This update introduces one of the most requested features from the community.

MinePanel now includes a built-in File Manager, allowing server owners to manage server files directly from the web panel without accessing FTP or SSH.

This feature focuses on safe file management while keeping server security as the highest priority.


✨ New Feature — File Manager System

MinePanel now supports direct file management inside the web panel.

Available functions:

- Browse files and folders
- Read text-based files
- Edit and save configuration files
- Upload files
- Download files
- Create folders
- Rename files and folders
- Delete files and folders

This allows server owners to manage important server files directly from the browser.


File Browser

Added a new File Manager page.

Supported:

- Folder navigation
- Parent directory navigation
- File size display
- File type detection
- Folder/file separation

Users can now browse server files without leaving MinePanel.


Built-in Text Editor

Added a lightweight built-in text editor.

Features:

- Monospace editor layout
- Line number support
- UTF-8 safe file handling
- Direct file save

Supported editable file types:

- .txt
- .yml
- .yaml
- .json
- .properties
- .log
- .conf
- .toml
- .xml

This makes editing configuration files much easier.


⬆ File Upload System

Added file upload support.

Implementation:

- multipart/form-data upload handling
- NanoHTTPD native body parsing
- Maximum upload size limit (5MB)

Supported upload types:

- png
- jpg
- txt
- json
- yml
- yaml
- properties
- log

Unsafe file types are blocked automatically.


⬇ Direct File Download

Added direct file download support.

Implementation:

- Native NanoHTTPD file streaming
- Content-Disposition attachment support
- Binary-safe downloads

No Base64 encoding is used.

This reduces memory usage and improves performance.


Folder Management

Added folder management features.

Supported:

- Create folder
- Rename file/folder
- Delete file/folder

Delete operations now require confirmation before execution.


New File Permissions System

Added new permissions for role-based access.

New permissions:

- files.view
- files.read
- files.edit
- files.upload
- files.download
- files.delete
- files.rename
- files.mkdir

Permission mapping:

Owner

Full file access

- files.*

Admin

Limited file access

- files.view
- files.read
- files.edit
- files.download

Moderator

No file access

Viewer

No file access


Security Improvements

File Manager was designed with security as a priority.

Added protections:

Path Traversal Protection

Blocked dangerous path access attempts such as:

All paths now use canonical path validation.


Dangerous File Blocking

Blocked dangerous file types:

These files cannot be uploaded or edited.


Server Core Protection

Blocked access to server core files.

Protected examples:

This prevents accidental server corruption.


Large File Protection

Files larger than the safe editor limit cannot be opened in the editor.

This prevents memory spikes caused by extremely large files.


3-Layer Permission Protection

File Manager uses the same security architecture as RBAC.

Layer 1 — Sidebar Protection

Users without file permissions cannot see File Manager navigation.


Layer 2 — Frontend Protection

Restricted users cannot open File Manager pages.

Displayed message:


Layer 3 — Backend API Protection

All file APIs validate permissions server-side.

Direct unauthorized API requests using:

- curl
- Postman
- Browser requests

Return:


⚙ Internal Changes

Added systems:

- FileManagerService.java
- Native multipart upload handler
- Native binary file streaming
- Text file editor system
- Path validation system
- Dangerous file filtering
- File permission middleware
- Frontend file browser UI


Notes

This version focuses on **Safe File Management**.

Advanced features are intentionally not included in this release.

Not included in this version:

- ZIP / Unzip
- Plugin JAR upload
- Backup system
- Cloud backup
- Syntax highlighting editor
- Plugin Manager
- File version history

These may be considered in future versions.


Compatibility

Minecraft Versions

- 1.13.2+
- Tested up to 26.2

Java Versions

- Java 8+
- Tested on Java 8 / Java 21 / Java 25

Supported Server Software

- Spigot
- Paper
- Purpur (Experimental)

---

Thank you to everyone providing feedback and helping improve MinePanel.

MinePanel continues evolving based on real community feedback.

