Add funding.json

Drop support for docker-compose v1
Remove unnecessary $
2025-11-06 12:22:18 +00:00 · 2025-11-01 18:27:32 +00:00 · 2025-10-05 16:39:00 +01:00 · 2025-10-05 16:35:08 +01:00 · 2025-10-05 16:29:53 +01:00 · 2025-09-23 19:35:15 +01:00
597 changed files with 377333 additions and 17470 deletions
--- a/.dockerignore
+++ b/.dockerignore
@@ -1,3 +1,6 @@
 .git
-data
+data*
 uploads
+*.pyc
+__pycache__
+env
--- a/.github/FUNDING.yml
+++ b/.github/FUNDING.yml
@@ -0,0 +1,5 @@
+# These are supported funding model platforms
+
+liberapay: rubenwardy
+patreon: rubenwardy
+custom: [ "https://rubenwardy.com/donate/" ]
--- a/.github/SECURITY.md
+++ b/.github/SECURITY.md
@@ -2,8 +2,8 @@

 ## Supported Versions

-We only support the latest production version, deployed to <https://content.minetest.net>.
-See the [releases page](https://github.com/minetest/contentdb/releases).
+We only support the latest production version, deployed to <https://content.luanti.org>.
+This is usually the latest `master` commit.

 ## Reporting a Vulnerability

@@ -12,8 +12,5 @@ to give us time to fix them. You can do that by using one of the methods outline

 * https://rubenwardy.com/contact/

-Depending on severity, we will either create a private issue for the vulnerability
-and release a security update, or give you permission to file the issue publicly.
-
 For more information on the justification of this policy, see
 [Responsible Disclosure](https://en.wikipedia.org/wiki/Responsible_disclosure).
--- a/.github/workflows/test.yml
+++ b/.github/workflows/test.yml
@@ -0,0 +1,23 @@
+name: Tests
+
+on: [push, pull_request]
+
+jobs:
+  test:
+    runs-on: ubuntu-latest
+    steps:
+    - name: Install docker-compose
+      run: sudo apt-get install -y docker-compose
+    - uses: actions/checkout@v4
+    - name: Copy config
+      run: cp utils/ci/* .
+    - name: Build the Docker image
+      run: docker-compose build
+    - name: Start Docker
+      run: docker-compose up -d
+    - name: Run migrations
+      run: ./utils/run_migrations.sh
+    - name: Run tests
+      run: ./utils/tests_cov.sh
+    - name: Stop Docker
+      run: docker-compose down
--- a/.gitignore
+++ b/.gitignore
@@ -1,5 +1,5 @@
-config.cfg
-*.env
+/config.cfg
+/*.env
 *.sqlite
 .vscode
 custom.css
@@ -10,6 +10,8 @@ app/public/uploads
 app/public/thumbnails
 celerybeat-schedule
 /data
+.idea
+*.mo

 # Created by https://www.gitignore.io/api/linux,macos,python,windows

@@ -104,10 +106,6 @@ coverage.xml
 *.cover
 .hypothesis/

-# Translations
-*.mo
-*.pot
-
 # Flask stuff:
 instance/
 .webassets-cache
--- a/27
+++ b/27
@@ -1,19 +1,28 @@
-FROM python:3.6
+FROM python:3.10.11-alpine

-RUN groupadd -g 5123 cdb && \
-    useradd -r -u 5123 -g cdb cdb
+RUN addgroup --gid 5123 cdb && \
+    adduser --uid 5123 -S cdb -G cdb

 WORKDIR /home/cdb

-COPY requirements.txt requirements.txt
-RUN pip install -r ./requirements.txt
-RUN pip install gunicorn
+RUN \
+	apk add --no-cache postgresql-libs git bash unzip && \
+	apk add --no-cache --virtual .build-deps gcc musl-dev postgresql-dev g++
+
+RUN mkdir /var/cdb
+RUN chown -R cdb:cdb /var/cdb
+
+COPY requirements.lock.txt requirements.lock.txt
+RUN pip install -r requirements.lock.txt && \
+	pip install gunicorn

 COPY utils utils
-COPY config.cfg ./config.cfg
+COPY config.cfg config.cfg
 COPY migrations migrations
 COPY app app
+COPY translations translations
+
+RUN pybabel compile -d translations
+RUN chown -R cdb:cdb /home/cdb

