Commit Graph

11 Commits

Author SHA1 Message Date
myron 7eade583f7 Restrict Agent Info and Credit Accounting to master admin only; protect master admin account
- Agent Info: master admin sees full edit form; other admins see view-only panel with Copy and Open URL buttons
- Credit Accounting: master admin can manage entries; other admins see total only (Manage Credits button hidden)
- API: credits_create/update/delete require master admin; platform update strips agent fields for non-master
- Players: suspend/delete buttons disabled when viewing master admin account (UI + JS guards)
- URL fields (Agent Link, Games Link): open-in-new-tab arrow button added in both edit and view modes

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-06-04 18:06:17 +00:00
myron f50d1d481d Add Credit Accounting section to game management
- New table: platform_credits (id, platform_id, credits_purchased, credit_date, payment_method, notes)
- API: credits_list, credits_create, credits_update, credits_delete actions (admin-only)
- Admin form: Credit Accounting box showing Available Credits total; Manage Credits button opens modal
- Modal: Total Credits header, add/edit/delete entries with credits, date, payment method, notes
- Game list cards: show live credit total per game (cyan, loads async)

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-06-04 18:00:15 +00:00
myron 99079340cb Add sub-account and cashier credential fields to game management
- DB: added sub_agent_login, sub_agent_password, cashier_login, cashier_password to platforms table
- API: create/update handle all 4 new fields
- Admin: Sub-Account and Cashier sections added inside Agent Info box; game list cards display all new fields

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-06-04 17:51:37 +00:00
myron 0aec13daf4 Add agent fields to game management
- DB: renamed console_url to agent_link, added agent_login, agent_password, games_link, agent_guide to platforms table
- api/platforms.php: create/update now handles all 5 agent fields (admin-only)
- admin/index.php: game form has new Agent Info section (purple, admin-only styling); game list cards show all agent fields inline; JS saveGame/editGame/resetGameForm updated

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-06-04 17:39:48 +00:00
myron 497071e1b7 Fix pending_signups stat pollution and use branded reset email
- pending_signups stat and list queries now filter username != __reset__
  so active password-reset rows no longer inflate the signup counter or
  appear in the admin pending-signups list
- send_password_reset now calls sendPasswordResetEmail() from mailer.php
  instead of building a plain-text cybermailSend() call inline; the
  wrapper sends a branded dark-theme HTML email matching the verification
  email style
2026-06-03 06:01:49 +00:00
myron 5b364db2a5 Surface cybermailSend failure to admin on password reset
Previously the endpoint always returned success:true regardless of
whether the email was actually delivered. Now captures the bool return
value and returns success:false with an error message if CyberMail
fails, so the admin knows to retry rather than assuming delivery.
2026-06-03 03:57:22 +00:00
myron 9815db29d0 Add reset_password.php — password reset redemption page
Handles the /reset_password.php?token=... URL generated by the
admin send_password_reset action. Flow:
- GET: validates token against pending_registrations (username=__reset__,
  not expired), shows set-new-password form
- POST: re-validates token, enforces 6-char min + confirm match,
  bcrypt-hashes the new password, updates users.password by email,
  deletes the pending row to prevent reuse
- Invalid/expired token shows a clear error with link back to home

Matches the dark gaming aesthetic of verify.php.
2026-06-03 03:56:17 +00:00
myron 18ec3a7143 Fix broken password reset INSERT — SQL syntax error and wrong token value
The INSERT had two compounding bugs:
1. ".?" in the VALUES clause — a PHP dot inside a double-quoted string
   is a literal character, not concatenation. MySQL saw it as a syntax
   error and the INSERT always failed silently (no try/catch).
2. The token column had the literal string __reset__ hardcoded instead
   of a ? placeholder, so even if the INSERT had run, the real random
   token would never have been stored — the reset link was always invalid.

Fix: VALUES ("__reset__","",?,?,?,?) with execute(alias,email,token,exp)
giving 4 placeholders for 4 params, all columns correctly bound.
2026-06-03 03:54:16 +00:00
myron ad57071f97 Add DB schema (22 tables) and vhost config
2026-05-25 13:52:18 +00:00
myron 894392065c Security: remove test/debug/install files from production
2026-05-22 13:05:18 +00:00
myron 2e587941c2 Initial commit
2026-05-22 12:52:50 +00:00