More updates coming soon

MinePanel v1.3.0 — User Permissions Update
This update introduces a complete fixed role-based permission system for MinePanel.

MinePanel can now be used more safely by server teams with different staff permission levels.

New Role-Based Permission System
Added 4 fixed roles:

• Owner
  
• Admin
  
• Moderator
  
• Viewer

Each role has different access permissions across the panel.

Permission Roles
Owner
Full access to everything.

Owner can:

• View dashboard
  
• View and execute console commands
  
• View and manage players
  
• Kick and ban players
  
• Manage whitelist
  
• Manage bans
  
• Use weather and time controls
  
• Save, reload, and stop the server
  
• View and manage users

Admin
Administrative server access without user or server control access.

Admin can:

• View dashboard
  
• View and execute console commands
  
• View and manage players
  
• Kick and ban players
  
• Manage whitelist
  
• Manage bans
  
• Use weather and time controls

Admin cannot:

• Manage users
  
• Reload or stop the server

Moderator
Basic moderation access.

Moderator can:

• View dashboard
  
• View console
  
• View player list
  
• Kick players

Moderator cannot:

• Execute console commands
  
• Ban players
  
• Manage whitelist
  
• Use player admin actions
  
• Manage users
  
• Reload or stop the server

Viewer
Read-only access.

Viewer can:

• View dashboard
  
• View players

Viewer cannot perform any server actions.

3-Layer Permission Protection
MinePanel now protects restricted actions in 3 layers.

Layer 1 — Sidebar Protection
Navigation items are hidden if the user does not have permission.

Layer 2 — Page Access Protection
If a user tries to open a restricted page, MinePanel blocks access and displays:

You are not able to see this

Layer 3 — Backend API Protection
All protected API endpoints now check permissions on the server side.

Direct API calls using tools such as curl or Postman will return:

Frontend Permission Behavior
The interface now automatically hides unavailable actions.

Examples:

• Users without player.kick will not see the Kick button
  
• Users without server.reload will not see Reload controls
  
• Users without users.* will not see User Management
  
• Users without console access cannot open the Console page
  
• Restricted player actions are hidden automatically

This makes the panel cleaner and safer for staff members.

Default Account Change
The default account has been changed.

Before:

Now:

The default account is created with:

Users are still required to change the default password after first login.

User Management Security Rules
Added several protections to prevent account lockout or privilege mistakes.

Security rules:

• Owner account cannot be deleted
  
• Owner cannot change its own role
  
• Owner account cannot be created from the UI
  
• Only Owner can manage users
  
• Admin, Moderator, and Viewer cannot manage users

Permission Matrix

Code (Text):

| Feature | Owner | Admin | Moderator | Viewer |
|----------|------|------|------------|--------|
| Dashboard | ✅ | ✅ | ✅ | ✅ |
| Players List | ✅ | ✅ | ✅ | ✅ |
| Console View | ✅ | ✅ | ✅ | ❌ |
| Console Commands | ✅ | ✅ | ❌ | ❌ |
| Bans List | ✅ | ✅ | ❌ | ❌ |
| Whitelist View | ✅ | ✅ | ❌ | ❌ |
| Whitelist Add/Remove | ✅ | ✅ | ❌ | ❌ |
| Weather / Time Controls | ✅ | ✅ | ❌ | ❌ |
| Kick Player | ✅ | ✅ | ✅ | ❌ |
| Ban / Heal / Feed / Kill / Gamemode / TP | ✅ | ✅ | ❌ | ❌ |
| Save Server | ✅ | ❌ | ❌ | ❌ |
| Reload Server | ✅ | ❌ | ❌ | ❌ |
| Stop Server | ✅ | ❌ | ❌ | ❌ |
| User Management | ✅ | ❌ | ❌ | ❌ |
 

Internal Improvements

• Added centralized permissions map
  
• Added backend hasPermission() checks
  
• Added frontend permission-based UI rendering
  
• Added 403 handling for unauthorized API requests
  
• Updated user account structure to support roles
  
• Updated default user creation flow

Notes
This update uses fixed roles only.