-RUN mkdir /home/cdb/app/public/uploads/
-RUN chown cdb:cdb /home/cdb -R
 USER cdb
--- a/LICENSE.md
+++ b/LICENSE.md
@@ -0,0 +1,660 @@
+### GNU AFFERO GENERAL PUBLIC LICENSE
+
+Version 3, 19 November 2007
+
+Copyright (C) 2007 Free Software Foundation, Inc.
+<https://fsf.org/>
+
+Everyone is permitted to copy and distribute verbatim copies of this
+license document, but changing it is not allowed.
+
+### Preamble
+
+The GNU Affero General Public License is a free, copyleft license for
+software and other kinds of works, specifically designed to ensure
+cooperation with the community in the case of network server software.
+
+The licenses for most software and other practical works are designed
+to take away your freedom to share and change the works. By contrast,
+our General Public Licenses are intended to guarantee your freedom to
+share and change all versions of a program--to make sure it remains
+free software for all its users.
+
+When we speak of free software, we are referring to freedom, not
+price. Our General Public Licenses are designed to make sure that you
+have the freedom to distribute copies of free software (and charge for
+them if you wish), that you receive source code or can get it if you
+want it, that you can change the software or use pieces of it in new
+free programs, and that you know you can do these things.
+
+Developers that use our General Public Licenses protect your rights
+with two steps: (1) assert copyright on the software, and (2) offer
+you this License which gives you legal permission to copy, distribute
+and/or modify the software.
+
+A secondary benefit of defending all users' freedom is that
+improvements made in alternate versions of the program, if they
+receive widespread use, become available for other developers to
+incorporate. Many developers of free software are heartened and
+encouraged by the resulting cooperation. However, in the case of
+software used on network servers, this result may fail to come about.
+The GNU General Public License permits making a modified version and
+letting the public access it on a server without ever releasing its
+source code to the public.
+
+The GNU Affero General Public License is designed specifically to
+ensure that, in such cases, the modified source code becomes available
+to the community. It requires the operator of a network server to
+provide the source code of the modified version running there to the
+users of that server. Therefore, public use of a modified version, on
+a publicly accessible server, gives the public access to the source
+code of the modified version.
+
+An older license, called the Affero General Public License and
+published by Affero, was designed to accomplish similar goals. This is
+a different license, not a version of the Affero GPL, but Affero has
+released a new version of the Affero GPL which permits relicensing
+under this license.
+
+The precise terms and conditions for copying, distribution and
+modification follow.
+
+### TERMS AND CONDITIONS
+
+#### 0. Definitions.
+
+"This License" refers to version 3 of the GNU Affero General Public
+License.
+
+"Copyright" also means copyright-like laws that apply to other kinds
+of works, such as semiconductor masks.
+
+"The Program" refers to any copyrightable work licensed under this
+License. Each licensee is addressed as "you". "Licensees" and
+"recipients" may be individuals or organizations.
+
+To "modify" a work means to copy from or adapt all or part of the work
+in a fashion requiring copyright permission, other than the making of
+an exact copy. The resulting work is called a "modified version" of
+the earlier work or a work "based on" the earlier work.
+
+A "covered work" means either the unmodified Program or a work based
+on the Program.
+
+To "propagate" a work means to do anything with it that, without
+permission, would make you directly or secondarily liable for
+infringement under applicable copyright law, except executing it on a
+computer or modifying a private copy. Propagation includes copying,
+distribution (with or without modification), making available to the
+public, and in some countries other activities as well.
+
+To "convey" a work means any kind of propagation that enables other
+parties to make or receive copies. Mere interaction with a user
+through a computer network, with no transfer of a copy, is not
+conveying.
+
+An interactive user interface displays "Appropriate Legal Notices" to
+the extent that it includes a convenient and prominently visible
+feature that (1) displays an appropriate copyright notice, and (2)
+tells the user that there is no warranty for the work (except to the
+extent that warranties are provided), that licensees may convey the
+work under this License, and how to view a copy of this License. If
+the interface presents a list of user commands or options, such as a
+menu, a prominent item in the list meets this criterion.
+
+#### 1. Source Code.
+
+The "source code" for a work means the preferred form of the work for
+making modifications to it. "Object code" means any non-source form of
+a work.
+
+A "Standard Interface" means an interface that either is an official
+standard defined by a recognized standards body, or, in the case of
+interfaces specified for a particular programming language, one that
+is widely used among developers working in that language.
+
+The "System Libraries" of an executable work include anything, other
+than the work as a whole, that (a) is included in the normal form of
+packaging a Major Component, but which is not part of that Major
+Component, and (b) serves only to enable use of the work with that
+Major Component, or to implement a Standard Interface for which an
+implementation is available to the public in source code form. A
+"Major Component", in this context, means a major essential component
+(kernel, window system, and so on) of the specific operating system
+(if any) on which the executable work runs, or a compiler used to
+produce the work, or an object code interpreter used to run it.
+
+The "Corresponding Source" for a work in object code form means all
+the source code needed to generate, install, and (for an executable
+work) run the object code and to modify the work, including scripts to
+control those activities. However, it does not include the work's
+System Libraries, or general-purpose tools or generally available free
+programs which are used unmodified in performing those activities but
+which are not part of the work. For example, Corresponding Source
+includes interface definition files associated with source files for
+the work, and the source code for shared libraries and dynamically
+linked subprograms that the work is specifically designed to require,
+such as by intimate data communication or control flow between those
+subprograms and other parts of the work.
+
+The Corresponding Source need not include anything that users can
+regenerate automatically from other parts of the Corresponding Source.
+
+The Corresponding Source for a work in source code form is that same
+work.
+
+#### 2. Basic Permissions.
+
+All rights granted under this License are granted for the term of
+copyright on the Program, and are irrevocable provided the stated
+conditions are met. This License explicitly affirms your unlimited
+permission to run the unmodified Program. The output from running a
+covered work is covered by this License only if the output, given its
+content, constitutes a covered work. This License acknowledges your
+rights of fair use or other equivalent, as provided by copyright law.
+
+You may make, run and propagate covered works that you do not convey,
+without conditions so long as your license otherwise remains in force.
+You may convey covered works to others for the sole purpose of having
+them make modifications exclusively for you, or provide you with
+facilities for running those works, provided that you comply with the
+terms of this License in conveying all material for which you do not
+control copyright. Those thus making or running the covered works for
+you must do so exclusively on your behalf, under your direction and
+control, on terms that prohibit them from making any copies of your
+copyrighted material outside their relationship with you.
+
+Conveying under any other circumstances is permitted solely under the
+conditions stated below. Sublicensing is not allowed; section 10 makes
+it unnecessary.
+
+#### 3. Protecting Users' Legal Rights From Anti-Circumvention Law.
+
+No covered work shall be deemed part of an effective technological
+measure under any applicable law fulfilling obligations under article
+11 of the WIPO copyright treaty adopted on 20 December 1996, or
+similar laws prohibiting or restricting circumvention of such
+measures.
+
+When you convey a covered work, you waive any legal power to forbid
+circumvention of technological measures to the extent such
+circumvention is effected by exercising rights under this License with
+respect to the covered work, and you disclaim any intention to limit
+operation or modification of the work as a means of enforcing, against
+the work's users, your or third parties' legal rights to forbid
+circumvention of technological measures.
+
+#### 4. Conveying Verbatim Copies.
+
+You may convey verbatim copies of the Program's source code as you
+receive it, in any medium, provided that you conspicuously and
+appropriately publish on each copy an appropriate copyright notice;
+keep intact all notices stating that this License and any
+non-permissive terms added in accord with section 7 apply to the code;
+keep intact all notices of the absence of any warranty; and give all
+recipients a copy of this License along with the Program.
+
+You may charge any price or no price for each copy that you convey,
+and you may offer support or warranty protection for a fee.
+
+#### 5. Conveying Modified Source Versions.
+
+You may convey a work based on the Program, or the modifications to
+produce it from the Program, in the form of source code under the
+terms of section 4, provided that you also meet all of these
+conditions:
+
+-   a) The work must carry prominent notices stating that you modified
+    it, and giving a relevant date.
+-   b) The work must carry prominent notices stating that it is
+    released under this License and any conditions added under
+    section 7. This requirement modifies the requirement in section 4
+    to "keep intact all notices".
+-   c) You must license the entire work, as a whole, under this
+    License to anyone who comes into possession of a copy. This
+    License will therefore apply, along with any applicable section 7
+    additional terms, to the whole of the work, and all its parts,
+    regardless of how they are packaged. This License gives no
+    permission to license the work in any other way, but it does not
+    invalidate such permission if you have separately received it.
+-   d) If the work has interactive user interfaces, each must display
+    Appropriate Legal Notices; however, if the Program has interactive
+    interfaces that do not display Appropriate Legal Notices, your
+    work need not make them do so.
+
+A compilation of a covered work with other separate and independent
+works, which are not by their nature extensions of the covered work,
+and which are not combined with it such as to form a larger program,
+in or on a volume of a storage or distribution medium, is called an
+"aggregate" if the compilation and its resulting copyright are not
+used to limit the access or legal rights of the compilation's users
+beyond what the individual works permit. Inclusion of a covered work
+in an aggregate does not cause this License to apply to the other
+parts of the aggregate.
+
+#### 6. Conveying Non-Source Forms.
+
+You may convey a covered work in object code form under the terms of
+sections 4 and 5, provided that you also convey the machine-readable
+Corresponding Source under the terms of this License, in one of these
+ways:
+
+-   a) Convey the object code in, or embodied in, a physical product
+    (including a physical distribution medium), accompanied by the
+    Corresponding Source fixed on a durable physical medium
+    customarily used for software interchange.
+-   b) Convey the object code in, or embodied in, a physical product
+    (including a physical distribution medium), accompanied by a
+    written offer, valid for at least three years and valid for as
+    long as you offer spare parts or customer support for that product
+    model, to give anyone who possesses the object code either (1) a
+    copy of the Corresponding Source for all the software in the
+    product that is covered by this License, on a durable physical
+    medium customarily used for software interchange, for a price no
+    more than your reasonable cost of physically performing this
+    conveying of source, or (2) access to copy the Corresponding
+    Source from a network server at no charge.
+-   c) Convey individual copies of the object code with a copy of the
+    written offer to provide the Corresponding Source. This
+    alternative is allowed only occasionally and noncommercially, and
+    only if you received the object code with such an offer, in accord
+    with subsection 6b.
+-   d) Convey the object code by offering access from a designated
+    place (gratis or for a charge), and offer equivalent access to the
+    Corresponding Source in the same way through the same place at no
+    further charge. You need not require recipients to copy the
+    Corresponding Source along with the object code. If the place to
+    copy the object code is a network server, the Corresponding Source
+    may be on a different server (operated by you or a third party)
+    that supports equivalent copying facilities, provided you maintain
+    clear directions next to the object code saying where to find the
+    Corresponding Source. Regardless of what server hosts the
+    Corresponding Source, you remain obligated to ensure that it is
+    available for as long as needed to satisfy these requirements.
+-   e) Convey the object code using peer-to-peer transmission,
+    provided you inform other peers where the object code and
+    Corresponding Source of the work are being offered to the general
+    public at no charge under subsection 6d.
+
+A separable portion of the object code, whose source code is excluded
+from the Corresponding Source as a System Library, need not be
+included in conveying the object code work.
+
+A "User Product" is either (1) a "consumer product", which means any
+tangible personal property which is normally used for personal,
+family, or household purposes, or (2) anything designed or sold for
+incorporation into a dwelling. In determining whether a product is a
+consumer product, doubtful cases shall be resolved in favor of
+coverage. For a particular product received by a particular user,
+"normally used" refers to a typical or common use of that class of
+product, regardless of the status of the particular user or of the way
+in which the particular user actually uses, or expects or is expected
+to use, the product. A product is a consumer product regardless of
+whether the product has substantial commercial, industrial or
+non-consumer uses, unless such uses represent the only significant
+mode of use of the product.
+
+"Installation Information" for a User Product means any methods,
+procedures, authorization keys, or other information required to
+install and execute modified versions of a covered work in that User
+Product from a modified version of its Corresponding Source. The
+information must suffice to ensure that the continued functioning of
+the modified object code is in no case prevented or interfered with
+solely because modification has been made.
+
+If you convey an object code work under this section in, or with, or
+specifically for use in, a User Product, and the conveying occurs as
+part of a transaction in which the right of possession and use of the
+User Product is transferred to the recipient in perpetuity or for a
+fixed term (regardless of how the transaction is characterized), the
+Corresponding Source conveyed under this section must be accompanied
+by the Installation Information. But this requirement does not apply
+if neither you nor any third party retains the ability to install
+modified object code on the User Product (for example, the work has
+been installed in ROM).
+
+The requirement to provide Installation Information does not include a
+requirement to continue to provide support service, warranty, or
+updates for a work that has been modified or installed by the
+recipient, or for the User Product in which it has been modified or
+installed. Access to a network may be denied when the modification
+itself materially and adversely affects the operation of the network
+or violates the rules and protocols for communication across the
+network.
+
+Corresponding Source conveyed, and Installation Information provided,
+in accord with this section must be in a format that is publicly
+documented (and with an implementation available to the public in
+source code form), and must require no special password or key for
+unpacking, reading or copying.
+
+#### 7. Additional Terms.
+
+"Additional permissions" are terms that supplement the terms of this
+License by making exceptions from one or more of its conditions.
+Additional permissions that are applicable to the entire Program shall
