<base> is not working properly, use full URL instead

was causing issues in other templates

.gitattributes

@@ -3,8 +3,12 @@
 .gitignore export-ignore
 .github export-ignore
 .editorconfig export-ignore
-.travis.yml export-ignore
 _config.yml export-ignore
 release.sh export-ignore
 
+# cypress
+cypress export-ignore
+cypress.config.js export-ignore
+cypress.env.json
+
 *.sh text eol=lf

.github/workflows/cypress.yml

@@ -0,0 +1,120 @@
+name: Cypress
+on:
+  pull_request:
+    branches: [develop]
+  push:
+    branches: [develop]
+
+jobs:
+  cypress:
+    runs-on: ubuntu-latest
+    services:
+      mysql:
+        image: mysql:8.0
+        env:
+          MYSQL_ROOT_PASSWORD: root
+          MYSQL_DATABASE: myaac
+          MYSQL_USER: myaac
+          MYSQL_PASSWORD: myaac
+        ports:
+          - 3306/tcp
+        options: --health-cmd="mysqladmin ping" --health-interval=10s --health-timeout=5s --health-retries=3
+    strategy:
+      fail-fast: false
+      matrix:
+        php-versions: [ '7.4', '8.0', '8.1' ]
+    name: MyAAC on PHP ${{ matrix.php-versions }}
+    steps:
+        - name: 📌 MySQL Start & init & show db
+          run: |
+            sudo /etc/init.d/mysql start
+            mysql -e 'CREATE DATABASE myaac;' -uroot -proot
+            mysql -e "SHOW DATABASES" -uroot -proot
+
+        - name: Checkout MyAAC
+          uses: actions/checkout@v3
+          with:
+            ref: develop
+
+        - name: Checkout TFS
+          uses: actions/checkout@v3
+          with:
+            repository: otland/forgottenserver
+            ref: 1.4
+            path: tfs
+
+        - name: Import TFS Schema
+          run: |
+              mysql -uroot -proot myaac < tfs/schema.sql
+
+        - name: Rename config.lua
+          run: mv tfs/config.lua.dist tfs/config.lua
+
+        - name: Replace mysqlUser
+          uses: jacobtomlinson/gha-find-replace@v2
+          with:
+            find: 'mysqlUser = "forgottenserver"'
+            replace: 'mysqlUser = "root"'
+            regex: false
+            include: 'tfs/config.lua'
+
+        - name: Replace mysqlPass
+          uses: jacobtomlinson/gha-find-replace@v2
+          with:
+              find: 'mysqlPass = ""'
+              replace: 'mysqlPass = "root"'
+              regex: false
+              include: 'tfs/config.lua'
+
+        - name: Replace mysqlDatabase
+          uses: jacobtomlinson/gha-find-replace@v2
+          with:
+              find: 'mysqlDatabase = "forgottenserver"'
+              replace: 'mysqlDatabase = "myaac"'
+              regex: false
+              include: 'tfs/config.lua'
+
+        - name: Setup PHP
+          uses: shivammathur/setup-php@v2
+          with:
+            php-version: ${{ matrix.php-versions }}
+            extensions: mbstring, dom, fileinfo, mysql, json, xml, pdo, pdo_mysql
+
+        - name: Get composer cache directory
+          id: composer-cache
+          run: echo "dir=$(composer config cache-files-dir)" >> $GITHUB_OUTPUT
+
+        - name: Cache composer dependencies
+          uses: actions/cache@v3
+          with:
+            path: ${{ steps.composer-cache.outputs.dir }}
+            # Use composer.json for key, if composer.lock is not committed.
+            # key: ${{ runner.os }}-composer-${{ hashFiles('**/composer.json') }}
+            key: ${{ runner.os }}-composer-${{ hashFiles('**/composer.lock') }}
+            restore-keys: ${{ runner.os }}-composer-
+
+        - name: Install Composer dependencies
+          run: composer install --no-progress --prefer-dist --optimize-autoloader
+
+        - name: Run PHP server
+          run: nohup php -S localhost:8080 > php.log 2>&1 &
+
+        - name: Cypress Run
+          uses: cypress-io/github-action@v5
+          env:
+            CYPRESS_URL: http://localhost:8080
+            CYPRESS_SERVER_PATH: /home/runner/work/myaac/myaac/tfs
+
+        - name: Save screenshots
+          uses: actions/upload-artifact@v3
+          if: always()
+          with:
+            name: cypress-screenshots
+            path: cypress/screenshots
+
+        - name: Upload Cypress Videos
+          uses: actions/upload-artifact@v3
+          if: always()
+          with:
+            name: cypress-videos
+            path: cypress/videos

.github/workflows/phplint.yml

@@ -1,13 +1,16 @@
 name: PHP Linting
 on:
   pull_request:
-    branches: [master, develop]
+    branches: [develop]
   push:
-    branches: [master]
+    branches: [develop]
 
 jobs:
   phplint:
     runs-on: ubuntu-latest
     steps:
-        - uses: actions/checkout@v1
+      - uses: actions/checkout@v3
-        - uses: michaelw90/PHP-Lint@master
+      - uses: overtrue/phplint@8.2
+        with:
+          path: .
+          options: --exclude=*.log

.gitignore

@@ -9,6 +9,10 @@ vendor
 # npm
 node_modules
 
+# cypress
+cypress.env.json
+cypress/e2e/2-advanced-examples
+
 # created by release.sh
 releases
 tmp
@@ -53,6 +57,8 @@ plugins/*
 !plugins/example.json
 !plugins/account-create-hint.json
 !plugins/account-create-hint
+!plugins/email-confirmed-reward.json
+!plugins/email-confirmed-reward
 landing
 
 # system

.htaccess

@@ -6,11 +6,13 @@
 	Options -MultiViews
 </IfModule>
 
+<FilesMatch "^(CHANGELOG\.md|README\.md|composer\.json|composer\.lock|package\.json|package-lock\.json|cypress\.env\.json)$">
+	Require all denied
+</FilesMatch>
+
 <IfModule mod_rewrite.c>
 	RewriteEngine On
 
-	# you can put here your myaac root folder
-	# path relative to web root
 	#RewriteBase /myaac/
 
 	RewriteCond %{REQUEST_FILENAME} !-f

.travis.yml

@@ -1,18 +0,0 @@
-
-language: php
-php:
-  - 7.1
-  - 7.2
-  - 7.3
-  - 7.4
-  - 8.0
-
-cache:
-  directories:
-    - $HOME/.composer/cache
-
-before_script:
-  - composer require php-parallel-lint/php-parallel-lint --no-suggest --no-progress --no-interaction --no-ansi --quiet --optimize-autoloader
-
-script:
-  - php vendor/bin/parallel-lint --no-progress --no-colors --exclude vendor --exclude "system/libs/pot/OTS_DB_PDOQuery.php" .

CHANGELOG.md

@@ -1,9 +1,55 @@
 # Changelog
 
-## [0.9.0 - x.x.2020]
+## [0.9.0-alpha - 02.06.2023]
+
+Minimum PHP version for this release is 7.2.5.
 
 ### Added
+* reworked Admin Panel (@Leesneaks, @gpedro, @slawkens)
+  * updated to Bootstrap v4
+  * new Menu
+  * new Dashboard: statistics, server status
+  * new Admin Bar showed on top when admin logged in
+  * new page: Server Data, to reload server data
+  * new pages: mass account & teleport tools
+  * changelogs editor
+  * revised Accounts & Players editors
+  * option to add/modify menus with plugins
+  * option to enable/disable plugins
+  * better, updated TinyMCE editor (v6.x)
+    * with option to upload images
+  * list of open source libraries used in project
+* brand new charming installation page (by @fernandomatos)
+  * using Bootstrap
+* new pages router: nikic/fast-route, allowing for better customisation
+* Guild Wars support (available as plugin)
+* support for login and create account only by email (configurable)
+  * with no need for account name
+* Google ReCAPTCHA v3 support (available as plugin)
+* automatically load towns names from .OTBM file
+* support for Account Number
+  * suggest account number option
+* many new functions, hooks and configurables
+* better Exception Handler (Whoops - https://github.com/filp/whoops)
+* add Cypress testing
 
 ### Changed
+* Composer is now used for external libraries like: Twig, PHPMailer, fast-route etc.
+* mail support is disabled on fresh install, can be manually enabled by user
+* disable add php pages in admin panel for security. Option to disable plugins upload
+* visitors counter shows now user browser, and also if its bot
+* changes in required and optional PHP extensions
+* reworked Pages:
+	* Bans
+		* works now for TFS 1.x
+	* Highscores
+		* frags works for TFS 1.x
+		* cached
+	* creatures
+* moved pages to Twig:
+  * experience stages
+* update player_deaths entries on name change
+* change_password email to be more informal
 
 ### Fixed
+* hundrets of bug fixes, mostly patched from 0.8, so it makes no sense writing them again here

CREDITS

@@ -1,3 +1,3 @@
 * Gesior.pl (2007 - 2008)
-* Slawkens (2009 - 2022)
+* Slawkens (2009 - 2023)
 * Contributors listed in CONTRIBUTORS.txt

README.md

@@ -36,7 +36,7 @@ Official website: https://my-aac.org
 			chmod 660 images/guilds
 			chmod 660 images/houses
 			chmod 660 images/gallery
-			chmod -R 770 system/cache
+			chmod -R 760 system/cache
 
 	Visit http://your_domain/install (http://localhost/install) and follow instructions in the browser.
 

admin/index.php

@@ -1,9 +1,10 @@
 <?php
+
 // few things we'll need
 require '../common.php';
 
-define('ADMIN_PANEL', true);
+const ADMIN_PANEL = true;
-define('MYAAC_ADMIN', true);
+const MYAAC_ADMIN = true;
 
 if(file_exists(BASE . 'config.local.php')) {
 	require_once BASE . 'config.local.php';
@@ -18,8 +19,8 @@ if(file_exists(BASE . 'install') && (!isset($config['installed']) || !$config['i
 $content = '';
 
 // validate page
-$page = isset($_GET['p']) ? $_GET['p'] : '';
+$page = $_GET['p'] ?? '';
-if(empty($page) || preg_match("/[^a-zA-Z0-9_\-]/", $page))
+if(empty($page) || preg_match("/[^a-zA-Z0-9_\-\/.]/", $page))
 	$page = 'dashboard';
 
 $page = strtolower($page);
@@ -28,6 +29,11 @@ define('PAGE', $page);
 require SYSTEM . 'functions.php';
 require SYSTEM . 'init.php';
 
+// verify myaac tables exists in database
+if(!$db->hasTable('myaac_account_actions')) {
+	throw new RuntimeException('Seems that the table <strong>myaac_account_actions</strong> of MyAAC doesn\'t exist in the database. This is a fatal error. You can try to reinstall MyAAC by visiting <a href="' . BASE_URL . 'install">this</a> url.');
+}
+
 if(config('env') === 'dev') {
 	ini_set('display_errors', 1);
 	ini_set('display_startup_errors', 1);
@@ -42,30 +48,40 @@ $hooks->load();
 require SYSTEM . 'status.php';
 require SYSTEM . 'login.php';
 require SYSTEM . 'migrate.php';
-require ADMIN . 'includes/functions.php';
+require __DIR__ . '/includes/functions.php';
 
 $twig->addGlobal('config', $config);
 $twig->addGlobal('status', $status);
 
+if (ACTION == 'logout') {
+	require SYSTEM . 'logout.php';
+}
+
 // if we're not logged in - show login box
 if(!$logged || !admin()) {
 	$page = 'login';
 }
 
 // include our page
-$file = SYSTEM . 'pages/admin/' . $page . '.php';
+$file = __DIR__ . '/pages/' . $page . '.php';
 if(!@file_exists($file)) {
+	if (strpos($page, 'plugins/') !== false) {
+		$file = BASE . $page;
+	}
+	else {
 		$page = '404';
 		$file = SYSTEM . 'pages/404.php';
+	}
 }
 
 ob_start();
-include($file);
+if($hooks->trigger(HOOK_ADMIN_BEFORE_PAGE)) {
+	require $file;
+}
 
 $content .= ob_get_contents();
 ob_end_clean();
 
 // template
 $template_path = 'template/';
-require ADMIN . $template_path . 'template.php';
+require __DIR__ . '/' . $template_path . 'template.php';
-?>

admin/pages/accounts.php

@@ -10,12 +10,17 @@
 defined('MYAAC') or die('Direct access not allowed!');
 
 $title = 'Account editor';
-$admin_base = BASE_URL . 'admin/?p=accounts';
+$admin_base = ADMIN_URL . '?p=accounts';
 $use_datatable = true;
 
 if ($config['account_country'])
 	require SYSTEM . 'countries.conf.php';
 
+$nameOrNumberColumn = 'name';
+if (USE_ACCOUNT_NUMBER) {
+	$nameOrNumberColumn = 'number';
+}
+
 $hasSecretColumn = $db->hasColumn('accounts', 'secret');
 $hasCoinsColumn = $db->hasColumn('accounts', 'coins');
 $hasPointsColumn = $db->hasColumn('accounts', 'premium_points');
@@ -31,8 +36,8 @@ if ($config['account_country']) {
 	foreach ($config['countries'] as $code => $c)
 		$countries[$code] = $c;
 }
-$web_acc = array("None", "Admin", "Super Admin", "(Admin + Super Admin)");
+$web_acc = ACCOUNT_WEB_FLAGS;
-$acc_type = array("None", "Normal", "Tutor", "Senior Tutor", "Gamemaster", "God");
+$acc_type = config('account_types');
 ?>
 
 <link rel="stylesheet" type="text/css" href="<?php echo BASE_URL; ?>tools/css/jquery.datetimepicker.css"/ >
@@ -48,16 +53,16 @@ else if (isset($_REQUEST['search'])) {
 	if (strlen($search_account) < 3 && !Validator::number($search_account)) {
 		echo_error('Player name is too short.');
 	} else {
-		$query = $db->query('SELECT `id` FROM `accounts` WHERE `name` = ' . $db->quote($search_account));
+		$query = $db->query('SELECT `id` FROM `accounts` WHERE `' . $nameOrNumberColumn . '` = ' . $db->quote($search_account));
 		if ($query->rowCount() == 1) {
 			$query = $query->fetch();
 			$id = (int)$query['id'];
 		} else {
-			$query = $db->query('SELECT `id`, `name` FROM `accounts` WHERE `name` LIKE ' . $db->quote('%' . $search_account . '%'));
+			$query = $db->query('SELECT `id`, `' . $nameOrNumberColumn . '` FROM `accounts` WHERE `' . $nameOrNumberColumn . '` LIKE ' . $db->quote('%' . $search_account . '%'));
 			if ($query->rowCount() > 0 && $query->rowCount() <= 10) {
 				$str_construct = 'Do you mean?<ul class="mb-0">';
 				foreach ($query as $row)
-					$str_construct .= '<li><a href="' . $admin_base . '&id=' . $row['id'] . '">' . $row['name'] . '</a></li>';
+					$str_construct .= '<li><a href="' . $admin_base . '&id=' . $row['id'] . '">' . $row[$nameOrNumberColumn] . '</a></li>';
 				$str_construct .= '</ul>';
 				echo_error($str_construct);
 			} else if ($query->rowCount() > 10)
@@ -70,7 +75,6 @@ else if (isset($_REQUEST['search'])) {
 ?>
 <div class="row">
 	<?php
-	$groups = new OTS_Groups_List();
 	if ($id > 0) {
 		$account = new OTS_Account();
 		$account->load($id);
@@ -146,7 +150,7 @@ else if (isset($_REQUEST['search'])) {
 			$web_lastlogin = strtotime($_POST['web_lastlogin']);
 			verify_number($web_lastlogin, 'Web Last login', 11);
 
-			if (!$error) {
+			if (!$error && $hooks->trigger(HOOK_ADMIN_ACCOUNTS_SAVE_POST, ['account_id' => $account->getId(), 'account_email' =>  $account->getEMail()])) {
 				if (USE_ACCOUNT_NAME) {
 					$account->setName($name);
 				}
@@ -186,8 +190,7 @@ else if (isset($_REQUEST['search'])) {
 				$account->setCustomField('web_lastlogin', $web_lastlogin);
 
 				if (isset($password)) {
-					$config_salt_enabled = $db->hasColumn('accounts', 'salt');
+					if (USE_ACCOUNT_SALT) {
-					if ($config_salt_enabled) {
 						$salt = generateRandomString(10, false, true, true);
 						$password = $salt . $password;
 						$account->setCustomField('salt', $salt);
@@ -196,7 +199,7 @@ else if (isset($_REQUEST['search'])) {
 					$password = encrypt($password);
 					$account->setPassword($password);
 
-					if ($config_salt_enabled)
+					if (USE_ACCOUNT_SALT)
 						$account->setCustomField('salt', $salt);
 				}
 
@@ -205,7 +208,7 @@ else if (isset($_REQUEST['search'])) {
 			}
 		}
 	} else if ($id == 0) {
-		$accounts_db = $db->query('SELECT `id`, `name`' . ($hasTypeColumn ? ',type' : ($hasGroupColumn ? ',group_id' : '')) . ' FROM `accounts` ORDER BY `id` ASC');
+		$accounts_db = $db->query('SELECT `id`, `' . $nameOrNumberColumn . '`' . ($hasTypeColumn ? ',type' : ($hasGroupColumn ? ',group_id' : '')) . ' FROM `accounts` ORDER BY `id` ASC');
 		?>
 		<div class="col-12 col-sm-12 col-lg-10">
 			<div class="card card-info card-outline">
@@ -217,7 +220,7 @@ else if (isset($_REQUEST['search'])) {
 						<thead>
 						<tr>
 							<th>ID</th>
-							<th>Name</th>
+							<th><?= ($nameOrNumberColumn == 'number' ? 'Number' : 'Name'); ?></th>
 							<?php if($hasTypeColumn || $hasGroupColumn): ?>
 							<th>Position</th>
 							<?php endif; ?>
@@ -228,7 +231,7 @@ else if (isset($_REQUEST['search'])) {
 						<?php foreach ($accounts_db as $account_lst): ?>
 							<tr>
 								<th><?php echo $account_lst['id']; ?></th>
-								<td><?php echo $account_lst['name']; ?></a></td>
+								<td><?php echo $account_lst[$nameOrNumberColumn]; ?></a></td>
 								<?php if($hasTypeColumn || $hasGroupColumn): ?>
 								<td>
 									<?php if ($hasTypeColumn) {
@@ -286,6 +289,11 @@ else if (isset($_REQUEST['search'])) {
 											<label for="name">Account Name:</label>
 											<input type="text" class="form-control" id="name" name="name" autocomplete="off" value="<?php echo $account->getName(); ?>"/>
 										</div>
+									<?php elseif (USE_ACCOUNT_NUMBER): ?>
+										<div class="col-12 col-sm-12 col-lg-4">
+											<label for="name">Account Number:</label>
+											<input type="text" class="form-control" id="name" name="name" autocomplete="off" value="<?php echo $account->getNumber(); ?>"/>
+										</div>
 									<?php endif; ?>
 									<div class="col-12 col-sm-12 col-lg-5">
 										<div class="form-check">

admin/pages/changelog.php

@@ -17,18 +17,18 @@ if (!hasFlag(FLAG_CONTENT_PAGES) && !superAdmin()) {
 
 $title = 'Changelog';
 $use_datatable = true;
-define('CL_LIMIT', 600); // maximum changelog body length
+const CL_LIMIT = 600; // maximum changelog body length
 ?>
 
 <link rel="stylesheet" type="text/css" href="<?php echo BASE_URL; ?>tools/css/jquery.datetimepicker.css"/ >
 <script src="<?php echo BASE_URL; ?>tools/js/jquery.datetimepicker.js"></script>
 <?php
-$id = isset($_GET['id']) ? $_GET['id'] : 0;
+$id = $_GET['id'] ?? 0;
 require_once LIBS . 'changelog.php';
 
 if(!empty($action))
 {
-	$id = isset($_REQUEST['id']) ? $_REQUEST['id'] : null;
+	$id = $_REQUEST['id'] ?? null;
 	$body = isset($_REQUEST['body']) ? stripslashes($_REQUEST['body']) : null;
 	$create_date = isset($_REQUEST['createdate']) ? (int)strtotime($_REQUEST['createdate'] ): null;
 	$player_id = isset($_REQUEST['player_id']) ? (int)$_REQUEST['player_id'] : null;
@@ -37,9 +37,9 @@ if(!empty($action))
 
 	$errors = array();
 
-	if($action == 'add') {
+	if($action == 'new') {
 
-		if(Changelog::add($body, $type, $where, $player_id, $create_date, $errors)) {
+		if(isset($body) && Changelog::add($body, $type, $where, $player_id, $create_date, $errors)) {
 			$body = '';
 			$type = $where = $player_id = $create_date = 0;
 
@@ -110,15 +110,14 @@ if($action == 'edit' || $action == 'new') {
 	$account_players->orderBy('group_id', POT::ORDER_DESC);
 	$twig->display('admin.changelog.form.html.twig', array(
 		'action' => $action,
-		'cl_link_form' => constant('ADMIN_URL').'?p=changelog&action=' . ($action == 'edit' ? 'edit' : 'add'),
+		'cl_link_form' => constant('ADMIN_URL').'?p=changelog&action=' . ($action == 'edit' ? 'edit' : 'new'),
-		'cl_id' => isset($id) ? $id : null,
+		'cl_id' => $id ?? null,
-		'body' => isset($body) ? htmlentities($body, ENT_COMPAT, 'UTF-8') : '',
+		'body' => isset($body) ? escapeHtml($body) : '',
-		'create_date' => isset($create_date) ? $create_date : '',
+		'create_date' => $create_date ?? '',
-		'player' => isset($player) && $player->isLoaded() ? $player : null,
+		'player_id' => $player_id ?? null,
-		'player_id' => isset($player_id) ? $player_id : null,
 		'account_players' => $account_players,
-		'type' => isset($type) ? $type : 0,
+		'type' => $type ?? 0,
-		'where' => isset($where) ? $where : 0,
+		'where' => $where ?? 0,
 		'log_type' => $log_type,
 		'log_where' => $log_where,
 	));

admin/pages/dashboard.php

@@ -47,10 +47,6 @@ $tmp = '';
 if (fetchDatabaseConfig('site_closed_message', $tmp))
 	$closed_message = $tmp;
 
