group-emalm / emalm-main / Merge requests / !2

Build login-aware user area and account settings

Merged Onne Ronda requested to merge fix/login-user-area into master Apr 25, 2026
  • Overview 0
  • Commits 1
  • Pipelines 0
  • Changes 34

Summary

This merge request builds a functional login-aware user area on top of fix/config-centralization.

It fixes inconsistent login/session handling, adds a usable user/profile/settings area, improves local development behavior, and cleans up several API/media-page issues that were making local testing noisy or unreliable.

This branch is intended to stack on top of fix/config-centralization.

What Changed

Auth and login flow

  • Fixed login/session handling so successful logins are recognized reliably across the site.
  • Updated the login flow to set cookies server-side and redirect cleanly after login.
  • Added last_log updates on successful login.
  • Added a logout endpoint and hooked it into the account UI.
  • Kept compatibility with the existing cookie/session approach instead of introducing a new auth model.

Header and account navigation

  • Replaced the static Login behavior with account-aware header behavior.
  • Added an account dropdown with:
    • user page
    • settings
    • logout
  • Moved the Users shortcut into the right-hand account area.
  • Only show the Users shortcut for logged-in non-anonymous members.

User profile page

  • Added a repo-owned user profile page that works on both desktop and mobile.
  • Added profile stats and sections for:
    • videos
    • images
    • about
  • Added search and sorting for a user’s uploads.
  • Made the sortable table headers clickable on the user page.

Users directory

  • Added a users overview page with:
    • search
    • sorting
    • pagination
    • desktop table layout
    • mobile card layout
  • Made the table headers clickable for sorting.
  • Replaced the simple previous/next pager with a numbered paginator.

Settings page

  • Added a settings page for logged-in members.
  • Added editing for:
    • username
    • email
    • first name
    • last name
    • nickname
    • gender
    • about text
    • password
  • Added CSRF protection and validation for the settings flow.
  • Kept the implementation compatible with the existing database layout by updating existing fields instead of changing schema.

Avatar handling

  • Added avatar upload with crop/zoom in settings.
  • Added avatar removal that reverts to def.svg.
  • Added the ability to use an existing public site image as an avatar.
  • Site-image avatars now use the CDN directly instead of copying the image into the avatar folder.
  • Crop/zoom for CDN-backed avatars is stored compactly inside profimg, so the crop persists without changing the database schema or the CDN asset itself.
  • Uploaded avatars still use the dedicated avatar folder.
  • Default avatars still use def.svg.
  • Avatar deletion is blocked when the avatar is already the default image.

Config and local development

  • Added documented config load order:
    • config.php
    • config.local.php
    • config.dev.php
  • Added .gitignore entries for:
    • config.dev.php
    • conn.php
  • Kept config.local.php tracked.
  • Added local/dev captcha bypass support to make login/register/contact/error reporting testable in local environments.

API and page fixes

  • Extended user/profile API behavior to support the new user area.
  • Fixed api/?get=basic fatal behavior caused by closing mysqli twice.
  • Fixed undefined-key warnings on media/list pages.
  • Updated avatar rendering so pages can handle:
    • default avatars
    • uploaded avatars
    • CDN-backed avatars with stored crop metadata

Tests

  • Added and expanded PHP tests for:
    • auth cookie parsing
    • CSRF token generation
    • menu payload behavior
    • profile sanitization and validation
    • avatar helper behavior
    • CDN avatar parsing and crop-token handling
  • Current test run passes:
    • php tests/run.php -> All 90 tests passed

Compatibility / Safety Notes

  • No database schema changes are included in this merge request.
  • profimg remains schema-compatible and continues to fit inside the existing varchar field.
  • Existing uploaded-avatar behavior remains supported.
  • Default avatar fallback remains def.svg.
  • The settings/profile changes were implemented to preserve compatibility with the current users / profils split instead of refactoring schema assumptions.

Local Testing Done

  • php -l passed on the touched PHP files.
  • php tests/run.php passed with All 90 tests passed.
  • Manual local smoke testing covered:
    • login
    • logout
    • settings save
    • user page
    • users page
    • avatar upload
    • CDN-backed avatar selection
    • CDN-backed avatar crop persistence
    • avatar removal
    • /?p=...
    • /?v=...
    • /?img
  • Confirmed that CDN-backed avatar selections now store compact profimg values such as cdn:<id>@<crop> and render correctly.

Notes For Review

  • This branch is intentionally incremental and avoids a large architectural rewrite.
  • The app still has some legacy self-HTTP behavior on content pages, so local testing with PHP’s built-in server may still benefit from multiple workers.
  • The focus here is functional user-area delivery with minimal schema risk and minimal disruption to the existing project structure.

Suggested Review Focus

  • Auth/session consistency after login
  • User/profile/settings routing and behavior
  • Avatar storage/rendering compatibility
  • CDN-backed avatar crop persistence
  • Local-dev config and captcha behavior
  • Regressions on legacy media pages
Source branch: fix/login-user-area
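
An added example, not code from this merge request: one way to classify a profimg value into the three avatar kinds the description lists (default def.svg, uploaded file, CDN-backed cdn:<id>@<crop>) before it is used to build an image URL. The function name, the numeric id, the crop-token character set, the upload file-name pattern and the 64-character limit are assumptions; the page does not specify them.

```php
<?php
declare(strict_types=1);

// Hypothetical helper: names, limits and the crop-token alphabet are
// assumptions for illustration, not taken from the merge request.
const PROFIMG_MAX_LEN = 64; // assumed size of the existing varchar field

function classify_profimg(?string $raw): array
{
    $default = ['kind' => 'default', 'file' => 'def.svg'];
    $value = trim((string) $raw);

    // Empty, explicit default, or over-long values all fall back to def.svg.
    if ($value === '' || $value === 'def.svg' || strlen($value) > PROFIMG_MAX_LEN) {
        return $default;
    }

    // CDN-backed avatar: cdn:<id>@<crop>, with the crop part optional.
    if (strncmp($value, 'cdn:', 4) === 0) {
        $ok = preg_match('/\Acdn:([0-9]{1,12})(?:@([A-Za-z0-9._,-]{1,40}))?\z/', $value, $m);
        if ($ok !== 1) {
            return $default; // malformed token: never hand it to the renderer
        }
        return ['kind' => 'cdn', 'id' => (int) $m[1], 'crop' => $m[2] ?? null];
    }

    // Uploaded avatar: a bare file name in the avatar folder, no path parts.
    if (preg_match('/\A[A-Za-z0-9_-]{1,48}\.(?:png|jpe?g|gif|webp)\z/i', $value) === 1) {
        return ['kind' => 'upload', 'file' => $value];
    }

    return $default;
}

// Constructed sample values, not data from the project.
$samples = ['def.svg', 'cdn:1842@0.12,0.30,1.5', 'cdn:1842', 'u_77.png',
            '../avatar.png', 'cdn:12@<bad>', null];
foreach ($samples as $s) {
    printf("%-26s => %s\n", var_export($s, true), json_encode(classify_profimg($s)));
}
```

Only the 'cdn' and 'upload' results carry a value forward; everything that does not match a strict pattern renders as def.svg, which keeps path separators and markup characters out of the avatar URL.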