Update CHANGELOG-1.x.md

HOOK_BEFORE_PAGE_CUSTOM,
HOOK_AFTER_PAGE_CUSTOM

CHANGELOG-1.x.md

@@ -1,5 +1,26 @@
 # Changelog
 
+## [1.6 - 03.06.2025]
+
+### Added
+* Add new setting/configurable: site_url, prevents domain spoofing (https://github.com/slawkens/myaac/commit/d8a6090be382c35c19117cfef964b594ed02b8d4)
+* Add new account coins setting (https://github.com/slawkens/myaac/commit/28886551e86fe562172c4c7f2afb89a2e7672c2e)
+* autoload: settings/install/init.php (https://github.com/slawkens/myaac/commit/e5749437074c3b3556628a2aeb5bad2edf97bde0, https://github.com/slawkens/myaac/commit/7d213f479a7e40c6254069b5fc4e578dc32bf8d9, https://github.com/slawkens/myaac/commit/207d6bc69120aba1af2b51808f17e0059b571fed)
+* Protect against csrf in more places (accounts & guilds & forums pages) (https://github.com/slawkens/myaac/commit/6eda38603c8ed7e99b92a78a4600b1245377f74d, https://github.com/slawkens/myaac/commit/e776bd52beb3064a9e694efd1b9021ec972ee2f6, https://github.com/slawkens/myaac/commit/84d502bf105f2a789481fba1acc820d236b4de66)
+* Added two new hooks for pages loaded from database (custom pages): HOOK_BEFORE_PAGE_CUSTOM, HOOK_AFTER_PAGE_CUSTOM (https://github.com/slawkens/myaac/commit/c961a1ebf837f2ab1734a825ff2c57b4937610c9)
+* Add global variables into $hooks->executeFilter (https://github.com/slawkens/myaac/commit/8fdea943768b20193eede99d60313ee84511a0be)
+* Add getNPCsCount() to OTS_InfoRespond (https://github.com/slawkens/myaac/commit/7d435ff6433ef1fb2295ee79ed043ee10dc725e9)
+
+### Fixed
+* Allow [] in character name (https://github.com/slawkens/myaac/commit/de6603a51347b9e656c58637ed9971fffdd7cedd)
+* Do not allow access to tools/ folder after install (https://github.com/slawkens/myaac/commit/6e0f5913831f8dba69fd2d1505be3e2a303c6324)
+* Fix CHANGELOG-1.x.md loading in admin panel (https://github.com/slawkens/myaac/commit/4a30fb495dbfbe1d434e8d52419eaf44fe517aee)
+* Fix links not working in admin dashboard modules (https://github.com/slawkens/myaac/commit/be7b27c31aa3bbd6c0289c34d1e61139a3fe015c)
+* Fix twig variables: logged + account_logged being not set directly after login (https://github.com/slawkens/myaac/commit/1e9b10d6489c488cadf7f6ed17b42f1ea6c767a8)
+
+### Changed
+* OTS_ServerInfo -> move setTimeout out of class - Possibility to use the class without MyAAC (https://github.com/slawkens/myaac/commit/40d65a6613149fda51bdceb82c807e5301a3388b)
+
 ## [1.5 - 14.05.2025]
 
 ### Added

admin/pages/modules/templates/coins.html.twig

@@ -19,7 +19,7 @@
 						{% set i = i + 1 %}
 						<tr>
 							<th>{{ i }}</th>
-							<td><a href="?p=accounts&id={{ result.id }}">{{ result.name }}</a></td>
+							<td><a href="?p=accounts&id={{ result.id }}">{{ result.name ?? result.id }}</a></td>
 							<td>{{ result.coins }}</td>
 						</tr>
 					{% endfor %}

common.php

@@ -26,7 +26,7 @@
 if (version_compare(phpversion(), '8.1', '<')) die('PHP version 8.1 or higher is required.');
 
 const MYAAC = true;
-const MYAAC_VERSION = '1.5.1-dev';
+const MYAAC_VERSION = '1.6';
 const DATABASE_VERSION = 45;
 const TABLE_PREFIX = 'myaac_';
 define('START_TIME', microtime(true));
@@ -122,38 +122,30 @@ if (!IS_CLI) {
 	session_start();
 }
 
