🆙 Bump version to 4.2.13 [skip ci]

Merge pull request #116 from duckietm/dev
Dev
2026-06-19 15:06:19 +00:00 · 2026-05-21 07:02:08 +00:00 · 2026-05-21 09:01:07 +02:00 · 2026-05-21 07:40:49 +02:00 · 2026-05-21 07:40:34 +02:00 · 2026-05-21 07:40:19 +02:00
25 changed files with 1386 additions and 46 deletions
@@ -34,3 +34,13 @@ SET @ddl = IF(@col_exists = 0,
 PREPARE stmt FROM @ddl;
 EXECUTE stmt;
 DEALLOCATE PREPARE stmt;
 UPDATE emulator_settings SET `key`='ws.whitelist' WHERE  `key`='websockets.whitelist';
 UPDATE emulator_settings SET `key`='ws.host' WHERE  `key`='ws.nitro.host';
 UPDATE emulator_settings SET `key`='ws.port' WHERE  `key`='ws.nitro.port';
 INSERT IGNORE INTO emulator_settings (`key`, `value`)
 VALUES ('ws.ip.header', 'X-Forwarded-For');
 INSERT IGNORE INTO emulator_settings (`key`, `value`)
 VALUES ('ws.enabled', 'true');
@@ -0,0 +1,33 @@
 ALTER TABLE users
 ADD COLUMN `background_border_id` INT(11) NOT NULL DEFAULT 0 AFTER `background_id`;
 ALTER TABLE infostand_backgrounds
 CHANGE COLUMN `category` `category` ENUM('background', 'stand', 'overlay', 'card', 'border') NOT NULL ;
 INSERT IGNORE INTO `infostand_backgrounds` (`id`, `category`, `min_rank`, `is_hc_only`, `is_ambassador_only`) VALUES
    (1,  'border', 1, 0, 0),
    (2,  'border', 1, 0, 0),
    (3,  'border', 1, 0, 0),
    (4,  'border', 1, 0, 0),
    (5,  'border', 1, 0, 0),
    (6,  'border', 1, 0, 0),
    (7,  'border', 1, 0, 0),
    (8,  'border', 1, 0, 0),
    (9,  'border', 1, 0, 0),
    (10, 'border', 1, 0, 0),
    (11, 'border', 1, 0, 0),
    (12, 'border', 1, 0, 0),
    (13, 'border', 1, 0, 0),
    (14, 'border', 1, 0, 0),
    (15, 'border', 1, 0, 0),
    (16, 'border', 1, 0, 0),
    (17, 'border', 1, 0, 0),
    (18, 'border', 1, 0, 0),
    (19, 'border', 1, 0, 0),
    (20, 'border', 1, 0, 0),
    (21, 'border', 1, 0, 0),
    (22, 'border', 1, 0, 0),
    (23, 'border', 1, 0, 0),
    (24, 'border', 1, 0, 0),
    (25, 'border', 1, 0, 0);
@@ -0,0 +1,477 @@
 -- ============================================================
 -- Live required schema
 -- ============================================================
 -- Consolidated schema for the currently used Nitro/Arcturus live
 -- additions. This file intentionally excludes old/unused migration
 -- artifacts and dump-only data.
 --
 -- Scope:
 -- - tables/columns currently referenced by Java code
 -- - runtime settings required by secure assets/API, login, wired, and UI
 -- - safe CREATE IF NOT EXISTS / ADD COLUMN IF NOT EXISTS statements
 --
 -- Assumes the base Arcturus database already exists.
 -- Tested for MariaDB-style syntax used by this project.
 -- ============================================================
 SET NAMES utf8mb4;
 -- ------------------------------------------------------------
 -- Core settings support
 -- ------------------------------------------------------------
 ALTER TABLE `emulator_settings`
    ADD COLUMN IF NOT EXISTS `comment` TEXT NULL DEFAULT '' AFTER `value`;
 CREATE TABLE IF NOT EXISTS `wired_emulator_settings` (
    `key` VARCHAR(255) NOT NULL,
    `value` TEXT NOT NULL,
    `comment` TEXT NULL DEFAULT '',
    PRIMARY KEY (`key`)
 ) ENGINE=InnoDB DEFAULT CHARSET=utf8mb4 COLLATE=utf8mb4_unicode_ci;
 INSERT INTO `emulator_settings` (`key`, `value`) VALUES
    ('crypto.ws.enabled', '0'),
    ('crypto.ws.signing.enabled', '0'),
    ('crypto.ws.signing.public_key', ''),
    ('crypto.ws.signing.private_key', ''),
    ('login.access.jwt.secret', ''),
    ('login.remember.duration.days', '30'),
    ('login.remember.rotate.interval.minutes', '15'),
    ('login.remember.jwt.secret', ''),
    ('login.turnstile.enabled', '0'),
    ('login.turnstile.sitekey', ''),
    ('login.turnstile.secretkey', ''),
    ('login.ratelimit.enabled', '1'),
    ('login.ratelimit.max_attempts', '5'),
    ('login.ratelimit.window_sec', '60'),
    ('login.ratelimit.lockout_sec', '120'),
    ('login.register.enabled', '1'),
    ('register.max_per_ip', '5'),
    ('register.default.look', 'hr-100-7.hd-180-1.ch-210-66.lg-270-82.sh-290-80'),
    ('register.default.motto', 'I love Habbo!'),
    ('password.reset.url', 'http://localhost/reset-password'),
    ('smtp.provider', 'own'),
    ('smtp.host', 'localhost'),
    ('smtp.port', '587'),
    ('smtp.username', ''),
    ('smtp.password', ''),
    ('smtp.from_address', 'no-reply@example.com'),
    ('smtp.from_name', 'Habbo Hotel'),
    ('smtp.use_tls', '1'),
    ('smtp.use_ssl', '0'),
    ('new_user_credits', '0'),
    ('new_user_duckets', '0'),
    ('new_user_diamonds', '0')
 ON DUPLICATE KEY UPDATE `value` = `value`;
 INSERT INTO `wired_emulator_settings` (`key`, `value`, `comment`) VALUES
    ('wired.engine.enabled', '1', 'Compatibility flag. The runtime uses the new wired engine.'),
    ('wired.engine.exclusive', '1', 'Compatibility flag. The runtime uses exclusive wired engine execution.'),
    ('wired.engine.maxStepsPerStack', '100', 'Maximum internal processing steps allowed for a single wired stack execution.'),
    ('wired.engine.debug', '0', 'Enable verbose debug logging for the wired engine.'),
    ('wired.custom.enabled', '0', 'Enable custom legacy wired compatibility behavior.'),
    ('hotel.wired.furni.selection.count', '5', 'Maximum number of furni that a wired box can store or select.'),
    ('hotel.wired.max_delay', '20', 'Maximum delay value accepted by wired effects that support delayed execution.'),
    ('hotel.wired.message.max_length', '512', 'Maximum length of wired message text fields.'),
    ('wired.effect.teleport.delay', '500', 'Delay in milliseconds used by wired teleport movement.'),
    ('wired.place.under', '0', 'Allow placing wired furniture underneath other items when room rules permit it.'),
    ('wired.tick.interval.ms', '50', 'Global wired tick interval in milliseconds.'),
    ('wired.tick.resolution', '100', 'Legacy wired tick resolution value.'),
    ('wired.tick.debug', '0', 'Enable verbose logging for the wired tick service.'),
    ('wired.tick.thread.priority', '6', 'Java thread priority used by the wired tick service.'),
    ('wired.highscores.displaycount', '25', 'Maximum number of wired highscore entries shown to users.'),
    ('wired.abuse.max.recursion.depth', '10', 'Maximum recursive wired depth before execution is stopped.'),
    ('wired.abuse.max.events.per.window', '100', 'Maximum identical wired events allowed inside the abuse rate-limit window.'),
    ('wired.abuse.rate.limit.window.ms', '10000', 'Wired abuse rate-limit window in milliseconds.'),
    ('wired.abuse.ban.duration.ms', '600000', 'Temporary wired ban duration after abuse detection.'),
    ('wired.monitor.usage.window.ms', '1000', 'Rolling window size for wired usage monitoring.'),
    ('wired.monitor.usage.limit', '1000', 'Maximum wired usage budget in one monitor window.'),
    ('wired.monitor.delayed.events.limit', '100', 'Maximum delayed wired events queued in one room.'),
    ('wired.monitor.overload.average.ms', '50', 'Average execution time threshold for overload tracking.'),
    ('wired.monitor.overload.peak.ms', '150', 'Peak execution time threshold for overload tracking.'),
    ('wired.monitor.overload.consecutive.windows', '2', 'Consecutive overloaded windows required before logging overload.'),
    ('wired.monitor.heavy.usage.percent', '70', 'Usage percentage threshold for heavy-room tracking.'),
    ('wired.monitor.heavy.consecutive.windows', '5', 'Consecutive windows above heavy usage threshold.'),
    ('wired.monitor.heavy.delayed.percent', '60', 'Delayed queue percentage threshold for heavy-room tracking.')
 ON DUPLICATE KEY UPDATE
    `value` = VALUES(`value`),
    `comment` = VALUES(`comment`);
 -- ------------------------------------------------------------
 -- Login API, room templates, remember-me, and news
 -- ------------------------------------------------------------
 CREATE TABLE IF NOT EXISTS `password_resets` (
    `user_id` INT(11) NOT NULL,
    `token` VARCHAR(128) NOT NULL,
    `expires_at` TIMESTAMP NOT NULL,
    `created_ip` VARCHAR(64) NOT NULL DEFAULT '',
    PRIMARY KEY (`user_id`),
    UNIQUE KEY `idx_password_resets_token` (`token`),
    CONSTRAINT `fk_password_resets_user`
        FOREIGN KEY (`user_id`) REFERENCES `users` (`id`) ON DELETE CASCADE
 ) ENGINE=InnoDB DEFAULT CHARSET=utf8mb4 COLLATE=utf8mb4_unicode_ci;
 CREATE TABLE IF NOT EXISTS `users_remember_families` (
    `family_id` CHAR(36) NOT NULL,
    `user_id` INT(11) NOT NULL,
    `current_version` INT(11) NOT NULL DEFAULT 1,
    `created_at` INT(11) NOT NULL,
    `expires_at` INT(11) NOT NULL,
    `revoked` TINYINT(1) NOT NULL DEFAULT 0,
    `last_ip` VARCHAR(45) NOT NULL DEFAULT '',
    PRIMARY KEY (`family_id`),
    KEY `idx_users_remember_families_user_id` (`user_id`),
    KEY `idx_users_remember_families_expires_at` (`expires_at`),
    CONSTRAINT `fk_users_remember_families_user`
        FOREIGN KEY (`user_id`) REFERENCES `users` (`id`) ON DELETE CASCADE
 ) ENGINE=InnoDB DEFAULT CHARSET=utf8mb4 COLLATE=utf8mb4_unicode_ci ROW_FORMAT=DYNAMIC;
 CREATE TABLE IF NOT EXISTS `room_templates` (
    `template_id` INT(11) NOT NULL AUTO_INCREMENT,
    `title` VARCHAR(128) NOT NULL DEFAULT '',
    `description` VARCHAR(256) NOT NULL DEFAULT '',
    `thumbnail` VARCHAR(512) NOT NULL DEFAULT '',
    `sort_order` INT(11) NOT NULL DEFAULT 0,
    `enabled` ENUM('0','1') NOT NULL DEFAULT '1',
    `name` VARCHAR(50) NOT NULL DEFAULT '',
    `room_description` VARCHAR(250) NOT NULL DEFAULT '',
    `model` VARCHAR(100) NOT NULL,
    `password` VARCHAR(50) NOT NULL DEFAULT '',
    `state` ENUM('open','locked','password','invisible') NOT NULL DEFAULT 'open',
    `users_max` INT(11) NOT NULL DEFAULT 25,
    `category` INT(11) NOT NULL DEFAULT 0,
    `paper_floor` VARCHAR(50) NOT NULL DEFAULT '0.0',
    `paper_wall` VARCHAR(50) NOT NULL DEFAULT '0.0',
    `paper_landscape` VARCHAR(50) NOT NULL DEFAULT '0.0',
    `thickness_wall` INT(11) NOT NULL DEFAULT 0,
    `thickness_floor` INT(11) NOT NULL DEFAULT 0,
    `moodlight_data` VARCHAR(2048) NOT NULL DEFAULT '',
    `override_model` ENUM('0','1') NOT NULL DEFAULT '0',
    `trade_mode` INT(2) NOT NULL DEFAULT 2,
    `heightmap` MEDIUMTEXT NOT NULL,
    `door_x` INT(11) NOT NULL DEFAULT 0,
    `door_y` INT(11) NOT NULL DEFAULT 0,
