Panel/Panel/CHANGELOG.md

Changelog

2026-05-18

• Cron ↔ Server Content action hook integration: Added scheduler-callable Server Content hooks in modules/addonsmanager/server_content_actions.php, exposed API route server_content/run_scheduled_action, and wired cron/user-cron action builders/parsing to support server content scheduled actions (check/install/queue/restart/validate/backup flows) without embedding game-specific install logic in the scheduler.
• Server Content Workshop Phase 1 in addonsmanager: Added a new Workshop Content flow under Server Content with per-home Workshop ID storage, ID validation/deduplication, install/update/remove/update-all actions, manifest-based script handoff (gsp_server_content/workshop_manifest.json), safe placeholder workshop scripts for Linux/Cygwin, and schema support via server_content_workshop plus addons.addon_type VARCHAR(32).
• Updater layout hardening + pre-update patch framework: Reworked modules/administration/panel_update.php to resolve explicit GSP root/Panel/Website paths, run mandatory preflight checks, self-update updater files before main sync when drift is detected, and apply ordered required patches from modules/update/patches/ with DB/local state tracking. Backup/rollback now includes both Panel + Website archives and root version.json, logs moved to root logs/update_trace.log, and the admin Update UI now exposes preflight, patch apply, Apache path scan/fix, backup, update, and rollback actions.
• Billing runtime relocation + portable path bootstrap: Re-homed storefront runtime to Panel/modules/billing, added portable runtime helpers (billing_bootstrap.php, site_config.php, site_config.example.php) with env/local override support for base path and panel path, normalized critical storefront redirects/links to computed billing URLs, and added Website compatibility wrappers for key billing entrypoints.
• Panel updater panel-subtree safety: Hardened updater logic to treat repository /panel as the update source when present (ZIP + git flows) so root-level docs/examples/scripts are no longer candidates for panel file overwrite during updates.
• Panel registration stability + captcha fallback hardening: Fixed a fatal syntax error in modules/register/register-exec.php, removed hardcoded/legacy registration redirects, added structured registration logging to modules/register/logs/register.log (auto-creates missing log dir), added duplicate username checks, added optional users_pass_hash write for PHP 8.3-compatible auth upgrades, and implemented graceful reCAPTCHA fallback when keys are missing/legacy-invalid or the widget reports an error so the themed registration flow no longer crashes with raw PHP errors.

2026-05-13

• Root Apache vhost template for split Panel/Website layout: Added SITES_AVAILABLE_EXAMPLE.conf at repo root with ready-to-copy sites-available examples for both Panel/ and Website/, covering HTTP→HTTPS redirects, SSL vhosts, example domains/paths, required Apache modules, Certbot (--apache and --webroot) commands, and verification/reload steps.
• Per-site Apache examples for direct deployment: Added examples/apache/panel.example.com.conf and examples/apache/website.example.com.conf so each site can be copied directly into /etc/apache2/sites-available/ with minimal edits.
• Apache install helper script: Added examples/apache/install-sites-available.sh to copy vhost examples into sites-available, optionally run a2enmod, a2ensite, apache2ctl configtest, and reload Apache in one flow.

2026-05-09

• Billing OS-variant rollback + exact-service provisioning: Removed storefront canonical Linux/Windows deduping and order-time OS service auto-switching so each enabled billing_services row is sold as its own variant. Checkout/provision now preserve the exact selected service_id/home_cfg_id/XML, enforce location OS compatibility without silent swapping, log selected XML context in provisioning traces, and show “Server installation is in progress.” instead of immediate executable-missing wording while update installs are active. Also replaced deprecated utf8_encode() usage in modules/gamemanager/view_server_log.php for PHP 8.3 compatibility.
• Mandatory provisioning trace log + existing-home install retry: Added visible fail-closed trace logging to modules/billing/logs/provisioning_trace.log, threaded detailed per-order provisioning results into checkout success flows, and changed billing provisioning so Active orders with an existing home_id only skip when the install is already complete. Incomplete existing homes now keep allocating missing IP/mod data and re-use gamemanager_trigger_update_install() with traced inputs/outputs instead of silently requiring a manual Game Monitor update.
• Billing provisioning auto-run + idempotency hardening: Updated paid capture, free checkout, PayPal webhook renewals, and admin add-home registration to always hand activated orders to billing_invoke_provision() in trusted internal context. modules/billing/create_servers.php now enforces 6-character alphanumeric default passwords, defaults new homes to ftp_status=1, adds stricter service/node/port/mod validation logging, retries existing home_id installs only when incomplete, and skips already-installed homes to prevent duplicate provisioning on refresh/retry paths.
• Game Monitor IP:PORT fallback reliability: modules/gamemanager/server_monitor.php now resolves missing display/connect endpoints from home_ip_ports + remote_server_ips for each home so newly provisioned servers consistently show IP:PORT even when initial joined row data is incomplete.
• Billing docs + auto-provision/install reliability: Updated Game Monitor and Support documentation links to always open https://gameservers.world/docs/ (game-specific path when available) in a new tab, and hardened billing provisioning so existing home_id orders can retry install automatically via the shared gamemanager update trigger (no manual Update Server click required). Added structured provisioning logs (modules/billing/logs/provisioning.log) and enriched panel log context with order/invoice/user/home/home_cfg/mod/ip/port/mechanism/result/error fields; PayPal webhook renewals now auto-provision when an order still has no home_id.
• Payment success provisioning visibility: Expanded modules/billing/payment_success.php to show per-order provisioning state (install started/pending/failed) using live order/home/IP-port/mod consistency checks, so users/admins can immediately see provisioning outcomes instead of silent failures.

