Merge branch 'develop' into feature/refactor-account-lost

* feat: rate limit settings

* fix: section label

* fix: real ip

* fix: real ip

.github/workflows/phpstan.yml

@@ -36,9 +36,8 @@ jobs:
         with:
           path: ${{ steps.composer-cache.outputs.dir }}
           # Use composer.json for key, if composer.lock is not committed.
-          key: ${{ runner.os }}-composer-${{ hashFiles('**/composer.json') }}
-          #key: ${{ runner.os }}-composer-${{ hashFiles('**/composer.lock') }}
-          restore-keys: ${{ runner.os }}-composer-${{ hashFiles('**/composer.json') }}
+          key: ${{ runner.os }}-composer-${{ hashFiles('**/composer.lock') }}
+          restore-keys: ${{ runner.os }}-composer-${{ hashFiles('**/composer.lock') }}
 
       - name: "Install composer dependencies"
         run: "composer install"

.gitignore

@@ -7,7 +7,6 @@ Thumbs.db
 
 # composer
 composer.phar
-composer.lock
 vendor
 
 # npm

CHANGELOG.md

@@ -1,6 +1,36 @@
 # Changelog
 
-## [1.0-beta - 02.02.2024]
+## [1.0-RC -23.07.2024]
+
+Changes since 1.0-beta:
+
+### Added
+* Feat: Hooks priority (https://github.com/slawkens/myaac/commit/dc17b701da053e04bfa64e21be9247a4f07505e1)
+* Make autoload of pages, commands and themes configurable (https://github.com/slawkens/myaac/commit/c1d4b4f80cd6bb85507ee9471e47013955a26a91)
+* Fraggers in characters page for TFS 1.x and canary (https://github.com/slawkens/myaac/commit/42f99c3edc8de39cccc5632cb42e88b24579c5a6)
+* New hooks: HOOK_INSTALL_FINISH, HOOK_ACCOUNT_CREATE_CHARACTER_* (https://github.com/slawkens/myaac/commit/08ac8ebade106521a5c7396faa5ce7006e629f7c, https://github.com/slawkens/myaac/commit/45dda5e834ff2059faea6ef9be2efa76f1723cbd)
+
+### Changed
+* Allow account_create_character_create even if account_mail_verify is activated (https://github.com/slawkens/myaac/commit/203e411b626fe62401a4b74a48420769e512aa39)
+* Create guild_rank entries, in case MySQL trigger not loaded (https://github.com/slawkens/myaac/commit/d9c1b2507c81f306970642b35e4bf5f7cc04a6f2, https://github.com/slawkens/myaac/commit/47a19e85dd84e9f3b39a1b29cfc2c04b004832b9)
+* Set Admin Account verified by default (https://github.com/slawkens/myaac/commit/cd49dfc79942f3301ce9c0b8d899b9f39bda9a41)
+* Refactor account routes into sub folders (https://github.com/slawkens/myaac/commit/bdc0c43d3fd3a51030c3e916bdb9f008468f5ecd)
+* Order towns by id (https://github.com/slawkens/myaac/commit/9ea2a5067fc4b75de395f381577b18914132ad84)
+* Do not create news about myaac, if any news already exist (on installation (https://github.com/slawkens/myaac/commit/504242fb846b73b56b87bc1e39d070687ad7f5b4)
+
+### Fixed
+* Not working google recaptcha plugin (https://github.com/slawkens/myaac/commit/a1bcb217ecf4e21fd58da4ba491da1852029898a)
+* Not working account create if account_country is disabled (https://github.com/slawkens/myaac/commit/933b681a9fcdbb6283e0469b3806d2ded492d232)
+* Account verify - do not allow login without verified email (Thanks @anyeor, https://github.com/slawkens/myaac/commit/fcb13f3c0fb8ceafda0bd614a229a26a269432bd)
+* Detect tools/ext exists on install to prevent broken installs (https://github.com/slawkens/myaac/commit/10a739773c4f2911876bc802a0ee0537c3e00a92)
+* Cache reloading each time page refreshes (https://github.com/slawkens/myaac/commit/ec96985872057340112f65073efc0c4bf86dddb0)
+* Highscores frags for TFS 1.x and canary (https://github.com/slawkens/myaac/commit/a04d186c22912915f0a7873dfe677ef3b5a23c79)
+* Monsters page: monster not found exception (https://github.com/slawkens/myaac/commit/ef79b99b8acc179f14b8475547347d9daca27512)
+* Fixed bug if \<flags\> are not present in monster.xml (https://github.com/slawkens/myaac/commit/57b47ab7983f625c7c0ef4f5303a4d07ef172786)
+* fastRoute duplicate errors (https://github.com/slawkens/myaac/commit/4c0739d3e93812dff0c33849ea3f38e4e49113ac)
+* useGuildNick displaying (https://github.com/slawkens/myaac/commit/0db0ec1aa47e044c26bc403ff5078a2115d086f8)
+
+## [1.0-beta - 18.05.2024]
 
 Minimum PHP version for this release is 8.1.
 
@@ -22,7 +52,7 @@ Minimum PHP version for this release is 8.1.
   * list of open source libraries used in project page
 * auto-loading of themes, commands & pages from plugins/ folder. You need just to place them in correct folder and they will be loaded automatically - this allows better customization, without interfering with core AAC folders. This will allow in the future automatic updates for plugins as well the AAC as whole.
 * config.php moved to Admin Panel -> Settings page
-* new console script: aac (comes from MyAAC) - using symfony/console
+* new console script: aac - using symfony/console
   * usage: `php aac` (will list all commands by default)
   * example: `php aac cache:clear`
   * example: `php aac plugin:install theme-example.zip`
@@ -46,7 +76,7 @@ Minimum PHP version for this release is 8.1.
 * phpdebug bar (http://phpdebugbar.com/). Activated if env == 'dev', can be also activated in production by enabling "enable_debugbar" in local config
 
 ### Changed
-* Composer is now used for external libraries like: Twig, PHPMailer, fast-route etc.
+* Composer and NPM is now used for external libraries like: Twig, PHPMailer, fast-route, jQuery, Bootstrap etc.
 * mail support is disabled on fresh install, can be manually enabled by user
 * disable add php pages in admin panel for security. Option to disable plugins upload
 * visitors counter shows now user browser, and also if its bot

admin/pages/accounts.php

@@ -8,6 +8,7 @@
  * @link      https://my-aac.org
  */
 
+use MyAAC\Models\Account as AccountModel;
 use MyAAC\Models\Player;
 
 defined('MYAAC') or die('Direct access not allowed!');
@@ -51,36 +52,51 @@ $acc_type = setting('core.account_types');
 
 <?php
 $id = 0;
-$search_account = '';
+$search_account = $search_account_email = '';
 if (isset($_REQUEST['id']))
 	$id = (int)$_REQUEST['id'];
+else if (isset($_REQUEST['search_email'])) {
+	$search_account_email = $_REQUEST['search_email'];
+	$accountModel = AccountModel::where('email', $search_account_email)->limit(11)->get(['email', 'id']);
+	if (count($accountModel) == 0) {
+		echo_error('No entries found.');
+	} else if (count($accountModel) == 1) {
+		$id = $accountModel->first()->getKey();
+	} else if (count($accountModel) > 10) {
+		echo_error('Specified e-mail resulted with too many accounts.');
+	}
+}
 else if (isset($_REQUEST['search'])) {
 	$search_account = $_REQUEST['search'];
-	if (strlen($search_account) < 3 && !Validator::number($search_account)) {
-		echo_error('Player name is too short.');
+	$min_size = 3;
+	if ($nameOrNumberColumn == 'number') {
+		$min_size = 1;
+	}
+
+	if (strlen($search_account) < $min_size && !Validator::number($search_account)) {
+		echo_error('Account ' . $nameOrNumberColumn . ' is too short.');
 	} else {
-		$query = $db->query('SELECT `id` FROM `accounts` WHERE `' . $nameOrNumberColumn . '` = ' . $db->quote($search_account));
-		if ($query->rowCount() == 1) {
-			$query = $query->fetch();
-			$id = (int)$query['id'];
+		$query = AccountModel::where($nameOrNumberColumn, '=', $search_account)->limit(11)->get(['id', $nameOrNumberColumn]);
+		if (count($query) == 0) {
+			echo_error('No entries found.');
+		} else if (count($query) == 1) {
+			$id = $query->first()->getKey();
+		} else if (count($query) > 10) {
+			echo_error('Specified name resulted with too many accounts.');
 		} else {
-			$query = $db->query('SELECT `id`, `' . $nameOrNumberColumn . '` FROM `accounts` WHERE `' . $nameOrNumberColumn . '` LIKE ' . $db->quote('%' . $search_account . '%'));
-			if ($query->rowCount() > 0 && $query->rowCount() <= 10) {
 			$str_construct = 'Do you mean?<ul class="mb-0">';
-				foreach ($query as $row)
-					$str_construct .= '<li><a href="' . $admin_base . '&id=' . $row['id'] . '">' . $row[$nameOrNumberColumn] . '</a></li>';
+			foreach ($query as $row) {
+				$str_construct .= '<li><a href="' . $admin_base . '&id=' . $row->getKey() . '">' . $row->attributes[$nameOrNumberColumn] . '</a></li>';
+			}
 			$str_construct .= '</ul>';
 			echo_error($str_construct);
-			} else if ($query->rowCount() > 10)
-				echo_error('Specified name resulted with too many accounts.');
-			else
-				echo_error('No entries found.');
 		}
 	}
 }
 ?>
 <div class="row">
 	<?php
+	$groups = new OTS_Groups_List();
 	if ($id > 0) {
 		$account = new OTS_Account();
 		$account->load($id);
@@ -143,7 +159,9 @@ else if (isset($_REQUEST['search'])) {
 			$rl_loca = $_POST['rl_loca'];
 
 			//country
+			if(setting('core.account_country')) {
 				$rl_country = $_POST['rl_country'];
+			}
 
 			$web_flags = $_POST['web_flags'];
 			verify_number($web_flags, 'Web Flags', 1);
@@ -190,7 +208,11 @@ else if (isset($_REQUEST['search'])) {
 				}
 				$account->setRLName($rl_name);
 				$account->setLocation($rl_loca);
+
+				if(setting('core.account_country')) {
 					$account->setCountry($rl_country);
+				}
+				
 				$account->setCustomField('created', $created);
 				$account->setWebFlags($web_flags);
 				$account->setCustomField('web_lastlogin', $web_lastlogin);
@@ -214,7 +236,7 @@ else if (isset($_REQUEST['search'])) {
 			}
 		}
 	} else if ($id == 0) {
-		$accounts_db = $db->query('SELECT `id`, `' . $nameOrNumberColumn . '`' . ($hasTypeColumn ? ',type' : ($hasGroupColumn ? ',group_id' : '')) . ' FROM `accounts` ORDER BY `id` ASC');
+		$accounts_db = $db->query('SELECT `id`, `' . $nameOrNumberColumn . '`' . ($hasTypeColumn ? ',type' : ($hasGroupColumn ? ',group_id' : '')) . ', email FROM `accounts` ORDER BY `id` ASC');
 		?>
 		<div class="col-12 col-sm-12 col-lg-10">
 			<div class="card card-info card-outline">
@@ -228,6 +250,7 @@ else if (isset($_REQUEST['search'])) {
 							<th>ID</th>
 							<th><?= ($nameOrNumberColumn == 'number' ? 'Number' : 'Name'); ?></th>
 							<?php if($hasTypeColumn || $hasGroupColumn): ?>
+							<th>E-Mail</th>
 							<th>Position</th>
 							<?php endif; ?>
 							<th style="width: 40px">Edit</th>
@@ -238,6 +261,7 @@ else if (isset($_REQUEST['search'])) {
 							<tr>
 								<th><?php echo $account_lst['id']; ?></th>
 								<td><?php echo $account_lst[$nameOrNumberColumn]; ?></a></td>
+								<td><?php echo $account_lst['email']; ?></td>
 								<?php if($hasTypeColumn || $hasGroupColumn): ?>
 								<td>
 									<?php if ($hasTypeColumn) {
@@ -404,6 +428,7 @@ else if (isset($_REQUEST['search'])) {
 											   autocomplete="off" maxlength="20"
 											   value="<?php echo $account->getLocation(); ?>"/>
 									</div>
+									<?php if(setting('core.account_country')): ?>
 									<div class="col-12 col-sm-12 col-lg-4">
 										<label for="rl_country">Country:</label>
 										<select name="rl_country" id="rl_country" class="form-control">
@@ -412,6 +437,7 @@ else if (isset($_REQUEST['search'])) {
 											<?php endforeach; ?>
 										</select>
 									</div>
+									<?php endif; ?>
 								</div>
 								<div class="form-group row">
 									<div class="col-12 col-sm-12 col-lg-6">
@@ -583,6 +609,16 @@ else if (isset($_REQUEST['search'])) {
 			</div>
 			<div class="card-body">
 				<div class="row">
+					<div class="col-6 col-lg-12">
+						<form action="<?php echo $admin_base; ?>" method="post">
+							<?php csrf(); ?>
+							<label for="search">Account E-Mail:</label>
+							<div class="input-group input-group-sm">
+								<input type="email" class="form-control" id="search_email" name="search_email" value="<?= escapeHtml($search_account_email); ?>" maxlength="255" size="255">
+								<span class="input-group-append"><button type="submit" class="btn btn-info btn-flat">Search</button></span>
+							</div>
+						</form>
+					</div>
 					<div class="col-6 col-lg-12">
 						<form action="<?php echo $admin_base; ?>" method="post">
 							<?php csrf(); ?>

admin/pages/mailer.php

@@ -7,6 +7,9 @@
  * @copyright 2019 MyAAC
  * @link      https://my-aac.org
  */
+
+use MyAAC\Models\Account;
+
 defined('MYAAC') or die('Direct access not allowed!');
 $title = 'Mailer';
 
@@ -61,15 +64,15 @@ if (!empty($mail_content) && !empty($mail_subject) && empty($mail_to)) {
 		$add = ' AND `email_verified` = 1';
 	}
 
-	$query = $db->query('SELECT `email` FROM `accounts` WHERE `email` != ""' . $add);
+	$query = Account::where('email', '!=', '')->get(['email']);
 	foreach ($query as $email) {
-		if (_mail($email['email'], $mail_subject, $mail_content)) {
+		if (_mail($email->email, $mail_subject, $mail_content)) {
 			$success++;
 		}
 		else {
 			$failed++;
 			echo '<br />';
-			error('An error occorred while sending email to <b>' . $email['email'] . '</b>. For Admin: More info can be found in system/logs/mailer-error.log');
+			error('An error occorred while sending email to <b>' . $email->email . '</b>. For Admin: More info can be found in system/logs/mailer-error.log');
 		}
 	}
 

admin/pages/mass_account.php

@@ -24,20 +24,13 @@ $freePremium = $config['lua']['freePremium'];
 
 function admin_give_points($points)
 {
-	global $db, $hasPointsColumn;
+	global $hasPointsColumn;
 
 	if (!$hasPointsColumn) {
 		displayMessage('Points not supported.');
 		return;
 	}
 
-
-	$statement = $db->prepare('UPDATE `accounts` SET `premium_points` = `premium_points` + :points');
-	if (!$statement) {
-		displayMessage('Failed to prepare query statement.');
-		return;
-	}
-
 	if (!Account::query()->increment('premium_points', $points)) {
 		displayMessage('Failed to add points.');
 		return;
@@ -47,7 +40,7 @@ function admin_give_points($points)
 
 function admin_give_coins($coins)
 {
-	global $db, $hasCoinsColumn;
+	global $hasCoinsColumn;
 
 	if (!$hasCoinsColumn) {
 		displayMessage('Coins not supported.');
@@ -62,24 +55,6 @@ function admin_give_coins($coins)
 	displayMessage($coins . ' coins added to all accounts.', true);
 }
 
-function query_add_premium($column, $value_query, $condition_query = '1=1', $params = [])
-{
-	global $db;
-
-	$statement = $db->prepare("UPDATE `accounts` SET `{$column}` = $value_query WHERE $condition_query");
-	if (!$statement) {
-		displayMessage('Failed to prepare query statement.');
-		return false;
-	}
-
-	if (!$statement->execute($params)) {
-		displayMessage('Failed to add premium days.');
-		return false;
-	}
-
-	return true;
-}
-
 function admin_give_premdays($days)
 {
 	global $db, $freePremium;
@@ -94,9 +69,9 @@ function admin_give_premdays($days)
 	// othire
 	if ($db->hasColumn('accounts', 'premend')) {
 		// append premend
-		if (query_add_premium('premend', '`premend` + :value', '`premend` > :now', ['value' => $value, 'now' => $now])) {
+		if (Account::where('premend', '>', $now)->increment('premend', $value)) {
 			// set premend
-			if (query_add_premium('premend', ':value', '`premend` <= :now', ['value' => $now + $value, 'now' => $now])) {
+			if (Account::where('premend', '<=', $now)->update(['premend' => $now + $value])) {
 				displayMessage($days . ' premium days added to all accounts.', true);
 				return;
 			} else {
@@ -114,11 +89,11 @@ function admin_give_premdays($days)
 	// tfs 0.x
 	if ($db->hasColumn('accounts', 'premdays')) {
 		// append premdays
-		if (query_add_premium('premdays', '`premdays` + :value', '1=1', ['value' => $days])) {
+		if (Account::query()->update(['premdays' => $days])) {
 			// append lastday
-			if (query_add_premium('lastday', '`lastday` + :value', '`lastday` > :now', ['value' => $value, 'now' => $now])) {
+			if (Account::where('lastday', '>', $now)->increment('lastday', $value)) {
 				// set lastday
-				if (query_add_premium('lastday', ':value', '`lastday` <= :now', ['value' => $now + $value, 'now' => $now])) {
+				if (Account::where('lastday', '<=', $now)->update(['lastday' => $now + $value])) {
 					displayMessage($days . ' premium days added to all accounts.', true);
 					return;
 				} else {
@@ -142,9 +117,9 @@ function admin_give_premdays($days)
 	// tfs 1.x
 	if ($db->hasColumn('accounts', 'premium_ends_at')) {
 		// append premium_ends_at
-		if (query_add_premium('premium_ends_at', '`premium_ends_at` + :value', '`premium_ends_at` > :now', ['value' => $value, 'now' => $now])) {
+		if (Account::where('premium_ends_at', '>', $now)->increment('premium_ends_at', $value)) {
 			// set premium_ends_at
-			if (query_add_premium('premium_ends_at', ':value', '`premium_ends_at` <= :now', ['value' => $now + $value, 'now' => $now])) {
+			if (Account::where('premium_ends_at', '<=', $now)->update(['premium_ends_at' => $now + $value])) {
 				displayMessage($days . ' premium days added to all accounts.', true);
 				return;
 			} else {

admin/pages/players.php

@@ -51,22 +51,20 @@ else if (isset($_REQUEST['search'])) {
 	if (strlen($search_player) < 3 && !Validator::number($search_player)) {
 		echo_error('Player name is too short.');
 	} else {
-		$query = $db->query('SELECT `id` FROM `players` WHERE `name` = ' . $db->quote($search_player));
-		if ($query->rowCount() == 1) {
-			$query = $query->fetch();
-			$id = (int)$query['id'];
+		$query = Player::where('name', 'like', '%' . $search_player . '%')->orderBy('name')->limit(11)->get(['id', 'name']);
+		if (count($query) == 0) {
+			echo_error('No entries found.');
+		} else if (count($query) == 1) {
+			$id = $query->first()->getKey();
+		} else if (count($query) > 10) {
+			echo_error('Specified name resulted with too many players.');
 		} else {
-			$query = $db->query('SELECT `id`, `name` FROM `players` WHERE `name` LIKE ' . $db->quote('%' . $search_player . '%'));
-			if ($query->rowCount() > 0 && $query->rowCount() <= 10) {
 			$str_construct = 'Do you mean?<ul>';
-				foreach ($query as $row)
-					$str_construct .= '<li><a href="' . $player_base . '&id=' . $row['id'] . '">' . $row['name'] . '</a></li>';
+			foreach ($query as $row) {
+				$str_construct .= '<li><a href="' . $player_base . '&id=' . $row->getKey() . '">' . $row->name . '</a></li>';
+			}
 			$str_construct .= '</ul>';
 			echo_error($str_construct);
-			} else if ($query->rowCount() > 10)
-				echo_error('Specified name resulted with too many players.');
-			else
-				echo_error('No entries found.');
 		}
 	}
 }
@@ -202,7 +200,7 @@ else if (isset($_REQUEST['search'])) {
 
 			if ($hasBlessingsColumn) {
 				$blessings = $_POST['blessings'];
-				verify_number($blessings, 'Blessings', 2);
+				verify_number($blessings, 'Blessings', 3);
 			}
 
 			$balance = $_POST['balance'];
@@ -274,7 +272,7 @@ else if (isset($_REQUEST['search'])) {
 					$player->setLossContainers($loss_containers);
 					$player->setLossItems($loss_items);
 				}
-				if ($db->hasColumn('players', 'blessings'))
+				if ($hasBlessingsColumn)
 					$player->setBlessings($blessings);
 
 				if ($hasBlessingColumn) {
@@ -307,7 +305,7 @@ else if (isset($_REQUEST['search'])) {
 			}
 		}
 	} else if ($id == 0) {
-		$players_db = $db->query('SELECT `id`, `name`, `level` FROM `players` ORDER BY `id` asc');
+		$players_db = Player::orderBy('id')->get(['id','name', 'level']);
 		?>
 		<div class="col-12 col-sm-12 col-lg-10">
 			<div class="card card-info card-outline">
@@ -327,11 +325,11 @@ else if (isset($_REQUEST['search'])) {
 						<tbody>
 						<?php foreach ($players_db as $player_db): ?>
 							<tr>
-								<th><?php echo $player_db['id']; ?></th>
-								<td><?php echo $player_db['name']; ?></a></td>
-								<td><?php echo $player_db['level']; ?></a></td>
+								<th><?php echo $player_db->id; ?></th>
+								<td><?php echo $player_db->name; ?></a></td>
+								<td><?php echo $player_db->level; ?></a></td>
 
-								<td><a href="?p=players&id=<?php echo $player_db['id']; ?>" class="btn btn-success btn-sm" title="Edit">
+								<td><a href="?p=players&id=<?php echo $player_db->id; ?>" class="btn btn-success btn-sm" title="Edit">
 										<i class="fas fa-pencil-alt"></i>
 									</a>
 								</td>

admin/pages/settings.php

@@ -48,7 +48,7 @@ if (!is_array($settingsFile)) {
 
 $settingsKeyName = ($plugin == 'core' ? $plugin : $settingsFile['key']);
 
-$title = ($plugin == 'core' ? 'Settings' : 'Plugin Settings - ' . $plugin);
+$title = ($plugin == 'core' ? 'Settings' : 'Plugin Settings - ' . $settingsFile['name']);
 
 $settingsParsed = Settings::display($settingsKeyName, $settingsFile['settings']);
 

admin/template/template.php

@@ -6,7 +6,7 @@
 	<?php echo template_header(true); ?>
 	<title><?php echo (isset($title) ? $title . ' - ' : '') . $config['lua']['serverName'];?></title>
 	<meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no">
-	<link rel="stylesheet" href="<?php echo BASE_URL; ?>tools/ext/admin-lte/css/adminlte.min.css">
+	<link rel="stylesheet" href="<?php echo BASE_URL; ?>tools/css/adminlte.min.css">
 	<link rel="stylesheet" href="<?php echo BASE_URL; ?>tools/css/font-awesome.min.css">
 	<?php if (isset($use_datatable)) { ?>
 	<link rel="stylesheet" href="<?php echo BASE_URL; ?>tools/css/datatables.bs.min.css">
@@ -197,7 +197,7 @@ if ($logged && admin()) {
 <script src="<?php echo BASE_URL; ?>tools/js/datatables.min.js"></script>
 <script src="<?php echo BASE_URL; ?>tools/js/datatables.bs.min.js"></script>
 <?php } ?>
-<script src="<?php echo BASE_URL; ?>tools/ext/admin-lte/js/adminlte.min.js"></script>
+<script src="<?php echo BASE_URL; ?>tools/js/adminlte.min.js"></script>
 <?php $hooks->trigger(HOOK_ADMIN_BODY_END); ?>
 </body>
 </html>

common.php

@@ -20,13 +20,13 @@
  *
  * @package   MyAAC
  * @author    Slawkens <slawkens@gmail.com>
- * @copyright 2019 MyAAC
+ * @copyright 2024 MyAAC
  * @link      https://my-aac.org
  */
 if (version_compare(phpversion(), '8.1', '<')) die('PHP version 8.1 or higher is required.');
 
 const MYAAC = true;
-const MYAAC_VERSION = '1.0-beta';
+const MYAAC_VERSION = '1.0-RC';
 const DATABASE_VERSION = 40;
 const TABLE_PREFIX = 'myaac_';
 define('START_TIME', microtime(true));
@@ -156,7 +156,7 @@ if (file_exists(BASE . 'config.local.php')) {
 
 /** @var array $config */
 ini_set('log_errors', 1);
-if(@$config['env'] === 'dev') {
+if(@$config['env'] === 'dev' || defined('MYAAC_INSTALL')) {
 	ini_set('display_errors', 1);
 	ini_set('display_startup_errors', 1);
 	error_reporting(E_ALL);

composer.json

@@ -15,11 +15,12 @@
         "illuminate/database": "^10.18",
         "peppeocchi/php-cron-scheduler": "4.*",
         "symfony/console": "^6.4",
-        "symfony/string": "^6.4"
+        "symfony/string": "^6.4",
+        "symfony/var-dumper": "^6.4",
+        "filp/whoops": "^2.15",
+        "maximebf/debugbar": "dev-master"
     },
     "require-dev": {
-        "filp/whoops": "^2.15",
-        "maximebf/debugbar": "dev-master",
         "phpstan/phpstan": "^1.10"
     },
     "autoload": {

cypress/e2e/1-install.cy.js

@@ -67,7 +67,7 @@ describe('Install MyAAC', () => {
 
 		cy.get('form').submit()
 
-		cy.contains('[class="alert alert-success"]', 'Congratulations', { timeout: 30000 }).should('be.visible')
+		cy.contains('[class="alert alert-success"]', 'Congratulations', { timeout: 60000 }).should('be.visible')
 
 		cy.wait(2000);
 

install/index.php

@@ -3,9 +3,9 @@
 use Twig\Environment as Twig_Environment;
 use Twig\Loader\FilesystemLoader as Twig_FilesystemLoader;
 