    `door_dir` INT(4) NOT NULL DEFAULT 2,
    PRIMARY KEY (`template_id`),
    KEY `idx_room_templates_enabled_sort` (`enabled`, `sort_order`)
 ) ENGINE=InnoDB DEFAULT CHARSET=utf8mb4 COLLATE=utf8mb4_unicode_ci ROW_FORMAT=DYNAMIC;
 CREATE TABLE IF NOT EXISTS `room_templates_items` (
    `id` INT(11) NOT NULL AUTO_INCREMENT,
    `template_id` INT(11) NOT NULL,
    `item_id` INT(11) UNSIGNED NOT NULL,
    `wall_pos` VARCHAR(20) NOT NULL DEFAULT '',
    `x` INT(11) NOT NULL DEFAULT 0,
    `y` INT(11) NOT NULL DEFAULT 0,
    `z` DOUBLE(10,6) NOT NULL DEFAULT 0.000000,
    `rot` INT(11) NOT NULL DEFAULT 0,
    `extra_data` VARCHAR(2096) NOT NULL DEFAULT '',
    `wired_data` VARCHAR(4096) DEFAULT NULL,
    PRIMARY KEY (`id`),
    KEY `idx_room_templates_items_template_id` (`template_id`),
    KEY `idx_room_templates_items_item_id` (`item_id`),
    CONSTRAINT `fk_room_templates_items_template`
        FOREIGN KEY (`template_id`) REFERENCES `room_templates` (`template_id`) ON DELETE CASCADE,
    CONSTRAINT `fk_room_templates_items_item_base`
        FOREIGN KEY (`item_id`) REFERENCES `items_base` (`id`) ON DELETE CASCADE
 ) ENGINE=InnoDB DEFAULT CHARSET=utf8mb4 COLLATE=utf8mb4_unicode_ci ROW_FORMAT=DYNAMIC;
 CREATE TABLE IF NOT EXISTS `ui_news` (
    `id` INT(11) NOT NULL AUTO_INCREMENT,
    `title` VARCHAR(150) NOT NULL,
    `body` TEXT NOT NULL,
    `image` MEDIUMTEXT DEFAULT NULL,
    `link_text` VARCHAR(80) NOT NULL DEFAULT '',
    `link_url` VARCHAR(255) NOT NULL DEFAULT '',
    `enabled` TINYINT(1) NOT NULL DEFAULT 1,
    `sort_order` INT(11) NOT NULL DEFAULT 0,
    `created_at` TIMESTAMP NOT NULL DEFAULT CURRENT_TIMESTAMP,
    PRIMARY KEY (`id`),
    KEY `idx_ui_news_enabled_sort` (`enabled`, `sort_order`)
 ) ENGINE=InnoDB DEFAULT CHARSET=utf8mb4 COLLATE=utf8mb4_unicode_ci ROW_FORMAT=DYNAMIC;
 INSERT INTO `ui_news` (`title`, `body`, `image`, `link_text`, `link_url`, `enabled`, `sort_order`)
 SELECT 'Welcome to the Hotel!', 'Catch up on the latest events, updates and competitions happening right now in the hotel.', '', '', '', 1, 0
 WHERE NOT EXISTS (SELECT 1 FROM `ui_news`);
 -- ------------------------------------------------------------
 -- Wired runtime data
 -- ------------------------------------------------------------
 CREATE TABLE IF NOT EXISTS `room_wired_settings` (
    `room_id` INT(11) NOT NULL,
    `inspect_mask` INT(11) NOT NULL DEFAULT 0 COMMENT 'Bitmask for who can open and inspect Wired in the room. 1=everyone, 2=users with rights, 4=group members, 8=group admins.',
    `modify_mask` INT(11) NOT NULL DEFAULT 0 COMMENT 'Bitmask for who can modify Wired in the room. 2=users with rights, 4=group members, 8=group admins.',
    PRIMARY KEY (`room_id`),
    CONSTRAINT `fk_room_wired_settings_room`
        FOREIGN KEY (`room_id`) REFERENCES `rooms` (`id`) ON DELETE CASCADE ON UPDATE CASCADE
 ) ENGINE=InnoDB DEFAULT CHARSET=utf8mb4 COLLATE=utf8mb4_unicode_ci;
 CREATE TABLE IF NOT EXISTS `room_wired_variables` (
    `room_id` INT(11) NOT NULL,
    `variable_item_id` INT(11) NOT NULL,
    `value` INT(11) DEFAULT NULL,
    `created_at` INT(11) NOT NULL DEFAULT 0,
    `updated_at` INT(11) NOT NULL DEFAULT 0,
    PRIMARY KEY (`room_id`, `variable_item_id`),
    KEY `idx_room_wired_variables_room_item` (`room_id`, `variable_item_id`)
 ) ENGINE=InnoDB DEFAULT CHARSET=utf8mb4 COLLATE=utf8mb4_unicode_ci;
 CREATE TABLE IF NOT EXISTS `room_user_wired_variables` (
    `room_id` INT(11) NOT NULL,
    `user_id` INT(11) NOT NULL,
    `variable_item_id` INT(11) NOT NULL,
    `value` INT(11) DEFAULT NULL,
    `created_at` INT(11) NOT NULL DEFAULT 0,
    `updated_at` INT(11) NOT NULL DEFAULT 0,
    PRIMARY KEY (`room_id`, `user_id`, `variable_item_id`),
    KEY `idx_room_user_wired_variables_room_item` (`room_id`, `variable_item_id`),
    KEY `idx_room_user_wired_variables_user` (`user_id`)
 ) ENGINE=InnoDB DEFAULT CHARSET=utf8mb4 COLLATE=utf8mb4_unicode_ci;
 CREATE TABLE IF NOT EXISTS `room_furni_wired_variables` (
    `room_id` INT(11) NOT NULL,
    `furni_id` INT(11) NOT NULL,
    `variable_item_id` INT(11) NOT NULL,
    `value` INT(11) DEFAULT NULL,
    `created_at` INT(11) NOT NULL DEFAULT 0,
    `updated_at` INT(11) NOT NULL DEFAULT 0,
    PRIMARY KEY (`room_id`, `furni_id`, `variable_item_id`),
    KEY `idx_room_furni_wired_variables_room_item` (`room_id`, `variable_item_id`),
    KEY `idx_room_furni_wired_variables_furni` (`furni_id`)
 ) ENGINE=InnoDB DEFAULT CHARSET=utf8mb4 COLLATE=utf8mb4_unicode_ci;
 -- ------------------------------------------------------------
 -- User customization: prefixes, nick icons, profile backgrounds
 -- ------------------------------------------------------------
 ALTER TABLE `users`
    ADD COLUMN IF NOT EXISTS `background_id` INT(11) NOT NULL DEFAULT 0 AFTER `machine_id`,
    ADD COLUMN IF NOT EXISTS `background_stand_id` INT(11) NOT NULL DEFAULT 0 AFTER `background_id`,
    ADD COLUMN IF NOT EXISTS `background_overlay_id` INT(11) NOT NULL DEFAULT 0 AFTER `background_stand_id`,
    ADD COLUMN IF NOT EXISTS `background_card_id` INT(11) NOT NULL DEFAULT 0 AFTER `background_overlay_id`;
 CREATE TABLE IF NOT EXISTS `infostand_backgrounds` (
    `id` INT(11) NOT NULL,
    `category` ENUM('background','stand','overlay','card') NOT NULL,
    `min_rank` INT(11) NOT NULL DEFAULT 0,
    `is_hc_only` TINYINT(1) NOT NULL DEFAULT 0,
    `is_ambassador_only` TINYINT(1) NOT NULL DEFAULT 0,
    PRIMARY KEY (`id`, `category`)
 ) ENGINE=InnoDB DEFAULT CHARSET=utf8mb4 COLLATE=utf8mb4_unicode_ci;
 INSERT IGNORE INTO `infostand_backgrounds` (`id`, `category`, `min_rank`, `is_hc_only`, `is_ambassador_only`) VALUES
    (0, 'background', 0, 0, 0),
    (0, 'stand', 0, 0, 0),
    (0, 'overlay', 0, 0, 0),
    (0, 'card', 0, 0, 0);
 CREATE TABLE IF NOT EXISTS `user_prefixes` (
    `id` INT(11) NOT NULL AUTO_INCREMENT,
    `user_id` INT(11) NOT NULL,
    `text` VARCHAR(50) NOT NULL,
    `color` VARCHAR(255) NOT NULL DEFAULT '#FFFFFF',
    `icon` VARCHAR(50) NOT NULL DEFAULT '',
    `effect` VARCHAR(50) NOT NULL DEFAULT '',
    `font` VARCHAR(50) NOT NULL DEFAULT '',
    `catalog_prefix_id` INT(11) NOT NULL DEFAULT 0,
    `display_name` VARCHAR(100) NOT NULL DEFAULT '',
    `points` INT(11) NOT NULL DEFAULT 0,
    `points_type` INT(11) NOT NULL DEFAULT 0,
    `is_custom` TINYINT(1) NOT NULL DEFAULT 1,
    `active` TINYINT(1) NOT NULL DEFAULT 0,
    PRIMARY KEY (`id`),
    KEY `idx_user_prefixes_user_id` (`user_id`),
    KEY `idx_user_prefixes_user_active` (`user_id`, `active`),
    CONSTRAINT `fk_user_prefixes_user`
        FOREIGN KEY (`user_id`) REFERENCES `users` (`id`) ON DELETE CASCADE
 ) ENGINE=InnoDB DEFAULT CHARSET=utf8mb4 COLLATE=utf8mb4_unicode_ci;
 CREATE TABLE IF NOT EXISTS `custom_prefixes_catalog` (
    `id` INT(11) NOT NULL AUTO_INCREMENT,
    `display_name` VARCHAR(100) NOT NULL DEFAULT '',
    `text` VARCHAR(50) NOT NULL,
    `color` VARCHAR(255) NOT NULL DEFAULT '#FFFFFF',
    `icon` VARCHAR(50) NOT NULL DEFAULT '',
    `effect` VARCHAR(50) NOT NULL DEFAULT '',
    `font` VARCHAR(50) NOT NULL DEFAULT '',
    `points` INT(11) NOT NULL DEFAULT 0,
    `points_type` INT(11) NOT NULL DEFAULT 0,
    `enabled` TINYINT(1) NOT NULL DEFAULT 1,
    `sort_order` INT(11) NOT NULL DEFAULT 0,
    PRIMARY KEY (`id`)
 ) ENGINE=InnoDB DEFAULT CHARSET=utf8mb4 COLLATE=utf8mb4_unicode_ci;
 CREATE TABLE IF NOT EXISTS `user_visual_settings` (
    `user_id` INT(11) NOT NULL,
    `display_order` VARCHAR(50) NOT NULL DEFAULT 'icon-prefix-name',
    PRIMARY KEY (`user_id`),
    CONSTRAINT `fk_user_visual_settings_user`
        FOREIGN KEY (`user_id`) REFERENCES `users` (`id`) ON DELETE CASCADE
 ) ENGINE=InnoDB DEFAULT CHARSET=utf8mb4 COLLATE=utf8mb4_unicode_ci;
 CREATE TABLE IF NOT EXISTS `custom_prefix_settings` (
    `key_name` VARCHAR(100) NOT NULL,
    `value` VARCHAR(255) NOT NULL,
    PRIMARY KEY (`key_name`)
 ) ENGINE=InnoDB DEFAULT CHARSET=utf8mb4 COLLATE=utf8mb4_unicode_ci;
 CREATE TABLE IF NOT EXISTS `custom_prefix_blacklist` (
    `id` INT(11) NOT NULL AUTO_INCREMENT,
    `word` VARCHAR(100) NOT NULL,
    PRIMARY KEY (`id`),
    UNIQUE KEY `uk_custom_prefix_blacklist_word` (`word`)
 ) ENGINE=InnoDB DEFAULT CHARSET=utf8mb4 COLLATE=utf8mb4_unicode_ci;
 INSERT IGNORE INTO `custom_prefix_settings` (`key_name`, `value`) VALUES
    ('max_length', '15'),
    ('min_rank_to_buy', '1'),
    ('price_credits', '5'),
    ('price_points', '0'),
    ('points_type', '0'),
    ('font_price_credits', '10'),
    ('font_price_points', '0'),
    ('font_points_type', '0');
 INSERT IGNORE INTO `custom_prefixes_catalog`
    (`id`, `display_name`, `text`, `color`, `icon`, `effect`, `font`, `points`, `points_type`, `enabled`, `sort_order`)
 VALUES
    (1, 'VIP', 'VIP', '#FFD700', '', 'glow', '', 10, 0, 1, 1),
    (2, 'Legend', 'Legend', '#8B5CF6', '', 'discord-neon', '', 15, 0, 1, 2),
    (3, 'Staff Pick', 'Staff', '#3B82F6', '*', 'cartoon', '', 20, 0, 1, 3);
 CREATE TABLE IF NOT EXISTS `custom_nick_icons_catalog` (
    `id` INT(11) NOT NULL AUTO_INCREMENT,
    `icon_key` VARCHAR(50) NOT NULL,
    `display_name` VARCHAR(100) NOT NULL DEFAULT '',
    `points` INT(11) NOT NULL DEFAULT 0,
    `points_type` INT(11) NOT NULL DEFAULT 0,
    `enabled` TINYINT(1) NOT NULL DEFAULT 1,
    `sort_order` INT(11) NOT NULL DEFAULT 0,
    PRIMARY KEY (`id`),
    UNIQUE KEY `uk_custom_nick_icons_catalog_icon_key` (`icon_key`)
 ) ENGINE=InnoDB DEFAULT CHARSET=utf8mb4 COLLATE=utf8mb4_unicode_ci;
 CREATE TABLE IF NOT EXISTS `user_nick_icons` (
    `id` INT(11) NOT NULL AUTO_INCREMENT,
    `user_id` INT(11) NOT NULL,
    `icon_key` VARCHAR(50) NOT NULL,
    `active` TINYINT(1) NOT NULL DEFAULT 0,
    PRIMARY KEY (`id`),
    UNIQUE KEY `uk_user_nick_icons_user_icon` (`user_id`, `icon_key`),
    KEY `idx_user_nick_icons_user_id` (`user_id`),
    KEY `idx_user_nick_icons_user_active` (`user_id`, `active`),
    CONSTRAINT `fk_user_nick_icons_user`
        FOREIGN KEY (`user_id`) REFERENCES `users` (`id`) ON DELETE CASCADE
 ) ENGINE=InnoDB DEFAULT CHARSET=utf8mb4 COLLATE=utf8mb4_unicode_ci;
 INSERT IGNORE INTO `custom_nick_icons_catalog` (`icon_key`, `display_name`, `points`, `points_type`, `enabled`, `sort_order`) VALUES
    ('1', 'Icon 1', 10, 0, 1, 1),
    ('2', 'Icon 2', 10, 0, 1, 2),
    ('3', 'Icon 3', 10, 0, 1, 3),