-// basedir
-$basedir = '';
-$tmp = explode('/', $_SERVER['SCRIPT_NAME']);
-$size = count($tmp) - 1;
-for($i = 1; $i < $size; $i++)
-	$basedir .= '/' . $tmp[$i];
-
-$basedir = str_replace(['/' . ADMIN_PANEL_FOLDER, '/install', '/tools'], '', $basedir);
-define('BASE_DIR', $basedir);
-
-if(!IS_CLI) {
-	if (isset($_SERVER['HTTP_HOST'][0])) {
-		$baseHost = $_SERVER['HTTP_HOST'];
-	} else {
-		if (isset($_SERVER['SERVER_NAME'][0])) {
-			$baseHost = $_SERVER['SERVER_NAME'];
-		} else {
-			$baseHost = $_SERVER['SERVER_ADDR'];
-		}
-	}
-
-	define('SERVER_URL', 'http' . (isHttps() ? 's' : '') . '://' . $baseHost);
-	define('BASE_URL', SERVER_URL . BASE_DIR . '/');
-	define('ADMIN_URL', SERVER_URL . BASE_DIR . '/' . ADMIN_PANEL_FOLDER . '/');
-
-	//define('CURRENT_URL', BASE_URL . $_SERVER['REQUEST_URI']);
-}
-
 if (file_exists(BASE . 'config.local.php')) {
 	require BASE . 'config.local.php';
 }
 
+require SYSTEM . 'base.php';
+define('BASE_DIR', $baseDir);
+
+if(!IS_CLI) {
+	if (isset($config['site_url'])) {
+		$hasSlashAtEnd = ($config['site_url'][strlen($config['site_url']) - 1] == '/');
+
+		define('SERVER_URL', $config['site_url']);
+		define('BASE_URL', SERVER_URL . ($hasSlashAtEnd ? '' : '/'));
+		define('ADMIN_URL', SERVER_URL . ($hasSlashAtEnd ? '' : '/') . ADMIN_PANEL_FOLDER . '/');
+	}
+	else {
+		define('SERVER_URL', 'http' . (isHttps() ? 's' : '') . '://' . $baseHost);
+		define('BASE_URL', SERVER_URL . BASE_DIR . '/');
+		define('ADMIN_URL', SERVER_URL . BASE_DIR . '/' . ADMIN_PANEL_FOLDER . '/');
+
+		//define('CURRENT_URL', BASE_URL . $_SERVER['REQUEST_URI']);
+	}
+}
+
 /** @var array $config */
 ini_set('log_errors', 1);
 if(@$config['env'] === 'dev' || defined('MYAAC_INSTALL')) {

install/steps/4-config.php

@@ -10,6 +10,14 @@ foreach($config['clients'] as $client) {
 	$clients[$client] = $client_version;
 }
 
+if (empty($_SESSION['var_site_url'])) {
+	//require SYSTEM . 'base.php';
+	$serverUrl = 'http' . (isHttps() ? 's' : '') . '://' . $baseHost;
+	$siteURL = $serverUrl . $baseDir;
+
+	$_SESSION['var_site_url'] = $siteURL;
+}
+
 $twig->display('install.config.html.twig', array(
 	'clients' => $clients,
 	'timezones' => DateTimeZone::listIdentifiers(),

install/steps/7-finish.php

@@ -195,13 +195,4 @@ if(!isset($_SESSION['installed'])) {
 	$_SESSION['installed'] = true;
 }
 
-foreach($_SESSION as $key => $value) {
-	if(strpos($key, 'var_') !== false)
-		unset($_SESSION[$key]);
-}
-unset($_SESSION['saved']);
-if(file_exists(CACHE . 'install.txt')) {
-	unlink(CACHE . 'install.txt');
-}
-
 $hooks->trigger(HOOK_INSTALL_FINISH_END);

install/tools/5-database.php

@@ -7,6 +7,11 @@ require SYSTEM . 'functions.php';
 require BASE . 'install/includes/functions.php';
 require BASE . 'install/includes/locale.php';
 
+if(isset($config['installed']) && $config['installed'] && !isset($_SESSION['saved'])) {
+	warning($locale['already_installed']);
+	return;
+}
+
 $error = false;
 require BASE . 'install/includes/config.php';
 

install/tools/7-finish.php

@@ -17,11 +17,11 @@ ini_set('max_execution_time', 300);
 ob_implicit_flush();
 
 header('X-Accel-Buffering: no');
-/*
+
 if(isset($config['installed']) && $config['installed'] && !isset($_SESSION['saved'])) {
 	warning($locale['already_installed']);
 	return;
-}*/
+}
 
 require SYSTEM . 'init.php';
 
@@ -94,6 +94,17 @@ $hooks->trigger(HOOK_INSTALL_FINISH);
 
 $db->setClearCacheAfter(true);
 