-require '../common.php';
+const MYAAC_INSTALL = true;
 
-define('MYAAC_INSTALL', true);
+require '../common.php';
 
 // includes
 require SYSTEM . 'functions.php';
@@ -114,7 +114,7 @@ else if($step == 'finish') {
 	$email = $_SESSION['var_email'];
 	$password = $_SESSION['var_password'];
 	$password_confirm = $_SESSION['var_password_confirm'];
-	$player_name = $_SESSION['var_player_name'];
+	$player_name = $_SESSION['var_player_name'] ?? null;
 
 	// email check
 	if(empty($email)) {
@@ -159,13 +159,14 @@ else if($step == 'finish') {
 		$errors[] = $locale['step_admin_password_confirm_error_not_same'];
 	}
 
+	if (isset($player_name)) {
 		// player name check
-	if(empty($player_name)) {
+		if (empty($player_name)) {
 			$errors[] = $locale['step_admin_player_name_error_empty'];
-	}
-	else if(!Validator::characterName($player_name)) {
+		} else if (!Validator::characterName($player_name)) {
 			$errors[] = $locale['step_admin_player_name_error_format'];
 		}
+	}
 
 	if(!empty($errors)) {
 		$step = 'admin';

install/steps/3-requirements.php

@@ -2,10 +2,15 @@
 defined('MYAAC') or die('Direct access not allowed!');
 
 // configuration
-$dirs_required = [
+$dirs_required_writable = [
 	'system/logs',
 	'system/cache',
 ];
+
+$dirs_required = [
+	'tools/ext' => $locale['step_requirements_folder_not_exists_tools_ext'],
+];
+
 $dirs_optional = [
 	GUILD_IMAGES_DIR => $locale['step_requirements_warning_images_guilds'],
 	GALLERY_DIR => $locale['step_requirements_warning_images_gallery'],
@@ -18,6 +23,7 @@ $extensions_optional = [
 	'gd' => $locale['step_requirements_warning_player_signatures'],
 	'zip' => $locale['step_requirements_warning_install_plugins'],
 ];
+
 /*
  *
  * @param string $name
@@ -41,7 +47,7 @@ $failed = false;
 // start validating
 version_check($locale['step_requirements_php_version'], (PHP_VERSION_ID >= 50500), PHP_VERSION);
 
-foreach ($dirs_required as $value)
+foreach ($dirs_required_writable as $value)
 {
 	$is_writable = is_writable(BASE . $value) && (MYAAC_OS != 'WINDOWS' || win_is_writable(BASE . $value));
 	version_check($locale['step_requirements_write_perms'] . ': ' . $value, $is_writable);
@@ -52,6 +58,12 @@ foreach ($dirs_optional as $dir => $errorMsg) {
 	version_check($locale['step_requirements_write_perms'] . ': ' . $dir, $is_writable, $is_writable ? '' : $errorMsg, true);
 }
 
+foreach ($dirs_required as $dir => $errorMsg)
+{
+	$exists = is_dir(BASE . $dir);
+	version_check($locale['step_requirements_folder_exists'] . ': ' . $dir, $exists, $exists ? '' : $errorMsg);
+}
+
 $ini_register_globals = ini_get_bool('register_globals');
 version_check('register_long_arrays', !$ini_register_globals, $ini_register_globals ? $locale['on'] : $locale['off']);
 
@@ -78,4 +90,3 @@ if($failed) {
 }
 
 echo '</div>';
-?>

install/steps/5-database.php

@@ -41,49 +41,38 @@ if(!$error) {
 	$configToSave['cache_engine'] = 'auto';
 	$configToSave['cache_prefix'] = 'myaac_' . generateRandomString(8, true, false, true);
 
+	if(!$error) {
+		$content = '';
+		$saved = Settings::saveConfig($configToSave, BASE . 'config.local.php', $content);
+		if ($saved) {
+			success($locale['step_database_config_saved']);
+			$_SESSION['saved'] = true;
+
+			require BASE . 'config.local.php';
 			require BASE . 'install/includes/config.php';
 
-	if(!$error) {
+			if (!$error) {
 				require BASE . 'install/includes/database.php';
 
-		$locale['step_database_importing'] = str_replace('$DATABASE_NAME$', config('database_name'), $locale['step_database_importing']);
-		success($locale['step_database_importing']);
-
-		if(isset($database_error)) { // we failed connect to the database
+				if (isset($database_error)) { // we failed connect to the database
 					error($database_error);
 				}
 				else {
-			if(!$db->hasTable('accounts')) {
+					if (!$db->hasTable('accounts')) {
 						$tmp = str_replace('$TABLE$', 'accounts', $locale['step_database_error_table']);
 						error($tmp);
 						$error = true;
 					}
 
-			if(!$db->hasTable('players')) {
-				$tmp = str_replace('$TABLE$', 'players', $locale['step_database_error_table']);
-				error($tmp);
-				$error = true;
-			}
-
-			if(!$db->hasTable('guilds')) {
-				$tmp = str_replace('$TABLE$', 'guilds', $locale['step_database_error_table']);
-				error($tmp);
-				$error = true;
-			}
-
-			if(!$error) {
+					if (!$error) {
 						$twig->display('install.installer.html.twig', array(
 							'url' => 'tools/5-database.php',
 							'message' => $locale['loading_spinner']
 						));
-
-				$content = '';
-				$saved = Settings::saveConfig($configToSave, BASE . 'config.local.php', $content);
-				if($saved) {
-					success($locale['step_database_config_saved']);
-					$_SESSION['saved'] = true;
 					}
-				else {
+				}
+			}
+		} else {
 			$_SESSION['config_content'] = $content;
 			unset($_SESSION['saved']);
 
@@ -92,8 +81,6 @@ if(!$error) {
 				<textarea cols="70" rows="10">' . $content . '</textarea>');
 		}
 	}
-		}
-	}
 }
 ?>
 

install/steps/6-admin.php

@@ -18,6 +18,7 @@ if(!$error) {
 		'locale' => $locale,
 		'session' => $_SESSION,
 		'account' => $account,
+		'hasTablePlayers' => $db->hasTable('players'),
 		'errors' => isset($errors) ? $errors : null,
 		'buttons' => next_buttons(true, $error ? false : true)
 	));

install/steps/7-finish.php

@@ -1,5 +1,7 @@
 <?php
 
+use MyAAC\Cache\Cache;
+use MyAAC\Models\News;
 use MyAAC\Settings;
 
 defined('MYAAC') or die('Direct access not allowed!');
@@ -7,29 +9,40 @@ defined('MYAAC') or die('Direct access not allowed!');
 ini_set('max_execution_time', 300);
 if(isset($config['installed']) && $config['installed'] && !isset($_SESSION['saved'])) {
 	warning($locale['already_installed']);
+	return;
 }
-else {
-	require SYSTEM . 'init.php';
-	if(!$error) {
-		if(USE_ACCOUNT_NAME || USE_ACCOUNT_NUMBER)
-			$account = isset($_SESSION['var_account']) ? $_SESSION['var_account'] : null;
-		else
-			$account_id = isset($_SESSION['var_account_id']) ? $_SESSION['var_account_id'] : null;
 
-		$password = $_SESSION['var_password'];
+$cache = Cache::getInstance();
+if ($cache->enabled()) {
+	// clear plugin_hooks to have fresh hooks
+	$cache->delete('plugins_hooks');
+}
 
-		if(USE_ACCOUNT_SALT)
-		{
+require SYSTEM . 'init.php';
+if($error) {
+	return;
+}
+
+if(USE_ACCOUNT_NAME || USE_ACCOUNT_NUMBER)
+	$account = $_SESSION['var_account'] ?? null;
+else
+	$account_id = $_SESSION['var_account_id'] ?? null;
+
+$password = $_SESSION['var_password'];
+
+if(USE_ACCOUNT_SALT)
+{
 	$salt = generateRandomString(10, false, true, true);
 	$password = $salt . $password;
-		}
+}
 
-		$account_db = new OTS_Account();
-		if(isset($account))
+$account_db = new OTS_Account();
+if(isset($account))
 	$account_db->find($account);
-		else
+else
 	$account_db->load($account_id);
 
+if ($db->hasTable('players')) {
 	$player_name = $_SESSION['var_player_name'];
 	$player_db = new OTS_Player();
 	$player_db->find($player_name);
@@ -47,16 +60,17 @@ else {
 
 	$groups = new OTS_Groups_List();
 	$player_used->setGroupId($groups->getHighestId());
+}
 
-		$email = $_SESSION['var_email'];
-		if($account_db->isLoaded()) {
+$email = $_SESSION['var_email'];
+if($account_db->isLoaded()) {
 	$account_db->setPassword(encrypt($password));
 	$account_db->setEMail($email);
 	$account_db->save();
 
 	$account_used = &$account_db;
-		}
-		else {
+}
+else {
 	$new_account = new OTS_Account();
 	if(USE_ACCOUNT_NAME) {
 		$new_account->create($account);
@@ -74,53 +88,74 @@ else {
 	$new_account->logAction('Account created.');
 
 	$account_used = &$new_account;
-		}
+}
 
-		if(USE_ACCOUNT_SALT)
+if(USE_ACCOUNT_SALT)
 	$account_used->setCustomField('salt', $salt);
 
-		$account_used->setCustomField('web_flags', FLAG_ADMIN + FLAG_SUPER_ADMIN);
-		$account_used->setCustomField('country', 'us');
-		if($db->hasColumn('accounts', 'group_id'))
+$account_used->setCustomField('web_flags', FLAG_ADMIN + FLAG_SUPER_ADMIN);
+$account_used->setCustomField('country', 'us');
+$account_used->setCustomField('email_verified', 1);
+
+if($db->hasColumn('accounts', 'group_id'))
 	$account_used->setCustomField('group_id', $groups->getHighestId());
-		if($db->hasColumn('accounts', 'type'))
+if($db->hasColumn('accounts', 'type'))
 	$account_used->setCustomField('type', 6);
 
-		if(!$player_db->isLoaded())
+if ($db->hasTable('players')) {
+	if(!$player_db->isLoaded()) {
 		$player->setAccountId($account_used->getId());
-		else
-			$player_db->setAccountId($account_used->getId());
-
-		success($locale['step_database_created_account']);
-
-		setSession('account', $account_used->getId());
-		setSession('password', encrypt($password));
-		setSession('remember_me', true);
-
-		if($player_db->isLoaded()) {
-			$player_db->save();
-		}
-		else {
 		$player->save();
 	}
+	else {
+		$player_db->setAccountId($account_used->getId());
+		$player_db->save();
+	}
+}
 
+success($locale['step_database_created_account']);
+
+setSession('account', $account_used->getId());
+setSession('password', encrypt($password));
+setSession('remember_me', true);
+
+if(!News::all()->count()) {
 	$player_id = 0;
-		$query = $db->query("SELECT `id` FROM `players` WHERE `name` = " . $db->quote($player_name) . ";");
-		if($query->rowCount() == 1) {
-			$query = $query->fetch();
-			$player_id = $query['id'];
+
+	if ($db->hasTable('players')) {
+		$tmpNewsPlayer = \MyAAC\Models\Player::where('name', $player_name)->first();
+		if($tmpNewsPlayer) {
+			$player_id = $tmpNewsPlayer->id;
+		}
 	}
 
-		$query = $db->query("SELECT `id` FROM `" . TABLE_PREFIX ."news` WHERE `title` LIKE 'Hello!';");
-		if($query->rowCount() == 0) {
-			if(query("INSERT INTO `" . TABLE_PREFIX ."news` (`id`, `type`, `date`, `category`, `title`, `body`, `player_id`, `comments`, `hide`) VALUES (NULL, '1', UNIX_TIMESTAMP(), '2', 'Hello!', 'MyAAC is just READY to use!', " . $player_id . ", 'https://my-aac.org', '0');
-	INSERT INTO `myaac_news` (`id`, `type`, `date`, `category`, `title`, `body`, `player_id`, `comments`, `hide`) VALUES (NULL, '2', UNIX_TIMESTAMP(), '4', 'Hello tickets!', 'https://my-aac.org', " . $player_id . ", '', '0');")) {
+	News::create([
+		'type' => 1,
+		'date' => time(),
+		'category' => 2,
+		'title' => 'Hello!',
+		'body' => 'MyAAC is just READY to use!',
+		'player_id' => $player_id,
+		'comments' => 'https://my-aac.org',
+		'hide' => 0,
+	]);
+
+	News::create([
+		'type' => 2,
+		'date' => time(),
+		'category' => 4,
+		'title' => 'Hello tickers!',
+		'body' => 'https://my-aac.org',
+		'player_id' => $player_id,
+		'comments' => '',
+		'hide' => 0,
+	]);
+
 	success($locale['step_database_created_news']);
-			}
-		}
+}
 
-		$settings = Settings::getInstance();
-		foreach($_SESSION as $key => $value) {
+$settings = Settings::getInstance();
+foreach($_SESSION as $key => $value) {
 	if (in_array($key, ['var_usage', 'var_date_timezone', 'var_client'])) {
 		if ($key == 'var_usage') {
 			$key = 'anonymous_usage_statistics';
@@ -133,15 +168,15 @@ else {
 
 		$settings->updateInDatabase('core', $key, $value);
 	}
-		}
-		success('Settings saved.');
+}
+success('Settings saved.');
 
-		$twig->display('install.installer.html.twig', array(
+$twig->display('install.installer.html.twig', array(
 	'url' => 'tools/7-finish.php',
 	'message' => $locale['importing_spinner']
-		));
+));
 
-		if(!isset($_SESSION['installed'])) {
+if(!isset($_SESSION['installed'])) {
 	if (!array_key_exists('CI', getenv())) {
 		$report_url = 'https://my-aac.org/report_install.php?v=' . MYAAC_VERSION . '&b=' . urlencode(BASE_URL);
 		if (function_exists('curl_version'))
@@ -158,15 +193,15 @@ else {
 	}
 
 	$_SESSION['installed'] = true;
-		}
+}
 
-		foreach($_SESSION as $key => $value) {
+foreach($_SESSION as $key => $value) {
 	if(strpos($key, 'var_') !== false)
 		unset($_SESSION[$key]);
-		}
-		unset($_SESSION['saved']);
-		if(file_exists(CACHE . 'install.txt')) {
-			unlink(CACHE . 'install.txt');
-		}
-	}
 }
+unset($_SESSION['saved']);
+if(file_exists(CACHE . 'install.txt')) {
+	unlink(CACHE . 'install.txt');
+}
+
+$hooks->trigger(HOOK_INSTALL_FINISH_END);

install/tools/5-database.php

@@ -32,6 +32,9 @@ if($db->hasTable(TABLE_PREFIX . 'account_actions')) {
 else {
 	// import schema
 	try {
+		$locale['step_database_importing'] = str_replace('$DATABASE_NAME$', config('database_name'), $locale['step_database_importing']);
+		success($locale['step_database_importing']);
+
 		$db->query(file_get_contents(BASE . 'install/includes/schema.sql'));
 
 		$locale['step_database_success_schema'] = str_replace('$PREFIX$', TABLE_PREFIX, $locale['step_database_success_schema']);
@@ -138,75 +141,76 @@ if(!$db->hasColumn('accounts', 'premium_points')) {
 		success($locale['step_database_adding_field'] . ' accounts.premium_points...');
 }
 
-if($db->hasColumn('guilds', 'checkdata')) {
-	if(query("ALTER TABLE `guilds` MODIFY `checkdata` INT NOT NULL DEFAULT 0;"))
+if ($db->hasTable('guilds')) {
+	if ($db->hasColumn('guilds', 'checkdata')) {
+		if (query("ALTER TABLE `guilds` MODIFY `checkdata` INT NOT NULL DEFAULT 0;"))
 			success($locale['step_database_modifying_field'] . ' guilds.checkdata...');
-}
+	}
 
-if(!$db->hasColumn('guilds', 'motd')) {
-	if(query("ALTER TABLE `guilds` ADD `motd` VARCHAR(255) NOT NULL DEFAULT '';"))
+	if (!$db->hasColumn('guilds', 'motd')) {
+		if (query("ALTER TABLE `guilds` ADD `motd` VARCHAR(255) NOT NULL DEFAULT '';"))
 			success($locale['step_database_adding_field'] . ' guilds.motd...');
-}
-else {
-	if(query("ALTER TABLE `guilds` MODIFY `motd` VARCHAR(255) NOT NULL DEFAULT '';"))
+	} else {
+		if (query("ALTER TABLE `guilds` MODIFY `motd` VARCHAR(255) NOT NULL DEFAULT '';"))
 			success($locale['step_database_modifying_field'] . ' guilds.motd...');
-}
+	}
 
-if(!$db->hasColumn('guilds', 'description')) {
-	if(query("ALTER TABLE `guilds` ADD `description` TEXT NOT NULL;"))
+	if (!$db->hasColumn('guilds', 'description')) {
+		if (query("ALTER TABLE `guilds` ADD `description` TEXT NOT NULL;"))
 			success($locale['step_database_adding_field'] . ' guilds.description...');
-}
+	}
 
-if($db->hasColumn('guilds', 'logo_gfx_name')) {
-	if(query("ALTER TABLE `guilds` CHANGE `logo_gfx_name` `logo_name` VARCHAR( 255 ) NOT NULL DEFAULT 'default.gif';")) {
+	if ($db->hasColumn('guilds', 'logo_gfx_name')) {
+		if (query("ALTER TABLE `guilds` CHANGE `logo_gfx_name` `logo_name` VARCHAR( 255 ) NOT NULL DEFAULT 'default.gif';")) {
 			$tmp = str_replace('$FIELD$', 'guilds.logo_gfx_name', $locale['step_database_changing_field']);
 			$tmp = str_replace('$FIELD_NEW$', 'guilds.logo_name', $tmp);
 			success($tmp);
 		}
-}
-else if(!$db->hasColumn('guilds', 'logo_name')) {
-	if(query("ALTER TABLE `guilds` ADD `logo_name` VARCHAR( 255 ) NOT NULL DEFAULT 'default.gif';"))
+	} else if (!$db->hasColumn('guilds', 'logo_name')) {
+		if (query("ALTER TABLE `guilds` ADD `logo_name` VARCHAR( 255 ) NOT NULL DEFAULT 'default.gif';"))
 			success($locale['step_database_adding_field'] . ' guilds.logo_name...');
+	}
 }
 
-if(!$db->hasColumn('players', 'created')) {
-	if(query("ALTER TABLE `players` ADD `created` INT(11) NOT NULL DEFAULT 0;"))
+if ($db->hasTable('players')) {
+	if (!$db->hasColumn('players', 'created')) {
+		if (query("ALTER TABLE `players` ADD `created` INT(11) NOT NULL DEFAULT 0;"))
 			success($locale['step_database_adding_field'] . ' players.created...');
-}
+	}
 
-if(!$db->hasColumn('players', 'deleted') && !$db->hasColumn('players', 'deletion')) {
-	if(query("ALTER TABLE `players` ADD `deleted` TINYINT(1) NOT NULL DEFAULT 0;"))
+	if (!$db->hasColumn('players', 'deleted') && !$db->hasColumn('players', 'deletion')) {
+		if (query("ALTER TABLE `players` ADD `deleted` TINYINT(1) NOT NULL DEFAULT 0;"))
 			success($locale['step_database_adding_field'] . ' players.deleted...');
-}
+	}
 
-if($db->hasColumn('players', 'hide_char')) {
-	if(!$db->hasColumn('players', 'hide')) {
-		if(query("ALTER TABLE `players` CHANGE `hide_char` `hide` TINYINT(1) NOT NULL DEFAULT 0;")) {
+	if ($db->hasColumn('players', 'hide_char')) {
+		if (!$db->hasColumn('players', 'hide')) {
+			if (query("ALTER TABLE `players` CHANGE `hide_char` `hide` TINYINT(1) NOT NULL DEFAULT 0;")) {
 				$tmp = str_replace('$FIELD$', 'players.hide_char', $locale['step_database_changing_field']);
 				$tmp = str_replace('$FIELD_NEW$', 'players.hide', $tmp);
 				success($tmp);
 			}
 		}
-}
-else if(!$db->hasColumn('players', 'hide')) {
-	if(query("ALTER TABLE `players` ADD `hide` TINYINT(1) NOT NULL DEFAULT 0;"))
+	} else if (!$db->hasColumn('players', 'hide')) {
+		if (query("ALTER TABLE `players` ADD `hide` TINYINT(1) NOT NULL DEFAULT 0;"))
 			success($locale['step_database_adding_field'] . ' players.hide...');
-}
+	}
 
-if(!$db->hasColumn('players', 'comment')) {
-	if(query("ALTER TABLE `players` ADD `comment` TEXT NOT NULL;"))
+	if (!$db->hasColumn('players', 'comment')) {
+		if (query("ALTER TABLE `players` ADD `comment` TEXT NOT NULL;"))
 			success($locale['step_database_adding_field'] . ' players.comment...');
-}
+	}
 
-if($db->hasColumn('players', 'rank_id')) {
-	if(query("ALTER TABLE players MODIFY `rank_id` INT(11) NOT NULL DEFAULT 0;"))
+	if ($db->hasColumn('players', 'rank_id')) {
+		if (query("ALTER TABLE players MODIFY `rank_id` INT(11) NOT NULL DEFAULT 0;"))
 			success($locale['step_database_modifying_field'] . ' players.rank_id...');
 
-	if($db->hasColumn('players', 'guildnick')) {
-		if(query("ALTER TABLE players MODIFY `guildnick` VARCHAR(255) NOT NULL DEFAULT '';")) {
+		if ($db->hasColumn('players', 'guildnick')) {
+			if (query("ALTER TABLE players MODIFY `guildnick` VARCHAR(255) NOT NULL DEFAULT '';")) {
 				success($locale['step_database_modifying_field'] . ' players.guildnick...');
 			}
 		}
+	}
 }
 
 if($db->hasTable('z_forum')) {

install/tools/7-finish.php

@@ -25,30 +25,33 @@ if(isset($config['installed']) && $config['installed'] && !isset($_SESSION['save
 
 require SYSTEM . 'init.php';
 
-$deleted = 'deleted';
-if($db->hasColumn('players', 'deletion'))
+if ($db->hasTable('players')) {
+	$deleted = 'deleted';
+	if ($db->hasColumn('players', 'deletion'))
 		$deleted = 'deletion';
 
-$time = time();
-function insert_sample_if_not_exist($p) {
+	$time = time();
+	function insert_sample_if_not_exist($p)
+	{
 		global $db, $success, $deleted, $time;
 
 		$query = $db->query('SELECT `id` FROM `players` WHERE `name` = ' . $db->quote($p['name']));
-	if($query->rowCount() == 0) {
-		if(!query("INSERT INTO `players` (`id`, `name`, `group_id`, `account_id`, `level`, `vocation`, `health`, `healthmax`, `experience`, `lookbody`, `lookfeet`, `lookhead`, `looklegs`, `looktype`, `maglevel`, `mana`, `manamax`, `manaspent`, `soul`, `town_id`, `posx`, `posy`, `posz`, `conditions`, `cap`, `sex`, `lastlogin`, `lastip`, `save`, `lastlogout`, `balance`, `$deleted`, `created`, `hide`, `comment`) VALUES (null, " . $db->quote($p['name']) . ", 1, " . getSession('account') . ", " . $p['level'] . ", " . $p['vocation_id'] . ", " . $p['health'] . ", " . $p['healthmax'] . ", " . $p['experience'] . ", 118, 114, 38, 57, " . $p['looktype'] . ", 0, " . $p['mana'] . ", " . $p['manamax'] . ", 0, " . $p['soul'] . ", 1, 1000, 1000, 7, '', " . $p['cap'] . ", 1, " . $time . ", 2130706433, 1, " . $time . ", 0, 0, " . $time . ", 1, '');"))
+		if ($query->rowCount() == 0) {
+			if (!query("INSERT INTO `players` (`id`, `name`, `group_id`, `account_id`, `level`, `vocation`, `health`, `healthmax`, `experience`, `lookbody`, `lookfeet`, `lookhead`, `looklegs`, `looktype`, `maglevel`, `mana`, `manamax`, `manaspent`, `soul`, `town_id`, `posx`, `posy`, `posz`, `conditions`, `cap`, `sex`, `lastlogin`, `lastip`, `save`, `lastlogout`, `balance`, `$deleted`, `created`, `hide`, `comment`) VALUES (null, " . $db->quote($p['name']) . ", 1, " . getSession('account') . ", " . $p['level'] . ", " . $p['vocation_id'] . ", " . $p['health'] . ", " . $p['healthmax'] . ", " . $p['experience'] . ", 118, 114, 38, 57, " . $p['looktype'] . ", 0, " . $p['mana'] . ", " . $p['manamax'] . ", 0, " . $p['soul'] . ", 1, 1000, 1000, 7, '', " . $p['cap'] . ", 1, " . $time . ", 2130706433, 1, " . $time . ", 0, 0, " . $time . ", 1, '');"))
 				$success = false;
 		}
-}
+	}
 
