# Codebase Overview — centrumcopy.com.pl

## Project Summary

B2B e-commerce/catalogue website for a photocopier and office equipment distributor. The site is a legacy PHP application built on Kohana 2.3.4 (2009-era, EOL framework) hosted on shared hosting (Hostido) and deployed via FTP.

**Live domain:** centrumcopy.com.pl

**Deployment:** FTP upload via VS Code `ftp-kr` extension

## Quick Stats

| Item | Value |
|------|-------|
| Framework | Kohana 2.3.4 (EOL ~2016) |
| Language | PHP (5.2+ minimum, likely running 7.x on host) |
| Database | MySQL — 5 tables |
| Frontend | Vanilla HTML/CSS/JS, no build tools |
| Test coverage | 0% |
| External APIs | None functional (all legacy/defunct) |

## Key Features

- **CMS pages** — slug-based content via `page` table, hierarchical navigation (`parent_id`)
- **Product catalogue** — static pages managed via admin CMS
- **Admin panel** — CRUD for pages, users, gallery, news (some incomplete)
- **Gallery** — image gallery module (admin side unimplemented)
- **News** — news module (controller missing, planned only)
- **Contact** — form with Google Maps (v2, non-functional)

## Critical Issues (act immediately)

1. **Backdoor** — `admin/force/login` grants full admin access with no password (`application/controllers/admin/force.php`)
2. **Credentials in git** — DB password in `application/config/database.php`, FTP password in `.vscode/ftp-kr.json`
3. **Debug data leak** — `print_r($_POST)` in login controller exposes credentials in HTTP response
4. **Install controller** — `application/controllers/install.php` is publicly accessible and can reset users

## Architecture in One Paragraph

`index.php` bootstraps Kohana's event system. URLs route to controllers under `application/controllers/front/` (public) or `application/controllers/admin/` (protected). Controllers extend `Base_Front_Controller` or `Base_Admin_Controller` which set up layout/auth. Models are thin Kohana ORM wrappers. Views use a layout+partial pattern: controller assigns an inner view to `$this->view->content`, then calls `$this->view->render(true)`.

## Document Index

| Document | Contents |
|----------|----------|
| [stack.md](stack.md) | Languages, framework, libraries, external services, infrastructure |
| [architecture.md](architecture.md) | Directory structure, MVC layout, routing, business domains |
| [conventions.md](conventions.md) | Naming, code style, patterns, auth, security practices |
| [concerns.md](concerns.md) | Security issues, technical debt, risks — with severity ratings |
| [db_schema.md](db_schema.md) | Table structures, columns, relationships |

## What's Working

- Public CMS pages render correctly
- Admin login and page management
- Contact form (email via SwiftMailer)
- Static product catalogue pages

## What's Broken / Missing

- Google Maps contact page (API v2 shutdown 2010)
- Flash banner (Flash EOL)
- Gallery admin (no controller)
- News section (no controller)
- Google Analytics (key empty + `IN_PRODUCTION=false`)
- IE7.js CDN (Google Code shutdown 2016)
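
## Example: Auditing a Checkout for the Critical Issues

The four items under "Critical Issues" can be checked mechanically before each FTP upload. The following is an added example, not code from this project: a Python audit meant to run over a clean checkout, flagging the two controllers, literal passwords in the two config files, and dumps of request superglobals. The `pass`/`password` key names, the login controller path and all sample file contents are assumptions constructed for the demo.

```python
import re
import tempfile
from pathlib import Path

# Controllers the overview lists as critical; neither belongs in a deployable tree.
FORBIDDEN = {
    "application/controllers/admin/force.php": "passwordless admin login",
    "application/controllers/install.php": "public installer can reset users",
}
SECRET_FILES = ["application/config/database.php", ".vscode/ftp-kr.json"]  # per the overview
# Assumed key names: 'pass' or 'password' set to a non-empty string literal.
SECRET_RE = re.compile(r"""['"](?:pass|password)['"]\s*(?:=>|:)\s*['"][^'"]+['"]""")
# Dumps of request superglobals, such as print_r($_POST) in the login controller.
DUMP_RE = re.compile(r"\b(?:print_r|var_dump|var_export)\s*\(\s*\$_(?:POST|GET|REQUEST|COOKIE)\b")

def scan(root, rel, pattern, finding):
    """Yield (rel, line_no, finding) for each line of root/rel matching pattern."""
    text = (root / rel).read_text(errors="replace")
    for no, line in enumerate(text.splitlines(), 1):
        if pattern.search(line):
            yield (rel, no, finding)

def audit(root):
    """Return sorted (path, line_no, finding) tuples; line_no 0 means the whole file."""
    root = Path(root)
    found = [(rel, 0, why) for rel, why in FORBIDDEN.items() if (root / rel).is_file()]
    for rel in SECRET_FILES:
        if (root / rel).is_file():
            found += scan(root, rel, SECRET_RE, "hardcoded credential")
    for path in root.rglob("*.php"):
        if path.is_file():
            found += scan(root, path.relative_to(root).as_posix(), DUMP_RE, "request data dumped to response")
    return sorted(found)

# Constructed sample tree reproducing the four issues (not the site's real code);
# the login controller path is hypothetical, the overview does not give it.
SAMPLE = {
    "application/controllers/admin/force.php": "<?php // stub\n",
    "application/controllers/install.php": "<?php // stub\n",
    "application/controllers/admin/login.php": "<?php\nprint_r($_POST);\n",
    "application/config/database.php": "<?php\n$config['default'] = array('pass' => 'EXAMPLE');\n",
    ".vscode/ftp-kr.json": '{"host": "ftp.example.invalid", "password": "EXAMPLE"}\n',
}

def audit_sample(files=SAMPLE):
    with tempfile.TemporaryDirectory() as tmp:
        for rel, body in files.items():
            (Path(tmp) / rel).parent.mkdir(parents=True, exist_ok=True)
            (Path(tmp) / rel).write_text(body)
        return audit(tmp)
```

`audit(path)` works on any checkout; a non-empty result is the signal to stop before uploading.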