    ('4', 'Icon 4', 10, 0, 1, 4),
    ('5', 'Icon 5', 10, 0, 1, 5),
    ('6', 'Icon 6', 10, 0, 1, 6);
 -- ------------------------------------------------------------
 -- Custom badge maker
 -- ------------------------------------------------------------
 CREATE TABLE IF NOT EXISTS `users_custom_badge_settings` (
    `id` INT(11) NOT NULL AUTO_INCREMENT,
    `badge_path` VARCHAR(255) NOT NULL DEFAULT '/var/www/gamedata/c_images/album1584',
    `badge_url` VARCHAR(255) NOT NULL DEFAULT '/gamedata/c_images/album1584',
    `price_badge` INT(11) NOT NULL DEFAULT 0,
    `currency_type` INT(11) NOT NULL DEFAULT -1,
    PRIMARY KEY (`id`)
 ) ENGINE=InnoDB DEFAULT CHARSET=utf8mb4 COLLATE=utf8mb4_unicode_ci ROW_FORMAT=DYNAMIC;
 INSERT INTO `users_custom_badge_settings` (`id`, `badge_path`, `badge_url`, `price_badge`, `currency_type`)
 SELECT 1, '/var/www/gamedata/c_images/album1584', '/gamedata/c_images/album1584', 50, 5
 WHERE NOT EXISTS (SELECT 1 FROM `users_custom_badge_settings` WHERE `id` = 1);
 CREATE TABLE IF NOT EXISTS `user_custom_badge` (
    `id` INT(11) NOT NULL AUTO_INCREMENT,
    `user_id` INT(11) NOT NULL,
    `badge_id` VARCHAR(64) NOT NULL,
    `badge_name` VARCHAR(64) NOT NULL DEFAULT '',
    `badge_description` VARCHAR(255) NOT NULL DEFAULT '',
    `date_created` INT(11) NOT NULL DEFAULT 0,
    `date_edit` INT(11) NOT NULL DEFAULT 0,
    PRIMARY KEY (`id`),
    UNIQUE KEY `uk_user_custom_badge_badge_id` (`badge_id`),
    KEY `idx_user_custom_badge_user_id` (`user_id`),
    CONSTRAINT `fk_user_custom_badge_user`
        FOREIGN KEY (`user_id`) REFERENCES `users` (`id`) ON DELETE CASCADE
 ) ENGINE=InnoDB DEFAULT CHARSET=utf8mb4 COLLATE=utf8mb4_unicode_ci ROW_FORMAT=DYNAMIC;
 -- ------------------------------------------------------------
 -- UI/catalog compatibility values used by the current client
 -- ------------------------------------------------------------
 INSERT INTO `chat_bubbles` (`type`, `name`, `permission`, `overridable`, `triggers_talking_furniture`) VALUES
    (200, 'SHOW_MESSAGE_RED', '', 1, 0),
    (201, 'SHOW_MESSAGE_GREEN', '', 1, 0),
    (202, 'SHOW_MESSAGE_BLUE', '', 1, 0),
    (210, 'SHOW_MESSAGE_ALERT', '', 1, 0),
    (211, 'SHOW_MESSAGE_INFO', '', 1, 0),
    (212, 'SHOW_MESSAGE_WARNING', '', 1, 0),
    (220, 'SHOW_MESSAGE_WRONG', '', 1, 0),
    (221, 'SHOW_MESSAGE_WRONG_CIRCLED', '', 1, 0),
    (222, 'SHOW_MESSAGE_CORRECT', '', 1, 0),
    (223, 'SHOW_MESSAGE_CORRECT_CIRCLED', '', 1, 0),
    (224, 'SHOW_MESSAGE_QUESTION', '', 1, 0),
    (225, 'SHOW_MESSAGE_QUESTION_CIRCLED', '', 1, 0),
    (226, 'SHOW_MESSAGE_ARROW_UP', '', 1, 0),
    (227, 'SHOW_MESSAGE_ARROW_UP_CIRCLED', '', 1, 0),
    (228, 'SHOW_MESSAGE_ARROW_DOWN', '', 1, 0),
    (229, 'SHOW_MESSAGE_ARROW_DOWN_CIRCLED', '', 1, 0),
    (250, 'SHOW_MESSAGE_SKULL', '', 1, 0),
    (251, 'SHOW_MESSAGE_SKULL_ALT', '', 1, 0),
    (252, 'SHOW_MESSAGE_MAGNIFIER', '', 1, 0)
 ON DUPLICATE KEY UPDATE
    `name` = VALUES(`name`),
    `permission` = VALUES(`permission`),
    `overridable` = VALUES(`overridable`),
    `triggers_talking_furniture` = VALUES(`triggers_talking_furniture`);
 INSERT IGNORE INTO `emulator_texts` (`key`, `value`) VALUES
    ('commands.keys.cmd_setroom_template', 'setroom_template;set_room_template'),
    ('commands.succes.cmd_setroom_template.verify', 'Copy the current room "%roomname%" to room_templates? Type :setroom_template %generic.yes% to confirm.'),
    ('commands.succes.cmd_setroom_template', 'Room saved as template id %id% with %items% items (%skipped% skipped - item_id not in items_base).'),
    ('commands.error.cmd_setroom_template', 'Could not save room as template. Check the server log for details.'),
    ('commands.error.cmd_setroom_template.no_room', 'You must be inside a room to use this command.'),
    ('commands.keys.cmd_give_prefix', 'giveprefix'),
    ('commands.keys.cmd_list_prefixes', 'listprefixes'),
    ('commands.keys.cmd_remove_prefix', 'removeprefix'),
    ('commands.keys.cmd_prefix_blacklist', 'prefixblacklist'),
    ('wiredfurni.badgereceived.body', 'You have just received a new Badge! Check your Inventory!'),
    ('wiredfurni.badgereceived.title', 'Badge received!');
 -- Optional permission metadata for normalized permission schemas.
 -- Actual rank values still belong in the permissions/permission_ranks setup.
 CREATE TABLE IF NOT EXISTS `permission_definitions` (
    `permission_key` VARCHAR(64) NOT NULL,
    `max_value` TINYINT(3) UNSIGNED NOT NULL DEFAULT 1,
    `comment` TEXT NOT NULL,
    PRIMARY KEY (`permission_key`)
 ) ENGINE=InnoDB DEFAULT CHARSET=utf8mb4 COLLATE=utf8mb4_unicode_ci;
 INSERT INTO `permission_definitions` (`permission_key`, `max_value`, `comment`) VALUES
    ('cmd_setroom_template', 1, 'Allows using :setroom_template to copy a room into the login room-template table.'),
    ('cmd_give_prefix', 1, 'Allows granting custom prefixes to users.'),
    ('cmd_list_prefixes', 1, 'Allows listing custom prefixes assigned to users.'),
    ('cmd_remove_prefix', 1, 'Allows removing custom prefixes from users.'),
    ('cmd_prefix_blacklist', 1, 'Allows managing the custom prefix blacklist.')
 ON DUPLICATE KEY UPDATE
    `max_value` = VALUES(`max_value`),
    `comment` = VALUES(`comment`);
 -- ------------------------------------------------------------
 -- Explicitly obsolete table from older remember-me attempts.
 -- The current Java uses users_remember_families only.
 -- ------------------------------------------------------------
 DROP TABLE IF EXISTS `users_remember_tokens`;
@@ -0,0 +1,31 @@
 -- ============================================================
 -- Fix: acc_supporttool wrongly granted to VIP / wrongly denied to Super Mod
 -- ============================================================
 -- The default permission_definitions seed shipped acc_supporttool
 -- with rank pattern (0, 1, 1, 1, 1, 0, 1) — i.e. rank_2 (VIP) and
 -- rank_3 (X, junior helper) had ALLOWED, while rank_6 (Super Mod)
 -- did NOT. That's two bugs:
 --
 --   * VIP users see the ModTools button on the toolbar and can
 --     open Room/User info windows. The actual sanction endpoints
 --     still gate on ACC_SUPPORTTOOL server-side so they can't
 --     actually moderate, but the UI exposure is wrong and lets a
 --     VIP request user info / room info / chatlogs they have no
 --     business reading.
 --   * Super Mod is denied the tool entirely, which is obviously
 --     unintended given the rank name.
 --
 -- Intended pattern: only Support (4) and up — (0, 0, 0, 1, 1, 1, 1).
 --
 -- Run on existing deployments to align with the corrected default
 -- seed in `Default Database/FullDatabase.sql`. Idempotent.
 UPDATE `permission_definitions`
   SET `rank_1` = 0,
       `rank_2` = 0,
       `rank_3` = 0,
       `rank_4` = 1,
       `rank_5` = 1,
       `rank_6` = 1,
       `rank_7` = 1
 WHERE `permission_key` = 'acc_supporttool';
@@ -28598,7 +28598,7 @@ INSERT INTO `permission_definitions` (`permission_key`, `max_value`, `comment`,
 	('acc_staff_chat', 1, 'Grants access to the in-game Staff Chat group buddy: receives broadcasts from other staff and can broadcast to anyone holding this permission.', 0, 0, 0, 0, 0, 0, 1),
 	('acc_staff_pick', 1, 'Allows using staff item pick-up actions that bypass normal room ownership restrictions.', 0, 0, 0, 0, 0, 0, 1),
 	('acc_superwired', 1, 'Allows saving advanced wired data without the normal wordfilter and reward payload restrictions applied to regular users.', 0, 0, 0, 0, 0, 0, 1),
-	('acc_supporttool', 1, 'Allows opening and using the support/moderation tool interface.', 0, 1, 1, 1, 1, 0, 1),
+	('acc_supporttool', 1, 'Allows opening and using the support/moderation tool interface.', 0, 0, 0, 1, 1, 1, 1),
 	('acc_trade_anywhere', 1, 'Allows starting trades outside the normal trade-enabled areas.', 0, 0, 0, 0, 0, 0, 1),
 	('acc_unignorable', 1, 'Prevents the account from being ignored by other users through the ignore system.', 0, 0, 0, 0, 0, 0, 0),
 	('acc_unkickable', 1, 'Prevents the user from being kicked by normal moderation or room commands.', 0, 0, 0, 0, 0, 0, 1),
@@ -6,7 +6,7 @@
    <groupId>com.eu.habbo</groupId>
    <artifactId>Habbo</artifactId>
-    <version>4.2.8</version>
+    <version>4.2.13</version>
    <properties>
        <project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
@@ -50,6 +50,7 @@ public class RoomUserPetComposer extends MessageComposer {
        this.response.appendString("");
        this.response.appendString("unknown");
        this.response.appendInt(0);
        this.response.appendInt(0);
        return this.response;
    }
@@ -2,7 +2,12 @@ package com.eu.habbo.habbohotel.commands;
 import com.eu.habbo.Emulator;
 import com.eu.habbo.habbohotel.gameclients.GameClient;
 import com.eu.habbo.habbohotel.permissions.PermissionsManager;
 import com.eu.habbo.habbohotel.permissions.Rank;
 import com.eu.habbo.habbohotel.rooms.RoomChatMessageBubbles;
 import com.eu.habbo.habbohotel.users.Habbo;
 import com.eu.habbo.habbohotel.users.HabboManager;
 import com.eu.habbo.messages.outgoing.users.UserPermissionsComposer;
 public class UpdatePermissionsCommand extends Command {
    public UpdatePermissionsCommand() {
@@ -13,7 +18,41 @@ public class UpdatePermissionsCommand extends Command {
    public boolean handle(GameClient gameClient, String[] params) throws Exception {
        Emulator.getGameEnvironment().getPermissionsManager().reload();
-        gameClient.getHabbo().whisper(Emulator.getTexts().getValue("commands.succes.cmd_update_permissions"), RoomChatMessageBubbles.ALERT);
+        // PermissionsManager.reload() rebuilt the rank table — each online
        // Habbo's HabboInfo still references the OLD Rank object, so
        // server-side hasPermission() / wire composers would keep
        // reporting stale data until relogin. Re-bind every connected
        // user to the freshly-loaded Rank by id, then ship the new
        // UserPermissionsComposer (which carries clubLevel,
        // securityLevel, isAmbassador, rank metadata and the resolved
        // permission_definitions map) so Nitro clients' React-side
        // useHasPermission(key) / useUserRank() / useUserPermissions()
        // consumers re-render against the updated tables without an F5.