+be treated as though they were included in this License, to the extent
+that they are valid under applicable law. If additional permissions
+apply only to part of the Program, that part may be used separately
+under those permissions, but the entire Program remains governed by
+this License without regard to the additional permissions.
+
+When you convey a copy of a covered work, you may at your option
+remove any additional permissions from that copy, or from any part of
+it. (Additional permissions may be written to require their own
+removal in certain cases when you modify the work.) You may place
+additional permissions on material, added by you to a covered work,
+for which you have or can give appropriate copyright permission.
+
+Notwithstanding any other provision of this License, for material you
+add to a covered work, you may (if authorized by the copyright holders
+of that material) supplement the terms of this License with terms:
+
+-   a) Disclaiming warranty or limiting liability differently from the
+    terms of sections 15 and 16 of this License; or
+-   b) Requiring preservation of specified reasonable legal notices or
+    author attributions in that material or in the Appropriate Legal
+    Notices displayed by works containing it; or
+-   c) Prohibiting misrepresentation of the origin of that material,
+    or requiring that modified versions of such material be marked in
+    reasonable ways as different from the original version; or
+-   d) Limiting the use for publicity purposes of names of licensors
+    or authors of the material; or
+-   e) Declining to grant rights under trademark law for use of some
+    trade names, trademarks, or service marks; or
+-   f) Requiring indemnification of licensors and authors of that
+    material by anyone who conveys the material (or modified versions
+    of it) with contractual assumptions of liability to the recipient,
+    for any liability that these contractual assumptions directly
+    impose on those licensors and authors.
+
+All other non-permissive additional terms are considered "further
+restrictions" within the meaning of section 10. If the Program as you
+received it, or any part of it, contains a notice stating that it is
+governed by this License along with a term that is a further
+restriction, you may remove that term. If a license document contains
+a further restriction but permits relicensing or conveying under this
+License, you may add to a covered work material governed by the terms
+of that license document, provided that the further restriction does
+not survive such relicensing or conveying.
+
+If you add terms to a covered work in accord with this section, you
+must place, in the relevant source files, a statement of the
+additional terms that apply to those files, or a notice indicating
+where to find the applicable terms.
+
+Additional terms, permissive or non-permissive, may be stated in the
+form of a separately written license, or stated as exceptions; the
+above requirements apply either way.
+
+#### 8. Termination.
+
+You may not propagate or modify a covered work except as expressly
+provided under this License. Any attempt otherwise to propagate or
+modify it is void, and will automatically terminate your rights under
+this License (including any patent licenses granted under the third
+paragraph of section 11).
+
+However, if you cease all violation of this License, then your license
+from a particular copyright holder is reinstated (a) provisionally,
+unless and until the copyright holder explicitly and finally
+terminates your license, and (b) permanently, if the copyright holder
+fails to notify you of the violation by some reasonable means prior to
+60 days after the cessation.
+
+Moreover, your license from a particular copyright holder is
+reinstated permanently if the copyright holder notifies you of the
+violation by some reasonable means, this is the first time you have
+received notice of violation of this License (for any work) from that
+copyright holder, and you cure the violation prior to 30 days after
+your receipt of the notice.
+
+Termination of your rights under this section does not terminate the
+licenses of parties who have received copies or rights from you under
+this License. If your rights have been terminated and not permanently
+reinstated, you do not qualify to receive new licenses for the same
+material under section 10.
+
+#### 9. Acceptance Not Required for Having Copies.
+
+You are not required to accept this License in order to receive or run
+a copy of the Program. Ancillary propagation of a covered work
+occurring solely as a consequence of using peer-to-peer transmission
+to receive a copy likewise does not require acceptance. However,
+nothing other than this License grants you permission to propagate or
+modify any covered work. These actions infringe copyright if you do
+not accept this License. Therefore, by modifying or propagating a
+covered work, you indicate your acceptance of this License to do so.
+
+#### 10. Automatic Licensing of Downstream Recipients.
+
+Each time you convey a covered work, the recipient automatically
+receives a license from the original licensors, to run, modify and
+propagate that work, subject to this License. You are not responsible
+for enforcing compliance by third parties with this License.
+
+An "entity transaction" is a transaction transferring control of an
+organization, or substantially all assets of one, or subdividing an
+organization, or merging organizations. If propagation of a covered
+work results from an entity transaction, each party to that
+transaction who receives a copy of the work also receives whatever
+licenses to the work the party's predecessor in interest had or could
+give under the previous paragraph, plus a right to possession of the
+Corresponding Source of the work from the predecessor in interest, if
+the predecessor has it or can get it with reasonable efforts.
+
+You may not impose any further restrictions on the exercise of the
+rights granted or affirmed under this License. For example, you may
+not impose a license fee, royalty, or other charge for exercise of
+rights granted under this License, and you may not initiate litigation
+(including a cross-claim or counterclaim in a lawsuit) alleging that
+any patent claim is infringed by making, using, selling, offering for
+sale, or importing the Program or any portion of it.
+
+#### 11. Patents.
+
+A "contributor" is a copyright holder who authorizes use under this
+License of the Program or a work on which the Program is based. The
+work thus licensed is called the contributor's "contributor version".
+
+A contributor's "essential patent claims" are all patent claims owned
+or controlled by the contributor, whether already acquired or
+hereafter acquired, that would be infringed by some manner, permitted
+by this License, of making, using, or selling its contributor version,
+but do not include claims that would be infringed only as a
+consequence of further modification of the contributor version. For
+purposes of this definition, "control" includes the right to grant
+patent sublicenses in a manner consistent with the requirements of
+this License.
+
+Each contributor grants you a non-exclusive, worldwide, royalty-free
+patent license under the contributor's essential patent claims, to
+make, use, sell, offer for sale, import and otherwise run, modify and
+propagate the contents of its contributor version.
+
+In the following three paragraphs, a "patent license" is any express
+agreement or commitment, however denominated, not to enforce a patent
+(such as an express permission to practice a patent or covenant not to
+sue for patent infringement). To "grant" such a patent license to a
+party means to make such an agreement or commitment not to enforce a
+patent against the party.
+
+If you convey a covered work, knowingly relying on a patent license,
+and the Corresponding Source of the work is not available for anyone
+to copy, free of charge and under the terms of this License, through a
+publicly available network server or other readily accessible means,
+then you must either (1) cause the Corresponding Source to be so
+available, or (2) arrange to deprive yourself of the benefit of the
+patent license for this particular work, or (3) arrange, in a manner
+consistent with the requirements of this License, to extend the patent
+license to downstream recipients. "Knowingly relying" means you have
+actual knowledge that, but for the patent license, your conveying the
+covered work in a country, or your recipient's use of the covered work
+in a country, would infringe one or more identifiable patents in that
+country that you have reason to believe are valid.
+
+If, pursuant to or in connection with a single transaction or
+arrangement, you convey, or propagate by procuring conveyance of, a
+covered work, and grant a patent license to some of the parties
+receiving the covered work authorizing them to use, propagate, modify
+or convey a specific copy of the covered work, then the patent license
+you grant is automatically extended to all recipients of the covered
+work and works based on it.
+
+A patent license is "discriminatory" if it does not include within the
+scope of its coverage, prohibits the exercise of, or is conditioned on
+the non-exercise of one or more of the rights that are specifically
+granted under this License. You may not convey a covered work if you
+are a party to an arrangement with a third party that is in the
+business of distributing software, under which you make payment to the
+third party based on the extent of your activity of conveying the
+work, and under which the third party grants, to any of the parties
+who would receive the covered work from you, a discriminatory patent
+license (a) in connection with copies of the covered work conveyed by
+you (or copies made from those copies), or (b) primarily for and in
+connection with specific products or compilations that contain the
+covered work, unless you entered into that arrangement, or that patent
+license was granted, prior to 28 March 2007.
+
+Nothing in this License shall be construed as excluding or limiting
+any implied license or other defenses to infringement that may
+otherwise be available to you under applicable patent law.
+
+#### 12. No Surrender of Others' Freedom.
+
+If conditions are imposed on you (whether by court order, agreement or
+otherwise) that contradict the conditions of this License, they do not
+excuse you from the conditions of this License. If you cannot convey a
+covered work so as to satisfy simultaneously your obligations under
+this License and any other pertinent obligations, then as a
+consequence you may not convey it at all. For example, if you agree to
+terms that obligate you to collect a royalty for further conveying
+from those to whom you convey the Program, the only way you could
+satisfy both those terms and this License would be to refrain entirely
+from conveying the Program.
+
+#### 13. Remote Network Interaction; Use with the GNU General Public License.
+
+Notwithstanding any other provision of this License, if you modify the
+Program, your modified version must prominently offer all users
+interacting with it remotely through a computer network (if your
+version supports such interaction) an opportunity to receive the
+Corresponding Source of your version by providing access to the
+Corresponding Source from a network server at no charge, through some
+standard or customary means of facilitating copying of software. This
+Corresponding Source shall include the Corresponding Source for any
+work covered by version 3 of the GNU General Public License that is
+incorporated pursuant to the following paragraph.
+
+Notwithstanding any other provision of this License, you have
+permission to link or combine any covered work with a work licensed
+under version 3 of the GNU General Public License into a single
+combined work, and to convey the resulting work. The terms of this
+License will continue to apply to the part which is the covered work,
+but the work with which it is combined will remain governed by version
+3 of the GNU General Public License.
+
+#### 14. Revised Versions of this License.
+
+The Free Software Foundation may publish revised and/or new versions
+of the GNU Affero General Public License from time to time. Such new
+versions will be similar in spirit to the present version, but may
+differ in detail to address new problems or concerns.
+
+Each version is given a distinguishing version number. If the Program
+specifies that a certain numbered version of the GNU Affero General
+Public License "or any later version" applies to it, you have the
+option of following the terms and conditions either of that numbered
+version or of any later version published by the Free Software
+Foundation. If the Program does not specify a version number of the
+GNU Affero General Public License, you may choose any version ever
+published by the Free Software Foundation.
+
+If the Program specifies that a proxy can decide which future versions
+of the GNU Affero General Public License can be used, that proxy's
+public statement of acceptance of a version permanently authorizes you
+to choose that version for the Program.
+
+Later license versions may give you additional or different
+permissions. However, no additional obligations are imposed on any
+author or copyright holder as a result of your choosing to follow a
+later version.
+
+#### 15. Disclaimer of Warranty.
+
+THERE IS NO WARRANTY FOR THE PROGRAM, TO THE EXTENT PERMITTED BY
+APPLICABLE LAW. EXCEPT WHEN OTHERWISE STATED IN WRITING THE COPYRIGHT
+HOLDERS AND/OR OTHER PARTIES PROVIDE THE PROGRAM "AS IS" WITHOUT
+WARRANTY OF ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING, BUT NOT
+LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
+A PARTICULAR PURPOSE. THE ENTIRE RISK AS TO THE QUALITY AND
+PERFORMANCE OF THE PROGRAM IS WITH YOU. SHOULD THE PROGRAM PROVE
+DEFECTIVE, YOU ASSUME THE COST OF ALL NECESSARY SERVICING, REPAIR OR
+CORRECTION.
+
+#### 16. Limitation of Liability.
+
+IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING
+WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MODIFIES AND/OR
+CONVEYS THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES,
+INCLUDING ANY GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES
+ARISING OUT OF THE USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT
+NOT LIMITED TO LOSS OF DATA OR DATA BEING RENDERED INACCURATE OR
+LOSSES SUSTAINED BY YOU OR THIRD PARTIES OR A FAILURE OF THE PROGRAM
+TO OPERATE WITH ANY OTHER PROGRAMS), EVEN IF SUCH HOLDER OR OTHER
+PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.
+
+#### 17. Interpretation of Sections 15 and 16.
+
+If the disclaimer of warranty and limitation of liability provided
+above cannot be given local legal effect according to their terms,
+reviewing courts shall apply local law that most closely approximates
+an absolute waiver of all civil liability in connection with the
+Program, unless a warranty or assumption of liability accompanies a
+copy of the Program in return for a fee.
+
+END OF TERMS AND CONDITIONS
+
+### How to Apply These Terms to Your New Programs
+
+If you develop a new program, and you want it to be of the greatest
+possible use to the public, the best way to achieve this is to make it
+free software which everyone can redistribute and change under these
+terms.
+
+To do so, attach the following notices to the program. It is safest to
+attach them to the start of each source file to most effectively state
+the exclusion of warranty; and each file should have at least the
+"copyright" line and a pointer to where the full notice is found.
+
+        <one line to give the program's name and a brief idea of what it does.>
+        Copyright (C) <year>  <name of author>
+
+        This program is free software: you can redistribute it and/or modify
+        it under the terms of the GNU Affero General Public License as
+        published by the Free Software Foundation, either version 3 of the
+        License, or (at your option) any later version.
+
+        This program is distributed in the hope that it will be useful,
+        but WITHOUT ANY WARRANTY; without even the implied warranty of
+        MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+        GNU Affero General Public License for more details.
+
+        You should have received a copy of the GNU Affero General Public License
+        along with this program.  If not, see <https://www.gnu.org/licenses/>.
+
+Also add information on how to contact you by electronic and paper
+mail.
+
+If your software can interact with users remotely through a computer
+network, you should also make sure that it provides a way for users to
+get its source. For example, if your program is a web application, its
+interface could display a "Source" link that leads users to an archive
+of the code. There are many ways you could offer source, and different
+solutions will be better for different programs; see section 13 for
+the specific requirements.
+
+You should also get your employer (if you work as a programmer) or
+school, if any, to sign a "copyright disclaimer" for the program, if
+necessary. For more information on this, and how to apply and follow
+the GNU AGPL, see <https://www.gnu.org/licenses/>.
--- a/LICENSE.txt
+++ b/LICENSE.txt
@@ -1,674 +0,0 @@
-GNU GENERAL PUBLIC LICENSE
-   Version 3, 29 June 2007
-
-Copyright (C) 2007 Free Software Foundation, Inc. <https://fsf.org/>