2026-05-08

• Auto-install trigger + monthly-only billing pricing: Refactored Game Monitor update/install into a shared callable (modules/gamemanager/update_actions.php) reused by billing provisioning so new paid/free/admin-created homes auto-trigger the same install/update path used by m=gamemanager&p=update&update=refresh without manual clicks. Billing now treats monthly pricing (price_monthly) as canonical across admin service config, add-to-cart, free checkout, PayPal capture, and provisioning end-date math (31-day months), while preserving legacy daily/yearly columns for backward compatibility.
• LiteFM PHP 8.3 compatibility and install-pending UX: Removed deprecated ${var} interpolation usage, guarded missing fm_cwd_* session keys and dirname() null paths, and replaced directory-not-found warning output with a clear message when server files are not installed yet.
• Provisioning + billing admin UX reliability pass: Hardened automatic server provisioning to reserve ports from arrange_ports (exact home_cfg_id, then home_cfg_id=0 fallback), prevent duplicate home_ip_ports assignment, keep order/invoice/home linkage intact even when install is pending, and apply safe default mod resolution so base installs are not blocked by missing explicit mod choices. Refreshed billing admin service management with row-level save actions, sortable columns (including Game Name enabled-first toggle), clearer save feedback, cleaner unstable-update caution styling, login theme polish, and updated storefront timestamp footer metadata.
• Steam Workshop reliability + UI simplification: Removed customer CLI/update scripting instructions from Workshop user flow, reduced per-server behavior options to supported modes only, switched remaining Steam Workshop SQL references to prefix helpers (no OGP_DB_PREFIX strings), hardened queued-update agent processing (queued → updating → installed/failed) with clearer error persistence, and refreshed monitor/support documentation links to open game-specific docs (fallback to docs index) in a new tab.
• Billing docs routing refresh: Updated docs browser links/icons to root-relative storefront paths (/docs.php, /docs/...) and removed stale hardcoded panel host guidance from getting-started documentation.

2026-05-07

• README + storefront mobile/cart pricing fixes: Rewrote the root README for GSP positioning, hardened storefront mobile responsiveness (login, order, cart, shared header guardrails), fixed add-to-cart price persistence for low-decimal paid items, aligned cart/free-checkout math to total_due values, and refreshed the canonical storefront footer timestamp.
• Billing/cart/storefront stability pass: Hardened add_to_cart.php to build schema-compatible invoice inserts dynamically (including legacy installs missing period_start), fixed free-checkout DB close handling so wrapper objects are never passed to mysqli_close(), switched cart/free-total decisions to cent-based math so low nonzero prices (e.g. $0.02) never show as FREE, improved canonical game deduplication + OS variant matching in storefront list/order pages, and aligned Steam Workshop behavior labels with the new restart/update wording.