-$success = true;
-insert_sample_if_not_exist(array('name' => 'Rook Sample', 'level' => 1, 'vocation_id' => 0, 'health' => 150, 'healthmax' => 150, 'experience' => 0, 'looktype' => 130, 'mana' => 0, 'manamax' => 0, 'soul' => 100, 'cap' => 400));
-insert_sample_if_not_exist(array('name' => 'Sorcerer Sample', 'level' => 8, 'vocation_id' => 1, 'health' => 185, 'healthmax' => 185, 'experience' => 4200, 'looktype' => 130, 'mana' => 90, 'manamax' => 90, 'soul' => 100, 'cap' => 470));
-insert_sample_if_not_exist(array('name' => 'Druid Sample', 'level' => 8, 'vocation_id' => 2, 'health' => 185, 'healthmax' => 185, 'experience' => 4200, 'looktype' => 130, 'mana' => 90, 'manamax' => 90, 'soul' => 100, 'cap' => 470));
-insert_sample_if_not_exist(array('name' => 'Paladin Sample', 'level' => 8, 'vocation_id' => 3, 'health' => 185, 'healthmax' => 185, 'experience' => 4200, 'looktype' => 129, 'mana' => 90, 'manamax' => 90, 'soul' => 100, 'cap' => 470));
-insert_sample_if_not_exist(array('name' => 'Knight Sample', 'level' => 8, 'vocation_id' => 4, 'health' => 185, 'healthmax' => 185, 'experience' => 4200, 'looktype' => 131, 'mana' => 90, 'manamax' => 90, 'soul' => 100, 'cap' => 470));
+	$success = true;
+	insert_sample_if_not_exist(array('name' => 'Rook Sample', 'level' => 1, 'vocation_id' => 0, 'health' => 150, 'healthmax' => 150, 'experience' => 0, 'looktype' => 130, 'mana' => 0, 'manamax' => 0, 'soul' => 100, 'cap' => 400));
+	insert_sample_if_not_exist(array('name' => 'Sorcerer Sample', 'level' => 8, 'vocation_id' => 1, 'health' => 185, 'healthmax' => 185, 'experience' => 4200, 'looktype' => 130, 'mana' => 90, 'manamax' => 90, 'soul' => 100, 'cap' => 470));
+	insert_sample_if_not_exist(array('name' => 'Druid Sample', 'level' => 8, 'vocation_id' => 2, 'health' => 185, 'healthmax' => 185, 'experience' => 4200, 'looktype' => 130, 'mana' => 90, 'manamax' => 90, 'soul' => 100, 'cap' => 470));
+	insert_sample_if_not_exist(array('name' => 'Paladin Sample', 'level' => 8, 'vocation_id' => 3, 'health' => 185, 'healthmax' => 185, 'experience' => 4200, 'looktype' => 129, 'mana' => 90, 'manamax' => 90, 'soul' => 100, 'cap' => 470));
+	insert_sample_if_not_exist(array('name' => 'Knight Sample', 'level' => 8, 'vocation_id' => 4, 'health' => 185, 'healthmax' => 185, 'experience' => 4200, 'looktype' => 131, 'mana' => 90, 'manamax' => 90, 'soul' => 100, 'cap' => 470));
 
-if($success) {
+	if ($success) {
 		success($locale['step_database_imported_players']);
+	}
 }
 
 Plugins::installMenus('kathrine', require TEMPLATES . 'kathrine/menus.php');
@@ -77,6 +80,8 @@ if(ModelsFAQ::count() == 0) {
 	]);
 }
 
+$hooks->trigger(HOOK_INSTALL_FINISH);
+
 $db->setClearCacheAfter(true);
 
 $locale['step_finish_desc'] = str_replace('$ADMIN_PANEL$', generateLink(str_replace('tools/', '',ADMIN_URL), $locale['step_finish_admin_panel'], true), $locale['step_finish_desc']);

login.php

@@ -4,6 +4,7 @@ use MyAAC\Models\BoostedCreature;
 use MyAAC\Models\PlayerOnline;
 use MyAAC\Models\Account;
 use MyAAC\Models\Player;
+use MyAAC\RateLimit;
 
 require_once 'common.php';
 require_once SYSTEM . 'functions.php';
@@ -130,12 +131,29 @@ switch ($action) {
 		}
 
 		$account = $account->first();
+
+		$ip = get_browser_real_ip();
+		$limiter = new RateLimit('failed_logins', setting('core.account_login_attempts_limit'), setting('core.account_login_ban_time'));
+		$limiter->enabled = setting('core.account_login_ipban_protection');
+		$limiter->load();
+
+		$ban_msg = 'A wrong account, password or secret has been entered ' . setting('core.account_login_attempts_limit') . ' times in a row. You are unable to log into your account for the next ' . setting('core.account_login_ban_time') . ' minutes. Please wait.';
 		if (!$account) {
+			$limiter->increment($ip);
+			if ($limiter->exceeded($ip)) {
+				sendError($ban_msg);
+			}
+			
 			sendError(($inputEmail != false ? 'Email' : 'Account name') . ' or password is not correct.');
 		}
 
 		$current_password = encrypt((USE_ACCOUNT_SALT ? $account->salt : '') . $request->password);
 		if (!$account || $account->password != $current_password) {
+			$limiter->increment($ip);
+			if ($limiter->exceeded($ip)) {
+				sendError($ban_msg);
+			}
+
 			sendError(($inputEmail != false ? 'Email' : 'Account name') . ' or password is not correct.');
 		}
 
@@ -145,16 +163,30 @@ switch ($action) {
 			if ($accountSecret != null && $accountSecret != '') {
 				$accountHasSecret = true;
 				if ($inputToken === false) {
+					$limiter->increment($ip);
+					if ($limiter->exceeded($ip)) {
+						sendError($ban_msg);
+					}
 					sendError('Submit a valid two-factor authentication token.', 6);
 				} else {
 					require_once LIBS . 'rfc6238.php';
 					if (TokenAuth6238::verify($accountSecret, $inputToken) !== true) {
+						$limiter->increment($ip);
+						if ($limiter->exceeded($ip)) {
+							sendError($ban_msg);
+						}
+
 						sendError('Two-factor authentication failed, token is wrong.', 6);
 					}
 				}
 			}
 		}
 
+		$limiter->reset($ip);
+		if (setting('core.account_mail_verify') && $account->email_verified !== 1) {
+			sendError('You need to verify your account, enter in our site and resend verify e-mail!');
+		}
+
 		// common columns
 		$columns = 'id, name, level, sex, vocation, looktype, lookhead, lookbody, looklegs, lookfeet, lookaddons';
 

nginx-sample.conf

@@ -10,17 +10,20 @@ server {
 	# this is very important, be sure its in your nginx conf - it prevents access to logs etc.
 	location ~ /system {
 		deny all;
-		return 404;
 	}
 
-	# block .htaccess
-	location ~ /\.ht {
+	location /vendor {
+		deny all;
+	}
+
+	# block .htaccess, CHANGELOG.md, composer.json etc.
+	# this is to prevent finding software versions
+	location ~\.(ht|md|json|dist)$ {
 		deny all;
 	}
 
 	# block git files and folders
 	location ~ /\.git {
-		return 404;
 		deny all;
 	}
 

phpstan.neon

@@ -28,7 +28,8 @@ parameters:
 		- '#Variable \$guild might not be defined#'
 		- '#Variable \$[a-zA-Z0-9\\_]+ might not be defined#'
 		# Eloquent models
-		- '#Call to an undefined static method [a-zA-Z0-9\\_]+::[a-zA-Z0-9\\_]+()#'
+		- '#Call to an undefined static method [a-zA-Z0-9\\_]+::[a-zA-Z0-9\\_]+\(\)#'
+		- '#Call to an undefined method object::toArray\(\)#'
 		# system/pages/highscores.php
 		- '#Call to an undefined method Illuminate\\Database\\Query\\Builder::withOnlineStatus\(\)#'
 		- '#Access to an undefined property Illuminate\\Database\\Eloquent\\Model::\$online_status#'

plugins/email-confirmed-reward/reward.php

@@ -1,8 +1,6 @@
 <?php
 defined('MYAAC') or die('Direct access not allowed!');
 
-$reward = setting('core.account_mail_confirmed_reward');
-
 $hasCoinsColumn = $db->hasColumn('accounts', 'coins');
 $rewardCoins = setting('core.account_mail_confirmed_reward_coins');
 if ($rewardCoins > 0 && !$hasCoinsColumn) {

plugins/example.json

@@ -25,7 +25,8 @@
 	"hooks": {
 		"Example Hook": {
 			"type": "BEFORE_PAGE",
-			"file": "plugins/example/before.php"
+			"file": "plugins/example/before.php",
+			"priority": 1000
 		}
 	},
 	"routes": {
@@ -33,12 +34,20 @@
 			"pattern": "/YourAwesomePage/{name:string}/{page:int}",
 			"file": "plugins/your-plugin/your-awesome-page.php",
 			"method": "GET",
-			"priority": "130"
+			"priority": 130
 		},
 		"Redirect Example": {
 			"redirect_from": "/redirectExample",
 			"redirect_to": "account/manage"
 		}
 	},
-	"settings": "plugins/your-plugin-folder/settings.php"
+	"routes-default-priority": 1000,
+	"pages-default-priority": 1000,
+	"settings": "plugins/your-plugin-folder/settings.php",
+	"autoload": {
+		"pages": true,
+		"pagesSubFolders": false,
+		"commands": true,
+		"themes": true
+	}
  }

release.sh

@@ -38,7 +38,11 @@ if [ $1 = "prepare" ]; then
 	cd $dir || exit
 
 	# dependencies
-	composer install --prefer-dist --optimize-autoloader
+	composer install --no-dev --prefer-dist --optimize-autoloader
+	npm install
+
+	# node_modules is useless, we already have copy in tools/ext
+	rm -R node_modules
 
 	echo "Now you can make changes to $dir. When you are ready, type 'release.sh pack'"
 	exit

system/clients.conf.php

@@ -105,4 +105,8 @@ $config['clients'] = [
 	1316,
 	1320,
 	1321,
+	1322,
+	1330,
+	1332,
+	1340,
 ];

system/database.php

@@ -127,6 +127,7 @@ try {
 	}
 
 	if(defined('MYAAC_INSTALL')) {
+		$error = $e->getMessage();
 		return; // installer will take care of this
 	}
 

system/functions.php

@@ -87,18 +87,29 @@ function getForumBoardLink($board_id, $page = NULL): string {
 	return BASE_URL . (setting('core.friendly_urls') ? '' : 'index.php/') . 'forum/board/' . (int)$board_id . (isset($page) ? '/' . $page : '');
 }
 
-function getPlayerLink($name, $generate = true): string
+function getPlayerLink($name, $generate = true, bool $colored = false): string
 {
-	if(is_numeric($name))
-	{
 	$player = new OTS_Player();
+
+	if(is_numeric($name)) {
 		$player->load((int)$name);
-		if($player->isLoaded())
-			$name = $player->getName();
+	}
+	else {
+		$player->find($name);
 	}
 
+	if (!$player->isLoaded()) {
+		return '(error)';
+	}
+
+	$name = $player->getName();
+
 	$url = BASE_URL . (setting('core.friendly_urls') ? '' : 'index.php/') . 'characters/' . urlencode($name);
 
+	if ($colored) {
+		$name = '<span style="color: ' . ($player->isOnline() ? 'green' : 'red') . ';">' . $name . '</span>';
+	}
+
 	if(!$generate) return $url;
 	return generateLink($url, $name);
 }
@@ -1030,7 +1041,7 @@ function load_config_lua($filename)
 	return $result;
 }
 
-function str_replace_first($search, $replace, $subject) {
+function str_replace_first($search,$replace, $subject) {
 	$pos = strpos($subject, $search);
 	if ($pos !== false) {
 		return substr_replace($subject, $replace, $pos, strlen($search));
@@ -1623,7 +1634,7 @@ function removeIfFirstSlash(&$text) {
 };
 
 function escapeHtml($html) {
-	return htmlentities($html, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
+	return htmlspecialchars($html);
 }
 
 function getGuildNameById($id)

system/init.php

@@ -134,10 +134,6 @@ $ots = POT::getInstance();
 $eloquentConnection = null;
 require_once SYSTEM . 'database.php';
 
-if ($config_lua_reload) {
-	clearCache();
-}
-
 // verify myaac tables exists in database
 if(!defined('MYAAC_INSTALL') && !$db->hasTable('myaac_account_actions')) {
 	throw new RuntimeException('Seems that the table myaac_account_actions of MyAAC doesn\'t exist in the database. This is a fatal error. You can try to reinstall MyAAC by visiting ' . BASE_URL . 'install');
@@ -163,8 +159,8 @@ date_default_timezone_set(setting('core.date_timezone'));
 
 setting(
 	[
-		'core.account_create_character_create',
-		setting('core.account_create_character_create') && (!setting('core.mail_enabled') || !setting('core.account_mail_verify'))
+		'core.account_mail_verify',
+		setting('core.account_mail_verify') && setting('core.mail_enabled')
 	]
 );
 

system/libs/pot/OTS_Base_DAO.php

@@ -83,38 +83,4 @@ abstract class OTS_Base_DAO implements IOTS_DAO
     {
         unset($this->data['id']);
     }
-
-/**
- * Magic PHP5 method.
- * 
- * <p>
- * Allows object importing from {@link http://www.php.net/manual/en/function.var-export.php var_export()}.
- * </p>
- * 
- * @version 0.1.0
- * @param array $properties List of object properties.
- */
-    public static function __set_state($properties)
-    {
-        // deletes database handle
-        if( isset($properties['db']) )
-        {
-            unset($properties['db']);
-        }
-
-        // initializes new object with current database connection
-        $object = new self();
-
-        // loads properties
-        foreach($properties as $name => $value)
-        {
-            $object->$name = $value;
-        }
-
-        return $object;
-    }
 }
-
-/**#@-*/
-
-?>

system/libs/pot/OTS_Base_DB.php

@@ -184,8 +184,14 @@ abstract class OTS_Base_DB extends PDO implements IOTS_DB
 		$query = 'UPDATE '.$this->tableName($table).' SET ';
 
 		$count = count($fields);
-		for ($i = 0; $i < $count; $i++)
-			$query.= $this->fieldName($fields[$i]).' = '.$this->quote($values[$i]).', ';
+		for ($i = 0; $i < $count; $i++) {
+			$value = 'NULL';
+			if ($values[$i] !== null) {
+				$value = $this->quote($values[$i]);
+			}
+
+			$query.= $this->fieldName($fields[$i]).' = '.$value.', ';
+		}
 
 		$query = substr($query, 0, -2);
 		$query.=' WHERE (';

system/libs/pot/OTS_Buffer.php

@@ -196,6 +196,16 @@ class OTS_Buffer
 		return $value[1];
 	}
 
+	public function getLongLong()
+	{
+		// checks buffer size
+		$this->check(8);
+
+		$value = unpack('P', substr($this->buffer, $this->pos, 8) );
+		$this->pos += 8;
+		return $value[1];
+	}
+
 /**
  * Appends quater byte to buffer.
  *

system/libs/pot/OTS_House.php

@@ -60,12 +60,7 @@ class OTS_House extends OTS_Row_DAO
     private $tiles = array();
 
 	public function load($id) {
-		$this->data = $this->db->query('SELECT * FROM `houses` WHERE `id` = ' . $id )->fetch();
-		foreach($this->data as $key => $value) {
-			if(is_numeric($key)) {
-				unset($this->data[$key]);
-			}
-		}
+		$this->data = $this->db->query('SELECT * FROM `houses` WHERE `id` = ' . $id )->fetch(PDO::FETCH_ASSOC);
 	}
 
     public function find($name)

system/libs/pot/OTS_Monster.php

@@ -135,13 +135,14 @@ class OTS_Monster extends DOMDocument
 	{
 		$flags = array();
 
-        // read all flags
+		if ($this->documentElement->getElementsByTagName('flags')->item(0)) {
 			foreach( $this->documentElement->getElementsByTagName('flags')->item(0)->getElementsByTagName('flag') as $flag)
 			{
 				$flag = $flag->attributes->item(0);
 
 				$flags[$flag->nodeName] = (int) $flag->nodeValue;
 			}
+		}
 
 		return $flags;
 	}

system/libs/pot/OTS_Player.php

@@ -90,7 +90,7 @@ class OTS_Player extends OTS_Row_DAO
  * @version 0.1.2
  * @var array
  */
-    private $data = array('sex' => 0, 'vocation' => 0, 'experience' => 0, 'level' => 1, 'maglevel' => 0, 'health' => 100, 'healthmax' => 100, 'mana' => 100, 'manamax' => 100, 'manaspent' => 0, 'soul' => 0, 'lookbody' => 10, 'lookfeet' => 10, 'lookhead' => 10, 'looklegs' => 10, 'looktype' => 136, 'lookaddons' => 0, 'posx' => 0, 'posy' => 0, 'posz' => 0, 'cap' => 0, 'lastlogin' => 0, 'lastip' => 0, 'save' => true, 'skulltime' => 0, 'skull' => 0, 'balance' => 0, 'lastlogout' => 0, 'blessings' => 0, 'stamina' => 0, 'online' => 0, 'comment' => '', 'created' => 0, 'hide' => 0);
+    private $data = array('group_id' => 1, 'sex' => 0, 'vocation' => 0, 'experience' => 0, 'level' => 1, 'maglevel' => 0, 'health' => 100, 'healthmax' => 100, 'mana' => 100, 'manamax' => 100, 'manaspent' => 0, 'soul' => 0, 'lookbody' => 10, 'lookfeet' => 10, 'lookhead' => 10, 'looklegs' => 10, 'looktype' => 136, 'lookaddons' => 0, 'posx' => 0, 'posy' => 0, 'posz' => 0, 'cap' => 0, 'lastlogin' => 0, 'lastip' => 0, 'save' => true, 'skulltime' => 0, 'skull' => 0, 'balance' => 0, 'lastlogout' => 0, 'blessings' => 0, 'stamina' => 0, 'online' => 0, 'comment' => '', 'created' => 0, 'hide' => 0);
 
 /**
  * Player skills.
@@ -1229,6 +1229,13 @@ class OTS_Player extends OTS_Row_DAO
         $this->data['direction'] = (int) $direction;
     }
 
+	public function getOutfit(): string
+	{
+		$hasLookAddons = $this->db->hasColumn('players', 'lookaddons');
+
+		return setting('core.outfit_images_url') . '?id=' . $this->getLookType() . ($hasLookAddons ? '&addons=' . $this->getLookAddons() : '') . '&head=' . $this->getLookHead() . '&body=' . $this->getLookBody() . '&legs=' . $this->getLookLegs() . '&feet=' . $this->getLookFeet();
+	}
+
 /**
  * Body color.
  *

system/locale/de/install.php

@@ -36,6 +36,10 @@ $locale['step_requirements'] = 'Anforderungen';
 $locale['step_requirements_title'] = 'Anforderungen überprüfen';
 $locale['step_requirements_php_version'] = 'PHP Version';
 $locale['step_requirements_write_perms'] = 'Schreibberechtigungen';
+$locale['step_requirements_folder_exists'] = 'Ordner ist vorhanden';
+$locale['step_requirements_folder_not_exists_tools_ext'] = 'NPM Package Manager wird verwendet für externe JavaScript/CSS Bibliotheken.'
+	. ' Es sollte via Command Line installiert werden: <a href="https://docs.npmjs.com/downloading-and-installing-node-js-and-npm">https://docs.npmjs.com/downloading-and-installing-node-js-and-npm</a>'
+	. ' Nachdem das Tool installiert wurde, folgende Befehl sollte ausgeführt in dem Hauptordner des MyAACs: "npm install".';
 $locale['step_requirements_failed'] = 'Die Installation wird deaktiviert, bis diese Anforderungen erfüllt sind.</b><br/>Für weitere Informationen siehe <b>README</b> Datei.';
 $locale['step_requirements_extension'] = '$EXTENSION$ PHP Erweiterung';
 

system/locale/en/install.php

@@ -36,6 +36,10 @@ $locale['step_requirements'] = 'Requirements';
 $locale['step_requirements_title'] = 'Requirements check';
 $locale['step_requirements_php_version'] = 'PHP Version';
 $locale['step_requirements_write_perms'] = 'Write permissions';
+$locale['step_requirements_folder_exists'] = 'Directory exists';
+$locale['step_requirements_folder_not_exists_tools_ext'] = 'NPM Package Manager is used for external JavaScript/CSS libraries.'
+	. ' You need to install it through Command Line: <a href="https://docs.npmjs.com/downloading-and-installing-node-js-and-npm">https://docs.npmjs.com/downloading-and-installing-node-js-and-npm</a>'
+	. ' When you done with installing that tool, execute: "npm install" in the main MyAAC folder.';
 $locale['step_requirements_failed'] = 'Installation will be disabled until these requirements will be passed.</b><br/>For more informations see <b>README</b> file.';
 $locale['step_requirements_extension'] = '$EXTENSION$ PHP extension';
 $locale['step_requirements_warning_images_guilds'] = 'Guild logo upload will not work';

system/locale/pl/install.php

@@ -36,6 +36,10 @@ $locale['step_requirements'] = 'Wymagania';
 $locale['step_requirements_title'] = 'Sprawdzanie wymagań';
 $locale['step_requirements_php_version'] = 'Wersja PHP';
 $locale['step_requirements_write_perms'] = 'Uprawnienia do zapisu';
+$locale['step_requirements_folder_exists'] = 'Folder istnieje';
+$locale['step_requirements_folder_not_exists_tools_ext'] = 'Manadżer Pakietów NPM jest używany do zewnętrznych bibliotek JavaScript/CSS.'
+	. ' Trzeba go zainstalować poprzez wiersz poleceń: <a href="https://docs.npmjs.com/downloading-and-installing-node-js-and-npm">https://docs.npmjs.com/downloading-and-installing-node-js-and-npm</a>'
+	. ' Po instalacji narzędzia, wywołaj następujące polecenie w głownym katalogu MyAAC: "npm install".';
 $locale['step_requirements_failed'] = 'Instalacja zostanie zablokowana dopóki te wymagania nie zostaną spełnione.</b><br/>Po więcej informacji zasięgnij do pliku <b>README</b>.';
 $locale['step_requirements_extension'] = 'Rozszerzenie PHP - $EXTENSION$';
 $locale['step_requirements_warning_images_guilds'] = 'Nie będzie możliwości uploadu obrazków gildii';

system/logout.php

@@ -22,11 +22,5 @@ if(isset($account_logged) && $account_logged->isLoaded()) {
 
 		$logged = false;
 		unset($account_logged);
-
-		if(isset($_REQUEST['redirect']))
-		{
-			header('Location: ' . urldecode($_REQUEST['redirect']));
-			exit;
-		}
 	}
 }

system/migrations/20.php

@@ -2,6 +2,10 @@
 
 use MyAAC\Settings;
 
+if (!$db->hasTable('players')) {
+	return;
+}
+
 $query = $db->query("SELECT `id` FROM `players` WHERE (`name` = " . $db->quote("Rook Sample") . " OR `name` = " . $db->quote("Sorcerer Sample") . " OR `name` = " . $db->quote("Druid Sample") . " OR `name` = " . $db->quote("Paladin Sample") . " OR `name` = " . $db->quote("Knight Sample") . " OR `name` = " . $db->quote("Account Manager") . ") ORDER BY `id`;");
 
 $highscores_ignored_ids = array();

system/pages/account/base.php

@@ -12,6 +12,8 @@ defined('MYAAC') or die('Direct access not allowed!');
 
 if(!$logged)
 {
+	$title = 'Login';
+
 	if(!empty($errors))
 		$twig->display('error_box.html.twig', array('errors' => $errors));
 
@@ -19,7 +21,8 @@ if(!$logged)
 		'redirect' => $_REQUEST['redirect'] ?? null,
 		'account' => USE_ACCOUNT_NAME ? 'Name' : 'Number',
 		'account_login_by' => getAccountLoginByLabel(),
-		'error' => $errors[0] ?? null
+		'error' => $errors[0] ?? null,
+		'errors' => $errors ?? [],
 	));
 
 	return;

system/pages/account/change-email.php

@@ -57,14 +57,14 @@ if($email_new_time < 10) {
 			$twig->display('error_box.html.twig', array('errors' => $errors));
 
 			//show form
-			$twig->display('account.change_mail.html.twig', array(
+			$twig->display('account.change-email.html.twig', array(
 				'new_email' => isset($_POST['new_email']) ? $_POST['new_email'] : null
 			));
 		}
 	}
 	else
 	{
-		$twig->display('account.change_mail.html.twig', array(
+		$twig->display('account.change-email.html.twig', array(
 			'new_email' => isset($_POST['new_email']) ? $_POST['new_email'] : null
 		));
 	}

system/pages/account/change-info.php

@@ -26,12 +26,13 @@ if(setting('core.account_country'))
 $account = Account::find($account_logged->getId());
 
 $show_form = true;
-$new_rlname = isset($_POST['info_rlname']) ? htmlspecialchars(stripslashes($_POST['info_rlname'])) : NULL;
-$new_location = isset($_POST['info_location']) ? htmlspecialchars(stripslashes($_POST['info_location'])) : NULL;
-$new_country = isset($_POST['info_country']) ? htmlspecialchars(stripslashes($_POST['info_country'])) : NULL;
+$new_rlname = isset($_POST['info_rlname']) ? htmlspecialchars(stripslashes($_POST['info_rlname'])) : '';
+$new_location = isset($_POST['info_location']) ? htmlspecialchars(stripslashes($_POST['info_location'])) : '';
+$new_country = isset($_POST['info_country']) ? htmlspecialchars(stripslashes($_POST['info_country'])) : '';
 if(isset($_POST['changeinfosave']) && $_POST['changeinfosave'] == 1) {
-	if(!isset($config['countries'][$new_country]))
+	if(setting('core.account_country') && !isset($config['countries'][$new_country])) {
 		$errors[] = 'Country is not correct.';
+	}
 
 	if(empty($errors)) {
 		//save data from form
@@ -39,7 +40,14 @@ if(isset($_POST['changeinfosave']) && $_POST['changeinfosave'] == 1) {
 		$account->location = $new_location;
 		$account->country = $new_country;
 		$account->save();
-		$account_logged->logAction('Changed Real Name to <b>' . $new_rlname . '</b>, Location to <b>' . $new_location . '</b> and Country to <b>' . $config['countries'][$new_country] . '</b>.');
+
+		$log = 'Changed Real Name to <b>' . $new_rlname . '</b>, Location to <b>' . $new_location . '</b>';
+		if(setting('core.account_country')) {
+			$log .= ' and Country to <b>' . $config['countries'][$new_country] . '</b>';
+		}
+		$log .= '.';
+
+		$account_logged->logAction($log);
 		$twig->display('success.html.twig', array(
 			'title' => 'Public Information Changed',
 			'description' => 'Your public information has been changed.'
@@ -68,7 +76,7 @@ if($show_form) {
 			$countries[$code] = $country;
 	}
 
-	$twig->display('account.change_info.html.twig', array(
+	$twig->display('account.change-info.html.twig', array(
 		'countries' => $countries ?? [],
 		'account_rlname' => $account_rlname,
 		'account_location' => $account_location,

system/pages/account/change-password.php

@@ -21,7 +21,7 @@ $new_password = $_POST['newpassword'] ?? NULL;
 $new_password_confirm = $_POST['newpassword_confirm'] ?? NULL;
 $old_password = $_POST['oldpassword'] ?? NULL;
 if(empty($new_password) && empty($new_password_confirm) && empty($old_password)) {
-	$twig->display('account.change_password.html.twig');
+	$twig->display('account.change-password.html.twig');
 }
 else
 {
@@ -52,7 +52,7 @@ else
 		$twig->display('error_box.html.twig', array('errors' => $errors));
 