-Everyone is permitted to copy and distribute verbatim copies
-of this license document, but changing it is not allowed.
-
-		Preamble
-
-The GNU General Public License is a free, copyleft license for
-software and other kinds of works.
-
-The licenses for most software and other practical works are designed
-to take away your freedom to share and change the works.  By contrast,
-the GNU General Public License is intended to guarantee your freedom to
-share and change all versions of a program--to make sure it remains free
-software for all its users.  We, the Free Software Foundation, use the
-GNU General Public License for most of our software; it applies also to
-any other work released this way by its authors.  You can apply it to
-your programs, too.
-
-When we speak of free software, we are referring to freedom, not
-price.  Our General Public Licenses are designed to make sure that you
-have the freedom to distribute copies of free software (and charge for
-them if you wish), that you receive source code or can get it if you
-want it, that you can change the software or use pieces of it in new
-free programs, and that you know you can do these things.
-
-To protect your rights, we need to prevent others from denying you
-these rights or asking you to surrender the rights.  Therefore, you have
-certain responsibilities if you distribute copies of the software, or if
-you modify it: responsibilities to respect the freedom of others.
-
-For example, if you distribute copies of such a program, whether
-gratis or for a fee, you must pass on to the recipients the same
-freedoms that you received.  You must make sure that they, too, receive
-or can get the source code.  And you must show them these terms so they
-know their rights.
-
-Developers that use the GNU GPL protect your rights with two steps:
-(1) assert copyright on the software, and (2) offer you this License
-giving you legal permission to copy, distribute and/or modify it.
-
-For the developers' and authors' protection, the GPL clearly explains
-that there is no warranty for this free software.  For both users' and
-authors' sake, the GPL requires that modified versions be marked as
-changed, so that their problems will not be attributed erroneously to
-authors of previous versions.
-
-Some devices are designed to deny users access to install or run
-modified versions of the software inside them, although the manufacturer
-can do so.  This is fundamentally incompatible with the aim of
-protecting users' freedom to change the software.  The systematic
-pattern of such abuse occurs in the area of products for individuals to
-use, which is precisely where it is most unacceptable.  Therefore, we
-have designed this version of the GPL to prohibit the practice for those
-products.  If such problems arise substantially in other domains, we
-stand ready to extend this provision to those domains in future versions
-of the GPL, as needed to protect the freedom of users.
-
-Finally, every program is threatened constantly by software patents.
-States should not allow patents to restrict development and use of
-software on general-purpose computers, but in those that do, we wish to
-avoid the special danger that patents applied to a free program could
-make it effectively proprietary.  To prevent this, the GPL assures that
-patents cannot be used to render the program non-free.
-
-The precise terms and conditions for copying, distribution and
-modification follow.
-
-   TERMS AND CONDITIONS
-
-0. Definitions.
-
-"This License" refers to version 3 of the GNU General Public License.
-
-"Copyright" also means copyright-like laws that apply to other kinds of
-works, such as semiconductor masks.
-
-"The Program" refers to any copyrightable work licensed under this
-License.  Each licensee is addressed as "you".  "Licensees" and
-"recipients" may be individuals or organizations.
-
-To "modify" a work means to copy from or adapt all or part of the work
-in a fashion requiring copyright permission, other than the making of an
-exact copy.  The resulting work is called a "modified version" of the
-earlier work or a work "based on" the earlier work.
-
-A "covered work" means either the unmodified Program or a work based
-on the Program.
-
-To "propagate" a work means to do anything with it that, without
-permission, would make you directly or secondarily liable for
-infringement under applicable copyright law, except executing it on a
-computer or modifying a private copy.  Propagation includes copying,
-distribution (with or without modification), making available to the
-public, and in some countries other activities as well.
-
-To "convey" a work means any kind of propagation that enables other
-parties to make or receive copies.  Mere interaction with a user through
-a computer network, with no transfer of a copy, is not conveying.
-
-An interactive user interface displays "Appropriate Legal Notices"
-to the extent that it includes a convenient and prominently visible
-feature that (1) displays an appropriate copyright notice, and (2)
-tells the user that there is no warranty for the work (except to the
-extent that warranties are provided), that licensees may convey the
-work under this License, and how to view a copy of this License.  If
-the interface presents a list of user commands or options, such as a
-menu, a prominent item in the list meets this criterion.
-
-1. Source Code.
-
-The "source code" for a work means the preferred form of the work
-for making modifications to it.  "Object code" means any non-source
-form of a work.
-
-A "Standard Interface" means an interface that either is an official
-standard defined by a recognized standards body, or, in the case of
-interfaces specified for a particular programming language, one that
-is widely used among developers working in that language.
-
-The "System Libraries" of an executable work include anything, other
-than the work as a whole, that (a) is included in the normal form of
-packaging a Major Component, but which is not part of that Major
-Component, and (b) serves only to enable use of the work with that
-Major Component, or to implement a Standard Interface for which an
-implementation is available to the public in source code form.  A
-"Major Component", in this context, means a major essential component
-(kernel, window system, and so on) of the specific operating system
-(if any) on which the executable work runs, or a compiler used to
-produce the work, or an object code interpreter used to run it.
-
-The "Corresponding Source" for a work in object code form means all
-the source code needed to generate, install, and (for an executable
-work) run the object code and to modify the work, including scripts to
-control those activities.  However, it does not include the work's
-System Libraries, or general-purpose tools or generally available free
-programs which are used unmodified in performing those activities but
-which are not part of the work.  For example, Corresponding Source
-includes interface definition files associated with source files for
-the work, and the source code for shared libraries and dynamically
-linked subprograms that the work is specifically designed to require,
-such as by intimate data communication or control flow between those
-subprograms and other parts of the work.
-
-The Corresponding Source need not include anything that users
-can regenerate automatically from other parts of the Corresponding
-Source.
-
-The Corresponding Source for a work in source code form is that
-same work.
-
-2. Basic Permissions.
-
-All rights granted under this License are granted for the term of
-copyright on the Program, and are irrevocable provided the stated
-conditions are met.  This License explicitly affirms your unlimited
-permission to run the unmodified Program.  The output from running a
-covered work is covered by this License only if the output, given its
-content, constitutes a covered work.  This License acknowledges your
-rights of fair use or other equivalent, as provided by copyright law.
-
-You may make, run and propagate covered works that you do not
-convey, without conditions so long as your license otherwise remains
-in force.  You may convey covered works to others for the sole purpose
-of having them make modifications exclusively for you, or provide you
-with facilities for running those works, provided that you comply with
-the terms of this License in conveying all material for which you do
-not control copyright.  Those thus making or running the covered works
-for you must do so exclusively on your behalf, under your direction
-and control, on terms that prohibit them from making any copies of
-your copyrighted material outside their relationship with you.
-
-Conveying under any other circumstances is permitted solely under
-the conditions stated below.  Sublicensing is not allowed; section 10
-makes it unnecessary.
-
-3. Protecting Users' Legal Rights From Anti-Circumvention Law.
-
-No covered work shall be deemed part of an effective technological
-measure under any applicable law fulfilling obligations under article
-11 of the WIPO copyright treaty adopted on 20 December 1996, or
-similar laws prohibiting or restricting circumvention of such
-measures.
-
-When you convey a covered work, you waive any legal power to forbid
-circumvention of technological measures to the extent such circumvention
-is effected by exercising rights under this License with respect to
-the covered work, and you disclaim any intention to limit operation or
-modification of the work as a means of enforcing, against the work's
-users, your or third parties' legal rights to forbid circumvention of
-technological measures.
-
-4. Conveying Verbatim Copies.
-
-You may convey verbatim copies of the Program's source code as you
-receive it, in any medium, provided that you conspicuously and
-appropriately publish on each copy an appropriate copyright notice;
-keep intact all notices stating that this License and any
-non-permissive terms added in accord with section 7 apply to the code;
-keep intact all notices of the absence of any warranty; and give all
-recipients a copy of this License along with the Program.
-
-You may charge any price or no price for each copy that you convey,
-and you may offer support or warranty protection for a fee.
-
-5. Conveying Modified Source Versions.
-
-You may convey a work based on the Program, or the modifications to
-produce it from the Program, in the form of source code under the
-terms of section 4, provided that you also meet all of these conditions:
-
-a) The work must carry prominent notices stating that you modified
-it, and giving a relevant date.
-
-b) The work must carry prominent notices stating that it is
-released under this License and any conditions added under section
-7.  This requirement modifies the requirement in section 4 to
-"keep intact all notices".
-
-c) You must license the entire work, as a whole, under this
-License to anyone who comes into possession of a copy.  This
-License will therefore apply, along with any applicable section 7
-additional terms, to the whole of the work, and all its parts,
-regardless of how they are packaged.  This License gives no
-permission to license the work in any other way, but it does not
-invalidate such permission if you have separately received it.
-
-d) If the work has interactive user interfaces, each must display
-Appropriate Legal Notices; however, if the Program has interactive
-interfaces that do not display Appropriate Legal Notices, your
-work need not make them do so.
-
-A compilation of a covered work with other separate and independent
-works, which are not by their nature extensions of the covered work,
-and which are not combined with it such as to form a larger program,
-in or on a volume of a storage or distribution medium, is called an
-"aggregate" if the compilation and its resulting copyright are not
-used to limit the access or legal rights of the compilation's users
-beyond what the individual works permit.  Inclusion of a covered work
-in an aggregate does not cause this License to apply to the other
-parts of the aggregate.
-
-6. Conveying Non-Source Forms.
-
-You may convey a covered work in object code form under the terms
-of sections 4 and 5, provided that you also convey the
-machine-readable Corresponding Source under the terms of this License,
-in one of these ways:
-
-a) Convey the object code in, or embodied in, a physical product
-(including a physical distribution medium), accompanied by the
-Corresponding Source fixed on a durable physical medium
-customarily used for software interchange.
-
-b) Convey the object code in, or embodied in, a physical product
-(including a physical distribution medium), accompanied by a
-written offer, valid for at least three years and valid for as
-long as you offer spare parts or customer support for that product
-model, to give anyone who possesses the object code either (1) a
-copy of the Corresponding Source for all the software in the
-product that is covered by this License, on a durable physical
-medium customarily used for software interchange, for a price no
-more than your reasonable cost of physically performing this
-conveying of source, or (2) access to copy the
-Corresponding Source from a network server at no charge.
-
-c) Convey individual copies of the object code with a copy of the
-written offer to provide the Corresponding Source.  This
-alternative is allowed only occasionally and noncommercially, and
-only if you received the object code with such an offer, in accord
-with subsection 6b.
-
-d) Convey the object code by offering access from a designated
-place (gratis or for a charge), and offer equivalent access to the
-Corresponding Source in the same way through the same place at no
-further charge.  You need not require recipients to copy the
-Corresponding Source along with the object code.  If the place to
-copy the object code is a network server, the Corresponding Source
-may be on a different server (operated by you or a third party)
-that supports equivalent copying facilities, provided you maintain
-clear directions next to the object code saying where to find the
-Corresponding Source.  Regardless of what server hosts the
-Corresponding Source, you remain obligated to ensure that it is
-available for as long as needed to satisfy these requirements.
-
-e) Convey the object code using peer-to-peer transmission, provided
-you inform other peers where the object code and Corresponding
-Source of the work are being offered to the general public at no
-charge under subsection 6d.
-
-A separable portion of the object code, whose source code is excluded
-from the Corresponding Source as a System Library, need not be
-included in conveying the object code work.
-
-A "User Product" is either (1) a "consumer product", which means any
-tangible personal property which is normally used for personal, family,
-or household purposes, or (2) anything designed or sold for incorporation
-into a dwelling.  In determining whether a product is a consumer product,
-doubtful cases shall be resolved in favor of coverage.  For a particular
-product received by a particular user, "normally used" refers to a
-typical or common use of that class of product, regardless of the status
-of the particular user or of the way in which the particular user
-actually uses, or expects or is expected to use, the product.  A product
-is a consumer product regardless of whether the product has substantial
-commercial, industrial or non-consumer uses, unless such uses represent
-the only significant mode of use of the product.
-
-"Installation Information" for a User Product means any methods,
-procedures, authorization keys, or other information required to install
-and execute modified versions of a covered work in that User Product from
-a modified version of its Corresponding Source.  The information must
-suffice to ensure that the continued functioning of the modified object
-code is in no case prevented or interfered with solely because
-modification has been made.
-
-If you convey an object code work under this section in, or with, or
-specifically for use in, a User Product, and the conveying occurs as
-part of a transaction in which the right of possession and use of the
-User Product is transferred to the recipient in perpetuity or for a
-fixed term (regardless of how the transaction is characterized), the
-Corresponding Source conveyed under this section must be accompanied
-by the Installation Information.  But this requirement does not apply
-if neither you nor any third party retains the ability to install
-modified object code on the User Product (for example, the work has
-been installed in ROM).
-
-The requirement to provide Installation Information does not include a
-requirement to continue to provide support service, warranty, or updates
-for a work that has been modified or installed by the recipient, or for
-the User Product in which it has been modified or installed.  Access to a
-network may be denied when the modification itself materially and
-adversely affects the operation of the network or violates the rules and
-protocols for communication across the network.
-
-Corresponding Source conveyed, and Installation Information provided,
-in accord with this section must be in a format that is publicly
-documented (and with an implementation available to the public in
-source code form), and must require no special password or key for