        HabboManager habboManager = Emulator.getGameEnvironment().getHabboManager();
        PermissionsManager permissions = Emulator.getGameEnvironment().getPermissionsManager();
        int refreshed = 0;
        for (Habbo habbo : habboManager.getOnlineHabbos().values()) {
            if (habbo == null || habbo.getHabboInfo() == null || habbo.getClient() == null) continue;
            int currentRankId = habbo.getHabboInfo().getRank().getId();
            // Defensive fallback: if the admin deleted the rank from the
            // permission_ranks table between sessions, fall back to rank 1
            // (Member) so the user isn't stranded with a null Rank.
            Rank freshRank = permissions.rankExists(currentRankId)
                    ? permissions.getRank(currentRankId)
                    : permissions.getRank(1);
            habbo.getHabboInfo().setRank(freshRank);
            habbo.getClient().sendResponse(new UserPermissionsComposer(habbo));
            refreshed++;
        }
        gameClient.getHabbo().whisper(
                Emulator.getTexts().getValue("commands.succes.cmd_update_permissions") + " (" + refreshed + " online refreshed)",
                RoomChatMessageBubbles.ALERT
        );
        return true;
    }
@@ -651,6 +651,10 @@ public class ModToolManager {
            sender.getClient().sendResponse(new ModToolIssueHandledComposer(ModToolIssueHandledComposer.ABUSIVE));
        }
        // Reporter (the user who opened the CFH) gets their abusive
        // counter bumped — the legacy stat shown in the User Info table.
        bumpUserSettingCounter(issue.senderId, "cfh_abusive");
        this.updateTicketToMods(issue);
        this.removeTicket(issue);
@@ -737,4 +741,38 @@ public class ModToolManager {
        return issues;
    }
    /**
     * Increments a single integer counter on `users_settings` for the
     * given user. Used by the moderation sanction handlers to bump the
     * legacy counters that `ModToolUserInfoComposer` surfaces (cfh_warnings,
     * cfh_bans, cfh_abusive, tradelock_amount) — historically these were
     * only ever incremented by the CFH submission path, so a user could
     * accumulate any number of bans/mutes without the User Info table
     * reflecting it.
     *
     * Restricted to a whitelisted column name to keep the dynamic SQL
     * safe; the caller passes a Permission-style constant.
     */
    public static void bumpUserSettingCounter(int userId, String column) {
        switch (column) {
            case "cfh_warnings":
            case "cfh_bans":
            case "cfh_abusive":
            case "tradelock_amount":
                break;
            default:
                LOGGER.warn("Refusing to bump unrecognized user_settings column: {}", column);
                return;
        }
        try (Connection connection = Emulator.getDatabase().getDataSource().getConnection();
             PreparedStatement statement = connection.prepareStatement(
                 "UPDATE users_settings SET " + column + " = " + column + " + 1 WHERE user_id = ?")) {
            statement.setInt(1, userId);
            statement.executeUpdate();
        } catch (SQLException e) {
            LOGGER.error("Caught SQL exception bumping {} for user {}", column, userId, e);
        }
    }
 }
@@ -46,6 +46,7 @@ public class HabboInfo implements Runnable {
    private int InfostandStand;
    private int InfostandOverlay;
    private int InfostandCardBg;
    private int InfostandBorder;
    private int loadingRoom;
    private Room currentRoom;
    private String roomEntryMethod = "door";
@@ -93,6 +94,11 @@ public class HabboInfo implements Runnable {
            this.InfostandStand = set.getInt("background_stand_id");
            this.InfostandOverlay = set.getInt("background_overlay_id");
            this.InfostandCardBg = set.getInt("background_card_id");
            try {
                this.InfostandBorder = set.getInt("background_border_id");
            } catch (SQLException ignored) {
                this.InfostandBorder = 0;
            }
            this.currentRoom = null;
        } catch (SQLException e) {
            LOGGER.error("Caught SQL exception", e);
@@ -300,6 +306,15 @@ public class HabboInfo implements Runnable {
    public void setInfostandCardBg(int infostandCardBg) {
        InfostandCardBg = infostandCardBg;
    }
    public int getInfostandBorder() {
        return InfostandBorder;
    }
    public void setInfostandBorder(int infostandBorder) {
        InfostandBorder = infostandBorder;
    }
    public Rank getRank() {
        return this.rank;
    }
@@ -587,7 +602,7 @@ public class HabboInfo implements Runnable {
        try {
            SqlQueries.update(
-                    "UPDATE users SET motto = ?, online = ?, look = ?, gender = ?, credits = ?, last_login = ?, last_online = ?, home_room = ?, ip_current = ?, `rank` = ?, machine_id = ?, username = ?, background_id = ?, background_stand_id = ?, background_overlay_id = ?, background_card_id = ? WHERE id = ?",
+                    "UPDATE users SET motto = ?, online = ?, look = ?, gender = ?, credits = ?, last_login = ?, last_online = ?, home_room = ?, ip_current = ?, `rank` = ?, machine_id = ?, username = ?, background_id = ?, background_stand_id = ?, background_overlay_id = ?, background_card_id = ?, background_border_id = ? WHERE id = ?",
                    this.motto,
                    this.online ? "1" : "0",
                    this.look,
@@ -604,6 +619,7 @@ public class HabboInfo implements Runnable {
                    this.InfostandStand,
                    this.InfostandOverlay,
                    this.InfostandCardBg,
                    this.InfostandBorder,
                    this.id);
        } catch (SqlQueries.DataAccessException e) {
            LOGGER.error("Caught SQL exception", e);
@@ -24,7 +24,8 @@ public class InfostandBackgroundManager {
        BACKGROUND("background"),
        STAND("stand"),
        OVERLAY("overlay"),
-        CARD("card");
+        CARD("card"),
        BORDER("border");
        public final String dbValue;
@@ -89,11 +90,12 @@ public class InfostandBackgroundManager {
        this.enforce = loaded > 0;
        if (this.enforce) {
-            LOGGER.info("InfostandBackgroundManager -> Loaded {} backgrounds, {} stands, {} overlays, {} cards from infostand_backgrounds.",
+            LOGGER.info("InfostandBackgroundManager -> Loaded {} backgrounds, {} stands, {} overlays, {} cards, {} borders from infostand_backgrounds.",
                    this.entries.get(Category.BACKGROUND).size(),
                    this.entries.get(Category.STAND).size(),
                    this.entries.get(Category.OVERLAY).size(),
-                    this.entries.get(Category.CARD).size());
+                    this.entries.get(Category.CARD).size(),
                    this.entries.get(Category.BORDER).size());
        } else {
            LOGGER.info("InfostandBackgroundManager -> infostand_backgrounds is empty, server-side validation disabled (only range clamp will apply).");
        }
@@ -1,6 +1,7 @@
 package com.eu.habbo.messages.incoming.modtool;
 import com.eu.habbo.Emulator;
 import com.eu.habbo.habbohotel.modtool.ModToolManager;
 import com.eu.habbo.habbohotel.modtool.ModToolSanctionItem;
 import com.eu.habbo.habbohotel.modtool.ModToolSanctions;
 import com.eu.habbo.habbohotel.permissions.Permission;
@@ -47,6 +48,8 @@ public class ModToolSanctionAlertEvent extends MessageHandler {
                } else {
                    habbo.alert(message);
                }
                ModToolManager.bumpUserSettingCounter(userId, "cfh_warnings");
            } else {
                this.client.sendResponse(new ModToolIssueHandledComposer(Emulator.getTexts().getValue("generic.user.not_found").replace("%user%", Emulator.getConfig().getValue("hotel.player.name"))));
            }
@@ -2,6 +2,7 @@ package com.eu.habbo.messages.incoming.modtool;
 import com.eu.habbo.Emulator;
 import com.eu.habbo.habbohotel.modtool.ModToolBanType;
 import com.eu.habbo.habbohotel.modtool.ModToolManager;
 import com.eu.habbo.habbohotel.modtool.ModToolSanctionItem;
 import com.eu.habbo.habbohotel.modtool.ModToolSanctions;
 import com.eu.habbo.habbohotel.modtool.ScripterManager;
@@ -73,6 +74,7 @@ public class ModToolSanctionBanEvent extends MessageHandler {
                Emulator.getGameEnvironment().getModToolManager().ban(userId, this.client.getHabbo(), message, duration, ModToolBanType.ACCOUNT, cfhTopic);
            }
            ModToolManager.bumpUserSettingCounter(userId, "cfh_bans");
        } else {
            ScripterManager.scripterDetected(this.client, Emulator.getTexts().getValue("scripter.warning.modtools.ban").replace("%username%", this.client.getHabbo().getHabboInfo().getUsername()));
        }
@@ -1,6 +1,7 @@
 package com.eu.habbo.messages.incoming.modtool;
 import com.eu.habbo.Emulator;
 import com.eu.habbo.habbohotel.modtool.ModToolManager;
 import com.eu.habbo.habbohotel.modtool.ModToolSanctionItem;
 import com.eu.habbo.habbohotel.modtool.ModToolSanctionLevelItem;
 import com.eu.habbo.habbohotel.modtool.ModToolSanctions;
@@ -59,6 +60,8 @@ public class ModToolSanctionMuteEvent extends MessageHandler {
                    habbo.alert(message);
                    this.client.getHabbo().whisper(Emulator.getTexts().getValue("commands.succes.cmd_mute.muted").replace("%user%", habbo.getHabboInfo().getUsername()));
                }
                ModToolManager.bumpUserSettingCounter(userId, "cfh_warnings");
            } else {
                this.client.sendResponse(new ModToolIssueHandledComposer(Emulator.getTexts().getValue("generic.user.not_found").replace("%user%", Emulator.getConfig().getValue("hotel.player.name"))));
            }
@@ -1,6 +1,7 @@
 package com.eu.habbo.messages.incoming.modtool;
 import com.eu.habbo.Emulator;
 import com.eu.habbo.habbohotel.modtool.ModToolManager;
 import com.eu.habbo.habbohotel.modtool.ModToolSanctionItem;
 import com.eu.habbo.habbohotel.modtool.ModToolSanctions;
 import com.eu.habbo.habbohotel.permissions.Permission;
@@ -49,6 +50,8 @@ public class ModToolSanctionTradeLockEvent extends MessageHandler {
                    habbo.getHabboStats().setAllowTrade(false);
                    habbo.alert(message);
                }
                ModToolManager.bumpUserSettingCounter(userId, "tradelock_amount");
            } else {
                this.client.sendResponse(new ModToolIssueHandledComposer(Emulator.getTexts().getValue("generic.user.not_found").replace("%user%", Emulator.getConfig().getValue("hotel.player.name"))));
            }
@@ -37,6 +37,7 @@ public class ChangeInfostandBgEvent extends MessageHandler {
        int requestedStand = sanitize(this.packet.readInt());
        int requestedOverlay = sanitize(this.packet.readInt());
        int requestedCard = this.packet.bytesAvailable() >= 4 ? sanitize(this.packet.readInt()) : 0;
        int requestedBorder = this.packet.bytesAvailable() >= 4 ? sanitize(this.packet.readInt()) : 0;
        InfostandBackgroundManager manager = Emulator.getGameEnvironment() != null ? Emulator.getGameEnvironment().getInfostandBackgroundManager() : null;
@@ -44,11 +45,13 @@ public class ChangeInfostandBgEvent extends MessageHandler {
        int backgroundStand = resolve(manager, habbo, Category.STAND, requestedStand, info.getInfostandStand());
        int backgroundOverlay = resolve(manager, habbo, Category.OVERLAY, requestedOverlay, info.getInfostandOverlay());
        int backgroundCard = resolve(manager, habbo, Category.CARD, requestedCard, info.getInfostandCardBg());
        int backgroundBorder = resolve(manager, habbo, Category.BORDER, requestedBorder, info.getInfostandBorder());
        if (info.getInfostandBg() == backgroundImage
                && info.getInfostandStand() == backgroundStand
                && info.getInfostandOverlay() == backgroundOverlay
-                && info.getInfostandCardBg() == backgroundCard) {
+                && info.getInfostandCardBg() == backgroundCard
                && info.getInfostandBorder() == backgroundBorder) {
            return;
        }
@@ -56,6 +59,7 @@ public class ChangeInfostandBgEvent extends MessageHandler {
        info.setInfostandStand(backgroundStand);
        info.setInfostandOverlay(backgroundOverlay);
        info.setInfostandCardBg(backgroundCard);
        info.setInfostandBorder(backgroundBorder);
        info.run();
        if (info.getCurrentRoom() != null) {
@@ -12,10 +12,13 @@ import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 import java.sql.*;
 import java.text.SimpleDateFormat;
 import java.util.ArrayList;
 import java.util.Date;
 public class ModToolUserInfoComposer extends MessageComposer {
    private static final Logger LOGGER = LoggerFactory.getLogger(ModToolUserInfoComposer.class);
    private static final SimpleDateFormat DATE_FORMAT = new SimpleDateFormat("yyyy-MM-dd HH:mm");
    private final ResultSet set;
    private final boolean hideMail;
@@ -29,37 +32,30 @@ public class ModToolUserInfoComposer extends MessageComposer {
    protected ServerMessage composeInternal() {
        this.response.init(Outgoing.ModToolUserInfoComposer);
        try {
-            int totalBans = 0;
+            int userId = this.set.getInt("user_id");
            String machineId = this.set.getString("machine_id");
            int now = Emulator.getIntUnixTimestamp();