 		//show form
-		$twig->display('account.change_password.html.twig');
+		$twig->display('account.change-password.html.twig');
 	}
 	else {
 		$org_pass = $new_password;

system/pages/account/characters/change-comment.php

@@ -14,7 +14,7 @@ use MyAAC\Models\Player;
 defined('MYAAC') or die('Direct access not allowed!');
 
 $title = 'Change Comment';
-require __DIR__ . '/base.php';
+require PAGES . 'account/base.php';
 
 if(!$logged) {
 	return;
@@ -68,7 +68,7 @@ if($show_form) {
 	}
 
 	if(isset($player) && $player) {
-		$twig->display('account.change_comment.html.twig', array(
+		$twig->display('account.characters.change-comment.html.twig', array(
 			'player' => $player->toArray()
 		));
 	}

system/pages/account/characters/change-name.php

@@ -11,7 +11,7 @@
 defined('MYAAC') or die('Direct access not allowed!');
 
 $title = 'Change Name';
-require __DIR__ . '/base.php';
+require PAGES . 'account/base.php';
 
 if(!$logged) {
 	return;
@@ -109,7 +109,7 @@ else
 			$twig->display('error_box.html.twig', array('errors' => $errors));
 		}
 
-		$twig->display('account.change_name.html.twig', array(
+		$twig->display('account.characters.change-name.html.twig', array(
 			'points' => $points,
 			'errors' => $errors
 			//'account_players' => $account_logged->getPlayersList()

system/pages/account/characters/change-sex.php

@@ -11,7 +11,7 @@
 defined('MYAAC') or die('Direct access not allowed!');
 
 $title = 'Change Sex';
-require __DIR__ . '/base.php';
+require PAGES . 'account/base.php';
 
 if(!$logged) {
 	return;
@@ -88,7 +88,7 @@ else
 		if(!empty($errors)) {
 			$twig->display('error_box.html.twig', array('errors' => $errors));
 		}
-		$twig->display('account.change_sex.html.twig', array(
+		$twig->display('account.characters.change-sex.html.twig', array(
 			'players' => $account_logged->getPlayersList(false),
 			'player_sex' => isset($player) ? $player->getSex() : -1,
 			'points' => $points

system/pages/account/characters/create.php

@@ -14,7 +14,7 @@ use MyAAC\CreateCharacter;
 defined('MYAAC') or die('Direct access not allowed!');
 
 $title = 'Create Character';
-require __DIR__ . '/base.php';
+require PAGES . 'account/base.php';
 
 if(!$logged) {
 	return;
@@ -43,7 +43,7 @@ if(count($errors) > 0) {
 }
 
 if(!$character_created) {
-	$twig->display('account.create_character.html.twig', array(
+	$twig->display('account.characters.create.html.twig', array(
 		'name' => $character_name,
 		'sex' => $character_sex,
 		'vocation' => $character_vocation,

system/pages/account/characters/delete.php

@@ -11,7 +11,7 @@
 defined('MYAAC') or die('Direct access not allowed!');
 
 $title = 'Delete Character';
-require __DIR__ . '/base.php';
+require PAGES . 'account/base.php';
 
 if(!$logged) {
 	return;
@@ -93,5 +93,5 @@ if($show_form) {
 		$twig->display('error_box.html.twig', array('errors' => $errors));
 	}
 
-	$twig->display('account.delete_character.html.twig');
+	$twig->display('account.characters.delete.html.twig');
 }

system/pages/account/confirm-email.php

@@ -25,16 +25,20 @@ if(!Account::where('email_hash', $hash)->exists()) {
 }
 else
 {
-	if (Account::where('email_hash', $hash)->where('email_verified', 0)->exists()) {
-		$query = $query->fetch(PDO::FETCH_ASSOC);
+	$accountModel = Account::where('email_hash', $hash)->where('email_verified', 0)->first();
+	if ($accountModel) {
+		$accountModel->email_verified = 1;
+		$accountModel->save();
+
+		success('You have now verified your e-mail, this will increase the security of your account. Thank you for doing this. You can now <a href=' . getLink('account/manage') . '>log in</a>.');
+
 		$account = new OTS_Account();
-		$account->load($query['id']);
+		$account->load($accountModel->id);
 		if ($account->isLoaded()) {
 			$hooks->trigger(HOOK_EMAIL_CONFIRMED, ['account' => $account]);
 		}
 	}
-
-	Account::where('email_hash', $hash)->update('email_verified', 1);
-	success('You have now verified your e-mail, this will increase the security of your account. Thank you for doing this.');
+	else {
+		error('Link has expired.');
+	}
 }
-?>

system/pages/account/create.php

@@ -148,6 +148,10 @@ if($save)
 		}
 	}
 
+	/**
+	 * two hooks for compatibility
+	 */
+	$hooks->trigger(HOOK_ACCOUNT_CREATE_AFTER_SUBMIT, $params);
 	if (!$hooks->trigger(HOOK_ACCOUNT_CREATE_POST, $params)) {
 		return;
 	}
@@ -187,6 +191,8 @@ if($save)
 		$new_account->setEMail($email);
 		$new_account->save();
 
+		$hooks->trigger(HOOK_ACCOUNT_CREATE_AFTER_SAVED, ['account' => $new_account]);
+
 		if(USE_ACCOUNT_SALT)
 			$new_account->setCustomField('salt', $salt);
 
@@ -227,7 +233,7 @@ if($save)
 			$hash = md5(generateRandomString(16, true, true) . $email);
 			$new_account->setCustomField('email_hash', $hash);
 
-			$verify_url = getLink('account/confirm_email/' . $hash);
+			$verify_url = getLink('account/confirm-email/' . $hash);
 			$body_html = $twig->render('mail.account.verify.html.twig', array(
 				'account' => $tmp_account,
 				'verify_url' => generateLink($verify_url, $verify_url, true)
@@ -236,6 +242,9 @@ if($save)
 			if(_mail($email, 'New account on ' . $config['lua']['serverName'], $body_html))
 			{
 				echo 'Your account has been created.<br/><br/>';
+
+				warning("Before you can login - you need to verify your E-Mail. The verification link has been sent to $email. If the message is not coming - remember to check the SPAM folder.");
+
 				$twig->display('success.html.twig', array(
 					'title' => 'Account Created',
 					'description' => 'Your account ' . $account_type . ' is <b>' . $tmp_account . '</b><br/>You will need the account ' . $account_type . ' and your password to play on ' . configLua('serverName') . '.
@@ -252,15 +261,6 @@ if($save)
 		}
 		else
 		{
-			if(setting('core.account_create_character_create')) {
-				// character creation
-				$character_created = $createCharacter->doCreate($character_name, $character_sex, $character_vocation, $character_town, $new_account, $errors);
-				if (!$character_created) {
-					error('There was an error creating your character. Please create your character later in account management page.');
-					error(implode(' ', $errors));
-				}
-			}
-
 			if(setting('core.account_create_auto_login')) {
 				if ($hasBeenCreatedByEMail) {
 					$_POST['account_login'] = $email;
@@ -311,6 +311,15 @@ if($save)
 			}
 		}
 
+		if(setting('core.account_create_character_create')) {
+			// character creation
+			$character_created = $createCharacter->doCreate($character_name, $character_sex, $character_vocation, $character_town, $new_account, $errors);
+			if (!$character_created) {
+				error('There was an error creating your character. Please create your character later in account management page.');
+				error(implode(' ', $errors));
+			}
+		}
+
 		return;
 	}
 }

system/pages/account/login.php

@@ -8,39 +8,26 @@
  * @copyright 2023 MyAAC
  * @link      https://my-aac.org
  */
+
+use MyAAC\RateLimit;
+
 defined('MYAAC') or die('Direct access not allowed!');
-$title = 'Login';
 
 // new login with data from form
-if(!$logged && isset($_POST['account_login'], $_POST['password_login']))
+if($logged || !isset($_POST['account_login']) || !isset($_POST['password_login'])) {
+	return;
+}
+
+$login_account = $_POST['account_login'];
+$login_password = $_POST['password_login'];
+$remember_me = isset($_POST['remember_me']);
+$ip = get_browser_real_ip();
+if(!empty($login_account) && !empty($login_password))
 {
-	$login_account = $_POST['account_login'];
-	$login_password = $_POST['password_login'];
-	$remember_me = isset($_POST['remember_me']);
-	if(!empty($login_account) && !empty($login_password))
-	{
-		if($cache->enabled())
-		{
-			$tmp = '';
-			if($cache->fetch('failed_logins', $tmp))
-			{
-				$tmp = unserialize($tmp);
-				$to_remove = array();
-				foreach($tmp as $ip => $t)
-				{
-					if(time() - $t['last'] >= 5 * 60)
-						$to_remove[] = $ip;
-				}
 
-				foreach($to_remove as $ip)
-					unset($tmp[$ip]);
-			}
-			else
-				$tmp = array();
-
-			$ip = $_SERVER['REMOTE_ADDR'];
-			$t = $tmp[$ip] ?? null;
-		}
+	$limiter = new RateLimit('failed_logins', setting('core.account_login_attempts_limit'), setting('core.account_login_ban_time'));
+	$limiter->enabled = setting('core.account_login_ipban_protection');
+	$limiter->load();
 
 	$account_logged = new OTS_Account();
 	if (config('account_login_by_email')) {
@@ -55,10 +42,12 @@ if(!$logged && isset($_POST['account_login'], $_POST['password_login']))
 		}
 	}
 
-		if($account_logged->isLoaded() && encrypt((USE_ACCOUNT_SALT ? $account_logged->getCustomField('salt') : '') . $login_password) == $account_logged->getPassword()
-			&& (!isset($t) || $t['attempts'] < 5)
+	if($account_logged->isLoaded() && encrypt((USE_ACCOUNT_SALT ? $account_logged->getCustomField('salt') : '') . $login_password) == $account_logged->getPassword() && ($limiter->enabled && !$limiter->exceeded($ip))
 	)
 	{
+		if (setting('core.account_mail_verify') && (int)$account_logged->getCustomField('email_verified') !== 1) {
+			$errors[] = 'Your account is not verified. Please verify your email address. If the message is not coming check the SPAM folder in your E-Mail client.';
+		} else {
 			session_regenerate_id();
 			setSession('account', $account_logged->getId());
 			setSession('password', encrypt((USE_ACCOUNT_SALT ? $account_logged->getCustomField('salt') : '') . $login_password));
@@ -82,44 +71,27 @@ if(!$logged && isset($_POST['account_login'], $_POST['password_login']))
 
 			$hooks->trigger(HOOK_LOGIN, array('account' => $account_logged, 'password' => $login_password, 'remember_me' => $remember_me));
 		}
+
+		$limiter->reset($ip);
+	}
 	else
 	{
 		$hooks->trigger(HOOK_LOGIN_ATTEMPT, array('account' => $login_account, 'password' => $login_password, 'remember_me' => $remember_me));
 
 		$errorMessage = getAccountLoginByLabel() . ' or password is not correct.';
-
-			// temporary solution for blocking failed login attempts
-			if($cache->enabled())
-			{
-				if(isset($t))
-				{
-					$t['attempts']++;
-					$t['last'] = time();
-
-					if($t['attempts'] >= 5)
-						$errors[] = 'A wrong password has been entered 5 times in a row. You are unable to log into your account for the next 5 minutes. Please wait.';
-					else
-						$errors[] = $errorMessage;
-				}
-				else
-				{
-					$t = array('attempts' => 1, 'last' => time());
-					$errors[] = $errorMessage;
+		$limiter->increment($ip);
+		if ($limiter->exceeded($ip)) {
+			$errorMessage = 'A wrong password has been entered ' . $limiter->max_attempts . ' times in a row. You are unable to log into your account for the next ' . $limiter->ttl . ' minutes. Please wait.';
 		}		
 
-				$tmp[$ip] = $t;
-				$cache->set('failed_logins', serialize($tmp), 60 * 60); // save for 1 hour
-			}
-			else {
 		$errors[] = $errorMessage;
+		
 	}
-		}
-	}
-	else {
+}
+else {
 	$errors[] = 'Please enter your ' . getAccountLoginByLabel() . ' and password.';
 
 	$hooks->trigger(HOOK_LOGIN_ATTEMPT, array('account' => $login_account, 'password' => $login_password, 'remember_me' => $remember_me));
-	}
-
-	$hooks->trigger(HOOK_ACCOUNT_LOGIN_POST);
 }
+
+$hooks->trigger(HOOK_ACCOUNT_LOGIN_POST);