-unpacking, reading or copying.
-
-7. Additional Terms.
-
-"Additional permissions" are terms that supplement the terms of this
-License by making exceptions from one or more of its conditions.
-Additional permissions that are applicable to the entire Program shall
-be treated as though they were included in this License, to the extent
-that they are valid under applicable law.  If additional permissions
-apply only to part of the Program, that part may be used separately
-under those permissions, but the entire Program remains governed by
-this License without regard to the additional permissions.
-
-When you convey a copy of a covered work, you may at your option
-remove any additional permissions from that copy, or from any part of
-it.  (Additional permissions may be written to require their own
-removal in certain cases when you modify the work.)  You may place
-additional permissions on material, added by you to a covered work,
-for which you have or can give appropriate copyright permission.
-
-Notwithstanding any other provision of this License, for material you
-add to a covered work, you may (if authorized by the copyright holders of
-that material) supplement the terms of this License with terms:
-
-a) Disclaiming warranty or limiting liability differently from the
-terms of sections 15 and 16 of this License; or
-
-b) Requiring preservation of specified reasonable legal notices or
-author attributions in that material or in the Appropriate Legal
-Notices displayed by works containing it; or
-
-c) Prohibiting misrepresentation of the origin of that material, or
-requiring that modified versions of such material be marked in
-reasonable ways as different from the original version; or
-
-d) Limiting the use for publicity purposes of names of licensors or
-authors of the material; or
-
-e) Declining to grant rights under trademark law for use of some
-trade names, trademarks, or service marks; or
-
-f) Requiring indemnification of licensors and authors of that
-material by anyone who conveys the material (or modified versions of
-it) with contractual assumptions of liability to the recipient, for
-any liability that these contractual assumptions directly impose on
-those licensors and authors.
-
-All other non-permissive additional terms are considered "further
-restrictions" within the meaning of section 10.  If the Program as you
-received it, or any part of it, contains a notice stating that it is
-governed by this License along with a term that is a further
-restriction, you may remove that term.  If a license document contains
-a further restriction but permits relicensing or conveying under this
-License, you may add to a covered work material governed by the terms
-of that license document, provided that the further restriction does
-not survive such relicensing or conveying.
-
-If you add terms to a covered work in accord with this section, you
-must place, in the relevant source files, a statement of the
-additional terms that apply to those files, or a notice indicating
-where to find the applicable terms.
-
-Additional terms, permissive or non-permissive, may be stated in the
-form of a separately written license, or stated as exceptions;
-the above requirements apply either way.
-
-8. Termination.
-
-You may not propagate or modify a covered work except as expressly
-provided under this License.  Any attempt otherwise to propagate or
-modify it is void, and will automatically terminate your rights under
-this License (including any patent licenses granted under the third
-paragraph of section 11).
-
-However, if you cease all violation of this License, then your
-license from a particular copyright holder is reinstated (a)
-provisionally, unless and until the copyright holder explicitly and
-finally terminates your license, and (b) permanently, if the copyright
-holder fails to notify you of the violation by some reasonable means
-prior to 60 days after the cessation.
-
-Moreover, your license from a particular copyright holder is
-reinstated permanently if the copyright holder notifies you of the
-violation by some reasonable means, this is the first time you have
-received notice of violation of this License (for any work) from that
-copyright holder, and you cure the violation prior to 30 days after
-your receipt of the notice.
-
-Termination of your rights under this section does not terminate the
-licenses of parties who have received copies or rights from you under
-this License.  If your rights have been terminated and not permanently
-reinstated, you do not qualify to receive new licenses for the same
-material under section 10.
-
-9. Acceptance Not Required for Having Copies.
-
-You are not required to accept this License in order to receive or
-run a copy of the Program.  Ancillary propagation of a covered work
-occurring solely as a consequence of using peer-to-peer transmission
-to receive a copy likewise does not require acceptance.  However,
-nothing other than this License grants you permission to propagate or
-modify any covered work.  These actions infringe copyright if you do
-not accept this License.  Therefore, by modifying or propagating a
-covered work, you indicate your acceptance of this License to do so.
-
-10. Automatic Licensing of Downstream Recipients.
-
-Each time you convey a covered work, the recipient automatically
-receives a license from the original licensors, to run, modify and
-propagate that work, subject to this License.  You are not responsible
-for enforcing compliance by third parties with this License.
-
-An "entity transaction" is a transaction transferring control of an
-organization, or substantially all assets of one, or subdividing an
-organization, or merging organizations.  If propagation of a covered
-work results from an entity transaction, each party to that
-transaction who receives a copy of the work also receives whatever
-licenses to the work the party's predecessor in interest had or could
-give under the previous paragraph, plus a right to possession of the
-Corresponding Source of the work from the predecessor in interest, if
-the predecessor has it or can get it with reasonable efforts.
-
-You may not impose any further restrictions on the exercise of the
-rights granted or affirmed under this License.  For example, you may
-not impose a license fee, royalty, or other charge for exercise of
-rights granted under this License, and you may not initiate litigation
-(including a cross-claim or counterclaim in a lawsuit) alleging that
-any patent claim is infringed by making, using, selling, offering for
-sale, or importing the Program or any portion of it.
-
-11. Patents.
-
-A "contributor" is a copyright holder who authorizes use under this
-License of the Program or a work on which the Program is based.  The
-work thus licensed is called the contributor's "contributor version".
-
-A contributor's "essential patent claims" are all patent claims
-owned or controlled by the contributor, whether already acquired or
-hereafter acquired, that would be infringed by some manner, permitted
-by this License, of making, using, or selling its contributor version,
-but do not include claims that would be infringed only as a
-consequence of further modification of the contributor version.  For
-purposes of this definition, "control" includes the right to grant
-patent sublicenses in a manner consistent with the requirements of
-this License.
-
-Each contributor grants you a non-exclusive, worldwide, royalty-free
-patent license under the contributor's essential patent claims, to
-make, use, sell, offer for sale, import and otherwise run, modify and
-propagate the contents of its contributor version.
-
-In the following three paragraphs, a "patent license" is any express
-agreement or commitment, however denominated, not to enforce a patent
-(such as an express permission to practice a patent or covenant not to
-sue for patent infringement).  To "grant" such a patent license to a
-party means to make such an agreement or commitment not to enforce a
-patent against the party.
-
-If you convey a covered work, knowingly relying on a patent license,
-and the Corresponding Source of the work is not available for anyone
-to copy, free of charge and under the terms of this License, through a
-publicly available network server or other readily accessible means,
-then you must either (1) cause the Corresponding Source to be so
-available, or (2) arrange to deprive yourself of the benefit of the
-patent license for this particular work, or (3) arrange, in a manner
-consistent with the requirements of this License, to extend the patent
-license to downstream recipients.  "Knowingly relying" means you have
-actual knowledge that, but for the patent license, your conveying the
-covered work in a country, or your recipient's use of the covered work
-in a country, would infringe one or more identifiable patents in that
-country that you have reason to believe are valid.
-
-If, pursuant to or in connection with a single transaction or
-arrangement, you convey, or propagate by procuring conveyance of, a
-covered work, and grant a patent license to some of the parties
-receiving the covered work authorizing them to use, propagate, modify
-or convey a specific copy of the covered work, then the patent license
-you grant is automatically extended to all recipients of the covered
-work and works based on it.
-
-A patent license is "discriminatory" if it does not include within
-the scope of its coverage, prohibits the exercise of, or is
-conditioned on the non-exercise of one or more of the rights that are
-specifically granted under this License.  You may not convey a covered
-work if you are a party to an arrangement with a third party that is
-in the business of distributing software, under which you make payment
-to the third party based on the extent of your activity of conveying
-the work, and under which the third party grants, to any of the
-parties who would receive the covered work from you, a discriminatory
-patent license (a) in connection with copies of the covered work
-conveyed by you (or copies made from those copies), or (b) primarily
-for and in connection with specific products or compilations that
-contain the covered work, unless you entered into that arrangement,
-or that patent license was granted, prior to 28 March 2007.
-
-Nothing in this License shall be construed as excluding or limiting
-any implied license or other defenses to infringement that may
-otherwise be available to you under applicable patent law.
-
-12. No Surrender of Others' Freedom.
-
-If conditions are imposed on you (whether by court order, agreement or
-otherwise) that contradict the conditions of this License, they do not
-excuse you from the conditions of this License.  If you cannot convey a
-covered work so as to satisfy simultaneously your obligations under this
-License and any other pertinent obligations, then as a consequence you may
-not convey it at all.  For example, if you agree to terms that obligate you
-to collect a royalty for further conveying from those to whom you convey
-the Program, the only way you could satisfy both those terms and this
-License would be to refrain entirely from conveying the Program.
-
-13. Use with the GNU Affero General Public License.
-
-Notwithstanding any other provision of this License, you have
-permission to link or combine any covered work with a work licensed
-under version 3 of the GNU Affero General Public License into a single
-combined work, and to convey the resulting work.  The terms of this
-License will continue to apply to the part which is the covered work,
-but the special requirements of the GNU Affero General Public License,
-section 13, concerning interaction through a network will apply to the
-combination as such.
-
-14. Revised Versions of this License.
-
-The Free Software Foundation may publish revised and/or new versions of
-the GNU General Public License from time to time.  Such new versions will
-be similar in spirit to the present version, but may differ in detail to
-address new problems or concerns.
-
-Each version is given a distinguishing version number.  If the
-Program specifies that a certain numbered version of the GNU General
-Public License "or any later version" applies to it, you have the
-option of following the terms and conditions either of that numbered
-version or of any later version published by the Free Software
-Foundation.  If the Program does not specify a version number of the
-GNU General Public License, you may choose any version ever published
-by the Free Software Foundation.
-
-If the Program specifies that a proxy can decide which future
-versions of the GNU General Public License can be used, that proxy's
-public statement of acceptance of a version permanently authorizes you
-to choose that version for the Program.
-
-Later license versions may give you additional or different
-permissions.  However, no additional obligations are imposed on any
-author or copyright holder as a result of your choosing to follow a
-later version.
-
-15. Disclaimer of Warranty.
-
-THERE IS NO WARRANTY FOR THE PROGRAM, TO THE EXTENT PERMITTED BY
-APPLICABLE LAW.  EXCEPT WHEN OTHERWISE STATED IN WRITING THE COPYRIGHT
-HOLDERS AND/OR OTHER PARTIES PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY
-OF ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING, BUT NOT LIMITED TO,
-THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
-PURPOSE.  THE ENTIRE RISK AS TO THE QUALITY AND PERFORMANCE OF THE PROGRAM
-IS WITH YOU.  SHOULD THE PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF
-ALL NECESSARY SERVICING, REPAIR OR CORRECTION.
-
-16. Limitation of Liability.
-
-IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING
-WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MODIFIES AND/OR CONVEYS
-THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES, INCLUDING ANY
-GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING OUT OF THE
-USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED TO LOSS OF
-DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY YOU OR THIRD
-PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER PROGRAMS),
-EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF
-SUCH DAMAGES.
-
-17. Interpretation of Sections 15 and 16.
-
-If the disclaimer of warranty and limitation of liability provided
-above cannot be given local legal effect according to their terms,
-reviewing courts shall apply local law that most closely approximates
-an absolute waiver of all civil liability in connection with the
-Program, unless a warranty or assumption of liability accompanies a
-copy of the Program in return for a fee.
-
- END OF TERMS AND CONDITIONS
-
-How to Apply These Terms to Your New Programs
-
-If you develop a new program, and you want it to be of the greatest
-possible use to the public, the best way to achieve this is to make it
-free software which everyone can redistribute and change under these terms.
-
-To do so, attach the following notices to the program.  It is safest
-to attach them to the start of each source file to most effectively
-state the exclusion of warranty; and each file should have at least
-the "copyright" line and a pointer to where the full notice is found.
-
-<one line to give the program's name and a brief idea of what it does.>
-Copyright (C) <year>  <name of author>
-
-This program is free software: you can redistribute it and/or modify
-it under the terms of the GNU General Public License as published by
-the Free Software Foundation, either version 3 of the License, or
-(at your option) any later version.
-
-This program is distributed in the hope that it will be useful,
-but WITHOUT ANY WARRANTY; without even the implied warranty of
-MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
-GNU General Public License for more details.
-
-You should have received a copy of the GNU General Public License
-along with this program.  If not, see <https://www.gnu.org/licenses/>.
-
-Also add information on how to contact you by electronic and paper mail.
-
-If the program does terminal interaction, make it output a short
-notice like this when it starts in an interactive mode:
-
-<program>  Copyright (C) <year>  <name of author>
-This program comes with ABSOLUTELY NO WARRANTY; for details type `show w'.
-This is free software, and you are welcome to redistribute it
-under certain conditions; type `show c' for details.
-
-The hypothetical commands `show w' and `show c' should show the appropriate
-parts of the General Public License.  Of course, your program's commands
-might be different; for a GUI interface, you would use an "about box".
-
-You should also get your employer (if you work as a programmer) or school,
-if any, to sign a "copyright disclaimer" for the program, if necessary.
-For more information on this, and how to apply and follow the GNU GPL, see
-<https://www.gnu.org/licenses/>.
-
-The GNU General Public License does not permit incorporating your program
-into proprietary programs.  If your program is a subroutine library, you
-may consider it more useful to permit linking proprietary applications with
-the library.  If this is what you want to do, use the GNU Lesser General
-Public License instead of this License.  But first, please read
-<https://www.gnu.org/licenses/why-not-lgpl.html>.
--- a/README.md
+++ b/README.md
@@ -1,27 +1,101 @@
-# Content Database
+# ContentDB
+![Build Status](https://github.com/luanti-org/contentdb/actions/workflows/test.yml/badge.svg)