-echo '<div class="row">';
-$twig->display('admin.dashboard.html.twig', array());
-echo '</div>';
-
 $configAdminPanelModules = config('admin_panel_modules');
 if (isset($configAdminPanelModules)) {
 	echo '<div class="row">';

admin/pages/login.php

@@ -10,9 +10,15 @@
 defined('MYAAC') or die('Direct access not allowed!');
 $title = 'Login';
 
-$twig->display('admin.login.html.twig', array(
+require PAGES . 'account/login.php';
-	'logout' => ($action == 'logout' ? 'You have  been logged out!'  : ''),
+if ($logged) {
+	header('Location: ' . ADMIN_URL);
+	return;
+}
+
+$twig->display('admin.login.html.twig', [
+	'logout' => (ACTION == 'logout' ? 'You have  been logged out!'  : ''),
 	'account' => USE_ACCOUNT_NAME ? 'Name' : 'Number',
 	'account_login_by' => getAccountLoginByLabel(),
-	'errors' => isset($errors)? $errors : ''
+	'errors' => $errors ?? ''
-));
+]);

admin/pages/mailer.php

@@ -16,7 +16,7 @@ if (!hasFlag(FLAG_CONTENT_MAILER) && !superAdmin()) {
 }
 
 if (!config('mail_enabled')) {
-	echo 'Mail support disabled.';
+	echo 'Mail support disabled in config.';
 	return;
 }
 

admin/pages/mass_account.php

@@ -22,23 +22,23 @@ function admin_give_points($points)
 	global $db, $hasPointsColumn;
 
 	if (!$hasPointsColumn) {
-		error('Points not supported.');
+		displayMessage('Points not supported.');
 		return;
 	}
 
 	$statement = $db->prepare('UPDATE `accounts` SET `premium_points` = `premium_points` + :points');
 	if (!$statement) {
-		error('Failed to prepare query statement.');
+		displayMessage('Failed to prepare query statement.');
 		return;
 	}
 
 	if (!$statement->execute([
 		'points' => $points
 	])) {
-		error('Failed to add points.');
+		displayMessage('Failed to add points.');
 		return;
 	}
-	success($points . ' points added to all accounts.');
+	displayMessage($points . ' points added to all accounts.', true);
 }
 
 function admin_give_coins($coins)
@@ -46,24 +46,24 @@ function admin_give_coins($coins)
 	global $db, $hasCoinsColumn;
 
 	if (!$hasCoinsColumn) {
-		error('Coins not supported.');
+		displayMessage('Coins not supported.');
 		return;
 	}
 
 	$statement = $db->prepare('UPDATE `accounts` SET `coins` = `coins` + :coins');
 	if (!$statement) {
-		error('Failed to prepare query statement.');
+		displayMessage('Failed to prepare query statement.');
 		return;
 	}
 
 	if (!$statement->execute([
 		'coins' => $coins
 	])) {
-		error('Failed to add coins.');
+		displayMessage('Failed to add coins.');
 		return;
 	}
 
-	success($coins . ' coins added to all accounts.');
+	displayMessage($coins . ' coins added to all accounts.', true);
 }
 
 function query_add_premium($column, $value_query, $condition_query = '1=1', $params = [])
@@ -72,12 +72,12 @@ function query_add_premium($column, $value_query, $condition_query = '1=1', $par
 
 	$statement = $db->prepare("UPDATE `accounts` SET `{$column}` = $value_query WHERE $condition_query");
 	if (!$statement) {
-		error('Failed to prepare query statement.');
+		displayMessage('Failed to prepare query statement.');
 		return false;
 	}
 
 	if (!$statement->execute($params)) {
-		error('Failed to add premium days.');
+		displayMessage('Failed to add premium days.');
 		return false;
 	}
 
@@ -89,7 +89,7 @@ function admin_give_premdays($days)
 	global $db, $freePremium;
 
 	if ($freePremium) {
-		error('Premium days not supported. Free Premium enabled.');
+		displayMessage('Premium days not supported. Free Premium enabled.');
 		return;
 	}
 
@@ -101,14 +101,14 @@ function admin_give_premdays($days)
 		if (query_add_premium('premend', '`premend` + :value', '`premend` > :now', ['value' => $value, 'now' => $now])) {
 			// set premend
 			if (query_add_premium('premend', ':value', '`premend` <= :now', ['value' => $now + $value, 'now' => $now])) {
-				success($days . ' premium days added to all accounts.');
+				displayMessage($days . ' premium days added to all accounts.', true);
 				return;
 			} else {
-				error('Failed to execute set query.');
+				displayMessage('Failed to execute set query.');
 				return;
 			}
 		} else {
-			error('Failed to execute append query.');
+			displayMessage('Failed to execute append query.');
 			return;
 		}
 
@@ -123,20 +123,20 @@ function admin_give_premdays($days)
 			if (query_add_premium('lastday', '`lastday` + :value', '`lastday` > :now', ['value' => $value, 'now' => $now])) {
 				// set lastday
 				if (query_add_premium('lastday', ':value', '`lastday` <= :now', ['value' => $now + $value, 'now' => $now])) {
-					success($days . ' premium days added to all accounts.');
+					displayMessage($days . ' premium days added to all accounts.', true);
 					return;
 				} else {
-					error('Failed to execute set query.');
+					displayMessage('Failed to execute set query.');
 					return;
 				}
-				success($days . ' premium days added to all accounts.');
+
 				return;
 			} else {
-				error('Failed to execute append query.');
+				displayMessage('Failed to execute append query.');
 				return;
 			}
 		} else {
-			error('Failed to execute set days query.');
+			displayMessage('Failed to execute set days query.');
 			return;
 		}
 
@@ -149,21 +149,21 @@ function admin_give_premdays($days)
 		if (query_add_premium('premium_ends_at', '`premium_ends_at` + :value', '`premium_ends_at` > :now', ['value' => $value, 'now' => $now])) {
 			// set premium_ends_at
 			if (query_add_premium('premium_ends_at', ':value', '`premium_ends_at` <= :now', ['value' => $now + $value, 'now' => $now])) {
-				success($days . ' premium days added to all accounts.');
+				displayMessage($days . ' premium days added to all accounts.', true);
 				return;
 			} else {
-				error('Failed to execute set query.');
+				displayMessage('Failed to execute set query.');
 				return;
 			}
 		} else {
-			error('Failed to execute append query.');
+			displayMessage('Failed to execute append query.');
 			return;
 		}
 
 		return;
 	}
 
-	error('Premium Days not supported.');
+	displayMessage('Premium Days not supported.');
 }
 
 if (isset($_POST['action']) && $_POST['action']) {
@@ -171,12 +171,12 @@ if (isset($_POST['action']) && $_POST['action']) {
 	$action = $_POST['action'];
 
 	if (preg_match("/[^A-z0-9_\-]/", $action)) {
-		error('Invalid action.');
+		displayMessage('Invalid action.');
 	} else {
 		$value = isset($_POST['value']) ? intval($_POST['value']) : 0;
 
 		if (!$value) {
-			error('Please fill all inputs');
+			displayMessage('Please fill all inputs');
 		} else {
 			switch ($action) {
 				case 'give-points':
@@ -189,14 +189,27 @@ if (isset($_POST['action']) && $_POST['action']) {
 					admin_give_premdays($value);
 					break;
 				default:
-					error('Action ' . $action . 'not found.');
+					displayMessage('Action ' . $action . 'not found.');
 			}
 		}
 	}
 }
-
+else {
-$twig->display('admin.tools.account.html.twig', array(
+	$twig->display('admin.tools.account.html.twig', array(
 		'hasCoinsColumn' => $hasCoinsColumn,
 		'hasPointsColumn' => $hasPointsColumn,
 		'freePremium' => $freePremium,
-));
+	));
+}
+
+function displayMessage($message, $success = false) {
+	global $twig, $hasCoinsColumn, $hasPointsColumn, $freePremium;
+
+	$success ? success($message): error($message);
+
+	$twig->display('admin.tools.account.html.twig', array(
+		'hasCoinsColumn' => $hasCoinsColumn,
+		'hasPointsColumn' => $hasPointsColumn,
+		'freePremium' => $freePremium,
+	));
+}

admin/pages/mass_teleport.php

@@ -0,0 +1,116 @@
+<?php
+/**
+ * Teleport Admin Tool
+ *
+ * @package   MyAAC
+ * @author    Slawkens <slawkens@gmail.com>
+ * @author    Lee
+ * @copyright 2020 MyAAC
+ * @link      https://my-aac.org
+ */
+defined('MYAAC') or die('Direct access not allowed!');
+
+$title = 'Mass Teleport Actions';
+
+function admin_teleport_position($x, $y, $z) {
+	global $db;
+	$statement = $db->prepare('UPDATE `players` SET `posx` = :x, `posy` = :y, `posz` = :z');
+	if (!$statement) {
+		displayMessage('Failed to prepare query statement.');
+		return;
+	}
+
+	if (!$statement->execute([
+		'x' => $x, 'y' => $y, 'z' => $z
+	])) {
+		displayMessage('Failed to execute query.');
+		return;
+	}
+
+	displayMessage('Player\'s position updated.', true);
+}
+
+function admin_teleport_town($town_id) {
+	global $db;
+	$statement = $db->prepare('UPDATE `players` SET `town_id` = :town_id');
+	if (!$statement) {
+		displayMessage('Failed to prepare query statement.');
+		return;
+	}
+
+	if (!$statement->execute([
+		'town_id' => $town_id
+	])) {
+		displayMessage('Failed to execute query.');
+		return;
+	}
+
+	displayMessage('Player\'s town updated.', true);
+}
+
+if (isset($_POST['action']) && $_POST['action'])    {
+
+	$action = $_POST['action'];
+
+	if (preg_match("/[^A-z0-9_\-]/", $action)) {
+		displayMessage('Invalid action.');
+	} else {
+
+		$playersOnline = 0;
+		if($db->hasTable('players_online')) {// tfs 1.0
+			$query = $db->query('SELECT count(*) AS `count` FROM `players_online`');
+		} else {
+			$query = $db->query('SELECT count(*) AS `count` FROM `players` WHERE `players`.`online` > 0');
+		}
+
+		$playersOnline = $query->fetch(PDO::FETCH_ASSOC);
+		if ($playersOnline['count'] > 0) {
+			displayMessage('Please, close the server before execute this action otherwise players will not be affected.');
+			return;
+		}
+
+		$town_id = isset($_POST['town_id']) ? intval($_POST['town_id']) : null;
+		$posx = isset($_POST['posx']) ? intval($_POST['posx']) : null;
+		$posy = isset($_POST['posy']) ? intval($_POST['posy']) : null;
+		$posz = isset($_POST['posz']) ? intval($_POST['posz']) : null;
+		$to_temple = $_POST['to_temple'] ?? null;
+
+		switch ($action) {
+			case 'set-town':
+				if (!$town_id) {
+					displayMessage('Please fill all inputs');
+					return;
+				}
+
+				if (!isset($config['towns'][$town_id])) {
+					displayMessage('Specified town does not exist');
+					return;
+				}
+
+				admin_teleport_town($town_id);
+				break;
+			case 'set-position':
+				if (!$to_temple &&  ($posx < 0 || $posx > 65535 || $posy < 0 || $posy > 65535|| $posz < 0 || $posz > 16)) {
+					displayMessage('Invalid Position');
+					return;
+				}
+
+				admin_teleport_position($posx, $posy, $posz);
+				break;
+			default:
+				displayMessage('Action ' . $action . 'not found.');
+		}
+	}
+
+}
+else {
+	$twig->display('admin.tools.teleport.html.twig', array());
+}
+
+
+function displayMessage($message, $success = false) {
+	global $twig;
+
+	$success ? success($message): error($message);
+	$twig->display('admin.tools.teleport.html.twig', array());
+}

admin/pages/menus.php

@@ -93,7 +93,7 @@ if (isset($_REQUEST['template'])) {
 								if (isset($menus[$id])) {
 									foreach ($menus[$id] as $i => $menu):
 										?>
-										<li class="ui-state-default" id="list-<?php echo $id ?>-<?php echo $i ?>"><label>Name:</label> <input type="text" name="menu[<?php echo $id ?>][]" value="<?php echo $menu['name'] ?>"/>
+										<li class="ui-state-default" id="list-<?php echo $id ?>-<?php echo $i ?>"><label>Name:</label> <input type="text" name="menu[<?php echo $id ?>][]" value="<?php echo escapeHtml($menu['name']); ?>"/>
 											<label>Link:</label> <input type="text" name="menu_link[<?php echo $id ?>][]" value="<?php echo $menu['link'] ?>"/>
 											<input type="hidden" name="menu_blank[<?php echo $id ?>][]" value="0"/>
 											<label><input class="blank-checkbox" type="checkbox" <?php echo($menu['blank'] == 1 ? 'checked' : '') ?>/><span title="Open in New Window">New Window</span></label>

admin/pages/news.php

@@ -23,8 +23,8 @@ if (!hasFlag(FLAG_CONTENT_PAGES) && !superAdmin()) {
 header('X-XSS-Protection:0');
 
 // some constants, used mainly by database (cannot by modified without schema changes)
-define('TITLE_LIMIT', 100);
+define('NEWS_TITLE_LIMIT', 100);
-define('BODY_LIMIT', 65535); // maximum news body length
+define('NEWS_BODY_LIMIT', 65535); // maximum news body length
 define('ARTICLE_TEXT_LIMIT', 300);
 define('ARTICLE_IMAGE_LIMIT', 100);
 
@@ -43,12 +43,12 @@ if(!empty($action))
 	$forum_section = isset($_REQUEST['forum_section']) ? $_REQUEST['forum_section'] : null;
 	$errors = array();
 
-	if($action == 'add') {
+	if($action == 'new') {
 		if(isset($forum_section) && $forum_section != '-1') {
 			$forum_add = Forum::add_thread($p_title, $body, $forum_section, $player_id, $account_logged->getId(), $errors);
 		}
 
-		if(News::add($p_title, $body, $type, $category, $player_id, isset($forum_add) && $forum_add != 0 ? $forum_add : 0, $article_text, $article_image, $errors)) {
+		if(isset($p_title) && News::add($p_title, $body, $type, $category, $player_id, isset($forum_add) && $forum_add != 0 ? $forum_add : 0, $article_text, $article_image, $errors)) {
 			$p_title = $body = $comments = $article_text = $article_image = '';
 			$type = $category = $player_id = 0;
 
@@ -115,21 +115,21 @@ if($action == 'edit' || $action == 'new') {
 	$twig->display('admin.news.form.html.twig', array(
 		'action' => $action,
 		'news_link' => getLink(PAGE),
-		'news_link_form' => '?p=news&action=' . ($action == 'edit' ? 'edit' : 'add'),
+		'news_link_form' => '?p=news&action=' . ($action == 'edit' ? 'edit' : 'new'),
-		'news_id' => isset($id) ? $id : null,
+		'news_id' => $id ?? null,
-		'title' => isset($p_title) ? $p_title : '',
+		'title' => $p_title ?? '',
-		'body' => isset($body) ? htmlentities($body, ENT_COMPAT, 'UTF-8') : '',
+		'body' => isset($body) ? escapeHtml($body) : '',
-		'type' => isset($type) ? $type : null,
+		'type' => $type ?? null,
 		'player' => isset($player) && $player->isLoaded() ? $player : null,
-		'player_id' => isset($player_id) ? $player_id : null,
+		'player_id' => $player_id ?? null,
 		'account_players' => $account_players,
-		'category' => isset($category) ? $category : 0,
+		'category' => $category ?? 0,
 		'categories' => $categories,
 		'forum_boards' => getForumBoards(),
-		'forum_section' => isset($forum_section) ? $forum_section : null,
+		'forum_section' => $forum_section ?? null,
-		'comments' => isset($comments) ? $comments : null,
+		'comments' => $comments ?? null,
-		'article_text' => isset($article_text) ? $article_text : null,
+		'article_text' => $article_text ?? null,
-		'article_image' => isset($article_image) ? $article_image : null
+		'article_image' => $article_image ?? null
 	));
 }
 

admin/pages/open_source.php

@@ -1,16 +1,14 @@
 <?php
 /**
- * Account confirm mail
+ * Open Source libraries
- * Keept for compability
  *
  * @package   MyAAC
  * @author    Slawkens <slawkens@gmail.com>
- * @copyright 2019 MyAAC
+ * @copyright 2023 MyAAC
  * @link      https://my-aac.org
  */
 defined('MYAAC') or die('Direct access not allowed!');
 
-if($action == 'confirm_email') {
+$title = 'Open Source';
-	require_once PAGES . 'account/confirm_email.php';
+
-}
+$twig->display('admin.open_source.html.twig');
-?>

admin/pages/pages.php

@@ -18,13 +18,18 @@ if (!hasFlag(FLAG_CONTENT_PAGES) && !superAdmin()) {
 
 header('X-XSS-Protection:0');
 
-$name = $p_title = '';
+$name = $p_title = null;
 $groups = new OTS_Groups_List();
 
 $php = false;
 $enable_tinymce = true;
 $access = 0;
 
+// some constants, used mainly by database (cannot by modified without schema changes)
+define('PAGE_TITLE_LIMIT', 30);
+define('PAGE_NAME_LIMIT', 30);
+define('PAGE_BODY_LIMIT', 65535); // maximum page body length
+
 if (!empty($action)) {
 	if ($action == 'delete' || $action == 'edit' || $action == 'hide')
 		$id = $_REQUEST['id'];
@@ -50,12 +55,13 @@ if (!empty($action)) {
 	$errors = array();
 	$player_id = 1;
 
-	if ($action == 'add') {
+	if ($action == 'new') {
-		if (Pages::add($name, $p_title, $body, $player_id, $php, $enable_tinymce, $access, $errors)) {
+		if (isset($p_title) && Pages::add($name, $p_title, $body, $player_id, $php, $enable_tinymce, $access, $errors)) {
 			$name = $p_title = $body = '';
 			$player_id = $access = 0;
 			$php = false;
 			$enable_tinymce = true;
+			success('Added successful.');
 		}
 	} else if ($action == 'delete') {
 		if (Pages::delete($id, $errors))
@@ -70,15 +76,18 @@ if (!empty($action)) {
 			$enable_tinymce = $_page['enable_tinymce'] == '1';
 			$access = $_page['access'];
 		} else {
-			Pages::update($id, $name, $p_title, $body, $player_id, $php, $enable_tinymce, $access);
+			if(Pages::update($id, $name, $p_title, $body, $player_id, $php, $enable_tinymce, $access, $errors)) {
 				$action = $name = $p_title = $body = '';
 				$player_id = 1;
 				$access = 0;
 				$php = false;
 				$enable_tinymce = true;
+				success('Updated successful.');
+			}
 		}
 	} else if ($action == 'hide') {
-		Pages::toggleHidden($id, $errors);
+		Pages::toggleHidden($id, $errors, $status);
+		success(($status == 1 ? 'Show' : 'Hide') . ' successful.');
 	}
 
 	if (!empty($errors))
@@ -106,7 +115,7 @@ $twig->display('admin.pages.form.html.twig', array(
 	'title' => $p_title,
 	'php' => $php,
 	'enable_tinymce' => $enable_tinymce,
-	'body' => isset($body) ? htmlentities($body, ENT_COMPAT, 'UTF-8') : '',
+	'body' => isset($body) ? escapeHtml($body) : '',
 	'groups' => $groups->getGroups(),
 	'access' => $access
 ));
@@ -117,6 +126,48 @@ $twig->display('admin.pages.html.twig', array(
 
 class Pages
 {
+	static public function verify($name, $title, $body, $player_id, $php, $enable_tinymce, $access, &$errors)
+	{
+		if(!isset($title[0]) || !isset($body[0])) {
+			$errors[] = 'Please fill all inputs.';
+			return false;
+		}
+		if(strlen($name) > PAGE_NAME_LIMIT) {
+			$errors[] = 'Page name cannot be longer than ' . PAGE_NAME_LIMIT . ' characters.';
+			return false;
+		}
+		if(strlen($title) > PAGE_TITLE_LIMIT) {
+			$errors[] = 'Page title cannot be longer than ' . PAGE_TITLE_LIMIT . ' characters.';
+			return false;
+		}
+		if(strlen($body) > PAGE_BODY_LIMIT) {
+			$errors[] = 'Page content cannot be longer than ' . PAGE_BODY_LIMIT . ' characters.';
+			return false;
+		}
+		if(!isset($player_id) || $player_id == 0) {
+			$errors[] = 'Player ID is wrong.';
+			return false;
+		}
+		if(!isset($php) || ($php != 0 && $php != 1)) {
+			$errors[] = 'Enable PHP is wrong.';
+			return false;
+		}
+		if ($php == 1 && !getBoolean(config('admin_pages_php_enable'))) {
+			$errors[] = 'PHP pages disabled on this server. To enable go to config.php and change admin_pages_php_enable to "yes".';
+			return false;
+		}
+		if(!isset($enable_tinymce) || ($enable_tinymce != 0 && $enable_tinymce != 1)) {
+			$errors[] = 'Enable TinyMCE is wrong.';
+			return false;
+		}
+		if(!isset($access) || $access < 0 || $access > PHP_INT_MAX) {
+			$errors[] = 'Access is wrong.';
+			return false;
+		}
+
+		return true;
+	}
+
 	static public function get($id)
 	{
 		global $db;
@@ -129,8 +180,11 @@ class Pages
 
 	static public function add($name, $title, $body, $player_id, $php, $enable_tinymce, $access, &$errors)
 	{
+		if(!self::verify($name, $title, $body, $player_id, $php, $enable_tinymce, $access, $errors)) {
+			return false;
+		}
+
 		global $db;
-		if (isset($name[0]) && isset($title[0]) && isset($body[0]) && $player_id != 0) {
 		$query = $db->select(TABLE_PREFIX . 'pages', array('name' => $name));
 		if ($query === false)
 			$db->insert(TABLE_PREFIX . 'pages',
@@ -146,14 +200,16 @@ class Pages
 			);
 		else
 			$errors[] = 'Page with this link already exists.';
-		} else
-			$errors[] = 'Please fill all inputs.';
 
 		return !count($errors);
 	}
 
-	static public function update($id, $name, $title, $body, $player_id, $php, $enable_tinymce, $access)
+	static public function update($id, $name, $title, $body, $player_id, $php, $enable_tinymce, $access, &$errors)
 	{
+		if(!self::verify($name, $title, $body, $player_id, $php, $enable_tinymce, $access, $errors)) {
+			return false;
+		}
+
 		global $db;
 		$db->update(TABLE_PREFIX . 'pages',
 			array(
@@ -166,6 +222,8 @@ class Pages
 				'access' => $access
 			),
 			array('id' => $id));
+
+		return true;
 	}
 
 	static public function delete($id, &$errors)
@@ -182,15 +240,18 @@ class Pages
 		return !count($errors);
 	}
 
