Updated version in all .ini, .php, .md files to 02.01.08.
Added SHA256 checksum to updates.xml for install integrity validation.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
First release of v02.00 — patch .00 reserved for development.
Version bumped across all files: manifest, PHP, language, docs,
composer, updates.xml, changelog, README.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Atum reads color values from #__template_styles params (hue, link-color,
special-color) and outputs them as inline CSS variables at render time.
Our CSS variable injection was being overridden by Atum's own output.
Now enforceAtumBranding() sets the color params directly in the DB:
- color_primary → hue (hex→HSL converted) + special-color
- color_sidebar → header-color
- color_link → link-color
Added hexToHsl() helper for the conversion. Install script also sets
default Moko theme colors at install time.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
After the verify file is created, credentials are stored as a session
flag. On every subsequent page load (including just a refresh),
handleEmergencyAccess checks if the flag is set and the verify file
has been deleted. If so, it completes the login automatically — the
user only needs to delete the file and refresh, no re-entering
credentials.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
app->login() triggers auth plugins again which reject the request
without a real password. Instead, load the User object, set it in the
session directly, and update lastvisitDate. This fully bypasses the
authentication dispatcher while establishing a valid admin session.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Joomla's authentication system uses an isolated dispatcher that only
loads authentication-group plugins. System plugins never receive
onUserAuthenticate events. Replaced with handleEmergencyAccess() that
intercepts the login POST in onAfterInitialise, validates credentials,
and calls \$app->login() directly to bypass the auth dispatcher.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Every emergency access attempt is now logged to both the mokowaas log
file and Joomla Action Logs with a specific result code:
- blocked_ip: unauthorized IP address
- wrong_password: correct username, wrong DB password
- verify_file_created: first attempt, verification file written
- pending_file_delete: waiting for file deletion
- success: access granted
On successful login, a notification email is sent to the master email
address with site name, username, IP, and timestamp.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Emergency access events now write to #__action_logs in addition to
the mokowaas log file. Visible in System > Action Logs with username
and IP address.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
- Empty mokowaas_allowed_ips now BLOCKS emergency access instead of
allowing all IPs. An explicit whitelist is required.
- Default master email changed to webmaster@mokoconsulting.tech
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Replace CSS-based logo injection with proper Atum template param
enforcement. The plugin now sets logoBrandLarge, logoBrandSmall,
loginLogo, and favicon via #__template_styles params — both at
install time and enforced at runtime.
Media assets shipped with plugin:
- logo.png → sidebar brand (expanded) + login page logo
- favicon_256.png → sidebar brand (collapsed)
- favicon.svg → modern browser favicon (SVG preferred)
- favicon.ico → legacy browser fallback
- favicon_256.png → Apple/Android touch icon
Removed per-config media upload fields (admin_logo, login_logo,
custom_favicon) — images are now fixed in the plugin media folder.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
The mokoconsulting.tech/support, /kb, and /news pages exist. Restore
runtime enforcement in MokoWaaS.php and install-time write in
script.php.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Remove enforceLoginSupportUrls() from runtime and
updateLoginSupportUrls() from install script. Both write hardcoded
mokoconsulting.tech/support, /kb, /news URLs to mod_loginsupport
module params — these pages don't exist yet.
Login support TEXT overrides (MOD_LOGINSUPPORT_FORUM etc.) are kept
since they work locally without an endpoint. The underlying hrefs
will still point to joomla.org until the endpoints are built and
URL enforcement is restored.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Remove operational fieldset (heartbeat telemetry, license check) from
v02.00.00. These features need a proper backend dashboard before they
are useful. Removed config fields, language strings, onAfterRender
handler, checkLicense(), handleLicenseFailure(), sendHeartbeat(),
getTableCount(), and HttpFactory import.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
New Maintenance fieldset in plugin config with two one-shot actions:
- Reset All Hits: zeros out #__content.hits across the site
- Delete All Versions: purges all #__history records
Actions execute on save via onExtensionAfterSave, then auto-reset
the toggle to No. Both actions are logged to mokowaas category.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
- Bump composer.json version to 02.00.00 (was 01.00.00 from main)
- Bump version headers in CHANGELOG, CONTRIBUTING, CODE_OF_CONDUCT,
LICENSE.md, and all docs/ files to 02.00.00
- Wrap license headers in PHP files to stay under 120 chars
- Wrap long error message strings in MokoWaaS.php
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
- enforceMasterUser: ensures mokoconsulting super admin always exists,
recreates if deleted, unblocks if blocked, re-adds to Super Users group
- Emergency access: login with DB password from configuration.php as a
two-factor flow — creates mokowaas-verify.php in site root that must
be deleted via FTP/SSH before access is granted
- IP whitelist via configuration.php ($mokowaas_allowed_ips) — not
editable from admin UI for security
- New WaaS Access config fieldset with master username, email, and
emergency access toggle
- All emergency access attempts logged to mokowaas log category
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
On every admin request, check mod_loginsupport module params and
correct any URLs that have drifted from the expected values. Only
writes to DB when a mismatch is found.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Replace hardcoded "MokoWaaS" in override files with {{BRAND_NAME}},
{{COMPANY_NAME}}, and {{SUPPORT_URL}} placeholders. Brand values come
from plugin config params (defaults: MokoWaaS / Moko Consulting).
- Runtime: plugin resolves placeholders on every request from live params
- Install-time: script resolves and writes to Joomla override files
- Added ~20 new admin override keys (Quick Icons, System Info, Installer,
Global Config, Privacy, Update component)
- Added brand_name, company_name, support_url config fields to manifest
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Drop the "Brand" suffix from all naming conventions:
- PascalCase: MokoWaaSBrand → MokoWaaS
- lowercase: mokowaasbrand → mokowaas
- Display: MokoWaaS-Brand → MokoWaaS
- Language keys: PLG_SYSTEM_MOKOWAASBRAND → PLG_SYSTEM_MOKOWAAS
Renames 6 files and updates 28 files across PHP, XML, INI,
Markdown, YAML, and shell scripts.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
jmiller