-Content database for Minetest mods, games, and more.
+A content database for Luanti mods, games, and more.\
+Developed by rubenwardy, license AGPLv3.0+.

-Developed by rubenwardy, license GPLv3.0+.
+See [Getting Started](docs/getting_started.md) for setting up a development/prodiction environment.
+
+See [Developer Intro](docs/dev_intro.md) for an overview of the code organisation.
+
+## Credits
+
+* `app/public/static/placeholder.png`: erlehmann, Warr1024. License: CC BY-SA 3.0

 ## How-tos

-Note: you should first read one of the guides on the [Github repo wiki](https://github.com/minetest/contentdb/wiki)
-
 ```sh
-# Run celery worker
-FLASK_CONFIG=../config.cfg celery -A app.tasks.celery worker
+# Hot/live reload (only works with FLASK_DEBUG=1)
+./utils/reload.sh

-# if sqlite
-python utils/setup.py -t
-rm db.sqlite && python setup.py -t && FLASK_CONFIG=../config.cfg FLASK_APP=app/__init__.py flask db stamp head
-
-# Create migration
-FLASK_CONFIG=../config.cfg FLASK_APP=app/__init__.py flask db migrate
-
-# Run migration
-FLASK_CONFIG=../config.cfg FLASK_APP=app/__init__.py flask db upgrade
+# Cold update a running version of CDB with minimal downtime (production)
+./utils/update.sh

 # Enter docker
-docker exec -it contentdb_app_1 bash
+./utils/bash.sh
+
+# Run migrations
+./utils/run_migrations.sh
+
+# Create new migration
+./utils/create_migration.sh
+
+# Delete database
+docker-compose down && sudo rm -rf data/db
+```
+
+
+### VSCode: Setting up Linting
+
+* (optional) Install the [Docker extension](https://marketplace.visualstudio.com/items?itemName=ms-azuretools.vscode-docker)
+* Install the [Python extension](https://marketplace.visualstudio.com/items?itemName=ms-python.python)
+	* Click no to installing pylint (we don't want it to be installed outside a virtual env)
+* Set up a virtual env
+	* Replace `psycopg2` with `psycopg2_binary` in requirements.txt (because postgresql won't be installed on the system)
+	* `python3 -m venv env`
+	* Click yes to prompt to select virtual env for workspace
+	* Click yes to any prompts about installing pylint
+	* `source env/bin/activate`
+	* `pip install -r requirements`
+	* `pip install pylint` (if a prompt didn't appear)
+	* Undo changes to requirements.txt
+
+### VSCode: Material Icon Folder Designations
+
+```json
+"material-icon-theme.folders.associations": {
+	"packages": "",
+	"tasks": "",
+	"api": "",
+	"meta": "",
+	"blueprints": "routes",
+	"scss": "sass",
+	"flatpages": "markdown",
+	"data": "temp",
+	"migrations": "archive",
+	"textures": "images",
+	"sounds": "audio"
+}
+```
+
+
+## Database
+
+
+```mermaid
+classDiagram
+
+User "1" --> "*" Package
+User --> UserEmailVerification
+User "1" --> "*" Notification
+Package "1" --> "*" Release
+Package "1" --> "*" Dependency
+Package "1" --> "*" Tag
+Package "1" --> "*" MetaPackage : provides
+Release --> LuantiVersion
+Package --> License
+Dependency --> Package
+Dependency --> MetaPackage
+MetaPackage "1" --> "*" Package
+Package "1" --> "*" Screenshot
+Package "1" --> "*" Thread
+Thread "1" --> "*" Reply
+Thread "1" --> "*" User : watchers
+User "1" --> "*" Thread
+User "1" --> "*" Reply
+User "1" --> "*" ForumTopic
+
+User --> "0..1" EmailPreferences
+User "1" --> "*" APIToken
+APIToken --> Package
 ```
--- a/app/init.py
+++ b/app/init.py
@@ -1,93 +1,245 @@
-# Content DB
-# Copyright (C) 2018  rubenwardy
+# ContentDB
+# Copyright (C) 2018-21  rubenwardy
 #
 # This program is free software: you can redistribute it and/or modify
-# it under the terms of the GNU General Public License as published by
+# it under the terms of the GNU Affero General Public License as published by
 # the Free Software Foundation, either version 3 of the License, or
 # (at your option) any later version.
 #
 # This program is distributed in the hope that it will be useful,
 # but WITHOUT ANY WARRANTY; without even the implied warranty of
 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
-# GNU General Public License for more details.
+# GNU Affero General Public License for more details.
 #
-# You should have received a copy of the GNU General Public License
+# You should have received a copy of the GNU Affero General Public License
 # along with this program.  If not, see <https://www.gnu.org/licenses/>.

+import datetime
+import os
+import redis

-from flask import *
-from flask_user import *
-from flask_gravatar import Gravatar
-import flask_menu as menu
-from flask_mail import Mail
-from flaskext.markdown import Markdown
-from flask_github import GitHub
-from flask_wtf.csrf import CsrfProtect
+from flask import redirect, url_for, render_template, flash, request, Flask, send_from_directory, make_response, render_template_string
+from flask_babel import Babel, gettext
 from flask_flatpages import FlatPages
-from flask_babel import Babel
-import os, redis
+from flask_github import GitHub
+from flask_login import logout_user, current_user, LoginManager
+from flask_mail import Mail
+from flask_wtf.csrf import CSRFProtect
+
+from app.markdown import init_markdown, render_markdown
+
+import sentry_sdk
+from sentry_sdk.integrations.flask import FlaskIntegration
+
+
+if os.getenv("SENTRY_DSN"):
+	def before_send(event, hint):
+		from app.tasks import TaskError
+		if "exc_info" in hint:
+			exc_type, exc_value, tb = hint["exc_info"]
+			if isinstance(exc_value, TaskError):
+				return None
+		return event
+
+	environment = os.getenv("SENTRY_ENVIRONMENT")
+	assert environment is not None
+	sentry_sdk.init(
+		dsn=os.getenv("SENTRY_DSN"),
+		environment=environment,
+
+		integrations=[FlaskIntegration()],
+		# Set traces_sample_rate to 1.0 to capture 100%
+		# of transactions for performance monitoring.
+		traces_sample_rate=0.1,
+		# Set profiles_sample_rate to 1.0 to profile 100%
+		# of sampled transactions.
+		# We recommend adjusting this value in production.
+		profiles_sample_rate=0.1,
+
+		before_send=before_send,
+	)
+

 app = Flask(__name__, static_folder="public/static")
+
+
+def my_flatpage_renderer(text):
+	# Render with jinja first
+	prerendered_body = render_template_string(text)
+	return render_markdown(prerendered_body, clean=False)
+
+
 app.config["FLATPAGES_ROOT"] = "flatpages"
 app.config["FLATPAGES_EXTENSION"] = ".md"
+app.config["FLATPAGES_HTML_RENDERER"] = my_flatpage_renderer
+app.config["WTF_CSRF_TIME_LIMIT"] = None
+
+app.config["BABEL_TRANSLATION_DIRECTORIES"] = "../translations"
+app.config["LANGUAGES"] = {
+	"en": "English",
+	"cs": "čeština",
+	"de": "Deutsch",
+	"es": "Español",
+	"fr": "Français",
+	"id": "Bahasa Indonesia",
+	"it": "Italiano",
+	"ms": "Bahasa Melayu",
+	"pl": "Język Polski",
+	"ru": "русский язык",
+	"sk": "Slovenčina",
+	"sv": "Svenska",
+	"ta": "தமிழ்",
+	"tr": "Türkçe",
+	"uk": "Українська",
+	"vi": "tiếng Việt",
+	"zh_CN": "汉语",
+}
+
 app.config.from_pyfile(os.environ["FLASK_CONFIG"])

-r = redis.Redis.from_url(app.config["REDIS_URL"])
+if not app.config["ADMIN_CONTACT_URL"]:
+	raise Exception("Missing config property: ADMIN_CONTACT_URL")
+
+redis_client = redis.Redis.from_url(app.config["REDIS_URL"])

-menu.Menu(app=app)
-markdown = Markdown(app, extensions=["fenced_code"], safe_mode=True, output_format="html5")
 github = GitHub(app)
-csrf = CsrfProtect(app)
+csrf = CSRFProtect(app)
 mail = Mail(app)
 pages = FlatPages(app)
-babel = Babel(app)
-gravatar = Gravatar(app,
-		size=58,
-		rating='g',
-		default='mp',
-		force_default=False,
-		force_lower=False,
-		use_ssl=True,
-		base_url=None)
+babel = Babel()
+init_markdown(app)

-from .sass import sass
+login_manager = LoginManager()
+login_manager.init_app(app)
+login_manager.login_view = "users.login"
+
+
+from .sass import init_app as sass
 sass(app)


-if not app.debug and app.config["MAIL_UTILS_ERROR_SEND_TO"]:
-	from .maillogger import register_mail_error_handler
-	register_mail_error_handler(app, mail)
+from . import models, template_filters


-@babel.localeselector
-def get_locale():
-	return request.accept_languages.best_match(app.config['LANGUAGES'].keys())
+@login_manager.user_loader
+def load_user(user_id):
+	return models.User.query.filter_by(username=user_id).first()

-from . import models, tasks, template_filters

 from .blueprints import create_blueprints
 create_blueprints(app)

-from flask_login import logout_user

@app.route("/uploads/<path:path>")
 def send_upload(path):
-	return send_from_directory("public/uploads", path)
+	return send_from_directory(app.config["UPLOAD_DIR"], path)

-@menu.register_menu(app, ".help", "Help", order=19, endpoint_arguments_constructor=lambda: { 'path': 'help' })
-@app.route('/<path:path>/')
+
+@app.route("/<path:path>/")
 def flatpage(path):
-    page = pages.get_or_404(path)
-    template = page.meta.get('template', 'flatpage.html')
-    return render_template(template, page=page)
+	page = pages.get_or_404(path)
+	template = page.meta.get("template", "flatpage.html")
+	return render_template(template, page=page)
+