-	static public function toggleHidden($id, &$errors)
+	static public function toggleHidden($id, &$errors, &$status)
 	{
 		global $db;
 		if (isset($id)) {
 			$query = $db->select(TABLE_PREFIX . 'pages', array('id' => $id));
-			if ($query !== false)
+			if ($query !== false) {
 				$db->update(TABLE_PREFIX . 'pages', array('hidden' => ($query['hidden'] == 1 ? 0 : 1)), array('id' => $id));
-			else
+				$status = $query['hidden'];
+			}
+			else {
 				$errors[] = 'Page with id ' . $id . ' does not exists.';
+			}
 		} else
 			$errors[] = 'id not set';
 

admin/pages/phpinfo.php

@@ -16,4 +16,4 @@ if (!function_exists('phpinfo')) { ?>
 	<?php return;
 }
 ?>
-<iframe src="<?php echo BASE_URL; ?>admin/tools/phpinfo.php" width="1024" height="550"></iframe>
+<iframe src="<?php echo ADMIN_URL; ?>tools/phpinfo.php" width="1024" height="550"></iframe>

admin/pages/players.php

@@ -10,7 +10,7 @@
 defined('MYAAC') or die('Direct access not allowed!');
 
 $title = 'Player editor';
-$player_base = BASE_URL . 'admin/?p=players';
+$player_base = ADMIN_URL . '?p=players';
 
 $use_datatable = true;
 require_once LIBS . 'forum.php';
@@ -634,9 +634,9 @@ else if (isset($_REQUEST['search'])) {
 											<label for="look_addons" class="control-label">Addons:</label>
 											<select name="look_addons" id="look_addons" class="form-control custom-select">
 												<?php
-												$addon_type = array(0, 1, 2, 3);
+												$addon_type = array("None", "First", "Second", "Both");
 												foreach ($addon_type as $id => $s_name) {
-													echo '<option value=' . $s_name . ($id == $player->getLookAddons() ? ' selected' : '') . '>' . $s_name . '</option>';
+													echo '<option value=' . $id . ($id == $player->getLookAddons() ? ' selected' : '') . '>' . $s_name . '</option>';
 												}
 												?>
 											</select>
@@ -663,7 +663,14 @@ else if (isset($_REQUEST['search'])) {
 									</div>
 									<div class="col-12 col-sm-12 col-lg-6">
 										<label for="lastip" class="control-label">Last IP:</label>
-										<input type="text" class="form-control" id="lastip" name="lastip" autocomplete="off" maxlength="10" value="<?php echo longToIp($player->getLastIP()); ?>" readonly/>
+										<input type="text" class="form-control" id="lastip" name="lastip" autocomplete="off" maxlength="10" value="<?php
+										if (strlen($player->getLastIP()) > 11) {
+											echo inet_ntop($player->getLastIP());
+										}
+										else {
+											echo longToIp($player->getLastIP());
+										}
+										?>" readonly/>
 									</div>
 								</div>
 								<?php if ($db->hasColumn('players', 'loss_experience')): ?>

admin/pages/plugins.php

@@ -0,0 +1,136 @@
+<?php
+/**
+ * Plugins
+ *
+ * @package   MyAAC
+ * @author    Slawkens <slawkens@gmail.com>
+ * @copyright 2019 MyAAC
+ * @link      https://my-aac.org
+ */
+defined('MYAAC') or die('Direct access not allowed!');
+$title = 'Plugin manager';
+$use_datatable = true;
+
+require_once LIBS . 'plugins.php';
+
+if (!getBoolean(config('admin_plugins_manage_enable'))) {
+	warning('Plugin installation and management is disabled in config.<br/>If you wish to enable, go to config.php and change <b>admin_plugins_manage_enable</b> to "yes".');
+}
+else {
+	$twig->display('admin.plugins.form.html.twig');
+
+	if (isset($_REQUEST['uninstall'])) {
+		$uninstall = $_REQUEST['uninstall'];
+
+		if (Plugins::uninstall($uninstall)) {
+			success('Successfully uninstalled plugin ' . $uninstall);
+		} else {
+			error('Error while uninstalling plugin ' . $uninstall . ': ' . Plugins::getError());
+		}
+	} else if (isset($_REQUEST['enable'])) {
+		$enable = $_REQUEST['enable'];
+		if (Plugins::enable($enable)) {
+			success('Successfully enabled plugin ' . $enable);
+		} else {
+			error('Error while enabling plugin ' . $enable . ': ' . Plugins::getError());
+		}
+	} else if (isset($_REQUEST['disable'])) {
+		$disable = $_REQUEST['disable'];
+		if (Plugins::disable($disable)) {
+			success('Successfully disabled plugin ' . $disable);
+		} else {
+			error('Error while disabling plugin ' . $disable . ': ' . Plugins::getError());
+		}
+	} else if (isset($_FILES['plugin']['name'])) {
+		$file = $_FILES['plugin'];
+		$filename = $file['name'];
+		$tmp_name = $file['tmp_name'];
+		$type = $file['type'];
+
+		$name = explode('.', $filename);
+		$accepted_types = array('application/zip', 'application/x-zip-compressed', 'multipart/x-zip', 'application/x-compressed', 'application/octet-stream', 'application/zip-compressed');
+
+		if (isset($file['error'])) {
+			$error = 'Error uploading file';
+			switch ($file['error']) {
+				case UPLOAD_ERR_OK:
+					$error = false;
+					break;
+				case UPLOAD_ERR_INI_SIZE:
+				case UPLOAD_ERR_FORM_SIZE:
+					$error .= ' - file too large (limit of ' . ini_get('upload_max_filesize') . ' bytes). You can enlarge the limits by changing "upload_max_filesize" in php.ini';
+					break;
+				case UPLOAD_ERR_PARTIAL:
+					$error .= ' - file upload was not completed.';
+					break;
+				case UPLOAD_ERR_NO_FILE:
+					$error .= ' - zero-length file uploaded.';
+					break;
+				default:
+					$error .= ' - internal error #' . $file['error'];
+					break;
+			}
+		}
+
+		if (isset($error) && $error != false) {
+			error($error);
+		} else {
+			if (is_uploaded_file($file['tmp_name'])) {
+				$filetype = strtolower(pathinfo($filename, PATHINFO_EXTENSION));
+				if ($filetype == 'zip') // check if it is zipped/compressed file
+				{
+					$tmp_filename = pathinfo($filename, PATHINFO_FILENAME);
+					$targetzip = BASE . 'plugins/' . $tmp_filename . '.zip';
+
+					if (move_uploaded_file($tmp_name, $targetzip)) { // move uploaded file
+						if (Plugins::install($targetzip)) {
+							foreach (Plugins::getWarnings() as $warning) {
+								warning($warning);
+							}
+
+							$info = Plugins::getPluginJson();
+							success((isset($info['name']) ? '<strong>' . $info['name'] . '</strong> p' : 'P') . 'lugin has been successfully installed.');
+						} else {
+							$error = Plugins::getError();
+							error(!empty($error) ? $error : 'Unexpected error happened while installing plugin. Please try again later.');
+						}
+
+						unlink($targetzip); // delete the Zipped file
+					} else
+						error('There was a problem with the upload. Please try again.');
+				} else {
+					error('The file you are trying to upload is not a .zip file. Please try again.');
+				}
+			} else {
+				error('Error uploading file - unknown error.');
+			}
+		}
+	}
+}
+
+$plugins = array();
+foreach (get_plugins(true) as $plugin) {
+	$string = file_get_contents(BASE . 'plugins/' . $plugin . '.json');
+	$plugin_info = json_decode($string, true);
+
+	if (!$plugin_info) {
+		warning('Cannot load plugin info ' . $plugin . '.json');
+	} else {
+		$disabled = (strpos($plugin, 'disabled.') !== false);
+		$pluginOriginal = ($disabled ? str_replace('disabled.', '', $plugin) : $plugin);
+		$plugins[] = array(
+			'name' => $plugin_info['name'] ?? '',
+			'description' => $plugin_info['description'] ?? '',
+			'version' => $plugin_info['version'] ?? '',
+			'author' => $plugin_info['author'] ?? '',
+			'contact' => $plugin_info['contact'] ?? '',
+			'file' => $pluginOriginal,
+			'enabled' => !$disabled,
+			'uninstall' => isset($plugin_info['uninstall'])
+		);
+	}
+}
+
+$twig->display('admin.plugins.html.twig', array(
+	'plugins' => $plugins
+));

admin/pages/tools.php

@@ -21,7 +21,7 @@ if (preg_match("/[^A-z0-9_\-]/", $tool)) {
 	return;
 }
 
-$file = SYSTEM . 'pages/admin/tools/' . $tool . '.php';
+$file = ADMIN . 'tools/' . $tool . '.php';
 
 if (@file_exists($file)) {
 	require $file;

admin/pages/visitors.php

@@ -8,6 +8,11 @@
  * @link      https://my-aac.org
  */
 defined('MYAAC') or die('Direct access not allowed!');
+
+use DeviceDetector\DeviceDetector;
+use DeviceDetector\Parser\Client\Browser;
+use DeviceDetector\Parser\OperatingSystem;
+
 $title = 'Visitors';
 $use_datatable = true;
 
@@ -30,6 +35,31 @@ function compare($a, $b)
 $tmp = $visitors->getVisitors();
 usort($tmp, 'compare');
 
+foreach ($tmp as &$visitor) {
+	$userAgent = $visitor['user_agent'] ?? '';
+	if (!strlen($userAgent) || $userAgent == 'unknown') {
+		$browser = 'Unknown';
+	}
+	else {
+		$dd = new DeviceDetector($userAgent);
+		$dd->parse();
+
+		if ($dd->isBot()) {
+			$bot = $dd->getBot();
+			$message = '(Bot) %s, <a href="%s" target="_blank">%s</a>';
+			$browser = sprintf($message, $bot['category'], $bot['url'], $bot['name']);
+		}
+		else {
+			$osFamily = OperatingSystem::getOsFamily($dd->getOs('name'));
+			$browserFamily = Browser::getBrowserFamily($dd->getClient('name'));
+
+			$browser = $osFamily . ', ' . $browserFamily;
+		}
+	}
+
+	$visitor['browser'] = $browser;
+}
+
 $twig->display('admin.visitors.html.twig', array(
 	'config_visitors_counter_ttl' => $config['visitors_counter_ttl'],
 	'visitors' => $tmp

admin/template/menus.php

@@ -4,23 +4,23 @@ $menus = [
 	['name' => 'Dashboard', 'icon' => 'tachometer-alt', 'order' => 10, 'link' => 'dashboard'],
 	['name' => 'News', 'icon' => 'newspaper', 'order' => 20, 'link' =>
 		[
-			['name' => 'View', 'link' => 'news', 'order' => 10],
+			['name' => 'View', 'link' => 'news', 'icon' => 'list', 'order' => 10],
-			['name' => 'Add news', 'link' => 'news&action=new&type=1', 'order' => 20],
+			['name' => 'Add news', 'link' => 'news&action=new&type=1', 'icon' => 'plus', 'order' => 20],
-			['name' => 'Add ticker', 'link' => 'news&action=new&type=2', 'order' => 30],
+			['name' => 'Add ticker', 'link' => 'news&action=new&type=2', 'icon' => 'plus', 'order' => 30],
-			['name' => 'Add article', 'link' => 'news&action=new&type=3', 'order' => 40],
+			['name' => 'Add article', 'link' => 'news&action=new&type=3', 'icon' => 'plus', 'order' => 40],
 		],
 	],
 	['name' => 'Changelogs', 'icon' => 'newspaper', 'order' => 30, 'link' =>
 		[
-			['name' => 'View', 'link' => 'changelog', 'order' => 10],
+			['name' => 'View', 'link' => 'changelog', 'icon' => 'list', 'order' => 10],
-			['name' => 'Add', 'link' => 'changelog&action=new', 'order' => 20],
+			['name' => 'Add', 'link' => 'changelog&action=new', 'icon' => 'plus', 'order' => 20],
 		],
 	],
 	['name' => 'Mailer', 'icon' => 'envelope', 'order' => 40, 'link' => 'mailer', 'disabled' => !config('mail_enabled')],
 	['name' => 'Pages', 'icon' => 'book', 'order' => 50, 'link' =>
 		[
-			['name' => 'View', 'link' => 'pages', 'order' => 10],
+			['name' => 'View', 'link' => 'pages', 'icon' => 'list', 'order' => 10],
-			['name' => 'Add', 'link' => 'pages&action=new', 'order' => 20],
+			['name' => 'Add', 'link' => 'pages&action=new', 'icon' => 'plus', 'order' => 20],
 		],
 	],
 	['name' => 'Menus', 'icon' => 'list', 'order' => 60, 'link' => 'menus'],
@@ -28,23 +28,23 @@ $menus = [
 	['name' => 'Server Data', 'icon' => 'gavel', 'order' => 80, 'link' => 'data'],
 	['name' => 'Editor', 'icon' => 'edit', 'order' => 90, 'link' =>
 		[
-			['name' => 'Accounts', 'link' => 'accounts', 'order' => 10],
+			['name' => 'Accounts', 'link' => 'accounts', 'icon' => 'users', 'order' => 10],
-			['name' => 'Players', 'link' => 'players', 'order' => 20],
+			['name' => 'Players', 'link' => 'players', 'icon' => 'user-astronaut', 'order' => 20],
 		],
 	],
 	['name' => 'Tools', 'icon' => 'tools', 'order' => 100, 'link' =>
 		[
-			['name' => 'Mass Account Actions', 'link' => 'tools&tool=account', 'order' => 10],
+			['name' => 'Mass Account Actions', 'link' => 'mass_account', 'icon' => 'globe', 'order' => 10],
-			['name' => 'Mass Teleport Actions', 'link' => 'tools&tool=teleport', 'order' => 20],
+			['name' => 'Mass Teleport Actions', 'link' => 'mass_teleport', 'icon' => 'globe', 'order' => 20],
-			['name' => 'Notepad', 'link' => 'notepad', 'order' => 30],
+			['name' => 'Notepad', 'link' => 'notepad', 'icon' => 'marker', 'order' => 30],
-			['name' => 'phpinfo', 'link' => 'phpinfo', 'order' => 40],
+			['name' => 'phpinfo', 'link' => 'phpinfo', 'icon' => 'server', 'order' => 40],
 		],
 	],
 	['name' => 'Logs', 'icon' => 'bug', 'order' => 110, 'link' =>
 		[
-			['name' => 'Logs', 'link' => 'logs', 'order' => 10],
+			['name' => 'Logs', 'link' => 'logs', 'icon' => 'book', 'order' => 10],
-			['name' => 'Reports', 'link' => 'reports', 'order' => 20],
+			['name' => 'Reports', 'link' => 'reports', 'icon' => 'book', 'order' => 20],
-			['name' => 'Visitors', 'icon' => 'user', 'link' => 'visitors', 'order' => 30],
+			['name' => 'Visitors', 'link' => 'visitors', 'icon' => 'user', 'order' => 30],
 		],
 	],
 ];

admin/template/template.php

@@ -2,6 +2,7 @@
 <!doctype html>
 <html lang="en">
 <head>
+	<?php $hooks->trigger(HOOK_ADMIN_HEAD_START); ?>
 	<?php echo template_header(true); ?>
 	<title><?php echo (isset($title) ? $title . ' - ' : '') . $config['lua']['serverName'];?></title>
 	<meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no">
@@ -16,8 +17,10 @@
 	<script src="<?php echo BASE_URL; ?>tools/js/respond.min.js"></script>
 	<![endif]-->
 	<link rel="stylesheet" href="https://fonts.googleapis.com/css?family=Source+Sans+Pro:300,400,600,700,300italic,400italic,600italic">
+	<?php $hooks->trigger(HOOK_ADMIN_HEAD_END); ?>
 </head>
 <body class="sidebar-mini ">
+<?php $hooks->trigger(HOOK_ADMIN_BODY_START); ?>
 <?php if ($logged && admin()) { ?>
 	<div class="wrapper">
 		<nav class="main-header navbar navbar-expand navbar-white navbar-light">
@@ -79,12 +82,12 @@
 										$nav_construct .= ' active';
 										$used_menu = true;
 									}
-									$nav_construct .= '"><i class="far fa-' . (isset($sub_menu['icon']) ? $sub_menu['icon'] : 'circle') . ' nav-icon"></i><p>' . $sub_menu['name'] . '</p></a></li>';
+									$nav_construct .= '"><i class="fas fa-' . ($sub_menu['icon'] ?? 'circle') . ' nav-icon"></i><p>' . $sub_menu['name'] . '</p></a></li>';
 								}
 								?>
 								<li class="nav-item has-treeview<?php echo($used_menu ? ' menu-open' : '') ?>">
 									<a href="#" class="nav-link<?php echo($used_menu ? ' active' : '') ?>">
-										<i class="nav-icon fas fa-<?php echo(isset($menu['icon']) ? $menu['icon'] : 'link') ?>"></i>
+										<i class="nav-icon fas fa-<?php echo($menu['icon'] ?? 'link') ?>"></i>
 										<p><?php echo $menu['name'] ?></p><i class="right fas fa-angle-left"></i>
 									</a>
 									<ul class="nav nav-treeview">
@@ -159,6 +162,9 @@
 
 				<p><h5><a href="http://my-aac.org/" target="_blank"><i class="fas fa-shoe-prints"></i> MyAAC Official</a></h5>
 				<small>Goto MyAAC Official Website</small></p>
+
+				<p><h5><a href="?p=open_source"><i class="fas fa-wrench"></i> Open Source</a></h5>
+				<small>View Open Source Software MyAAC is using</small></p>
 			</div>
 		</aside>
 
@@ -192,5 +198,6 @@ if ($logged && admin()) {
 <script src="<?php echo BASE_URL; ?>tools/js/datatables.bs.min.js"></script>
 <?php } ?>
 <script src="<?php echo BASE_URL; ?>tools/js/adminlte.min.js"></script>
+<?php $hooks->trigger(HOOK_ADMIN_BODY_END); ?>
 </body>
 </html>

common.php

@@ -23,19 +23,21 @@
  * @copyright 2019 MyAAC
  * @link      https://my-aac.org
  */
-if (version_compare(phpversion(), '7.1', '<')) die('PHP version 7.1 or higher is required.');
+if (version_compare(phpversion(), '7.2.5', '<')) die('PHP version 7.2.5 or higher is required.');
 
 const MYAAC = true;
-const MYAAC_VERSION = '0.9.0-dev';
+const MYAAC_VERSION = '0.9.0-alpha';
-const DATABASE_VERSION = 33;
+const DATABASE_VERSION = 35;
 const TABLE_PREFIX = 'myaac_';
 define('START_TIME', microtime(true));
 define('MYAAC_OS', stripos(PHP_OS, 'WIN') === 0 ? 'WINDOWS' : (strtoupper(PHP_OS) === 'DARWIN' ? 'MAC' : 'LINUX'));
 define('IS_CLI', in_array(php_sapi_name(), ['cli', 'phpdb']));
 
 // account flags
+const FLAG_NONE = 0;
 const FLAG_ADMIN = 1;
 const FLAG_SUPER_ADMIN = 2;
+const FLAG_SUPER_BOTH = 3;
 const FLAG_CONTENT_PAGES = 4;
 const FLAG_CONTENT_MAILER = 8;
 const FLAG_CONTENT_NEWS = 16;
@@ -49,14 +51,27 @@ const FLAG_CONTENT_FAQ = 2048;
 const FLAG_CONTENT_MENUS = 4096;
 const FLAG_CONTENT_PLAYERS = 8192;
 
+// account access types
+const ACCOUNT_WEB_FLAGS = [
+	FLAG_NONE => 'None',
+	FLAG_ADMIN =>'Admin',
+	FLAG_SUPER_ADMIN => 'Super Admin',
+	FLAG_SUPER_BOTH =>'(Admin + Super Admin)',
+];
+
 // news
 const NEWS = 1;
 const TICKER = 2;
 const ARTICLE = 3;
 
+// here you can change location of admin panel
+// you need also to rename folder "admin"
+// this may improve security
+const ADMIN_PANEL_FOLDER = 'admin';
+
 // directories
 const BASE = __DIR__ . '/';
-const ADMIN = BASE . 'admin/';
+const ADMIN = BASE . ADMIN_PANEL_FOLDER . '/';
 const SYSTEM = BASE . 'system/';
 const CACHE = SYSTEM . 'cache/';
 const LOCALE = SYSTEM . 'locale/';
@@ -95,8 +110,10 @@ const TFS_LAST = TFS_03;
 // other definitions
 const ACCOUNT_NUMBER_LENGTH = 8;
 
-session_save_path(SESSIONS_DIR);
+if (!IS_CLI) {
-session_start();
+	session_save_path(SESSIONS_DIR);
+	session_start();
+}
 
 // basedir
 $basedir = '';
@@ -105,7 +122,7 @@ $size = count($tmp) - 1;
 for($i = 1; $i < $size; $i++)
 	$basedir .= '/' . $tmp[$i];
 