system/pages/account/lost.php

@@ -17,532 +17,31 @@ if(!setting('core.mail_enabled'))
 	return;
 }
 
-$action_type = isset($_REQUEST['action_type']) ? $_REQUEST['action_type'] : '';
-if($action == '')
-{
+$action_type = $_REQUEST['action_type'] ?? '';
+if($action == '') {
 	$twig->display('account.lost.form.html.twig');
 }
 else if($action == 'step1' && $action_type == '') {
 	$twig->display('account.lost.noaction.html.twig');
 }
-elseif($action == 'step1' && $action_type == 'email')
-{
-	$nick = stripslashes($_REQUEST['nick']);
-	if(Validator::characterName($nick))
-	{
-		$player = new OTS_Player();
-		$account = new OTS_Account();
-		$player->find($nick);
-		if($player->isLoaded())
-			$account = $player->getAccount();
-
-		if($account->isLoaded())
-		{
-			if($account->getCustomField('email_next') < time())
-				echo 'Please enter e-mail to account with this character.<BR>
-				<form action="' . getLink('account/lost') . '?action=sendcode" method=post>
-				<input type=hidden name="character">
-				<table cellspacing=1 cellpadding=4 border=0 width=100%>
-				<TR><TD BGCOLOR="'.$config['vdarkborder'].'" class="white"><B>Please enter e-mail to account</B></TD></TR>
-				<TR><TD BGCOLOR="'.$config['darkborder'].'">
-				Character: <INPUT TYPE=text NAME="nick" VALUE="'.$nick.'" SIZE="40" readonly="readonly"><BR>
-				E-mail to account:<INPUT TYPE=text NAME="email" VALUE="" SIZE="40"><BR>
-				</TD></TR>
-				</TABLE>
-				<BR>
-				<TABLE CELLSPACING=0 CELLPADDING=0 BORDER=0 WIDTH=100%><TR><TD><div style="text-align:center">
-				' . $twig->render('buttons.submit.html.twig') . '</div>
-				</TD></TR></FORM></TABLE></TABLE>';
-			else
-			{
-				$insec = (int)$account->getCustomField('email_next') - time();
-				$minutesleft = floor($insec / 60);
-				$secondsleft = $insec - ($minutesleft * 60);
-				$timeleft = $minutesleft.' minutes '.$secondsleft.' seconds';
-				echo 'Account of selected character (<b>'.$nick.'</b>) received e-mail in last '.ceil(setting('core.mail_lost_account_interval') / 60).' minutes. You must wait '.$timeleft.' before you can use Lost Account Interface again.';
-			}
-		}
-		else
-			echo 'Player or account of player <b>' . $nick . '</b> doesn\'t exist.';
-	}
-	else
-		echo 'Invalid player name format. If you have other characters on account try with other name.';
-	echo '<BR /><TABLE CELLSPACING=0 CELLPADDING=0 BORDER=0 WIDTH=100%><TR><TD><div style="text-align:center">
-				<a href="' . getLink('account/lost') . '" border="0"><IMG SRC="'.$template_path.'/images/global/buttons/sbutton_back.gif" NAME="Back" ALT="Back" BORDER=0 WIDTH=120 HEIGHT=18></a></div>
-				</TD></TR></FORM></TABLE></TABLE>';
+elseif($action == 'step1' && $action_type == 'email') {
+	require PAGES . 'account/lost/step1-email.php';
 }
-elseif($action == 'sendcode')
-{
-	$email = $_REQUEST['email'];
-	$nick = stripslashes($_REQUEST['nick']);
-	if(Validator::characterName($nick))
-	{
-		$player = new OTS_Player();
-		$account = new OTS_Account();
-		$player->find($nick);
-		if($player->isLoaded())
-			$account = $player->getAccount();
-
-		if($account->isLoaded())
-		{
-			if($account->getCustomField('email_next') < time())
-			{
-				if($account->getEMail() == $email)
-				{
-					$newcode = generateRandomString(30, true, false, true);
-					$mailBody = '
-					You asked to reset your ' . $config['lua']['serverName'] . ' password.<br/>
-					<p>Account name: '.$account->getName().'</p>
-					<br />
-					To do so, please click this link:
-					<p><a href="' . getLink('account/lost') . '?action=checkcode&code='.$newcode.'&character='.urlencode($nick).'">' . getLink('account/lost') . '?action=checkcode&code='.$newcode.'&character='.urlencode($nick).'</a></p>
-					<p>or open page: <i>' . getLink('account/lost') . '?action=checkcode</i> and in field "code" write <b>'.$newcode.'</b></p>
-					<br/>
-						<p>If you did not request a password change, you may ignore this message and your password will remain unchanged.';
-
-					$account_mail = $account->getCustomField('email');
-					if(_mail($account_mail, $config['lua']['serverName'].' - Recover your account', $mailBody))
-					{
-						$account->setCustomField('email_code', $newcode);
-						$account->setCustomField('email_next', (time() + setting('core.mail_lost_account_interval')));
-						echo '<br />Details about steps required to recover your account has been sent to <b>' . $account_mail . '</b>. You should receive this email within 15 minutes. Please check your inbox/spam directory.';
-					}
-					else
-					{
-						$account->setCustomField('email_next', (time() + 60));
-						echo '<br /><p class="error">An error occurred while sending email! Try again later or contact with admin. For Admin: More info can be found in system/logs/mailer-error.log</p>';
-					}
-				}
-				else
-					echo 'Invalid e-mail to account of character <b>'.$nick.'</b>. Try again.';
-			}
-			else
-			{
-				$insec = (int)$account->getCustomField('email_next') - time();
-				$minutesleft = floor($insec / 60);
-				$secondsleft = $insec - ($minutesleft * 60);
-				$timeleft = $minutesleft.' minutes '.$secondsleft.' seconds';
-				echo 'Account of selected character (<b>'.$nick.'</b>) received e-mail in last '.ceil(setting('core.mail_lost_account_interval') / 60).' minutes. You must wait '.$timeleft.' before you can use Lost Account Interface again.';
-			}
-		}
-		else
-			echo 'Player or account of player <b>'.$nick.'</b> doesn\'t exist.';
-	}
-	else
-		echo 'Invalid player name format. If you have other characters on account try with other name.';
-	echo '<BR /><TABLE CELLSPACING=0 CELLPADDING=0 BORDER=0 WIDTH=100%><TR><TD><div style="text-align:center">
-				<a href="' . getLink('account/lost') . '?action=step1&action_type=email&nick='.urlencode($nick).'" border="0"><IMG SRC="'.$template_path.'/images/global/buttons/sbutton_back.gif" NAME="Back" ALT="Back" BORDER=0 WIDTH=120 HEIGHT=18></a></div>
-				</TD></TR></FORM></TABLE></TABLE>';
+elseif($action == 'send-code') {
+	require PAGES . 'account/lost/send-code.php';
 }
-elseif($action == 'step1' && $action_type == 'reckey')
-{
-	$nick = stripslashes($_REQUEST['nick']);
-	if(Validator::characterName($nick))
-	{
-		$player = new OTS_Player();
-		$account = new OTS_Account();
-		$player->find($nick);
-		if($player->isLoaded())
-			$account = $player->getAccount();
-		if($account->isLoaded())
-		{
-			$account_key = $account->getCustomField('key');
-			if(!empty($account_key))
-			{
-						echo 'If you enter right recovery key you will see form to set new e-mail and password to account. To this e-mail will be send your new password and account name.<BR>
-						<FORM ACTION="' . getLink('account/lost') . '?action=step2" METHOD=post>
-						<TABLE CELLSPACING=1 CELLPADDING=4 BORDER=0 WIDTH=100%>
-						<TR><TD BGCOLOR="'.$config['vdarkborder'].'" class="white"><B>Please enter your recovery key</B></TD></TR>
-						<TR><TD BGCOLOR="'.$config['darkborder'].'">
-						Character name:&nbsp;<INPUT TYPE=text NAME="nick" VALUE="'.$nick.'" SIZE="40" readonly="readonly"><BR />
-						Recovery key:&nbsp;&nbsp;&nbsp;&nbsp;<INPUT TYPE=text NAME="key" VALUE="" SIZE="40"><BR>
-						</TD></TR>
-						</TABLE>
-						<BR>
-						<TABLE CELLSPACING=0 CELLPADDING=0 BORDER=0 WIDTH=100%><TR><TD><div style="text-align:center">
-						' . $twig->render('buttons.submit.html.twig') . '</div>
-						</TD></TR></FORM></TABLE></TABLE>';
-			}
-			else
-				echo 'Account of this character has no recovery key!';
-		}
-		else
-			echo 'Player or account of player <b>'.$nick.'</b> doesn\'t exist.';
-	}
-	else
-		echo 'Invalid player name format. If you have other characters on account try with other name.';
-	echo '<BR /><TABLE CELLSPACING=0 CELLPADDING=0 BORDER=0 WIDTH=100%><TR><TD><div style="text-align:center">
-				<a href="' . getLink('account/lost') . '" border="0"><IMG SRC="'.$template_path.'/images/global/buttons/sbutton_back.gif" NAME="Back" ALT="Back" BORDER=0 WIDTH=120 HEIGHT=18></a></div>
-				</TD></TR></FORM></TABLE></TABLE>';
+elseif($action == 'step1' && $action_type == 'reckey') {
+	require PAGES . 'account/lost/step1-reckey.php';
 }
-elseif($action == 'step2')
-{
-	$rec_key = trim($_REQUEST['key']);
-	$nick = stripslashes($_REQUEST['nick']);
-	if(Validator::characterName($nick))
-	{
-		$player = new OTS_Player();
-		$account = new OTS_Account();
-		$player->find($nick);
-		if($player->isLoaded())
-			$account = $player->getAccount();
-		if($account->isLoaded())
-		{
-			$account_key = $account->getCustomField('key');
-			if(!empty($account_key))
-			{
-				if($account_key == $rec_key)
-				{
-					echo '<script type="text/javascript">
-					function validate_required(field,alerttxt)
-					{
-					with (field)
-					{
-					if (value==null||value==""||value==" ")
-					  {alert(alerttxt);return false;}
-					else {return true}
-					}
-					}
-					function validate_email(field,alerttxt)
-					{
-					with (field)
-					{
-					apos=value.indexOf("@");
-					dotpos=value.lastIndexOf(".");
-					if (apos<1||dotpos-apos<2)
-					  {alert(alerttxt);return false;}
-					else {return true;}
-					}
-					}
-					function validate_form(thisform)
-					{
-					with (thisform)
-					{
-					if (validate_required(email,"Please enter your e-mail!")==false)
-					  {email.focus();return false;}
-					if (validate_email(email,"Invalid e-mail format!")==false)
-					  {email.focus();return false;}
-					if (validate_required(passor,"Please enter password!")==false)
-					  {passor.focus();return false;}
-					if (validate_required(passor2,"Please repeat password!")==false)
-					  {passor2.focus();return false;}
-					if (passor2.value!=passor.value)
-					  {alert(\'Repeated password is not equal to password!\');return false;}
-					}
-					}
-					</script>';
-					echo 'Set new password and e-mail to your account.<BR>
-					<FORM ACTION="' . getLink('account/lost') . '?action=step3" onsubmit="return validate_form(this)" METHOD=post>
-					<INPUT TYPE=hidden NAME="character" VALUE="">
-					<TABLE CELLSPACING=1 CELLPADDING=4 BORDER=0 WIDTH=100%>
-					<TR><TD BGCOLOR="'.$config['vdarkborder'].'" class="white"><B>Please enter new password and e-mail</B></TD></TR>
-					<TR><TD BGCOLOR="'.$config['darkborder'].'">
-					Account of character:&nbsp;&nbsp;<INPUT TYPE=text NAME="nick" VALUE="'.$nick.'" SIZE="40" readonly="readonly"><BR />
-					New password:&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<INPUT id="passor" TYPE=password NAME="passor" VALUE="" SIZE="40"><BR>
-					Repeat new password:&nbsp;&nbsp;<INPUT id="passor2" TYPE=password NAME="passor" VALUE="" SIZE="40"><BR>
-					New e-mail address:&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<INPUT id="email" TYPE=text NAME="email" VALUE="" SIZE="40"><BR>
-					<INPUT TYPE=hidden NAME="key" VALUE="'.$rec_key.'">
-					</TD></TR>
-					</TABLE>
-					<BR>
-					<TABLE CELLSPACING=0 CELLPADDING=0 BORDER=0 WIDTH=100%><TR><TD><div style="text-align:center">
-					' . $twig->render('buttons.submit.html.twig') . '</div>
-					</TD></TR></FORM></TABLE></TABLE>';
-				}
-				else
-					echo 'Wrong recovery key!';
-			}
-			else
-				echo 'Account of this character has no recovery key!';
-		}
-		else
-			echo 'Player or account of player <b>'.$nick.'</b> doesn\'t exist.';
-	}
-	else
-		echo 'Invalid player name format. If you have other characters on account try with other name.';
-	echo '<BR /><TABLE CELLSPACING=0 CELLPADDING=0 BORDER=0 WIDTH=100%><TR><TD><div style="text-align:center">
-				<a href="' . getLink('account/lost') . '?action=step1&action_type=reckey&nick='.urlencode($nick).'" border="0"><IMG SRC="'.$template_path.'/images/global/buttons/sbutton_back.gif" NAME="Back" ALT="Back" BORDER=0 WIDTH=120 HEIGHT=18></a></div>
-				</TD></TR></FORM></TABLE></TABLE>';
+elseif($action == 'step2') {
+	require PAGES . 'account/lost/step2.php';
 }
-elseif($action == 'step3')
-{
-	$rec_key = trim($_REQUEST['key']);
-	$nick = stripslashes($_REQUEST['nick']);
-	$new_pass = trim($_REQUEST['passor']);
-	$new_email = trim($_REQUEST['email']);
-	if(Validator::characterName($nick))
-	{
-		$player = new OTS_Player();
-		$account = new OTS_Account();
-		$player->find($nick);
-		if($player->isLoaded())
-			$account = $player->getAccount();
-		if($account->isLoaded())
-		{
-			$account_key = $account->getCustomField('key');
-			if(!empty($account_key))
-			{
-				if($account_key == $rec_key)
-				{
-					if(Validator::password($new_pass))
-					{
-						if(Validator::email($new_email))
-						{
-							$account->setEMail($new_email);
-
-							$tmp_new_pass = $new_pass;
-							if(USE_ACCOUNT_SALT)
-							{
-								$salt = generateRandomString(10, false, true, true);
-								$tmp_new_pass = $salt . $new_pass;
-							}
-
-							$account->setPassword(encrypt($tmp_new_pass));
-							$account->save();
-
-							if(USE_ACCOUNT_SALT)
-								$account->setCustomField('salt', $salt);
-
-							echo 'Your account name, new password and new e-mail.<BR>
-							<FORM ACTION="' . getLink('account/manage') . '" onsubmit="return validate_form(this)" METHOD=post>
-							<INPUT TYPE=hidden NAME="character" VALUE="">
-							<TABLE CELLSPACING=1 CELLPADDING=4 BORDER=0 WIDTH=100%>
-							<TR><TD BGCOLOR="'.$config['vdarkborder'].'" class="white"><B>Your account name, new password and new e-mail</B></TD></TR>
-							<TR><TD BGCOLOR="'.$config['darkborder'].'">
-							Account name:&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<b>'.$account->getName().'</b><BR>
-							New password:&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<b>'.$new_pass.'</b><BR>
-							New e-mail address:&nbsp;<b>'.$new_email.'</b><BR>';
-							if($account->getCustomField('email_next') < time())
-							{
-								$mailBody = '
-								<h3>Your account name and new password!</h3>
-								<p>Changed password and e-mail to your account in Lost Account Interface on server <a href="'.BASE_URL.'"><b>'.$config['lua']['serverName'].'</b></a></p>
-								<p>Account name: <b>'.$account->getName().'</b></p>
-								<p>New password: <b>'.$new_pass.'</b></p>
-								<p>E-mail: <b>'.$new_email.'</b> (this e-mail)</p>
-								<br />
-								<p><u>It\'s automatic e-mail from OTS Lost Account System. Do not reply!</u></p>';
-
-								if(_mail($account->getCustomField('email'), $config['lua']['serverName']." - New password to your account", $mailBody))
-								{
-									echo '<br /><small>Sent e-mail with your account name and password to new e-mail. You should receive this e-mail in 15 minutes. You can login now with new password!</small>';
-								}
-								else
-								{
-									echo '<br /><p class="error">An error occurred while sending email! You will not receive e-mail with this informations. For Admin: More info can be found in system/logs/mailer-error.log</p>';
-								}
-							}
-							else
-							{
-								echo '<br /><small>You will not receive e-mail with this informations.</small>';
-							}
-							echo '<INPUT TYPE=hidden NAME="account_login" VALUE="'.$account->getId().'">
-							<INPUT TYPE=hidden NAME="password_login" VALUE="'.$new_pass.'">
-							</TD></TR></TABLE><BR>
-							<TABLE CELLSPACING=0 CELLPADDING=0 BORDER=0 WIDTH=100%><TR><TD><div style="text-align:center">
-							<INPUT TYPE=image NAME="Login" ALT="Login" SRC="'.$template_path.'/images/global/buttons/sbutton_login.gif" BORDER=0 WIDTH=120 HEIGHT=18></div>
-							</TD></TR></FORM></TABLE></TABLE>';
-						}
-						else
-							echo Validator::getLastError();
-					}
-					else
-						echo Validator::getLastError();
-				}
-				else
-					echo 'Wrong recovery key!';
-			}
-			else
-				echo 'Account of this character has no recovery key!';
-		}
-		else
-			echo 'Player or account of player <b>'.$nick.'</b> doesn\'t exist.';
-	}
-	else
-		echo 'Invalid player name format. If you have other characters on account try with other name.';
-	echo '<BR /><TABLE CELLSPACING=0 CELLPADDING=0 BORDER=0 WIDTH=100%><TR><TD><div style="text-align:center">
-				<a href="' . getLink('account/lost') . '?action=step1&action_type=reckey&nick='.urlencode($nick).'" border="0"><IMG SRC="'.$template_path.'/images/global/buttons/sbutton_back.gif" NAME="Back" ALT="Back" BORDER=0 WIDTH=120 HEIGHT=18></a></div>
-				</TD></TR></FORM></TABLE></TABLE>';
+elseif($action == 'step3') {
+	require PAGES . 'account/lost/step3.php';
 }
-elseif($action == 'checkcode')
-{
-	$code = trim($_REQUEST['code']);
-	$character = stripslashes(trim($_REQUEST['character']));
-	if(empty($code) || empty($character))
-		echo 'Please enter code from e-mail and name of one character from account. Then press Submit.<BR>
-				<FORM ACTION="' . getLink('account/lost') . '?action=checkcode" METHOD=post>
-				<TABLE CELLSPACING=1 CELLPADDING=4 BORDER=0 WIDTH=100%>
-				<TR><TD BGCOLOR="'.$config['vdarkborder'].'" class="white"><B>Code & character name</B></TD></TR>
-				<TR><TD BGCOLOR="'.$config['darkborder'].'">
-				Your code:&nbsp;<INPUT TYPE=text NAME="code" VALUE="" SIZE="40")><BR />
-				Character:&nbsp;<INPUT TYPE=text NAME="character" VALUE="" SIZE="40")><BR />
-				</TD></TR>
-				</TABLE>
-				<BR>
-				<TABLE CELLSPACING=0 CELLPADDING=0 BORDER=0 WIDTH=100%><TR><TD><div style="text-align:center">
-				' . $twig->render('buttons.submit.html.twig') . '</div>
-				</TD></TR></FORM></TABLE></TABLE>';
-	else
-	{
-		$player = new OTS_Player();
-		$account = new OTS_Account();
-		$player->find($character);
-		if($player->isLoaded())
-			$account = $player->getAccount();
-		if($account->isLoaded())
-		{
-			if($account->getCustomField('email_code') == $code)
-			{
-				echo '<script type="text/javascript">
-				function validate_required(field,alerttxt)
-				{
-				with (field)
-				{
-				if (value==null||value==""||value==" ")
-				  {alert(alerttxt);return false;}
-				else {return true}
-				}
-				}
-
-				function validate_form(thisform)
-				{
-				with (thisform)
-				{
-				if (validate_required(passor,"Please enter password!")==false)
-				  {passor.focus();return false;}
-				if (validate_required(passor2,"Please repeat password!")==false)
-				  {passor2.focus();return false;}
-				if (passor2.value!=passor.value)
-				  {alert(\'Repeated password is not equal to password!\');return false;}
-				}
-				}
-				</script>
-				Please enter new password to your account and repeat to make sure you remember password.<BR>
-				<FORM ACTION="' . getLink('account/lost') . '?action=setnewpassword" onsubmit="return validate_form(this)" METHOD=post>
-				<INPUT TYPE=hidden NAME="character" VALUE="'.$character.'">
-				<INPUT TYPE=hidden NAME="code" VALUE="'.$code.'">
-				<TABLE CELLSPACING=1 CELLPADDING=4 BORDER=0 WIDTH=100%>
-				<TR><TD BGCOLOR="'.$config['vdarkborder'].'" class="white"><B>Code & account name</B></TD></TR>
-				<TR><TD BGCOLOR="'.$config['darkborder'].'">
-				New password:&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<INPUT TYPE=password ID="passor" NAME="passor" VALUE="" SIZE="40")><BR />
-				Repeat new password:&nbsp;<INPUT TYPE=password ID="passor2" NAME="passor2" VALUE="" SIZE="40")><BR />
-				</TD></TR>
-				</TABLE>
-				<BR>
-				<TABLE CELLSPACING=0 CELLPADDING=0 BORDER=0 WIDTH=100%><TR><TD><div style="text-align:center">
-				' . $twig->render('buttons.submit.html.twig') . '</div>
-				</TD></TR></FORM></TABLE></TABLE>';
-			}
-			else
-				$error= 'Wrong code to change password.';
-		}
-		else
-			$error = 'Account of this character or this character doesn\'t exist.';
-	}
-	if(!empty($error))
-				echo '<span style="color: red"><b>'.$error.'</b></span><br />Please enter code from e-mail and name of one character from account. Then press Submit.<BR>
-				<FORM ACTION="' . getLink('account/lost') . '?action=checkcode" METHOD=post>
-				<TABLE CELLSPACING=1 CELLPADDING=4 BORDER=0 WIDTH=100%>
-				<TR><TD BGCOLOR="'.$config['vdarkborder'].'" class="white"><B>Code & character name</B></TD></TR>
-				<TR><TD BGCOLOR="'.$config['darkborder'].'">
-				Your code:&nbsp;<INPUT TYPE=text NAME="code" VALUE="" SIZE="40")><BR />
-				Character:&nbsp;<INPUT TYPE=text NAME="character" VALUE="" SIZE="40")><BR />
-				</TD></TR>
-				</TABLE>
-				<BR>
-				<TABLE CELLSPACING=0 CELLPADDING=0 BORDER=0 WIDTH=100%><TR><TD><div style="text-align:center">
-				' . $twig->render('buttons.submit.html.twig') . '</div>
-				</TD></TR></FORM></TABLE></TABLE>';
+elseif($action == 'check-code') {
+	require PAGES . 'account/lost/check-code.php';
 }
-elseif($action == 'setnewpassword')
-{
-	$newpassword = $_REQUEST['passor'];
-	$code = $_REQUEST['code'];
-	$character = stripslashes($_REQUEST['character']);
-	echo '';
-	if(empty($code) || empty($character) || empty($newpassword))
-		echo '<span style="color: red"><b>Error. Try again.</b></span><br />Please enter code from e-mail and name of one character from account. Then press Submit.<BR>
-				<BR><FORM ACTION="' . getLink('account/lost') . '?action=checkcode" METHOD=post>
-				<TABLE CELLSPACING=0 CELLPADDING=0 BORDER=0 WIDTH=100%><TR><TD><div style="text-align:center">
-				<INPUT TYPE=image NAME="Back" ALT="Back" SRC="'.$template_path.'/images/global/buttons/sbutton_back.gif" BORDER=0 WIDTH=120 HEIGHT=18></div>
-				</TD></TR></FORM></TABLE></TABLE>';
-	else
-	{
-		$player = new OTS_Player();
-		$account = new OTS_Account();
-		$player->find($character);
-		if($player->isLoaded())
-			$account = $player->getAccount();
-		if($account->isLoaded())
-		{
-			if($account->getCustomField('email_code') == $code)
-			{
-				if(Validator::password($newpassword))
-				{
-					$tmp_new_pass = $newpassword;
-					if(USE_ACCOUNT_SALT)
-					{
-						$salt = generateRandomString(10, false, true, true);
-						$tmp_new_pass  = $salt . $newpassword;
-						$account->setCustomField('salt', $salt);
-					}
-
-					$account->setPassword(encrypt($tmp_new_pass ));
-					$account->save();
-					$account->setCustomField('email_code', '');
-					echo 'New password to your account is below. Now you can login.<BR>
-					<INPUT TYPE=hidden NAME="character" VALUE="'.$character.'">
-					<TABLE CELLSPACING=1 CELLPADDING=4 BORDER=0 WIDTH=100%>
-					<TR><TD BGCOLOR="'.$config['vdarkborder'].'" class="white"><B>Changed password</B></TD></TR>
-					<TR><TD BGCOLOR="'.$config['darkborder'].'">
-					New password:&nbsp;<b>'.$newpassword.'</b><BR />
-					Account name:&nbsp;&nbsp;&nbsp;<i>(Already on your e-mail)</i><BR />';
-
-					$mailBody = '
-					<h3>Your account name and password!</h3>
-					<p>Changed password to your account in Lost Account Interface on server <a href="'.BASE_URL.'"><b>'.$config['lua']['serverName'].'</b></a></p>
-					<p>Account name: <b>'.$account->getName().'</b></p>
-					<p>New password: <b>'.$newpassword.'</b></p>
-					<br />
-					<p><u>It\'s automatic e-mail from OTS Lost Account System. Do not reply!</u></p>';
-
-					if(_mail($account->getCustomField('email'), $config['lua']['serverName']." - Your new password", $mailBody))
-					{
-						echo '<br /><small>New password work! Sent e-mail with your password and account name. You should receive this e-mail in 15 minutes. You can login now with new password!';
-					}
-					else
-					{
-						echo '<br /><p class="error">New password work! An error occurred while sending email! You will not receive e-mail with new password. For Admin: More info can be found in system/logs/mailer-error.log';
-					}
-				echo '</TD></TR>
-				</TABLE>
-				<BR>
-				<TABLE CELLSPACING=0 CELLPADDING=0 BORDER=0 WIDTH=100%><TR><TD><div style="text-align:center">
-				<FORM ACTION="' . getLink('account/manage') . '" METHOD=post>
-				<INPUT TYPE=image NAME="Login" ALT="Login" SRC="'.$template_path.'/images/global/buttons/sbutton_login.gif" BORDER=0 WIDTH=120 HEIGHT=18></div>
-				</TD></TR></FORM></TABLE></TABLE>';
-				}
-				else
-					$error= Validator::getLastError();
-			}
-			else
-				$error= 'Wrong code to change password.';
-		}
-		else
-			$error = 'Account of this character or this character doesn\'t exist.';
-	}
-	if(!empty($error))
-				echo '<span style="color: red"><b>'.$error.'</b></span><br />Please enter code from e-mail and name of one character from account. Then press Submit.<BR>
-				<FORM ACTION="' . getLink('account/lost') . '?action=checkcode" METHOD=post>
-				<TABLE CELLSPACING=1 CELLPADDING=4 BORDER=0 WIDTH=100%>
-				<TR><TD BGCOLOR="'.$config['vdarkborder'].'" class="white"><B>Code & character name</B></TD></TR>
-				<TR><TD BGCOLOR="'.$config['darkborder'].'">
-				Your code:&nbsp;<INPUT TYPE=text NAME="code" VALUE="" SIZE="40")><BR />
-				Character:&nbsp;<INPUT TYPE=text NAME="character" VALUE="" SIZE="40")><BR />
-				</TD></TR>
-				</TABLE>
-				<BR>
-				<TABLE CELLSPACING=0 CELLPADDING=0 BORDER=0 WIDTH=100%><TR><TD><div style="text-align:center">
-				' . $twig->render('buttons.submit.html.twig') . '</div>
-				</TD></TR></FORM></TABLE></TABLE>';
+elseif($action == 'set-new-password') {
+	require PAGES . 'account/lost/set-new-password.php';
 }

system/pages/account/lost/check-code.php

@@ -0,0 +1,57 @@
+<?php
+$code = isset($_REQUEST['code']) ? trim($_REQUEST['code']) : '';
+$character = isset($_REQUEST['character']) ? stripslashes(trim($_REQUEST['character'])) : '';
+
+if(empty($code) || empty($character))
+	$twig->display('account.lost.check-code.html.twig', [
+		'code' => $code,
+		'characters' => $character,
+	]);
+else
+{
+	$player = new OTS_Player();
+	$account = new OTS_Account();
+	$player->find($character);
+	if($player->isLoaded()) {
+		$account = $player->getAccount();
+	}
+
+	if($account->isLoaded()) {
+		if($account->getCustomField('email_code') == $code) {
+			echo '
+				Please enter new password to your account and repeat to make sure you remember password.<BR>
+				<FORM ACTION="' . getLink('account/lost') . '?action=setnewpassword" METHOD=post>
+				<INPUT TYPE=hidden NAME="character" VALUE="'.$character.'">
+				<INPUT TYPE=hidden NAME="code" VALUE="'.$code.'">
+				<TABLE CELLSPACING=1 CELLPADDING=4 BORDER=0 WIDTH=100%>
+				<TR><TD BGCOLOR="'.$config['vdarkborder'].'" class="white"><B>Passwords</B></TD></TR>
+				<TR><TD BGCOLOR="'.$config['darkborder'].'">
+				New password:&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<INPUT TYPE=password ID="passor" NAME="passor" VALUE="" SIZE="40"><BR />
+				Repeat new password:&nbsp;<INPUT TYPE=password ID="passor2" NAME="passor2" VALUE="" SIZE="40"><BR />
+				</TD></TR>
+				</TABLE>
+				<BR>
+				<TABLE CELLSPACING=0 CELLPADDING=0 BORDER=0 WIDTH=100%><TR><TD><div style="text-align:center">
+				' . $twig->render('buttons.submit.html.twig') . '</div>
+				</TD></TR></FORM></TABLE></TABLE>';
+		}
+		else {
+			$error = 'Wrong code to change password.';
+		}
+	}
+	else {
+		$error = "Account of this character or this character doesn't exist.";
+	}
+}
+
+if(!empty($error)) {
+	$twig->display('error_box.html.twig', [
+		'errors' => [$error],
+	]);
+
+	echo '<br/>';
+
+	$twig->display('account.lost.check-code.html.twig', [
+
+	]);
+}

system/pages/account/lost/send-code.php

@@ -0,0 +1,56 @@
+<?php
+
+$email = $_REQUEST['email'];
+$nick = stripslashes($_REQUEST['nick']);
+
+$player = new OTS_Player();
+$account = new OTS_Account();
+$player->find($nick);
+if($player->isLoaded()) {
+	$account = $player->getAccount();
+}
+
+if($account->isLoaded()) {
+	if($account->getCustomField('email_next') < time()) {
+		if($account->getEMail() == $email) {
+			$newCode = generateRandomString(30, true, false, true);
+			$mailBody = $twig->render('mail.account.lost.code.html.twig', [
+				'newCode' => $newCode,
+				'account' => $account,
+				'nick' => $nick,
+			]);
+
+			$accountEMail = $account->getCustomField('email');
+			if(_mail($accountEMail, configLua('serverName') . ' - Recover your account', $mailBody)) {
+				$account->setCustomField('email_code', $newCode);
+				$account->setCustomField('email_next', (time() + setting('core.mail_lost_account_interval')));
+
+				echo '<br />Details about steps required to recover your account has been sent to <b>' . $accountEMail . '</b>. You should receive this email within 15 minutes. Please check your inbox/spam directory.';
+			}
+			else {
+				$account->setCustomField('email_next', (time() + 60));
+				error('An error occurred while sending email! Try again later or contact with admin. For Admin: More info can be found in system/logs/mailer-error.log</p>');
+			}
+		}
+		else {
+			echo 'Invalid e-mail to account of character <b>' . htmlspecialchars($nick) . '</b>. Try again.';
+		}
+	}
+	else {
+		$insec = (int)$account->getCustomField('email_next') - time();
+		$minutesleft = floor($insec / 60);
+		$secondsleft = $insec - ($minutesleft * 60);
+		$timeleft = $minutesleft.' minutes '.$secondsleft.' seconds';
+
+		echo 'Account of selected character (<b>' . htmlspecialchars($nick) . '</b>) received e-mail in last '.ceil(setting('core.mail_lost_account_interval') / 60) . ' minutes. You must wait '.$timeleft.' before you can use Lost Account Interface again.';
+	}
+}
+else {
+	echo "Player or account of player <b>" . htmlspecialchars($nick) . "</b> doesn't exist.";
+}
+
+$twig->display('account.back_button.html.twig', [
+	'new_line' => true,
+	'center' => true,
+	'action' => getLink('account/lost') . '?action=step1&action_type=email&nick=' . urlencode($nick),
+]);

system/pages/account/lost/set-new-password.php

@@ -0,0 +1,81 @@
+<?php
+$newPassword = $_REQUEST['passor'];
+$code = $_REQUEST['code'];
+$character = stripslashes($_REQUEST['character']);
+
+if(empty($code) || empty($character) || empty($newPassword)) {
+	echo '<span style="color: red"><b>Error. Try again.</b></span><br/>Please enter code from e-mail and name of one character from account. Then press Submit.<br>';
+
+	$twig->display('account.back_button.html.twig', [
+		'new_line' => true,
+		'center' => true,
+		'action' => getLink('account/lost') . '?action=check-code',
+	]);
+}
+else
+{
+	$player = new OTS_Player();
+	$account = new OTS_Account();
+	$player->find($character);
+	if($player->isLoaded()) {
+		$account = $player->getAccount();
+	}
+
+	if($account->isLoaded())
+	{
+		if($account->getCustomField('email_code') == $code)
+		{
+			if(Validator::password($newPassword))
+			{
+				$tmp_new_pass = $newPassword;
+				if(USE_ACCOUNT_SALT)
+				{
+					$salt = generateRandomString(10, false, true, true);
+					$tmp_new_pass  = $salt . $newPassword;
+					$account->setCustomField('salt', $salt);
+				}
+
+				$account->setPassword(encrypt($tmp_new_pass));
+				$account->save();
+				$account->setCustomField('email_code', '');
+
+				$mailBody = $twig->render('mail.account.lost.new-password.html.twig', [
+					'account' => $account,
+					'newPassword' => $newPassword,
+				]);
+
+				$statusMsg = '';
+				if(_mail($account->getCustomField('email'), configLua('serverName') . ' - Your new password', $mailBody)) {
+					$statusMsg = '<br /><small>New password work! Sent e-mail with your password and account name. You should receive this e-mail in 15 minutes. You can login now with new password!';
+				}
+				else {
+					$statusMsg = '<br /><p class="error">New password work! An error occurred while sending email! You will not receive e-mail with new password. For Admin: More info can be found in system/logs/mailer-error.log';
+				}
+
+				$twig->display('account.lost.finish.new-password.html.twig', [
+					'statusMsg' => $statusMsg,
+					'newPassword' => $newPassword,
+				]);
+			}
+			else
+				$error= Validator::getLastError();
+		}
+		else
+			$error= 'Wrong code to change password.';
+	}
+	else
+		$error = 'Account of this character or this character doesn\'t exist.';
+}
+
+if(!empty($error)) {
+	$twig->display('error_box.html.twig', [
+		'errors' => [$error],
+	]);
+
+	echo '<br/>';
+
+	$twig->display('account.lost.check-code.html.twig', [
+		'code' => $code,
+		'character' => $character,
+	]);
+}

system/pages/account/lost/step1-email.php

@@ -0,0 +1,36 @@
+<?php
+
+$nick = stripslashes($_REQUEST['nick']);
+
+$player = new OTS_Player();
+$account = new OTS_Account();
+$player->find($nick);
+if($player->isLoaded()) {
+	$account = $player->getAccount();
+}
+
+if($account->isLoaded()) {
+	if($account->getCustomField('email_next') < time()) {
+		$twig->display('account.lost.step1-email.html.twig', [
+			'nick' => $nick,
+		]);
+	}
+	else
+	{
+		$insec = (int)$account->getCustomField('email_next') - time();
+		$minutesleft = floor($insec / 60);
+		$secondsleft = $insec - ($minutesleft * 60);
+		$timeleft = $minutesleft.' minutes '.$secondsleft.' seconds';
+
+		echo 'Account of selected character (<b>'.$nick.'</b>) received e-mail in last '.ceil(setting('core.mail_lost_account_interval') / 60).' minutes. You must wait '.$timeleft.' before you can use Lost Account Interface again.';
+	}
+}
+else {
+	echo "Player or account of player <b>" . htmlspecialchars($nick) . "</b> doesn't exist.";
+}
+
+$twig->display('account.back_button.html.twig', [
+	'new_line' => true,
+	'center' => true,
+	'action' => getLink('account/lost'),
+]);

system/pages/account/lost/step1-reckey.php

@@ -0,0 +1,39 @@
+<?php
+$nick = stripslashes($_REQUEST['nick']);
+
+$player = new OTS_Player();
+$account = new OTS_Account();
+$player->find($nick);
+if($player->isLoaded())
+	$account = $player->getAccount();
+if($account->isLoaded())
+{
+	$account_key = $account->getCustomField('key');
+	if(!empty($account_key))
+	{
+		echo 'If you enter right recovery key you will see form to set new e-mail and password to account. To this e-mail will be send your new password and account name.<BR>
+					<FORM ACTION="' . getLink('account/lost') . '?action=step2" METHOD=post>
+					<TABLE CELLSPACING=1 CELLPADDING=4 BORDER=0 WIDTH=100%>
+					<TR><TD BGCOLOR="'.$config['vdarkborder'].'" class="white"><B>Please enter your recovery key</B></TD></TR>
+					<TR><TD BGCOLOR="'.$config['darkborder'].'">
+					Character name:&nbsp;<INPUT TYPE=text NAME="nick" VALUE="'.$nick.'" SIZE="40" readonly="readonly"><BR />
+					Recovery key:&nbsp;&nbsp;&nbsp;&nbsp;<INPUT TYPE=text NAME="key" VALUE="" SIZE="40"><BR>
+					</TD></TR>
+					</TABLE>
+					<BR>
+					<TABLE CELLSPACING=0 CELLPADDING=0 BORDER=0 WIDTH=100%><TR><TD><div style="text-align:center">
+					' . $twig->render('buttons.submit.html.twig') . '</div>
+					</TD></TR></FORM></TABLE></TABLE>';
+	}
+	else
+		echo 'Account of this character has no recovery key!';
+}
+else {
+	echo 'Player or account of player <b>' . htmlspecialchars($nick) . '</b> doesn\'t exist.';
+}
+
+$twig->display('account.back_button.html.twig', [
+	'new_line' => true,
+	'center' => true,
+	'action' => getLink('account/lost'),
+]);

system/pages/account/lost/step2.php

@@ -0,0 +1,37 @@
+<?php
+
+$recKey = trim($_REQUEST['key']);
+$nick = stripslashes($_REQUEST['nick']);
+
+$player = new OTS_Player();
+$account = new OTS_Account();
+$player->find($nick);
+if($player->isLoaded()) {
+	$account = $player->getAccount();
+}
+
+if($account->isLoaded()) {
+	$accountKey = $account->getCustomField('key');
+	if(!empty($accountKey)) {
+		if($accountKey == $recKey) {
+			$twig->display('account.lost.step2.html.twig', [
+				'nick' => $nick,
+				'recKey' => $recKey,
+			]);
+		}
+		else {
+			echo 'Wrong recovery key!';
+		}
+	}
+	else {
+		echo 'Account of this character has no recovery key!';
+	}
+}
+else
+	echo "Player or account of player <b>" . htmlspecialchars($nick) . "</b> doesn't exist.";
+
+$twig->display('account.back_button.html.twig', [
+	'new_line' => true,
+	'center' => true,
+	'action' => getLink('account/lost') . '?action=step1&action_type=reckey&nick=' . urlencode($nick),
+]);

system/pages/account/lost/step3.php

@@ -0,0 +1,87 @@
+<?php
+$recKey = trim($_REQUEST['key']);
+$nick = stripslashes($_REQUEST['nick']);
+$newPassword = trim($_REQUEST['passor']);
+$newEmail = trim($_REQUEST['email']);
+
+$player = new OTS_Player();
+$account = new OTS_Account();
+$player->find($nick);
+if($player->isLoaded()) {
+	$account = $player->getAccount();
+}
+
+if($account->isLoaded())
+{
+	$accountKey = $account->getCustomField('key');
+	if(!empty($accountKey)) {
+		if($accountKey == $recKey) {
+			if(Validator::password($newPassword)) {
+				if(Validator::email($newEmail)) {
+					$account->setEMail($newEmail);
+
+					$tmp_new_pass = $newPassword;
+					if(USE_ACCOUNT_SALT)
+					{
+						$salt = generateRandomString(10, false, true, true);
+						$tmp_new_pass = $salt . $newPassword;
+					}
+
+					$account->setPassword(encrypt($tmp_new_pass));
+					$account->save();
+
+					if(USE_ACCOUNT_SALT) {
+						$account->setCustomField('salt', $salt);
+					}
+
+					$statusMsg = '';
+					if($account->getCustomField('email_next') < time()) {
+						$mailBody = $twig->render('mail.account.lost.new-email.html.twig', [
+							'account' => $account,
+							'newPassword' => $newPassword,
+							'newEmail' => $newEmail,
+						]);
+
+						if(_mail($account->getCustomField('email'), $config['lua']['serverName']." - New password to your account", $mailBody)) {
+							$statusMsg = '<br /><small>Sent e-mail with your account name and password to new e-mail. You should receive this e-mail in 15 minutes. You can login now with new password!</small>';
+						}
+						else {
+							$statusMsg = '<br /><p class="error">An error occurred while sending email! You will not receive e-mail with this informations. For Admin: More info can be found in system/logs/mailer-error.log</p>';
+						}
+					}
+					else {
+						$statusMsg = '<br /><small>You will not receive e-mail with this informations.</small>';
+					}
+
+					$twig->display('account.lost.finish.new-email.html.twig', [
+						'statusMsg' => $statusMsg,
+						'account' => $account,
+						'newPassword' => $newPassword,
+						'newEmail' => $newEmail,
+					]);
+				}
+				else {
+					echo Validator::getLastError();
+				}
+			}
+			else {
+				echo Validator::getLastError();
+			}
+		}
+		else {
+			echo 'Wrong recovery key!';
+		}
+	}
+	else {
+		echo 'Account of this character has no recovery key!';
+	}
+}
+else {
+	echo "Player or account of player <b>" . htmlspecialchars($nick) . "</b> doesn't exist.";
+}
+
+$twig->display('account.back_button.html.twig', [
+	'new_line' => true,
+	'center' => true,
+	'action' => getLink('account/lost') . '?action=step1&action_type=reckey&nick=' . urlencode($nick),
+]);

system/pages/account/manage.php

@@ -22,6 +22,12 @@ if(isset($_REQUEST['redirect']))
 {
 	$redirect = urldecode($_REQUEST['redirect']);
 