@app.before_request
 def check_for_ban():
 	if current_user.is_authenticated:
-		if current_user.rank == models.UserRank.BANNED:
-			flash("You have been banned.", "error")
-			logout_user()
-			return redirect(url_for('user.login'))
-		elif current_user.rank == models.UserRank.NOT_JOINED:
-			current_user.rank = models.UserRank.MEMBER
+		if current_user.ban and current_user.ban.has_expired:
+			models.db.session.delete(current_user.ban)
+			if current_user.rank == models.UserRank.BANNED:
+				current_user.rank = models.UserRank.MEMBER
 			models.db.session.commit()
+		elif current_user.is_banned:
+			if current_user.ban:
+				flash(gettext("Banned:") + " " + current_user.ban.message, "danger")
+			else:
+				flash(gettext("You have been banned."), "danger")
+			logout_user()
+			return redirect(url_for("users.login"))
+		elif current_user.rank == models.UserRank.NOT_JOINED:
+			current_user.rank = models.UserRank.NEW_MEMBER
+			models.db.session.commit()
+
+
+from .utils import clear_notifications, is_safe_url, create_session
+
+
+@app.before_request
+def check_for_notifications():
+	clear_notifications(request.path)
+
+
+@app.errorhandler(404)
+def page_not_found(e):
+	return render_template("404.html"), 404
+
+
+@app.errorhandler(500)
+def server_error(e):
+	return render_template("500.html"), 500
+
+
+def get_locale():
+	if not request:
+		return None
+
+	locales = app.config["LANGUAGES"].keys()
+
+	if current_user.is_authenticated and current_user.locale in locales:
+		return current_user.locale
+
+	locale = request.cookies.get("locale")
+	if locale not in locales:
+		locale = request.accept_languages.best_match(locales)
+
+	if locale and current_user.is_authenticated:
+		with create_session() as new_session:
+			new_session.query(models.User) \
+				.filter(models.User.username == current_user.username) \
+				.update({"locale": locale})
+			new_session.commit()
+
+	return locale
+
+
+babel.init_app(app, locale_selector=get_locale)
+
+
+@app.route("/set-locale/", methods=["POST"])
+@csrf.exempt
+def set_locale():
+	locale = request.form.get("locale")
+	if locale not in app.config["LANGUAGES"].keys():
+		flash("Unknown locale {}".format(locale), "danger")
+		locale = None
+
+	next_url = request.form.get("r")
+	if next_url and is_safe_url(next_url):
+		resp = make_response(redirect(next_url))
+	else:
+		resp = make_response(redirect(url_for("homepage.home")))
+
+	if locale:
+		expire_date = datetime.datetime.now()
+		expire_date = expire_date + datetime.timedelta(days=5*365)
+		resp.set_cookie("locale", locale, expires=expire_date, secure=True, samesite="Lax")
+
+		if current_user.is_authenticated:
+			current_user.locale = locale
+			models.db.session.commit()
+
+	return resp
+
+
+@app.route("/set-nonfree/", methods=["POST"])
+def set_nonfree():
+	resp = redirect(url_for("homepage.home"))
+	if request.cookies.get("hide_nonfree") == "1":
+		resp.set_cookie("hide_nonfree", "0", expires=0, secure=True, samesite="Lax")
+	else:
+		expire_date = datetime.datetime.now()
+		expire_date = expire_date + datetime.timedelta(days=5*365)
+		resp.set_cookie("hide_nonfree", "1", expires=expire_date, secure=True, samesite="Lax")
+
+	return resp
--- a/app/_translations.py
+++ b/app/_translations.py
@@ -0,0 +1,252 @@
+# THIS FILE IS AUTOGENERATED: utils/extract_translations.py
+
+from flask_babel import pgettext
+
+# NOTE: tags: title for 128px
+pgettext("tags", "128px+")
+# NOTE: tags: description for 128px
+pgettext("tags", "For 128px or higher texture packs")
+# NOTE: tags: title for 16px
+pgettext("tags", "16px")
+# NOTE: tags: description for 16px
+pgettext("tags", "For 16px texture packs")
+# NOTE: tags: title for 32px
+pgettext("tags", "32px")
+# NOTE: tags: description for 32px
+pgettext("tags", "For 32px texture packs")
+# NOTE: tags: title for 64px
+pgettext("tags", "64px")
+# NOTE: tags: description for 64px
+pgettext("tags", "For 64px texture packs")
+# NOTE: tags: title for adventure__rpg
+pgettext("tags", "Adventure / RPG")
+# NOTE: tags: title for april_fools
+pgettext("tags", "Joke")
+# NOTE: tags: description for april_fools
+pgettext("tags", "For humorous content, meant as a novelty or joke, not to be taken seriously, and that is not meant to be used seriously or long-term.")
+# NOTE: tags: title for building
+pgettext("tags", "Building")
+# NOTE: tags: description for building
+pgettext("tags", "Focuses on building, such as adding new materials or nodes")
+# NOTE: tags: title for building_mechanics
+pgettext("tags", "Building Mechanics and Tools")
+# NOTE: tags: description for building_mechanics
+pgettext("tags", "Adds game mechanics or tools that change how players build.")
+# NOTE: tags: title for chat
+pgettext("tags", "Chat / Commands")
+# NOTE: tags: description for chat
+pgettext("tags", "Focus on player chat/communication or console interaction.")
+# NOTE: tags: title for commerce
+pgettext("tags", "Commerce / Economy")
+# NOTE: tags: description for commerce
+pgettext("tags", "Related to economies, money, and trading")
+# NOTE: tags: title for complex_installation
+pgettext("tags", "Complex installation")
+# NOTE: tags: description for complex_installation
+pgettext("tags", "Requires futher installation steps, such as installing LuaRocks or editing the trusted mod setting")
+# NOTE: tags: title for crafting
+pgettext("tags", "Crafting")
+# NOTE: tags: description for crafting
+pgettext("tags", "Big changes to crafting gameplay")
+# NOTE: tags: title for creative
+pgettext("tags", "Creative")
+# NOTE: tags: description for creative
+pgettext("tags", "Written specifically or exclusively for use in creative mode. Adds content only available through a creative inventory, or provides tools that facilitate ingame creation and doesn't add difficulty or scarcity")
+# NOTE: tags: title for custom_mapgen
+pgettext("tags", "Custom mapgen")
+# NOTE: tags: description for custom_mapgen
+pgettext("tags", "Contains a completely custom mapgen implemented in Lua, usually requires worlds to be set to the 'singlenode' mapgen.")
+# NOTE: tags: title for decorative
+pgettext("tags", "Decorative")
+# NOTE: tags: description for decorative
+pgettext("tags", "Adds nodes with no other purpose than for use in building")
+# NOTE: tags: title for developer_tools
+pgettext("tags", "Developer Tools")
+# NOTE: tags: description for developer_tools
+pgettext("tags", "Tools for game and mod developers")
+# NOTE: tags: title for education
+pgettext("tags", "Education")
+# NOTE: tags: description for education
+pgettext("tags", "Either has educational value, or is a tool to help teachers ")
+# NOTE: tags: title for environment
+pgettext("tags", "Environment / Weather")
+# NOTE: tags: description for environment
+pgettext("tags", "Improves the world, adding weather, ambient sounds, or other environment mechanics")
+# NOTE: tags: title for food
+pgettext("tags", "Food / Drinks")
+# NOTE: tags: title for gui
+pgettext("tags", "GUI")
+# NOTE: tags: description for gui
+pgettext("tags", "For content whose main utility or features are provided within a GUI, on-screen menu, or similar")
+# NOTE: tags: title for hud
+pgettext("tags", "HUD")
+# NOTE: tags: description for hud
+pgettext("tags", "For mods that grant the player extra information in the HUD")
+# NOTE: tags: title for inventory
+pgettext("tags", "Inventory")
+# NOTE: tags: description for inventory
+pgettext("tags", "Changes the inventory GUI")
+# NOTE: tags: title for jam_combat_mod
+pgettext("tags", "Jam / Combat 2020")
+# NOTE: tags: description for jam_combat_mod
+pgettext("tags", "For mods created for the Discord \"Combat\" modding event in 2020")
+# NOTE: tags: title for jam_game_2021
+pgettext("tags", "Jam / Game 2021")
+# NOTE: tags: description for jam_game_2021
+pgettext("tags", "Entries to the 2021 Minetest Game Jam")
+# NOTE: tags: title for jam_game_2022
+pgettext("tags", " Jam / Game 2022")
+# NOTE: tags: description for jam_game_2022
+pgettext("tags", "Entries to the 2022 Minetest Game Jam ")
+# NOTE: tags: title for jam_game_2023
+pgettext("tags", "Jam / Game 2023")
+# NOTE: tags: description for jam_game_2023
+pgettext("tags", "Entries to the 2023 Minetest Game Jam ")
+# NOTE: tags: title for jam_game_2024
+pgettext("tags", "Jam / Game 2024")
+# NOTE: tags: description for jam_game_2024
+pgettext("tags", "Entries to the 2024 Luanti Game Jam")
+# NOTE: tags: title for jam_weekly_2021
+pgettext("tags", "Jam / Weekly Challenges 2021")
+# NOTE: tags: description for jam_weekly_2021
+pgettext("tags", "For mods created for the Discord \"Weekly Challenges\" modding event in 2021")
+# NOTE: tags: title for less_than_px
+pgettext("tags", "<16px")
+# NOTE: tags: description for less_than_px
+pgettext("tags", "For less than 16px texture packs ")
+# NOTE: tags: title for library
+pgettext("tags", "API / Library")
+# NOTE: tags: description for library
+pgettext("tags", "Primarily adds an API for other mods to use")
+# NOTE: tags: title for magic
+pgettext("tags", "Magic / Enchanting")
+# NOTE: tags: title for mapgen
+pgettext("tags", "Mapgen / Biomes / Decoration")
+# NOTE: tags: description for mapgen
+pgettext("tags", "New mapgen or changes mapgen")
+# NOTE: tags: title for mini-game
+pgettext("tags", "Mini-game")
+# NOTE: tags: description for mini-game
+pgettext("tags", "Adds a mini-game to be played within Luanti")
+# NOTE: tags: title for mobs
+pgettext("tags", "Mobs / Animals / NPCs")
+# NOTE: tags: description for mobs
+pgettext("tags", "Adds mobs, animals, and non-player characters")
+# NOTE: tags: title for mtg
+pgettext("tags", "Minetest Game improved")
+# NOTE: tags: description for mtg
+pgettext("tags", "Forks of Minetest Game")
+# NOTE: tags: title for multiplayer
+pgettext("tags", "Multiplayer-focused")
+# NOTE: tags: description for multiplayer
+pgettext("tags", "Can/should only be used in multiplayer")
+# NOTE: tags: title for oneofakind__original
+pgettext("tags", "One-of-a-kind / Original")
+# NOTE: tags: description for oneofakind__original
+pgettext("tags", "For games and such that are of their own kind, distinct and original in nature to others of the same category.")
+# NOTE: tags: title for plants_and_farming
+pgettext("tags", "Plants and Farming")
+# NOTE: tags: description for plants_and_farming
+pgettext("tags", "Adds new plants or other farmable resources.")
+# NOTE: tags: title for player_effects
+pgettext("tags", "Player Effects / Power Ups")
+# NOTE: tags: description for player_effects
+pgettext("tags", "For content that changes player effects, including physics, for example: speed, jump height or gravity.")
+# NOTE: tags: title for puzzle
+pgettext("tags", "Puzzle")
+# NOTE: tags: description for puzzle
+pgettext("tags", "Focus on puzzle solving instead of combat")
+# NOTE: tags: title for pve
+pgettext("tags", "Player vs Environment (PvE)")
+# NOTE: tags: description for pve
+pgettext("tags", "For content designed for one or more players that focus on combat against the world, mobs, or NPCs.")
+# NOTE: tags: title for pvp
+pgettext("tags", "Player vs Player (PvP)")
+# NOTE: tags: description for pvp
+pgettext("tags", "Designed to be played competitively against other players")
+# NOTE: tags: title for seasonal
+pgettext("tags", "Seasonal")
+# NOTE: tags: description for seasonal
+pgettext("tags", "For content generally themed around a certain season or holiday")
+# NOTE: tags: title for server_tools
+pgettext("tags", "Server Moderation and Tools")
+# NOTE: tags: description for server_tools
+pgettext("tags", "Helps with server maintenance and moderation")
+# NOTE: tags: title for shooter
+pgettext("tags", "Shooter")
+# NOTE: tags: description for shooter
+pgettext("tags", "First person shooters (FPS) and more")
+# NOTE: tags: title for simulation
+pgettext("tags", "Sims")
+# NOTE: tags: description for simulation
+pgettext("tags", "Mods and games that aim to simulate real life activity. Similar to SimCity/The Sims/OpenTTD/etc.")
+# NOTE: tags: title for singleplayer
+pgettext("tags", "Singleplayer-focused")
+# NOTE: tags: description for singleplayer
+pgettext("tags", "Content that can be played alone")
+# NOTE: tags: title for skins
+pgettext("tags", "Player customization / Skins")
+# NOTE: tags: description for skins
+pgettext("tags", "Allows the player to customize their character by changing the texture or adding accessories.")
+# NOTE: tags: title for sound_music
+pgettext("tags", "Sounds / Music")
+# NOTE: tags: description for sound_music
+pgettext("tags", "Focuses on or adds new sounds or musical things")
+# NOTE: tags: title for sports
+pgettext("tags", "Sports")
+# NOTE: tags: title for storage
+pgettext("tags", "Storage")
+# NOTE: tags: description for storage
+pgettext("tags", "Adds or improves item storage mechanics")
+# NOTE: tags: title for strategy_rts
+pgettext("tags", "Strategy / RTS")
+# NOTE: tags: description for strategy_rts
+pgettext("tags", "Games and mods with a heavy strategy component, whether real-time or turn-based")
+# NOTE: tags: title for survival
+pgettext("tags", "Survival")
+# NOTE: tags: description for survival
+pgettext("tags", "Written specifically for survival gameplay with a focus on game-balance, difficulty level, or resources available through crafting, mining, ...")
+# NOTE: tags: title for technology
+pgettext("tags", "Machines / Electronics")
+# NOTE: tags: description for technology
+pgettext("tags", "Adds machines useful in automation, tubes, or power.")
+# NOTE: tags: title for tools
+pgettext("tags", "Tools / Weapons / Armor")
+# NOTE: tags: description for tools
+pgettext("tags", "Adds or changes tools, weapons, and armor")
+# NOTE: tags: title for transport
+pgettext("tags", "Transport")
+# NOTE: tags: description for transport
+pgettext("tags", "Adds or changes transportation methods. Includes teleportation, vehicles, ridable mobs, transport infrastructure and thematic content")
+# NOTE: tags: title for world_tools
+pgettext("tags", "World Maintenance and Tools")
+# NOTE: tags: description for world_tools
+pgettext("tags", "Tools to manage the world")
+# NOTE: content_warnings: title for alcohol_tobacco
+pgettext("content_warnings", "Alcohol / Tobacco")
+# NOTE: content_warnings: description for alcohol_tobacco
+pgettext("content_warnings", "Contains alcohol and/or tobacco")
+# NOTE: content_warnings: title for bad_language
+pgettext("content_warnings", "Bad Language")
+# NOTE: content_warnings: description for bad_language
+pgettext("content_warnings", "Contains swearing")
+# NOTE: content_warnings: title for drugs
+pgettext("content_warnings", "Drugs")
+# NOTE: content_warnings: description for drugs
+pgettext("content_warnings", "Contains recreational drugs other than alcohol or tobacco")
+# NOTE: content_warnings: title for gambling
+pgettext("content_warnings", "Gambling")
+# NOTE: content_warnings: description for gambling
+pgettext("content_warnings", "Games of chance, gambling games, etc")
+# NOTE: content_warnings: title for gore
+pgettext("content_warnings", "Gore")
+# NOTE: content_warnings: description for gore
+pgettext("content_warnings", "Blood, etc")
+# NOTE: content_warnings: title for horror
+pgettext("content_warnings", "Fear / Horror")
+# NOTE: content_warnings: description for horror
+pgettext("content_warnings", "Shocking and scary content. May scare young children")
+# NOTE: content_warnings: title for violence
+pgettext("content_warnings", "Violence")
+# NOTE: content_warnings: description for violence
+pgettext("content_warnings", "Non-cartoon violence. May be towards fantasy or  human-like characters")
--- a/app/blueprints/init.py
+++ b/app/blueprints/init.py
@@ -1,4 +1,22 @@
-import os, importlib
+# ContentDB
+# Copyright (C) 2018-21 rubenwardy
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU Affero General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU Affero General Public License for more details.
+#
+# You should have received a copy of the GNU Affero General Public License
+# along with this program.  If not, see <https://www.gnu.org/licenses/>.
+
+import importlib
+import os
+

 def create_blueprints(app):
 	dir = os.path.dirname(os.path.realpath(__file__))
--- a/app/blueprints/admin/init.py
+++ b/app/blueprints/admin/init.py
@@ -1,17 +1,17 @@
-# Content DB
-# Copyright (C) 2018  rubenwardy
+# ContentDB
+# Copyright (C) 2018-21 rubenwardy
 #
 # This program is free software: you can redistribute it and/or modify
-# it under the terms of the GNU General Public License as published by
+# it under the terms of the GNU Affero General Public License as published by
 # the Free Software Foundation, either version 3 of the License, or
 # (at your option) any later version.
 #
 # This program is distributed in the hope that it will be useful,
 # but WITHOUT ANY WARRANTY; without even the implied warranty of
 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
-# GNU General Public License for more details.
+# GNU Affero General Public License for more details.
 #
-# You should have received a copy of the GNU General Public License
+# You should have received a copy of the GNU Affero General Public License
 # along with this program.  If not, see <https://www.gnu.org/licenses/>.