-$basedir = str_replace(['/admin', '/install', '/tools'], '', $basedir);
+$basedir = str_replace(['/' . ADMIN_PANEL_FOLDER, '/install', '/tools'], '', $basedir);
 define('BASE_DIR', $basedir);
 
 if(!IS_CLI) {
@@ -121,11 +138,9 @@ if(!IS_CLI) {
 
 	define('SERVER_URL', 'http' . (isset($_SERVER['HTTPS'][0]) && strtolower($_SERVER['HTTPS']) === 'on' ? 's' : '') . '://' . $baseHost);
 	define('BASE_URL', SERVER_URL . BASE_DIR . '/');
-	define('ADMIN_URL', SERVER_URL . BASE_DIR . '/admin/');
+	define('ADMIN_URL', SERVER_URL . BASE_DIR . '/' . ADMIN_PANEL_FOLDER . '/');
 
 	//define('CURRENT_URL', BASE_URL . $_SERVER['REQUEST_URI']);
-
-	require SYSTEM . 'exception.php';
 }
 
 $autoloadFile = VENDOR . 'autoload.php';

composer.json

@@ -9,6 +9,11 @@
         "phpmailer/phpmailer": "^6.1",
         "composer/semver": "^3.2",
         "twig/twig": "^2.0",
-        "erusev/parsedown": "^1.7"
+        "erusev/parsedown": "^1.7",
+        "nikic/fast-route": "^1.3",
+        "matomo/device-detector": "^6.0"
+    },
+    "require-dev": {
+        "filp/whoops": "^2.15"
     }
 }

config.php

@@ -73,7 +73,7 @@ $config = array(
 	'database_user' => '',
 	'database_password' => '',
 	'database_name' => '',
-	'database_log' => false, // should database queries be logged and and saved into system/logs/database.log?
+	'database_log' => false, // should database queries be logged and saved into system/logs/database.log?
 	'database_socket' => '', // set if you want to connect to database through socket (example: /var/run/mysqld/mysqld.sock)
 	'database_persistent' => false, // use database permanent connection (like server), may speed up your site
 
@@ -103,7 +103,14 @@ $config = array(
 	'account_login_by_email_fallback' => false, // allow also additionally login by Account Name/Number (for users that might forget their email)
 	'account_create_auto_login' => false, // auto login after creating account?
 	'account_create_character_create' => true, // allow directly to create character on create account page?
-	'account_mail_verify' => false, // force users to confirm their email addresses when registering account
+	'account_mail_verify' => false, // force users to confirm their email addresses when registering
+	'account_mail_confirmed_reward' => [ // reward users for confirming their E-Mails
+		// account_mail_verify needs to be enabled too
+		'premium_days' => 0,
+		'premium_points' => 0,
+		'coins' => 0,
+		'message' => 'You received %d %s for confirming your E-Mail address.' // example: You received 20 premium points for confirming your E-Mail address.
+	],
 	'account_mail_unique' => true, // email addresses cannot be duplicated? (one account = one email)
 	'account_mail_block_plus_sign' => true, // block email with '+' signs like test+box@gmail.com (help protect against spamming accounts)
 	'account_premium_days' => 0, // default premium days on new account
@@ -135,24 +142,24 @@ $config = array(
 	'smtp_secure' => '', // What kind of encryption to use on the SMTP connection. Options: '', 'ssl' (GMail) or 'tls' (Microsoft Outlook)
 	'smtp_debug' => false, // set true to debug (you will see more info in error.log)
 
-	// Google reCAPTCHA (prevent spam bots)
-	'recaptcha_enabled' => false, // enable recaptcha verification code
-	'recaptcha_type' => 'v3', // 'v2-checkbox', 'v2-invisible', 'v3'
-	'recaptcha_site_key' => '', // get your own site and secret keys at https://www.google.com/recaptcha
-	'recaptcha_secret_key' => '',
-	// following option apply only for ReCaptcha v2-checkbox
-	'recaptcha_v2_theme' => 'light', // light, dark
-	// following option apply only for ReCaptcha v3
-	// min score for validation, between 0 - 1.0
-	// https://developers.google.com/recaptcha/docs/v3#interpreting_the_score
-	'recaptcha_v3_min_score' => 0.5,
-
 	//
 	'generate_new_reckey' => true,				// let player generate new recovery key, he will receive e-mail with new rec key (not display on page, hacker can't generate rec key)
 	'generate_new_reckey_price' => 20,			// price for new recovery key
 	'send_mail_when_change_password' => true,	// send e-mail with new password when change password to account
 	'send_mail_when_generate_reckey' => true,	// send e-mail with rec key (key is displayed on page anyway when generate)
 
+	// you may need to adjust this for older tfs versions
+	// by removing Community Manager
+	'account_types' => [
+		'None',
+		'Normal',
+		'Tutor',
+		'Senior Tutor',
+		'Gamemaster',
+		'Community Manager',
+		'God',
+	],
+
 	// genders (aka sex)
 	'genders' => array(
 		0 => 'Female',
@@ -292,6 +299,10 @@ $config = array(
 	'status_interval' => 60,
 
 	// admin panel
+	'admin_plugins_manage_enable' => 'yes', // you can disable possibility to upload and uninstall plugins, for security
+	// enable support for plain php pages in admin panel, for security
+	// existing pages still will be working, so you need to delete them manually
+	'admin_pages_php_enable' => 'no',
 	'admin_panel_modules' => 'statistics,web_status,server_status,lastlogin,created,points,coins,balance',    // default - statistics,web_status,server_status,lastlogin,created,points,coins,balance
 
 	// other

cypress.config.js

@@ -0,0 +1,9 @@
+const { defineConfig } = require("cypress");
+
+module.exports = defineConfig({
+  e2e: {
+    setupNodeEvents(on, config) {
+      // implement node event listeners here
+    },
+  },
+});

cypress/e2e/1-install.cy.js

@@ -0,0 +1,75 @@
+describe('Install MyAAC', () => {
+	beforeEach(() => {
+		// Cypress starts out with a blank slate for each test
+		// so we must tell it to visit our website with the `cy.visit()` command.
+		// Since we want to visit the same URL at the start of all our tests,
+		// we include it in our beforeEach function so that it runs before each test
+		cy.visit(Cypress.env('URL'))
+	})
+
+	it('Go through installer', () => {
+		cy.visit(Cypress.env('URL') + '/install/?step=welcome')
+		cy.wait(1000)
+
+		cy.screenshot('install-welcome')
+
+		// step 1 - Welcome
+		cy.get('select[name="lang"]').select('en')
+
+		//cy.get('input[type=button]').contains('Next »').click()
+
+		cy.get('form').submit()
+
+		// step 2 - License
+		// just skip
+		cy.contains('GNU/GPL License');
+		cy.get('form').submit()
+
+		// step 3 - Requirements
+		cy.contains('Requirements check');
+
+		cy.get('#step').then(elem => {
+			elem.val('config');
+		});
+
+		cy.get('form').submit()
+
+		// step 4 - Configuration
+		cy.contains('Basic configuration');
+
+		cy.get('#vars_server_path').click().clear().type(Cypress.env('SERVER_PATH'))
+		cy.get('#vars_mail_admin').click().clear().type('noone@example.net')
+
+		cy.get('[type="checkbox"]').uncheck() // usage statistics uncheck
+
+		cy.wait(1000)
+
+		cy.get('form').submit()
+
+		// check if there is any error
+
+
+		// step 5 - Import Schema
+		cy.contains('Import MySQL schema');
+
+		// AAC is not installed yet, this message should not come
+		cy.contains('Seems AAC is already installed. Skipping importing MySQL schema..').should('not.exist')
+
+		cy.contains('[class="alert alert-success"]', 'Local configuration has been saved into file: config.local.php').should('be.visible')
+
+		cy.get('form').submit()
+
+		// step 6 - Admin Account
+		cy.get('#vars_email').click().clear().type('admin@my-aac.org')
+		cy.get('#vars_account').click().clear().type('admin')
+		cy.get('#vars_password').click().clear().type('test1234')
+		cy.get('#vars_password_confirm').click().clear().type('test1234')
+		cy.get('#vars_player_name').click().clear().type('Admin')
+
+		cy.get('form').submit()
+
+		cy.contains('[class="alert alert-success"]', 'Congratulations', { timeout: 30000 }).should('be.visible')
+
+		cy.screenshot('install-finish')
+	})
+})

cypress/e2e/2-create-account.cy.js

@@ -0,0 +1,33 @@
+describe('Create Account Page', () => {
+	beforeEach(() => {
+		// Cypress starts out with a blank slate for each test
+		// so we must tell it to visit our website with the `cy.visit()` command.
+		// Since we want to visit the same URL at the start of all our tests,
+		// we include it in our beforeEach function so that it runs before each test
+		cy.visit(Cypress.env('URL') + '/index.php/account/create')
+	})
+
+	it('Create Test Account', () => {
+		cy.screenshot('create-account-page')
+
+		cy.get('#account_input').type('tester')
+		cy.get('#email').type('tester@example.com')
+
+		cy.get('#password').type('test1234')
+		cy.get('#password2').type('test1234')
+
+		cy.get('#character_name').type('Slaw')
+
+		cy.get('#sex1').check()
+		cy.get('#vocation1').check()
+		cy.get('#accept_rules').check()
+
+		cy.get('#createaccount').submit()
+
+		// no errors please
+		cy.contains('The Following Errors Have Occurred:').should('not.exist')
+
+		// ss of post page
+		cy.screenshot('create-account-page-post')
+	})
+})

cypress/fixtures/example.json

@@ -0,0 +1,5 @@
+{
+  "name": "Using fixtures to represent data",
+  "email": "hello@cypress.io",
+  "body": "Fixtures are a great way to mock data for responses to routes"
+}

cypress/support/commands.js

@@ -0,0 +1,25 @@
+// ***********************************************
+// This example commands.js shows you how to
+// create various custom commands and overwrite
+// existing commands.
+//
+// For more comprehensive examples of custom
+// commands please read more here:
+// https://on.cypress.io/custom-commands
+// ***********************************************
+//
+//
+// -- This is a parent command --
+// Cypress.Commands.add('login', (email, password) => { ... })
+//
+//
+// -- This is a child command --
+// Cypress.Commands.add('drag', { prevSubject: 'element'}, (subject, options) => { ... })
+//
+//
+// -- This is a dual command --
+// Cypress.Commands.add('dismiss', { prevSubject: 'optional'}, (subject, options) => { ... })
+//
+//
+// -- This will overwrite an existing command --
+// Cypress.Commands.overwrite('visit', (originalFn, url, options) => { ... })

cypress/support/e2e.js

@@ -0,0 +1,20 @@
+// ***********************************************************
+// This example support/e2e.js is processed and
+// loaded automatically before your test files.
+//
+// This is a great place to put global configuration and
+// behavior that modifies Cypress.
+//
+// You can change the location of this file or turn off
+// automatically serving support files with the
+// 'supportFile' configuration option.
+//
+// You can read more here:
+// https://on.cypress.io/configuration
+// ***********************************************************
+
+// Import commands.js using ES2015 syntax:
+import './commands'
+
+// Alternatively you can use CommonJS syntax:
+// require('./commands')

index.php

@@ -28,18 +28,22 @@ require_once 'common.php';
 require_once SYSTEM . 'functions.php';
 
 $uri = $_SERVER['REQUEST_URI'];
+if(false !== strpos($uri, 'index.php')) {
+	$uri = str_replace_first('/index.php', '', $uri);
+}
 
-$tmp = BASE_DIR;
+if(0 === strpos($uri, '/')) {
-if(!empty($tmp))
-	$uri = str_replace(BASE_DIR . '/', '', $uri);
-else
 	$uri = str_replace_first('/', '', $uri);
+}
 
-$uri = str_replace(array('index.php/', '?'), '', $uri);
+if(preg_match("/^[A-Za-z0-9-_%'+\/]+\.png$/i", $uri)) {
-define('URI', $uri);
+	if (!empty(BASE_DIR)) {
-
+		$tmp = explode('.', str_replace_first(str_replace_first('/', '', BASE_DIR) . '/', '', $uri));
-if(preg_match("/^[A-Za-z0-9-_%'+]+\.png$/i", $uri)) {
+	}
+	else {
 		$tmp = explode('.', $uri);
+	}
+
 	$_REQUEST['name'] = urldecode($tmp[0]);
 
 	chdir(TOOLS . 'signature');
@@ -47,7 +51,7 @@ if(preg_match("/^[A-Za-z0-9-_%'+]+\.png$/i", $uri)) {
 	exit();
 }
 
-if(preg_match("/^(.*)\.(gif|jpg|png|jpeg|tiff|bmp|css|js|less|map|html|php|zip|rar|gz|ttf|woff|ico)$/i", $_SERVER['REQUEST_URI'])) {
+if(preg_match("/^(.*)\.(gif|jpg|png|jpeg|tiff|bmp|css|js|less|map|html|zip|rar|gz|ttf|woff|ico)$/i", $_SERVER['REQUEST_URI'])) {
 	http_response_code(404);
 	exit;
 }
@@ -74,106 +78,6 @@ if((!isset($config['installed']) || !$config['installed']) && file_exists(BASE .
 	throw new RuntimeException('Setup detected that <b>install/</b> directory exists. Please visit <a href="' . BASE_URL . 'install">this</a> url to start MyAAC Installation.<br/>Delete <b>install/</b> directory if you already installed MyAAC.<br/>Remember to REFRESH this page when you\'re done!');
 }
 
-$found = false;
-if(empty($uri) || isset($_REQUEST['template'])) {
-	$_REQUEST['p'] = 'news';
-	$found = true;
-}
-else {
-	$tmp = strtolower($uri);
-	if(!preg_match('/[^A-z0-9_\-]/', $uri) && file_exists(SYSTEM . 'pages/' . $tmp . '.php')) {
-		$_REQUEST['p'] = $uri;
-		$found = true;
-	}
-	else {
-		$rules = array(
-			'/^account\/manage\/?$/' => array('subtopic' => 'accountmanagement'),
-			'/^account\/create\/?$/' => array('subtopic' => 'createaccount'),
-			'/^account\/lost\/?$/' => array('subtopic' => 'lostaccount'),
-			'/^account\/logout\/?$/' => array('subtopic' => 'accountmanagement', 'action' => 'logout'),
-			'/^account\/password\/?$/' => array('subtopic' => 'accountmanagement', 'action' => 'change_password'),
-			'/^account\/register\/?$/' => array('subtopic' => 'accountmanagement', 'action' => 'register'),
-			'/^account\/register\/new\/?$/' => array('subtopic' => 'accountmanagement', 'action' => 'register_new'),
-			'/^account\/email\/?$/' => array('subtopic' => 'accountmanagement', 'action' => 'change_email'),
-			'/^account\/info\/?$/' => array('subtopic' => 'accountmanagement', 'action' => 'change_info'),
-			'/^account\/character\/create\/?$/' => array('subtopic' => 'accountmanagement', 'action' => 'create_character'),
-			'/^account\/character\/name\/?$/' => array('subtopic' => 'accountmanagement', 'action' => 'change_name'),
-			'/^account\/character\/sex\/?$/' => array('subtopic' => 'accountmanagement', 'action' => 'change_sex'),
-			'/^account\/character\/delete\/?$/' => array('subtopic' => 'accountmanagement', 'action' => 'delete_character'),
-			'/^account\/character\/comment\/[A-Za-z0-9-_%+\']+\/?$/' => array('subtopic' => 'accountmanagement', 'action' => 'change_comment', 'name' => '$3'),
-			'/^account\/character\/comment\/?$/' => array('subtopic' => 'accountmanagement', 'action' => 'change_comment'),
-			'/^account\/confirm_email\/[A-Za-z0-9-_]+\/?$/' => array('subtopic' => 'accountmanagement', 'action' => 'confirm_email', 'v' => '$2'),
-			'/^bans\/[0-9]+\/?$/' => array('subtopic' => 'bans', 'page' => '$1'),
-			'/^characters\/[A-Za-z0-9-_%+\']+$/' => array('subtopic' => 'characters', 'name' => '$1'),
-			'/^changelog\/[0-9]+\/?$/' => array('subtopic' => 'changelog', 'page' => '$1'),
-			'/^commands\/add\/?$/' => array('subtopic' => 'commands', 'action' => 'add'),
-			'/^commands\/edit\/?$/' => array('subtopic' => 'commands', 'action' => 'edit'),
-			'/^creatures\/[A-Za-z0-9-_%+\']+$/' => array('subtopic' => 'creatures', 'creature' => '$1'),
-			'/^faq\/add\/?$/' => array('subtopic' => 'faq', 'action' => 'add'),
-			'/^faq\/edit\/?$/' => array('subtopic' => 'faq', 'action' => 'edit'),
-			'/^forum\/add_board\/?$/' => array('subtopic' => 'forum', 'action' => 'add_board'),#
-			'/^forum\/edit_board\/?$/' => array('subtopic' => 'forum', 'action' => 'edit_board'),
-			'/^forum\/board\/[0-9]+\/?$/' => array('subtopic' => 'forum', 'action' => 'show_board', 'id' => '$2'),
-			'/^forum\/board\/[0-9]+\/[0-9]+\/?$/' => array('subtopic' => 'forum', 'action' => 'show_board', 'id' => '$2', 'page' => '$3'),
-			'/^forum\/thread\/[0-9]+\/?$/' => array('subtopic' => 'forum', 'action' => 'show_thread', 'id' => '$2'),
-			'/^forum\/thread\/[0-9]+\/[0-9]+\/?$/' => array('subtopic' => 'forum', 'action' => 'show_thread', 'id' => '$2', 'page' => '$3'),
-			'/^gallery\/add\/?$/' => array('subtopic' => 'gallery', 'action' => 'add'),
-			'/^gallery\/edit\/?$/' => array('subtopic' => 'gallery', 'action' => 'edit'),
-			'/^gallery\/[0-9]+\/?$/' => array('subtopic' => 'gallery', 'image' => '$1'),
-			'/^gifts\/history\/?$/' => array('subtopic' => 'gifts', 'action' => 'show_history'),
-			'/^guilds\/[A-Za-z0-9-_%+\']+$/' => array('subtopic' => 'guilds', 'action' => 'show', 'guild' => '$1'),
-			'/^highscores\/[A-Za-z0-9-_]+\/[A-Za-z0-9-_]+\/[0-9]+\/?$/' => array('subtopic' => 'highscores', 'list' => '$1', 'vocation' => '$2', 'page' => '$3'),
-			'/^highscores\/[A-Za-z0-9-_]+\/[0-9]+\/?$/' => array('subtopic' => 'highscores', 'list' => '$1', 'page' => '$2'),
-			'/^highscores\/[A-Za-z0-9-_]+\/[A-Za-z0-9-_]+\/?$/' => array('subtopic' => 'highscores', 'list' => '$1', 'vocation' => '$2'),
-			'/^highscores\/[A-Za-z0-9-_\']+\/?$/' => array('subtopic' => 'highscores', 'list' => '$1'),
-			'/^news\/add\/?$/' => array('subtopic' => 'news', 'action' => 'add'),
-			'/^news\/edit\/?$/' => array('subtopic' => 'news', 'action' => 'edit'),
-			'/^news\/archive\/?$/' => array('subtopic' => 'newsarchive'),
-			'/^news\/archive\/[0-9]+\/?$/' => array('subtopic' => 'newsarchive', 'id' => '$2'),
-			'/^polls\/[0-9]+\/?$/' => array('subtopic' => 'polls', 'id' => '$1'),
-			'/^spells\/[A-Za-z0-9-_%]+\/[A-Za-z0-9-_]+\/?$/' => array('subtopic' => 'spells', 'vocation' => '$1', 'order' => '$2'),
-			'/^houses\/view\/?$/' => array('subtopic' => 'houses', 'page' => 'view')
-		);
-
-		foreach($rules as $rule => $redirect) {
-			if (preg_match($rule, $uri)) {
-				$tmp = explode('/', $uri);
-				/* @var $redirect array */
-				foreach($redirect as $key => $value) {
-
-					if(strpos($value, '$') !== false) {
-						$value = str_replace('$' . $value[1], $tmp[$value[1]], $value);
-					}
-
-					$_REQUEST[$key] = $value;
-					$_GET[$key] = $value;
-				}
-
-				$found = true;
-				break;
-			}
-		}
-	}
-}
-
-// define page visited, so it can be used within events system
-$page = isset($_REQUEST['subtopic']) ? $_REQUEST['subtopic'] : (isset($_REQUEST['p']) ? $_REQUEST['p'] : '');
-if(empty($page) || !preg_match('/^[A-z0-9\_\-]+$/', $page)) {
-	$tmp = URI;
-	if(!empty($tmp)) {
-		$page = $tmp;
-	}
-	else {
-		if(!$found)
-			$page = '404';
-		else
-			$page = 'news';
-	}
-}
-
-$page = strtolower($page);
-define('PAGE', $page);
-
 $template_place_holders = array();
 
 require_once SYSTEM . 'init.php';
@@ -194,6 +98,8 @@ require_once SYSTEM . 'status.php';
 $twig->addGlobal('config', $config);
 $twig->addGlobal('status', $status);
 
+require_once SYSTEM . 'router.php';
+
 require SYSTEM . 'migrate.php';
 
 $hooks->trigger(HOOK_STARTUP);
@@ -242,35 +148,6 @@ if($config['visitors_counter'])
 	$visitors = new Visitors($config['visitors_counter_ttl']);
 }
 
-// page content loading
-if(!isset($content[0]))
-	$content = '';
-$load_it = true;
-
-// check if site has been closed
-$site_closed = false;
-if(fetchDatabaseConfig('site_closed', $site_closed)) {
-	$site_closed = ($site_closed == 1);
-	if($site_closed) {
-		if(!admin())
-		{
-			$title = getDatabaseConfig('site_closed_title');
-			$content .= '<p class="note">' . getDatabaseConfig('site_closed_message') . '</p><br/>';
-			$load_it = false;
-		}
-
-		if(!$logged)
-		{
-			ob_start();
-			require SYSTEM . 'pages/accountmanagement.php';
-			$content .= ob_get_contents();
-			ob_end_clean();
-			$load_it = false;
-		}
-	}
-}
-define('SITE_CLOSED', $site_closed);
-
 // backward support for gesior
 if($config['backward_support']) {
 	define('INITIALIZED', true);
@@ -279,7 +156,6 @@ if($config['backward_support']) {
 	$layout_name = $template_path;
 	$news_content = '';
 	$tickers_content = '';
-	$subtopic = PAGE;
 	$main_content = '';
 
