introduce six reusable helper functions that build admin and frontend HTML from prepared data structures and canonical fragments, replacing inline HTML construction scattered across modules.

Core changes:

1. getTplAddFieldRows() (core/helpers.php):
2. Parses module field definitions from $conf['fields'][$mod]
3. Returns array of ['label_html', 'field_html'] rows for add-div layout
4. Dispatches to add-field fragment for text(1), textarea(2), select(3)
5. Delegates to getTplAddDateTime() for date(5) and datetime(4) types
6. getTplAddDateTime() (core/helpers.php):
7. Renders a date/datetime-local picker paired with a hidden canonical value field
8. Uses static counter for unique IDs across multiple instances on one page
9. Returns add-datetime fragment HTML
10. getTplRefreshTimeSelect() (core/helpers.php):
11. Renders a fixed-interval <select> (15m/30m/1h/5h/10h/24h)
12. Uses refresh-select-time fragment; defaults to 3600 when value is empty/zero
13. getTplViewFieldRows() (core/helpers.php):
14. Renders read-only labelled rows from field string + module field definitions
15. Applies filterMarkdown+filterReplaceText for textarea(2) type fields
16. Returns view-field fragment HTML per visible field
17. getTplPreviewContent() (core/helpers.php):
18. Assembles full preview block: title, body_a, body_b, field rows
19. Uses getHtmlPart('preview-content') for page-level layout
20. Returns empty string when all inputs are blank
21. getTplSaveAction() (core/helpers.php):
22. Renders save/delete/preview <select> + hidden op + submit button
23. Accepts name, valu, op, noprev keys; conditionally includes delete/preview options
24. Uses save-action + save-action-item fragments

Benefits: - Centralises HTML assembly logic; modules only supply data arrays - Eliminates repeated inline HTML for date pickers, field loops, and save controls - Consistent escaping and fragment usage across all call sites

Technical notes: - getTplAddFieldRows() uses filterFields() to normalise array field input - getTplAddDateTime() relies on add-datetime fragment with hidden_id/picker_id pair - getTplSaveAction() replaces the ad_save() inline HTML builder in core/system.php

Introduce a complete set of shared, reusable admin fragments that replace the old module-specific ones, and rename preview pages to preview-content across all four themes to align with the new getTplPreviewContent() API.

Core changes:

1. New admin fragments (templates/admin/fragments/):
2. input.html — generic <input> with optional maxlength, placeholder, required
3. label-hint.html — label with inline hint text
4. edit-tip.html — action menu with view/edit/delete links (replaces inline action builders)
5. table.html — full <table> wrapper with optional head array or raw head_html
6. table-row.html — <tr> wrapper with optional class/attr
7. table-row-content.html — content module table row cells (id, title, date, reads, status, actions)
8. title-tip-item.html — single item inside a sl_tip nav tooltip
9. view-field.html — labelled read-only field for preview pane
10. add-field.html — dynamic form field (text, textarea, select) for module field definitions
11. add-div.html, add-div-row.html, add-div-item.html, add-div-hidden.html — add-form layout
12. add-datetime.html — date/datetime picker with hidden canonical value field
13. refresh-select-time.html — interval select (15m…24h)
14. save-action.html, save-action-item.html — save/delete/preview select + submit button
15. navi-tabs-wrap.html, config-div-hidden.html — supporting layout helpers
16. Updated fragments:
17. config-div.html — hidden inputs now rendered via {% for item in hidden %} loop
18. title-tip.html — supports content_html, content, items array, and label_text modes
19. Deleted legacy fragments:
20. admin-input.html, admin-hint-label.html — replaced by input.html, label-hint.html
21. admin-table.html, admin-table-row.html — replaced by table.html, table-row.html
22. admin-content-add-rows.html, admin-content-list-row.html — replaced by generic equivalents
23. Preview pages/partials renamed across all themes (admin, default, lite, simple):
24. preview.html → preview-content.html (page + partial)
25. CSS additions (system.css for admin/default/lite, theme.css for simple):
26. Add .sl-preview-, .sl-add-, .sl-save-action styling for new fragment layouts

