The way this now works is, if csrf is enabled:
* Any new or existing template can have csrf protection by adding the hidden input ctoken that's in this batch to its form, removes any logic in templates
* Page controllers that already exist have been updated, new ones only require checking if csrf is enabled and valid
* [ADDED] Config option `$config['donate_threshold']['min'] = 1;`
* [VERSION] Incremented config file version to `0.0.6`
* [CHANGED] Round donations to at least two digits
* [CHANGED] Honor minimum set pool donation percentage
* [UPDATED] Account edit template
Fixes#1475 once merged
* Now an array to disable with granularity
* Fixed all CSRF tokens back to 1 min
* Added CSRF protection for unlock account
* Unified error message for all csrf tokens
* Fixed a few issues with last commit
added csrf protection to workers under sitewide config
added csrf protection to notifications under sitewide config
added csrf protection to invitations under sitewide config
cleaned up login page csrf
cleaned up contactform/contactform page
cleaned up register/register page
moved config->csrf->forms->register to sitewide
added login ip/user/time to notification on login
* Adds config options for disabling, timeout lead time, and forms
* Adds another salt in config that's used in the token
* Adds protection for login form by default
* Added new token type: account_unlock
* Added update SQL File
* Updated base structure with new token type
* Added empty template
* Updated user class to send mail on failed passwords
* Added unlock account page to use tokens
Addresses #670
This will improve loading times on large transaction tables. Thanks
@feeleep75 for helping with this one.
* Do not use SQL_CALC_NUM_ROWS since it will do a full table scan
* Allow admins to disable account transaction summaries to speed up page
loads on large tables
* added new admin setting under system to Disable TX Summaries
Fixes#1065 once merged
* Merge manual and auto-payout into single cronjob
* Update template/code to reflect single payout cron
* Update monitoring page
* Update disable payouts option in admin panel settings
* Update account payout page to use new option
This will fix#967 once merged.
This will lock a user account if a password or PIN has been entered
wrong for multiple times in a row. When unlocking the account via admin
panel, both counters are reset so the user can log in again.
This should fix issues with brute force attacks to access user accounts.
Please see configuration dist file for new config options.
Please import SQL upgrade 007 to add new column to user accounts table.
Addresses #670 and should be merged once tested.
* [ADDED] More error codes
* [MODIFIED] Class updates to use Base Class all the time
* [MODIFIED] Cronjobs have been slightly adjusted
* [ADDED] More base class features
* Added: API String QR Code for #582 and #591
This will allow more QRCodes being added that are specific to an
account. The require library is added and the API string can be used as
an example how codes are generated.
Fixes#582
* Removed getAllTransactions method
* Unified getTransactions for users and admins
* Added filter abilities to user transaction view
This should speed up things a fair bit for transaction heavy pools.
Addresses #536
This addresses #497 and allows the admins to disable notifications
through the admin panel. Might be used by those relying on clients using
the API instead.
Once merged it will fix#497.
This will avoid double payouts via the website. Payouts will be
requested by users and processed by a cron. If, for whatever reason,
users do add two requests (it is checked if a payout exists) they would
only have one successful payout until their account balance is back up
to a save value to trigger the payout.
This should fix any issues with manual payouts being exploited through
the website. Will require some testing by others to ensure things work
as expected.
Invitations can now be configured through admin panel settings. By
default, invitations are enabled. Invitation system is also available if
registrations are disabled. To completely remove the ability of new
users to sign up, disable both registration and invitations.
Fixes#330
This will allow users to send invitations to other people via email.
Each account will still need to confirm the email address if the option
is enabled.
Addresses #330, will need to allow pool operators to enable this feature
even with registrations turned off.