+// cleanup
+foreach($_SESSION as $key => $value) {
+	if(str_contains($key, 'var_')) {
+		unset($_SESSION[$key]);
+	}
+}
+unset($_SESSION['saved']);
+if(file_exists(CACHE . 'install.txt')) {
+	unlink(CACHE . 'install.txt');
+}
+
 $locale['step_finish_desc'] = str_replace('$ADMIN_PANEL$', generateLink(str_replace('tools/', '',ADMIN_URL), $locale['step_finish_admin_panel'], true), $locale['step_finish_desc']);
 $locale['step_finish_desc'] = str_replace('$HOMEPAGE$', generateLink(str_replace('tools/', '', BASE_URL), $locale['step_finish_homepage'], true), $locale['step_finish_desc']);
 $locale['step_finish_desc'] = str_replace('$LINK$', generateLink('https://my-aac.org', 'https://my-aac.org', true), $locale['step_finish_desc']);

system/base.php

@@ -0,0 +1,21 @@
+<?php
+
+$baseDir = '';
+$tmp = explode('/', $_SERVER['SCRIPT_NAME']);
+$size = count($tmp) - 1;
+for($i = 1; $i < $size; $i++)
+	$baseDir .= '/' . $tmp[$i];
+
+$baseDir = str_replace(['/' . ADMIN_PANEL_FOLDER, '/install', '/tools'], '', $baseDir);
+
+if(!IS_CLI) {
+	if (isset($_SERVER['HTTP_HOST'][0])) {
+		$baseHost = $_SERVER['HTTP_HOST'];
+	} else {
+		if (isset($_SERVER['SERVER_NAME'][0])) {
+			$baseHost = $_SERVER['SERVER_NAME'];
+		} else {
+			$baseHost = $_SERVER['SERVER_ADDR'];
+		}
+	}
+}

system/init.php

@@ -12,6 +12,7 @@ use DebugBar\StandardDebugBar;
 use MyAAC\Cache\Cache;
 use MyAAC\CsrfToken;
 use MyAAC\Hooks;
+use MyAAC\Plugins;
 use MyAAC\Models\Town;
 use MyAAC\Settings;
 
@@ -46,6 +47,11 @@ if(isset($config['gzip_output']) && $config['gzip_output'] && isset($_SERVER['HT
 global $cache;
 $cache = Cache::getInstance();
 
+// load plugins init.php
+foreach (Plugins::getInits() as $init) {
+	require $init;
+}
+
 // event system
 global $hooks;
 $hooks = new Hooks();

system/libs/pot/OTS.php

@@ -311,18 +311,9 @@ class POT
  */
 	public function loadClass($class)
 	{
-		if( preg_match('/^(I|E_)?OTS_/', $class) > 0) {
-			global $hooks;
-			$include = $this->path . $class . '.php';
-
-			if (isset($hooks)) {
-				$args = ['include' => $include, 'class' => $class];
-				$hooks->triggerFilter(HOOK_FILTER_POT, $args);
-
-				$include = $args['include'];
-			}
-
-			include_once($include);
+		if( preg_match('/^(I|E_)?OTS_/', $class) > 0)
+		{
+			include_once($this->path . $class . '.php');
 		}
 	}
 

system/locale/de/install.php

@@ -48,6 +48,8 @@ $locale['step_config'] = 'Konfiguration';
 $locale['step_config_title'] = 'Grundkonfiguration';
 $locale['step_config_server_path'] = 'Serverpfad';
 $locale['step_config_server_path_desc'] = 'Pfad zu Ihrem TFS-Hauptverzeichnis, in dem sich die config.lua befinden.';
+$locale['step_config_site_url'] = 'Website URL';
+$locale['step_config_site_url_desc'] = 'Ihre Website-Adresse.';
 $locale['step_config_mail_admin'] = 'Admin E-Mail';
 $locale['step_config_mail_admin_desc'] = 'Adresse, an die E-Mails aus dem Kontaktformular gesendet werden, z. B. admin@gmail.com';
 $locale['step_config_mail_admin_error'] = 'Admin E-Mail ist nicht korrekt.';

system/locale/en/install.php

@@ -52,6 +52,8 @@ $locale['step_config'] = 'Configuration';
 $locale['step_config_title'] = 'Basic configuration';
 $locale['step_config_server_path'] = 'Server path';
 $locale['step_config_server_path_desc'] = 'Path to your TFS main directory, where you have config.lua located.';
+$locale['step_config_site_url'] = 'Website URL';
+$locale['step_config_site_url_desc'] = 'Your website address.';
 $locale['step_config_mail_admin'] = 'Admin Email';
 $locale['step_config_mail_admin_desc'] = 'Address where emails from contact form will be delivered, for example admin@gmail.com';
 $locale['step_config_mail_admin_error'] = 'Admin Email is not correct.';

