template.php was loaded inside setThemeInclude() (called per-request during theme setup), which meant template helpers were unavailable during early bootstrap before theme selection. Moving the require_once to the top-level boot block ensures template functions are available as soon as core/system.php is loaded.
Core changes:
- Boot sequence (core/system.php):
Added require_once BASE_DIR.'/core/template.php' after security.php/legacy.php * Removed duplicate require_once from setThemeInclude()
- Trailing newline (core/legacy.php):
- Added missing EOF newline
Benefits: - Template helpers available earlier in request lifecycle - Eliminates hidden dependency on setThemeInclude() call order - Consistent require_once placement with other core files
Technical notes: - No behavior change for standard request flow - Backward compatibility: full
Rename all non-compliant local variables to lowercase-no-underscore format per refactoring-standards.md §5, and expand $lctx closure to add cookie/session key truncation with explicit truncation flags.
Core changes:
- $lctx closure (core/security.php):
Expanded with per-key truncation: $ck, $cktr, $sk, $sktr, $ctx * Limits cookie/session key arrays to 50 entries * Adds cookie_keys_truncated / session_keys_truncated flags when cut
- Renamed: query/post use $q/$p; empty arrays become stdClass for JSON
- HTTP error handler (core/security.php):
- $http_msg -> $httpmsg
- error_reporting_log() parameters and locals (core/security.php):
- $error_num -> $errno, $error_var -> $errmsg
- $error_file -> $errfile, $error_line -> $errline
- $level_map -> $levelmap, $php_err -> $phperr
- error_sql_log() locals (core/security.php):
- $sql_orig -> $sqlorig, $sql_bytes -> $sqlbytes
- $sql_hash -> $sqlhash, $sql_safe -> $sqlsafe
Benefits: - Consistent naming across entire security layer - No behavior change — pure rename refactor
Technical notes: - All renamed variables are local scope only; no public API change - Backward compatibility: full
Move admin panel help HTML files from flat naming convention (module-lang.html) to per-module subdirectory layout (module/lang.html), improving organization and making locale additions straightforward.
Core changes:
- Admin info pages (admin/info/):
Renamed all flat module-lang.html files to module/lang.html layout * Pattern: admins-ru.html → admins/ru.html * 22 modules × 6 locales (de, en, fr, pl, ru, uk) reorganized
Benefits: - Cleaner directory structure per module - Easier to add new locales without polluting the flat namespace - Consistent with standard i18n subdirectory conventions
Synchronize all project docs with the current state of SLAED CMS 6.3. Five files updated: README, UPGRADING, CONTRIBUTING, SECURITY, TEMPLATES.
Core changes:
- README.md:
- Update migration badge from 70% to 75%
- Remove "Frontend modules ~35% remaining" (all 26 modules complete)
- UPGRADING.md:
Add Breaking Changes: config/rewrite.php removed, $confu['anonym'] removed, setConfigFile() reserved guard, getConfig() skip list
- Update Version History status to ~75%, add three new Major Changes items
- CONTRIBUTING.md:
Expand language constants [!IMPORTANT] block with placement rule (language/.php for public, admin/language/.php for admin-only)
- Add "Config Files -> Reserved Config Files" section with table
- SECURITY.md:
- Add NDJSON format note to Logging & Error Handling section
- Add "Config Write Protection" block (setConfigFile guard + getConfig skip)
- docs/TEMPLATES.md:
Add "SEO Placeholder Variables" section documenting all 14 setHead() placeholders ([homeurl], [site], [logo], [loc], [time], [mtime], [title], [desc], [img], [ctitle], [type], [url], [headline], [author])
Benefits: - Documentation accurately reflects the current codebase - Contributors have clear guidance on language constant placement - Reserved config file rules are documented
Technical notes: - docs/TESTS.md and CODE_OF_CONDUCT.md required no changes
The plans directory was moved under docs/ to better organize project planning files alongside other documentation.
Core changes:
- .gitignore:
- Change 'plans/' to 'docs/plans/'
Technical notes: - No functional change to the codebase
The three reserved config stubs (system.php, header.php, chmod.php) previously returned null to signal they are not config arrays. Replace with an explicit die() guard consistent with other protected system files, and add the standard SLAED copyright header.