 	$config['access_admin_panel'] = 2;
@@ -309,68 +185,6 @@ if($config['backward_support']) {
 		$config['status']['serverStatus_' . $key] = $value;
 }
 
-if($load_it)
-{
-	if(SITE_CLOSED && admin())
-		$content .= '<p class="note">Site is under maintenance (closed mode). Only privileged users can see it.</p>';
-
-	if($config['backward_support']) {
-		require SYSTEM . 'compat/pages.php';
-		require SYSTEM . 'compat/classes.php';
-	}
-
-	$ignore = false;
-
-	$logged_access = 1;
-	if($logged && $account_logged && $account_logged->isLoaded()) {
-		$logged_access = $account_logged->getAccess();
-	}
-
-	$success = false;
-	$tmp_content = getCustomPage($page, $success);
-	if($success) {
-		$content .= $tmp_content;
-		if(hasFlag(FLAG_CONTENT_PAGES) || superAdmin()) {
-			$pageInfo = getCustomPageInfo($page);
-			$content = $twig->render('admin.pages.links.html.twig', array(
-					'page' => array('id' => $pageInfo !== null ? $pageInfo['id'] : 0, 'hidden' => $pageInfo !== null ? $pageInfo['hidden'] : '0')
-				)) . $content;
-		}
-	} else {
-		$file = $template_path . '/pages/' . $page . '.php';
-		if(!@file_exists($file))
-		{
-			$file = SYSTEM . 'pages/' . $page . '.php';
-			if(!@file_exists($file))
-			{
-				$page = '404';
-				$file = SYSTEM . 'pages/404.php';
-			}
-		}
-	}
-
-	ob_start();
-	if($hooks->trigger(HOOK_BEFORE_PAGE)) {
-		if(!$ignore)
-			require $file;
-	}
-
-	if($config['backward_support'] && isset($main_content[0]))
-		$content .= $main_content;
-
-	$content .= ob_get_contents();
-	ob_end_clean();
-	$hooks->trigger(HOOK_AFTER_PAGE);
-}
-
-if($config['backward_support']) {
-	$main_content = $content;
-	if(!isset($title))
-		$title = ucfirst($page);
-
-	$topic = $title;
-}
-
 /**
  * @var OTS_Account $account_logged
  */

install/includes/schema.sql

@@ -1,4 +1,4 @@
-SET @myaac_database_version = 33;
+SET @myaac_database_version = 35;
 
 CREATE TABLE `myaac_account_actions`
 (
@@ -203,6 +203,7 @@ CREATE TABLE `myaac_monsters` (
 	`mana` int(11) NOT NULL DEFAULT 0,
 	`exp` int(11) NOT NULL,
 	`health` int(11) NOT NULL,
+	`look` VARCHAR(255) NOT NULL DEFAULT '',
 	`speed_lvl` int(11) NOT NULL default 1,
 	`use_haste` tinyint(1) NOT NULL,
 	`voices` text NOT NULL,
@@ -330,6 +331,7 @@ CREATE TABLE `myaac_visitors`
 	`ip` VARCHAR(45) NOT NULL,
 	`lastvisit` INT(11) NOT NULL DEFAULT 0,
 	`page` VARCHAR(2048) NOT NULL,
+	`user_agent` VARCHAR(255) NOT NULL DEFAULT '',
 	UNIQUE (`ip`)
 ) ENGINE=InnoDB DEFAULT CHARACTER SET=utf8;
 

install/includes/twig_error.html

@@ -1,4 +1,4 @@
-We have detected that you don't have access to write to the system/cache directory. Under linux you can fix it by using this two command, where first one should be enough (for apache):<br/><br/><span class="console">chown -R www-data.www-data /var/www/*</span><br/><span class="console">chmod -R 660 system/cache</span>
+We have detected that you don't have access to write to the system/cache directory. Under linux you can fix it by using this two command, where first one should be enough (for apache):<br/><br/><span class="console">chown -R www-data.www-data /var/www/*</span><br/><span class="console">chmod -R 760 system/cache</span>
 
 <style type="text/css">
 .console {

install/index.php

@@ -26,13 +26,13 @@ $twig = new Twig_Environment($twig_loader, array(
 ));
 
 // load installation status
-$step = isset($_POST['step']) ? $_POST['step'] : 'welcome';
+$step = $_REQUEST['step'] ?? 'welcome';
 
 $install_status = array();
 if(file_exists(CACHE . 'install.txt')) {
 	$install_status = unserialize(file_get_contents(CACHE . 'install.txt'));
 
-	if(!isset($_POST['step'])) {
+	if(!isset($_REQUEST['step'])) {
 		$step = isset($install_status['step']) ? $install_status['step'] : '';
 	}
 }
@@ -70,7 +70,7 @@ if($step == 'database') {
 
 		$key = str_replace('var_', '', $key);
 
-		if(in_array($key, array('account', 'password', 'email', 'player_name'))) {
+		if(in_array($key, array('account', 'account_id', 'password', 'password_confirm', 'email', 'player_name'))) {
 			continue;
 		}
 
@@ -110,18 +110,17 @@ if($step == 'database') {
 	}
 }
 else if($step == 'admin') {
-	$config_failed = true;
+	if(!file_exists(BASE . 'config.local.php') || !isset($config['installed']) || !$config['installed']) {
-	if(file_exists(BASE . 'config.local.php') && isset($config['installed']) && $config['installed'] && isset($_SESSION['saved'])) {
-		$config_failed = false;
-	}
-
-	if($config_failed) {
 		$step = 'database';
 	}
+	else {
+		$_SESSION['saved'] = true;
+	}
 }
 else if($step == 'finish') {
 	$email = $_SESSION['var_email'];
 	$password = $_SESSION['var_password'];
+	$password_confirm = $_SESSION['var_password_confirm'];
 	$player_name = $_SESSION['var_player_name'];
 
 	// email check
@@ -163,6 +162,9 @@ else if($step == 'finish') {
 	else if(!Validator::password($password)) {
 		$errors[] = $locale['step_admin_password_error_format'];
 	}
+	else if($password != $password_confirm) {
+		$errors[] = $locale['step_admin_password_confirm_error_not_same'];
+	}
 
 	// player name check
 	if(empty($player_name)) {

install/steps/5-database.php

@@ -55,12 +55,30 @@ if(!$error) {
 			error($database_error);
 		}
 		else {
+			if(!$db->hasTable('accounts')) {
+				$tmp = str_replace('$TABLE$', 'accounts', $locale['step_database_error_table']);
+				error($tmp);
+				$error = true;
+			}
+
+			if(!$db->hasTable('players')) {
+				$tmp = str_replace('$TABLE$', 'players', $locale['step_database_error_table']);
+				error($tmp);
+				$error = true;
+			}
+
+			if(!$db->hasTable('guilds')) {
+				$tmp = str_replace('$TABLE$', 'guilds', $locale['step_database_error_table']);
+				error($tmp);
+				$error = true;
+			}
+
+			if(!$error) {
 				$twig->display('install.installer.html.twig', array(
 					'url' => 'tools/5-database.php',
 					'message' => $locale['loading_spinner']
 				));
 
-			if(!$error) {
 				if(!Validator::email($_SESSION['var_mail_admin'])) {
 					error($locale['step_config_mail_admin_error']);
 					$error = true;
@@ -86,7 +104,7 @@ if(!$error) {
 					unset($_SESSION['saved']);
 
 					$locale['step_database_error_file'] = str_replace('$FILE$', '<b>' . BASE . 'config.local.php</b>', $locale['step_database_error_file']);
-					warning($locale['step_database_error_file'] . '<br/>
+					error($locale['step_database_error_file'] . '<br/>
 						<textarea cols="70" rows="10">' . $content . '</textarea>');
 				}
 			}
@@ -98,7 +116,7 @@ if(!$error) {
 <div class="text-center m-3">
 	<form action="<?php echo BASE_URL; ?>install/" method="post">
 		<input type="hidden" name="step" id="step" value="admin" />
-		<?php echo next_buttons(true, $error ? false : true);
+		<?php echo next_buttons(true, !$error);
 		?>
 	</form>
 </div>

install/steps/7-finish.php

@@ -8,15 +8,14 @@ if(isset($config['installed']) && $config['installed'] && !isset($_SESSION['save
 else {
 	require SYSTEM . 'init.php';
 	if(!$error) {
-		if(USE_ACCOUNT_NAME)
+		if(USE_ACCOUNT_NAME || USE_ACCOUNT_NUMBER)
 			$account = isset($_SESSION['var_account']) ? $_SESSION['var_account'] : null;
 		else
 			$account_id = isset($_SESSION['var_account_id']) ? $_SESSION['var_account_id'] : null;
 
 		$password = $_SESSION['var_password'];
 
-		$config_salt_enabled = $db->hasColumn('accounts', 'salt');
+		if(USE_ACCOUNT_SALT)
-		if($config_salt_enabled)
 		{
 			$salt = generateRandomString(10, false, true, true);
 			$password = $salt . $password;
@@ -66,7 +65,6 @@ else {
 			$new_account->setPassword(encrypt($password));
 			$new_account->setEMail($email);
 
-			$new_account->unblock();
 			$new_account->save();
 
 			$new_account->setCustomField('created', time());
@@ -75,7 +73,7 @@ else {
 			$account_used = &$new_account;
 		}
 
-		if($config_salt_enabled)
+		if(USE_ACCOUNT_SALT)
 			$account_used->setCustomField('salt', $salt);
 
 		$account_used->setCustomField('web_flags', FLAG_ADMIN + FLAG_SUPER_ADMIN);
@@ -83,7 +81,7 @@ else {
 		if($db->hasColumn('accounts', 'group_id'))
 			$account_used->setCustomField('group_id', $groups->getHighestId());
 		if($db->hasColumn('accounts', 'type'))
-			$account_used->setCustomField('type', 5);
+			$account_used->setCustomField('type', 6);
 
 		if(!$player_db->isLoaded())
 			$player->setAccountId($account_used->getId());

install/template/template.php

@@ -4,7 +4,7 @@
 	<meta http-equiv="Content-Type" content="text/html; charset=<?php echo $locale['encoding']; ?>" />
 	<meta name="viewport" content="width=device-width, initial-scale=1">
 	<title>MyAAC - <?php echo $locale['installation']; ?></title>
-	<link href="https://cdn.jsdelivr.net/npm/bootstrap@5.0.0-beta1/dist/css/bootstrap.min.css" rel="stylesheet" integrity="sha384-giJF6kkoqNQ00vy+HMDP7azOuL0xtbfIcaT9wjKHr8RbDVddVHyTfAAsrekwKmP1" crossorigin="anonymous">
+	<link href="https://cdn.jsdelivr.net/npm/bootstrap@5.2.3/dist/css/bootstrap.min.css" rel="stylesheet" integrity="sha384-rbsA2VBKQhggwzxH7pPCaAqO46MgnOM80zW1RWuH61DGLwZJEdK2Kadq2F9CUG65" crossorigin="anonymous">
 	<link rel="stylesheet" type="text/css" href="template/style.css" />
 	<script type="text/javascript" src="<?php echo BASE_URL; ?>tools/js/jquery.min.js"></script>
 </head>
@@ -29,7 +29,7 @@
 								$progress = ($i == 6) ? 100 : $i * 16;
 							}
 
-							echo '<li' . ($step == $value ? ' class="list-group-item active"' : ' class="list-group-item"') . '>' . ++$i . '. ' . $locale['step_' . $value] . '</li>';
+							echo '<li class="list-group-item' . ($step == $value ? ' active' : '') . '">' . ++$i . '. ' . $locale['step_' . $value] . '</li>';
 						}
 
 					?>

install/tools/5-database.php

@@ -23,24 +23,6 @@ if(!$error) {
 	}
 }
 
-if(!$db->hasTable('accounts')) {
-	$locale['step_database_error_table'] = str_replace('$TABLE$', 'accounts', $locale['step_database_error_table']);
-	error($locale['step_database_error_table']);
-	return;
-}
-
-if(!$db->hasTable('players')) {
-	$locale['step_database_error_table'] = str_replace('$TABLE$', 'players', $locale['step_database_error_table']);
-	error($locale['step_database_error_table']);
-	return;
-}
-
-if(!$db->hasTable('guilds')) {
-	$locale['step_database_error_table'] = str_replace('$TABLE$', 'guilds', $locale['step_database_error_table']);
-	error($locale['step_database_error_table']);
-	return;
-}
-
 if($db->hasTable(TABLE_PREFIX . 'account_actions')) {
 	$locale['step_database_error_table_exist'] = str_replace('$TABLE$', TABLE_PREFIX . 'account_actions', $locale['step_database_error_table_exist']);
 	warning($locale['step_database_error_table_exist']);
@@ -73,13 +55,8 @@ else {
 		success($locale['step_database_adding_field'] . ' accounts.key...');
 }
 
-if(!$db->hasColumn('accounts', 'blocked')) {
-	if(query("ALTER TABLE `accounts` ADD `blocked` TINYINT(1) NOT NULL DEFAULT FALSE COMMENT 'internal usage' AFTER `key`;"))
-		success($locale['step_database_adding_field'] . ' accounts.blocked...');
-}
-
 if(!$db->hasColumn('accounts', 'created')) {
-	if(query("ALTER TABLE `accounts` ADD `created` INT(11) NOT NULL DEFAULT 0 AFTER `" . ($db->hasColumn('accounts', 'group_id') ? 'group_id' : 'blocked') . "`;"))
+	if(query("ALTER TABLE `accounts` ADD `created` INT(11) NOT NULL DEFAULT 0 AFTER `" . ($db->hasColumn('accounts', 'group_id') ? 'group_id' : 'key') . "`;"))
 		success($locale['step_database_adding_field'] . ' accounts.created...');
 }
 

login.php

@@ -127,8 +127,7 @@ switch ($action) {
 			$account->find($inputAccountName);
 		}
 
-		$config_salt_enabled = fieldExist('salt', 'accounts');
+		$current_password = encrypt((USE_ACCOUNT_SALT ? $account->getCustomField('salt') : '') . $request->password);
-		$current_password = encrypt(($config_salt_enabled ? $account->getCustomField('salt') : '') . $request->password);
 
 		if (!$account->isLoaded() || $account->getPassword() != $current_password) {
 			sendError(($inputEmail != false ? 'Email' : 'Account name') . ' or password is not correct.');

nginx-sample.conf

@@ -7,6 +7,23 @@ server {
 	# increase max file upload
 	client_max_body_size 10M;
 
+	# this is very important, be sure its in your nginx conf - it prevents access to logs etc.
+	location ~ /system {
+		deny all;
+		return 404;
+	}
+
+	# block .htaccess
+	location ~ /\.ht {
+		deny all;
+	}
+
+	# block git files and folders
+	location ~ /\.git {
+		return 404;
+		deny all;
+	}
+
 	location / {
 		try_files $uri $uri/ /index.php;
 	}
@@ -15,15 +32,6 @@ server {
 		include snippets/fastcgi-php.conf;
 		fastcgi_read_timeout 240;
 		fastcgi_pass unix:/var/run/php/php7.4-fpm.sock;
-		# for ubuntu 22.04+ it will be php8.1-sock
+		# for ubuntu 22.04+ it will be php8.1-fpm.-sock
-	}
-
-	location ~ /\.ht {
-		deny all;
-	}
-
-	location /system {
-		deny all;
-		return 404;
 	}
 }

package.json

@@ -0,0 +1,5 @@
+{
+  "devDependencies": {
+    "cypress": "^12.12.0"
+  }
+}

plugins/.htaccess

@@ -1,11 +1,3 @@
 <IfModule mod_autoindex.c>
 	Options -Indexes
 </IfModule>
-
-<IfVersion < 2.4>
-    order allow,deny
-    deny from all
-</IfVersion>
-<IfVersion >= 2.4>
-    Require all denied
-</IfVersion>

plugins/account-create-hint/hint.html.twig

@@ -1,3 +1,3 @@
 To play on {{ config.lua.serverName }} you need an account.
-All you have to do to create your new account is to enter an account {% if constant('USE_ACCOUNT_NAME') %}name{% else %}number{% endif %}, password{% if config.recaptcha_enabled %}, confirm reCAPTCHA{% endif %}{% if config.account_country %}, country{% endif %} and your email address.
+All you have to do to create your new account is to enter an account {% if constant('USE_ACCOUNT_NAME') %}name{% else %}number{% endif %}, password{% if config.account_country %}, country{% endif %} and your email address.
 Also you have to agree to the terms presented below. If you have done so, your account {% if constant('USE_ACCOUNT_NAME') %}name{% else %}number{% endif %} will be shown on the following page and your account password will be sent to your email address along with further instructions. If you do not receive the email with your password, please check your spam filter.<br/><br/>

plugins/email-confirmed-reward.json

@@ -0,0 +1,17 @@
+{
+	"name": "EMail Confirmed Reward",
+	"description": "Reward users for confirming their E-Mail.",
+	"version": "1.0",
+	"author": "MyAAC Authors",
+	"contact": "www.my-aac.org",
+	"hooks": {
+		"mail-confirmed-reward": {
+			"type": "EMAIL_CONFIRMED",
+			"file": "plugins/email-confirmed-reward/reward.php"
+		}
+	},
+	"uninstall": [
+		"plugins/email-confirmed-reward.json",
+		"plugins/email-confirmed-reward"
+	]
+}

plugins/email-confirmed-reward/reward.php

@@ -0,0 +1,33 @@
+<?php
+defined('MYAAC') or die('Direct access not allowed!');
+
+$reward = config('account_mail_confirmed_reward');
+
+$hasCoinsColumn = $db->hasColumn('accounts', 'coins');
+if ($reward['coins'] > 0 && $hasCoinsColumn) {
+	log_append('email_confirm_error.log', 'accounts.coins column does not exist.');
+}
+
+if (!isset($account) || !$account->isLoaded()) {
+	log_append('email_confirm_error.log', 'Account not loaded.');
+	return;
+}
+
+if ($reward['premium_points'] > 0) {
+	$account->setCustomField('premium_points', (int)$account->getCustomField('premium_points') + $reward['premium_points']);
+
+	success(sprintf($reward['message'], $reward['premium_points'], 'premium points'));
+}
+
+if ($reward['coins'] > 0 && $hasCoinsColumn) {
+	$account->setCustomField('coins', (int)$account->getCustomField('coins') + $reward['coins']);
+
+	success(sprintf($reward['message'], $reward['coins'], 'coins'));
+}
+
+if ($reward['premium_days'] > 0) {
+	$account->setPremDays($account->getPremDays() + $reward['premium_days']);
+	$account->save();
+
+	success(sprintf($reward['message'], $reward['premium_days'], 'premium days'));
+}

plugins/example.json

@@ -6,31 +6,38 @@
 	"author": "nobody",
 	"contact": "nobody@example.org",
 	"require": {
-		"myaac": "0.4.3",
+		"myaac": "0.9.0",
-		"myaac_": ">=0.7,<1.0", // support for defining versions like in composer (since 0.8)
+		"myaac_": ">=0.9,<1.0",
-		"php": "5.2.0",
+		"php": "7.4",
-		"php_": ">5.4,<7.0", // support for defining versions like in composer (since 0.8)
+		"php_": ">7.4,<8.0",
 		"database": "21",
-		"php-ext": "curl", // php extension needs to be installed (since 0.8)
+		"php-ext": "curl",
-		"ext-curl": ">5.0", // php extension with version specifiec (since 0.8)
+		"ext-curl": ">5.0",
-		"table": "accounts", // table need to exist in database (since 0.8)
+		"table": "accounts",
-		"column": "players.online" // column need to exist in database (since 0.8)
+		"column": "players.online"
 	},
 	"install": "plugins/example/install.php",
 	"uninstall": [
 		"plugins/example.json",
 		"plugins/example-directory",
 		"templates/other-directory"
-		/***
-		 this is example of multi line comment
-		 	1. list example
-		 	2. something
-		 ****/
 	],
 	"hooks": {
 		"Example Hook": {
 			"type": "BEFORE_PAGE",
 			"file": "plugins/example/before.php"
 		}
+	},
+	"routes": {
+		"First Route": {
+			"pattern": "/YourAwesomePage/{name:string}/{page:int}",
+			"file": "plugins/your-plugin/your-awesome-page.php",
+			"method": "GET",
+			"priority": "130"
+		},
+		"Redirect Example": {
+			"redirect_from": "/redirectExample",
+			"redirect_to": "account/manage"
+		}
 	}
  }

release.sh

@@ -22,7 +22,7 @@ if [ $1 = "prepare" ]; then
 	mkdir -p tmp
 
 	# get myaac from git archive
-	git archive --format zip --output tmp/myaac.zip master
+	git archive --format zip --output tmp/myaac.zip 0.9
 
 	cd tmp/ || exit
 
@@ -35,6 +35,11 @@ if [ $1 = "prepare" ]; then
 	unzip -q myaac.zip -d $dir
 	rm myaac.zip
 
