The voting button relied on HTMX implicitly including the enclosing form's token; make it explicit like the other form-based ajax actions (addComment, addPrivateMessage).
Core changes:
- Voting widget (core/system.php):
- Pass hx_include => '#form'.$votid to the vote action so the form (token + answers) is included
- Action fragment (templates/{lite,admin}/fragments/comment-action-ajax.html):
- Render an optional hx-include attribute when provided (no-op for other callers)
A stale or missing CSRF token on a go=1/2/5 request died with a raw "Illegal file access". Return the localized alert instead, and make the token constant available on the front end where the gate runs.
Core changes:
- Ajax gate (index.php):
- On token mismatch return the _TOKENMISS alert fragment instead of a bare die()
- Language constants:
- Add _TOKENMISS to all front-end lang files (loaded first at bootstrap, before the gate)
- Remove the now-duplicate _TOKENMISS from admin lang files
Callouts nested inside list items were emitted as raw "> [!...]" text instead of rendering as alert blocks.
Core changes:
- auto_links / changelog admin help (modules/*/admin/info/ru.md):
- Move the [!TIP]/[!IMPORTANT] callouts to top level so they render as .sl-alert
The *NN smiley rule matched the digits of bold markup and longer numbers, rendering a stray smiley (e.g. 12 ... produced smiley 12).
Core changes:
- BB block parser (core/classes/parser.php):
- Match smilies as (?<!\*)\*(0[1-9]|1[0-8])(?!\d): not after another asterisk, not inside a longer number
- Bold like 12 and numbers like *180 stay as text; .. still render
Remove the redundant control-panel path from the first line of every admin help page, and restructure the ratings help so a non-technical admin can grasp all the rules at a glance.
Core changes:
- All admin help (admin/info/*, modules/*/admin/info/*):
- Strip the "(admin.php?name=xxx)" reference from the section intro (44 pages)
- Reword the search help sentence that spelled out the path
- Ratings help (admin/info/ratings/ru.md):
- Group the content into: where rating works, the three per-module settings, and anti-farm protection
- Document the built-in protections (self-vote block, existing/published target only, no points for profile rating, daily point cap, 1-5 clamp)
- Move callouts to top level so they render, and drop bold that collided with the smiley syntax
The BB smiley rule turned any asterisk followed by two digits into an <img smilies/NN.gif>, but only icons 01-18 exist. Codes like 19-99 (and the leading digits of bold such as 30) rendered as a broken image anywhere user text is parsed (forum, comments, help docs).
Core changes:
- BB block parser (core/classes/parser.php):
- Narrow the smiley match from \*(\d{2}) to \*(0[1-9]|1[0-8])
- Out-of-range *NN now stays as plain text instead of a broken image
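The three stages of the smiley rule described in the two parser commits above (any asterisk plus two digits, the 01-18 range, and the range with the asterisk and digit guards), run side by side. This is an added example, not the project's parser code; the sample strings and the "[smiley NN]" placeholder are constructed for illustration.

```php
<?php
// Added illustration; not the code in core/classes/parser.php.
// Each pattern is one stage of the rule as the changelog describes it.
$rules = [
    'any two digits' => '/\*(\d{2})/',
    'range 01-18'    => '/\*(0[1-9]|1[0-8])/',
    'range + guards' => '/(?<!\*)\*(0[1-9]|1[0-8])(?!\d)/',
];

// Constructed sample inputs, one per case the commits mention.
$samples = [
    'Nice post *05',       // an icon that exists
    'See item *42 below',  // two digits outside the icon range
    'Limit is **12** max', // digits wrapped in bold markers
    'Ticket *180 closed',  // in-range digits that start a longer number
];

foreach ($samples as $text) {
    echo $text, "\n";
    foreach ($rules as $name => $pattern) {
        // A visible placeholder stands in for the <img> the parser would emit.
        $out = preg_replace($pattern, '[smiley $1]', $text);
        printf("  %-15s %s\n", $name, $out === $text ? '(unchanged)' : $out);
    }
}
```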
Overhaul how contribution points are earned and harden the rating endpoint against inflation, with a naming-compliance rename of the points primitives. No schema changes.
Core changes:
- Points primitives (core/system.php):
- Rename update_points -> updatePoints, addActionPoint -> addPointsAction (camelCase per .rules naming)
- addPointsAction: credit repeatable-action points once per (event, item, user/ip) within the retention window, reusing the _rating dedup table
- setContentActive: atomically promote pending content to active and credit submission points to the AUTHOR; replaces addPointsAuthor + a manual status flip
- Award timing moved submit -> approval (modules/*/index.php, modules/*/admin/index.php):
- Drop the immediate submit-time credit in news/pages/media/jokes/faq/links/files
- Credit the author via setContentActive on every promote-to-active path (full-edit save, single approve, batch activate)
- Repeatable-action dedup at call sites (modules/auto_links, files, links):
- auto_links view and file/link download now go through addPointsAction (no more unlimited farming by reloading the URL)
- Rating hardening (core/system.php getRatingView, core/helpers.php, index.php):
- Block rating your own account
- Accept votes only for an existing, visible target (status != 0) -> kills farming via non-existent ids
- Account rating awards no points; per-voter daily cap (<=30) on rating-earned points
- Keep the 0..5 rate clamp; wrap the vote in a transaction; number_format the average
- Narrow the go=1/2/5 CSRF-token exemption so only go=4 uploads may defer the token
Benefits:
- Removes point-inflation and group-escalation vectors (URL farming, rating id enumeration, self-rating)
- One forget-proof approval helper instead of 12 scattered award+flip sites
- Consistent camelCase points API
Technical notes:
- Reuses the existing _rating table for dedup and the per-voter cap; no schema change
- Behavior change: contribution points now appear when a moderator approves the item, not on submission
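A sketch of the rating gate this commit describes: self-rating block, visible-target check, 0..5 clamp, per-voter daily cap, and dedup inside one transaction. This is an added example, not the project's getRatingView(); the table, column and function names are hypothetical, the rows are constructed, and the oversized reward of 40 is there only to exercise the cap.

```php
<?php
// Added illustration, not the project's code. Tables, columns and castVote() are hypothetical.
const DAILY_CAP = 30; // per-voter daily cap on rating-earned points (from the changelog)

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE targets (kind TEXT, id INTEGER, status INTEGER)');
$db->exec('CREATE TABLE votes (kind TEXT, item INTEGER, voter INTEGER, rate INTEGER,
    points INTEGER, day TEXT, UNIQUE (kind, item, voter))');
// Constructed data: news 1 and 3 visible, news 2 pending, two accounts.
$db->exec("INSERT INTO targets VALUES ('news', 1, 1), ('news', 2, 0), ('news', 3, 1),
    ('account', 7, 1), ('account', 8, 1)");

function castVote(PDO $db, int $voter, string $kind, int $item, int $rate, int $reward = 1): string
{
    if ($kind === 'account' && $item === $voter) {
        return 'rejected: self-rating';
    }
    $rate = max(0, min(5, $rate)); // keep the 0..5 clamp
    $db->beginTransaction();
    try {
        // Only an existing, visible target (status != 0) can be rated.
        $q = $db->prepare('SELECT 1 FROM targets WHERE kind = ? AND id = ? AND status != 0');
        $q->execute([$kind, $item]);
        if ($q->fetchColumn() === false) {
            $db->rollBack();
            return 'rejected: no visible target';
        }
        // Points this voter already earned today, read inside the same transaction.
        $q = $db->prepare("SELECT COALESCE(SUM(points), 0) FROM votes WHERE voter = ? AND day = date('now')");
        $q->execute([$voter]);
        $left = max(0, DAILY_CAP - (int) $q->fetchColumn());
        $points = $kind === 'account' ? 0 : min($reward, $left); // account rating earns nothing
        $ins = $db->prepare("INSERT INTO votes VALUES (?, ?, ?, ?, ?, date('now'))");
        $ins->execute([$kind, $item, $voter, $rate, $points]); // UNIQUE key refuses a repeat vote
        $db->commit();
        return "accepted: rate=$rate points=$points";
    } catch (PDOException $e) {
        $db->rollBack();
        if ((string) $e->getCode() !== '23000') {
            throw $e; // anything but an integrity violation is a real error
        }
        return 'rejected: repeat vote';
    }
}

foreach ([[7, 'news', 1, 9, 40], [7, 'news', 1, 3], [7, 'news', 3, 4], [7, 'news', 2, 5],
          [7, 'news', 99, 5], [7, 'account', 7, 5], [7, 'account', 8, 4]] as $vote) {
    echo implode(' ', $vote), ' => ', castVote($db, ...$vote), "\n";
}
```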
Clarify how and when contribution points are credited in the points section of the groups admin help.
Core changes:
- Points section (admin/info/groups/ru.md):
- User content credits the author on moderation approval, not on submission
- Repeatable actions (download / outbound link / auto-link) count once per item within the window
- Soften the "real-time" wording to reflect approval-gated crediting
Bring the poll list in line with the shared sortable list (news liste): sortable columns, standard row hover, the info tip merged with the title, and the number anchor paired with the admin editor.
Core changes:
- voting() (modules/voting/index.php):
- table sortable; headers reordered to title / comments / votes / id
- Rows carry clean data-sort keys; admin editor via getTplEditMenu()
- voting-home partial (voting-home.html):
- sl-table-row (standard hover); info tip + title in one cell
- Comments and votes rendered as sl-chip-info / sl-chip-success chips with bi-chat-text / bi-hand-thumbs-up icons
- id anchor + editor menu in the trailing sl-table-col-num cell
- Lite theme (theme.css):
- Drop the .sl-table-list bottom margin for tighter list spacing
Benefits:
- Voting list matches the project-wide sortable list look and behaviour
- All columns sortable with correct numeric keys despite hidden panels
Rework the .sl-tip popover used by getTplTitleTip(): a chrome-free green "i" trigger, a position-aware arrow that flips with the panel, typography matching the admin tooltip, and no redundant default label.
Core changes:
- getTplTitleTip() (core/helpers.php):
- Single plain tip renders as content_html (no <dl> grid)
- Drop the default _INFO label so a bare tip shows no heading
- Popover fragments (lite + admin popover.html):
- Trigger .sl-but-mini -> .sl-tip-icon; render <dt> only when labelled
- Lite theme (theme.css):
- .sl-tip-icon: bare 16px (--sl-icon-size-xs) success-green glyph
- Shared .sl-float-panel arrow with .sl-float-up flip; colour per context; drop the old non-flipping .sl-menu arrow
- .sl-tip panel font 14px/16px and non-bold dt with a CSS ":" separator
Benefits:
- One direction-aware arrow for tips and the editor menu, both themes
- Tooltip reads like the admin tooltip; no duplicate/blurred glyphs