- Avatar circles in top/worst-5 tables: initials from name, hsl color from hash of name
- Structural skeleton on first load: 4 shimmer card boxes + 5 row placeholders (replaces
LS.state.loading spinner for better layout-anchored feedback)
- @media ≤640px: 2-column main grid, hero card reverts to normal size, quick-grid 2-col
- Palette: existing per-card colors (violet/cyan/green/amber) already form a good muted
hue family with vivid pink/amber for alert cards — kept as is to avoid regression
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Security review caught: per-row hover actions (users.js) and async
user picker (shop.js, gam.js) interpolated user-controlled name into
JS string literals inside onclick. LS.esc() escapes & < > " but
NOT backslash; the .replace(/'/g, '\'') fallback was broken.
Attack: any authenticated user could set their name to
a\'); alert(1); //
via PATCH /api/auth/profile (stripTags doesn't strip \) — admin
viewing the users/shop/gam picker would execute arbitrary JS.
Fix: switch from JS-string interpolation to data-uid/data-name
attributes, read via dataset in handler. esc() correctly escapes
for HTML-attribute context; dataset returns the raw string with
zero parse re-entry.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Now that the deep pages (sub-commit 1) work, retire the legacy
.user-panel inline overlay entirely.
* admin.html: removed <div class="user-panel" id="user-panel"> block
inside #tab-users, removed dead .user-panel* CSS (kept .btn-close
for any external use).
* users.js: removed openUserPanel / closeUserPanel / reloadUserPanel
and their closure state (activeTr, activeUserRole). User row onclick
switched from openUserPanel(...) → AdminRouter.navigate('#users/N').
clearUserHistory / toggleBanUser / confirmDeleteUser / openEditUserModal
/ openUserPermsModal / doSet/doReset* all refactored to use the
getActiveUid() helper (reads window.activeUid, set by user-detail.init)
+ reloadDetailAndList() helper (refreshes deep page + list together).
* sessions.js: row click + eye-button switched from toggleDrawer(id)
→ gotoSession(id) → AdminRouter.navigate('#sessions/N'). Removed
toggleDrawer + renderDrawer functions (~60L) and openDrawerId state.
Inline drawer markup removed from the row template.
Verified node --check on all touched JS. ast-index confirms zero
remaining usages of openUserPanel / closeUserPanel / reloadUserPanel /
toggleDrawer across the repo.
This completes Phase 6 and the admin-redesign feature.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Add user-detail.js (~370L) and session-detail.js (~180L) section
modules that render full pages for #users/:id and #sessions/:id, plus
admin.js dispatch and HTML tab-panes. The legacy .user-panel overlay
is intentionally still in place — sub-commit 2 will remove it once the
deep pages are verified.
* admin.js: DEEP_ROUTES map + activateDeepPane(); activate(route, params)
signature; initial dispatch respects hash params (so F5 on #users/123
goes straight to the deep page).
* admin.html: new tab-panes #tab-user-detail / #tab-session-detail and
two script tags. Old #user-panel overlay untouched.
* user-detail.js: header (avatar/role/email/meta) + sub-tabs
(Обзор/Сессии/Классы/Audit) with URL-synced sub-tab routing
(#users/N/sessions etc). Overview: 4 stat cards + per-subject SVG
bar chart. Sessions: clickable rows that navigate to #sessions/N.
Classes: placeholder empty-state (no per-user classes endpoint).
Audit: client-side filter of /admin/audit-log by uid match. Header
action buttons (Изменить/Права/История/Бан/Удалить) call existing
overlay handlers; window.activeUid is set before opening any modal.
* session-detail.js: full header (user/subject/score/stats) + per-
question correctness layout reusing the drawer renderer. Delete
button uses LS.adminDeleteSession then navigates to #sessions.
Clicking the user name opens the user deep page.
* users.js: quickOpenUserSessions now navigates to
#users/<uid>/sessions instead of the bare #sessions list.
Verified node --check on all new/modified JS. baseline npm test still
shows pre-existing 3 auth failures unrelated to this change.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Phase 2 review caught this: updateCharCounter was defined inside
questions.js IIFE but never exposed via window.X; admin.html:1672
calls it via oninput, would throw ReferenceError on every keypress.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Replace ~3500L admin.js monolith with thin orchestrator (~700L) +
14 IIFE-wrapped per-section modules under /js/admin/sections/.
Section modules expose AdminSections.<name>.init/reload (lazy init via
switchTab/router) and re-expose onclick handlers via window.X for
backward compat. Shared helpers (MODES/DIFFS, fmtDate, pctClass,
renderMath, qTypeBadge, pagination) live in /js/admin/_shared.js
exposed on window.AdminCtx.
switchTab now dispatches to AdminSections via ROUTE_TO_SECTION map;
non-extracted system tabs (topics/audit/errors/health/classroom/avatars)
remain inline in admin.js. user-panel overlay markup untouched — Phase 6
will remove it.
Maxim Dolgolyov