2026-05-06

• Panel settings language defaults: Added missing English labels/help text for login_ban_time, allow_setting_cpu_affinity, regex_invalid_file_name_chars, discord_invite_url, discord_webhook_main, and discord_webhook_admin; language lookup now loads English fallback strings when the active locale is missing a key so settings pages stop rendering raw _key_ tokens.
• Config XML section editor redesign: Added a top-level section-based XML editor in config_games with per-section Validate/Save/Reset actions, optional-section add/remove controls, required-section removal protection, and schema validation for section updates; kept the existing detailed node editor and full raw XML editor for advanced edits.
• Steam Workshop admin and routing cleanup: Reworked steam_workshop admin profile editing into clearer grouped dark-theme panels, added XML-based default detection/refresh flow with explicit overwrite confirmation, switched touched SQL to active DB prefix helpers, and re-enabled the p=user route in module navigation so valid user links no longer fail with “Invalid subpage given.”
• Billing/admin provisioning hardening: Styled the panel Migrate action like the other server action buttons, switched admin-created billing rows to the canonical monthly/31-day default, and made paid checkout fulfillment sync billing_orders.home_id, billing_invoices.home_id, and billing_transactions.home_id after provisioning so paid orders no longer stay at home_id = 0.
• Billing cart data correctness: add_to_cart.php now calculates invoice amounts from the selected slot count and duration, stores subtotal/total_due metadata, and replaces ChangeMe placeholders with securely generated passwords before anything is written to billing tables.
• PayPal/coupon idempotency: Cart checkout now stamps PayPal custom_id with the exact invoice IDs being purchased, capture/free/webhook handlers normalize month=31-day renewals, avoid duplicate transaction logs, and queue provisioning only for orders that still lack a home.

2026-05-05

• Billing checkout — automatic server provisioning after payment: Fixed the core provisioning gap where capture_order.php never populated $newOrderIds, so the auto-provisioner was always skipped. After a successful PayPal capture (or zero-dollar checkout), a billing_orders row is now created for each paid invoice and passed to billing_invoke_provision() so the game server is created/installed immediately without manual admin action.

• Billing checkout — duplicate provisioning prevention: Invoice→Order linkage is written atomically (billing_invoices.order_id updated after order creation). Because getUnpaidInvoicesForUser() filters on payment_status NOT IN ('paid',…), a retried PayPal capture will find no invoices and skip all processing — preventing duplicate servers.

• Billing checkout — paid invoices no longer reappear in cart: markInvoicePaid() now sets both payment_status='paid' and status='paid'. The cart query was also tightened to exclude any invoice where payment_status is paid/cancelled/refunded.

• Billing checkout — zero-dollar checkout: New checkout_free.php handles orders where a coupon reduces the total to $0. The cart now shows a "Complete Free Order" button instead of the PayPal button when $final_amount <= 0. Free checkout marks invoices paid (method=coupon), creates orders, increments the coupon use counter, and triggers provisioning — identical flow to a PayPal capture.

• Billing checkout — payment_success.php JOIN fix: Fixed a broken SELECT … s.game_name JOIN that referenced a non-existent column; corrected to s.service_name.

• Billing checkout — SQL migration: Added sql/002_billing_checkout_fixes.sql — idempotent migration that adds coupon_id, discount_amount, payment_status, subtotal, and total_due columns to gsp_billing_invoices, and coupon_id/discount_amount to gsp_billing_orders for older installations missing these columns.

• Billing order status standardization: Canonical billing_orders.status values are now Active, Invoiced, and Expired only. All old writes of installed, paid (as order status), and suspended have been replaced. A SQL migration script modules/billing/sql/normalize_billing_order_status.sql converts any existing legacy rows. Backward-compatibility read paths (e.g. renewable-status checks in my_account.php) are preserved until the migration runs.

• Expiration display date-only: The billing expiration shown on the game server monitor (server_monitor.php) now displays as YYYY-MM-DD only instead of YYYY-MM-DD HH:MM.

• Full-day expiration grace rule: A server whose end_date falls on today is treated as active for the entire calendar day. Expiration is only processed starting the next calendar day. This rule is applied consistently in: billing cron (cron-shop.php Steps B and C), the server monitor expiration helper (home_handling_functions.php::get_server_billing_expiration_html), and the OGP user/group assignment expiration processor (user_games/check_expire.php). All comparisons now use DATE(end_date) < CURDATE() (SQL) or < strtotime(date('Y-m-d')) (PHP) — never <= NOW() or <= time().

• GSP 1.0 baseline: Reset all bundled/core module versions to 1.0. DB schema versions ($db_version) are unchanged.

• FAQ module refresh: Restored online RSS update code from upstream (opengamepanel.org), fixed $local = false initialization bug, switched local cache to ogpfaq.rss, added PHP 8.3-compatible (array) casts, restored upstream credits footer, and opened navigation.xml access to user,admin,subuser.

• Config XML editor improvements: Added schema validation before save (both structured editor and raw XML path); invalid XML is rejected with line-level error messages instead of being written to disk. Added auto-restore from backup on validation failure. Fields are now displayed in schema-defined order with required/optional badges. Added a raw XML editing panel with validation warning. Unknown/custom XML fields are preserved when only specific nodes are modified.