-            try (Connection connection = Emulator.getDatabase().getDataSource().getConnection();
+            int totalBans = countBansForUser(userId);
-                 PreparedStatement statement = connection.prepareStatement("SELECT COUNT(*) AS amount FROM bans WHERE user_id = ?")) {
+            int lastPurchaseTimestamp = fetchLastPurchaseTimestamp(userId);
-                statement.setInt(1, this.set.getInt("user_id"));
+            int tradeLockExpiryTimestamp = fetchActiveTradeLockExpiry(userId, now);
-                try (ResultSet set = statement.executeQuery()) {
+            int identityRelatedBanCount = countIdentityRelatedBans(userId, machineId);
                    if (set.next()) {
                       totalBans = set.getInt("amount");
                    }
                } catch (SQLException e) {
                    LOGGER.error("Caught SQL exception", e);
                }
            } catch (SQLException e) {
                LOGGER.error("Caught SQL exception", e);
            }
-            this.response.appendInt(this.set.getInt("user_id"));
+            this.response.appendInt(userId);
            this.response.appendString(this.set.getString("username"));
            this.response.appendString(this.set.getString("look"));
-            this.response.appendInt((Emulator.getIntUnixTimestamp() - this.set.getInt("account_created")) / 60);
+            this.response.appendInt((now - this.set.getInt("account_created")) / 60);
-            this.response.appendInt((this.set.getInt("online") == 1 ? 0 : Emulator.getIntUnixTimestamp() - this.set.getInt("last_online")) / 60);
+            this.response.appendInt((this.set.getInt("online") == 1 ? 0 : now - this.set.getInt("last_online")) / 60);
            this.response.appendBoolean(this.set.getInt("online") == 1);
            this.response.appendInt(this.set.getInt("cfh_send"));
            this.response.appendInt(this.set.getInt("cfh_abusive"));
            this.response.appendInt(this.set.getInt("cfh_warnings"));
            this.response.appendInt(totalBans); // Number of bans
            this.response.appendInt(this.set.getInt("tradelock_amount"));
-            this.response.appendString(""); //Trading lock expiry timestamp
+            this.response.appendString(formatUnixTimestamp(tradeLockExpiryTimestamp)); // Trading lock expiry timestamp
-            this.response.appendString(""); //Last Purchase Timestamp
+            this.response.appendString(formatUnixTimestamp(lastPurchaseTimestamp));   // Last Purchase Timestamp
-            this.response.appendInt(this.set.getInt("user_id")); //Personal Identification #
+            this.response.appendInt(userId); //Personal Identification #
-            this.response.appendInt(0); // Number of account bans
+            this.response.appendInt(identityRelatedBanCount); // Number of account bans on the same machine_id
            this.response.appendString(this.hideMail ? "" : this.set.getString("mail"));
            this.response.appendString("Rank (" + this.set.getInt("rank_id") + "): " + this.set.getString("rank_name")); //user_class_txt
@@ -90,4 +86,87 @@ public class ModToolUserInfoComposer extends MessageComposer {
    public ResultSet getSet() {
        return set;
    }
    private static int countBansForUser(int userId) {
        try (Connection connection = Emulator.getDatabase().getDataSource().getConnection();
             PreparedStatement statement = connection.prepareStatement("SELECT COUNT(*) AS amount FROM bans WHERE user_id = ?")) {
            statement.setInt(1, userId);
            try (ResultSet set = statement.executeQuery()) {
                if (set.next()) return set.getInt("amount");
            }
        } catch (SQLException e) {
            LOGGER.error("Caught SQL exception", e);
        }
        return 0;
    }
    /**
     * Most recent purchase timestamp from logs_shop_purchases for this
     * user. Returns 0 when the user has never bought anything (in which
     * case the wire field stays empty and the client shows the empty
     * placeholder).
     */
    private static int fetchLastPurchaseTimestamp(int userId) {
        try (Connection connection = Emulator.getDatabase().getDataSource().getConnection();
             PreparedStatement statement = connection.prepareStatement("SELECT MAX(`timestamp`) AS ts FROM logs_shop_purchases WHERE user_id = ?")) {
            statement.setInt(1, userId);
            try (ResultSet set = statement.executeQuery()) {
                if (set.next()) return set.getInt("ts");
            }
        } catch (SQLException e) {
            LOGGER.error("Caught SQL exception", e);
        }
        return 0;
    }
    /**
     * Latest active trade-lock expiry from the sanctions table. Only
     * locks expiring in the future are considered — past entries don't
     * count. Returns 0 when no active lock exists.
     */
    private static int fetchActiveTradeLockExpiry(int userId, int now) {
        try (Connection connection = Emulator.getDatabase().getDataSource().getConnection();
             PreparedStatement statement = connection.prepareStatement("SELECT MAX(trade_locked_until) AS expiry FROM sanctions WHERE habbo_id = ? AND trade_locked_until > ?")) {
            statement.setInt(1, userId);
            statement.setInt(2, now);
            try (ResultSet set = statement.executeQuery()) {
                if (set.next()) return set.getInt("expiry");
            }
        } catch (SQLException e) {
            LOGGER.error("Caught SQL exception", e);
        }
        return 0;
    }
    /**
     * Count of OTHER user accounts that have been banned from the same
     * machine_id as this user. An empty machine_id (default '') is
     * ignored — never matches anything by definition. Self is excluded
     * because the user's own bans are already counted under banCount.
     */
    private static int countIdentityRelatedBans(int userId, String machineId) {
        if (machineId == null || machineId.isEmpty()) return 0;
        try (Connection connection = Emulator.getDatabase().getDataSource().getConnection();
             PreparedStatement statement = connection.prepareStatement("SELECT COUNT(DISTINCT user_id) AS amount FROM bans WHERE machine_id = ? AND user_id != ?")) {
            statement.setString(1, machineId);
            statement.setInt(2, userId);
            try (ResultSet set = statement.executeQuery()) {
                if (set.next()) return set.getInt("amount");
            }
        } catch (SQLException e) {
            LOGGER.error("Caught SQL exception", e);
        }
        return 0;
    }
    /**
     * Wire format for date fields is `yyyy-MM-dd HH:mm`. A 0 timestamp
     * is rendered as an empty string so the client falls back to its
     * empty-state placeholder.
     */
    private static String formatUnixTimestamp(int timestamp) {
        if (timestamp <= 0) return "";
        return DATE_FORMAT.format(new Date(timestamp * 1000L));
    }
 }
@@ -62,6 +62,7 @@ public class RoomPetComposer extends MessageComposer implements TIntObjectProced
        this.response.appendString("");
        this.response.appendString("unknown");
        this.response.appendInt(0);
        this.response.appendInt(0);
        return true;
    }
@@ -33,6 +33,7 @@ public class RoomUserDataComposer extends MessageComposer {
        this.response.appendString(customizationData.prefixEffect);
        this.response.appendString(customizationData.prefixFont);
        this.response.appendString(customizationData.displayOrder);
        this.response.appendInt(this.habbo.getHabboInfo().getInfostandBorder());
        return this.response;
    }
@@ -78,6 +78,7 @@ public class RoomUsersComposer extends MessageComposer {
            this.response.appendString(customizationData.displayOrder);
            this.response.appendString(this.habbo.getHabboInfo().getRoomEntryMethod());
            this.response.appendInt(this.habbo.getHabboInfo().getRoomEntryTeleportId());
            this.response.appendInt(this.habbo.getHabboInfo().getInfostandBorder());
        } else if (this.habbos != null) {
            this.response.appendInt(this.habbos.size());
            for (Habbo habbo : this.habbos) {
@@ -120,6 +121,7 @@ public class RoomUsersComposer extends MessageComposer {
                    this.response.appendString(customizationData.displayOrder);
                    this.response.appendString(habbo.getHabboInfo().getRoomEntryMethod());
                    this.response.appendInt(habbo.getHabboInfo().getRoomEntryTeleportId());
                    this.response.appendInt(habbo.getHabboInfo().getInfostandBorder());
                }
            }
        } else if (this.bot != null) {
@@ -154,6 +156,7 @@ public class RoomUsersComposer extends MessageComposer {
            this.response.appendShort(9);
            this.response.appendString("unknown");
            this.response.appendInt(0);
            this.response.appendInt(0);
        } else if (this.bots != null) {
            this.response.appendInt(this.bots.size());
            for (Bot bot : this.bots) {
@@ -187,6 +190,7 @@ public class RoomUsersComposer extends MessageComposer {
                this.response.appendShort(9);
                this.response.appendString("unknown");
                this.response.appendInt(0);
                this.response.appendInt(0);
            }
        }
        return this.response;
@@ -1,11 +1,57 @@
 package com.eu.habbo.messages.outgoing.users;
 import com.eu.habbo.Emulator;
 import com.eu.habbo.habbohotel.permissions.Permission;
 import com.eu.habbo.habbohotel.permissions.PermissionSetting;
 import com.eu.habbo.habbohotel.permissions.Rank;
 import com.eu.habbo.habbohotel.users.Habbo;
 import com.eu.habbo.messages.ServerMessage;
 import com.eu.habbo.messages.outgoing.MessageComposer;
 import com.eu.habbo.messages.outgoing.Outgoing;
 import com.eu.habbo.plugin.HabboPlugin;
 import java.util.LinkedHashMap;
 import java.util.Map;
 /**
 * Sends the full per-user permission state to the connected client.
 *
 * Wire layout (each trailing block is guarded by `bytesAvailable` on
 * the client so older Nitro builds keep parsing the prefix and stop):
 *
 *   int     clubLevel
 *   int     rank.level                           // mapped to securityLevel on the client
 *   bool    isAmbassador                         // legacy ACC_AMBASSADOR flag
 *   --- rank metadata (Arcturus ≥ 4.2.10) ---
 *   int     rank.id
 *   string  rank.name                            // permission_ranks.rank_name
 *   string  rank.badge
 *   string  rank.prefix
 *   string  rank.prefixColor
 *   --- resolved permission map (Arcturus ≥ 4.2.10) ---
 *   int     count
 *   loop:   string permission_key + int value   // 1 = ALLOWED, 2 = ROOM_OWNER
 *
 * The map is the union of:
 *   • rank entries with `PermissionSetting != DISALLOWED` — same data
 *     `Rank.hasPermission(key, isRoomOwner)` reads server-side.
 *   • plugin grants — for each key the rank doesn't allow, every
 *     installed `HabboPlugin.hasPermission(habbo, key)` is consulted;
 *     if any plugin grants it, the key lands on the wire with value 1
 *     (plugins don't have a ROOM_OWNER concept).
 *
 * The React-side `useHasPermission(key)` / `useUserPermissions()`
 * consumers read the map directly so UI gates follow the same
 * semantics as `PermissionsManager.hasPermission(habbo, key)`
 * server-side — including plugin-granted permissions, which were
 * invisible to the client before this commit.
 *
 * Two send points:
 *   1. End of `SecureLoginEvent` — client receives the full state once.
 *   2. Inside `HabboManager.setRank` — runtime promote/demote refresh.
 *   3. Inside `UpdatePermissionsCommand` — broadcast after
 *      `:update_permissions` reloads the tables at runtime.
 */
 public class UserPermissionsComposer extends MessageComposer {
    private final int clubLevel;
@@ -20,11 +66,70 @@ public class UserPermissionsComposer extends MessageComposer {
    protected ServerMessage composeInternal() {
        this.response.init(Outgoing.UserPermissionsComposer);
        this.response.appendInt(this.clubLevel);
-        this.response.appendInt(this.habbo.getHabboInfo().getRank().getLevel());
+
        Rank rank = this.habbo.getHabboInfo().getRank();
        this.response.appendInt(rank.getLevel());
        this.response.appendBoolean(this.habbo.hasPermission(Permission.ACC_AMBASSADOR));
        // Rank metadata
        this.response.appendInt(rank.getId());
        this.response.appendString(rank.getName());
        this.response.appendString(rank.getBadge());
        this.response.appendString(rank.getPrefix());
        this.response.appendString(rank.getPrefixColor());
        // Build the resolved permission map. Walk rank.getPermissions()
        // (Rank.permissions has every row from permission_definitions
        // because PermissionsManager.loadPermissionsNormalized() calls
        // rank.setPermission(key, …) for every key, including DISALLOWED
        // ones) and emit the final value per key:
        //   ALLOWED                 → 1
        //   ROOM_OWNER              → 2
        //   DISALLOWED + plugin yes → 1
        //   DISALLOWED + plugin no  → omit
        //
        // LinkedHashMap preserves the alphabetical order that the rank
        // table was populated with, which is helpful for snapshotting
        // and grep'ing wire dumps.