system/locale/pl/install.php

@@ -52,6 +52,8 @@ $locale['step_config'] = 'Konfiguracja';
 $locale['step_config_title'] = 'Podstawowa konfiguracja';
 $locale['step_config_server_path'] = 'Ścieżka do serwera';
 $locale['step_config_server_path_desc'] = 'Ścieżka do Twojego folderu z TFS, gdzie znajduje się plik config.lua.';
+$locale['step_config_server_url'] = 'Adres strony';
+$locale['step_config_server_url_desc'] = 'Adres tej strony www.';
 $locale['step_config_mail_admin'] = 'E-Mail admina';
 $locale['step_config_mail_admin_desc'] = 'Na ten adres będą dostarczane E-Maile z formularza kontaktowego, przykładowo admin@gmail.com';
 $locale['step_config_mail_admin_error'] = 'E-Mail admina jest niepoprawny.';

system/pages/account/create.php

@@ -221,8 +221,14 @@ if($save)
 			}
 		}
 
-		if(setting('core.account_premium_points') && setting('core.account_premium_points') > 0) {
-			$new_account->setCustomField('premium_points', setting('core.account_premium_points'));
+		$accountDefaultPremiumPoints = setting('core.account_premium_points');
+		if($accountDefaultPremiumPoints > 0) {
+			$new_account->setCustomField('premium_points', $accountDefaultPremiumPoints);
+		}
+
+		$accountDefaultCoins = setting('core.account_coins');
+		if($db->hasColumn('accounts', 'coins') && $accountDefaultCoins > 0) {
+			$new_account->setCustomField('coins', $accountDefaultCoins);
 		}
 
 		$tmp_account = $email;

system/router.php

@@ -129,14 +129,14 @@ $dispatcher = FastRoute\cachedDispatcher(function (FastRoute\RouteCollector $r)
 		return ($a[3] < $b[3]) ? -1 : 1;
 	});
 
+	$aliases = [
+		[':int', ':string', ':alphanum'],
+		[':\d+', ':[A-Za-z0-9-_%+\' ]+', ':[A-Za-z0-9]+'],
+	];
+
 	// remove duplicates
 	// if same route pattern, but different priority
-	$routesFinal = array_filter($routesFinal, function ($a) {
-		$aliases = [
-			[':int', ':string', ':alphanum'],
-			[':\d+', ':[A-Za-z0-9-_%+\' ]+', ':[A-Za-z0-9]+'],
-		];
-
+	$routesFinal = array_filter($routesFinal, function ($a) use ($aliases) {
 		// apply aliases
 		$a[1] = str_replace($aliases[0], $aliases[1], $a[1]);
 
@@ -171,11 +171,6 @@ $dispatcher = FastRoute\cachedDispatcher(function (FastRoute\RouteCollector $r)
 			$route[0] = array_map($toUpperCase, $route[0]);
 		}
 
-		$aliases = [
-			[':int', ':string', ':alphanum'],
-			[':\d+', ':[A-Za-z0-9-_%+\' ]+', ':[A-Za-z0-9]+'],
-		];
-
 		// apply aliases
 		$route[1] = str_replace($aliases[0], $aliases[1], $route[1]);
 
@@ -252,7 +247,7 @@ else {
 
 				$success = false;
 				$tmp_content = getCustomPage($pageName, $success);
-				if ($success) {
+				if ($success && $hooks->trigger(HOOK_BEFORE_PAGE_CUSTOM)) {
 					$content .= $tmp_content;
 					if (hasFlag(FLAG_CONTENT_PAGES) || superAdmin()) {
 						$pageInfo = getCustomPageInfo($pageName);
@@ -260,6 +255,8 @@ else {
 							) . $content;
 					}
 
+					$hooks->trigger(HOOK_AFTER_PAGE_CUSTOM);
+
 					$page = $pageName;
 					$file = false;
 				}

system/routes.php

@@ -22,7 +22,7 @@ return [
 	['GET', 'account/confirm-email/{hash:alphanum}', 'account/confirm-email.php'],
 
 	['GET', 'bans/{page:int}', 'bans.php'],
-	[['GET', 'POST'], 'characters[/{name:string}]', 'characters.php'],
+	[['GET', 'POST'], 'characters[/{name:[A-Za-z0-9-_%+\' \[\]]+}]', 'characters.php'],
 	['GET', 'changelog[/{page:int}]', 'changelog.php'],
 	[['GET', 'POST'], 'monsters[/{name:string}]', 'monsters.php'],
 

system/settings.php

@@ -19,6 +19,15 @@ $templates = Cache::remember('templates', 5 * 60, function () {
 });
 $defaultTemplate = in_array('kathrine', $templates) ? 'kathrine' : $templates[0];
 
