История коммитов

- Add PSR-4 Johncms\Modules\Album\ mapping and config/services.php
- Move Installer to src/Install with Johncms\Modules\Album\Install namespace
- Add Eloquent models Album, AlbumPhoto, AlbumVote
- Add AlbumAccess enum normalizing legacy access values (3 -> Private)

All profile actions are migrated, so delete the legacy index.php dispatcher and drop the legacy profile.index route. Simplify the routes closure signature to (RouteCollection $router) since the User argument is no longer used.

Replace legacy skl.php with public RestorePasswordController and clean URLs under /profile/password-recovery (+ /set/{id}/{code}). Add SendPasswordRecoveryUseCase, GetRecoveryContextUseCase, CompletePasswordRecoveryUseCase, PasswordGenerator service, SendRecoveryCommand and PasswordRecoveryException.

Set-flow uses a confirmation form + POST instead of mutating on GET. Captcha validated via Validator. Extend ProfileUserRepository with findByNameLat/startPasswordRecovery/clearPasswordRecovery/completePasswordRecovery. Update 'Forgot password?' link in login.phtml; remove skl.php and restore_password_result.phtml.

Migrate ban/cancel/delete/clear-history actions and ban history to BanController under /profile/{id}/bans with dedicated use cases (BanUserUseCase, CancelBanUseCase, DeleteBanUseCase, ClearBanHistoryUseCase, GetBanHistoryUseCase, GetBanFormContextUseCase) and BanRepositoryInterface/EloquentBanRepository.

Add CSRF protection to all write actions; map rights guards to HTTP 403; align karma penalty rollback. Update links in view.phtml, GetProfileViewUseCase, notifications GetNotificationListUseCase and admin ban_panel.php. Remove legacy includes/ban.php; index.php reduced to pageNotFound().

Add KarmaController (8 routes under /profile/{id}/karma) with GetKarmaListUseCase, GetNewKarmaUseCase, GetVoteContextUseCase, VoteKarmaUseCase, DeleteKarmaVoteUseCase, CleanKarmaUseCase and KarmaListDTO/VoteContextDTO/VoteKarmaCommand. Reuse Johncms\Users\Karma model; extend KarmaRepository and ProfileUserRepository karma counters.

Switch delete to standard csrf_token; non-rights-9 delete/clean -> 403. Update karma links in GetProfileViewUseCase. Remove legacy includes/karma.php and drop karma from $mods.

Replace legacy includes/images.php with AvatarController and PhotoController
backed by UploadAvatarUseCase and UploadPhotoUseCase (Intervention ImageManager).

New clean URLs, nested under the edit page:
- GET/POST /profile/{id}/edit/avatar (profile.edit.avatar / .upload)
- GET/POST /profile/{id}/edit/photo (profile.edit.photo / .upload)

Access is guarded by the shared GetEditContextUseCase (equivalent to the legacy
images guard, additionally blocking banned editors like the edit page). File
size validation and image processing live in the use cases; failures surface as
ImageUploadException re-rendering the result page. Avatar (150x150 png) and photo
(1024x960 jpg + 400x300 preview) processing kept 1:1 with legacy.

Avatar/photo upload links in edit.phtml updated to the new URLs.

Replace legacy includes/settings.php with SettingsController covering the three
settings sections (general/forum/mail), backed by UserSettingsUseCase,
ForumSettingsUseCase and MailSettingsUseCase plus their command DTOs.

New clean URLs (all self-only, behind the auth middleware):
- GET/POST /profile/settings (profile.settings / .save)
- POST /profile/settings/reset (profile.settings.reset)
- GET/POST /profile/settings/forum (profile.settings.forum / .save)
- POST /profile/settings/forum/reset (profile.settings.forum.reset)
- GET/POST /profile/settings/mail (profile.settings.mail / .save)

Settings resets moved from GET links to CSRF-less POST submit buttons (aligned
with reset-settings/edit conventions). Validation, clamps and the general PRG
flow are kept 1:1 with legacy; settings are persisted through loaded models so
the UserSettings/Serialize casts apply.

account.phtml link and template reset links updated to the new URLs.

Replace legacy includes/edit.php with EditProfileController (form/save/
delete-avatar/delete-photo) backed by GetEditContextUseCase, UpdateProfileUseCase
and DeleteAvatar/DeletePhoto use cases.

New clean URLs:
- GET /profile/{id}/edit (profile.edit)
- POST /profile/{id}/edit (profile.edit.save)
- POST /profile/{id}/edit/delete-avatar (profile.edit.delete-avatar)
- POST /profile/{id}/edit/delete-photo (profile.edit.delete-photo)

Guard (owner or admin over a no-higher user; banned editor blocked) lives in
GetEditContextUseCase; all forbidden cases now return HTTP 403. Avatar/photo
deletion moved from GET to CSRF-protected POST. Validation kept 1:1 with legacy,
including the deferred email-change confirmation flow.

All profile-view links pointing to ?act=edit updated to the new URL.

Replace the legacy ?act=reset include with a ResetSettingsController (POST /profile/{id}/reset-settings). Guard (rights>=7 and over a lower-rights user) is folded into GetResetSettingsContextUseCase; ResetUserSettingsUseCase performs the action via ProfileUserRepository::resetSettings, resetting set_user/set_forum through a loaded model so the casts serialize correctly. Convert the legacy edit.phtml link to a POST submit button and drop reset from the legacy dispatcher.

- Add ChangePasswordController (GET form / POST change), URL /profile/{id}/password
- Add GetChangePasswordContextUseCase (guard: owner or admin rights>=7 over lower-rights user)
- Add ChangePasswordUseCase + ChangePasswordCommand with legacy-equivalent validation
- Add ChangePasswordException (own constructor; parent withErrors() returned wrong type)
- Add ProfileUserRepository::updatePassword()
- Update password links in account.phtml and edit.phtml to clean URLs
- Remove legacy includes/password.php and 'password' from $mods