Custom role creation is not included in this version. This keeps the permission system simple, stable, and easy to maintain.

Custom roles may be considered in a future version based on community feedback.

Thank you to the community for the feedback that helped shape this update.

MinePanel v1.2.1 — Compatibility Update

Compatibility
- Added tested support for Minecraft 26.1 - 26.2
- Tested on Java 25
- Confirmed MinePanel core features work on the latest server versions

Notes
- No major code changes were required
- MinePanel is compiled with Java 8 target bytecode for broad compatibility
- Newer Java runtimes such as Java 21 and Java 25 can run the existing build normally

Tested Features
- Web dashboard
- Login system
- Session cookie authentication
- Live console
- Player management
- Network host/port configuration

MinePanel v1.2.0 — Network Compatibility Update
This release focuses on improving MinePanel compatibility with VPS, local machines, Docker-based hosting, shared Minecraft hosting, Pterodactyl-style environments, NAT port mapping, and reverse proxy setups.

Highlights

• Added safer host binding behavior
• Added public IP detection and automatic fallback
• Added host: auto support
• Added fallback-to-any option
• Improved compatibility with shared hosting providers
• Improved reverse proxy support
• Improved network error logging
• Prevented plugin startup failure caused by invalid public IP binding

Network Binding Improvements
MinePanel now handles more hosting environments safely.
Supported host values:
Supported examples:

• 0.0.0.0 — listen on all interfaces
• 127.0.0.1 — local only
• localhost — normalized to 127.0.0.1
• 192.168.x.x — local LAN IP
• auto — auto-detects the best available LAN host
• Public IPs — now detected and safely redirected to 0.0.0.0

Public IP Binding Fix
Fixed an issue where users could not start MinePanel when using a public IP address in config.yml.

Before
Using:

could cause MinePanel to fail because public IP addresses are usually not available as local network interfaces inside Docker, shared hosting, or NAT-based hosting environments.

Now
MinePanel detects public IP addresses and automatically falls back to:

This prevents startup failure and improves compatibility with hosting providers that generate or map public ports.

Safe Bind Fallback
Added a new option:

If MinePanel cannot bind to the configured host, it will automatically try:

0.0.0.0

If fallback is disabled, MinePanel will stop the web server startup safely and print a clear error message instead of crashing the plugin.

Improved Error Logging
Network errors are now easier to understand.

MinePanel now explains possible causes such as:

• Docker container environment
• Shared Minecraft hosting
• Pterodactyl-style hosting
• Public IP not assigned to the local machine
• Port already in use
• Reverse proxy or NAT port mapping setup

The log also recommends fixes such as:

• Use host: 0.0.0.0
• Use the port generated by your hosting provider
• Configure port forwarding correctly
• Use Nginx or Cloudflare Tunnel as a reverse proxy

Reverse Proxy Support
MinePanel continues to support reverse proxy environments through X-Forwarded-For detection.

This helps preserve the real client IP when running behind:

• Nginx
• Cloudflare Tunnel
• Reverse proxy systems

Config Update
The config structure remains backward compatible.
Existing users do not need to recreate their config file.

New comments were added to explain:

• When to use 0.0.0.0
• When to use 127.0.0.1
• Why public IPs should not be used directly
• How fallback-to-any works

Compatibility Matrix
Config Before v1.2.0
Changed Files

• config.yml
  • Added detailed host binding comments
  • Added fallback-to-any
  • Improved network configuration documentation
• ServerWebAdmin.java
  • Removed old local-interface-only host validation
  • Added public IP detection
  • Added host: auto
  • Added safe bind fallback
  • Improved BindException and IOException logging

Recommended Hosting Config
For most users, especially shared hosting or Pterodactyl-style environments:

web:
Do not set host to your public IP address.

Use the port provided by your hosting panel or configure port forwarding through your hosting provider.

Thank you to the community members who helped test and report hosting compatibility issues.

This release introduces major improvements focused on network security, dashboard redesign, console stability, user experience, and automation improvements.