• Obsidian theme: Added themes/Obsidian/ from hmrserver/Obsidian. The theme is immediately selectable in the panel theme settings.

• Removed 22 stray backup/duplicate files left by manual editing (.bak, .BAK, .orig, .backup extensions). Files inside modules/config_games/server_configs/backup/ (intentional runtime backup folder) were left untouched.

2026-05-01

• Changed panel update backup location from /var/backups/gsp-panel to <panel_root>/backups/ so all backups are self-contained inside the panel directory and require no external path or elevated permissions.
• Removed stale "Dev Testing" placeholder heading from the panel login page (index.php).

2026-05-01

• Added safe panel update system to home.php?m=administration&p=main:
  • Numbered Releases: fetches GitHub releases via API, shows newest-first dropdown, updates to selected tag.
  • Development Version: pulls from the stable branch (default Panel-stable).
  • Cutting Edge Version: pulls from the unstable branch (default Panel-unstable) with an instability warning.
  • Full pre-update backup (DB via mysqldump + panel files via PHP copy, excluding .git/, logs/, cache/, tmp/) saved to /var/backups/gsp-panel/YYYY-mm-dd_HH-MM-SS/.
  • backup.json metadata (timestamp, git commit, current version, update target) written with each backup.
  • Revert section lists available backups; restores files and database from the selected snapshot.
  • Config files (includes/config.inc.php, DB update-blacklist) preserved across all updates.
  • CSRF protection on every update/revert form; admin-only access enforced.
  • All update actions logged to logs/panel_updates.log.
  • Installed version/branch written to includes/panel_version.php after each update.

2026-04-23

• Applied a repository-wide PHP 8 compatibility sweep across PHP sources to harden array iteration/count/key checks, normalize date() timestamp casting, and quote bare delete/edit/remove string concatenations.

2026-01-31

• Rebuilt the Steam Workshop picker search to rely solely on Steam Community scraping (matching the working curl flow) and updated the request preview to show the actual Steam URL instead of a local panel endpoint.
• Added adapter AppID lookup for Workshop search so the picker can query Steam even when the server XML lacks a clear default installer entry.
• Switched Workshop picker results to checkbox selection, letting customers toggle multiple mods directly from the search list.
• Added a hardened Workshop scraping helper (the same HTML workflow we validated manually) and wired it into the Steam Workshop service as a fallback whenever the official API errors out or returns empty data.
• Added a native PHP HTTP scraper fallback (auto-selected when bash/proc_open is unavailable, e.g., on Windows XAMPP installs) so the Game Monitor search stops showing “Unable to contact the Steam Workshop” when the API dies but the HTML workflow still works.
• Surface scraper vs API attempts (including shell commands, exit codes, and stderr) in the JSON response so the Game Monitor can show exactly which backend produced the results.
• Bundled the reusable workshop_scrape.sh bash helper inside the module so future diagnostics can be run server-side without re-copying the ad-hoc script.

2026-01-25

• Replaced the Steam Workshop search backend with the official Steam Web API (QueryFiles) so searches are anonymous, paginated, and no longer depend on fragile HTML scraping.
• Added detailed Steam API failure logging plus structured JSON responses that expose pagination metadata to the UI.
• Introduced a reusable SteamCMD installer helper that downloads Workshop items with anonymous login, falls back to authenticated credentials, and captures all stdout/stderr in per-run log files.
• Documented the new search and install helpers to clarify expected usage from both the panel UI and CLI tooling.

2026-01-17

• Added per-game Steam Workshop adapter management with CRUD UI and automatic mapping helpers.
• Added workshop capability helpers and monitor button gating so only supported SteamCMD homes expose the Steam Workshop shortcut.

2026-01-18

• Reworked Steam Workshop support detection to read installer AppIDs directly from the canonical game XMLs, ensuring admin mappings and Game Monitor buttons only appear for true Workshop-enabled titles.

2026-01-19

• Hid staging directory, install strategy, and post-install script controls from non-admins to keep panel defaults enforced for customers.
• Added the Steam Workshop mod picker, including search-backed UI, JSON state handling, and refreshed styling so customers can select mods without touching raw ID lists.
• Pointed the Workshop search endpoint at whichever panel script rendered the page so AJAX searches work in both the main panel and the customer Game Monitor.
• Removed the per-server install-strategy selector so that behavior is governed solely by the admin adapter configuration.
• Removed the per-server post-install script field so hook execution stays defined at the adapter level only.