Changelog

Total: 500 commits available | Filtered: 500 commits | Page: 36 / 50
17.03.2026
Refactor: Scheduler lang constants — rename, add warnings with security link
Author: Eduard Laas | Date: 15:11 17.03.2026

Rename all SCHEDULER* constants exceeding 18-char limit to comply with the updated constants.md naming rule (max 18 chars for lang constants). Add two new warning constants with a direct link to Security settings.

Core changes:
- _SCHEDULER_NEXT_RUN → _SCHEDULER_NEXTRUN
- _SCHEDULER_LAST_RUN → _SCHEDULER_LASTRUN
- _SCHEDULER_DURATION → _SCHEDULER_RUNTIME
- _SCHEDULER_SCHEDULE → _SCHEDULER_SCHED
- _SCHEDULER_PRIORITY → _SCHEDULER_PRIO
- _SCHEDULER_PRIORITY_INFO → _SCHEDULER_PRIOTIP
- _SCHEDULER_PRIORITY_DUP → _SCHEDULER_PRIODUP
- _SCHEDULER_UNLOCKED → _SCHEDULER_UNLOCKD
- _SCHEDULER_URL_INFO → _SCHEDULER_URLINFO
- _SCHEDULER_SYSTEM_INFO → _SCHEDULER_SYSINFO
- _SCHEDULER_SCHEDULE_INFO → _SCHEDULER_CRONFMT
- _SCHEDULER_WARN_DMAP → _SCHEDULER_WARNLOG
- Add _SCHEDULER_WARN_DB, _SCHEDULER_WARNLOG, _SCHEDULER_WARN_GO (all 6 locales)
- scheduler.php: show config warnings when log_b/log_d disabled, link to security settings

Benefits:
- All SCHEDULER* constants now ≤18 chars (rule compliant)
- Warnings inform admin where to enable the feature

Technical notes:
- Updated in all 6 locales simultaneously (de, en, fr, pl, ru, uk)
- Warning text uses correct semantic mapping: log_b=DB backup, log_d=file scan

Chore: untrack storage/counter/backup.log from git index
Author: Eduard Laas | Date: 11:51 17.03.2026

File is runtime state and already covered by .gitignore (/storage/counter/*). Was tracked only because it existed in the index before the ignore rule.

Refactor: Scheduler central dispatcher, remove handler dispatch
Author: Eduard Laas | Date: 11:34 17.03.2026

Replace string-based function_exists() dispatch and four wrapper functions with a typed match dispatcher. System jobs are now identified by a fixed 'system' key in config instead of a callable handler string. Sitemap admin trigger is routed through the scheduler flow.

Core changes:

- Dispatcher (core/system.php):
  - Add addSchedulerSystemJob() with match on 'backup'/'filescan'/'sitemap'/'newsletter'
    * Replaces dynamic function_exists($handler) call
    * Unknown system key returns failed status with explicit message
  - Remove addSchedulerBackup(), addSchedulerFilescan(), addSitemapTask() wrappers
    * Renamed doSitemap() to addSitemapTask() for naming consistency
  - Update addSchedulerRun() dispatch to call addSchedulerSystemJob()
  - Update getSchedulerJob() to normalize 'system' field instead of 'handler'
  - Update getSchedulerNextJob() validity checks to use type + system
- Config (config/scheduler.php):
  - Replace 'handler' field with 'system' in all 4 system jobs
    * dbbackup -> system: backup
    * filescan -> system: filescan
    * newsletter -> system: newsletter
    * sitemap -> system: sitemap
- Admin UI (admin/modules/scheduler.php):
  - Show 'system' value (readonly) instead of handler string
  - save() persists 'system' field instead of 'handler'
  - Remove 'handler' key from default new custom job
- Sitemap admin (modules/sitemap/admin/index.php):
  - Replace direct doSitemap() call with addSchedulerRun('sitemap', 'manual')
    * Uses lock mechanism, prevents race conditions

Benefits:
- Eliminates dynamic function dispatch via string from config (security improvement)
- Single dispatch point for all system jobs
- Consistent naming: addBackupTask, addFilescanTask, addSitemapTask

Technical notes:
- BREAKING CHANGE: 'handler' field is no longer read at runtime
- Existing configs without 'system' field will treat jobs as invalid
- doSitemap() renamed to addSitemapTask(); all call sites updated
- Verified: dbbackup, filescan, sitemap manual run successful; error logs clean
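
The dispatch change described in this commit, as an added PHP 8 example that is not SLAED's own code: the first function resolves a function name taken from config, the second accepts only a fixed set of system keys and fails on anything else. `runHandlerFromConfig()`, `runSystemJob()` and the task stubs are hypothetical names, and the config entries are constructed.

```php
<?php
declare(strict_types=1);

// Hypothetical task stubs standing in for the real job implementations.
function addBackupTask(): string   { return 'backup done'; }
function addFilescanTask(): string { return 'filescan done'; }

// Before: the config string is the function name. Any existing function whose
// name reaches the config becomes callable through the scheduler.
function runHandlerFromConfig(array $job): array
{
    $handler = (string)($job['handler'] ?? '');
    if ($handler !== '' && function_exists($handler)) {
        return ['status' => 'ok', 'message' => (string)$handler()];
    }
    return ['status' => 'failed', 'message' => 'handler not found'];
}

// After: the config carries a key, and the code owns the key-to-function map.
function runSystemJob(array $job): array
{
    $key = (string)($job['system'] ?? '');
    return match ($key) {
        'backup'   => ['status' => 'ok', 'message' => addBackupTask()],
        'filescan' => ['status' => 'ok', 'message' => addFilescanTask()],
        default    => ['status' => 'failed', 'message' => "unknown system job: {$key}"],
    };
}

// Constructed sample config entries.
$jobs = [
    ['handler' => 'addBackupTask', 'system' => 'backup'],
    ['handler' => 'phpversion',    'system' => 'phpversion'], // not a scheduler task
];
foreach ($jobs as $job) {
    printf("%-10s dynamic=%s  match=%s\n", $job['system'],
        runHandlerFromConfig($job)['status'], runSystemJob($job)['status']);
}
```

The second entry shows the difference: the name-based dispatcher runs a built-in that was never meant to be a job, while the `match` dispatcher returns a failed status for it.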

16.03.2026
Fix: Security hardening, SQL prepared statements, frontend plugin migration
Author: Eduard Laas | Date: 22:44 16.03.2026

Harden authentication, SQL queries, and input handling across admin and modules; migrate Bootstrap 5 and HTMX to plugins/ with proper structure.

Core changes:

- Authentication fixes (core/security.php, core/system.php, admin/index.php):
  - isAdmin(): remove substr() truncation on bcrypt hash (was 72 chars, now full)
  - is_user(): replace loose == with hash_equals() for timing-safe comparison
  - check_admin(), add_admin(): header('Location:') replaced with setRedirect()
  - logout(): raw SQL concatenation replaced with prepared statement + setRedirect()
  - changeeditor(): raw SQL replaced with prepared statement; $_POST → getVar()
  - login(): raw $_POST['aname'], $_POST['aemail'] → getVar()
- SQL hardening — LIKE prepared statements (8 modules):
  - modules/news, media, files, links, faq, pages, shop: $let interpolation replaced with :let placeholder + ['let' => $let.'%'] params
  - modules/help: $let and $uid both replaced with named placeholders
  - news: removed redundant addslashes() on $let
- Security headers (core/system.php):
  - Added X-Content-Type-Options: nosniff
  - Added X-Frame-Options: SAMEORIGIN
  - Added Referrer-Policy: strict-origin-when-cross-origin
- Frontend plugin structure (plugins/, config/global.php):
  - Bootstrap 5 (CSS + JS bundle + Icons) moved to plugins/bootstrap/
  - HTMX moved from templates/admin/js/ to plugins/htmx/
  - bootstrap-icons.css, fonts/ removed from templates/admin/
  - script_f and css_f updated to reflect new paths
- Scheduler module (admin/modules/scheduler.php, config/scheduler.php):
  - Full scheduler module implementation with cron-based job execution
- Newsletter module (admin/modules/newsletter.php, config/newsletter.php):
  - Newsletter configuration and admin module updates

Benefits:
- Timing-safe password comparison prevents brute-force timing attacks
- Prepared statements on LIKE queries eliminate SQL injection vectors
- Security headers protect against MIME sniffing, clickjacking, referrer leakage
- Centralised plugin paths simplify future library updates

Technical notes:
- bcrypt hashes are 60 chars; old 40-char substr caused login failure after migration
- setRedirect() calls exit internally; explicit exit after header() no longer needed
- params array passed as 10th arg to setArticleNumbers() — already supported
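
The LIKE change from this commit, as an added PHP example that is not SLAED's own code: an interpolated `$let` beside the bound `:let` form, plus a third variant showing that binding does not neutralise the `%` and `_` wildcards inside the value. It assumes the `pdo_sqlite` extension; the table, rows, function names and the `!` escape character are constructed for the illustration.

```php
<?php
declare(strict_types=1);

// In-memory SQLite stands in for the CMS database; table and rows are constructed.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE news (title TEXT)");
$db->exec("INSERT INTO news VALUES ('Alpha'), ('O''Brien'), ('100% uptime')");

// Before: $let is spliced into the SQL text, so a quote in it becomes SQL syntax.
function titlesInterpolated(PDO $db, string $let): array
{
    return $db->query("SELECT title FROM news WHERE title LIKE '{$let}%'")
              ->fetchAll(PDO::FETCH_COLUMN);
}

// After: the pattern travels as a bound value, as in ['let' => $let.'%'].
function titlesPrepared(PDO $db, string $let): array
{
    $st = $db->prepare('SELECT title FROM news WHERE title LIKE :let');
    $st->execute(['let' => $let . '%']);
    return $st->fetchAll(PDO::FETCH_COLUMN);
}

// Binding keeps the value out of the SQL grammar, but % and _ inside it are
// still LIKE wildcards. Escaping them keeps a "starts with" filter literal.
function titlesPreparedLiteral(PDO $db, string $let): array
{
    $escaped = strtr($let, ['!' => '!!', '%' => '!%', '_' => '!_']);
    $st = $db->prepare("SELECT title FROM news WHERE title LIKE :let ESCAPE '!'");
    $st->execute(['let' => $escaped . '%']);
    return $st->fetchAll(PDO::FETCH_COLUMN);
}

$let = "O'B"; // constructed input with an apostrophe
try {
    titlesInterpolated($db, $let);
} catch (PDOException $e) {
    echo "interpolated: query broken by input\n";
}
echo 'prepared: ', implode(', ', titlesPrepared($db, $let)), "\n";
echo 'bare %: ', count(titlesPrepared($db, '%')), ' rows vs ',
     count(titlesPreparedLiteral($db, '%')), " rows\n";
```

Whether a bare `%` should match every row is a product decision; where the letter filter is meant to be a literal prefix, the escaped variant enforces that.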

Chore: Newsletter and sitemap minor updates
Author: Eduard Laas | Date: 15:29 16.03.2026

Small maintenance changes to newsletter module and sitemap configuration to align with scheduler-based job dispatch and updated admin panel.

Core changes:

- Newsletter (admin/modules/newsletter.php, admin/info/newsletter/*.html):
  - Minor adjustments following scheduler integration refactor
- Sitemap (config/sitemap.php, modules/sitemap/admin/index.php, sitemap.xml):
  - Sitemap config and admin panel aligned with current module structure
  - sitemap.xml regenerated

Benefits:
- Consistent state after scheduler refactor
- Info pages reflect current system behavior

Feature: Security logs — full storage/logs/ coverage, dump_map rename
Author: Eduard Laas | Date: 15:29 16.03.2026

Expands the security statistics panel to cover all files in storage/logs/, replacing the .log-only filter with a label-based allowlist approach. Removes hardcoded .log extension throughout; .json files (dump_map, monitor) are now handled via an $ext exception map.

Core changes:

- Security module (admin/modules/security.php):
  - $labels array extended: database, dump, dump_log, dump_map, error_file, error_php, error_site, error_sql, hack, log, log_admin, log_user, monitor, warn
  - $ext map: ['dump_map' => 'json', 'monitor' => 'json']
  - security(): replaced preg_match('.log') with skip-list + isset($labels)
  - fileview(), down(), del(): use $ext[$file] ?? 'log' for path and filename
  - confsave(): persists sess_d, sess_b, log_b, log_d; dump_skip field added
- Info pages (admin/info/security/*.html — all 6):
  - Reference to hardcoded interval setting replaced with Scheduler module link
- Config (config/security.php):
  - dump_skip default removed (now managed via Scheduler/confsave)
  - log_d default adjusted

Benefits:
- .json log files (dump_map, monitor) now visible and downloadable in UI
- No unknown files shown: only keys present in $labels are rendered
- .htaccess and index.html automatically skipped

Technical notes:
- filterVar strips dots, so file extensions cannot be passed via URL
- Extension is derived server-side from $ext map with 'log' fallback

Feature: Scheduler module with cron-based job execution
Author: Eduard Laas | Date: 15:29 16.03.2026

Introduces a configurable task scheduler with cron-format schedules, per-job state tracking, lock/timeout protection, and a HTMX-powered live status panel. Replaces hardcoded filereport/backup/sitemap/newsletter triggers in index.php with a unified scheduler dispatch.

Core changes:

- Scheduler module (admin/modules/scheduler.php):
  - Live status table with HTMX auto-refresh per job
  - Add/edit/delete custom jobs, unlock stuck jobs, manual run trigger
  - Cron-format schedule field with format hint
- Scheduler engine (core/system.php):
  - getSchedulerConfig(), getSchedulerDir(), getSchedulerFile()
  - addSchedulerRun(): dispatches filereport, backup, sitemap, newsletter
  - checkSchedulerAccess(): validates cron/manual token access
  - dump.json renamed to dump_map.json to avoid key conflict with dump.log
- Dispatcher (index.php):
  - New case 'scheduler' in go==3 branch: validates access, runs job, returns JSON
- Config (config/scheduler.php, config/modules.php):
  - Default scheduler config with system jobs (filescan, backup, sitemap, newsletter)
  - scheduler module entry added to modules.php
- Lang (admin/lang/*.php — all 6 languages):
  - SCHEDULER* constants: status, last_run, last_ok, next_run, trigger, duration, fails, schedule, handler, priority, lock, unlock, run, jobkey, url, saved, deleted, unlocked, running, idle, addjob, editjob, url_info, system_info, saveerr, manual, batch, schedule_info
  - _SEC_STAT_DB, _SEC_STAT_DMAP, _SEC_STAT_MON: security log labels for database.log, dump_map.json, monitor.json

Benefits:
- Decoupled scheduling from HTTP request cycle
- Per-job state files with lock/timeout prevent concurrent execution
- Extensible: custom jobs configurable without code changes

Technical notes:
- Job state stored in storage/logs/scheduler/<job>.json
- Cron schedule validated server-side; manual runs bypass schedule check
- dump_map.json replaces dump.json (breaking: rename existing file)

Chore: merge local backup branch after syncing origin/master
Author: Eduard Laas | Date: 10:49 16.03.2026

Integrate the preserved local work back into master after fast-forwarding the branch to the latest origin/master state. This keeps the remote updates and the local language, configuration, setup, and test changes together without any history rewrite.

Core changes:

- Remote synchronization (master):
  - Fast-forward local master to origin/master
  - Keep upstream changes from the latest GitHub state
- Local work integration (config, language, setup, tests):
  - Merge the backup branch with the preserved local changes
  - Resolve the config/global.php conflict in favor of the saved local sitekey

Benefits:
- Leaves master up to date with GitHub and your local work intact
- Provides a recoverable backup branch and commit history
- Avoids destructive Git operations and force-based workflows

Technical notes:
- Merge commit created after fast-forward sync
- No rebase and no history rewrite
- Working tree should be clean after commit

Chore: save local language and setup changes before syncing origin
Author: Eduard Laas | Date: 10:48 16.03.2026

Preserve the current in-progress local work on language files, configuration, and setup flow before updating master from origin/master. This creates a safe restore point for merge-based synchronization without rewriting history.

Core changes:

- Language and config updates (admin/lang/.php, lang/.php, config/*.php):
  - Save current local edits across translations and configuration files
  - Preserve in-progress constant and module/security adjustments
- Setup and test updates (setup/index.php, tests/LanguageConstantsUsageTest.php):
  - Save local setup workflow changes
  - Preserve related test adjustments for later integration

Benefits:
- Provides a recoverable checkpoint before remote synchronization
- Reduces risk of losing uncommitted work during merge operations
- Keeps the update flow aligned with repository safety rules

Technical notes:
- No history rewrite
- Local backup commit only
- Backward compatibility to be validated after merge

Config: rotate sitekey
Author: Eduard Laas | Date: 00:13 16.03.2026

Total: 500 across 50 pages, 10 per page