Network Configuration & Reverse Proxy Support
A major infrastructure update focused on improving deployment flexibility and security.

Added

• Configurable web server host and port in config.yml
  
• New allow-external option for controlling external access
  
• Support for localhost-only mode (127.0.0.1) for secure reverse proxy setups
  
• Reverse proxy IP detection via X-Forwarded-For

Improved

• Better compatibility with reverse proxies such as Nginx and Cloudflare Tunnel
  
• Graceful handling for BindException when port is already in use
  
• Graceful handling for invalid hostname (UnknownHostException)
  
• Automatic web server shutdown on plugin reload

Complete Dashboard Redesign
The dashboard has been fully redesigned for a cleaner and more professional server management experience.

New Dashboard Layout

• New banner card with server MOTD and Minecraft version
  
• Added quick action SVG buttons
  
• 4 new system monitoring cards:
  • Online Players
    
  • TPS Monitor
    
  • RAM Usage (with progress bar)
    
  • CPU Usage (real system CPU percentage)

Layout Improvements

• New 40/60 split dashboard layout
  
• System Information section:
  • Operating System
    
  • Server Uptime
• Live Console Preview integrated directly into dashboard

Page Restructure

• Removed player list from dashboard
  
• Added dedicated Players Management page

Sidebar Navigation Improvements
Sidebar is now organized into logical sections for better navigation.

New Structure
Main

• Dashboard
  
• Console

Administration

• Players
  
• Whitelist
  
• Bans

Management

• Users

UI Improvements

• Added section titles
  
• New semantic action button colors:
  • Save
    
  • Reload
    
  • Stop

Performance Monitoring Improvements
Added

• Real CPU monitoring using Java reflection (com.sun.management)
  
• CPU status indicator with dynamic color coding:
  • Green → Healthy
    
  • Amber → Medium load
    
  • Red → High load

Console Stability Improvements
Fixed console log reading issues on different server environments.

Fixed

• Console now properly reads server logs using correct server root path
  
• Better fallback handling when console output is empty

New /webadmin reload Command
Added plugin hot reload support.

Added

• /webadmin reload

This command now:

• Stops current web server safely
  
• Reloads configuration
  
• Reinitializes plugin automatically

Custom Confirm Modal System
Browser native alerts and confirm dialogs have been completely replaced.

New Modal Features

• Custom confirmation modal system
  
• Better UI consistency across all actions
  
• Dedicated danger confirmation button styling

Protected Actions
Added confirmation modal for:

• Kick Player
  
• Ban Player
  
• Stop Server
  
• Reload Server
  
• Unban Player
  
• Remove Whitelist Entry
  
• Remove User

New Reason Input
Kick and Ban actions now require reason input before confirmation.

Auto Refresh System
Several pages now refresh automatically for better real-time monitoring.

Added

• Players page refresh every 5 seconds
  
• Bans page refresh every 10 seconds
  
• Users page refresh every 30 seconds

Internal Improvements

• Improved page loading system
  
• Added failsafe protection for missing DOM elements
  
• Improved route hash navigation
  
• Better frontend state handling

Thank you to everyone testing MinePanel and providing valuable feedback.

More improvements coming soon

MinePanel v1.0.1

Major Architecture Update

• Extracted all UI files from embedded Java strings
• Moved HTML, CSS, and JavaScript into standalone resource files
• Removed around 900 lines from `WebServer.java`
• Improved maintainability and frontend development workflow

Security & Authentication

• Added username/password login
• Added BCrypt password hashing
• Added UUID v4 session tokens
• Added HttpOnly cookie-based sessions
• Added 5-minute inactivity timeout
• Added forced password change for the default admin account
• Added logout session cleanup

UI Improvements

• Added Light/Dark theme toggle
• Added persistent theme preference
• Added fixed sidebar layout
• Improved mobile layout
• Added login loading state

Compatibility

• Token lookup now supports both cookie-based sessions and `?token=` query parameter for backward compatibility