Core changes:
- config/system.php, config/header.php, config/chmod.php:
- Add copyright header (Author, Copyright, License, Website)
- Replace 'return null' with: if (!defined('FUNC_FILE')) die('Illegal file access')
Benefits: - Consistent access protection across all restricted files - Standard SLAED file header present in all config stubs
Technical notes: - Files remain excluded from getConfig() merge via skip list in core/system.php - die() guard prevents direct HTTP access if .htaccess rules are misconfigured
Rename admin info HTML files in modules/content/admin/info/ from full language names to 2-letter locale codes, matching the convention used in other modules (news, pages, etc.).
Core changes:
- modules/content/admin/info/ (6 renames):
- english.html -> en.html
- french.html -> fr.html
- german.html -> de.html
- polish.html -> pl.html
- russian.html -> ru.html
- ukrainian.html -> uk.html
Benefits: - Consistent file naming across all module admin info directories - Aligns with the 2-letter locale code convention (en, de, fr, pl, ru, uk)
Technical notes: - File contents are preserved as-is - Admin panel loads info files by locale code; old names were unused
The rewrite.php file contained regex-based URL transformation rules managed through the admin editor. This functionality has been superseded: URL rewriting is now controlled exclusively by $conf['rewrite'] and server-level .htaccess rules. All include() calls and the rewrite() function were removed from the codebase in a prior cleanup.
Core changes:
- config/rewrite.php:
- File deleted (122 lines of legacy regex rewrite rules)
- admin/info/editor-*.html (6 language files):
- Remove "System SEF" tab description (referencing config/rewrite.php)
- Rename "Server SEF" tab to "Apache rules" for clarity
Benefits: - Removes dead code with no callers - Admin editor UI reflects the actual available tabs - Reduces confusion between PHP-level and server-level URL rewriting
Technical notes: - $conf['rewrite'] config key is preserved; controls mod_rewrite behavior - .htaccess-based rewriting remains fully functional
Protect reserved config files from being merged into $conf via getConfig() or accidentally overwritten via setConfigFile(). Three files serve system injection purposes (not config arrays) and must be excluded from glob merge.
Core changes:
- getConfig() (core/system.php):
- Replace single local.php check with explicit $skip array
- Skip list: local.php, system.php, header.php, chmod.php
- setConfigFile() (core/system.php):
- Add static $reserved guard at function entry point
- Reserved: system.php, header.php, chmod.php, local.php
- Calls with reserved filenames return silently without writing
Benefits: - Prevents accidental overwrite of system injection files - Eliminates false config merges from null-returning reserved files - Explicit skip list is self-documenting
Technical notes: - config/system.php, header.php, chmod.php return null by design - config/local.php provides per-environment overrides, must not be merged - Backward compatible: existing callers are unaffected
Remove the configurable anonymous user name ($confu['anonym']) and replace it with the static language constant _ANONYM defined in all six root language files. This eliminates a config option that had no practical need for per-site customization.
Core changes:
- Language files (language/*.php — 6 files):
Add define("_ANONYM", "...") between _AND and _ANSWER in all 6 languages * en: "Guest", ru: "Гость", de: "Gast", fr: "Invité", pl: "Gość", uk: "Гість"
- Admin language files (admin/language/*.php — 6 files):
- Remove define("_ANONYMOUSNAME", "...") from all 6 files
- Config and core (config/users.php, core/admin.php, core/security.php, core/user.php):
- Remove 'anonym' key from config/users.php
- Replace all $confu['anonym'] with _ANONYM
- Admin modules (modules/*/admin/index.php — 10 modules + account):
- Remove anonym form field from modules/account/admin/index.php
- Replace $confu['anonym'] with _ANONYM in 10 module admin files
- Block (blocks/block-user_info.php):
- Replace $confu['anonym'] with _ANONYM
Benefits: - Simplifies configuration (removes non-essential option) - Consistent anonymous name via i18n constant system - _ANONYM resides in language/*.php (globally loaded, not admin-only)
Technical notes: - _ANONYM is defined in language/.php, not admin/language/.php - core/security.php: collapsed $anon initialization into substr(_ANONYM, 0, 25)