+	cd $dir || exit
+
+	# dependencies
+	composer install
+
 	echo "Now you can make changes to $dir. When you are ready, type 'release.sh pack'"
 	exit
 fi

system/autoload.php

@@ -1,206 +0,0 @@
-<?php
-namespace MyAAC;
-
-$loader = new \MyAAC\Psr4AutoloaderClass;
-
- // register the autoloader
-$loader->register();
-
-// register the base directories for the namespace prefix
-$loader->addNamespace('Composer\Semver', LIBS . 'semver');
-$loader->addNamespace('Twig', LIBS . 'Twig');
-/**
- * An example of a general-purpose implementation that includes the optional
- * functionality of allowing multiple base directories for a single namespace
- * prefix.
- *
- * Given a foo-bar package of classes in the file system at the following
- * paths ...
- *
- *     /path/to/packages/foo-bar/
- *         src/
- *             Baz.php             # Foo\Bar\Baz
- *             Qux/
- *                 Quux.php        # Foo\Bar\Qux\Quux
- *         tests/
- *             BazTest.php         # Foo\Bar\BazTest
- *             Qux/
- *                 QuuxTest.php    # Foo\Bar\Qux\QuuxTest
- *
- * ... add the path to the class files for the \Foo\Bar\ namespace prefix
- * as follows:
- *
- *      <?php
- *      // instantiate the loader
- *      $loader = new \Example\Psr4AutoloaderClass;
- *
- *      // register the autoloader
- *      $loader->register();
- *
- *      // register the base directories for the namespace prefix
- *      $loader->addNamespace('Foo\Bar', '/path/to/packages/foo-bar/src');
- *      $loader->addNamespace('Foo\Bar', '/path/to/packages/foo-bar/tests');
- *
- * The following line would cause the autoloader to attempt to load the
- * \Foo\Bar\Qux\Quux class from /path/to/packages/foo-bar/src/Qux/Quux.php:
- *
- *      <?php
- *      new \Foo\Bar\Qux\Quux;
- *
- * The following line would cause the autoloader to attempt to load the
- * \Foo\Bar\Qux\QuuxTest class from /path/to/packages/foo-bar/tests/Qux/QuuxTest.php:
- *
- *      <?php
- *      new \Foo\Bar\Qux\QuuxTest;
- */
-class Psr4AutoloaderClass
-{
-	/**
-	 * An associative array where the key is a namespace prefix and the value
-	 * is an array of base directories for classes in that namespace.
-	 *
-	 * @var array
-	 */
-	protected $prefixes = array();
-
-	/**
-	 * Register loader with SPL autoloader stack.
-	 *
-	 * @return void
-	 */
-	public function register()
-	{
-		spl_autoload_register(array($this, 'loadClass'));
-	}
-
-	/**
-	 * Adds a base directory for a namespace prefix.
-	 *
-	 * @param string $prefix The namespace prefix.
-	 * @param string $base_dir A base directory for class files in the
-	 * namespace.
-	 * @param bool $prepend If true, prepend the base directory to the stack
-	 * instead of appending it; this causes it to be searched first rather
-	 * than last.
-	 * @return void
-	 */
-	public function addNamespace($prefix, $base_dir, $prepend = false)
-	{
-		// normalize namespace prefix
-		$prefix = trim($prefix, '\\') . '\\';
-
-		// normalize the base directory with a trailing separator
-		$base_dir = rtrim($base_dir, DIRECTORY_SEPARATOR) . '/';
-
-		// initialize the namespace prefix array
-		if (isset($this->prefixes[$prefix]) === false) {
-			$this->prefixes[$prefix] = array();
-		}
-
-		// retain the base directory for the namespace prefix
-		if ($prepend) {
-			array_unshift($this->prefixes[$prefix], $base_dir);
-		} else {
-			array_push($this->prefixes[$prefix], $base_dir);
-		}
-	}
-
-	/**
-	 * Loads the class file for a given class name.
-	 *
-	 * @param string $class The fully-qualified class name.
-	 * @return mixed The mapped file name on success, or boolean false on
-	 * failure.
-	 */
-	public function loadClass($class)
-	{
-		if (0 === strpos($class, 'Twig_')) {
-			$file = LIBS . 'Twig/' . str_replace(array('_', "\0"), array('/', ''), $class).'.php';
-
-			if((config('env') === 'dev') && !is_file($file)) {
-				return false;
-			}
-
-			require $file;
-			return false;
-		}
-
-		// the current namespace prefix
-		$prefix = $class;
-
-		// work backwards through the namespace names of the fully-qualified
-		// class name to find a mapped file name
-		while (false !== $pos = strrpos($prefix, '\\')) {
-
-			// retain the trailing namespace separator in the prefix
-			$prefix = substr($class, 0, $pos + 1);
-
-			// the rest is the relative class name
-			$relative_class = substr($class, $pos + 1);
-
-			// try to load a mapped file for the prefix and relative class
-			$mapped_file = $this->loadMappedFile($prefix, $relative_class);
-			if ($mapped_file) {
-				return $mapped_file;
-			}
-
-			// remove the trailing namespace separator for the next iteration
-			// of strrpos()
-			$prefix = rtrim($prefix, '\\');
-		}
-
-		// never found a mapped file
-		return false;
-	}
-
-	/**
-	 * Load the mapped file for a namespace prefix and relative class.
-	 *
-	 * @param string $prefix The namespace prefix.
-	 * @param string $relative_class The relative class name.
-	 * @return mixed Boolean false if no mapped file can be loaded, or the
-	 * name of the mapped file that was loaded.
-	 */
-	protected function loadMappedFile($prefix, $relative_class)
-	{
-		// are there any base directories for this namespace prefix?
-		if (isset($this->prefixes[$prefix]) === false) {
-			return false;
-		}
-
-		// look through base directories for this namespace prefix
-		foreach ($this->prefixes[$prefix] as $base_dir) {
-
-			// replace the namespace prefix with the base directory,
-			// replace namespace separators with directory separators
-			// in the relative class name, append with .php
-			$file = $base_dir
-				. str_replace('\\', '/', $relative_class)
-				. '.php';
-
-			// if the mapped file exists, require it
-			if ($this->requireFile($file)) {
-				// yes, we're done
-				return $file;
-			}
-		}
-
-		// never found it
-		return false;
-	}
-
-	/**
-	 * If a file exists, require it from the file system.
-	 *
-	 * @param string $file The file to require.
-	 * @return bool True if the file exists, false if not.
-	 */
-	protected function requireFile($file)
-	{
-		if (config('env') !== 'dev' || file_exists($file)) {
-			require $file;
-			return true;
-		}
-		return false;
-	}
-}

system/compat/pages.php

@@ -10,6 +10,18 @@
 defined('MYAAC') or die('Direct access not allowed!');
 switch($page)
 {
+	case 'createaccount':
+		$page = 'account/create';
+		break;
+
+	case 'accountmanagement':
+		$page = 'account/manage';
+		break;
+
+	case 'lostaccount':
+		$page = 'account/lost';
+		break;
+
 	case 'whoisonline':
 		$page = 'online';
 		break;
@@ -18,6 +30,10 @@ switch($page)
 		$page = 'news';
 		break;
 
+	case 'newsarchive':
+		$page = 'news/archive';
+		break;
+
 	case 'tibiarules':
 		$page = 'rules';
 		break;
@@ -37,4 +53,3 @@ switch($page)
 	default:
 		break;
 }
-?>

system/exception.php

@@ -1,4 +1,25 @@
 <?php
+/**
+ * Exception handler
+ *
+ * @package   MyAAC
+ * @author    Slawkens <slawkens@gmail.com>
+ * @copyright 2023 MyAAC
+ * @link      https://my-aac.org
+ */
+
+if (class_exists(\Whoops\Run::class)) {
+	$whoops = new \Whoops\Run;
+	if(IS_CLI) {
+		$whoops->pushHandler(new \Whoops\Handler\PlainTextHandler);
+	}
+	else {
+		$whoops->pushHandler(new \Whoops\Handler\PrettyPageHandler);
+	}
+
+	$whoops->register();
+	return;
+}
 
 require LIBS . 'SensitiveException.php';
 
@@ -23,6 +44,8 @@ function exception_handler($exception) {
 
 	$backtrace_formatted = nl2br($exception->getTraceAsString());
 
+	$message = $message . "<br/><br/>File: {$exception->getFile()}<br/>Line: {$exception->getLine()}";
+
 	// display basic error message without template
 	// template is missing, why? probably someone deleted templates dir, or it wasn't downloaded right
 	$template_file = SYSTEM . 'templates/exception.html.twig';

system/functions.php

@@ -7,12 +7,11 @@
  * @copyright 2019 MyAAC
  * @link      https://my-aac.org
  */
+defined('MYAAC') or die('Direct access not allowed!');
 
 use PHPMailer\PHPMailer\PHPMailer;
 use Twig\Loader\ArrayLoader as Twig_ArrayLoader;
 
-defined('MYAAC') or die('Direct access not allowed!');
-
 function message($message, $type, $return)
 {
 	if(IS_CLI) {
@@ -62,20 +61,20 @@ function getFullLink($page, $name, $blank = false) {
 function getLink($page, $action = null)
 {
 	global $config;
-	return BASE_URL . ($config['friendly_urls'] ? '' : '?') . $page . ($action ? '/' . $action : '');
+	return BASE_URL . ($config['friendly_urls'] ? '' : 'index.php/') . $page . ($action ? '/' . $action : '');
 }
 function internalLayoutLink($page, $action = null) {return getLink($page, $action);}
 
 function getForumThreadLink($thread_id, $page = NULL)
 {
 	global $config;
-	return BASE_URL . ($config['friendly_urls'] ? '' : '?') . 'forum/thread/' . (int)$thread_id . (isset($page) ? '/' . $page : '');
+	return BASE_URL . ($config['friendly_urls'] ? '' : 'index.php/') . 'forum/thread/' . (int)$thread_id . (isset($page) ? '/' . $page : '');
 }
 
 function getForumBoardLink($board_id, $page = NULL)
 {
 	global $config;
-	return BASE_URL . ($config['friendly_urls'] ? '' : '?') . 'forum/board/' . (int)$board_id . (isset($page) ? '/' . $page : '');
+	return BASE_URL . ($config['friendly_urls'] ? '' : 'index.php/') . 'forum/board/' . (int)$board_id . (isset($page) ? '/' . $page : '');
 }
 
 function getPlayerLink($name, $generate = true)
@@ -90,7 +89,7 @@ function getPlayerLink($name, $generate = true)
 			$name = $player->getName();
 	}
 
-	$url = BASE_URL . ($config['friendly_urls'] ? '' : '?') . 'characters/' . urlencode($name);
+	$url = BASE_URL . ($config['friendly_urls'] ? '' : 'index.php/') . 'characters/' . urlencode($name);
 
 	if(!$generate) return $url;
 	return generateLink($url, $name);
@@ -100,7 +99,7 @@ function getMonsterLink($name, $generate = true)
 {
 	global $config;
 
-	$url = BASE_URL . ($config['friendly_urls'] ? '' : '?') . 'creatures/' . urlencode($name);
+	$url = BASE_URL . ($config['friendly_urls'] ? '' : 'index.php/') . 'creatures/' . urlencode($name);
 
 	if(!$generate) return $url;
 	return generateLink($url, $name);
@@ -118,7 +117,7 @@ function getHouseLink($name, $generate = true)
 			$name = $house->fetchColumn();
 	}
 
-	$url = BASE_URL . ($config['friendly_urls'] ? '' : '?') . 'houses/' . urlencode($name);
+	$url = BASE_URL . ($config['friendly_urls'] ? '' : 'index.php/') . 'houses/' . urlencode($name);
 
 	if(!$generate) return $url;
 	return generateLink($url, $name);
@@ -126,17 +125,16 @@ function getHouseLink($name, $generate = true)
 
 function getGuildLink($name, $generate = true)
 {
-	global $db, $config;
+	global $config;
 
-	if(is_numeric($name))
+	if(is_numeric($name)) {
-	{
+		$name = getGuildNameById($name);
-		$guild = $db->query(
+		if ($name === false) {
-			'SELECT `name` FROM `guilds` WHERE `id` = ' . (int)$name);
+			$name = 'Unknown';
-		if($guild->rowCount() > 0)
+		}
-			$name = $guild->fetchColumn();
 	}
 
-	$url = BASE_URL . ($config['friendly_urls'] ? '' : '?') . 'guilds/' . urlencode($name);
+	$url = BASE_URL . ($config['friendly_urls'] ? '' : 'index.php/') . 'guilds/' . urlencode($name);
 
 	if(!$generate) return $url;
 	return generateLink($url, $name);
@@ -268,6 +266,13 @@ function getForumBoards()
 	return array();
 }
 
+// TODO:
+// convert forum threads links from just forum/ID
+// INTO: forum/thread-name-id, like in XenForo
+//function convertForumThreadTitle($title) {
+//	return str_replace(' ', '-', strtolower($title));
+//}
+
 /**
  * Retrieves data from myaac database config.
  *
@@ -749,10 +754,10 @@ function get_browser_languages()
 {
 	$ret = array();
 
-	$acceptLang = $_SERVER['HTTP_ACCEPT_LANGUAGE'];
+	if(empty($_SERVER['HTTP_ACCEPT_LANGUAGE']))
-	if(!isset($acceptLang[0]))
 		return $ret;
 
+	$acceptLang = $_SERVER['HTTP_ACCEPT_LANGUAGE'];
 	$languages = strtolower($acceptLang);
 	// $languages = 'pl,en-us;q=0.7,en;q=0.3 ';
 	// need to remove spaces from strings to avoid error
@@ -785,16 +790,21 @@ function get_templates()
  * Generates list of installed plugins
  * @return array $plugins
  */
-function get_plugins()
+function get_plugins($disabled = false): array
 {
-	$ret = array();
+	$ret = [];
 
 	$path = PLUGINS;
-	foreach(scandir($path, 0) as $file) {
+	foreach(scandir($path, SCANDIR_SORT_ASCENDING) as $file) {
 		$file_ext = pathinfo($file, PATHINFO_EXTENSION);
 		$file_name = pathinfo($file, PATHINFO_FILENAME);
-		if ($file === '.' || $file === '..' || $file === 'disabled' || $file === 'example.json' || $file_ext !== 'json' || is_dir($path . $file))
+		if ($file === '.' || $file === '..' || $file === 'example.json' || $file_ext !== 'json' || is_dir($path . $file)) {
 			continue;
+		}
+
+		if (!$disabled && strpos($file, 'disabled.') !== false) {
+			continue;
+		}
 
 		$ret[] = str_replace('.json', '', $file_name);
 	}
@@ -1145,6 +1155,12 @@ function clearCache()
 		global $template_name;
 		if ($cache->fetch('template_ini' . $template_name, $tmp))
 			$cache->delete('template_ini' . $template_name);
+
+		if ($cache->fetch('plugins_hooks', $tmp))
+			$cache->delete('plugins_hooks');
+
+		if ($cache->fetch('plugins_routes', $tmp))
+			$cache->delete('plugins_routes');
 	}
 
 	deleteDirectory(CACHE . 'signatures', ['index.html'], true);
@@ -1152,6 +1168,12 @@ function clearCache()
 	deleteDirectory(CACHE . 'plugins', ['index.html'], true);
 	deleteDirectory(CACHE, ['signatures', 'twig', 'plugins', 'index.html'], true);
 
+	// routes cache
+	$routeCacheFile = CACHE . 'route.cache';
+	if (file_exists($routeCacheFile)) {
+		unlink($routeCacheFile);
+	}
+
 	return true;
 }
 
@@ -1170,7 +1192,7 @@ function getCustomPageInfo($page)
 
 	return null;
 }
-function getCustomPage($page, &$success)
+function getCustomPage($page, &$success): string
 {
 	global $db, $twig, $title, $ignore, $logged_access;
 
@@ -1510,6 +1532,54 @@ function getAccountLoginByLabel()
 	return $ret;
 }
 
+function camelCaseToUnderscore($input)
+{
+	return ltrim(strtolower(preg_replace('/[A-Z]([A-Z](?![a-z]))*/', '_$0', $input)), '_');
+}
+
+function removeIfFirstSlash(&$text) {
+	if(strpos($text, '/') === 0) {
+		$text = str_replace_first('/', '', $text);
+	}
+};
+
+function escapeHtml($html) {
+	return htmlentities($html, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
+}
+
+function getGuildNameById($id)
+{
+	global $db;
+
+	$guild = $db->query('SELECT `name` FROM `guilds` WHERE `id` = ' . (int)$id);
+
+	if($guild->rowCount() > 0) {
+		return $guild->fetchColumn();
+	}
+
+	return false;
+}
+
+function getGuildLogoById($id)
+{
+	global $db;
+
+	$logo = 'default.gif';
+
+	$query = $db->query('SELECT `logo_name` FROM `guilds` WHERE `id` = ' . (int)$id);
+	if ($query->rowCount() == 1) {
+
+		$query = $query->fetch(PDO::FETCH_ASSOC);
+		$guildLogo = $query['logo_name'];
+
+		if (!empty($guildLogo) && file_exists(GUILD_IMAGES_DIR . $guildLogo)) {
+			$logo = $guildLogo;
+		}
+	}
+
+	return BASE_URL . GUILD_IMAGES_DIR . $logo;
+}
+
 // validator functions
 require_once LIBS . 'validator.php';
 require_once SYSTEM . 'compat/base.php';

system/hooks.php

@@ -30,6 +30,7 @@ define('HOOK_CHARACTERS_AFTER_CHARACTERS', ++$i);
 define('HOOK_LOGIN', ++$i);
 define('HOOK_LOGIN_ATTEMPT', ++$i);
 define('HOOK_LOGOUT', ++$i);
+define('HOOK_ACCOUNT_CHANGE_PASSWORD_POST', ++$i);
 define('HOOK_ACCOUNT_CREATE_BEFORE_FORM', ++$i);
 define('HOOK_ACCOUNT_CREATE_BEFORE_BOXES', ++$i);
 define('HOOK_ACCOUNT_CREATE_BETWEEN_BOXES_1', ++$i);
@@ -39,8 +40,8 @@ define('HOOK_ACCOUNT_CREATE_BEFORE_ACCOUNT', ++$i);
 define('HOOK_ACCOUNT_CREATE_AFTER_ACCOUNT', ++$i);
 define('HOOK_ACCOUNT_CREATE_AFTER_EMAIL', ++$i);
 define('HOOK_ACCOUNT_CREATE_AFTER_COUNTRY', ++$i);
+define('HOOK_ACCOUNT_CREATE_AFTER_PASSWORD', ++$i);
 define('HOOK_ACCOUNT_CREATE_AFTER_PASSWORDS', ++$i);
-define('HOOK_ACCOUNT_CREATE_AFTER_RECAPTCHA', ++$i);
 define('HOOK_ACCOUNT_CREATE_BEFORE_CHARACTER_NAME', ++$i);
 define('HOOK_ACCOUNT_CREATE_AFTER_CHARACTER_NAME', ++$i);
 define('HOOK_ACCOUNT_CREATE_AFTER_SEX', ++$i);
@@ -48,10 +49,30 @@ define('HOOK_ACCOUNT_CREATE_AFTER_VOCATION', ++$i);
 define('HOOK_ACCOUNT_CREATE_AFTER_TOWNS', ++$i);
 define('HOOK_ACCOUNT_CREATE_BEFORE_SUBMIT_BUTTON', ++$i);
 define('HOOK_ACCOUNT_CREATE_AFTER_FORM', ++$i);
-define('HOOK_ACCOUNT_CREATE_AFTER_SUBMIT', ++$i);
+define('HOOK_ACCOUNT_CREATE_POST', ++$i);
+define('HOOK_ACCOUNT_LOGIN_BEFORE_PAGE', ++$i);
+define('HOOK_ACCOUNT_LOGIN_BEFORE_ACCOUNT', ++$i);
+define('HOOK_ACCOUNT_LOGIN_AFTER_ACCOUNT', ++$i);
+define('HOOK_ACCOUNT_LOGIN_BEFORE_PASSWORD', ++$i);
+define('HOOK_ACCOUNT_LOGIN_AFTER_PASSWORD', ++$i);
+define('HOOK_ACCOUNT_LOGIN_AFTER_REMEMBER_ME', ++$i);
+define('HOOK_ACCOUNT_LOGIN_AFTER_PAGE', ++$i);
+define('HOOK_ACCOUNT_LOGIN_POST', ++$i);
+define('HOOK_ADMIN_HEAD_END', ++$i);
+define('HOOK_ADMIN_HEAD_START', ++$i);
+define('HOOK_ADMIN_BODY_START', ++$i);
+define('HOOK_ADMIN_BODY_END', ++$i);
+define('HOOK_ADMIN_BEFORE_PAGE', ++$i);
 define('HOOK_ADMIN_MENU', ++$i);
-define('HOOK_FIRST', HOOK_STARTUP);
+define('HOOK_ADMIN_LOGIN_AFTER_ACCOUNT', ++$i);
-define('HOOK_LAST', HOOK_ADMIN_MENU);
+define('HOOK_ADMIN_LOGIN_AFTER_PASSWORD', ++$i);
+define('HOOK_ADMIN_LOGIN_AFTER_SIGN_IN', ++$i);
+define('HOOK_ADMIN_ACCOUNTS_SAVE_POST', ++$i);
+define('HOOK_EMAIL_CONFIRMED', ++$i);
+define('HOOK_GUILDS_AFTER_INVITED_CHARACTERS', ++$i);
+
+const HOOK_FIRST = HOOK_STARTUP;
+define('HOOK_LAST', $i);
 
 require_once LIBS . 'plugins.php';
 class Hook
@@ -119,5 +140,7 @@ class Hooks
 		foreach(Plugins::getHooks() as $hook) {
 			$this->register($hook['name'], $hook['type'], $hook['file']);
 		}
+
+		Plugins::clearWarnings();
 	}
 }

system/init.php

@@ -18,6 +18,10 @@ if(!isset($config['installed']) || !$config['installed']) {
 	throw new RuntimeException('MyAAC has not been installed yet or there was error during installation. Please install again.');
 }
 
+if(config('env') === 'dev') {
+	require SYSTEM . 'exception.php';
+}
+
 date_default_timezone_set($config['date_timezone']);
 // take care of trailing slash at the end
 if($config['server_path'][strlen($config['server_path']) - 1] !== '/')
@@ -34,6 +38,10 @@ $cache = Cache::getInstance();
 // twig
 require_once SYSTEM . 'twig.php';
 
+// action, used by many pages
+$action = $_REQUEST['action'] ?? '';
+define('ACTION', $action);
+
 // trim values we receive
 if(isset($_POST))
 {
@@ -128,6 +136,7 @@ require_once SYSTEM . 'database.php';
 
 define('USE_ACCOUNT_NAME', $db->hasColumn('accounts', 'name'));
 define('USE_ACCOUNT_NUMBER', $db->hasColumn('accounts', 'number'));
+define('USE_ACCOUNT_SALT', $db->hasColumn('accounts', 'salt'));
 
