Introduces a new language constant _ACCESS (de: 'Zugriff', en: 'Access', fr: 'Accès', pl: 'Dostęp', ru/uk: 'Доступ') placed alphabetically before the existing _SUPERUSER constant. Used as the column header and checkbox label in the admins module to distinguish plain module access from full super-admin access.
Core changes:
- All six admin language files (de, en, fr, pl, ru, uk):
Added define('_ACCESS', '<translation>') between _SUBCATEGORY and _SUPERUSER so alphabetical ordering is preserved
Benefits:
Enables the admins list to display a distinct 'Access' column header instead of reusing _SUPERUSER for a non-binary indicator
- Single-source translation for 'Access' across the whole admin panel
Technical notes:
_SUPERUSER ('Full access') is kept unchanged for backward compat with existing super-admin badge tooltips
The checkbox that grants unrestricted access to all modules was previously labelled 'Full access' in UI and documentation. This commit updates only the help/info pages so the label matches the upcoming constant rename in the codebase.
Core changes:
- Admin info pages — all six language variants (de, en, fr, pl, ru, uk):
Updated label references from 'Full access' / 'Vollzugriff' / 'Полный доступ' / 'Повний доступ' / 'Accès complet' / 'Pełny dostęp' to the shorter 'Access' / 'Zugriff' / 'Доступ' / 'Доступ' / 'Accès' / 'Dostęp' respectively
- Fixed missing newline at end of file in de, en, fr, pl, uk variants
Benefits:
- Documentation stays in sync with the renamed UI label
- Consistent terminology across all language variants
Technical notes:
- ru.md: heading 'Опция «Полный доступ»' updated to 'Опция «Доступ»'
- Columns description updated in ru.md to match new column header
- No logic or template changes in this commit
Aligns the template with the new PHP-side escaping contract: scalar monitor vars no longer need {{{ }}} (raw). SVG chart title vars switch to {{ }} now that PHP drops htmlspecialchars(). Request & Performance section redistributed so icon rows are balanced left vs right.
Core changes:
- Scalar var escaping (templates/admin/partials/basic-monitor.html):
- {{{ cmsver/phpver/mysql }}} → {{ }} in version status block
- {{{ uptime/osname/servfull/servprot/servname/serverip/servport }}} → {{ }}
- {{{ diskfree/dskread/dskwrite }}} → {{ }}
- {{{ lastbackuprun/backupdirsz/cachedirsz/logsdirsz/uploadssz }}} → {{ }}
- {{{ failedlogins24h/errorlog24h }}} → {{ }}
- {{{ phpsapi/zend_eng/php_char/memlim/scriptmem/maxtime }}} → {{ }}
- {{{ postmax/upmax/maxvars/maxfileup/gdver/opcache_* }}} → {{ }}
- {{{ dbchar/dbtz/dbmaxpack/dbbuffpool/dbconn/dbcurname/dbuser }}} → {{ }}
- {{{ reqip/mempeak }}} → {{ }}
- SVG title vars {{{ tip_up/down/cpu/ram }}} → {{ tip_* }}
- Request & Performance layout:
- LEFT: Client IP, Request URI (sl-tip), Query String (sl-tip),
Execution Time, DB Queries — 2 icon rows- RIGHT: Accept Language (sl-tip), Cookies (sl-tip), User Agent (sl-tip),
DB Time, Memory Peak — 3 icon rows- Previously: LEFT had 4 icon rows, RIGHT had 1 → visible asymmetry fixed
Benefits:
- No double-escaping; template engine owns the XSS boundary via {{ }}
- Request & Performance card visually balanced: 2 vs 3 icon rows
- Accept Language / Cookies / User Agent grouped on right (browser headers)
Technical notes:
{{{ }}} retained only for vars that intentionally output HTML fragments (sl-tip HTML from getHtmlFrag): servroot, dbsqlmode, extlist_, req, lastsecurityevent24h, dbissueevent24h, syncurl, status icons
Replaces word-wrap on the monitor value column with proper single-line truncation. sl-tip cells need overflow: visible so the popup and hover scale animation are not clipped; plain cells keep overflow: hidden.
Core changes:
- Monitor value column (templates/admin/assets/css/theme.css):
- Replace word-wrap/overflow-wrap with overflow:hidden + text-overflow:ellipsis
- :has(.sl-tip) override: overflow:visible (popup and icon scale escape clip)
.sl-tip inside td: margin-right:4px + vertical-align:middle + top:1px (top:1px corrects 1px vertical offset measured via getBoundingClientRect)
.sl-note inside td: display:inline-block + max-width:calc(100% - 26px) enables self-truncation without touching td display or table-layout:fixed
- Remove .sl-monitor-info-icon rule (class deleted with old fragment)
Benefits:
- Label text truncates cleanly at cell boundary in all rows
- Popup content never truncated — shows full value on hover/click
- Icon and text vertically centered to the pixel across all rows
- table-layout:fixed column widths preserved (no flex on td)
Technical notes:
- display:flex on td breaks table-layout:fixed in Chrome (td shrinks ~38%)
- overflow:hidden on td clips position:absolute popup before JS fires
- position:fixed (JS sl-float-open) escapes all ancestor overflow clipping
Replaces the old getTooltipText() / getLogSnippet() approach with the unified sl-tip popup component. PHP no longer does manual escaping or text truncation — the template engine handles escaping via {{ }} and CSS handles visual truncation in the value column.