Benefits: - Eliminates module-specific fragment duplication across admin and content modules - Uniform fragment API (array-based data) matches PHP helper function signatures - preview-content name now matches getTplPreviewContent() and getHtmlPart() call sites

Technical notes: - Deleted fragments had no remaining callers after prior refactor commits - config-div.html hidden loop requires array of ['nameattr', 'valueattr'] maps - title-tip.html is backward-compatible: all four variable modes are supported

Rename legacy admin helper functions to follow the getTpl* naming convention across core/admin.php, completing the function-rename pass started in previous refactor commits. Remove ~210 frontend fragment files that were erroneously tracked under templates/admin/fragments/.

Core changes:

1. Function renames (core/admin.php):
2. adminFlagBox() → getTplAdminFlagBox()
3. adminDeleteAction() → getTplDeleteAction()
4. adminLinkAction() → getTplLinkAction()
5. adminAjaxAction() → getTplAdminAjaxAction()
6. adminTitleTip() → getTplAdminTitleTip()
7. adminTitleTipLabel() → getTplAdminTipLabel()
8. adminNoteLabel() → getTplAdminNoteLabel()
9. adminMoveControls() → getTplAdminMoveControls()
10. adminMenuItems() → getTplAdminActionMenu()
11. adminCategoryRow/Table → getTplAdminCategoryRow/Table()
12. adminBlockRow/Table → getTplAdminBlockRow/Table()
13. adminFilesRow/Table → getTplAdminFilesRow/Table()
14. adminFilePreview() → getTplAdminFilePreview()
15. adminDangerText() → getTplAdminDangerText()
16. Module fix (admin/modules/newsletter.php):
17. Added missing $token to global declaration
18. Fragment cleanup (templates/admin/fragments/):

19. Removed ~210 frontend fragments (account/, forum/, shop/, voting/, editor/, media/, whois/*, etc.) that do not belong in admin/fragments/

20. Modified link-btn.html (minor tweak)

Benefits: - All admin rendering helpers now share the getTpl* prefix — consistent API - Removes dead template files that were never loaded by the admin layer - Reduces template directory noise by ~210 files

Technical notes: - All call sites in core/admin.php updated atomically — no external callers - Deleted fragments were not referenced by admin code; frontend uses its own template directories

Replace string-concatenation pattern ($rows .= getTplAdminFormRow(...)) with array descriptors ($rows[] = ['label_html' => ..., 'field_html' => ...]) across all 18 admin modules; getTplAdminRowsTable() now renders arrays internally, eliminating per-module fragment rendering calls.

Core changes:

1. Row rendering (core/helpers.php):

2. getTplAdminRowsTable() extended to accept array|string * array items dispatched to admin-form-row / admin-form-wide / raw_html * string path preserved for backward compat

3. Admin modules (admin/modules/*.php):
4. All 18 modules converted: $rows string → $rows[] array descriptors
5. adminInfoRow() call sites renamed to getTplAdminInfoRow() (core/admin.php)
6. Fragments (templates/admin/fragments/):
7. Added: config-div, config-div-row, config-div-item, config-div-content
8. Added: admin-menu-item, admin-lang-switch-item, bootstrap-icon

9. Removed: 24 obsolete per-module inline fragments (security, database, messages, newsletter, referers, scheduler, lang, uploads, form-conf, etc.)

10. CSS (templates/admin/assets/css/system.css):
11. +96 lines of admin UI styles supporting new fragment layout

Benefits: - Removes ~330 lines of net HTML/PHP, centralises row rendering in one helper - Obsolete one-off fragments eliminated, reducing template surface area - Consistent data-driven API for admin form construction across all modules

Technical notes: - getTplAdminRowsTable() remains backward compatible with string input - Deleted fragments were not referenced anywhere outside their own modules - No changes to public-facing templates or user-facing logic