+	// should never happen, unless hacker modify the URL
+	if (!str_contains($redirect, BASE_URL)) {
+		error('Fatal error: Cannot redirect outside the website.');
+		return;
+	}
+
 	$twig->display('account.redirect.html.twig', array(
 		'redirect' => $redirect
 	));
@@ -46,7 +52,7 @@ if(empty($recovery_key))
 else
 {
 	if(setting('core.account_generate_new_reckey') && setting('core.mail_enabled'))
-		$account_registered = '<b><span style="color: green">Yes ( <a href="' . getLink('account/register/new') . '"> Buy new Recovery Key </a> )</span></b>';
+		$account_registered = '<b><span style="color: green">Yes ( <a href="' . getLink('account/register-new') . '"> Buy new Recovery Key </a> )</span></b>';
 	else
 		$account_registered = '<b><span style="color: green">Yes</span></b>';
 }

system/pages/account/redirect.php

@@ -12,6 +12,12 @@ defined('MYAAC') or die('Direct access not allowed!');
 
 $redirect = urldecode($_REQUEST['redirect']);
 
+// should never happen, unless hacker modify the URL
+if (!str_contains($redirect, BASE_URL)) {
+	error('Fatal error: Cannot redirect outside the website.');
+	return;
+}
+
 $twig->display('account.redirect.html.twig', array(
 	'redirect' => $redirect
 ));

system/pages/characters.php

@@ -8,6 +8,9 @@
  * @copyright 2019 MyAAC
  * @link      https://my-aac.org
  */
+
+use MyAAC\Models\PlayerDeath;
+
 defined('MYAAC') or die('Direct access not allowed!');
 $title = 'Characters';
 
@@ -199,7 +202,7 @@ if($player->isLoaded() && !$player->isDeleted())
 		unset($storage);
 	}
 
-	if($config['characters']['equipment'] && $db->hasTable('player_items') && $db->hasColumn('player_items', 'pid') && $db->hasColumn('player_items', 'sid') && $db->hasColumn('player_items', 'itemtype')) {
+	if($db->hasTable('player_items') && $db->hasColumn('player_items', 'pid') && $db->hasColumn('player_items', 'sid') && $db->hasColumn('player_items', 'itemtype')) {
 		$eq_sql = $db->query('SELECT `pid`, `itemtype` FROM player_items WHERE player_id = '.$player->getId().' AND (`pid` >= 1 and `pid` <= 10)');
 		$equipment = array();
 		foreach($eq_sql as $eq)
@@ -322,20 +325,39 @@ WHERE killers.death_id = '".$death['id']."' ORDER BY killers.final_hit DESC, kil
 
 	$frags = array();
 	$frag_add_content = '';
-	if($config['characters']['frags'] && $db->hasTable('killers')) {
+	if ($config['characters']['frags']) {
+		$frags_limit = 10; // frags limit to show? // default: 10
+
+		if ($db->hasTable('killers')) {
 			//frags list by Xampy
 			$i = 0;
-		$frags_limit = 10; // frags limit to show? // default: 10
-		$player_frags = $db->query('SELECT `player_deaths`.*, `players`.`name`, `killers`.`unjustified` FROM `player_deaths` LEFT JOIN `killers` ON `killers`.`death_id` = `player_deaths`.`id` LEFT JOIN `player_killers` ON `player_killers`.`kill_id` = `killers`.`id` LEFT JOIN `players` ON `players`.`id` = `player_deaths`.`player_id` WHERE `player_killers`.`player_id` = '.$player->getId().' ORDER BY `date` DESC LIMIT 0,'.$frags_limit.';')->fetchAll();
-		if(count($player_frags)) {
+			$player_frags = $db->query('SELECT `player_deaths`.*, `players`.`name`, `killers`.`unjustified` FROM `player_deaths` LEFT JOIN `killers` ON `killers`.`death_id` = `player_deaths`.`id` LEFT JOIN `player_killers` ON `player_killers`.`kill_id` = `killers`.`id` LEFT JOIN `players` ON `players`.`id` = `player_deaths`.`player_id` WHERE `player_killers`.`player_id` = ' . $player->getId() . ' ORDER BY `date` DESC LIMIT 0,' . $frags_limit . ';')->fetchAll();
+			if (count($player_frags)) {
 				$row_count = 0;
-			foreach($player_frags as $frag)
-			{
+				foreach ($player_frags as $frag) {
 					$description = 'Fragged <a href="' . getPlayerLink($frag['name'], false) . '">' . $frag['name'] . '</a> at level ' . $frag['level'];
 					$frags[] = array('time' => $frag['date'], 'description' => $description, 'unjustified' => $frag['unjustified'] != 0);
 				}
 			}
 		}
+		else if($db->hasTable('player_deaths') && $db->hasColumn('player_deaths', 'killed_by')) {
+			$i = 0;
+			$player_frags = PlayerDeath::where('player_deaths.killed_by', $player->getName())
+				->join('players', 'players.id', '=', 'player_deaths.player_id')
+				->limit($frags_limit)
+				->selectRaw('players.name, player_deaths.*')
+				->orderBy('player_deaths.time', 'DESC')
+				->get();
+
+			if ($player_frags->count()) {
+				$row_count = 0;
+				foreach ($player_frags as $frag) {
+					$description = 'Fragged <a href="' . getPlayerLink($frag->name, false) . '">' . $frag->name . '</a> at level ' . $frag->level;
+					$frags[] = array('time' => $frag->time, 'description' => $description, 'unjustified' => $frag->unjustified != 0);
+				}
+			}
+		}
+	}
 
 	// signature
 	if(setting('core.signature_enabled')) {

system/pages/forum/edit_post.php

@@ -19,7 +19,7 @@ if ($ret === false) {
 }
 
 if(!$logged) {
-	echo 'You are not logged in. <a href="' . getLink('account/manage') . '?redirect=' . BASE_URL . urlencode(getLink('forum')) . '">Log in</a> to post on the forum.<br /><br />';
+	echo 'You are not logged in. <a href="' . getLink('account/manage') . '?redirect=' . urlencode(getLink('forum')) . '">Log in</a> to post on the forum.<br /><br />';
 	return;
 }
 

system/pages/forum/move_thread.php

@@ -19,7 +19,7 @@ if ($ret === false) {
 }
 
 if(!$logged) {
-	echo 'You are not logged in. <a href="' . getLink('account/manage') . '?redirect=' . BASE_URL . urlencode(getLink('forum')) . '">Log in</a> to post on the forum.<br /><br />';
+	echo 'You are not logged in. <a href="' . getLink('account/manage') . '?redirect=' . urlencode(getLink('forum')) . '">Log in</a> to post on the forum.<br /><br />';
 	return;
 }
 

system/pages/forum/new_post.php

@@ -24,7 +24,7 @@ if(!$logged) {
 		$extra_url = '?action=new_post&thread_id=' . $_GET['thread_id'];
 	}
 
-	echo 'You are not logged in. <a href="' . getLink('account/manage') . '?redirect=' . BASE_URL . urlencode(getLink('forum') . $extra_url) . '">Log in</a> to post on the forum.<br /><br />';
+	echo 'You are not logged in. <a href="' . getLink('account/manage') . '?redirect=' . urlencode(getLink('forum') . $extra_url) . '">Log in</a> to post on the forum.<br /><br />';
 	return;
 }
 

system/pages/forum/new_thread.php

@@ -24,7 +24,7 @@ if(!$logged) {
 		$extra_url = '?action=new_thread&section_id=' . $_GET['section_id'];
 	}
 
-	echo 'You are not logged in. <a href="' . getLink('account/manage') . '?redirect=' . BASE_URL . urlencode(getLink('forum') . $extra_url) . '">Log in</a> to post on the forum.<br /><br />';
+	echo 'You are not logged in. <a href="' . getLink('account/manage') . '?redirect=' . urlencode(getLink('forum') . $extra_url) . '">Log in</a> to post on the forum.<br /><br />';
 	return;
 }
 

system/pages/forum/remove_post.php

@@ -19,7 +19,7 @@ if ($ret === false) {
 }
 
 if(!$logged) {
-	echo 'You are not logged in. <a href="' . getLink('account/manage') . '?redirect=' . BASE_URL . urlencode(getLink('forum')) . '">Log in</a> to post on the forum.<br /><br />';
+	echo 'You are not logged in. <a href="' . getLink('account/manage') . '?redirect=' . urlencode(getLink('forum')) . '">Log in</a> to post on the forum.<br /><br />';
 	return;
 }
 

system/pages/forum/show_thread.php

@@ -60,7 +60,7 @@ foreach($posts as &$post) {
 	}
 
 	if($config['characters']['outfit']) {
-		$post['outfit'] = setting('core.outfit_images_url') . '?id=' . $player->getLookType() . ($lookaddons ? '&addons=' . $player->getLookAddons() : '') . '&head=' . $player->getLookHead() . '&body=' . $player->getLookBody() . '&legs=' . $player->getLookLegs() . '&feet=' . $player->getLookFeet();
+		$post['outfit'] = $player->getOutfit();
 	}
 
 	$groupName = '';

system/pages/guilds/cleanup_players.php

@@ -40,7 +40,7 @@ if(count($players_list) > 0)
 				if(!$rank_guild->isLoaded())
 				{
 					$player->setRank();
-					$player->setGuildNick();
+					$player->setGuildNick('');
 					$changed_ranks_of[] = $player->getName();
 					$deleted_ranks[] = 'ID: '.$player_rank->getId().' - '.$player_rank->getName();
 					$player_rank->delete();

system/pages/guilds/create.php

@@ -10,6 +10,8 @@
  */
 defined('MYAAC') or die('Direct access not allowed!');
 
+use MyAAC\Models\GuildRank;
+
 require __DIR__ . '/base.php';
 
 $guild_name = isset($_REQUEST['guild']) ? urldecode($_REQUEST['guild']) : NULL;
@@ -113,7 +115,25 @@ if(isset($todo) && $todo == 'save')
 	$new_guild->setOwner($player);
 	$new_guild->save();
 	$new_guild->setCustomField('description', setting('core.guild_description_default'));
-	//$new_guild->setCustomField('creationdata', time());
+
+	if ($db->hasTable('guild_ranks')) {
+		if (!GuildRank::where('guild_id', $new_guild->getId())->first()) {
+			$ranks = [
+				['level' => 3, 'name' => 'the Leader'],
+				['level' => 2, 'name' => 'a Vice-Leader'],
+				['level' => 1, 'name' => 'a Member'],
+			];
+
+			foreach ($ranks as $rank) {
+				GuildRank::create([
+					'guild_id' => $new_guild->getId(),
+					'name' => $rank['name'],
+					'level' => $rank['level'],
+				]);
+			}
+		}
+	}
+
 	$ranks = $new_guild->getGuildRanksList();
 	$ranks->orderBy('level', POT::ORDER_DESC);
 	foreach($ranks as $rank) {
@@ -124,14 +144,11 @@ if(isset($todo) && $todo == 'save')
 			$player->setRank($rank);
 		}
 	}
+
 	$twig->display('guilds.create.success.html.twig', array(
 		'guild_name' => $guild_name,
 		'leader_name' => $player->getName()
 	));
-
-	/*$db->exec('INSERT INTO `guild_ranks` (`id`, `guild_id`, `name`, `level`) VALUES (null, '.$new_guild->getId().', "the Leader", 3)');
-	$db->exec('INSERT INTO `guild_ranks` (`id`, `guild_id`, `name`, `level`) VALUES (null, '.$new_guild->getId().', "a Vice-Leader", 2)');
-	$db->exec('INSERT INTO `guild_ranks` (`id`, `guild_id`, `name`, `level`) VALUES (null, '.$new_guild->getId().', "a Member", 1)');*/
 }
 else {
 	sort($array_of_player_nig);

system/pages/guilds/show.php

@@ -142,9 +142,7 @@ if($logged && count($invited_list) > 0)
 	}
 }
 
-$useGuildNick = false;
-if($db->hasColumn('players', 'guildnick'))
-	$useGuildNick = true;
+$useGuildNick = $db->hasTable('guild_members') || $db->hasTable('guild_membership') || $db->hasColumn('players', 'guildnick');
 
 $twig->display('guilds.view.html.twig', array(
 	'logo' => $guild_logo,
@@ -160,7 +158,6 @@ $twig->display('guilds.view.html.twig', array(
 	'level_in_guild' => $level_in_guild,
 	'isLeader' => $guild_leader,
 	'isVice' => $guild_vice,
-	'logged' => $logged,
 	'invited_list' => $invited_list,
 	'show_accept_invite' => $show_accept_invite,
 	'useGuildNick' => $useGuildNick

system/pages/highscores.php

@@ -180,9 +180,9 @@ if (empty($highscores)) {
 	} else if ($skill == SKILL_FRAGS) // frags
 	{
 		if ($db->hasTable('player_killers')) {
-			$query->addSelect(['value' => PlayerKillers::where('player_killers.player_id', 'players.id')->selectRaw('COUNT(*)')]);
+			$query->addSelect(['value' => PlayerKillers::whereColumn('player_killers.player_id', 'players.id')->selectRaw('COUNT(*)')]);
 		} else {
-			$query->addSelect(['value' => PlayerDeath::unjustified()->where('player_deaths.killed_by', 'players.name')->selectRaw('COUNT(*)')]);
+			$query->addSelect(['value' => PlayerDeath::unjustified()->whereColumn('player_deaths.killed_by', 'players.name')->selectRaw('COUNT(*)')]);
 		}
 	} else if ($skill == SKILL_BALANCE) // balance
 	{

system/pages/monsters.php

@@ -39,9 +39,12 @@ if (empty($_REQUEST['name'])) {
 
 // display monster
 $monster_name = urldecode(stripslashes(ucwords(strtolower($_REQUEST['name']))));
-$monster = Monster::where('hide', '!=', 1)->where('name', $monster_name)->first()->toArray();
+$monsterModel = Monster::where('hide', '!=', 1)->where('name', $monster_name)->first();
+
+if ($monsterModel && isset($monsterModel->name)) {
+	/** @var array $monster */
+	$monster = $monsterModel->toArray();
 
-if (isset($monster['name'])) {
 	function sort_by_chance($a, $b)
 	{
 		if ($a['chance'] == $b['chance']) {
@@ -79,7 +82,7 @@ if (isset($monster['name'])) {
 	));
 
 } else {
-	echo "Monster with name <b>" . $monster_name . "</b> doesn't exist.";
+	echo "Monster with name <b>" . htmlspecialchars($monster_name) . "</b> doesn't exist.";
 }
 
 // back button

system/pages/polls.php

@@ -51,7 +51,7 @@ function getColorByPercent($percent)
 					if($logged)
 						echo $link.'?id='.$poll['id'];
 					else
-						echo getLink('account/manage') . '?redirect=' . BASE_URL . urlencode($link.'?id='.$poll['id']);
+						echo getLink('account/manage') . '?redirect=' . urlencode($link.'?id='.$poll['id']);
 
 					echo '">'.$poll['question'] . '</a>
 				</td>
@@ -80,7 +80,7 @@ function getColorByPercent($percent)
 					if($logged)
 						echo $link.'?id='.$poll['id'];
 					else
-						echo getLink('account/manage') . '?redirect=' . BASE_URL . urlencode($link.'?id='.$poll['id']);
+						echo getLink('account/manage') . '?redirect=' . urlencode($link.'?id='.$poll['id']);
 
 					echo '">'.$poll['question'] . '</a>
 				</td>

system/router.php

@@ -91,35 +91,67 @@ if($logged && $account_logged && $account_logged->isLoaded()) {
 $dispatcher = FastRoute\cachedDispatcher(function (FastRoute\RouteCollector $r) {
 	$routes = require SYSTEM . 'routes.php';
 
-	$isAlreadyDefined = [];
-
-	$routesTmp = [];
+	$routesFinal = [];
 	foreach(getDatabasePages() as $page) {
-		$isAlreadyDefined[$page] = true;
-		$routesTmp[] = ['*', $page, '__database__/' . $page, true];
+		$routesFinal[] = ['*', $page, '__database__/' . $page, 100];
 	}
 
 	Plugins::clearWarnings();
 	foreach (Plugins::getRoutes() as $route) {
-		if(!isset($isAlreadyDefined[$route[1]])) {
-			$isAlreadyDefined[$route[1]] = true;
-			$routesTmp[] = [$route[0], $route[1], $route[2]];
-		}
+		$routesFinal[] = [$route[0], $route[1], $route[2], $route[3] ?? 1000];
+/*
+		echo '<pre>';
+		var_dump($route[1], $route[3], $route[2]);
+		echo '/<pre>';
+*/
 	}
 
 	foreach ($routes as $route) {
-		if(!isset($isAlreadyDefined[$route[1]])) {
-			if (strpos($route[2], '__redirect__') === false && strpos($route[2], '__database__') === false) {
-				$routesTmp[] = [$route[0], $route[1], 'system/pages/' . $route[2]];
+		if (!str_contains($route[2], '__redirect__') && !str_contains($route[2], '__database__')) {
+			$routesFinal[] = [$route[0], $route[1], 'system/pages/' . $route[2], $route[3] ?? 10000];
 		}
 		else {
-				$routesTmp[] = [$route[0], $route[1], $route[2]];
-			}
+			$routesFinal[] = [$route[0], $route[1], $route[2], $route[3] ?? 10000];
 		}
 	}
 
-	//var_dump($routesTmp);
-	foreach ($routesTmp as $route) {
+	// sort required for the next step (filter)
+	usort($routesFinal, function ($a, $b)
+	{
+		// key 3 is priority
+		if ($a[3] == $b[3]) {
+			return 0;
+		}
+
+		return ($a[3] < $b[3]) ? -1 : 1;
+	});
+
+	// remove duplicates
+	// if same route pattern, but different priority
+	$routesFinal = array_filter($routesFinal, function ($a) {
+		$aliases = [
+			[':int', ':string', ':alphanum'],
+			[':\d+', ':[A-Za-z0-9-_%+\' ]+', ':[A-Za-z0-9]+'],
+		];
+
+		// apply aliases
+		$a[1] = str_replace($aliases[0], $aliases[1], $a[1]);
+
+		static $duplicates = [];
+		if (isset($duplicates[$a[1]])) {
+			return false;
+		}
+
+		$duplicates[$a[1]] = true;
+		return true;
+	});
+/*
+	echo '<pre>';
+	var_dump($routesFinal);
+	echo '</pre>';
+	die;
+*/
+	foreach ($routesFinal as $route) {
 		if ($route[0] === '*') {
 			$route[0] = ['GET', 'POST', 'PUT', 'DELETE', 'PATCH', 'HEAD'];
 		}

system/routes.php

@@ -11,50 +11,56 @@ defined('MYAAC') or die('Direct access not allowed!');
 
 return [
 	['GET', '', 'news.php'], // empty URL = show news
-	['GET', 'news/archive/{id:int}[/]', 'news/archive.php'],
-	['GET', 'news/{id:int}[/]', 'news/archive.php'],
+	['GET', 'news/archive/{id:int}', 'news/archive.php'],
+	['GET', 'news/{id:int}', 'news/archive.php'],
 
 	// block access to some files
-	['*', 'account/base[/]', '404.php'], // this is to block account/base.php
-	['*', 'forum/base[/]', '404.php'],
-	['*', 'guilds/base[/]', '404.php'],
+	['*', 'account/base', '404.php', 10], // this is to block account/base.php
+	['*', 'forum/base', '404.php', 10],
+	['*', 'guilds/base', '404.php', 10],
 
-	[['GET', 'POST'], 'account/password[/]', 'account/change_password.php'],
-	[['GET', 'POST'], 'account/register/new[/]', 'account/register_new.php'],
-	[['GET', 'POST'], 'account/email[/]', 'account/change_email.php'],
-	[['GET', 'POST'], 'account/info[/]', 'account/change_info.php'],
-	[['GET', 'POST'], 'account/character/create[/]', 'account/create_character.php'],
-	[['GET', 'POST'], 'account/character/name[/]', 'account/change_name.php'],
-	[['GET', 'POST'], 'account/character/sex[/]', 'account/change_sex.php'],
-	[['GET', 'POST'], 'account/character/delete[/]', 'account/delete_character.php'],
-	[['GET', 'POST'], 'account/character/comment[/{name:[A-Za-z0-9-_%+\']+}]', 'account/change_comment.php'],
-	['GET', 'account/confirm_email/{hash:alphanum}[/]', 'account/confirm_email.php'],
+	['GET', 'account/confirm-email/{hash:alphanum}', 'account/confirm-email.php'],
 
-	['GET', 'bans/{page:int}[/]', 'bans.php'],
+	['GET', 'bans/{page:int}', 'bans.php'],
 	[['GET', 'POST'], 'characters[/{name:string}]', 'characters.php'],
 	['GET', 'changelog[/{page:int}]', 'changelog.php'],
 	[['GET', 'POST'], 'monsters[/{name:string}]', 'monsters.php'],
 
 	[['GET', 'POST'], 'faq[/{action:string}]', 'faq.php'],
 
-	[['GET', 'POST'], 'forum/{action:string}[/]', 'forum.php'],
-	['GET', 'forum/board/{id:int}[/]', 'forum/show_board.php'],
-	['GET', 'forum/board/{id:int}/{page:[0-9]+}[/]', 'forum/show_board.php'],
-	['GET', 'forum/thread/{id:int}[/]', 'forum/show_thread.php'],
-	['GET', 'forum/thread/{id:int}/{page:int}[/]', 'forum/show_thread.php'],
+	[['GET', 'POST'], 'forum/{action:string}', 'forum.php'],
+	['GET', 'forum/board/{id:int}', 'forum/show_board.php'],
+	['GET', 'forum/board/{id:int}/{page:[0-9]+}', 'forum/show_board.php'],
+	['GET', 'forum/thread/{id:int}', 'forum/show_thread.php'],
+	['GET', 'forum/thread/{id:int}/{page:int}', 'forum/show_thread.php'],
 
-	['GET', 'gallery/{image:int}[/]', 'gallery.php'],
-	[['GET', 'POST'], 'gallery/{action:string}[/]', 'gallery.php'],
+	['GET', 'gallery/{image:int}', 'gallery.php'],
+	[['GET', 'POST'], 'gallery/{action:string}', 'gallery.php'],
 
-	[['GET', 'POST'], 'guilds/{guild:string}[/]', 'guilds/show.php'],
+	[['GET', 'POST'], 'guilds/{guild:string}', 'guilds/show.php'],
 
