Mozgasnaplo Changelog
Versioning Scheme
Example: 1.12.1
- 1 --> Major version: Incremented after significant feature additions or front/backend restructuring.
- 12 --> Minor version: Incremented when adding new features. May also include bug fixes.
- 1 --> Patch (bugfix): Incremented after bug fixes or minor modifications to existing features.
v3.09.01 - 2025.11.18
System Configuration Improvements
- Migrate settings_application table to system_settings table
- Migrate settings_ldap table to system_settings table
v3.09.00 - 2025.11.18
System Configuration Overhaul
- Centralized Settings Table & Migration
  - Added system_settings table via sql/migrations/20251116_create_system_settings_table.sql
  - Boot process now merges DB overrides into $_ENV (assets/load-environment.php)
  - Helper getSystemSetting() caches values in assets/base-functions.php
  - All mail ordering logic now reads SMTP data from DB rather than .env
- System Settings UI Redesign
  - assets/admin/system-settings.php reorganized into scoped tabs (Core, Authentication, Mail, Ordering, API, License, LDAP)
  - Module enablement uses checkboxes, label-adjust applied for consistent layout
  - Sensitive fields (SMTP/API/license credentials) support show/hide toggles
  - CSRF-protected AJAX saves update system_settings and sync appMaxOrderDate
- Navigation & Access Control
  - Gear dropdown is sysadmin-only and collects all configuration entries plus the new audit log
  - Offcanvas sidebar now excludes system/admin links moved to the gear menu
- Activity Log Viewer
  - New /auditlog route renders assets/admin/logs/activity-log.php
  - Pulls from activity_log table with filtering by category, event type, user, IP, and date range
  - Human-readable context display and badge styling for categories
- Ordering Mail Improvements
  - PHPMailer configuration reads from mail.smtp_* settings to keep secrets centralized
Documentation / Localization
- Added English and Hungarian translation strings for new settings labels, module descriptions, audit log UI, and route slug
Profile Enhancements
- My Profile now exposes ordering contact and delivery fields (when the ordering module is enabled) with AJAX save support, grouping by Personal/Contact/Invoicing/Delivery sections plus postal-code autocomplete and tax-field translations.
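How the centralized settings layer of this entry can be wired up, as an added example that is not the project's assets/load-environment.php or base-functions.php: the boot step copies .env values into $_ENV and lets system_settings rows override them, and a SystemSettings::get() method stands in for the cached getSystemSetting() helper. It assumes a system_settings table with setting_key and setting_value columns and the precedence "database row beats .env value"; an in-memory SQLite database replaces MySQL so the script runs stand-alone.

```php
<?php
// Added example, not the project's assets/load-environment.php or base-functions.php: a
// boot-time merge of system_settings rows over .env values and a cached lookup in the role of
// getSystemSetting(), on an in-memory SQLite database so it runs stand-alone. The column
// names (setting_key, setting_value) and the precedence "database row beats .env value"
// are assumptions about the project.
declare(strict_types=1);

function openSettingsDb(): PDO
{
    $db = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
    $db->exec('CREATE TABLE system_settings (setting_key TEXT PRIMARY KEY, setting_value TEXT NOT NULL)');
    // Constructed rows: the SMTP host has been changed by a sysadmin in the UI, the port has not.
    $ins = $db->prepare('INSERT INTO system_settings (setting_key, setting_value) VALUES (?, ?)');
    $ins->execute(['mail.smtp_host', 'smtp.internal.example']);
    $ins->execute(['module.ordering_enabled', '1']);
    return $db;
}

// Boot step (load-environment.php role): .env values first, then the DB overrides win.
function loadEnvironment(PDO $db, array $dotenv): void
{
    foreach ($dotenv as $key => $value) {
        $_ENV[$key] = $value;
    }
    foreach ($db->query('SELECT setting_key, setting_value FROM system_settings') as $row) {
        $_ENV[$row['setting_key']] = $row['setting_value'];
    }
}

final class SystemSettings
{
    private PDO $db;
    /** @var array<string, ?string> values already read during this request */
    private array $cache = [];

    public function __construct(PDO $db)
    {
        $this->db = $db;
    }

    // getSystemSetting() role: one DB read per key per request, then $_ENV, then the default.
    public function get(string $key, ?string $default = null): ?string
    {
        if (array_key_exists($key, $this->cache)) {
            return $this->cache[$key];
        }
        $stmt = $this->db->prepare('SELECT setting_value FROM system_settings WHERE setting_key = ?');
        $stmt->execute([$key]);
        $value = $stmt->fetchColumn();
        if ($value === false) {
            $value = $_ENV[$key] ?? $default;
        }
        return $this->cache[$key] = $value;
    }

    // What the CSRF-protected AJAX save has to do besides persisting: refresh the cache and
    // $_ENV so nothing later in the same request keeps serving the stale value.
    public function save(string $key, string $value): void
    {
        $this->db->prepare('INSERT OR REPLACE INTO system_settings (setting_key, setting_value) VALUES (?, ?)')
                 ->execute([$key, $value]);
        $this->cache[$key] = $value;
        $_ENV[$key] = $value;
    }
}

// Walk-through with constructed .env contents.
$db = openSettingsDb();
loadEnvironment($db, ['mail.smtp_host' => 'smtp.example.com', 'mail.smtp_port' => '587']);
$settings = new SystemSettings($db);
echo 'smtp_host (DB overrides .env): ', $settings->get('mail.smtp_host'), "\n";
echo 'smtp_port (.env only):         ', $settings->get('mail.smtp_port'), "\n";
echo 'smtp_secure (default):         ', $settings->get('mail.smtp_secure', 'tls'), "\n";
$settings->save('mail.smtp_port', '465');
echo 'smtp_port after save:          ', $settings->get('mail.smtp_port'), "\n";
```

The cache is per request object, so a save made by another request is only picked up on the next boot; that is why the save path also writes $_ENV rather than relying on the boot merge alone.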
v3.08.01 - 2025.11.16
Security Enhancements
Documentation
- Security Analysis Documents Created
  - SECURITY_HEADERS_ANALYSIS.md - Complete audit of HTTP security headers
  - RATE_LIMITING_PROPOSAL.md - Rate limiting implementation proposal
  - CSP_HARDENING_PROPOSAL.md - Content Security Policy hardening roadmap
  - DATATABLES_PROPOSAL.md - DataTables integration proposal
v3.08.00 - 2025.11.16
Major Security Enhancements
- Session Timeout Validation
  - Implemented automatic session expiration based on the appLoginSessionInterval setting
  - Sessions now properly expire after the configured inactivity period
  - Automatic cleanup of expired sessions from database
  - Expired session events logged to activity log
- CSRF Token Rotation
  - CSRF tokens now rotate automatically after each successful form submission
  - Implemented rotateAndSendCSRFToken() function in base-functions.php
  - JavaScript handler automatically updates tokens from the X-CSRF-Token header
  - Enhanced protection against CSRF attacks through one-time token usage
- Comprehensive Activity Logging System
  - New activity_log table for tracking all user actions and security events
  - Log categories: INFO, WARN, SECURITY, ERROR, DEBUG
  - Automatic logging of: login success/failure, logout, session timeout, IP blocking, CSRF failures
  - JSON context data support for detailed event information
  - Convenience wrapper functions: logSecurityEvent(), logError(), logWarning(), logInfo()
- Session Concurrency Limit
  - Implemented enforceSessionLimit() function to limit concurrent sessions per user
  - Default limit: 5 concurrent sessions per user
  - Automatically terminates the oldest sessions when the limit is exceeded
  - Session limit enforcement events logged to activity log
- Automated Session Cleanup
  - Created cron job script: cron/cleanup_expired_sessions.php
  - Removes expired sessions from database based on timeout setting
  - Comprehensive logging of cleanup operations
  - Crontab configuration file provided: cron/mozgasnaplo.crontab
  - Scheduled to run daily at 2:00 AM
# 1. Verify the script is executable
chmod +x /path/to/cron/cleanup_expired_sessions.php
# 2. Edit the crontab file and update the path
nano /path/to/cron/mozgasnaplo.crontab
# 3. Import to crontab
crontab -l > mycron
cat /path/to/cron/mozgasnaplo.crontab >> mycron
crontab mycron
rm mycron
# 4. Verify installation
crontab -l
# 5. Test the script manually first
php /path/to/cron/cleanup_expired_sessions.php
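The session pieces of this entry (timeout validation in checkLogin(), enforceSessionLimit() with the default of 5, activity logging with JSON context, the random_bytes-based session token of v3.07.05 and the purge that cron/cleanup_expired_sessions.php performs) together in one runnable script, as an added example that is not Mozgasnaplo's own code. It assumes a user_sessions table, the activity_log columns shown, a fixed interval standing in for appLoginSessionInterval, and an in-memory SQLite database in place of MySQL.

```php
<?php
// Added example, not Mozgasnaplo's own base-functions.php or cron script: session timeout
// validation (checkLogin), per-user concurrency limit (enforceSessionLimit), the
// random_bytes-based session token of v3.07.05, activity logging with JSON context, and the
// cleanup the cron job performs, on an in-memory SQLite database so it runs stand-alone.
// The user_sessions table, the activity_log columns and the interval value are assumptions.
declare(strict_types=1);

const SESSION_LIMIT = 5;              // default from the changelog
const LOGIN_SESSION_INTERVAL = 900;   // stands in for appLoginSessionInterval (seconds; assumed value)

function openDb(): PDO
{
    $db = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
    $db->exec('CREATE TABLE user_sessions (
        id INTEGER PRIMARY KEY AUTOINCREMENT, user_id INTEGER NOT NULL,
        session_token TEXT NOT NULL UNIQUE, last_activity INTEGER NOT NULL)');
    $db->exec('CREATE TABLE activity_log (
        id INTEGER PRIMARY KEY AUTOINCREMENT, category TEXT NOT NULL, event_type TEXT NOT NULL,
        user_id INTEGER, ip TEXT, context TEXT, created_at INTEGER NOT NULL)');
    return $db;
}

// Wrapper in the spirit of logSecurityEvent(): category fixed to SECURITY, context stored as JSON.
function logSecurityEvent(PDO $db, string $event, ?int $userId, array $context = [], string $ip = '127.0.0.1'): void
{
    $stmt = $db->prepare('INSERT INTO activity_log (category, event_type, user_id, ip, context, created_at)
                          VALUES (?, ?, ?, ?, ?, ?)');
    $stmt->execute(['SECURITY', $event, $userId, $ip, json_encode($context, JSON_THROW_ON_ERROR), time()]);
}

// Token from the CSPRNG only (no IP, username or clock in it), then apply the per-user limit.
function createSession(PDO $db, int $userId, int $now): string
{
    $token = bin2hex(random_bytes(32));
    $db->prepare('INSERT INTO user_sessions (user_id, session_token, last_activity) VALUES (?, ?, ?)')
       ->execute([$userId, $token, $now]);
    enforceSessionLimit($db, $userId, SESSION_LIMIT);
    return $token;
}

// Keeps the $limit most recently active sessions of the user, terminates the rest, logs it.
function enforceSessionLimit(PDO $db, int $userId, int $limit): int
{
    $stmt = $db->prepare('SELECT id FROM user_sessions WHERE user_id = ?
                          ORDER BY last_activity DESC, id DESC LIMIT -1 OFFSET ?');
    $stmt->bindValue(1, $userId, PDO::PARAM_INT);
    $stmt->bindValue(2, $limit, PDO::PARAM_INT);
    $stmt->execute();
    $excess = $stmt->fetchAll(PDO::FETCH_COLUMN);
    $del = $db->prepare('DELETE FROM user_sessions WHERE id = ?');
    foreach ($excess as $id) {
        $del->execute([$id]);
    }
    if ($excess !== []) {
        logSecurityEvent($db, 'session_limit_enforced', $userId, ['terminated' => count($excess), 'limit' => $limit]);
    }
    return count($excess);
}

// checkLogin(): the session must exist and have been active within the interval; an idle
// session is removed and logged as session_timeout, a live one gets its timestamp refreshed.
function checkLogin(PDO $db, string $token, int $now): bool
{
    $stmt = $db->prepare('SELECT id, user_id, last_activity FROM user_sessions WHERE session_token = ?');
    $stmt->execute([$token]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        return false;
    }
    $idle = $now - (int)$row['last_activity'];
    if ($idle > LOGIN_SESSION_INTERVAL) {
        $db->prepare('DELETE FROM user_sessions WHERE id = ?')->execute([$row['id']]);
        logSecurityEvent($db, 'session_timeout', (int)$row['user_id'], ['idle_seconds' => $idle]);
        return false;
    }
    $db->prepare('UPDATE user_sessions SET last_activity = ? WHERE id = ?')->execute([$now, $row['id']]);
    return true;
}

// What cron/cleanup_expired_sessions.php does: purge every session idle longer than the interval.
function cleanupExpiredSessions(PDO $db, int $now): int
{
    $stmt = $db->prepare('DELETE FROM user_sessions WHERE last_activity < ?');
    $stmt->execute([$now - LOGIN_SESSION_INTERVAL]);
    return $stmt->rowCount();
}

// Walk-through with a fixed clock ($t0) instead of time().
$db = openDb();
$t0 = 1700000000;
$tokens = [];
for ($i = 0; $i < 7; $i++) {
    $tokens[] = createSession($db, 42, $t0 + $i);   // seven logins for one user
}
echo 'sessions kept after 7 logins: ', $db->query('SELECT COUNT(*) FROM user_sessions')->fetchColumn(), "\n";
echo 'oldest token still valid: ', var_export(checkLogin($db, $tokens[0], $t0 + 10), true), "\n";
echo 'newest token valid: ', var_export(checkLogin($db, $tokens[6], $t0 + 10), true), "\n";
echo 'newest token after idle period: ', var_export(checkLogin($db, $tokens[6], $t0 + 10 + LOGIN_SESSION_INTERVAL + 1), true), "\n";
echo 'purged by cleanup: ', cleanupExpiredSessions($db, $t0 + 2 * LOGIN_SESSION_INTERVAL), "\n";
foreach ($db->query('SELECT event_type, context FROM activity_log') as $e) {
    echo $e['event_type'], ' ', $e['context'], "\n";
}
```

The limit is enforced at login rather than on every request, and the timeout check and the cron purge use the same interval constant so a session never survives in the database after checkLogin() would have rejected it.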
Technical Improvements
- Updated checkLogin() function with timeout validation and security logging
- Enhanced logoutSession() function with activity logging
- Integrated activity logging into authentication flow (login-auth.php)
- Created CSRF token rotation JavaScript handler: assets/js/csrf-token-handler.js
- Added global helper functions: getCSRFToken(), updateCSRFToken(), addCSRFTokenToFormData(), addCSRFTokenToData()
Database Schema
- Added activity_log table with comprehensive event tracking fields
- Indexes optimized for security monitoring and user activity queries
- JSON column for flexible context data storage
================================================================
Example event types to log:
================================================================
SECURITY:
- login_success
- login_failed
- logout
- session_timeout
- session_expired
- csrf_failure
- session_hijack_attempt
- ip_blocked
- suspicious_activity
- password_changed
- mfa_enabled
- mfa_disabled
--
DATA:
- visitor_created
- visitor_updated
- visitor_deleted
- gate_entry
- gate_exit
- order_created
- order_updated
- settings_changed
--
ERROR:
- database_error
- permission_denied
- validation_failed
- api_error
--
INFO:
- page_view
- export_generated
- report_generated
- email_sent
================================================================
Files Added
sql/create_activity_log_table.sql - Activity log table creation script
cron/cleanup_expired_sessions.php - Automated session cleanup script
cron/mozgasnaplo.crontab - Crontab configuration for automated tasks
assets/js/csrf-token-handler.js - Client-side CSRF token rotation handler
Files Modified
assets/base-functions.php - Added activity logging, session timeout, concurrency limit, CSRF rotation
assets/includes/general/login-auth.php - Integrated activity logging and session concurrency
assets/includes/general/footer.php - Added CSRF token handler script
public/index.php - Version bump to 3.08.00
v3.07.05 - 2025.11.16
Security Update
- Cookie generation now uses bin2hex(random_bytes(32)) instead of IP+username+hrtime for improved security.
v3.07.04 - 2025.11.16
Backend Development
- Removal of legacy, deprecated CSRF token system code
v3.07.03 - 2025.11.15
Documentation
- README.md Update
- Comprehensive README creation with installation guide
- System architecture and technology stack documentation
- Developer guide additions
v3.07.02 - 2025.11.15
Bug Fixes
- Camera Include Fix
  - import-carplates-to-cameras.php: Fixed include order
  - get-available-cameras-for-import.php: Fixed field mapping (camera_id → id)
v3.07.01 - 2025.11.15
New Features
- CSV Import - Camera Upload Integration
  - Direct upload of imported license plates to cameras after CSV import
  - New Step 4: Camera selector UI with active camera list
  - New endpoints: get-available-cameras-for-import.php, import-carplates-to-cameras.php
  - Feedback on upload results per camera
  - 25+ new translations (hu_HU, en_US)
Bug Fixes
v3.07.00 - 2025.11.15
Major Changes – Top 10 Frequent Visitors Feature
NEW FEATURE: Automatically prefill the gate traffic form with the 10 most frequent visitors on the page.
New Features
Backend Enhancements
- New backend files:
  - assets/includes/traffic/movements/get-top10-visitors.php – Top 10 query
    - SQL GROUP BY by visitor and company
    - COUNT(*) based ordering
    - Last 30 days filter
    - Gate-specific filtering
  - assets/includes/traffic/movements/get-visitor-latest-entry.php – Load full entry data
    - Complex JOINs (traffic_gates, traffic_visitors, traffic_visitor_company, traffic_targetperson, settings_visitortypes, traffic_carplates)
    - Entry permission information
    - Falls back to default carplate when available
Frontend Enhancements
- Modified files:
  - assets/includes/traffic/movements/gate-traffic.php:
    - Added Top 10 card container at the top of the page
    - Header copy with icon and subtitle
    - Bootstrap row/col grid structure
  - assets/js/traffic/movement-scripts.js (+177 lines):
    - loadTop10Visitors() – AJAX call to fetch Top 10
    - renderTop10Cards() – card renderer
    - autoFillFromTop10() – load entry data on click
    - fillFormWithData() – full form population logic
    - escapeHtml() – XSS protection helper
    - Auto-load Top 10 on page load
    - Auto-refresh cards after successful entry save
UI/UX Enhancements
- Bootstrap-native design
  - Fully uses the Bootstrap card component
  - No custom CSS (aside from inline cursor: pointer)
  - Responsive grid breakpoints:
    - col-6: mobile (2 columns)
    - col-sm-4: tablet (3 columns)
    - col-md-3: laptop (4 columns)
    - col-lg-2: desktop (6 columns)
  - Text truncation for long names + tooltip support
  - Badge colors: warning (1st), info (2nd), success (3rd), secondary (4-10)
- Touch-friendly design
  - Entire card surface is clickable
  - Card size optimized for tapping
  - Hover and focus states included
  - Smooth scrolling to the form
Language Support
- New translation keys (3):
- Hungarian (hu_HU.po):
- TEXT_TOP10_FREQUENT_VISITORS: "Gyakori Látogatók"
- TEXT_TOP10_LAST_30_DAYS: "30 nap"
- TEXT_TOP10_VISITS: "látogatás"
- English (en_US.po):
- TEXT_TOP10_FREQUENT_VISITORS: "Frequent Visitors"
- TEXT_TOP10_LAST_30_DAYS: "Last 30 days"
- TEXT_TOP10_VISITS: "visits"
Performance Optimizations
- Efficient SQL queries:
  - Single GROUP BY query for the Top 10 list
  - Reuses gateid and arrivetime indexes
  - LIMIT 10 applied
  - LEFT JOINs only for required data
- Asynchronous loading:
  - AJAX-driven data fetch
  - Does not block page render
  - Fault tolerant (hides the widget when an error occurs)
Usage
- Open any gate traffic page (for example “Gate 1”)
- The Top 10 cards load automatically on top
- Click a card
- The form fills with the visitor’s last entry
- Adjust or approve the data
- Press the “Entry” button
- The Top 10 list refreshes automatically
Files
New files (2):
assets/includes/traffic/movements/get-top10-visitors.php (~75 lines)
assets/includes/traffic/movements/get-visitor-latest-entry.php (~95 lines)
Modified files (4):
assets/includes/traffic/movements/gate-traffic.php (+11 lines of HTML)
assets/js/traffic/movement-scripts.js (+177 lines)
assets/languages/hu_HU/LC_MESSAGES/hu_HU.po (+3 msgid)
assets/languages/en_US/LC_MESSAGES/en_US.po (+3 msgid)
Summary
- New feature: Rapid entry for Top 10 frequent visitors
- Files: 2 new, 4 modified
- Lines: ~260 new lines (PHP + JavaScript)
- Translations: 3 new keys per language
- Design: Pure Bootstrap, responsive, touch-friendly
v3.06.00 - 2025.11.15
Major Changes – Visitor CSV Import Feature
NEW FEATURE: Bulk import visitors and their carplates from CSV.
New Features
Backend Enhancements
- New backend file:
  - assets/admin/traffic/visitor-import-csv.php – CSV processing backend
    - CSV parsing with UTF-8 support
    - Automatic column mapping for multilingual headers (HU/EN)
    - Chunk processing with error handling
    - Detailed statistics collection
    - CSRF protection and permission checks
- Helper functions:
  - Auto-detect country codes from license plate
  - Fuzzy matching for visitor_company and entity_assignment names
  - Duplicate detection for visitors and carplates
  - Intelligent visitor_type matching
Frontend Enhancements
- Modified file:
  - assets/admin/traffic/visitor-account-change.php:
    - Added “Import Visitors (CSV)” button
    - Full import modal implementation
    - JavaScript handlers for upload and processing
    - Results display with colored status cards
    - Modal state management + reset flow
- New template file:
  - public/templates/visitor_import_template.csv – downloadable sample CSV with example data
Language Support
- 30+ new translation keys:
- Hungarian (hu_HU.po): Import buttons, modal titles, field names, error messages
- English (en_US.po): Full English coverage
- Rich field descriptions and error texts in both languages
Additional Improvements
Usage
- Open the Visitor editor page
- Click the “Import Visitors (CSV)” button
- (Optional) Download the template CSV
- Select your CSV file (max 5 MB)
- Click “Start Import”
- Monitor the processing progress bar
- Review stats and error details
- Refresh the visitor list
Files
New files (3):
assets/admin/traffic/visitor-import-csv.php
public/templates/visitor_import_template.csv
Modified files (3):
assets/admin/traffic/visitor-account-change.php (~200 lines of JavaScript + modal HTML)
assets/languages/hu_HU/LC_MESSAGES/hu_HU.po (+30 msgid)
assets/languages/en_US/LC_MESSAGES/en_US.po (+30 msgid)
Summary
- New feature: CSV import for visitors and license plates
- Files: 3 new, 3 modified
- Lines: ~700 new lines (PHP backend + JavaScript frontend)
- Translations: 30+ new keys for both languages
- Import type: Flexible, fault tolerant, detailed feedback
v3.05.00 - 2025.11.14
Major Changes – Unified Entity Management System
SIGNIFICANT REFACTOR: settings_property and settings_companydata merged into a single hierarchical entity system.
New Features
- Unified entity management
  - Manage properties and companies on one page (change-entity-management.php)
  - Hierarchical structure: properties → companies (parent-child)
  - Entity type selector when creating new records (property/company)
  - Visual differentiation: 🏢 property, 🏪 company badges
  - Choose parent property when creating companies
- Hierarchical access control
  - Property-level users see the property plus all companies underneath
  - Company-level users only see their own company
  - Sysadmin sees every property and company
  - Applied to cameras and carplates as well
- Camera assignment improvements
  - Cameras can be linked to a property OR a company
  - Optgroup dropdown separates properties and companies
  - Property-level cameras become visible to all child companies
  - Company-level cameras remain private to that company
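The hierarchical access control and camera sharing rules of this entry, implemented together as an added example that is not the project's camera-functions.php or base-functions.php: a property-level user sees the property and its child companies, a company-level user only its own company, sysadmin everything, and property cameras are shared downwards to child companies while company cameras stay private. The entity_type, parent_entity_id and isActive columns follow the changelog; the cameras table, the user array shape, the role names and the in-memory SQLite database are assumptions.

```php
<?php
// Added example, not the project's camera-functions.php or base-functions.php: the visibility
// rule of the unified entity system (property user sees the property and its child companies,
// company user only its own company, sysadmin everything) and the camera sharing rule
// (property cameras visible to child companies, company cameras private), on an in-memory
// SQLite database. Column names entity_type, parent_entity_id and isActive follow the
// changelog; the cameras table, user array shape and role names are assumptions.
declare(strict_types=1);

function openEntityDb(): PDO
{
    $db = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
    $db->exec('CREATE TABLE settings_companydata (
        id INTEGER PRIMARY KEY, entity_name TEXT NOT NULL, entity_type TEXT NOT NULL,
        parent_entity_id INTEGER REFERENCES settings_companydata(id), isActive INTEGER NOT NULL DEFAULT 1)');
    $db->exec('CREATE TABLE cameras (id INTEGER PRIMARY KEY, name TEXT NOT NULL, entity_id INTEGER NOT NULL)');
    // Constructed data: two properties, three tenant companies, one camera per entity.
    $db->exec("INSERT INTO settings_companydata VALUES
        (1, 'North Park', 'property', NULL, 1), (2, 'Acme Ltd', 'company', 1, 1),
        (3, 'Beta Kft', 'company', 1, 1), (4, 'South Park', 'property', NULL, 1),
        (5, 'Gamma Zrt', 'company', 4, 1)");
    $db->exec("INSERT INTO cameras VALUES
        (10, 'North gate', 1), (11, 'Acme dock', 2), (12, 'Beta dock', 3),
        (13, 'South gate', 4), (14, 'Gamma dock', 5)");
    return $db;
}

// Entity ids the user may manage. $user = ['role' => 'sysadmin'|'user', 'entity_id' => ?int].
function visibleEntityIds(PDO $db, array $user): array
{
    if ($user['role'] === 'sysadmin') {
        $ids = $db->query('SELECT id FROM settings_companydata WHERE isActive = 1 ORDER BY id')->fetchAll(PDO::FETCH_COLUMN);
        return array_map('intval', $ids);
    }
    $stmt = $db->prepare('SELECT id, entity_type FROM settings_companydata WHERE id = ? AND isActive = 1');
    $stmt->execute([$user['entity_id']]);
    $own = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($own === false) {
        return [];                           // unknown or soft-deleted entity: deny by default
    }
    if ($own['entity_type'] === 'company') {
        return [(int)$own['id']];            // company users never see sibling companies
    }
    // Property users: the property itself plus every active child company.
    $stmt = $db->prepare('SELECT id FROM settings_companydata
                          WHERE isActive = 1 AND (id = ? OR parent_entity_id = ?) ORDER BY id');
    $stmt->execute([$own['id'], $own['id']]);
    return array_map('intval', $stmt->fetchAll(PDO::FETCH_COLUMN));
}

// Camera names the user may see: own scope, plus the parent property's cameras for company users.
function visibleCameras(PDO $db, array $user): array
{
    $ids = visibleEntityIds($db, $user);
    if ($user['role'] !== 'sysadmin' && $ids !== []) {
        $stmt = $db->prepare('SELECT parent_entity_id FROM settings_companydata WHERE id = ?');
        $stmt->execute([$user['entity_id']]);
        $parent = $stmt->fetchColumn();
        if ($parent !== false && $parent !== null) {
            $ids[] = (int)$parent;
        }
    }
    if ($ids === []) {
        return [];
    }
    $marks = implode(',', array_fill(0, count($ids), '?'));
    $stmt = $db->prepare("SELECT name FROM cameras WHERE entity_id IN ($marks) ORDER BY id");
    $stmt->execute($ids);
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

// Walk-through for the four kinds of user.
$db = openEntityDb();
$users = [
    'sysadmin'        => ['role' => 'sysadmin', 'entity_id' => null],
    'North Park user' => ['role' => 'user', 'entity_id' => 1],
    'Acme user'       => ['role' => 'user', 'entity_id' => 2],
    'Gamma user'      => ['role' => 'user', 'entity_id' => 5],
];
foreach ($users as $label => $user) {
    printf("%-16s entities=%s cameras=%s\n", $label,
        json_encode(visibleEntityIds($db, $user)), json_encode(visibleCameras($db, $user)));
}
```

The two functions are deliberately separate: the entity scope is what a user may edit, the camera scope adds the parent's shared cameras on top, so an "Acme user" gets the North gate camera without ever being able to list or edit the Beta Kft entity or its dock camera.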
Backend Enhancements
Database Changes
- Unified table structure:
  - settings_companydata extended with entity_type ENUM('company','property') to differentiate entity types
  - Column renames: company_* → entity_*
  - parent_entity_id: self-referencing foreign key (company → property)
  - settings_property table removed (merged)
- Indexes: entity_type, parent_entity_id
- New constraint: fk_parent_entity (self reference)
Navigation & Routing
- Unified menu item:
  - Separate “Company management” + “Property management” replaced with single “Property & Company Admin”
  - Menu header now shows property name (previously company name)
  - URI: /entitas-kezelese (HU) or /entity-management (EN)
- Backward compatibility:
  - Legacy URLs automatically redirect to the new page
    - /cegek-kezelese → unified page
    - /ingatlan → unified page
New backend files
assets/admin/change-entity-management.php – unified UI
assets/admin/entity-search.php – entity lookup (AJAX)
assets/admin/entity-update.php – create/update entities
assets/admin/entity-delete.php – soft delete with validation
assets/admin/entity-logo-upload.php – logo handling
Modified files (19)
Property management (5 files):
change-property-management.php, property-search.php, property-update.php, property-delete.php, property-logo-upload.php
Company management (5 files):
change-company-management.php, company-search.php, company-update.php, company-delete.php, company-logo-upload.php
Camera module (3 files):
change-camera-settings.php – optgroup dropdown
change-carplates.php – optgroup dropdown
camera-functions.php – hierarchical logic
User management (3 files):
change-local-account.php, login-card.php, set-new-user-password.php
Core (4 files):
base-functions.php, data-save.php, offcanvas-menu.php, routing.php
Language Support
- 30 new translations (Hungarian + English):
- Unified management copy
- Entity type labels
- Camera assignment strings
- Error messages
- Tooltip content
Bug Fixes
- Config path fix: correct initialization for entity backend files
- Camera validation: accept property entities while saving cameras
- Camera username removal: fixed bind_param type (integer → string)
- Translation duplicates: removed duplicate msgids (TEXT_RESP_NO_PROPERTIES, TEXT_PAGE_ENTITY_MGMT)
SQL File Updates
sql/mozgasnaplo_DB_structure.sql – reflects new entity structure
Performance & Security
- SQL aliases used for backward compatibility
- Prepared statements across all queries
- CSRF protection on every action
- Soft delete via isActive flag for data retention
Summary
Touched files: 30+ (19 modified, 5 new, 2 SQL, 2 language packs, 2 docs)
New lines: ~1,500
Broken backward compatibility: None (legacy URLs redirected)
Database migration required: Yes (migration script included)
v3.04.02 - 2025.11.11
Enhancements
- License validation now uses caching to avoid excessive server requests. License verification occurs once daily.
v3.04.01 - 2025.11.11
Bug Fix
- validatePassword() bug fix
v3.04.00 - 2025.11.10
New Features
- License Verification Implementation
  - verifyLicense() function added (base-functions.php)
  - API call to external license server (cURL)
  - License status display in footer (client name, expiration date)
  - Automatic shutdown on invalid license
  - 5 new translation keys added (hu_HU.po)
Modified Files:
- assets/base-functions.php (verifyLicense function)
- assets/includes/general/footer.php (license display)
- assets/languages/hu_HU/LC_MESSAGES/hu_HU.po + .mo
- public/index.php (version bump)
v3.03.18 - 2025.11.10
Enhancements
Modifications
- Base Functions
  - displaySubmitButton() function extended with new $prop parameter
  - Allows adding custom HTML attributes (e.g. disabled) to buttons
  - Usage: displaySubmitButton("btnId", "TEXT_BUTTON", "submit", "", "disabled")
  - Location: assets/base-functions.php:1271 (line 1297)
- Routing Update
  - Profile page route redirected to new location
  - Old: assets/admin/change-local-profile.php
  - New: assets/admin/local-profile/local-profile.php
  - Location: assets/routing.php:78
Translation Strings
- 2 new translation keys added (en_US.po, hu_HU.po):
  - TEXT_RESP_PASSWORD_LENGHT - "Password length is incorrect."
  - TEXT_RESP_USERNAME_MISSING - "Username is missing."
Modified Files:
- assets/admin/change-local-profile.php → assets/admin/local-profile/local-profile.php (renamed + AJAX conversion)
- assets/admin/local-profile/local-profile-update.php (new file - AJAX endpoint)
- assets/admin/change-local-account.php (dynamic password validation)
- assets/base-functions.php (displaySubmitButton enhancement)
- assets/routing.php (route update)
- assets/languages/en_US/LC_MESSAGES/en_US.po + .mo
- assets/languages/hu_HU/LC_MESSAGES/hu_HU.po + .mo
- public/index.php (version bump)
v3.03.17 - 2025.11.10
Bug Fixes
- Accounts Management (/accounts/edit) - CSRF Token Error
  - Problem: Using old SESSION-based CSRF validation
  - Solution:
    - Updated to use validateCSRFToken()
    - Backward compatibility: $_POST['csrf_token'] ?? $_POST['csrfToken']
    - Token rotation added on successful operations (UPDATE and INSERT)
  - Result: Account editing and creation works ✅
- Profile Management (/profile) - Parse Error and CSRF
  - Problem 1: Parse error - Unmatched '}' on line 74
    - Cause: Extra closing braces remained in code (lines 72-74)
    - Solution: Removed 3 extra closing braces
  - Problem 2: Two different CSRF checks, both using old SESSION-based method
    - Solution: Unified CSRF validation for both forms
    - Token rotation added on both successful operations
  - Result: Parse error fixed, profile save works ✅
- Companies Management - CSRF Token and JSON Response Error
  - Problem 1: Invalid CSRF Token
    - Location: company-update.php (lines 29-34)
    - Cause: Using old SESSION-based validation
    - Solution: Updated to use validateCSRFToken()
  - Problem 2: Wrong toast color (green instead of red on error)
    - Cause: updateSuccess()/updateFailed() returns string, not JSON
    - Solution: All responses in JSON format
    - Content-Type: application/json header added
    - Token rotation: After every successful operation
  - Updated endpoints:
    - company-update.php - Create/Update companies
    - company-delete.php - Company deletion
    - local-account-delete.php - User deletion
  - Result: CSRF works, toast colors correct ✅
- Companies Management Route - Invalid Character %20
  - Problem: URL "Companies management" → "Companies%20management"
  - Solution: Space removed → "companies-management"
  - NOTE: .po file updated, but .mo file needs recompilation!
  - Result: Clean URL without spaces ✅
Modified Files:
- assets/admin/change-local-profile.php (Parse error fix + CSRF validation + token rotation)
- assets/admin/company-update.php (CSRF validation + JSON responses + token rotation)
- assets/admin/company-delete.php (CSRF validation + JSON responses + token rotation)
- assets/admin/local-account-delete.php (CSRF validation + token rotation)
- assets/languages/en_US/LC_MESSAGES/en_US.po (URL fix)
- public/index.php (version bump)
v3.03.16 - 2025.11.10
Bug Fixes
v3.03.15 - 2025.11.10
Bug Fixes
- Complete CSRF Token Rotation Coverage - All Endpoints Updated
  - Problem: Only visitor/traffic modules got token rotation in v3.03.14
  - Solution: ALL JSON endpoints updated with automatic token rotation
Camera Module Endpoints (7 files):
- assets/admin/camera/carplate-save.php
- assets/admin/camera/carplate-delete.php
- assets/admin/camera/carplate-remove.php
- assets/admin/camera/carplate-sync.php
- assets/admin/camera/camera-update.php
- assets/admin/camera/camera-delete.php
- assets/admin/camera/camera-test-connection.php
- assets/admin/camera/carplate-import.php
Admin/Settings Endpoints (2 files):
- assets/admin/property-update.php (3 success points)
- assets/admin/property-delete.php
Password Reset:
- assets/includes/general/set-new-user-password-handler.php
Updates in all files:
- Old SESSION-based CSRF validation → validateCSRFToken()
- Added rotateAndSendCSRFToken(true) after successful operations
- Backward compatibility: $_POST['csrf_token'] ?? $_POST['csrfToken']
- Result:
- ✅ ALL modules support automatic token rotation
- ✅ Camera management: add/edit/delete/sync/test/import
- ✅ Property management: create/update/delete
- ✅ Unified CSRF protection across ENTIRE application
- ✅ No more "Invalid CSRF token" errors anywhere!
v3.03.14 - 2025.11.10
Enhancements
- Automatic CSRF Token Rotation with Client-side Update
  - New function: rotateAndSendCSRFToken() in base-functions.php
    - Token rotation after every successful operation
    - New token sent in HTTP header (X-CSRF-Token) AND JSON response (csrf_token)
  - Global JavaScript Handler (custom-scripts-header.js)
    - Automatically updates ALL csrf_token fields on page
    - Using $(document).ajaxComplete()
    - Supports both JSON response and X-CSRF-Token header
  - Updated Endpoints with Token Rotation:
    - assets/admin/traffic/visitor-carplate-add.php
    - assets/admin/traffic/visitor-carplate-update.php
    - assets/admin/traffic/visitor-carplate-delete.php
    - assets/admin/traffic/visitor-account-update.php
    - assets/data-save.php
  - Result:
    - ✅ Multiple operations on same page WORK
    - ✅ Token automatically refreshes after every AJAX operation
    - ✅ No page reload needed
    - ✅ Improved security with token rotation
Bug Fixes
- CSRF Token Undefined Variable Bugfix
  - visitor-carplate-add.php: $csrfToken → $token (lines 20-23)
  - visitor-carplate-delete.php: $csrfToken → $token (lines 19-22)
  - visitor-camera-assignments.php: already fixed in v3.03.13
  - Result: Carplate add works even BEFORE save! ✅
v3.03.12 - 2025.11.10
Bug Fixes
- CSRF Token System - AJAX Data Key & Validation Fix
  - CRITICAL BUG FIXED: Two separate issues resolved
  1. AJAX Data Key Problem:
    - JavaScript read token from input[name="csrf_token"] (correct)
    - But sent as csrfToken: value (incorrect)
    - Solution: All AJAX data objects updated: csrf_token: value (correct)
    - Updated files (~50+ AJAX calls):
      - assets/js/traffic/movement-scripts.js
      - assets/js/ordering/cart-ui.js
      - assets/admin/traffic/change-visitor-data.php (2 AJAX calls)
      - assets/admin/camera/* (all AJAX calls)
      - assets/admin/change-*.php (all settings files)
  2. Backend Validation Problem:
    - 6 *-update.php files still used OLD SESSION-based validation
    - Old: if ($csrfToken != $_SESSION["csrfToken"])
    - New: if (!validateCSRFToken($token))
    - Updated backend files:
      - assets/admin/traffic/visitor-account-update.php
      - assets/admin/traffic/visitor-carplate-update.php
      - assets/admin/traffic/visitor-carplate-add.php
      - assets/admin/traffic/visitor-carplate-delete.php
      - assets/admin/camera/visitor-camera-assignments.php
      - assets/admin/camera/carplate-import.php
  - Result: Token validation now WORKS everywhere! ✅
  - Visitor and camera management working! ✅
v3.03.11 - 2025.11.10
Bug Fixes
- CSRF Token System Simplification - Phase 7 (JavaScript Migration)
  - CRITICAL: All JavaScript code updated to use new csrf_token field
  - This version fixes forms functionality - forms didn't work after Phase 6!
  - Updated files:
    - assets/js/traffic/movement-scripts.js (3 replacements)
    - assets/js/ordering/cart-ui.js (meta tag)
    - 13 PHP files with inline JavaScript:
      - change-visitor-type.php, visitor-account-change.php
      - change-gate.php, change-visitor-data.php
      - change-camera-settings.php, change-carplates.php
      - change-application-data.php, change-ldap-data.php
      - change-property-management.php, change-company-management.php
      - change-company-data.php, change-local-account.php
      - menu-gate-list.php
  - All token references: csrfTokenXXX → csrf_token
  - Forms now work with new token system
  - Next step: Remove legacy functions (Phase 8)
v3.03.10 - 2025.11.10
New Features
- CSRF Token System Simplification - Phase 6 (Admin/Settings & General Forms)
  - Admin/Settings and general forms migrated to new CSRF system
  - 10 files updated: writeCSRFToken() → writeCSRFTokenField()
  - Migrated files:
    - assets/admin/change-company-data.php
    - assets/admin/change-company-management.php
    - assets/admin/change-property-management.php
    - assets/admin/change-local-account.php
    - assets/admin/change-local-profile.php (2 forms)
    - assets/admin/change-application-data.php
    - assets/admin/change-ldap-data.php
    - assets/includes/general/set-new-user-password.php
    - assets/includes/general/login-card.php
  - ALL PHP forms now use csrf_token field
  - Backward compatibility: JavaScript still uses old field names (Phase 7)
  - Next step: JavaScript update (Phase 7)
v3.03.9 - 2025.11.10
New Features
- CSRF Token System Simplification - Phase 4 (Camera Module)
  - Camera module forms migrated to new CSRF system
  - 2 files updated: writeCSRFToken() → writeCSRFTokenField()
  - Migrated files:
    - assets/admin/camera/change-camera-settings.php
    - assets/admin/camera/change-carplates.php
  - All Camera module forms now use csrf_token field
  - Backward compatibility: JavaScript still uses old field names (Phase 7)
  - Next step: Ordering module (Phase 5)
v3.03.8 - 2025.11.10
New Features
- CSRF Token System Simplification - Phase 3 (Traffic Module)
  - Traffic module forms migrated to new CSRF system
  - 7 files updated: writeCSRFToken() → writeCSRFTokenField()
  - Migrated files:
    - assets/admin/traffic/change-visitor-type.php
    - assets/admin/traffic/visitor-account-change.php
    - assets/admin/traffic/change-visitor-data.php
    - assets/admin/traffic/change-gate.php
    - assets/includes/traffic/movements/gate-traffic.php
    - assets/includes/traffic/modal-leave.php
    - assets/includes/traffic/menu-gate-list.php
  - All Traffic module forms now use csrf_token field
  - Backward compatibility: JavaScript still uses old field names (Phase 7)
  - Next step: Camera module (Phase 4)
v3.03.7 - 2025.11.10
New Features
- CSRF Token System Simplification - Phase 2 (Core Validation)
  - data-save.php migrated to new simplified CSRF system
  - Supports both new (csrf_token) and old (csrfToken) tokens
  - Automatic token rotation after successful operations
  - Backward compatibility maintained: old tokens still work
  - Validation priority:
    - Use new simplified token (csrf_token) if it exists
    - Fall back to old token system if the new one is not received
  - Timing-safe comparison with validateCSRFToken() function
  - Next step: Migrate modules to new system (Phase 3-6)
v3.03.6 - 2025.11.08
New Features
- CSRF Token System Simplification - Phase 1 (Foundation)
  - New simplified CSRF token functions added (base-functions.php)
  - Single token usage per session (instead of 13)
  - Token rotation implemented after successful form submission (better security)
  - New functions:
    - generateCSRFToken() - Token generation
    - validateCSRFToken() - Token validation (timing-safe)
    - rotateCSRFToken() - Token rotation
    - writeCSRFTokenField() - HTML field output
    - getCSRFToken() - Token retrieval for JS/AJAX usage
  - Old system still works (backward compatibility)
  - Start of gradual migration (Gradual Migration - Option A)
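The single-token scheme of this Phase 1 entry, the timing-safe validation and the csrf_token/csrfToken fallback from Phase 2 (v3.03.7), and the rotateAndSendCSRFToken() delivery of the new token in both the X-CSRF-Token header and the JSON body from v3.08.00, implemented together as one added example that is not the project's base-functions.php. It assumes the session key 'csrf_token' and the JSON response shape, and runs from the CLI with $_SESSION used as a plain array instead of a started session.

```php
<?php
// Added example, not the project's base-functions.php: the single-token CSRF scheme of
// Phase 1 with timing-safe validation and post-success rotation, plus the
// rotateAndSendCSRFToken() behaviour of v3.08.00 (new token in the X-CSRF-Token header and
// in the JSON body). Runs from the CLI with $_SESSION used as a plain array; the session
// key 'csrf_token' and the JSON response shape are assumptions.
declare(strict_types=1);

const CSRF_SESSION_KEY = 'csrf_token';

// One token per session, created lazily; 32 random bytes from the CSPRNG, hex-encoded.
function generateCSRFToken(): string
{
    if (empty($_SESSION[CSRF_SESSION_KEY])) {
        $_SESSION[CSRF_SESSION_KEY] = bin2hex(random_bytes(32));
    }
    return $_SESSION[CSRF_SESSION_KEY];
}

function getCSRFToken(): string
{
    return generateCSRFToken();
}

// Timing-safe: hash_equals() does not stop at the first differing byte, so the comparison
// time leaks nothing about how much of the token an attacker guessed right.
function validateCSRFToken(?string $token): bool
{
    if ($token === null || $token === '' || empty($_SESSION[CSRF_SESSION_KEY])) {
        return false;
    }
    return hash_equals($_SESSION[CSRF_SESSION_KEY], $token);
}

function rotateCSRFToken(): string
{
    $_SESSION[CSRF_SESSION_KEY] = bin2hex(random_bytes(32));
    return $_SESSION[CSRF_SESSION_KEY];
}

// Hidden field for PHP-rendered forms; the value is escaped for the attribute context.
function writeCSRFTokenField(): string
{
    $value = htmlspecialchars(getCSRFToken(), ENT_QUOTES, 'UTF-8');
    return '<input type="hidden" name="csrf_token" value="' . $value . '">';
}

// Rotate after a successful operation and hand the new token to the client both ways.
// The header is only set while headers can still be sent (i.e. before any output).
function rotateAndSendCSRFToken(bool $sendHeader = true): string
{
    $new = rotateCSRFToken();
    if ($sendHeader && !headers_sent()) {
        header('X-CSRF-Token: ' . $new);
    }
    return $new;
}

// A JSON endpoint in the style the changelog describes: validate first, reject on mismatch
// without rotating, rotate only after the operation succeeded.
function handleUpdate(array $post): array
{
    $token = $post['csrf_token'] ?? $post['csrfToken'] ?? null;   // new field name first, old as fallback
    if (!validateCSRFToken($token)) {
        return ['success' => false, 'message' => 'Invalid CSRF token'];
    }
    // ... the real update would happen here ...
    return ['success' => true, 'message' => 'Saved', 'csrf_token' => rotateAndSendCSRFToken(true)];
}

// Walk-through from the CLI.
$_SESSION = [];
$first = getCSRFToken();
echo writeCSRFTokenField(), "\n";

$rejected = handleUpdate(['csrf_token' => str_repeat('0', 64)]);   // constructed wrong token
echo json_encode($rejected), "\n";
echo 'token unchanged after rejection: ', var_export(getCSRFToken() === $first, true), "\n";

$accepted = handleUpdate(['csrf_token' => $first]);
echo json_encode($accepted), "\n";
echo 'old token still valid: ', var_export(validateCSRFToken($first), true), "\n";
echo 'new token valid: ', var_export(validateCSRFToken($accepted['csrf_token']), true), "\n";
```

In a real endpoint the header must be emitted before the JSON body is echoed, which is why rotateAndSendCSRFToken() is called while building the response array rather than after printing it; the client-side handler then reads either the header or the csrf_token body field and rewrites every csrf_token input on the page, so a second AJAX call on the same page carries the rotated value.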
v3.03.5 - 2025.11.08
Bug Fix
- After exit, the leave_notes field value must be cleared.
v3.03.4 - 2025.11.08
Bug Fix
- New row didn't appear without page refresh at gate entry (gate-traffic.php)
- data-save.php: HTML response was not output in "traffic_save" case
- Echo statement on lines 787-788 was commented out
- Solution: Added echo immediately after HTML construction (line 693)
v3.03.3 - 2025.11.07
Bug Fix
- Primary carplate and entry permission values were not passed when using the resync button
  - change-visitor-data.php: Fixed field identifiers for resync button
    - $('#entry_permission') → $('#entry_allowed')
    - $('#default_carplate') → $('#primary_carplate')
v3.03.2 - 2025.11.07
New Features
- Pending Synchronization Handling
  - On failed camera connection, carplates enter "pending" status
  - Warning message appears in visitor editor when synchronization is pending
  - "Resync" button added to retry pending carplates
Bug Fixes
- visitor-account-update.php structural issues fixed
- Removed duplicate if blocks
- Made UPDATE query accessible when data changes
- Cleaner code structure and logic
- Use 'pending' status instead of 'failed' on unsuccessful sync
- visitor-camera-sync.php: Mark as 'pending' on failed upload/verification
- pending_count return value instead of failed_count
Translation Strings
- 10 new translation strings added (en_US.po, hu_HU.po):
- TEXT_LABEL_CAMERA_SYNC, TEXT_HELP_CAMERA_SYNC_AUTO
- TEXT_NO_CAMERAS_SELECTED, TEXT_CAMERAS_SELECTED
- TEXT_BTN_RETRY_SYNC, TEXT_MSG_PENDING_SYNCS
- TEXT_LABEL_PENDING_PLATES, TEXT_SYNCING
- TEXT_RESP_SYNC_RETRY_SUCCESS, TEXT_RESP_SYNC_RETRY_FAILED
v3.03.1 - 2025.11.07
Bug Fix
- Camera selection removal didn't work when editing visitor
- visitor-account-update.php: Detect camera assignment change even with empty array
- Compare previous and new camera lists on every save
- Sync always runs if camera assignment changed (even with empty list)
- Missing translation strings added (en_US.po, hu_HU.po)
- TEXT_RESP_NO_CAMERAS_ASSIGNED
- TEXT_RESP_NO_PLATES_TO_REMOVE
- TEXT_RESP_REMOVED_FROM_CAMERAS
- TEXT_RESP_SYNC_SUCCESS
- TEXT_RESP_SYNC_PARTIAL
v3.03.0 - 2025.11.XX (WIP)
New Features
- Unified Visitor-Camera Management
- Automatic synchronization of visitor carplates to cameras on save
- traffic_carplates table extended (country code, validity dates)
- traffic_carplate_camera junction table (carplate ↔ camera sync status)
- Automatic removal from cameras when deleting visitor/carplate
- Automatic country code detection from carplate
- Three operating modes: TRAFFIC-only, CAMERA-only, BOTH
Bug Fix
- Camera removal didn't work when editing visitor (clearing checkbox selection)
- syncTrafficCarplatesToCamera() now supports empty list upload
- removeTrafficCarplatesFromCamera() now always syncs, even with empty list
- New message added: "Camera whitelist successfully cleared"
Database Changes
- traffic_carplates: +5 columns (country_code, effective_start_date, effective_end_date, created_at, updated_at)
- traffic_carplate_camera: new junction table for sync status tracking
Backward Compatibility
- TRAFFIC-only clients: NO changes, 100% compatible
- New columns are NULL if not used
v3.02.1 - 2025.11.07
Bug Fix
- label-adjust.js didn't work on AJAX-loaded content (change-visitor-data.php)
  - Manual label width setting added to visitor editor form
  - Runs with 50ms delay after DOM rendering
  - Automatic equal width for all `.input-group-text` labels
v3.02.0 - 2025.11.07
New Features
- Visitor carplate management with AJAX operations
  - Add, edit, delete carplates with AJAX
  - Automatic validation using camera-functions.php
  - 30+ EU/Balkan country recognition with flag display
  - Inline editing with visual feedback
  - Automatic primary carplate update
  - Bootstrap modals instead of prompt/alert
  - 4 new AJAX endpoints (add, update, delete, list)
Modifications
- Convert form fields to input-group layout
- Switch from floating labels to input-group-text labels
- Use `<label>` element with `for` attribute instead of `<span>`
- Uniform appearance with label-adjust.js support
- Primary carplate automatically updates on save
Bug Fixes
- Fixed carplate editing auto-save
- Fixed delete button multiple clicks
- Enter key support in modals
v3.01.0 - 2025.11.07
Modifications
- Camera carplate editor reorganization
  - Camera selector panel removed from page top
  - Inline checkbox list under company selector
  - Display only active cameras
  - Automatic checkbox selection when loading carplate
  - Whitelist/blacklist toggle removed
    - All carplates treated as whitelist
    - Simplified user interface
  - Display inactive cameras below active ones
v3.00.0 - 2025.11.02
New Features
1. Camera Module (ANPR - Automatic Number Plate Recognition)
- Hikvision ANPR camera integration via ISAPI protocol
- Camera settings page (IP, port, HTTPS, username, password with AES-256-CBC encryption)
- Camera allowed vehicles management (carplate whitelist)
- Import carplates from allowed parking permissions
- Duplicate carplate checking, CRUD operations
- Camera connection testing, status checking
- AJAX API endpoints for camera management (7 new endpoints)
2. Property Management
- New complete property management interface for sysadmin
- Property CRUD operations (create, edit, delete, list)
- Property data: name, short name, address, email, phone, logo
- Assign companies to properties (using company_property_id field)
- Referential integrity check on deletion (checking active company count)
- Two-panel interface: list panel + editor panel
- 4 new AJAX endpoints for property management
3. Company Management Enhancements
- Company management access redesign: sysadmin (all companies) + siteadmin (own company only)
- Siteadmin users automatically loaded with their own company
- Conditional UI display: hidden company list for siteadmin, full-width editor
- Logo upload system on all three company editor screens:
  - File upload with AJAX, preview at 50x50 px
  - Automatic image conversion to JPG format
  - Image resizing to max 250x250 px, preserving aspect ratio
  - Filename sanitization: lowercase, hyphenated, only [a-z0-9-] characters
  - Files saved to /upload directory (outside DOCROOT)
  - Old logo automatically deleted on new upload
- Standard Bootstrap input-group layout everywhere (140px wide labels)
4. Permission Management Redesign
- New helper functions:
  - `getUserType(int $userId): ?int` - Get user type
  - `getUserCompanyId(int $userId): ?int` - Get user company ID
- Access permissions redesign:
  - Sysadmin (usertype 2): all functions, all companies and properties
  - Siteadmin (usertype 1): edit own company only
  - Conditional access validation on all AJAX endpoints
- CSRF token protection on all POST operations
5. New Helper Functions
- `sanitizeLogoFilename(string $name, string $suffix): string` - Filename sanitization for logos
- `processLogoImage(string $source, string $dest): bool` - Image processing (resize, conversion)
- `getUploadDir(): string` - Get upload directory path
- `deleteLogoFile(string $filename): bool` - Secure logo file deletion
- `isReallyEmpty($value): bool` - Empty value check (0, "0" not empty)
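As an added illustration of the logo-upload rules listed under Company Management Enhancements and of the helper signatures just listed, not the project's own code: the function names follow this changelog, while the bodies, the DOCROOT constant, the JPEG quality and the path-containment check are assumptions.

```php
<?php
// Added illustration of the changelog's logo-upload rules (sanitized name,
// JPG conversion, 250x250 max, storage outside DOCROOT). Not the project's
// code: names follow the listed signatures, bodies are assumptions.

// Assumption: DOCROOT is the public web root and /upload sits beside it,
// so uploaded files are never directly servable.
function getUploadDir(): string
{
    return dirname(DOCROOT) . '/upload';
}

// Lowercase, hyphenate, keep only [a-z0-9-]; the client name is never trusted.
function sanitizeLogoFilename(string $name, string $suffix): string
{
    $base = preg_replace('/[^a-z0-9]+/', '-', strtolower($name));
    $base = trim($base, '-') ?: 'logo';
    return $base . '-' . $suffix . '.jpg';
}

// Decode by content (not by extension), fit into 250x250 keeping the aspect
// ratio, and always re-encode as JPG so no foreign format is stored.
function processLogoImage(string $source, string $dest): bool
{
    $data = @file_get_contents($source);
    if ($data === false || @getimagesizefromstring($data) === false) {
        return false; // not a real image
    }
    $img = @imagecreatefromstring($data);
    if ($img === false) {
        return false;
    }
    $w = imagesx($img);
    $h = imagesy($img);
    $scale = min(1.0, 250 / max($w, $h));
    if ($scale < 1.0) {
        $img = imagescale($img, (int) round($w * $scale), (int) round($h * $scale));
    }
    return $img !== false && imagejpeg($img, $dest, 85); // assumed quality
}

// Delete only a bare filename that resolves inside the upload dir.
function deleteLogoFile(string $filename): bool
{
    if ($filename !== basename($filename)) {
        return false; // reject any path component
    }
    $dir = realpath(getUploadDir()) . DIRECTORY_SEPARATOR;
    $path = realpath(getUploadDir() . '/' . $filename);
    return $path !== false && strncmp($path, $dir, strlen($dir)) === 0 && unlink($path);
}
```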
6. Database Changes
- `settings_camera` table creation (camera data storage)
- `settings_camera_carplates` table (camera whitelisted carplates, many-to-many relationship)
- `settings_property` table activation (property data)
- `settings_companydata.company_property_id` field usage (company-property relationship)
7. UI/UX Improvements
- Unified Bootstrap 5 based input-group layout
- Two-panel layout (list + editor) on administrative pages
- Real-time AJAX upload for logos with immediate preview
- Conditional UI elements display based on user permissions
- Toast messages for all AJAX operation feedback
- Image gallery preview for uploaded logos
8. Routing and Navigation
- New route: URI_FUNC_PROPERTY (/ingatlan) - Property management page
- New route: URI_FUNC_CAMERA - Camera settings page
- New route: URI_ACTION_CAMERA_SETTINGS - Camera settings
- New route: URI_ACTION_CARPLATES - Allowed carplates
- New menu items in offcanvas menu:
  - Property management (sysadmin)
  - Camera settings (sysadmin + siteadmin)
  - Camera carplates (sysadmin + siteadmin)
9. Security
- AES-256-CBC encryption for camera passwords
- CSRF token validation on all data modification operations
- Prepared statements in all SQL queries
- File upload validation (size, type, content checking)
- Access permission checking on all AJAX endpoints
- Referential integrity check before deletion
10. Multilingual Support
- 150+ new translation keys added (English + Hungarian):
  - Camera module translations (30+ keys)
  - Property management translations (20+ keys)
  - Logo upload translations (11 keys)
  - Company management additional translations (15+ keys)
  - Error messages and tooltips (40+ keys)
  - URI translations for new routes (10+ keys)
- All .po and .mo files updated
11. API Integration
- Hikvision ISAPI XML-based REST API communication
- 17 new AJAX endpoints:
  - Camera CRUD operations (4 endpoints)
  - Camera connection testing (1 endpoint)
  - Carplate management (3 endpoints)
  - Property management (4 endpoints)
  - Company management additions (3 endpoints)
  - Logo upload (2 endpoints)
Statistics
- Modified files: ~50
- New lines of code: ~3500+
- New database tables: 4
- New API endpoints: 17
- New translation keys: 150+
v2.01.0 - 2025.10.18
New Features
- Ordering page (checkout flow, cart, filtering)
- Past orders section on the user side
- Admin order summaries plus daily delivery sheet generation
v2.00.1 - 2025.10.07
Bug Fix
v2.00.0 - 2025.08
New Features
- Modular architecture with three modules:
  - Traffic log
  - License plate recognition with Hikvision ANPR cameras
  - Ordering
v1.02.2 - 2025.07.25
Bug Fix
- (#92) Password length validation error
v1.02.1 - 2025.07.06
New Features
- Clicking the version number now opens the changelog
Modification
- (#89) Record gate movements with dynamic table refresh
v1.01.1 - 2025.04
New Features
- (#79) Limit failed login attempts
- (#73) Implement CSRF token protection
Modification
- (#85) Changed TIMESTAMP columns to DATETIME in SQL to avoid the Y2038 issue
- (#84) Moved LoginSessionInterval and FailedBlockDuration values into the database
- (#75) Automatic logout after X minutes of inactivity
- (#83) Clean up session and blocking records via DB event instead of on every run
- (#71) Harden SQL queries
v1.01.0 - 2024.10.17
New Features
- (#81) Let users edit their own profile data and change password
Modification
- (#65) Pagination for parking permits
- (#82) Configure minimum password length in the ENV file
Bug Fix
- (#77) Hide broken image icon on login if no logo is set
- (#78) Show the offcanvas menu even if no movement exists yet
v1.00.00 - 2024.09.23
New Features
- (#50) Collapsible sidebar menu (offcanvas)
- (#51) Fully mobile-friendly layout
- (#61) Separate parking permits and single-use visitors
- (#67) Load movements for the last used gate on login (default gate)
- (#68) Language selector
- (#52) Local user authentication
- (#66) Company logo upload on company profile
Modification
- Design: input radius 0 px; font-size 0.9rem
- Design: login dialog centered within viewport without border
- Rewrite changelog into Markdown
- Bootstrap Icons upgrade 1.10.2 → 1.x
- Bootstrap upgrade 5.1.3 → 5.x
- jQuery upgrade 3.6.1 → 3.x
- Load Bootstrap and jQuery via jsDelivr CDN
- Update copyright text and remove year
- Convert translations to gettext (PO) format
Bug Fix
- If the session cookie is missing from the DB, delete the received cookie + session (protect against stolen cookies)
- Move PHP debug configuration from index.php to config.php
- (#54) Set default timezone
- (#58) Keep entry type for known visitors
- (#59) Fix displayed parking options for existing visitors
- (#62) Visitor name is required
- (#64) Hide table columns responsively when resizing the movement table
- (#69) Show empty page if no default gate exists
- (#76) Limit logo dimensions
- (#60) Allow deletion of existing license plates
v0.08.01 - 2022.12.13
Modification
- (#49) Reduce retroactive event logging window to 10 minutes
v0.08.00 - 2022.11.20
Modification
- Bootstrap upgrade 5.1.3 → 5.2.2
- Bootstrap Icons upgrade 1.8.3 → 1.10.2
- jQuery upgrade 3.6.0 → 3.6.1
- jQuery UI upgrade 1.13.1 → 1.13.2
Bug Fix
- (#46) Fix column wrapping on parking permit list
- (#45) Review line weights after Bootstrap upgrade
- (#44) Fix button and tooltip border radius on login screen
v0.07.00 - 2022.11.20
New Features
- (#4) Pre-fill “Who they visit” field from the last event
- (#10) Persist In/Out switch state per user
- (#41) Autocomplete for “arrived from” and “going to” inputs
- (#43) Allow filtering parking permits by license plate
v0.06.001 - 2022.11.18
New Features
Bug Fix
- Missing translation key for Nexon query result-empty state
v0.06.000 - 2022.11.18
New Features
- (#42) Colorize the leading “i” icon when a note already exists
- (#31) Passenger car vs. truck selector
v0.05.000 - 2022.11.17
New Features
- (#38) Nexon presence query from MS SQL Server
- (#38) Print.js integration (https://printjs.crabbly.com/) for nicely formatted reports
Known Issues
- Production MSSQL connection still hits an OpenSSL error
v0.04.000 - 2022.08.13
New Features
- (#36) Clear ID card number when the visitor leaves
Modifications
- Optimize and simplify code that checks entry and exit timestamps
v0.03.001 - 2022.08.12
Fixes
- Validate timestamps even when the user just focuses the field (not only on input)
v0.03.000 - 2022.08.12
New Features
- (#34) Move JS form-validation helpers into a dedicated file so they can load earlier
- (#30) Allow entering both entry and exit timestamps and validate them
- (#35) Inactivity watchdog: reload the page after 30 minutes of inactivity to avoid session/self-signed SSL expiry
Modifications
- (#33) ID card field is no longer mandatory
Bug Fix
- (#32) Sort Excel reports by entry time descending