 // load vocation names
 $tmp = '';

system/libs/CreateCharacter.php

@@ -251,11 +251,13 @@ class CreateCharacter
 			}
 		}
 
+		if ($db->hasTable('player_items') && $db->hasColumn('player_items', 'pid') && $db->hasColumn('player_items', 'sid') && $db->hasColumn('player_items', 'itemtype')) {
 			$loaded_items_to_copy = $db->query("SELECT * FROM player_items WHERE player_id = ".$char_to_copy->getId()."");
 			foreach($loaded_items_to_copy as $save_item) {
 				$blob = $db->quote($save_item['attributes']);
 				$db->query("INSERT INTO `player_items` (`player_id` ,`pid` ,`sid` ,`itemtype`, `count`, `attributes`) VALUES ('".$player->getId()."', '".$save_item['pid']."', '".$save_item['sid']."', '".$save_item['itemtype']."', '".$save_item['count']."', $blob);");
 			}
+		}
 
 		global $twig;
 		$twig->display('success.html.twig', array(

system/libs/GoogleReCAPTCHA.php

@@ -1,84 +0,0 @@
-<?php
-
-class GoogleReCAPTCHA
-{
-	private static $errorMessage = '';
-	private static $errorType;
-
-	const ERROR_MISSING_RESPONSE = 1;
-	const ERROR_INVALID_ACTION = 2;
-	const ERROR_LOW_SCORE = 3;
-	const ERROR_NO_SUCCESS = 4;
-
-	public static function verify($action = '')
-	{
-		if (!isset($_POST['g-recaptcha-response']) || empty($_POST['g-recaptcha-response'])) {
-			self::$errorType = self::ERROR_MISSING_RESPONSE;
-			self::$errorMessage = "Please confirm that you're not a robot.";
-			return false;
-		}
-
-		$recaptchaApiUrl = 'https://www.google.com/recaptcha/api/siteverify';
-		$secretKey = config('recaptcha_secret_key');
-
-		$recaptchaResponse = $_POST['g-recaptcha-response'];
-		$ip = $_SERVER['REMOTE_ADDR'];
-		$params = 'secret='.$secretKey.'&response='.$recaptchaResponse.'&remoteip='.$ip;
-
-		if (function_exists('curl_version')) {
-			$curl_connection = curl_init($recaptchaApiUrl);
-
-			curl_setopt($curl_connection, CURLOPT_CONNECTTIMEOUT, 5);
-			curl_setopt($curl_connection, CURLOPT_RETURNTRANSFER, true);
-			curl_setopt($curl_connection, CURLOPT_SSL_VERIFYPEER, false);
-			curl_setopt($curl_connection, CURLOPT_FOLLOWLOCATION, 0);
-			curl_setopt($curl_connection, CURLOPT_POSTFIELDS, $params);
-
-			$response = curl_exec($curl_connection);
-			curl_close($curl_connection);
-		} else {
-			$response = file_get_contents($recaptchaApiUrl . '?' . $params);
-		}
-
-		$json = json_decode($response);
-
-		$recaptchaType = config('recaptcha_type');
-		if ($recaptchaType === 'v3') { // score based
-			//log_append('recaptcha.log', 'recaptcha_score: ' . $json->score . ', action:' . $json->action);
-
-			if (!isset($json->action) || $json->action !== $action) {
-				self::$errorType = self::ERROR_INVALID_ACTION;
-				self::$errorMessage = 'Google ReCaptcha returned invalid action.';
-				return false;
-			}
-
-			if (!isset($json->score) || $json->score < config('recaptcha_v3_min_score')) {
-				self::$errorType = self::ERROR_LOW_SCORE;
-				self::$errorMessage = 'Your Google ReCaptcha score was too low.';
-				return false;
-			}
-		}
-
-		if (!isset($json->success) || !$json->success) {
-			self::$errorType = self::ERROR_NO_SUCCESS;
-			self::$errorMessage = "Please confirm that you're not a robot.";
-			return false;
-		}
-
-		return true;
-	}
-
-	/**
-	 * @return string
-	 */
-	public static function getErrorMessage() {
-		return self::$errorMessage;
-	}
-
-	/**
-	 * @return int
-	 */
-	public static function getErrorType() {
-		return self::$errorType;
-	}
-}

system/libs/cache.php

@@ -110,4 +110,21 @@ class Cache
 	 * @return bool
 	 */
 	public function enabled() {return false;}
+
+	public static function remember($key, $ttl, $callback)
+	{
+		$cache = self::getInstance();
+		if(!$cache->enabled()) {
+			return $callback();
+		}
+
+		$value = null;
+		if ($cache->fetch($key, $value)) {
+			return unserialize($value);
+		}
+
+		$value = $callback();
+		$cache->set($key, serialize($value),$ttl);
+		return $value;
+	}
 }

system/libs/creatures.php

@@ -82,6 +82,9 @@ class Creatures {
 			$armor = $monster->getArmor();
 			$defensev = $monster->getDefense();
 
+			//load look
+			$look = $monster->getLook();
+
 			//load monster flags
 			$flags = $monster->getFlags();
 			if(!isset($flags['summonable']))
@@ -147,6 +150,7 @@ class Creatures {
 						'armor' => $armor,
 						'race' => $race,
 						'loot' => json_encode($loot),
+						'look' => json_encode($look),
 						'summons' => json_encode($summons)
 					));
 

system/libs/news.php

@@ -8,12 +8,12 @@ class News
 			$errors[] = 'Please fill all inputs.';
 			return false;
 		}
-		if(strlen($title) > TITLE_LIMIT) {
+		if(strlen($title) > NEWS_TITLE_LIMIT) {
-			$errors[] = 'News title cannot be longer than ' . TITLE_LIMIT . ' characters.';
+			$errors[] = 'News title cannot be longer than ' . NEWS_TITLE_LIMIT . ' characters.';
 			return false;
 		}
-		if(strlen($body) > BODY_LIMIT) {
+		if(strlen($body) > NEWS_BODY_LIMIT) {
-			$errors[] = 'News content cannot be longer than ' . BODY_LIMIT . ' characters.';
+			$errors[] = 'News content cannot be longer than ' . NEWS_BODY_LIMIT . ' characters.';
 			return false;
 		}
 		if(strlen($article_text) > ARTICLE_TEXT_LIMIT) {

system/libs/plugins.php

@@ -10,7 +10,7 @@
  */
 defined('MYAAC') or die('Direct access not allowed!');
 
-function is_sub_dir($path = NULL, $parent_folder = SITE_PATH) {
+function is_sub_dir($path = NULL, $parent_folder = BASE) {
 
 	//Get directory path minus last folder
 	$dir = dirname($path);
@@ -41,24 +41,146 @@ function is_sub_dir($path = NULL, $parent_folder = SITE_PATH) {
 use Composer\Semver\Semver;
 
 class Plugins {
-	private static $warnings = array();
+	private static $warnings = [];
 	private static $error = null;
-	private static $plugin_json = array();
+	private static $plugin_json = [];
+
+	public static function getRoutes()
+	{
+		$cache = Cache::getInstance();
+		if ($cache->enabled()) {
+			$tmp = '';
+			if ($cache->fetch('plugins_routes', $tmp)) {
+				return unserialize($tmp);
+			}
+		}
+
+		$routes = [];
+		foreach(self::getAllPluginsJson() as $plugin) {
+			$warningPreTitle = 'Plugin: ' . $plugin['name'] . ' - ';
+
+			if (isset($plugin['routes'])) {
+				foreach ($plugin['routes'] as $_name => $info) {
+					// default method: get
+					$method = $info['method'] ?? ['GET'];
+					if ($method !== '*') {
+						$methods = is_string($method) ? explode(',', $info['method']) : $method;
+						foreach ($methods as $method) {
+							$method = strtolower($method);
+							if (!in_array($method, ['get', 'post', 'put', 'patch', 'delete', 'head'])) {
+								self::$warnings[] = $warningPreTitle . 'Not allowed method ' . $method . '... Disabling this route...';
+							}
+						}
+					}
+					else {
+						$methods = '*'; // all available methods
+					}
+
+					if (!isset($info['priority'])) {
+						$info['priority'] = 100; // default priority
+					}
+
+					if (isset($info['redirect_from'])) {
+						removeIfFirstSlash($info['redirect_from']);
+
+						$info['pattern'] = $info['redirect_from'];
+						if (!isset($info['redirect_to'])) {
+							self::$warnings[] = $warningPreTitle . 'redirect set without "redirect_to".';
+						}
+						else {
+							removeIfFirstSlash($info['redirect_to']);
+							$info['file'] = '__redirect__/' . $info['redirect_to'];
+						}
+					}
+
+					// replace first occurence of / in pattern if found (will be auto-added later)
+					removeIfFirstSlash($info['pattern']);
+
+					foreach ($routes as $id => &$route) {
+						if($route[1] == $info['pattern']) {
+							if($info['priority'] < $route[3]) {
+								self::$warnings[] = $warningPreTitle . "Duplicated route with lower priority: {$info['pattern']}. Disabling this route...";
+								continue 2;
+							}
+							else {
+								self::$warnings[] = $warningPreTitle . "Duplicated route with lower priority: {$route[1]} ({$route[3]}). Disabling this route...";
+								unset($routes[$id]);
+							}
+						}
+					}
+
+					$routes[] = [$methods, $info['pattern'], $info['file'], $info['priority']];
+				}
+			}
+		}
+/*
+		usort($routes, function ($a, $b)
+		{
+			// key 3 is priority
+			if ($a[3] == $b[3]) {
+				return 0;
+			}
+
+			return ($a[3] > $b[3]) ? -1 : 1;
+		});
+*/
+		// cleanup before passing back
+		// priority is not needed anymore
+		foreach ($routes as &$route) {
+			unset($route[3]);
+		}
+
+		if ($cache->enabled()) {
+			$cache->set('plugins_routes', serialize($routes), 600);
+		}
+
+		return $routes;
+	}
 
 	public static function getHooks()
 	{
 		$cache = Cache::getInstance();
 		if ($cache->enabled()) {
 			$tmp = '';
-			if ($cache->fetch('hooks', $tmp)) {
+			if ($cache->fetch('plugins_hooks', $tmp)) {
 				return unserialize($tmp);
 			}
 		}
 
 		$hooks = [];
-		foreach(get_plugins() as $filename) {
+		foreach(self::getAllPluginsJson() as $plugin) {
+			if (isset($plugin['hooks'])) {
+				foreach ($plugin['hooks'] as $_name => $info) {
+					if (defined('HOOK_'. $info['type'])) {
+						$hook = constant('HOOK_'. $info['type']);
+						$hooks[] = ['name' => $_name, 'type' => $hook, 'file' => $info['file']];
+					} else {
+						self::$warnings[] = 'Plugin: ' . $plugin['name'] . '. Unknown event type: ' . $info['type'];
+					}
+				}
+			}
+		}
+
+		if ($cache->enabled()) {
+			$cache->set('plugins_hooks', serialize($hooks), 600);
+		}
+
+		return $hooks;
+	}
+
+	public static function getAllPluginsJson($disabled = false)
+	{
+		$cache = Cache::getInstance();
+		if ($cache->enabled()) {
+			$tmp = '';
+			if ($cache->fetch('plugins', $tmp)) {
+				return unserialize($tmp);
+			}
+		}
+
+		$plugins = [];
+		foreach (get_plugins($disabled) as $filename) {
 			$string = file_get_contents(PLUGINS . $filename . '.json');
-			$string = self::removeComments($string);
 			$plugin = json_decode($string, true);
 			self::$plugin_json = $plugin;
 			if ($plugin == null) {
@@ -66,28 +188,19 @@ class Plugins {
 				continue;
 			}
 
-			if(isset($plugin['enabled']) && !getBoolean($plugin['enabled'])) {
+			if (isset($plugin['enabled']) && !getBoolean($plugin['enabled'])) {
 				self::$warnings[] = 'Skipping ' . $filename . '... The plugin is disabled.';
 				continue;
 			}
 
-			if (isset($plugin['hooks'])) {
+			$plugins[] = $plugin;
-				foreach ($plugin['hooks'] as $_name => $info) {
-					if (defined('HOOK_'. $info['type'])) {
-						$hook = constant('HOOK_'. $info['type']);
-						$hooks[] = ['name' => $_name, 'type' => $hook, 'file' => $info['file']];
-					} else {
-						self::$warnings[] = 'Plugin: ' . $filename . '. Unknown event type: ' . $info['type'];
-					}
-				}
-			}
 		}
 
 		if ($cache->enabled()) {
-			$cache->set('hooks', serialize($hooks), 600);
+			$cache->set('plugins', serialize($plugins), 600);
 		}
 
-		return $hooks;
+		return $plugins;
 	}
 
 	public static function install($file) {
@@ -130,7 +243,6 @@ class Plugins {
 		}
 
 		$string = file_get_contents($file_name);
-		$string = self::removeComments($string);
 		$plugin_json = json_decode($string, true);
 		self::$plugin_json = $plugin_json;
 		if ($plugin_json == null) {
@@ -225,29 +337,61 @@ class Plugins {
 						}
 
 						if(in_array($req, array('php-ext', 'php-extension'))) { // require php extension
-							if(!extension_loaded($version)) {
+							$tmpDisplayError = false;
-								self::$error = "This plugin requires php extension: " . $version . " to be installed.";
+							$explode = explode(',', $version);
+
+							foreach ($explode as $item) {
+								if(!extension_loaded($item)) {
+									$errors[] = "This plugin requires php extension: " . $item . " to be installed.";
+									$tmpDisplayError = true;
+								}
+							}
+
+							if ($tmpDisplayError) {
+								self::$error = implode('<br/>', $errors);
 								$continue = false;
 								break;
 							}
 						}
 						else if($req == 'table') {
-							if(!$db->hasTable($version)) {
+							$tmpDisplayError = false;
-								self::$error = "This plugin requires table: " . $version . " to exist in the database.";
+							$explode = explode(',', $version);
+							foreach ($explode as $item) {
+								if(!$db->hasTable($item)) {
+									$errors[] = "This plugin requires table: " . $item . " to exist in the database.";
+									$tmpDisplayError = true;
+								}
+							}
+
+							if ($tmpDisplayError) {
+								self::$error = implode('<br/>', $errors);
 								$continue = false;
 								break;
 							}
 						}
 						else if($req == 'column') {
-							$tmp = explode('.', $version);
+							$tmpDisplayError = false;
+							$explode = explode(',', $version);
+							foreach ($explode as $item) {
+								$tmp = explode('.', $item);
+
 								if(count($tmp) == 2) {
 									if(!$db->hasColumn($tmp[0], $tmp[1])) {
-									self::$error = "This plugin requires database column: " . $tmp[0] . "." . $tmp[1] . " to exist in database.";
+										$errors[] = "This plugin requires database column: " . $tmp[0] . "." . $tmp[1] . " to exist in database.";
+										$tmpDisplayError = true;
+									}
+								}
+								else {
+									self::$warnings[] = "Invalid plugin require column: " . $item;
+								}
+							}
+
+							if ($tmpDisplayError) {
+								self::$error = implode('<br/>', $errors);
 								$continue = false;
 								break;
 							}
 						}
-						}
 						else if(strpos($req, 'ext-') !== false) {
 							$tmp = explode('-', $req);
 							if(count($tmp) == 2) {
@@ -298,7 +442,35 @@ class Plugins {
 		return false;
 	}
 
-	public static function uninstall($plugin_name)
+	public static function enable($pluginFileName): bool
+	{
+		return self::enableDisable($pluginFileName, true);
+	}
+
+	public static function disable($pluginFileName): bool
+	{
+		return self::enableDisable($pluginFileName, false);
+	}
+
+	private static function enableDisable($pluginFileName, $enable): bool
+	{
+		$filenameJson = $pluginFileName . '.json';
+		$fileExist = is_file(PLUGINS . ($enable ? 'disabled.' : '') . $filenameJson);
+		if (!$fileExist) {
+			self::$error = 'Cannot ' . ($enable ? 'enable' : 'disable') . ' plugin: ' . $pluginFileName . '. File does not exist.';
+			return false;
+		}
+
+		$result = rename(PLUGINS . ($enable ? 'disabled.' : '') . $filenameJson, PLUGINS . ($enable ? '' : 'disabled.') . $filenameJson);
+		if (!$result) {
+			self::$error = 'Cannot ' . ($enable ? 'enable' : 'disable') . ' plugin: ' . $pluginFileName . '. Permission problem.';
+			return false;
+		}
+
+		return true;
+	}
+
+	public static function uninstall($plugin_name): bool
 	{
 		$filename = BASE . 'plugins/' . $plugin_name . '.json';
 		if(!file_exists($filename)) {
@@ -306,9 +478,8 @@ class Plugins {
 			return false;
 		}
 		$string = file_get_contents($filename);
-		$string = self::removeComments($string);
 		$plugin_info = json_decode($string, true);
-		if($plugin_info == false) {
+		if(!$plugin_info) {
 			self::$error = 'Cannot load plugin info ' . $plugin_name . '.json';
 			return false;
 		}
@@ -378,6 +549,10 @@ class Plugins {
 		return self::$warnings;
 	}
 
+	public static function clearWarnings() {
+		self::$warnings = [];
+	}
+
 	public static function getError() {
 		return self::$error;
 	}
@@ -386,22 +561,6 @@ class Plugins {
 		return self::$plugin_json;
 	}
 
-	public static function removeComments($string) {
-		$string = preg_replace('!/\*.*?\*/!s', '', $string);
-		$string = preg_replace('/\n\s*\n/', "\n", $string);
-		//  Removes multi-line comments and does not create
-		//  a blank line, also treats white spaces/tabs
-		$string = preg_replace('!^[ \t]*/\*.*?\*/[ \t]*[\r\n]!s', '', $string);
-
-		//  Removes single line '//' comments, treats blank characters
-		$string = preg_replace('![ \t]*//.*[ \t]*[\r\n]!', '', $string);
-
-		//  Strip blank lines
-		$string = preg_replace("/(^[\r\n]*|[\r\n]+)[\s\t]*[\r\n]+/", "\n", $string);
-
-		return $string;
-	}
-
 	/**
 	 * Install menus
 	 * Helper function for plugins

system/libs/pot/OTS_Account.php

@@ -21,7 +21,6 @@
  * @property string $password Password.
  * @property string $eMail Email address.
  * @property int $premiumEnd Timestamp of PACC end.
- * @property bool $blocked Blocked flag state.
  * @property bool $deleted Deleted flag state.
  * @property bool $warned Warned flag state.
  * @property bool $banned Ban state.
@@ -39,7 +38,7 @@ class OTS_Account extends OTS_Row_DAO implements IteratorAggregate, Countable
  * @var array
  * @version 0.1.5
  */
-    private $data = array('email' => '', 'blocked' => false, 'rlname' => '','location' => '', 'country' => '','web_flags' => 0, 'lastday' => 0, 'premdays' => 0, 'created' => 0);
+    private $data = array('email' => '', 'rlname' => '','location' => '', 'country' => '','web_flags' => 0, 'lastday' => 0, 'premdays' => 0, 'created' => 0);
 
 	public static $cache = array();
 
@@ -231,26 +230,22 @@ class OTS_Account extends OTS_Row_DAO implements IteratorAggregate, Countable
  * @param int $id Account number.
  * @throws PDOException On PDO operation error.
  */
-    public function load($id, $fresh = false, $searchOnlyById = false)
+    public function load($id, $fresh = false)
     {
 		if(!$fresh && isset(self::$cache[$id])) {
 			$this->data = self::$cache[$id];
 			return;
 		}
 
-		$numberColumn = 'id';
 		$nameOrNumber = '';
-		if (!$searchOnlyById) {
 		if (USE_ACCOUNT_NAME) {
 			$nameOrNumber = '`name`,';
 		} else if (USE_ACCOUNT_NUMBER) {
 			$nameOrNumber = '`number`,';
-				$numberColumn = 'number';
-			}
 		}
 
         // SELECT query on database
-		$this->data = $this->db->query('SELECT `id`, ' . $nameOrNumber . '`password`, `email`, `blocked`, `rlname`, `location`, `country`, `web_flags`, ' . ($this->db->hasColumn('accounts', 'premdays') ? '`premdays`, ' : '') . ($this->db->hasColumn('accounts', 'lastday') ? '`lastday`, ' : ($this->db->hasColumn('accounts', 'premend') ? '`premend`,' : ($this->db->hasColumn('accounts', 'premium_ends_at') ? '`premium_ends_at`,' : ''))) . '`created` FROM `accounts` WHERE `' . $numberColumn . '` = ' . (int) $id)->fetch();
+		$this->data = $this->db->query('SELECT `id`, ' . $nameOrNumber . '`password`, `email`, `rlname`, `location`, `country`, `web_flags`, ' . ($this->db->hasColumn('accounts', 'premdays') ? '`premdays`, ' : '') . ($this->db->hasColumn('accounts', 'lastday') ? '`lastday`, ' : ($this->db->hasColumn('accounts', 'premend') ? '`premend`,' : ($this->db->hasColumn('accounts', 'premium_ends_at') ? '`premium_ends_at`,' : ''))) . '`created` FROM `accounts` WHERE `id` = ' . (int) $id)->fetch();
 		self::$cache[$id] = $this->data;
     }
 
@@ -268,8 +263,13 @@ class OTS_Account extends OTS_Row_DAO implements IteratorAggregate, Countable
  */
     public function find($name)
     {
+		$nameOrNumberColumn = 'name';
+		if (USE_ACCOUNT_NUMBER) {
+			$nameOrNumberColumn = 'number';
+		}
+
         // finds player's ID
-        $id = $this->db->query('SELECT `id` FROM `accounts` WHERE `name` = ' . $this->db->quote($name) )->fetch();
+        $id = $this->db->query('SELECT `id` FROM `accounts` WHERE `' . $nameOrNumberColumn . '` = ' . $this->db->quote($name) )->fetch();
 
         // if anything was found
         if( isset($id['id']) )
@@ -345,7 +345,7 @@ class OTS_Account extends OTS_Row_DAO implements IteratorAggregate, Countable
 	}
 