Core changes:
- Monitor module (admin/modules/monitor.php):
- Delete getTooltipText() — replaced by getHtmlFrag('info-tooltip', ...)
- Delete getLogSnippet() — inlined as preg_replace('/\s+/', ' ', trim())
- Remove htmlspecialchars() from all scalar monitor vars (template escapes)
- Remove htmlspecialchars() from SVG chart title vars (tip_up/down/cpu/ram)
Replace getTooltipText() calls with getHtmlFrag('info-tooltip', [...]) for: servroot, dbsqlmode, extlist_on/off, all reqXxx vars,
lastsecurityevent24h, dbissueevent24h- Add global \$tpl to getMonitorTemplateVars() (required for getHtmlFrag)
- Deleted fragment templates:
- templates/admin/fragments/monitor-info-icon.html (old title= tooltip)
- templates/admin/fragments/monitor-tooltip-text.html (old short+icon)
Benefits:
- Single consistent popup component (sl-tip) across the entire admin UI
- Popup shows full untruncated content; CSS handles label truncation
- No double-escaping risk — template engine owns XSS boundary
Technical notes:
- getHtmlFrag('info-tooltip', ...) outputs raw HTML — use {{{ }}} in tpl
- Plain scalar vars now use {{ }} (auto-escaped) in template
- Log snippet whitespace normalization preserved inline at both call sites
Routine config regeneration after structural changes to global.php. Fingerprint and sitekey are derived values — no manual logic changed.
Core changes:
- Config fingerprint (config/local.php):
- base_fingerprint updated to reflect current global.php hash
- Global config (config/global.php):
- sitekey rotated as part of standard config refresh cycle
Benefits:
- Config integrity check will pass on next bootstrap
- No functional or behavioral change
Technical notes:
- Fingerprint is computed automatically by the config management tool
- sitekey is used for CSRF token generation
Flash messages generated before the admin module head (e.g. save confirmations) were lost because module-head.html had no render point for them. getTplAdminTabs() now passes flash_html and the partial outputs it directly below the tab bar.
Core changes:
- Admin tab helper (core/helpers.php):
- Pass flash_html => getFlashHtml() to module-head partial
- Module head partial (templates/admin/partials/module-head.html):
- Render {{{ flash_html }}} below tabs when present
- System (core/system.php):
- Extract \$time local var before array_replace for readability
- Fix DB debug text separator: ". Ø" → "/ Ø" (typographic correction)
Benefits:
- Flash messages (save/error notices) now always visible after redirect
- DB stats panel separator matches the visual design convention
Technical notes:
- getFlashHtml() consumes the flash session entry on first call
- Separator change is display-only; no data or logic affected
checkPerms() returns a permission-warning banner that must appear above the form. It was incorrectly assigned to \$body, overwriting the form before it was built. Moving it to \$cont ensures the banner is always rendered in the correct position regardless of form output.
Core changes:
- Auto Links config (modules/auto_links/admin/index.php):
- \$body = checkPerms(...) → \$cont .= checkPerms(...)
- \$body = \$tpl->getHtmlPart('form', ...) stays separate
- Changelog config (modules/changelog/admin/index.php):
- Same fix in config() function
- Also removed stale checkPerms() call from changelog() view
- Contact config (modules/contact/admin/index.php):
- Same fix pattern
Benefits:
- Permission banners now appear above the form, not silently lost
- Consistent output-routing across all module config views
- No logic change — only output variable assignment corrected
Technical notes:
- \$cont accumulates pre-form output; \$body holds the main form HTML
- Pattern now matches all other admin module config functions
Introduce a self-contained demo HTML in the project docs folder that showcases candidate hover treatments for Bootstrap-Icons-based controls. The page is intended as a design reference, not as production code.
Core changes:
- Demo page (docs/icon-hover-gradient-demo.html):
Standalone HTML with inline CSS that compares several icon-hover effects (gradients, glow, scale, shimmer)
Pulls the existing Bootstrap Icons stylesheet from templates/admin/assets/vendor so the icons render exactly as they do in the admin theme
- No JavaScript dependencies; the page is fully static
Benefits:
Provides a visual reference when iterating on admin button or icon hover styles without spinning up the full admin shell
- Lives under docs/ so it stays out of any production build pipeline
Technical notes:
- Pure documentation asset; not linked from runtime templates
Safe to open directly from disk because all styles are inline and the vendor stylesheet uses a relative path
- Can be retired later without affecting any shipped feature
Refresh the _meta.base_fingerprint snapshot stored in
config/local.php so it reflects the new defaults bundled in
config/global.php (refreshed admin logo and rotated site security
key). The fingerprint is the local override layer’s view of the upstream
default state and must move forward in lockstep.
Core changes:
- Local configuration meta (config/local.php):
Replace
_meta.base_fingerprintwith the hash that matches the currentconfig/global.php- Prevents the override layer from flagging the new defaults as
stale on first bootBenefits:
- Configuration loader recognises the new baseline immediately
- No spurious "defaults changed" indication after pulling the release
Technical notes:
- Pure metadata update; no behavior depends on the literal value
Always lands as the final commit in a config-defaults rotation so it reflects the fully-committed upstream state