-	['GET', 'highscores/{list:alphanum}/{vocation:alphanum}/{page:int}[/]', 'highscores.php'],
-	['GET', 'highscores/{list:alphanum}/{page:int}[/]', 'highscores.php'],
-	['GET', 'highscores/{list:alphanum}/{vocation:alphanum}[/]', 'highscores.php'],
-	['GET', 'highscores/{list:alphanum}[/]', 'highscores.php'],
+	['GET', 'highscores/{list:alphanum}/{vocation:alphanum}/{page:int}', 'highscores.php'],
+	['GET', 'highscores/{list:alphanum}/{page:int}', 'highscores.php'],
+	['GET', 'highscores/{list:alphanum}/{vocation:alphanum}', 'highscores.php'],
+	['GET', 'highscores/{list:alphanum}', 'highscores.php'],
 /*
-	'/^gifts\/history\/?$/' => array('subtopic' => 'gifts', 'action' => 'show_history'),
 	'/^polls\/[0-9]+\/?$/' => array('subtopic' => 'polls', 'id' => '$1'),
 	'/^spells\/[A-Za-z0-9-_%]+\/[A-Za-z0-9-_]+\/?$/' => array('subtopic' => 'spells', 'vocation' => '$1', 'order' => '$2'),
 	'/^houses\/view\/?$/' => array('subtopic' => 'houses', 'page' => 'view')*/
+
+	/**
+	 * Deprecated
+	 * To be removed in next versions
+	 * Kept just for compatibility
+	 */
+	[['GET', 'POST'], 'account/password', 'account/change-password.php'],
+	[['GET', 'POST'], 'account/register/new', 'account/register-new.php'],
+	[['GET', 'POST'], 'account/email', 'account/change-email.php'],
+	[['GET', 'POST'], 'account/info', 'account/change-info.php'],
+	[['GET', 'POST'], 'account/character/create', 'account/characters/create.php'],
+	[['GET', 'POST'], 'account/character/name', 'account/characters/change-name.php'],
+	[['GET', 'POST'], 'account/character/sex', 'account/characters/change-sex.php'],
+	[['GET', 'POST'], 'account/character/delete', 'account/characters/delete.php'],
+	[['GET', 'POST'], 'account/character/comment[/{name:string}]', 'account/characters/change-comment.php'],
+	['GET', 'account/confirm_email/{hash:alphanum}', 'account/confirm-email.php'],
 ];

system/settings.php

@@ -15,8 +15,7 @@ use MyAAC\Settings;
 
 return [
 	'name' => 'MyAAC',
-	'settings' =>
-	[
+	'settings' => [
 		[
 			'type' => 'category',
 			'title' => 'General'
@@ -735,7 +734,7 @@ Sent by MyAAC,<br/>
 			'name' => 'Name Min Length',
 			'type' => 'number',
 			'desc' => '',
-			'default' => 4,
+			'default' => 3,
 		],
 		'create_character_name_max_length' => [
 			'name' => 'Name Max Length',
@@ -1374,7 +1373,7 @@ Sent by MyAAC,<br/>
 			'name' => 'Item Images URL',
 			'type' => 'text',
 			'desc' => 'Set to <strong>images/items</strong> if you host your own items in images folder',
-			'default' => 'http://item-images.ots.me/1092/',
+			'default' => 'https://item-images.ots.me/1092/',
 		],
 		'item_images_extension' => [
 			'name' => 'Item Images File Extension',
@@ -1390,7 +1389,7 @@ Sent by MyAAC,<br/>
 			'name' => 'Outfit Images URL',
 			'type' => 'text',
 			'desc' => 'Set to animoutfit.php for animated outfit',
-			'default' => 'http://outfit-images.ots.me/outfit.php',
+			'default' => 'https://outfit-images.ots.me/outfit.php',
 		],
 		'outfit_images_wrong_looktypes' => [
 			'name' => 'Outfit Images Wrong Looktypes',
@@ -1590,6 +1589,34 @@ Sent by MyAAC,<br/>
 				'account_change_character_sex', '=', 'true',
 			],
 		],
+		[
+			'type' => 'category',
+			'title' => 'Security',
+		],
+		[
+			'type' => 'section',
+			'title' => 'IP Ban Protection',
+		],
+		'account_login_ipban_protection' => [
+			'name' => 'IP Ban Protection',
+			'type' => 'boolean',
+			'desc' => 'Activate IP ban protection after exceeding incorrect login attempts',
+			'default' => true,
+		],
+
+		'account_login_attempts_limit' => [
+			'name' => 'Login Attempts Limit',
+			'type' => 'number',
+			'desc' => 'Number of incorrect login attempts before banning the IP',
+			'default' => 5, // Ajuste conforme necessário
+		],
+
+		'account_login_ban_time' => [
+			'name' => 'Ban Time (Minutes)',
+			'type' => 'number',
+			'desc' => 'Time in minutes the IP will be banned after exceeding login attempts',
+			'default' => 30, // Ajuste conforme necessário
+		],
 	],
 	'callbacks' => [
 		'beforeSave' => function(&$settings, &$values) {
@@ -1658,6 +1685,6 @@ Sent by MyAAC,<br/>
 
 			return $success;
 		},
-	],
+	]
 ];
 

system/src/CreateCharacter.php

@@ -149,9 +149,9 @@ class CreateCharacter
 		if(empty($errors))
 		{
 			$char_to_copy_name = config('character_samples')[$vocation];
-			$char_to_copy = new \OTS_Player();
-			$char_to_copy->find($char_to_copy_name);
-			if(!$char_to_copy->isLoaded())
+			$playerSample = new \OTS_Player();
+			$playerSample->find($char_to_copy_name);
+			if(!$playerSample->isLoaded())
 				$errors[] = 'Wrong characters configuration. Try again or contact with admin. ADMIN: Go to Admin Panel -> Settings -> Create Character and set valid characters to copy names. Character to copy: <b>'.$char_to_copy_name.'</b> doesn\'t exist.';
 		}
 
@@ -162,72 +162,72 @@ class CreateCharacter
 		global $db;
 
 		if($sex == "0")
-			$char_to_copy->setLookType(136);
+			$playerSample->setLookType(136);
 
 		$player = new \OTS_Player();
 		$player->setName($name);
 		$player->setAccount($account);
 		$player->setGroupId(1);
 		$player->setSex($sex);
-		$player->setVocation($char_to_copy->getVocation());
+		$player->setVocation($playerSample->getVocation());
 		if($db->hasColumn('players', 'promotion'))
-			$player->setPromotion($char_to_copy->getPromotion());
+			$player->setPromotion($playerSample->getPromotion());
 
 		if($db->hasColumn('players', 'direction'))
-			$player->setDirection($char_to_copy->getDirection());
+			$player->setDirection($playerSample->getDirection());
 
-		$player->setConditions($char_to_copy->getConditions());
-		$rank = $char_to_copy->getRank();
+		$player->setConditions($playerSample->getConditions());
+		$rank = $playerSample->getRank();
 		if($rank->isLoaded()) {
-			$player->setRank($char_to_copy->getRank());
+			$player->setRank($playerSample->getRank());
 		}
 
 		if($db->hasColumn('players', 'lookaddons'))
-			$player->setLookAddons($char_to_copy->getLookAddons());
+			$player->setLookAddons($playerSample->getLookAddons());
 
 		$player->setTownId($town);
-		$player->setExperience($char_to_copy->getExperience());
-		$player->setLevel($char_to_copy->getLevel());
-		$player->setMagLevel($char_to_copy->getMagLevel());
-		$player->setHealth($char_to_copy->getHealth());
-		$player->setHealthMax($char_to_copy->getHealthMax());
-		$player->setMana($char_to_copy->getMana());
-		$player->setManaMax($char_to_copy->getManaMax());
-		$player->setManaSpent($char_to_copy->getManaSpent());
-		$player->setSoul($char_to_copy->getSoul());
+		$player->setExperience($playerSample->getExperience());
+		$player->setLevel($playerSample->getLevel());
+		$player->setMagLevel($playerSample->getMagLevel());
+		$player->setHealth($playerSample->getHealth());
+		$player->setHealthMax($playerSample->getHealthMax());
+		$player->setMana($playerSample->getMana());
+		$player->setManaMax($playerSample->getManaMax());
+		$player->setManaSpent($playerSample->getManaSpent());
+		$player->setSoul($playerSample->getSoul());
 
 		for($skill = \POT::SKILL_FIRST; $skill <= \POT::SKILL_LAST; $skill++) {
 			$value = 10;
 			if (setting('core.use_character_sample_skills')) {
-				$value = $char_to_copy->getSkill($skill);
+				$value = $playerSample->getSkill($skill);
 			}
 
 			$player->setSkill($skill, $value);
 		}
 
-		$player->setLookBody($char_to_copy->getLookBody());
-		$player->setLookFeet($char_to_copy->getLookFeet());
-		$player->setLookHead($char_to_copy->getLookHead());
-		$player->setLookLegs($char_to_copy->getLookLegs());
-		$player->setLookType($char_to_copy->getLookType());
-		$player->setCap($char_to_copy->getCap());
+		$player->setLookBody($playerSample->getLookBody());
+		$player->setLookFeet($playerSample->getLookFeet());
+		$player->setLookHead($playerSample->getLookHead());
+		$player->setLookLegs($playerSample->getLookLegs());
+		$player->setLookType($playerSample->getLookType());
+		$player->setCap($playerSample->getCap());
 		$player->setBalance(0);
 		$player->setPosX(0);
 		$player->setPosY(0);
 		$player->setPosZ(0);
 
 		if($db->hasColumn('players', 'stamina')) {
-			$player->setStamina($char_to_copy->getStamina());
+			$player->setStamina($playerSample->getStamina());
 		}
 
 		if($db->hasColumn('players', 'loss_experience')) {
-			$player->setLossExperience($char_to_copy->getLossExperience());
-			$player->setLossMana($char_to_copy->getLossMana());
-			$player->setLossSkills($char_to_copy->getLossSkills());
+			$player->setLossExperience($playerSample->getLossExperience());
+			$player->setLossMana($playerSample->getLossMana());
+			$player->setLossSkills($playerSample->getLossSkills());
 		}
 		if($db->hasColumn('players', 'loss_items')) {
-			$player->setLossItems($char_to_copy->getLossItems());
-			$player->setLossContainers($char_to_copy->getLossContainers());
+			$player->setLossItems($playerSample->getLossItems());
+			$player->setLossContainers($playerSample->getLossContainers());
 		}
 
 		$player->save();
@@ -245,7 +245,7 @@ class CreateCharacter
 			for($skill = \POT::SKILL_FIRST; $skill <= \POT::SKILL_LAST; $skill++) {
 				$value = 10;
 				if (setting('core.use_character_sample_skills')) {
-					$value = $char_to_copy->getSkill($skill);
+					$value = $playerSample->getSkill($skill);
 				}
 				$skillExists = $db->query('SELECT `skillid` FROM `player_skills` WHERE `player_id` = ' . $player->getId() . ' AND `skillid` = ' . $skill);
 				if($skillExists->rowCount() <= 0) {
@@ -255,7 +255,7 @@ class CreateCharacter
 		}
 
 		if ($db->hasTable('player_items') && $db->hasColumn('player_items', 'pid') && $db->hasColumn('player_items', 'sid') && $db->hasColumn('player_items', 'itemtype')) {
-			$loaded_items_to_copy = $db->query("SELECT * FROM player_items WHERE player_id = ".$char_to_copy->getId()."");
+			$loaded_items_to_copy = $db->query("SELECT * FROM player_items WHERE player_id = ".$playerSample->getId()."");
 			foreach($loaded_items_to_copy as $save_item) {
 				$blob = $db->quote($save_item['attributes']);
 				$db->query("INSERT INTO `player_items` (`player_id` ,`pid` ,`sid` ,`itemtype`, `count`, `attributes`) VALUES ('".$player->getId()."', '".$save_item['pid']."', '".$save_item['sid']."', '".$save_item['itemtype']."', '".$save_item['count']."', $blob);");
@@ -267,6 +267,7 @@ class CreateCharacter
 			[
 				'account' => $account,
 				'player' => $player,
+				'playerSample' => $playerSample,
 				'name' => $name,
 				'sex' => $sex,
 				'vocation' => $vocation,

system/src/Models/GuildRank.php

@@ -9,6 +9,8 @@ class GuildRank extends Model {
 
 	public $timestamps = false;
 
+	protected $fillable = ['guild_id', 'name', 'level'];
+
 	public function guild()
 	{
 		return $this->belongsTo(Guild::class);

system/src/Models/PlayerKillers.php

@@ -5,7 +5,7 @@ use Illuminate\Database\Eloquent\Model;
 
 class PlayerKillers extends Model {
 
-	protected $table = 'players_killers';
+	protected $table = 'player_killers';
 
 	public $timestamps = false;
 

system/src/Plugins.php

@@ -23,18 +23,15 @@ class Plugins {
 
 		$routes = [];
 		foreach(self::getAllPluginsJson() as $plugin) {
-			$pluginPages = glob(PLUGINS . $plugin['filename'] . '/pages/*.php');
-			foreach ($pluginPages as $file) {
-				$file = str_replace(PLUGINS, 'plugins/', $file);
-				$name = pathinfo($file, PATHINFO_FILENAME);
-
-				$routes[] = [['get', 'post'], $name, $file, 1000];
+			$routesDefaultPriority = 1000;
+			if (isset($plugin['routes-default-priority'])) {
+				$routesDefaultPriority = $plugin['routes-default-priority'];
 			}
 
 			$warningPreTitle = 'Plugin: ' . $plugin['name'] . ' - ';
 
 			if (isset($plugin['routes'])) {
-				foreach ($plugin['routes'] as $_name => $info) {
+				foreach ($plugin['routes'] as $info) {
 					// default method: get
 					$method = $info['method'] ?? ['GET'];
 					if ($method !== '*') {
@@ -51,7 +48,7 @@ class Plugins {
 					}
 
 					if (!isset($info['priority'])) {
-						$info['priority'] = 100; // default priority
+						$info['priority'] = $routesDefaultPriority; // default priority taken from plugin.json
 					}
 
 					if (isset($info['redirect_from'])) {
@@ -70,24 +67,60 @@ class Plugins {
 					// replace first occurrence of / in pattern if found (will be auto-added later)
 					removeIfFirstSlash($info['pattern']);
 
-					foreach ($routes as $id => &$route) {
-						if($route[1] == $info['pattern']) {
-							if($info['priority'] < $route[3]) {
-								self::$warnings[] = $warningPreTitle . "Duplicated route with lower priority: {$info['pattern']}. Disabling this route...";
-								continue 2;
+					$routes[] = [$methods, $info['pattern'], $info['file'], $info['priority']];
+				}
+			}
+
+			$pagesDefaultPriority = 1000;
+			if (isset($plugin['pages-default-priority'])) {
+				$pagesDefaultPriority = $plugin['pages-default-priority'];
+			}
+
+			if (self::getAutoLoadOption($plugin, 'pages', true)) {
+				//
+				// Get all plugins/*/pages/*.php pages
+				//
+				$pluginPages = glob(PLUGINS . $plugin['filename'] . '/pages/*.php');
+				foreach ($pluginPages as $file) {
+					$file = str_replace(PLUGINS, 'plugins/', $file);
+					$name = pathinfo($file, PATHINFO_FILENAME);
+
+					$routes[] = [['get', 'post'], $name, $file, $pagesDefaultPriority];
+				}
+			}
+
+			if (self::getAutoLoadOption($plugin, 'pagesSubFolders', true)) {
+				//
+				// Get all plugins/*/pages/subFolder/*.php pages
+				//
+				$pluginPagesSubFolders = glob(PLUGINS . $plugin['filename'] . '/pages/*', GLOB_ONLYDIR);
+				foreach ($pluginPagesSubFolders as $folder) {
+					$folderName = pathinfo($folder, PATHINFO_FILENAME);
+
+					$subFiles = glob(PLUGINS . $plugin['filename'] . '/pages/' . $folderName . '/*.php');
+					foreach ($subFiles as $file) {
+						$file = str_replace(PLUGINS, 'plugins/', $file);
+						$name = $folderName . '/' . pathinfo($file, PATHINFO_FILENAME);
+
+						$routes[] = [['get', 'post'], $name, $file, $pagesDefaultPriority];
+					}
+
+					$subFolders = glob(PLUGINS . $plugin['filename'] . '/pages/' . $folderName . '/*', GLOB_ONLYDIR);
+					foreach ($subFolders as $subFolder) {
+						$subFolderName = pathinfo($subFolder, PATHINFO_FILENAME);
+						$subSubFiles = glob(PLUGINS . $plugin['filename'] . '/pages/' . $folderName . '/' . $subFolderName . '/*.php');
+
+						foreach ($subSubFiles as $subSubFile) {
+							$subSubFile = str_replace(PLUGINS, 'plugins/', $subSubFile);
+							$name = $folderName . '/' . $subFolderName . '/' . pathinfo($subSubFile, PATHINFO_FILENAME);
+
+							$routes[] = [['get', 'post'], $name, $subSubFile, $pagesDefaultPriority];
+						}
 					}
-							else {
-								self::$warnings[] = $warningPreTitle . "Duplicated route with lower priority: {$route[1]} ({$route[3]}). Disabling this route...";
-								unset($routes[$id]);
 				}
 			}
 		}
 
-					$routes[] = [$methods, $info['pattern'], $info['file'], $info['priority']];
-				}
-			}
-		}
-		/*
 		usort($routes, function ($a, $b)
 		{
 			// key 3 is priority
@@ -95,14 +128,14 @@ class Plugins {
 				return 0;
 			}
 
-					return ($a[3] > $b[3]) ? -1 : 1;
+			return ($a[3] < $b[3]) ? -1 : 1;
 		});
-		*/
+
 		// cleanup before passing back
 		// priority is not needed anymore
-		foreach ($routes as &$route) {
-			unset($route[3]);
-		}
+		//foreach ($routes as &$route) {
+		//	unset($route[3]);
+		//}
 
 		if ($cache->enabled()) {
 			$cache->set('plugins_routes', serialize($routes), 600);
@@ -123,6 +156,10 @@ class Plugins {
 
 		$themes = [];
 		foreach(self::getAllPluginsJson() as $plugin) {
+			if (!self::getAutoLoadOption($plugin, 'themes', true)) {
+				continue;
+			}
+
 			$pluginThemes = glob(PLUGINS . $plugin['filename'] . '/themes/*', GLOB_ONLYDIR);
 			foreach ($pluginThemes as $path) {
 				$path = str_replace(PLUGINS, 'plugins/', $path);
@@ -151,6 +188,10 @@ class Plugins {
 
 		$commands = [];
 		foreach(self::getAllPluginsJson() as $plugin) {
+			if (!self::getAutoLoadOption($plugin, 'commands', true)) {
+				continue;
+			}
+
 			$pluginCommands = glob(PLUGINS . $plugin['filename'] . '/commands/*.php');
 			foreach ($pluginCommands as $path) {
 				$commands[] = $path;
@@ -178,13 +219,19 @@ class Plugins {
 		foreach(self::getAllPluginsJson() as $plugin) {
 			if (isset($plugin['hooks'])) {
 				foreach ($plugin['hooks'] as $_name => $info) {
+					$priority = 1000;
+
 					if (str_contains($info['type'], 'HOOK_')) {
 						$info['type'] = str_replace('HOOK_', '', $info['type']);
 					}
 
+					if (isset($info['priority'])) {
+						$priority = (int)$info['priority'];
+					}
+
 					if (defined('HOOK_'. $info['type'])) {
 						$hook = constant('HOOK_'. $info['type']);
-						$hooks[] = ['name' => $_name, 'type' => $hook, 'file' => $info['file']];
+						$hooks[] = ['name' => $_name, 'type' => $hook, 'file' => $info['file'], 'priority' => $priority];
 					} else {
 						self::$warnings[] = 'Plugin: ' . $plugin['name'] . '. Unknown event type: ' . $info['type'];
 					}
@@ -192,6 +239,15 @@ class Plugins {
 			}
 		}
 
+		usort($hooks, function ($a, $b)
+		{
+			if ($a['priority'] == $b['priority']) {
+				return 0;
+			}
+
+			return ($a['priority'] < $b['priority']) ? -1 : 1;
+		});
+
 		if ($cache->enabled()) {
 			$cache->set('plugins_hooks', serialize($hooks), 600);
 		}
@@ -757,4 +813,21 @@ class Plugins {
 			}
 		}
 	}
+
+	private static function getAutoLoadOption(array $plugin, string $optionName, bool $default = true)
+	{
+		if (isset($plugin['autoload'])) {
+			$autoload = $plugin['autoload'];
+			if (is_array($autoload)) {
+				if (isset($autoload[$optionName])) {
+					return getBoolean($autoload[$optionName]);
+				}
+			}
+			else if (is_bool($autoload)) {
+				return $autoload;
+			}
+		}
+
+		return $default;
+	}
 }

system/src/RateLimit.php

@@ -0,0 +1,120 @@
+<?php
+
+
+namespace MyAAC;
+
+
+class RateLimit
+{
+	public string $key;
+	public int $max_attempts;
+	public int $ttl;
+	public $enabled = false;
+	protected array $data;
+
+	public function __construct(string $key, int $max_attempts, int $ttl)
+	{
+		$this->key = $key;
+		$this->max_attempts = $max_attempts;
+		$this->ttl = $ttl;
+	}
+
+	public function attempts(string $ip): int
+	{
+		if (!$this->enabled) {
+			return 0;
+		}
+
+		if (isset($this->data[$ip]['attempts'])) {
+			return $this->data[$ip]['attempts'];
+		}
+
+		return 0;
+	}
+
+	public function exceeded(string $ip): bool {
+		if (!$this->enabled) {
+			return false;
+		}
+
+		return $this->attempts($ip) >= $this->max_attempts;
+	}
+
+	public function increment(string $ip): bool
+	{
+		global $cache;
+		if ($this->enabled && $cache->enabled()) {
+			if (isset($this->data[$ip]['attempts']) && isset($this->data[$ip]['last'])) {
+				$this->data[$ip]['attempts']++;
+				$this->data[$ip]['last'] = time();
+			} else {
+				$this->data[$ip] = [
+					'attempts' => 1,
+					'last' => time(),
+				];
+			}
+
+			$this->save();
+		}
+
+		return false;
+	}
+
+	public function reset(string $ip): void
+	{
+		if (!$this->enabled) {
+			return;
+		}
+
+		if (isset($this->data[$ip])) {
+			unset($this->data[$ip]);
+		}
+
+		$this->save();
+	}
+
+	public function save(): void
+	{
+		global $cache;
+		if (!$this->enabled) {
+			return;
+		}
+
+		$data = $this->data;
+		$cache->set($this->key, serialize($data), $this->ttl * 60);
+	}
+
+	public function load(): void
+	{
+		global $cache;
+		if (!$this->enabled) {
+			return;
+		}
+
+		$data = [];
+		if ($this->enabled && $cache->enabled()) {
+			$tmp = '';
+			if ($cache->fetch($this->key, $tmp)) {
+				$data = unserialize($tmp);
+				$to_remove = [];
+				foreach ($data as $ip => $t) {
+					if (time() - $t['last'] >= ($this->ttl * 60)) {
+						$to_remove[] = $ip;
+					}
+				}
+
+				if (count($to_remove)) {
+					foreach ($to_remove as $ip) {
+						unset($data[$ip]);
+					}
+
+					$this->save();
+				}
+			} else {
+				$data = [];
+			}
+		}
+
+		$this->data = $data;
+	}
+}

system/src/Settings.php

@@ -382,6 +382,8 @@ class Settings implements \ArrayAccess
 		}
 
 		$this->settingsDatabase[$pluginKeyName][$key] = $value;
+		// invalidate cache
+		unset($this->cache[$offset]);
 	}
 
 	#[\ReturnTypeWillChange]

system/src/Towns.php

@@ -124,6 +124,6 @@ class Towns
 	 */
 	public static function getFromDatabase()
 	{
-		return Town::pluck('name', 'id')->toArray();
+		return Town::orderBy('id', 'ASC')->pluck('name', 'id')->toArray();
 	}
 }

system/src/Twig/Extension/TypeCastingExtension.php

@@ -0,0 +1,36 @@
+<?php
+
+declare(strict_types=1);
+
+namespace MyAAC\Twig\Extension;
+
+use Twig\Extension\AbstractExtension;
+use Twig\TwigFilter;
+
+final class TypeCastingExtension extends AbstractExtension
+{
+	/** @return array<int, TwigFilter> */
+	public function getFilters(): array
+	{
+		return [
+			new TwigFilter('int', function ($value) {
+				return (int)$value;
+			}),
+			new TwigFilter('float', function ($value) {
+				return (float)$value;
+			}),
+			new TwigFilter('string', function ($value) {
+				return (string)$value;
+			}),
+			new TwigFilter('bool', function ($value) {
+				return (bool)$value;
+			}),
+			new TwigFilter('array', function (object $value) {
+				return (array)$value;
+			}),
+			new TwigFilter('object', function (array $value) {
+				return (object)$value;
+			}),
+		];
+	}
+}

system/src/global.php

@@ -45,6 +45,12 @@ define('HOOK_ACCOUNT_CREATE_AFTER_TOWNS', ++$i);
 define('HOOK_ACCOUNT_CREATE_BEFORE_SUBMIT_BUTTON', ++$i);
 define('HOOK_ACCOUNT_CREATE_AFTER_FORM', ++$i);
 define('HOOK_ACCOUNT_CREATE_POST', ++$i);
+define('HOOK_ACCOUNT_CREATE_AFTER_SUBMIT', ++$i);
+define('HOOK_ACCOUNT_CREATE_AFTER_SAVED', ++$i);
+define('HOOK_ACCOUNT_MANAGE_BEFORE_GENERAL_INFORMATION', ++$i);
+define('HOOK_ACCOUNT_MANAGE_BEFORE_PUBLIC_INFORMATION', ++$i);
+define('HOOK_ACCOUNT_MANAGE_BEFORE_ACCOUNT_LOGS', ++$i);
+define('HOOK_ACCOUNT_MANAGE_BEFORE_CHARACTERS', ++$i);
 define('HOOK_ACCOUNT_LOGIN_BEFORE_PAGE', ++$i);
 define('HOOK_ACCOUNT_LOGIN_BEFORE_ACCOUNT', ++$i);
 define('HOOK_ACCOUNT_LOGIN_AFTER_ACCOUNT', ++$i);
@@ -54,6 +60,11 @@ define('HOOK_ACCOUNT_LOGIN_AFTER_REMEMBER_ME', ++$i);
 define('HOOK_ACCOUNT_LOGIN_AFTER_PAGE', ++$i);
 define('HOOK_ACCOUNT_LOGIN_POST', ++$i);
 define('HOOK_ACCOUNT_CREATE_CHARACTER_AFTER', ++$i);
+define('HOOK_ACCOUNT_CREATE_CHARACTER_BEFORE_FIRST_TABLE', ++$i);
+define('HOOK_ACCOUNT_CREATE_CHARACTER_BEFORE_VOCATIONS', ++$i);
+define('HOOK_ACCOUNT_CREATE_CHARACTER_BEFORE_TOWNS', ++$i);
+define('HOOK_ACCOUNT_CREATE_CHARACTER_AFTER_TOWNS', ++$i);
+define('HOOK_ACCOUNT_CREATE_CHARACTER_AFTER_SECOND_TABLE', ++$i);
 define('HOOK_ADMIN_HEAD_END', ++$i);
 define('HOOK_ADMIN_HEAD_START', ++$i);
 define('HOOK_ADMIN_BODY_START', ++$i);
@@ -74,6 +85,8 @@ define('HOOK_GUILDS_AFTER_GUILD_MEMBERS', ++$i);
 define('HOOK_GUILDS_AFTER_INVITED_CHARACTERS', ++$i);
 define('HOOK_TWIG', ++$i);
 define('HOOK_CACHE_CLEAR', ++$i);
+define('HOOK_INSTALL_FINISH', ++$i);
+define('HOOK_INSTALL_FINISH_END', ++$i);
 
 const HOOK_FIRST = HOOK_STARTUP;
 define('HOOK_LAST', $i);

system/status.php

@@ -142,10 +142,14 @@ function updateStatus() {
 			}
 		}
 
-		$status['uptime'] = $serverStatus->getUptime();
-		$h = floor($status['uptime'] / 3600);
-		$m = floor(($status['uptime'] - $h * 3600) / 60);
-		$status['uptimeReadable'] = $h . 'h ' . $m . 'm';
+		$uptime = $status['uptime'] = $serverStatus->getUptime();
+		$m = date('m', $uptime);
+		$m = $m > 1 ? "$m months, " : ($m == 1 ? 'month, ' : '');
+		$d = date('d', $uptime);
+		$d = $d > 1 ? "$d days, " : ($d == 1 ? 'day, ' : '');
+		$h = date('H', $uptime);
+		$min = date('i', $uptime);
+		$status['uptimeReadable'] = "{$m}{$d}{$h}h {$min}m";
 