        Map<String, Permission> rankPermissions = rank.getPermissions();
        Map<String, Integer> resolved = new LinkedHashMap<>(rankPermissions.size());
        for (Map.Entry<String, Permission> entry : rankPermissions.entrySet()) {
            String key = entry.getKey();
            Permission rankPerm = entry.getValue();
            if (rankPerm.setting == PermissionSetting.ALLOWED) {
                resolved.put(key, 1);
            } else if (rankPerm.setting == PermissionSetting.ROOM_OWNER) {
                resolved.put(key, 2);
            } else if (this.anyPluginGrants(key)) {
                resolved.put(key, 1);
            }
        }
        // Plugins may also grant CUSTOM keys that aren't in
        // permission_definitions — rare but legal. There's no enumeration
        // API on HabboPlugin to discover them, so they stay invisible
        // here. Document the limitation rather than over-engineer.
        this.response.appendInt(resolved.size());
        for (Map.Entry<String, Integer> entry : resolved.entrySet()) {
            this.response.appendString(entry.getKey());
            this.response.appendInt(entry.getValue());
        }
        return this.response;
    }
    private boolean anyPluginGrants(String key) {
        for (HabboPlugin plugin : Emulator.getPluginManager().getPlugins()) {
            if (plugin.hasPermission(this.habbo, key)) return true;
        }
        return false;
    }
    public int getClubLevel() {
        return clubLevel;
    }
@@ -5,6 +5,7 @@ import com.eu.habbo.messages.PacketManager;
 import com.eu.habbo.networking.gameserver.auth.AuthHttpHandler;
 import com.eu.habbo.networking.gameserver.auth.NitroSecureApiHandler;
 import com.eu.habbo.networking.gameserver.auth.NitroSecureAssetHandler;
 import com.eu.habbo.networking.gameserver.badges.BadgeLeaderboardHttpHandler;
 import com.eu.habbo.networking.gameserver.badges.BadgeHttpHandler;
 import com.eu.habbo.networking.gameserver.codec.WebSocketCodec;
 import com.eu.habbo.networking.gameserver.crypto.WsHandshakeHandler;
@@ -60,6 +61,7 @@ public class WebSocketChannelInitializer extends ChannelInitializer<SocketChanne
        ch.pipeline().addLast("nitroSecureApiHandler", new NitroSecureApiHandler());
        ch.pipeline().addLast("authHttpHandler", new AuthHttpHandler());
        ch.pipeline().addLast("badgeHttpHandler", new BadgeHttpHandler());
        ch.pipeline().addLast("badgeLeaderboardHttpHandler", new BadgeLeaderboardHttpHandler());
        ch.pipeline().addLast("wsProtocolHandler", new WebSocketServerProtocolHandler(this.wsConfig));
        ch.pipeline().addLast("wsFrameAggregator", new WebSocketFrameAggregator(MAX_FRAME_SIZE));
        ch.pipeline().addLast("wsCodec", new WebSocketCodec());
@@ -0,0 +1,458 @@
 package com.eu.habbo.networking.gameserver.badges;
 import com.eu.habbo.Emulator;
 import com.eu.habbo.networking.gameserver.auth.AccessTokenService;
 import com.eu.habbo.networking.gameserver.auth.CorsOriginGate;
 import com.google.gson.JsonArray;
 import com.google.gson.JsonObject;
 import io.netty.buffer.Unpooled;
 import io.netty.channel.ChannelFutureListener;
 import io.netty.channel.ChannelHandlerContext;
 import io.netty.channel.ChannelInboundHandlerAdapter;
 import io.netty.handler.codec.http.*;
 import io.netty.util.ReferenceCountUtil;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 import java.nio.charset.StandardCharsets;
 import java.sql.Connection;
 import java.sql.PreparedStatement;
 import java.sql.ResultSet;
 import java.util.*;
 public class BadgeLeaderboardHttpHandler extends ChannelInboundHandlerAdapter {
    private static final Logger LOGGER = LoggerFactory.getLogger(BadgeLeaderboardHttpHandler.class);
    private static final String BASE_PATH = "/api/badges/leaderboard";
    private static final long CACHE_TTL_MS = 15_000L;
    private static final int MAX_BOARD_USERS = 100;
    private static volatile Snapshot cache = null;
    private static final class Snapshot {
        final List<UserBadgeAggregate> badgeUsers;
        final List<UserAchievementAggregate> achievementUsers;
        final JsonArray badgeStats;
        final long expiresAt;
        Snapshot(List<UserBadgeAggregate> badgeUsers, List<UserAchievementAggregate> achievementUsers, JsonArray badgeStats, long expiresAt) {
            this.badgeUsers = badgeUsers;
            this.achievementUsers = achievementUsers;
            this.badgeStats = badgeStats;
            this.expiresAt = expiresAt;
        }
    }
    private static final class UserBadgeAggregate {
        final int userId;
        final String username;
        final String figure;
        final int totalBadges;
        final EnumMap<Rarity, Integer> counts;
        UserBadgeAggregate(int userId, String username, String figure, int totalBadges, EnumMap<Rarity, Integer> counts) {
            this.userId = userId;
            this.username = username;
            this.figure = figure;
            this.totalBadges = totalBadges;
            this.counts = counts;
        }
    }
    private static final class UserAchievementAggregate {
        final int userId;
        final String username;
        final String figure;
        final int achievementScore;
        UserAchievementAggregate(int userId, String username, String figure, int achievementScore) {
            this.userId = userId;
            this.username = username;
            this.figure = figure;
            this.achievementScore = achievementScore;
        }
    }
    private static final class ViewerProfile {
        final int userId;
        final String username;
        final String figure;
        ViewerProfile(int userId, String username, String figure) {
            this.userId = userId;
            this.username = username;
            this.figure = figure;
        }
    }
    private enum Rarity {
        COMMON("common"),
        RARE("rare"),
        EPIC("epic"),
        LEGENDARY("legendary"),
        MYTHICAL("mythical"),
        UNIQUE("unique");
        final String key;
        Rarity(String key) {
            this.key = key;
        }
    }
    @Override
    public void channelRead(ChannelHandlerContext ctx, Object msg) throws Exception {
        if (!(msg instanceof FullHttpRequest req)) {
            super.channelRead(ctx, msg);
            return;
        }
        String path = new QueryStringDecoder(req.uri()).path();
        if (!path.equals(BASE_PATH) && !path.startsWith(BASE_PATH + "/")) {
            super.channelRead(ctx, msg);
            return;
        }
        try {
            handle(ctx, req);
        } finally {
            ReferenceCountUtil.release(req);
        }
    }
    private void handle(ChannelHandlerContext ctx, FullHttpRequest req) {
        if (req.method() == HttpMethod.OPTIONS) {
            sendCors(ctx, req);
            return;
        }
        if (req.method() != HttpMethod.GET && req.method() != HttpMethod.HEAD) {
            sendJson(ctx, req, HttpResponseStatus.METHOD_NOT_ALLOWED, error("Use GET."));
            return;
        }
        try {
            Snapshot snapshot = loadSnapshot();
            int viewerUserId = authenticateOptional(req);
            ViewerProfile viewerProfile = loadViewerProfile(viewerUserId);
            JsonObject payload = new JsonObject();
            payload.addProperty("viewerUserId", viewerUserId);
            payload.add("badgeStats", cloneArray(snapshot.badgeStats));
            payload.add("thresholds", buildThresholdsPayload());
            JsonObject boards = new JsonObject();
            boards.add("totalBadges", buildBadgeBoard(snapshot.badgeUsers, viewerUserId, viewerProfile, null));
            boards.add("achievementLevel", buildAchievementBoard(snapshot.achievementUsers, viewerUserId, viewerProfile));
            JsonObject rarityBoards = new JsonObject();
            for (Rarity rarity : Rarity.values()) {
                rarityBoards.add(rarity.key, buildBadgeBoard(snapshot.badgeUsers, viewerUserId, viewerProfile, rarity));
            }
            boards.add("rarity", rarityBoards);
            payload.add("leaderboards", boards);
            sendJson(ctx, req, HttpResponseStatus.OK, payload);
        } catch (Exception e) {
            LOGGER.error("[badges/leaderboard] unexpected error", e);
            sendJson(ctx, req, HttpResponseStatus.INTERNAL_SERVER_ERROR, error("Server error."));
        }
    }
    private Snapshot loadSnapshot() throws Exception {
        long now = System.currentTimeMillis();
        Snapshot current = cache;
        if (current != null && current.expiresAt >= now) return current;
        synchronized (BadgeLeaderboardHttpHandler.class) {
            current = cache;
            if (current != null && current.expiresAt >= now) return current;
            JsonArray badgeStats = new JsonArray();
            List<UserBadgeAggregate> badgeUsers = new ArrayList<>();
            List<UserAchievementAggregate> achievementUsers = new ArrayList<>();
            try (Connection connection = Emulator.getDatabase().getDataSource().getConnection()) {
                loadBadgeStats(connection, badgeStats);
                loadBadgeUsers(connection, badgeUsers);
                loadAchievementUsers(connection, achievementUsers);
            }
            Snapshot built = new Snapshot(badgeUsers, achievementUsers, badgeStats, now + CACHE_TTL_MS);
            cache = built;
            return built;
        }
    }
    private void loadBadgeStats(Connection connection, JsonArray badgeStats) throws Exception {
        try (PreparedStatement statement = connection.prepareStatement(
                "SELECT badge_code, COUNT(DISTINCT user_id) AS owner_count " +
                        "FROM users_badges GROUP BY badge_code ORDER BY owner_count ASC, badge_code ASC")) {
            try (ResultSet set = statement.executeQuery()) {
                while (set.next()) {
                    String badgeCode = set.getString("badge_code");
                    int ownerCount = set.getInt("owner_count");
                    JsonObject entry = new JsonObject();
                    entry.addProperty("badgeCode", badgeCode);
                    entry.addProperty("ownerCount", ownerCount);
                    entry.addProperty("rarity", classify(ownerCount).key);
                    badgeStats.add(entry);
                }
            }
        }
    }
    private void loadBadgeUsers(Connection connection, List<UserBadgeAggregate> badgeUsers) throws Exception {
        String sql =
                "SELECT u.id AS user_id, u.username, u.look, " +
                        "COUNT(DISTINCT ub.badge_code) AS total_badges, " +
                        "COUNT(DISTINCT CASE WHEN counts.owner_count > 50 THEN ub.badge_code END) AS common_count, " +
                        "COUNT(DISTINCT CASE WHEN counts.owner_count > 10 AND counts.owner_count <= 50 THEN ub.badge_code END) AS rare_count, " +
                        "COUNT(DISTINCT CASE WHEN counts.owner_count > 6 AND counts.owner_count <= 10 THEN ub.badge_code END) AS epic_count, " +
                        "COUNT(DISTINCT CASE WHEN counts.owner_count > 3 AND counts.owner_count <= 6 THEN ub.badge_code END) AS legendary_count, " +
                        "COUNT(DISTINCT CASE WHEN counts.owner_count > 1 AND counts.owner_count <= 3 THEN ub.badge_code END) AS mythical_count, " +
                        "COUNT(DISTINCT CASE WHEN counts.owner_count = 1 THEN ub.badge_code END) AS unique_count " +
                        "FROM users_badges ub " +
                        "INNER JOIN users u ON u.id = ub.user_id " +
                        "INNER JOIN (SELECT badge_code, COUNT(DISTINCT user_id) AS owner_count FROM users_badges GROUP BY badge_code) counts ON counts.badge_code = ub.badge_code " +
                        "GROUP BY u.id, u.username, u.look";
        try (PreparedStatement statement = connection.prepareStatement(sql)) {
            try (ResultSet set = statement.executeQuery()) {
                while (set.next()) {
                    EnumMap<Rarity, Integer> counts = new EnumMap<>(Rarity.class);
                    counts.put(Rarity.COMMON, set.getInt("common_count"));
                    counts.put(Rarity.RARE, set.getInt("rare_count"));
                    counts.put(Rarity.EPIC, set.getInt("epic_count"));
                    counts.put(Rarity.LEGENDARY, set.getInt("legendary_count"));
                    counts.put(Rarity.MYTHICAL, set.getInt("mythical_count"));
                    counts.put(Rarity.UNIQUE, set.getInt("unique_count"));
                    badgeUsers.add(new UserBadgeAggregate(
                            set.getInt("user_id"),
                            safe(set.getString("username")),
                            safe(set.getString("look")),
                            set.getInt("total_badges"),
                            counts
                    ));
                }
            }
        }
    }
    private void loadAchievementUsers(Connection connection, List<UserAchievementAggregate> achievementUsers) throws Exception {
        try (PreparedStatement statement = connection.prepareStatement(
                "SELECT u.id AS user_id, u.username, u.look, COALESCE(us.achievement_score, 0) AS achievement_score " +
                        "FROM users u INNER JOIN users_settings us ON us.user_id = u.id " +