         // UPDATE query on database
-        $this->db->exec('UPDATE `accounts` SET ' . ($this->db->hasColumn('accounts', 'name') ? '`name` = ' . $this->db->quote($this->data['name']) . ',' : '') . '`password` = ' . $this->db->quote($this->data['password']) . ', `email` = ' . $this->db->quote($this->data['email']) . ', `blocked` = ' . (int) $this->data['blocked'] . ', `rlname` = ' . $this->db->quote($this->data['rlname']) . ', `location` = ' . $this->db->quote($this->data['location']) . ', `country` = ' . $this->db->quote($this->data['country']) . ', `web_flags` = ' . (int) $this->data['web_flags'] . ', ' . ($this->db->hasColumn('accounts', 'premdays') ? '`premdays` = ' . (int) $this->data['premdays'] . ',' : '') . '`' . $field . '` = ' . (int) $this->data[$field] . ' WHERE `id` = ' . $this->data['id']);
+        $this->db->exec('UPDATE `accounts` SET ' . ($this->db->hasColumn('accounts', 'name') ? '`name` = ' . $this->db->quote($this->data['name']) . ',' : '') . '`password` = ' . $this->db->quote($this->data['password']) . ', `email` = ' . $this->db->quote($this->data['email']) . ', `rlname` = ' . $this->db->quote($this->data['rlname']) . ', `location` = ' . $this->db->quote($this->data['location']) . ', `country` = ' . $this->db->quote($this->data['country']) . ', `web_flags` = ' . (int) $this->data['web_flags'] . ', ' . ($this->db->hasColumn('accounts', 'premdays') ? '`premdays` = ' . (int) $this->data['premdays'] . ',' : '') . '`' . $field . '` = ' . (int) $this->data[$field] . ' WHERE `id` = ' . $this->data['id']);
     }
 
 /**
@@ -650,53 +650,6 @@ class OTS_Account extends OTS_Row_DAO implements IteratorAggregate, Countable
         $this->data['email'] = (string) $email;
     }
 
-/**
- * Checks if account is blocked.
- *
- * <p>
- * Note: Since 0.0.3 version this method throws {@link E_OTS_NotLoaded E_OTS_NotLoaded} exception instead of triggering E_USER_WARNING.
- * </p>
- *
- * @version 0.0.3
- * @return bool Blocked state.
- * @throws E_OTS_NotLoaded If account is not loaded.
- */
-    public function isBlocked()
-    {
-        if( !isset($this->data['blocked']) )
-        {
-            throw new E_OTS_NotLoaded();
-        }
-
-        return $this->data['blocked'];
-    }
-
-/**
- * Unblocks account.
- *
- * <p>
- * This method only updates object state. To save changes in database you need to use {@link OTS_Account::save() save() method} to flush changed to database.
- * </p>
- */
-    public function unblock()
-    {
-        $this->data['blocked'] = false;
-    }
-
-/**
- * Blocks account.
- *
- * <p>
- * This method only updates object state. To save changes in databaseed to use {@link OTS_Account::save() save() method} to flush changed to database.
- * </p>
- */
-    public function block()
-    {
-        $this->data['blocked'] = true;
-    }
-
-
-
 /**
  * Reads custom field.
  *
@@ -1147,9 +1100,6 @@ class OTS_Account extends OTS_Row_DAO implements IteratorAggregate, Countable
             case 'playersList':
                 return $this->getPlayersList();
 
-            case 'blocked':
-                return $this->isBlocked();
-
             case 'deleted':
                 return $this->isDeleted();
 
@@ -1195,17 +1145,6 @@ class OTS_Account extends OTS_Row_DAO implements IteratorAggregate, Countable
                 $this->setPremiumEnd($value);
                 break;
 
-            case 'blocked':
-                if($value)
-                {
-                    $this->block();
-                }
-                else
-                {
-                    $this->unblock();
-                }
-                break;
-
             case 'deleted':
                 if($value)
                 {

system/libs/pot/OTS_Base_DB.php

@@ -92,27 +92,40 @@ abstract class OTS_Base_DB extends PDO implements IOTS_DB
 		return $ret;
     }
 
-	public function select($table, $where, $limit = null)
+	public function select($table, $where = [], $limit = null)
 	{
 		$fields = array_keys($where);
 		$values = array_values($where);
-		$query = 'SELECT * FROM ' . $this->tableName($table) . ' WHERE (';
+		$query = 'SELECT * FROM ' . $this->tableName($table);
+
+		if (!empty($where)) {
+			$query .= ' WHERE (';
 
 			$count = count($fields);
-		for ($i = 0; $i < $count; $i++)
+			for ($i = 0; $i < $count; $i++) {
-			$query.= $this->fieldName($fields[$i]).' = '.$this->quote($values[$i]).' AND ';
+				$query .= $this->fieldName($fields[$i]) . ' = ' . $this->quote($values[$i]) . ' AND ';
+			}
 
 			$query = substr($query, 0, -4);
+			$query .= ')';
+		}
+
 		if (isset($limit))
-			$query .=') LIMIT '.$limit.';';
+			$query .=' LIMIT '.$limit.';';
 		else
-			$query .=');';
+			$query .=';';
 
 		$query = $this->query($query);
-		if($query->rowCount() != 1) return false;
+		$rowCount = $query->rowCount();
+		if ($rowCount <= 0) return false;
+		else if ($rowCount == 1) {
 			return $query->fetch();
 		}
 
+		return $query->fetchAll();
+
+	}
+
 	public function insert($table, $data)
 	{
 		$fields = array_keys($data);

system/libs/pot/OTS_Monster.php

@@ -36,6 +36,7 @@
  * @property-read int $armor Armor rate.
  * @property-read array $defenses List of defenses.
  * @property-read array $attacks List of attacks.
+ * @property-read array $look List of looks.
  */
 class OTS_Monster extends DOMDocument
 {
@@ -273,6 +274,30 @@ class OTS_Monster extends DOMDocument
         return $loot;
     }
 
+/**
+ * Returns look of the monster.
+ * 
+ * @return array Look with all the attributes of the look.
+ * @throws DOMException On DOM operation error.
+ */
+    public function getLook()
+    {
+        $look = array();
+
+        $element = $this->documentElement->getElementsByTagName('look')->item(0);
+
+        $look['type'] = $element->getAttribute('type');
+        $look['typeex'] = $element->getAttribute('typeex');
+        $look['head'] = $element->getAttribute('head');
+        $look['body'] = $element->getAttribute('body');
+        $look['legs'] = $element->getAttribute('legs');
+        $look['feet'] = $element->getAttribute('feet');
+        $look['addons'] = $element->getAttribute('addons');
+        $look['corpse'] = $element->getAttribute('corpse');
+
+        return $look;
+    }
+
 /**
  * Returns all monster summons.
  *
@@ -560,6 +585,9 @@ class OTS_Monster extends DOMDocument
             case 'attacks':
                 return $this->getAttacks();
 
+            case 'look':
+                return $this->getLook();
+
             default:
                 throw new OutOfBoundsException();
         }

system/libs/pot/OTS_MonstersList.php

@@ -174,6 +174,7 @@ class OTS_MonstersList implements Iterator, Countable, ArrayAccess
  * @return OTS_Monster Monster.
  * @throws DOMException On DOM operation error.
  */
+	#[\ReturnTypeWillChange]
     public function current()
     {
         return $this->getMonster( key($this->monsters) );
@@ -187,7 +188,7 @@ class OTS_MonstersList implements Iterator, Countable, ArrayAccess
 /**
  * Moves to next iterator monster.
  */
-    public function next()
+    public function next(): void
     {
         next($this->monsters);
     }
@@ -197,6 +198,7 @@ class OTS_MonstersList implements Iterator, Countable, ArrayAccess
  *
  * @return string Current position key.
  */
+	#[\ReturnTypeWillChange]
     public function key()
     {
         return key($this->monsters);
@@ -207,7 +209,7 @@ class OTS_MonstersList implements Iterator, Countable, ArrayAccess
  *
  * @return bool If iterator has anything more.
  */
-    public function valid()
+    public function valid(): bool
     {
         return key($this->monsters) !== null;
     }
@@ -215,7 +217,7 @@ class OTS_MonstersList implements Iterator, Countable, ArrayAccess
 /**
  * Resets iterator index.
  */
-    public function rewind()
+    public function rewind(): void
     {
         reset($this->monsters);
     }
@@ -226,6 +228,7 @@ class OTS_MonstersList implements Iterator, Countable, ArrayAccess
  * @param string $offset Array key.
  * @return bool True if it's set.
  */
+	#[\ReturnTypeWillChange]
     public function offsetExists($offset)
     {
         return isset($this->monsters[$offset]);
@@ -239,6 +242,7 @@ class OTS_MonstersList implements Iterator, Countable, ArrayAccess
  * @return OTS_Monster Monster instance.
  * @throws DOMException On DOM operation error.
  */
+	#[\ReturnTypeWillChange]
     public function offsetGet($offset)
     {
         return $this->getMonster($offset);
@@ -251,6 +255,7 @@ class OTS_MonstersList implements Iterator, Countable, ArrayAccess
  * @param mixed $value Field value.
  * @throws E_OTS_ReadOnly Always - this class is read-only.
  */
+	#[\ReturnTypeWillChange]
     public function offsetSet($offset, $value)
     {
         throw new E_OTS_ReadOnly();
@@ -262,6 +267,7 @@ class OTS_MonstersList implements Iterator, Countable, ArrayAccess
  * @param string|int $offset Array key.
  * @throws E_OTS_ReadOnly Always - this class is read-only.
  */
+	#[\ReturnTypeWillChange]
     public function offsetUnset($offset)
     {
         throw new E_OTS_ReadOnly();

system/libs/pot/OTS_Player.php

@@ -398,7 +398,7 @@ class OTS_Player extends OTS_Row_DAO
 			}
 
             // UPDATE query on database
-            $this->db->query('UPDATE ' . $this->db->tableName('players') . ' SET ' . $this->db->fieldName('name') . ' = ' . $this->db->quote($this->data['name']) . ', ' . $this->db->fieldName('account_id') . ' = ' . $this->data['account_id'] . ', ' . $this->db->fieldName('group_id') . ' = ' . $this->data['group_id'] . ', ' . $this->db->fieldName('sex') . ' = ' . $this->data['sex'] . ', ' . $this->db->fieldName('vocation') . ' = ' . $this->data['vocation'] . ', ' . $this->db->fieldName('experience') . ' = ' . $this->data['experience'] . ', ' . $this->db->fieldName('level') . ' = ' . $this->data['level'] . ', ' . $this->db->fieldName('maglevel') . ' = ' . $this->data['maglevel'] . ', ' . $this->db->fieldName('health') . ' = ' . $this->data['health'] . ', ' . $this->db->fieldName('healthmax') . ' = ' . $this->data['healthmax'] . ', ' . $this->db->fieldName('mana') . ' = ' . $this->data['mana'] . ', ' . $this->db->fieldName('manamax') . ' = ' . $this->data['manamax'] . ', ' . $this->db->fieldName('manaspent') . ' = ' . $this->data['manaspent'] . ', ' . $this->db->fieldName('soul') . ' = ' . $this->data['soul'] . ', ' . $this->db->fieldName('lookbody') . ' = ' . $this->data['lookbody'] . ', ' . $this->db->fieldName('lookfeet') . ' = ' . $this->data['lookfeet'] . ', ' . $this->db->fieldName('lookhead') . ' = ' . $this->data['lookhead'] . ', ' . $this->db->fieldName('looklegs') . ' = ' . $this->data['looklegs'] . ', ' . $this->db->fieldName('looktype') . ' = ' . $this->data['looktype'] . $lookaddons . ', ' . $this->db->fieldName('posx') . ' = ' . $this->data['posx'] . ', ' . $this->db->fieldName('posy') . ' = ' . $this->data['posy'] . ', ' . $this->db->fieldName('posz') . ' = ' . $this->data['posz'] . ', ' . $this->db->fieldName('cap') . ' = ' . $this->data['cap'] . ', ' . $this->db->fieldName('lastlogin') . ' = ' . $this->data['lastlogin'] . ', ' . $this->db->fieldName('lastlogout') . ' = ' . $this->data['lastlogout'] . ', ' . $this->db->fieldName('lastip') . ' = ' . $this->data['lastip'] . ', ' . $this->db->fieldName('save') . ' = ' . (int) $this->data['save'] . ', ' . $this->db->fieldName('conditions') . ' = ' . $this->db->quote($this->data['conditions']) . ', `' . $skull_time . '` = ' . $this->data['skulltime'] . ', `' . $skull_type . '` = ' . (int) $this->data['skull'] . $guild_info . ', ' . $this->db->fieldName('town_id') . ' = ' . $this->data['town_id'] . $loss . $loss_items . ', ' . $this->db->fieldName('balance') . ' = ' . $this->data['balance'] . $blessings . $stamina . $direction . ' WHERE ' . $this->db->fieldName('id') . ' = ' . $this->data['id']);
+            $this->db->query('UPDATE ' . $this->db->tableName('players') . ' SET ' . $this->db->fieldName('name') . ' = ' . $this->db->quote($this->data['name']) . ', ' . $this->db->fieldName('account_id') . ' = ' . $this->data['account_id'] . ', ' . $this->db->fieldName('group_id') . ' = ' . $this->data['group_id'] . ', ' . $this->db->fieldName('sex') . ' = ' . $this->data['sex'] . ', ' . $this->db->fieldName('vocation') . ' = ' . $this->data['vocation'] . ', ' . $this->db->fieldName('experience') . ' = ' . $this->data['experience'] . ', ' . $this->db->fieldName('level') . ' = ' . $this->data['level'] . ', ' . $this->db->fieldName('maglevel') . ' = ' . $this->data['maglevel'] . ', ' . $this->db->fieldName('health') . ' = ' . $this->data['health'] . ', ' . $this->db->fieldName('healthmax') . ' = ' . $this->data['healthmax'] . ', ' . $this->db->fieldName('mana') . ' = ' . $this->data['mana'] . ', ' . $this->db->fieldName('manamax') . ' = ' . $this->data['manamax'] . ', ' . $this->db->fieldName('manaspent') . ' = ' . $this->data['manaspent'] . ', ' . $this->db->fieldName('soul') . ' = ' . $this->data['soul'] . ', ' . $this->db->fieldName('lookbody') . ' = ' . $this->data['lookbody'] . ', ' . $this->db->fieldName('lookfeet') . ' = ' . $this->data['lookfeet'] . ', ' . $this->db->fieldName('lookhead') . ' = ' . $this->data['lookhead'] . ', ' . $this->db->fieldName('looklegs') . ' = ' . $this->data['looklegs'] . ', ' . $this->db->fieldName('looktype') . ' = ' . $this->data['looktype'] . $lookaddons . ', ' . $this->db->fieldName('posx') . ' = ' . $this->data['posx'] . ', ' . $this->db->fieldName('posy') . ' = ' . $this->data['posy'] . ', ' . $this->db->fieldName('posz') . ' = ' . $this->data['posz'] . ', ' . $this->db->fieldName('cap') . ' = ' . $this->data['cap'] . ', ' . $this->db->fieldName('lastlogin') . ' = ' . $this->data['lastlogin'] . ', ' . $this->db->fieldName('lastlogout') . ' = ' . $this->data['lastlogout'] . ', ' . $this->db->fieldName('lastip') . ' = ' . $this->db->quote($this->data['lastip']) . ', ' . $this->db->fieldName('save') . ' = ' . (int) $this->data['save'] . ', ' . $this->db->fieldName('conditions') . ' = ' . $this->db->quote($this->data['conditions']) . ', `' . $skull_time . '` = ' . $this->data['skulltime'] . ', `' . $skull_type . '` = ' . (int) $this->data['skull'] . $guild_info . ', ' . $this->db->fieldName('town_id') . ' = ' . $this->data['town_id'] . $loss . $loss_items . ', ' . $this->db->fieldName('balance') . ' = ' . $this->data['balance'] . $blessings . $stamina . $direction . ' WHERE ' . $this->db->fieldName('id') . ' = ' . $this->data['id']);
         }
         // creates new player
         else
@@ -602,7 +602,7 @@ class OTS_Player extends OTS_Row_DAO
         }
 
         $account = new OTS_Account();
-        $account->load($this->data['account_id'], false, true);
+        $account->load($this->data['account_id']);
         return $account;
     }
 

system/libs/pot/OTS_SpellsList.php

@@ -308,7 +308,7 @@ class OTS_SpellsList implements IteratorAggregate, Countable
  * @since 0.1.5
  * @return AppendIterator Iterator for all spells.
  */
-    public function getIterator()
+    public function getIterator(): Traversable
     {
         $iterator = new AppendIterator();
         $iterator->append( new ArrayIterator($this->runes) );

system/libs/visitors.php

@@ -34,10 +34,12 @@ class Visitors
 		$this->cleanVisitors();
 
 		$ip = $_SERVER['REMOTE_ADDR'];
+		$userAgentShortened = substr($_SERVER['HTTP_USER_AGENT'] ?? 'unknown', 0, 255);
+
 		if($this->visitorExists($ip))
-			$this->updateVisitor($ip, $_SERVER['REQUEST_URI']);
+			$this->updateVisitor($ip, $_SERVER['REQUEST_URI'], $userAgentShortened);
 		else
-			$this->addVisitor($ip, $_SERVER['REQUEST_URI']);
+			$this->addVisitor($ip, $_SERVER['REQUEST_URI'], $userAgentShortened);
 	}
 
 	public function __destruct()
@@ -75,26 +77,26 @@ class Visitors
 		$db->exec('DELETE FROM ' . $db->tableName(TABLE_PREFIX . 'visitors') . ' WHERE ' . $db->fieldName('lastvisit') . ' < ' . (time() - $this->sessionTime * 60));
 	}
 
-	private function updateVisitor($ip, $page)
+	private function updateVisitor($ip, $page, $userAgent)
 	{
 		if($this->cacheEnabled) {
-			$this->data[$ip] = array('page' => $page, 'lastvisit' => time());
+			$this->data[$ip] = array('page' => $page, 'lastvisit' => time(), 'user_agent' => $userAgent);
 			return;
 		}
 
 		global $db;
-		$db->exec('UPDATE ' . $db->tableName(TABLE_PREFIX . 'visitors') . ' SET ' . $db->fieldName('lastvisit') . ' = ' . time() . ', ' . $db->fieldName('page') . ' = ' . $db->quote($page) . ' WHERE ' . $db->fieldName('ip') . ' = ' . $db->quote($ip));
+		$db->update(TABLE_PREFIX . 'visitors', ['lastvisit' => time(), 'page' => $page, 'user_agent' => $userAgent], ['ip' => $ip]);
 	}
 
-	private function addVisitor($ip, $page)
+	private function addVisitor($ip, $page, $userAgent)
 	{
 		if($this->cacheEnabled) {
-			$this->data[$ip] = array('page' => $page, 'lastvisit' => time());
+			$this->data[$ip] = array('page' => $page, 'lastvisit' => time(), 'user_agent' => $userAgent);
 			return;
 		}
 
 		global $db;
-		$db->exec('INSERT INTO ' . $db->tableName(TABLE_PREFIX . 'visitors') . ' (' . $db->fieldName('ip') . ' ,' . $db->fieldName('lastvisit') . ', ' . $db->fieldName('page') . ') VALUE (' . $db->quote($ip) . ', ' . time() . ', ' . $db->quote($page) . ')');
+		$db->insert(TABLE_PREFIX . 'visitors', ['ip' => $ip, 'lastvisit' => time(), 'page' => $page, 'user_agent' => $userAgent]);
 	}
 
 	public function getVisitors()
@@ -107,7 +109,7 @@ class Visitors
 		}
 
 		global $db;
-		return $db->query('SELECT ' . $db->fieldName('ip') . ', ' . $db->fieldName('lastvisit') . ', ' . $db->fieldName('page') . ' FROM ' . $db->tableName(TABLE_PREFIX . 'visitors') . ' ORDER BY ' . $db->fieldName('lastvisit') . ' DESC')->fetchAll();
+		return $db->query('SELECT ' . $db->fieldName('ip') . ', ' . $db->fieldName('lastvisit') . ', ' . $db->fieldName('page') . ', ' . $db->fieldName('user_agent') . ' FROM ' . $db->tableName(TABLE_PREFIX . 'visitors') . ' ORDER BY ' . $db->fieldName('lastvisit') . ' DESC')->fetchAll();
 	}
 
 	public function getAmountVisitors()

system/locale/de/install.php

@@ -20,7 +20,7 @@ $locale['not_loaded'] = 'Nicht geladen';
 $locale['loading_spinner'] = 'Bitte warten, installieren...';
 $locale['importing_spinner'] = 'Bitte warte, Daten werden importiert...';
 $locale['please_fill_all'] = 'Bitte füllen Sie alle Felder aus!';
-$locale['already_installed'] = 'MyAAC wurde bereits installiert. Bitte löschen <b>install/<b/> Verzeichnis. Wenn Sie MyAAC neu installieren möchten, löschen Sie die Datei <strong>config.local.php</strong> aus dem Hauptverzeichnis und aktualisieren Sie die Seite.';
+$locale['already_installed'] = 'MyAAC wurde bereits installiert. Bitte löschen <b>install/</b> Verzeichnis. Wenn Sie MyAAC neu installieren möchten, löschen Sie die Datei <strong>config.local.php</strong> aus dem Hauptverzeichnis und aktualisieren Sie die Seite.';
 
 // welcome
 $locale['step_welcome'] = 'Willkommen';
@@ -99,7 +99,10 @@ $locale['step_admin_account_id_error_same'] = 'Das Passwort darf nicht mit der K
 $locale['step_admin_password'] = 'Administrator Konto Passwort';
 $locale['step_admin_password_desc'] = 'Passwort für Ihr Administratorkonto.';
 $locale['step_admin_password_error_empty'] = 'Bitte geben Sie das Passwort für Ihr neues Konto ein.';
-$locale['step_admin_password_error_format'] = 'Ungültiges Passwortformat. Verwenden Sie nur a-Z und Ziffern 0-9. Mindestens 8, maximal 30 Zeichen.';
+$locale['step_admin_password_error_format'] = 'Ungültiges Passwortformat. Mindestens eine Buchstabe und eine Ziffer. Mindestens 8, maximal 30 Zeichen.';
+$locale['step_admin_password_confirm'] = 'Password wiederholen';
+$locale['step_admin_password_confirm_desc'] = 'Passwort für dein Konto wiederholen.';
+$locale['step_admin_password_confirm_error_not_same'] = 'Passwörter sind nicht gleich.';
 
 // finish
 $locale['step_finish_admin_panel'] = 'Admin Bereich';