 		$status['monsters'] = $serverStatus->getMonstersCount();
 		$status['motd'] = $serverStatus->getMOTD();

system/templates/account.back_button.html.twig

@@ -1,7 +1,26 @@
 {% if new_line is defined and new_line %}
 	<br/>
 {% endif %}
-<form action="{% if action is not defined %}{{ getLink('account/manage') }}{% else %}{{ action }}{% endif %}" method="post">
+
+{% set _center = false %}
+
+{% if center is defined and center %}
+{% set _center = true %}
+{% endif %}
+
+{% if _center %}
+<table border="0" cellspacing="1" cellpadding="4" width="100%">
+	<tbody>
+	<tr>
+		<td align="center">
+{% endif %}
+			<form action="{% if action is not defined %}{{ getLink('account/manage') }}{% else %}{{ action }}{% endif %}" method="post">
 				{{ csrf() }}
 				{{ include('buttons.back.html.twig') }}
-</form>
+			</form>
+{% if _center %}
+		</td>
+	</tr>
+	</tbody>
+</table>
+{% endif %}

system/templates/account.change-email.html.twig

@@ -0,0 +1,54 @@
+Please enter your password and the new email address. Make sure that you enter a valid email address which you have access to. <br/><b>For security reasons, the actual change will be finalised after a waiting period of {{ setting('core.account_mail_change') }} days.</b><br/><br/>
+{% set title = 'Change Email Address' %}
+{% set background = config('darkborder') %}
+{% set content %}
+	<table style="width:100%;">
+		<tr>
+			<td class="LabelV" >
+				<span>New Email Address:</span>
+			</td>
+			<td style="width:90%;">
+				<input form="form" name="new_email" value="{% if new_email is defined %}{{ new_email }}{% endif %}" size="30" maxlength="50" autofocus/>
+			</td>
+		</tr>
+		<tr>
+			<td class="LabelV">
+				<span >Password:</span>
+			</td>
+			<td>
+				<input form="form" type="password" name="password" size="30" maxlength="29">
+			</td>
+		</tr>
+	</table>
+{% endset %}
+{% include 'tables.headline.html.twig' %}
+<br/>
+<table style="width:100%;">
+	<tr align="center">
+		<td>
+			<table border="0" cellspacing="0" cellpadding="0">
+				<tr>
+					<td style="border:0px;">
+						<form id="form" action="{{ getLink('account/change-email') }}" method="post">
+							{{ csrf() }}
+							<input type="hidden" name="changeemailsave" value="1"/>
+							{{ include('buttons.submit.html.twig') }}
+						</form>
+					</td>
+				<tr>
+			</table>
+		</td>
+		<td>
+			<table border="0" cellspacing="0" cellpadding="0">
+				<form action="{{ getLink('account/manage') }}" method="post">
+					{{ csrf() }}
+					<tr>
+						<td style="border:0px;">
+							{{ include('buttons.back.html.twig') }}
+						</td>
+					</tr>
+				</form>
+			</table>
+		</td>
+	</tr>
+</table>

system/templates/account.change-info.html.twig

@@ -0,0 +1,84 @@
+Here you can tell other players about yourself. This information will be displayed alongside the data of your characters. If you do not want to fill in a certain field, just leave it blank.<br/><br/>
+{% set title = 'Change Public Information' %}
+{% set background = config('darkborder') %}
+{% set content %}
+<table style="width: 100%;" >
+	<tr>
+		<td class="LabelV">Real Name:</td>
+		<td style="width:90%;" >
+			<input form="form" name="info_rlname" value="{{ account_rlname }}" size="30" maxlength="50" >
+		</td>
+	</tr>
+	<tr>
+		<td class="LabelV" >Location:</td>
+		<td>
+			<input form="form" name="info_location" value="{{ account_location }}" size="30" maxlength="50" >
+		</td>
+	</tr>
+	{% if setting('core.account_country') %}
+	<tr>
+		<td class="LabelV">Country:</td>
+		<td>
+			<select form="form" name="info_country" id="account_country">
+				{% for code, country in countries %}
+				<option value="{{ code}}"{% if account_country == code %} selected{% endif %}>{{ country }} </option>
+				{% endfor %}
+			</select>
+			<img src="" id="account_country_img"/>
+			<script>
+				function updateFlag()
+				{
+					var img = $('#account_country_img');
+					var country = $('#account_country :selected').val();
+					if(country.length) {
+						img.attr('src', 'images/flags/' + country + '.gif');
+						img.show();
+					}
+					else {
+						img.hide();
+					}
+				}
+
+				$(function() {
+					updateFlag();
+					$('#account_country').change(function() {
+						updateFlag();
+					});
+				});
+			</script>
+		</td>
+	</tr>
+	{% endif %}
+</table>
+{% endset %}
+{% include 'tables.headline.html.twig' %}
+<br/>
+<table width="100%">
+	<tr align="center">
+		<td>
+			<table border="0" cellspacing="0" cellpadding="0" >
+				<tr>
+					<td style="border:0px;" >
+						<form id="form" action="{{ getLink('account/change-info') }}" method="post">
+							{{ csrf() }}
+							<input type="hidden" name="changeinfosave" value="1">
+							{{ include('buttons.submit.html.twig') }}
+						</form>
+					</td>
+				</tr>
+			</table>
+		</td>
+		<td>
+			<table border="0" cellspacing="0" cellpadding="0" >
+				<tr>
+					<td style="border:0px;" >
+						<form action="{{ getLink('account/manage') }}" method="post" >
+							{{ csrf() }}
+							{{ include('buttons.back.html.twig') }}
+						</form>
+					</td>
+				</tr>
+			</table>
+		</td>
+	</tr>
+</table>

system/templates/account.change-password.html.twig

@@ -0,0 +1,62 @@
+Please enter your current password and a new password. For your security, please enter the new password twice.<br/>
+<br/>
+{% set title = 'Change Password' %}
+{% set background = config('darkborder') %}
+{% set content %}
+<table style="width:100%;">
+	<tr>
+		<td class="LabelV">
+			<span>New Password:</span>
+		</td>
+		<td style="width:90%;">
+			<input form="form" type="password" name="newpassword" size="30" maxlength="29">
+		</td>
+	</tr>
+	<tr>
+		<td class="LabelV">
+			<span>New Password Again:</span>
+		</td>
+		<td>
+			<input form="form" type="password" name="newpassword_confirm" size="30" maxlength="29">
+		</td>
+	</tr>
+	<tr>
+		<td class="LabelV">
+			<span>Current Password:</span>
+		</td>
+		<td>
+			<input form="form" type="password" name="oldpassword" size="30" maxlength="29">
+		</td>
+	</tr>
+</table>
+{% endset %}
+{% include 'tables.headline.html.twig' %}
+<br/>
+<table style="width:100%;">
+	<tr align="center">
+		<td>
+			<table border="0" cellspacing="0" cellpadding="0">
+				<tr>
+					<td style="border:0px;">
+						<form id="form" action="{{ getLink('account/change-password') }}" method="post">
+							{{ csrf() }}
+							{{ include('buttons.submit.html.twig') }}
+						</form>
+					</td>
+				<tr>
+			</table>
+		</td>
+		<td>
+			<table border="0" cellspacing="0" cellpadding="0">
+				<tr>
+					<td style="border:0px;">
+						<form action="{{ getLink('account/manage') }}" method="post">
+							{{ csrf() }}
+							{{ include('buttons.back.html.twig') }}
+						</form>
+					</td>
+				</tr>
+			</table>
+		</td>
+	</tr>
+</table>

system/templates/account.change_info.html.twig

@@ -1,102 +0,0 @@
-Here you can tell other players about yourself. This information will be displayed alongside the data of your characters. If you do not want to fill in a certain field, just leave it blank.<br/><br/>
-<form action="{{ getLink('account/info') }}" method="post">
-	{{ csrf() }}
-	<div class="TableContainer" >
-		<table class="Table1" cellpadding="0" cellspacing="0" >
-			<div class="CaptionContainer" >
-				<div class="CaptionInnerContainer" >
-					<span class="CaptionEdgeLeftTop" style="background-image:url({{ template_path }}/images/content/box-frame-edge.gif);" /></span>
-					<span class="CaptionEdgeRightTop" style="background-image:url({{ template_path }}/images/content/box-frame-edge.gif);" /></span>
-					<span class="CaptionBorderTop" style="background-image:url({{ template_path }}/images/content/table-headline-border.gif);" ></span>
-					<span class="CaptionVerticalLeft" style="background-image:url({{ template_path }}/images/content/box-frame-vertical.gif);" /></span>
-					<div class="Text" >Change Public Information</div>
-					<span class="CaptionVerticalRight" style="background-image:url({{ template_path }}/images/content/box-frame-vertical.gif);" /></span>
-					<span class="CaptionBorderBottom" style="background-image:url({{ template_path }}/images/content/table-headline-border.gif);" ></span>
-					<span class="CaptionEdgeLeftBottom" style="background-image:url({{ template_path }}/images/content/box-frame-edge.gif);" /></span>
-					<span class="CaptionEdgeRightBottom" style="background-image:url({{ template_path }}/images/content/box-frame-edge.gif);" /></span>
-				</div>
-			</div>
-			<tr>
-				<td>
-					<div class="InnerTableContainer" >
-						<table style="width:100%;" >
-							<tr>
-								<td class="LabelV" >Real Name:</td>
-								<td style="width:90%;" >
-									<input name="info_rlname" value="{{ account_rlname }}" size="30" maxlength="50" >
-								</td>
-							</tr>
-							<tr>
-								<td class="LabelV" >Location:</td>
-								<td>
-									<input name="info_location" value="{{ account_location }}" size="30" maxlength="50" >
-								</td>
-							</tr>
-							{% if setting('core.account_country') %}
-							<tr>
-								<td class="LabelV" >Country:</td>
-								<td>
-									<select name="info_country" id="account_country">
-										{% for code, country in countries %}
-										<option value="{{ code}}"{% if account_country == code %} selected{% endif %}>{{ country }} </option>
-										{% endfor %}
-									</select>
-									<img src="" id="account_country_img"/>
-									<script>
-										function updateFlag()
-										{
-											var img = $('#account_country_img');
-											var country = $('#account_country :selected').val();
-											if(country.length) {
-												img.attr('src', 'images/flags/' + country + '.gif');
-												img.show();
-											}
-											else {
-												img.hide();
-											}
-										}
-
-										$(function() {
-											updateFlag();
-											$('#account_country').change(function() {
-												updateFlag();
-											});
-										});
-									</script>
-								</td>
-							</tr>
-							{% endif %}
-						</table>
-					</div>
-				</td>
-			</tr>
-		</table>
-	</div>
-	<br/>
-	<table width="100%">
-		<tr align="center">
-			<td>
-				<table border="0" cellspacing="0" cellpadding="0" >
-					<tr>
-						<td style="border:0px;" >
-							<input type="hidden" name="changeinfosave" value="1">
-								{{ include('buttons.submit.html.twig') }}
-						</td>
-					</tr>
-				</table>
-			</td>
-			<td>
-</form>
-				<table border="0" cellspacing="0" cellpadding="0" >
-					<form action="{{ getLink('account/manage') }}" method="post" >
-						{{ csrf() }}
-						<tr>
-							<td style="border:0px;" >
-								{{ include('buttons.back.html.twig') }}
-							</td>
-						</tr>
-					</form>
-				</table>
-			</td>
-		</tr>
-	</table>

system/templates/account.change_mail.html.twig

@@ -1,72 +0,0 @@
-Please enter your password and the new email address. Make sure that you enter a valid email address which you have access to. <br/><b>For security reasons, the actual change will be finalised after a waiting period of {{ setting('core.account_mail_change') }} days.</b><br/><br/>
-<form action="{{ getLink('account/email') }}" method="post">
-	{{ csrf() }}
-<div class="TableContainer">
-	<table class="Table1" cellpadding="0" cellspacing="0">
-		<div class="CaptionContainer">
-			<div class="CaptionInnerContainer" >
-				<span class="CaptionEdgeLeftTop" style="background-image:url({{ template_path }}/images/content/box-frame-edge.gif);"></span>
-				<span class="CaptionEdgeRightTop" style="background-image:url({{ template_path }}/images/content/box-frame-edge.gif);"></span>
-				<span class="CaptionBorderTop" style="background-image:url({{ template_path }}/images/content/table-headline-border.gif);"></span>
-				<span class="CaptionVerticalLeft" style="background-image:url({{ template_path }}/images/content/box-frame-vertical.gif);"></span>
-				<div class="Text" >Change Email Address</div>
-				<span class="CaptionVerticalRight" style="background-image:url({{ template_path }}/images/content/box-frame-vertical.gif);"></span>
-				<span class="CaptionBorderBottom" style="background-image:url({{ template_path }}/images/content/table-headline-border.gif);"></span>
-				<span class="CaptionEdgeLeftBottom" style="background-image:url({{ template_path }}/images/content/box-frame-edge.gif);"></span>
-				<span class="CaptionEdgeRightBottom" style="background-image:url({{ template_path }}/images/content/box-frame-edge.gif);"></span>
-			</div>
-		</div>
-		<tr>
-			<td>
-				<div class="InnerTableContainer">
-					<table style="width:100%;">
-						<tr>
-							<td class="LabelV" >
-								<span >New Email Address:</span>
-							</td>
-							<td style="width:90%;">
-								<input name="new_email" value="{% if new_email is defined %}{{ new_email }}{% endif %}" size="30" maxlength="50" autofocus/>
-							</td>
-						</tr>
-						<tr>
-							<td class="LabelV">
-								<span >Password:</span>
-							</td>
-							<td>
-								<input type="password" name="password" size="30" maxlength="29">
-							</td>
-						</tr>
-					</table>
-				</div>
-			</td>
-		</tr>
-	</table>
-</div>
-<br/>
-<table style="width:100%;">
-	<tr align="center">
-		<td>
-			<table border="0" cellspacing="0" cellpadding="0">
-				<tr>
-					<td style="border:0px;">
-						<input type="hidden" name="changeemailsave" value="1"/>
-						{{ include('buttons.submit.html.twig') }}
-					</td>
-				<tr>
-			</table>
-		</td>
-</form>
-		<td>
-			<table border="0" cellspacing="0" cellpadding="0">
-				<form action="{{ getLink('account/manage') }}" method="post">
-					{{ csrf() }}
-					<tr>
-						<td style="border:0px;">
-							{{ include('buttons.back.html.twig') }}
-						</td>
-					</tr>
-				</form>
-			</table>
-		</td>
-	</tr>
-</table>

system/templates/account.change_name.html.twig

@@ -1,79 +0,0 @@
-To change a name of character select player and choose a new name.<br/>
-<span style="color: red">Change name cost {{ setting('core.account_change_character_name_price') }} {{ setting('core.donate_column') == 'coins' ? 'coins' : 'premium points' }}. You have {{ points }} {{ setting('core.donate_column') == 'coins' ? 'coins' : 'premium points' }}.</span><br/><br/>
-<form action="{{ getLink('account/character/name') }}" method="post">
-	{{ csrf() }}
-	<input type="hidden" name="changenamesave" value="1">
-	<div class="TableContainer">
-		<table class="Table1" cellpadding="0" cellspacing="0">
-			<div class="CaptionContainer">
-				<div class="CaptionInnerContainer" >
-					<span class="CaptionEdgeLeftTop" style="background-image:url({{ template_path }}/images/content/box-frame-edge.gif);"></span>
-					<span class="CaptionEdgeRightTop" style="background-image:url({{ template_path }}/images/content/box-frame-edge.gif);"></span>
-					<span class="CaptionBorderTop" style="background-image:url({{ template_path }}/images/content/table-headline-border.gif);"></span>
-					<span class="CaptionVerticalLeft" style="background-image:url({{ template_path }}/images/content/box-frame-vertical.gif);"></span>
-					<div class="Text" >Change Name</div>
-					<span class="CaptionVerticalRight" style="background-image:url({{ template_path }}/images/content/box-frame-vertical.gif);"></span>
-					<span class="CaptionBorderBottom" style="background-image:url({{ template_path }}/images/content/table-headline-border.gif);"></span>
-					<span class="CaptionEdgeLeftBottom" style="background-image:url({{ template_path }}/images/content/box-frame-edge.gif);"></span>
-					<span class="CaptionEdgeRightBottom" style="background-image:url({{ template_path }}/images/content/box-frame-edge.gif);"></span>
-				</div>
-			</div>
-			<tr>
-				<td>
-					<div class="InnerTableContainer" >
-						<table style="width:100%;" >
-							<tr>
-                                <td class="LabelV" ><span>Character:</span></td>
-								<td style="width:90%;" >
-									<select name="player_id">
-										{% for player in account_logged.getPlayersList(false) %}
-										<option value="{{ player.getId() }}">{{ player.getName() }}</option>
-										{% endfor %}
-									</select>
-								</td>
-							</tr>
-							<tr>
-                                <td class="LabelV" ><span>New Name:</span></td>
-								<td>
-									<input type="text" name="name" id="character_name" size="25" maxlength="25" >
-									<img id="character_indicator" src="images/global/general/{% if not save or errors|length > 0 %}n{% endif %}ok.gif" />
-									<br/>
-									<span style="font-size: 10px">
-										<div id="character_error">Please enter your character name.</div>
-									</span>
-								</td>
-							</tr>
-						</table>
-					</div>
-				</td>
-			</tr>
-		</table>
-	</div>
-	<br/>
-	<table style="width:100%" >
-		<tr align="center">
-			<td>
-				<table border="0" cellspacing="0" cellpadding="0">
-					<tr>
-						<td style="border:0px;">
-							{{ include('buttons.submit.html.twig') }}
-						</td>
-					</tr>
-</form>
-				</table>
-			</td>
-			<td>
-				<table border="0" cellspacing="0" cellpadding="0">
-					<form action="{{ getLink('account/manage') }}" method="post">
-						{{ csrf() }}
-						<tr>
-							<td style="border:0px;">
-								{{ include('buttons.back.html.twig') }}
-							</td>
-						</tr>
-					</form>
-				</table>
-			</td>
-		</tr>
-	</table>
-<script type="text/javascript" src="tools/check_name.js"></script>

system/templates/account.change_password.html.twig

@@ -1,80 +0,0 @@
-Please enter your current password and a new password. For your security, please enter the new password twice.<br/>
-<br/>
-<form action="{{ getLink('account/password') }}" method="post">
-	{{ csrf() }}
-	<div class="TableContainer">
-		<table class="Table1" cellpadding="0" cellspacing="0">
-			<div class="CaptionContainer">
-				<div class="CaptionInnerContainer">
-					<span class="CaptionEdgeLeftTop" style="background-image:url({{ template_path }}/images/content/box-frame-edge.gif);"></span>
-					<span class="CaptionEdgeRightTop" style="background-image:url({{ template_path }}/images/content/box-frame-edge.gif);"></span>
-					<span class="CaptionBorderTop" style="background-image:url({{ template_path }}/images/content/table-headline-border.gif);"></span>
-					<span class="CaptionVerticalLeft" style="background-image:url({{ template_path }}/images/content/box-frame-vertical.gif);"></span>
-					<div class="Text" >Change Password</div>
-					<span class="CaptionVerticalRight" style="background-image:url({{ template_path }}/images/content/box-frame-vertical.gif);"></span>
-					<span class="CaptionBorderBottom" style="background-image:url({{ template_path }}/images/content/table-headline-border.gif);"></span>
-					<span class="CaptionEdgeLeftBottom" style="background-image:url({{ template_path }}/images/content/box-frame-edge.gif);"></span>
-					<span class="CaptionEdgeRightBottom" style="background-image:url({{ template_path }}/images/content/box-frame-edge.gif);"></span>
-				</div>
-			</div>
-			<tr>
-				<td>
-					<div class="InnerTableContainer">
-						<table style="width:100%;">
-							<tr>
-								<td class="LabelV">
-									<span>New Password:</span>
-								</td>
-								<td style="width:90%;">
-									<input type="password" name="newpassword" size="30" maxlength="29">
-								</td>
-							</tr>
-							<tr>
-								<td class="LabelV">
-									<span>New Password Again:</span>
-								</td>
-								<td>
-									<input type="password" name="newpassword_confirm" size="30" maxlength="29">
-								</td>
-							</tr>
-							<tr>
-								<td class="LabelV">
-									<span>Current Password:</span>
-								</td>
-								<td>
-									<input type="password" name="oldpassword" size="30" maxlength="29">
-								</td>
-							</tr>
-						</table>
-					</div>
-				</td>
-			</tr>
-		</table>
-	</div>
-	<br/>
-	<table style="width:100%;">
-		<tr align="center">
-			<td>
-				<table border="0" cellspacing="0" cellpadding="0">
-					<tr>
-						<td style="border:0px;">
-							{{ include('buttons.submit.html.twig') }}
-						</td>
-					<tr>
-				</table>
-			</td>
-</form>
-			<td>
-				<table border="0" cellspacing="0" cellpadding="0">
-					<form action="{{ getLink('account/manage') }}" method="post">
-						{{ csrf() }}
-						<tr>
-							<td style="border:0px;">
-								{{ include('buttons.back.html.twig') }}
-							</td>
-						</tr>
-					</form>
-				</table>
-			</td>
-		</tr>
-	</table>

system/templates/account.change_sex.html.twig

@@ -1,78 +0,0 @@
-To change a sex of character select player and choose a new sex.<br/>
-<span style="color: red">Change sex cost {{ setting('core.account_change_character_sex_price') }} {{ setting('core.donate_column') == 'coins' ? 'coins' : 'premium points' }}. You have {{ points }} {{ setting('core.donate_column') == 'coins' ? 'coins' : 'premium points' }}.</span><br/><br/>
-<form action="{{ getLink('account/character/sex') }}" method="post">
-	{{ csrf() }}
-	<input type="hidden" name="changesexsave" value="1"/>
-	<div class="TableContainer">
-		<table class="Table1" cellpadding="0" cellspacing="0">
-			<div class="CaptionContainer">
-				<div class="CaptionInnerContainer">
-					<span class="CaptionEdgeLeftTop" style="background-image:url({{ template_path }}/images/content/box-frame-edge.gif);"></span>
-					<span class="CaptionEdgeRightTop" style="background-image:url({{ template_path }}/images/content/box-frame-edge.gif);"></span>
-					<span class="CaptionBorderTop" style="background-image:url({{ template_path }}/images/content/table-headline-border.gif);"></span>
-					<span class="CaptionVerticalLeft" style="background-image:url({{ template_path }}/images/content/box-frame-vertical.gif);"></span>
-					<div class="Text" >Change sex</div>
-					<span class="CaptionVerticalRight" style="background-image:url({{ template_path }}/images/content/box-frame-vertical.gif);"></span>
-					<span class="CaptionBorderBottom" style="background-image:url({{ template_path }}/images/content/table-headline-border.gif);" ></span>
-					<span class="CaptionEdgeLeftBottom" style="background-image:url({{ template_path }}/images/content/box-frame-edge.gif);" /></span>
-					<span class="CaptionEdgeRightBottom" style="background-image:url({{ template_path }}/images/content/box-frame-edge.gif);" /></span>
-				</div>
-			</div>
-			<tr>
-				<td>
-					<div class="InnerTableContainer">
-						<table style="width:100%;" >
-							<tr>
-								<td class="LabelV" ><span >Character:</td>
-								<td style="width:90%;" >
-									<select name="player_id">
-										{% for player in players %}
-										<option value="{{ player.getId() }}">{{ player.getName() }}</option>
-										{% endfor %}
-									</select>
-								</td>
-							</tr>
-							<tr>
-								<td class="LabelV" ><span >New Sex:</td>
-								<td>
-									<select name="new_sex">
-										{% for id, gender in config.genders %}
-										<option value="{{ id }}"{% if player_sex == id %} selected{% endif %}>{{ gender }}</option>
-										{% endfor %}
-									</select>
-								</td>
-							</tr>
-						</table>
-					</div>
-				</td>
-			</tr>
-		</table>
-	</div>
-	<br/>
-	<table style="width:100%">
-		<tr align="center">
-			<td>
-				<table border="0" cellspacing="0" cellpadding="0" >
-					<tr>
-						<td style="border:0px;" >
-							{{ include('buttons.submit.html.twig') }}
-						</td>
-					</tr>
-					<tr>
-</form>
-				</table>
-			</td>
-			<td>
-				<table border="0" cellspacing="0" cellpadding="0">
-					<form action="{{ getLink('account/manage') }}" method="post">
-						{{ csrf() }}
-						<tr>
-							<td style="border:0px;" >
-								{{ include('buttons.back.html.twig') }}
-							</td>
-						</tr>
-					</form>
-				</table>
-			</td>
-		</tr>
-	</table>

system/templates/account.characters.change-comment.html.twig

@@ -1,6 +1,6 @@
 Here you can see and edit the information about your character.<br/>
 If you do not want to specify a certain field, just leave it blank.<br/><br/>
-<form action="{{ getLink('account/character/comment') }}" method="post">
+<form action="{{ getLink('account/characters/change-comment') }}" method="post">
 	{{ csrf() }}
 	<div class="TableContainer" >
 		<table class="Table5" cellpadding="0" cellspacing="0">