                        "WHERE COALESCE(us.achievement_score, 0) > 0")) {
            try (ResultSet set = statement.executeQuery()) {
                while (set.next()) {
                    achievementUsers.add(new UserAchievementAggregate(
                            set.getInt("user_id"),
                            safe(set.getString("username")),
                            safe(set.getString("look")),
                            set.getInt("achievement_score")
                    ));
                }
            }
        }
    }
    private ViewerProfile loadViewerProfile(int viewerUserId) throws Exception {
        if (viewerUserId <= 0) return null;
        try (Connection connection = Emulator.getDatabase().getDataSource().getConnection();
             PreparedStatement statement = connection.prepareStatement(
                     "SELECT id, username, look FROM users WHERE id = ? LIMIT 1")) {
            statement.setInt(1, viewerUserId);
            try (ResultSet set = statement.executeQuery()) {
                if (!set.next()) return null;
                return new ViewerProfile(
                        set.getInt("id"),
                        safe(set.getString("username")),
                        safe(set.getString("look"))
                );
            }
        }
    }
    private JsonObject buildBadgeBoard(List<UserBadgeAggregate> users, int viewerUserId, ViewerProfile viewerProfile, Rarity rarity) {
        List<JsonObject> ranked = new ArrayList<>();
        for (UserBadgeAggregate user : users) {
            int score = (rarity == null) ? user.totalBadges : user.counts.getOrDefault(rarity, 0);
            if (score <= 0) continue;
            ranked.add(toEntry(user.userId, user.username, user.figure, score));
        }
        ranked.sort((a, b) -> {
            int scoreCompare = Integer.compare(b.get("score").getAsInt(), a.get("score").getAsInt());
            if (scoreCompare != 0) return scoreCompare;
            return Integer.compare(a.get("userId").getAsInt(), b.get("userId").getAsInt());
        });
        return finalizeBoard(ranked, viewerUserId, viewerProfile);
    }
    private JsonObject buildAchievementBoard(List<UserAchievementAggregate> users, int viewerUserId, ViewerProfile viewerProfile) {
        List<JsonObject> ranked = new ArrayList<>();
        for (UserAchievementAggregate user : users) {
            if (user.achievementScore <= 0) continue;
            ranked.add(toEntry(user.userId, user.username, user.figure, user.achievementScore));
        }
        ranked.sort((a, b) -> {
            int scoreCompare = Integer.compare(b.get("score").getAsInt(), a.get("score").getAsInt());
            if (scoreCompare != 0) return scoreCompare;
            return Integer.compare(a.get("userId").getAsInt(), b.get("userId").getAsInt());
        });
        return finalizeBoard(ranked, viewerUserId, viewerProfile);
    }
    private JsonObject finalizeBoard(List<JsonObject> ranked, int viewerUserId, ViewerProfile viewerProfile) {
        JsonArray entries = new JsonArray();
        JsonObject viewerEntry = null;
        int cappedSize = Math.min(ranked.size(), MAX_BOARD_USERS);
        for (int index = 0; index < cappedSize; index++) {
            JsonObject entry = ranked.get(index).deepCopy();
            int rank = index + 1;
            entry.addProperty("rank", rank);
            entries.add(entry);
            if (viewerUserId > 0 && entry.get("userId").getAsInt() == viewerUserId) viewerEntry = entry;
        }
        if (viewerEntry == null && viewerUserId > 0) {
            for (int index = 0; index < ranked.size(); index++) {
                JsonObject entry = ranked.get(index);
                if (entry.get("userId").getAsInt() != viewerUserId) continue;
                viewerEntry = entry.deepCopy();
                viewerEntry.addProperty("rank", index + 1);
                break;
            }
        }
        if (viewerEntry == null && viewerProfile != null) {
            viewerEntry = toEntry(viewerProfile.userId, viewerProfile.username, viewerProfile.figure, 0);
            viewerEntry.addProperty("rank", 0);
        }
        JsonObject board = new JsonObject();
        board.add("entries", entries);
        board.addProperty("totalPlayers", cappedSize);
        board.add("viewerEntry", viewerEntry != null ? viewerEntry : new JsonObject());
        return board;
    }
    private JsonObject toEntry(int userId, String username, String figure, int score) {
        JsonObject entry = new JsonObject();
        entry.addProperty("userId", userId);
        entry.addProperty("username", username);
        entry.addProperty("figure", figure);
        entry.addProperty("score", score);
        return entry;
    }
    private JsonObject buildThresholdsPayload() {
        JsonObject thresholds = new JsonObject();
        thresholds.addProperty("commonMinOwners", 51);
        thresholds.addProperty("rareMinOwners", 11);
        thresholds.addProperty("epicMinOwners", 7);
        thresholds.addProperty("legendaryMinOwners", 4);
        thresholds.addProperty("mythicalMinOwners", 2);
        thresholds.addProperty("uniqueOwners", 1);
        return thresholds;
    }
    private static Rarity classify(int ownerCount) {
        if (ownerCount > 50) return Rarity.COMMON;
        if (ownerCount > 10) return Rarity.RARE;
        if (ownerCount > 6) return Rarity.EPIC;
        if (ownerCount > 3) return Rarity.LEGENDARY;
        if (ownerCount > 1) return Rarity.MYTHICAL;
        if (ownerCount > 0) return Rarity.UNIQUE;
        return Rarity.COMMON;
    }
    private static int authenticateOptional(FullHttpRequest req) {
        String header = req.headers().get(HttpHeaderNames.AUTHORIZATION);
        if (header == null || header.isEmpty()) return 0;
        String token = header.startsWith("Bearer ") ? header.substring(7).trim() : header.trim();
        return AccessTokenService.verify(token);
    }
    private static JsonArray cloneArray(JsonArray source) {
        JsonArray copy = new JsonArray();
        source.forEach(element -> copy.add(element.deepCopy()));
        return copy;
    }
    private static String safe(String value) {
        return value == null ? "" : value;
    }
    private static JsonObject error(String message) {
        JsonObject obj = new JsonObject();
        obj.addProperty("error", message);
        return obj;
    }
    private static void sendJson(ChannelHandlerContext ctx, FullHttpRequest req, HttpResponseStatus status, JsonObject body) {
        byte[] bytes = body.toString().getBytes(StandardCharsets.UTF_8);
        FullHttpResponse response = new DefaultFullHttpResponse(HttpVersion.HTTP_1_1, status, Unpooled.wrappedBuffer(bytes));
        response.headers().set(HttpHeaderNames.CONTENT_TYPE, "application/json; charset=utf-8");
        response.headers().setInt(HttpHeaderNames.CONTENT_LENGTH, bytes.length);
        response.headers().set(HttpHeaderNames.CACHE_CONTROL, "no-store, no-cache, must-revalidate");
        applyCors(req, response);
        boolean keepAlive = isKeepAlive(req);
        if (keepAlive) response.headers().set(HttpHeaderNames.CONNECTION, HttpHeaderValues.KEEP_ALIVE);
        var future = ctx.writeAndFlush(response);
        if (!keepAlive) future.addListener(ChannelFutureListener.CLOSE);
    }
    private static void sendCors(ChannelHandlerContext ctx, FullHttpRequest req) {
        FullHttpResponse response = new DefaultFullHttpResponse(HttpVersion.HTTP_1_1, HttpResponseStatus.NO_CONTENT);
        applyCors(req, response);
        ctx.writeAndFlush(response).addListener(ChannelFutureListener.CLOSE);
    }
    private static void applyCors(FullHttpRequest req, FullHttpResponse response) {
        String origin = req.headers().get(HttpHeaderNames.ORIGIN);
        if (origin != null && !origin.isEmpty() && CorsOriginGate.isAllowed(req)) {
            response.headers().set("Access-Control-Allow-Origin", origin);
            response.headers().set("Access-Control-Allow-Credentials", "true");
        }
        response.headers().set("Access-Control-Allow-Methods", "GET, HEAD, OPTIONS");
        String requestedHeaders = req.headers().get("Access-Control-Request-Headers");
        if (requestedHeaders != null && !requestedHeaders.isEmpty()) {
            response.headers().set("Access-Control-Allow-Headers", requestedHeaders);
        } else {
            response.headers().set("Access-Control-Allow-Headers",
                    "Authorization, Content-Type, X-Requested-With, X-Nitro-Key, X-Nitro-Api");
        }
        response.headers().set("Vary", "Origin, Access-Control-Request-Headers, Access-Control-Request-Method");
        response.headers().set("Access-Control-Max-Age", "600");
        response.headers().set("Access-Control-Expose-Headers", "X-Nitro-Sec, X-Nitro-Key-Fp, X-Nitro-Derive-Fp");
    }
    private static boolean isKeepAlive(FullHttpRequest req) {
        String connection = req.headers().get(HttpHeaderNames.CONNECTION);
        return connection == null || !"close".equalsIgnoreCase(connection);
    }
 }
@@ -8,10 +8,13 @@ import io.netty.channel.ChannelHandlerContext;
 import io.netty.channel.ChannelInboundHandlerAdapter;
 import io.netty.handler.codec.http.*;
 import io.netty.util.ReferenceCountUtil;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 import java.net.URI;
 public class WebSocketHttpHandler extends ChannelInboundHandlerAdapter {
    private static final Logger LOGGER = LoggerFactory.getLogger(WebSocketHttpHandler.class);
    private static final String ORIGIN_HEADER = "Origin";
    @Override
@@ -27,6 +30,12 @@ public class WebSocketHttpHandler extends ChannelInboundHandlerAdapter {
    }
    private boolean handleHttpRequest(ChannelHandlerContext ctx, HttpMessage req) {
        captureForwardedIp(ctx, req);
        if (!isWebSocketUpgrade(req)) {
            return true;
        }
        String origin = "error";
        try {
@@ -38,27 +47,47 @@ public class WebSocketHttpHandler extends ChannelInboundHandlerAdapter {
        String whitelist = Emulator.getConfig().getValue("ws.whitelist", "localhost");
        if (!isWhitelisted(origin, whitelist.split(","))) {
            LOGGER.warn("WebSocket upgrade rejected — origin '{}' not in ws.whitelist='{}'",
                    req.headers().get(ORIGIN_HEADER), whitelist);
            FullHttpResponse response = new DefaultFullHttpResponse(
                    HttpVersion.HTTP_1_1,
                    HttpResponseStatus.FORBIDDEN,
                    Unpooled.wrappedBuffer("Origin forbidden".getBytes())
            );
            response.headers().set("Vary", "Origin");
            ctx.writeAndFlush(response).addListener(ChannelFutureListener.CLOSE);
            return false;
        }
        String ipHeader = Emulator.getConfig().getValue("ws.ip.header", "");
        if (!ipHeader.isEmpty() && req.headers().contains(ipHeader)) {
            String ip = req.headers().get(ipHeader);
            ctx.channel().attr(GameServerAttributes.WS_IP).set(ip);
        }
        return true;
    }
    private static void captureForwardedIp(ChannelHandlerContext ctx, HttpMessage req) {
        String ipHeader = Emulator.getConfig().getValue("ws.ip.header", "");
        if (!ipHeader.isEmpty() && req.headers().contains(ipHeader)) {
            String ip = req.headers().get(ipHeader);
            ctx.channel().attr(GameServerAttributes.WS_IP).set(ip);
        }
    }
    private static boolean isWebSocketUpgrade(HttpMessage req) {
        String upgrade = req.headers().get(HttpHeaderNames.UPGRADE);
        if (upgrade == null || !"websocket".equalsIgnoreCase(upgrade)) return false;
        String connection = req.headers().get(HttpHeaderNames.CONNECTION);
        if (connection == null) return false;
        for (String token : connection.split(",")) {
            if ("upgrade".equalsIgnoreCase(token.trim())) return true;
        }
        return false;
    }
    private static String getDomainNameFromUrl(String url) throws Exception {
        URI uri = new URI(url);
        String domain = uri.getHost();
        if (domain == null) return "error";
        return domain.startsWith("www.") ? domain.substring(4) : domain;
    }
@@ -27,16 +27,6 @@ rcon.host=127.0.0.1
 rcon.port=3001
 rcon.allowed=127.0.0.1;127.0.0.2
 #WebSocket Configuration (for Nitro)
 #Set ws.enabled to true to enable WebSocket connections.
 ws.enabled=false
 ws.host=0.0.0.0
 ws.port=2096
 #Comma-separated whitelist of allowed origins. Supports wildcards: *.example.com, * (allow all)
 ws.whitelist=localhost
 #Header name for real client IP when behind a proxy (e.g., X-Forwarded-For, CF-Connecting-IP). Leave empty if not using a proxy.
 ws.ip.header=
 # Databse configuration
 db.pool.connection_timeout_ms = 10000
 db.pool.idle_timeout_ms       = 600000
@@ -69,3 +59,12 @@ login.remember.jwt.secret=
 # Login news API.
 login.news.limit=5
 #WebSocket Configuration (for Nitro)
 #Please adjust this setting in the Database !!!!
 ### ws.enabled=false
 ### ws.host=0.0.0.0
 ### ws.port=2096
 ### ws.whitelist=localhost #Comma-separated whitelist of allowed origins. Supports wildcards: *.example.com, * (allow all)
 ### ws.ip.header=X-Forwarded-For #Header name for real client IP when behind a proxy (e.g., X-Forwarded-For, CF-Connecting-IP). Leave empty if not using a proxy.