+global $db;
+
+if (!IS_CLI) {
+	require SYSTEM . 'base.php';
+
+	$serverUrl = 'http' . (isHttps() ? 's' : '') . '://' . $baseHost;
+	$siteURL = $serverUrl . $baseDir;
+}
+
 return [
 	'name' => 'MyAAC',
 	'settings' => [
@@ -30,6 +39,13 @@ return [
 			'type' => 'section',
 			'title' => 'General'
 		],
+		'site_url' => [
+			'name' => 'Website URL',
+			'type' => 'text',
+			'desc' => 'Website address of this MyAAC instance',
+			'default' => IS_CLI ? '' : $siteURL,
+			'is_config' => true,
+		],
 		'env' => [
 			'name' => 'App Environment',
 			'type' => 'options',
@@ -674,6 +690,13 @@ Sent by MyAAC,<br/>
 			'desc' => 'Default premium points on new account',
 			'default' => 0,
 		],
+		'account_coins' => [
+			'name' => 'Default Account Coins',
+			'type' => 'number',
+			'desc' => 'Default coins on new account',
+			'hidden' => ($db && !$db->hasColumn('accounts', 'coins')),
+			'default' => 0,
+		],
 		'account_mail_change' => [
 			'name' => 'Account Mail Change Days',
 			'type' => 'number',

system/src/Hook.php

@@ -38,6 +38,8 @@ class Hook
 	}
 
 	public function executeFilter(&$args) {
+		global $db, $config, $template_path, $ots, $content, $twig;
+
 		return include BASE . $this->_file;
 	}
 

system/src/Plugins.php

@@ -11,6 +11,25 @@ class Plugins {
 	private static $error = null;
 	private static $plugin_json = [];
 
+	public static function getInits()
+	{
+		return Cache::remember('plugins_inits', 10 * 60, function () {
+			$inits = [];
+			foreach(self::getAllPluginsJson() as $plugin) {
+				if (!self::getAutoLoadOption($plugin, 'init', false)) {
+					continue;
+				}
+
+				$pluginInits = glob(PLUGINS . $plugin['filename'] . '/init.php');
+				foreach ($pluginInits as $path) {
+					$inits[] = $path;
+				}
+			}
+
+			return $inits;
+		});
+	}
+
 	public static function getAdminPages()
 	{
 		return Cache::remember('plugins_admin_pages', 10 * 60, function () {

system/src/global.php

@@ -8,7 +8,9 @@ $i = 0;
 define('HOOK_INIT', ++$i);
 define('HOOK_STARTUP', ++$i);
 define('HOOK_BEFORE_PAGE', ++$i);
+define('HOOK_BEFORE_PAGE_CUSTOM', ++$i);
 define('HOOK_AFTER_PAGE', ++$i);
+define('HOOK_AFTER_PAGE_CUSTOM', ++$i);
 define('HOOK_FINISH', ++$i);
 define('HOOK_TIBIACOM_ARTICLE', ++$i);
 define('HOOK_TIBIACOM_BORDER_3', ++$i);
@@ -102,7 +104,6 @@ define('HOOK_FILTER_ROUTES', ++$i);
 define('HOOK_FILTER_TWIG_DISPLAY', ++$i);
 define('HOOK_FILTER_TWIG_RENDER', ++$i);
 define('HOOK_FILTER_THEME_FOOTER', ++$i);
-define('HOOK_FILTER_POT', ++$i);
 
 const HOOK_FIRST = HOOK_INIT;
 define('HOOK_LAST', $i);

system/templates/install.config.html.twig

@@ -9,7 +9,7 @@
 <form action="{{ constant('BASE_URL') }}install/" method="post" autocomplete="off">
 	<input type="hidden" name="step" id="step" value="database" />
 
-	{% for value in ['server_path'] %}
+	{% for value in ['site_url', 'server_path'] %}
 	<div class="form-group mb-2">
 		<label for="vars_{{ value }}">{{ locale['step_config_' ~ value]  }}</label>
 		<input class="form-control" type="{% if value == 'mail_admin' %}email{% else %}text{% endif %}" name="vars[{{ value }}]" id="vars_{{ value }}"{% if session['var_' ~ value] is not null %} value="{{ session['var_' ~ value] }}"{% endif %}/>