Author	SHA1	Message	Date
github-actions[bot]	969f177108	🆙 Bump version to 4.2.13 [skip ci]	2026-05-21 07:02:08 +00:00
DuckieTM	e485c2747c	Merge pull request #116 from duckietm/dev Dev	2026-05-21 09:01:07 +02:00
DuckieTM	d99a51899b	Merge pull request #115 from simoleo89/fix/modtool-counter-bumps fix(modtool): bump users_settings counters on every sanction	2026-05-21 07:40:49 +02:00
DuckieTM	29677a19be	Merge pull request #114 from simoleo89/feat/modtool-user-info-real-data feat(modtool): populate lastPurchase / tradeLockExpiry / identityBans	2026-05-21 07:40:34 +02:00
DuckieTM	21ee36e089	Merge pull request #113 from simoleo89/fix/acc-supporttool-rank-pattern fix(permissions): acc_supporttool incorrectly granted to VIP, denied to Super Mod	2026-05-21 07:40:19 +02:00
simoleo89	4e47dbee16	fix(modtool): bump users_settings counters on every sanction The User Info panel reads its CFH / Cautions / Bans / Trade locks counters from `users_settings.cfh_send` / `cfh_warnings` / `cfh_bans` (via totalBans) / `tradelock_amount`. Historically only `cfh_send` was ever incremented (by `InsertModToolIssue` on CFH submit), so a user could accumulate any number of Alert / Mute / Ban / TradeLock sanctions without the stats reflecting it — every panel showed all zeros even on accounts with a long sanction history visible in the modern `sanctions` table. The two systems aren't going away — `ModToolSanctions` (the modern one) tracks individual sanction events with probation timestamps, while the legacy `users_settings.cfh_*` columns are flat counters the ModTool UI displays. Both need to stay in sync. Wire them up: `ModToolManager.bumpUserSettingCounter(userId, column)` Static helper, column-whitelisted (`cfh_warnings` / `cfh_bans` / `cfh_abusive` / `tradelock_amount`) to keep the dynamic SQL safe. Single UPDATE per call; SQL exceptions logged, never thrown. `ModToolSanctionAlertEvent`, `ModToolSanctionMuteEvent` → bump `cfh_warnings`. Mute is a punitive but non-banning action; both it and Alert are recorded as a warning on the legacy counter, matching what the Cautions stat card represents in the new UI. `ModToolSanctionBanEvent` → bump `cfh_bans`. The `totalBans` field the composer sends ALREADY counts entries in the `bans` table, so the wire field reflects reality immediately — this column bump is a defensive duplicate so any code that reads `users_settings.cfh_bans` directly (e.g. plugin scripts, CMS dashboards) stays in sync. `ModToolSanctionTradeLockEvent` → bump `tradelock_amount`. Mirrors what `AllowTradingCommand` already does for the command-line path. `ModToolManager.closeTicketAsAbusive` → bump `cfh_abusive` for the REPORTER (issue.senderId), not the reported user. The Abusive counter measures false reports filed by the user, so it belongs on whoever opened the CFH that got closed as abusive. No client-side changes — counter columns are unchanged, only the write paths are.	2026-05-20 21:54:07 +02:00
simoleo89	e7ba4d0926	feat(modtool): populate lastPurchase / tradeLockExpiry / identityBans ModToolUserInfoComposer used to send three trailing fields hardcoded to empty/zero — the client rendered placeholders for every user, on every panel open: appendString(""); // Trading lock expiry timestamp appendString(""); // Last Purchase Timestamp appendInt(0); // Number of account bans These are useful moderation signals and the data already exists in the live tables. Wire them up. Last Purchase Query MAX(timestamp) FROM logs_shop_purchases WHERE user_id = ?. Returns the most recent purchase epoch. Rendered as yyyy-MM-dd HH:mm. Empty when the user has never bought anything (the query returns NULL → getInt returns 0 → formatUnixTimestamp emits ""). Trading lock expiry Query MAX(trade_locked_until) FROM sanctions WHERE habbo_id = ? AND trade_locked_until > <now>. Latest ACTIVE lock only — past entries don't count. Same yyyy-MM-dd HH:mm format. Empty when no active lock. Identity related bans Count of DISTINCT other user accounts that have a ban entry against the same machine_id as the target. Self is excluded since the target's own bans already show up in banCount. An empty machine_id (default '') short-circuits to 0 so we never match accounts whose machine fingerprint was never recorded. The existing totalBans counter is extracted into a helper alongside the three new ones — cleaner than the inline try-catch tower it used to live in, same behaviour. Format choice yyyy-MM-dd HH:mm matches the timestamp shown elsewhere in moderation UI; both string fields go through the same formatter so the empty case stays consistent (empty string, not "1970-01-01..."). No client-side changes needed — ModeratorUserInfoData already parses both strings and the int, and the React ModToolsUserView already renders them. They were just always empty before.	2026-05-20 21:32:10 +02:00
simoleo89	67d2f52f64	fix(permissions): acc_supporttool incorrectly granted to VIP, denied to Super Mod The default permission_definitions seed for acc_supporttool used the pattern (0, 1, 1, 1, 1, 0, 1) across rank_1..rank_7 — apparently shifted by two columns: * rank_2 (VIP) and rank_3 (X) had ALLOWED. With acc_supporttool=1 the SecureLoginEvent path sends ModeratorInitMessageEvent on login, which makes the React client surface the ModTools toolbar button and let the user open room/user info windows. The actual sanction endpoints (ModToolSanctionBanEvent, ModToolWarnEvent, …) still gate on ACC_SUPPORTTOOL so a VIP cannot actually take moderator action — but they can request user info, room info and chatlogs they have no business reading. * rank_6 (Super Mod) was DISALLOWED, which is obviously not what the name says. Corrected pattern: (0, 0, 0, 1, 1, 1, 1) — Support (4), Moderator (5), Super Mod (6), Administrator (7). Matches the convention used by the other staff-only acc_modtool_* keys. Two changes: - Default Database/FullDatabase.sql: fix the seed for fresh installs. - Database Updates/004_fix_acc_supporttool_rank.sql: idempotent UPDATE to realign existing deployments. Found by user report: a rank-2 (VIP) account on the live retro had the ModTools button visible in the toolbar after login.	2026-05-20 20:34:37 +02:00
github-actions[bot]	69d770b65e	🆙 Bump version to 4.2.12 [skip ci]	2026-05-20 09:36:00 +00:00
DuckieTM	2492569e16	Merge pull request #112 from duckietm/dev 🆙 Added the missing pet package for the borderID	2026-05-20 11:34:57 +02:00
duckietm	9c215bea6b	🆙 Added the missing pet package for the borderID	2026-05-20 11:34:33 +02:00
github-actions[bot]	7dc3581f8f	🆙 Bump version to 4.2.11 [skip ci]	2026-05-20 06:25:19 +00:00
DuckieTM	f38eb32eee	Merge pull request #111 from duckietm/dev Dev	2026-05-20 08:24:20 +02:00
duckietm	222e356ff0	Merge branch 'dev' of https://github.com/duckietm/Arcturus-Morningstar-Extended into dev	2026-05-20 08:23:31 +02:00
duckietm	c8022ccc45	Small update	2026-05-20 08:23:22 +02:00
DuckieTM	9579833775	Merge branch 'main' into dev	2026-05-20 08:20:56 +02:00
DuckieTM	87ad289a54	Merge pull request #110 from simoleo89/pr/update-permissions-broadcast feat(commands): :update_permissions broadcasts refreshed permissions to every online client	2026-05-20 08:15:19 +02:00
DuckieTM	fd28af5f69	Merge pull request #109 from simoleo89/pr/user-permissions-composer-extension feat(messages): extend UserPermissionsComposer with rank metadata + resolved permission map	2026-05-20 08:15:03 +02:00
DuckieTM	99c938b98f	Merge pull request #108 from Lorenzune/merge-duckie-main-2026-05-06 Add badge leaderboard API endpoint	2026-05-20 08:00:20 +02:00
simoleo89	82d90418cd	feat(commands): :update_permissions broadcasts refreshed UserPermissionsComposer to every online client `PermissionsManager.reload()` rebuilds the rank table from `permission_ranks` + `permission_definitions`, but every Habbo currently online still holds a reference to the OLD `Rank` object on `HabboInfo.rank`. Server-side `hasPermission()` therefore keeps returning stale results, and any Nitro client that reads permission state from the wire keeps gating UI on the map shipped at login — until a relogin or `:give_rank` forces a per-user refresh. Extend the existing `UpdatePermissionsCommand` so after `reload()` it: 1. Iterates the online Habbos via `HabboManager.getOnlineHabbos()`. 2. Re-binds each one's `HabboInfo.rank` to the FRESH `Rank` object returned by `PermissionsManager.getRank(currentRankId)`. Falls back to rank 1 if the admin deleted the rank from `permission_ranks` between sessions, so the user is never left with a null `Rank` reference. 3. Sends a fresh `UserPermissionsComposer` to each client. With the companion composer extension PR also merged, this broadcasts the rank metadata + resolved permission map runtime — the Nitro React-side `useHasPermission(key)` / `useUserRank()` consumers re-render against the freshly-loaded tables without requiring an F5. The whisper feedback now reports how many connected users were refreshed, useful for ops feedback after a large `permission_ranks` edit. Defensive null guards on habbo / habboInfo / client survive transient state during the broadcast (e.g. a user disconnecting mid-iteration).	2026-05-19 20:20:08 +02:00
simoleo89	8b51be4940	feat(messages): extend UserPermissionsComposer with rank metadata + resolved permission map Backward-compatible wire extension of `UserPermissionsComposer` (header 411) that lets Nitro clients display per-deployment rank info and drive UI gates against the actual `permission_definitions` table instead of hardcoded SecurityLevel constants. Wire layout after this change (each trailing block is guarded by `bytesAvailable` on the client side so older Nitro builds keep parsing the prefix and stop): int clubLevel int rank.level // mapped to securityLevel on the client bool isAmbassador // existing ACC_AMBASSADOR flag --- new: rank metadata --- int rank.id string rank.name // permission_ranks.rank_name string rank.badge string rank.prefix string rank.prefixColor --- new: resolved permission map --- int count loop: string permission_key + int value // 1 = ALLOWED, 2 = ROOM_OWNER The permission map is the union of: * Rank entries whose `PermissionSetting != DISALLOWED` (value 1 for ALLOWED, 2 for ROOM_OWNER). * For every rank-DISALLOWED key, each installed `HabboPlugin.hasPermission(habbo, key)` is consulted; if any plugin grants the permission, the key lands on the wire with value 1 (plugins do not have a ROOM_OWNER concept). Iterating `rank.getPermissions().keySet()` covers every key in `permission_definitions` because `PermissionsManager.loadPermissionsNormalized()` calls `rank.setPermission(key, ...)` for every row of the table — including DISALLOWED ones. Custom keys a plugin invents that are not in `permission_definitions` stay invisible (there is no enumeration API on `HabboPlugin` to discover them); this is a rare case documented in the class-level Javadoc. The result is a client-side permission map whose semantics match exactly what `PermissionsManager.hasPermission(habbo, key)` would return server-side — including plugin-granted permissions, which were invisible to the client before. Performance: at login the loop is O(N keys × P plugins), with N ≈ 200 (size of permission_definitions) and P typically 1-5. `HabboPlugin.hasPermission` is O(1) hashset lookups in real-world implementations. Sub-millisecond at login, and the composer is only sent at login + `HabboManager.setRank` + `:update_permissions` broadcast. Backward compatibility: all new fields are appended in tail position with `bytesAvailable` guards on the parser side, so: * existing Nitro clients keep parsing only the prefix and ignore the trailing bytes (no error, no behavior change); * new Nitro clients with the matching parser extension expose the extra data via `IUserDataSnapshot` snapshot getters and the React-side `useUserRank()` / `useHasPermission(key)` / `useUserPermissions()` hooks (see companion PRs on `duckietm/Nitro_Render_V3` and `duckietm/Nitro-V3`).	2026-05-19 20:18:31 +02:00
duckietm	54259f89bd	🆕 Infostand Borders	2026-05-19 16:57:34 +02:00
Lorenzune	272a9b9f42	Add badge leaderboard API and live schema update	2026-05-19 15:30:47 +02:00
duckietm	9c94402f78	🆙 Small update to the SQL	2026-05-19 11:48:33 +02:00
github-actions[bot]	7271506262	🆙 Bump version to 4.2.10 [skip ci]	2026-05-19 09:42:32 +00:00
DuckieTM	09710fc5d6	Merge pull request #107 from duckietm/dev SMall fix for CORS	2026-05-19 11:41:32 +02:00
duckietm	d958fbc0ab	SMall fix for CORS	2026-05-19 11:41:17 +02:00
github-actions[bot]	dca405ffb5	🆙 Bump version to 4.2.9 [skip ci]	2026-05-19 08:07:32 +00:00
DuckieTM	4190fa96d4	Merge pull request #106 from duckietm/dev Dev	2026-05-19 10:06:40 +02:00
duckietm	033faaeab6	🆙 Update Database	2026-05-19 10:04:59 +02:00
DuckieTM	98326e11af	Merge pull request #104 from duckietm/main Main to DEV	2026-05-19 10:03:12 +02:00