@@ -19,4 +19,4 @@ from flask import Blueprint

 bp = Blueprint("admin", __name__)

-from . import admin, licenseseditor, tagseditor, versioneditor
+from . import admin, audit, licenseseditor, tagseditor, versioneditor, warningseditor, languageseditor, email, approval_stats
--- a/app/blueprints/admin/actions.py
+++ b/app/blueprints/admin/actions.py
@@ -0,0 +1,434 @@
+# ContentDB
+# Copyright (C) 2018-21 rubenwardy
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU Affero General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU Affero General Public License for more details.
+#
+# You should have received a copy of the GNU Affero General Public License
+# along with this program.  If not, see <https://www.gnu.org/licenses/>.
+import datetime
+import os
+from typing import List
+
+import requests
+from celery import group, uuid
+from flask import redirect, url_for, flash, current_app
+from sqlalchemy import or_, and_, not_, func
+
+from app.models import PackageRelease, db, Package, PackageState, PackageScreenshot, MetaPackage, User, \
+	NotificationType, PackageUpdateConfig, License, UserRank, PackageType, Thread, AuditLogEntry, ReportAttachment
+from app.tasks.emails import send_pending_digests
+from app.tasks.forumtasks import import_topic_list, check_all_forum_accounts
+from app.tasks.importtasks import import_repo_screenshot, check_zip_release, check_for_updates, update_all_game_support, \
+	import_languages, check_all_zip_files
+from app.tasks.usertasks import import_github_user_ids, do_delete_likely_spammers
+from app.tasks.pkgtasks import notify_about_git_forum_links, clear_removed_packages, check_package_for_broken_links, update_file_size_bytes
+from app.utils import add_notification, get_system_user
+
+actions = {}
+
+
+def action(title: str):
+	def func(f):
+		name = f.__name__
+		actions[name] = {
+			"title": title,
+			"func": f,
+		}
+
+		return f
+
+	return func
+
+
+@action("Delete stuck releases")
+def del_stuck_releases():
+	PackageRelease.query.filter(PackageRelease.task_id.isnot(None)).delete()
+	db.session.commit()
+	return redirect(url_for("admin.admin_page"))
+
+@action("Delete unused uploads")
+def clean_uploads():
+	upload_dir = current_app.config['UPLOAD_DIR']
+
+	(_, _, filenames) = next(os.walk(upload_dir))
+	existing_uploads = set(filenames)
+
+	if len(existing_uploads) != 0:
+		def get_filenames_from_column(column):
+			results = db.session.query(column).filter(column.isnot(None), column != "").all()
+			return set([os.path.basename(x[0]) for x in results])
+
+		release_urls = get_filenames_from_column(PackageRelease.url)
+		screenshot_urls = get_filenames_from_column(PackageScreenshot.url)
+		attachment_urls = get_filenames_from_column(ReportAttachment.url)
+		pp_urls = get_filenames_from_column(User.profile_pic)
+
+		db_urls = release_urls.union(screenshot_urls).union(pp_urls).union(attachment_urls)
+		unreachable = existing_uploads.difference(db_urls)
+
+		import sys
+		print("On Disk: ", existing_uploads, file=sys.stderr)
+		print("In DB: ", db_urls, file=sys.stderr)
+		print("Unreachable: ", unreachable, file=sys.stderr)
+
+		for filename in unreachable:
+			os.remove(os.path.join(upload_dir, filename))
+
+		flash("Deleted " + str(len(unreachable)) + " unreachable uploads", "success")
+	else:
+		flash("No downloads to create", "danger")
+
+	return redirect(url_for("admin.admin_page"))
+
+
+@action("Delete unused mod names")
+def del_mod_names():
+	query = MetaPackage.query.filter(~MetaPackage.dependencies.any(), ~MetaPackage.packages.any())
+	count = query.count()
+	query.delete(synchronize_session=False)
+	db.session.commit()
+
+	flash("Deleted " + str(count) + " unused mod names", "success")
+	return redirect(url_for("admin.admin_page"))
+
+
+@action("Recalc package scores")
+def recalc_scores():
+	for package in Package.query.all():
+		package.recalculate_score()
+
+	db.session.commit()
+
+	flash("Recalculated package scores", "success")
+	return redirect(url_for("admin.admin_page"))
+
+
+@action("Import forum topic list")
+def do_import_topic_list():
+	task = import_topic_list.delay()
+	return redirect(url_for("tasks.check", id=task.id, r=url_for("admin.admin_page")))
+
+
+@action("Check all forum accounts")
+def check_all_forum_accounts():
+	task = check_all_forum_accounts.delay()
+	return redirect(url_for("tasks.check", id=task.id, r=url_for("admin.admin_page")))
+
+
+@action("Run update configs")
+def run_update_config():
+	check_for_updates.delay()
+
+	flash("Started update configs", "success")
+	return redirect(url_for("admin.admin_page"))
+
+
+def _package_list(packages: List[str]):
+	# Who needs translations?
+	if len(packages) >= 3:
+		packages[len(packages) - 1] = "and " + packages[len(packages) - 1]
+		return ", ".join(packages)
+	else:
+		return " and ".join(packages)
+
+
+@action("Send WIP package notification")
+def remind_wip():
+	users = User.query.filter(User.packages.any(or_(
+			Package.state == PackageState.WIP, Package.state == PackageState.CHANGES_NEEDED)))
+	system_user = get_system_user()
+	for user in users:
+		packages = Package.query.filter(
+				Package.author_id == user.id,
+				or_(Package.state == PackageState.WIP, Package.state == PackageState.CHANGES_NEEDED)) \
+			.all()
+
+		packages = [pkg.title for pkg in packages]
+		packages_list = _package_list(packages)
+		havent = "haven't" if len(packages) > 1 else "hasn't"
+
+		add_notification(user, system_user, NotificationType.PACKAGE_APPROVAL,
+			f"Did you forget? {packages_list} {havent} been submitted for review yet",
+						 url_for('todo.view_user', username=user.username))
+	db.session.commit()
+
+
+@action("Send outdated package notification")
+def remind_outdated():
+	users = User.query.filter(User.maintained_packages.any(
+			Package.update_config.has(PackageUpdateConfig.outdated_at.isnot(None))))
+	system_user = get_system_user()
+	for user in users:
+		packages = Package.query.filter(
+				Package.maintainers.contains(user),
+				Package.update_config.has(PackageUpdateConfig.outdated_at.isnot(None))) \
+			.all()
+
+		packages = [pkg.title for pkg in packages]
+		packages_list = _package_list(packages)
+
+		add_notification(user, system_user, NotificationType.PACKAGE_APPROVAL,
+				f"The following packages may be outdated: {packages_list}",
+						 url_for('todo.view_user', username=user.username))
+
+	db.session.commit()
+
+
+@action("Import licenses from SPDX")
+def import_licenses():
+	renames = {
+		"GPLv2": "GPL-2.0-only",
+		"GPLv3": "GPL-3.0-only",
+		"AGPLv2": "AGPL-2.0-only",
+		"AGPLv3": "AGPL-3.0-only",
+		"LGPLv2.1": "LGPL-2.1-only",
+		"LGPLv3": "LGPL-3.0-only",
+		"Apache 2.0": "Apache-2.0",
+		"BSD 2-Clause / FreeBSD": "BSD-2-Clause-FreeBSD",
+		"BSD 3-Clause": "BSD-3-Clause",
+		"CC0": "CC0-1.0",
+		"CC BY 3.0": "CC-BY-3.0",
+		"CC BY 4.0": "CC-BY-4.0",
+		"CC BY-NC-SA 3.0": "CC-BY-NC-SA-3.0",
+		"CC BY-SA 3.0": "CC-BY-SA-3.0",
+		"CC BY-SA 4.0": "CC-BY-SA-4.0",
+		"NPOSLv3": "NPOSL-3.0",
+		"MPL 2.0": "MPL-2.0",
+		"EUPLv1.2": "EUPL-1.2",
+		"SIL Open Font License v1.1": "OFL-1.1",
+	}
+
+	for old_name, new_name in renames.items():
+		License.query.filter_by(name=old_name).update({ "name": new_name })
+
+	r = requests.get(
+			"https://raw.githubusercontent.com/spdx/license-list-data/master/json/licenses.json")
+	licenses = r.json()["licenses"]
+
+	existing_licenses = {}
+	for license_data in License.query.all():
+		assert license_data.name not in renames.keys()
+		existing_licenses[license_data.name.lower()] = license_data
+
+	for license_data in licenses:
+		obj = existing_licenses.get(license_data["licenseId"].lower())
+		if obj:
+			obj.url = license_data["reference"]
+		elif license_data.get("isOsiApproved") and license_data.get("isFsfLibre") and not license_data["isDeprecatedLicenseId"]:
+			obj = License(license_data["licenseId"], True, license_data["reference"])
+			db.session.add(obj)
+
+	db.session.commit()
+
+
+@action("Delete inactive users")
+def delete_inactive_users():
+	users = User.query.filter(User.is_active == False, ~User.packages.any(), ~User.forum_topics.any(),
+			User.rank == UserRank.NOT_JOINED).all()
+	for user in users:
+		db.session.delete(user)
+	db.session.commit()
+
+
+@action("Send Video URL notification")
+def remind_video_url():
+	users = User.query.filter(User.maintained_packages.any(
+			and_(Package.video_url == None, Package.type == PackageType.GAME, Package.state == PackageState.APPROVED)))
+	system_user = get_system_user()
+	for user in users:
+		packages = Package.query.filter(
+				or_(Package.author == user, Package.maintainers.contains(user)),
+				Package.video_url == None,
+				Package.type == PackageType.GAME,
+				Package.state == PackageState.APPROVED) \
+			.all()
+
+		package_names = [pkg.title for pkg in packages]
+		packages_list = _package_list(package_names)
+
+		add_notification(user, system_user, NotificationType.PACKAGE_APPROVAL,
+				f"You should add a video to {packages_list}",
+						 url_for('users.profile', username=user.username))
+
+	db.session.commit()
+
+
+@action("Send missing game support notifications")
+def remind_missing_game_support():
+	users = User.query.filter(
+		User.maintained_packages.any(and_(
+			Package.state != PackageState.DELETED,
+			Package.type.in_([PackageType.MOD, PackageType.TXP]),
+			~Package.supported_games.any(),
+			Package.supports_all_games == False))).all()
+
+	system_user = get_system_user()
+	for user in users:
+		packages = Package.query.filter(
+			Package.maintainers.contains(user),
+			Package.state != PackageState.DELETED,
+			Package.type.in_([PackageType.MOD, PackageType.TXP]),
+			~Package.supported_games.any(),
+			Package.supports_all_games == False) \
+			.all()
+
+		packages = [pkg.title for pkg in packages]
+		packages_list = _package_list(packages)
+
+		add_notification(user, system_user, NotificationType.PACKAGE_APPROVAL,
+				f"You need to confirm whether the following packages support all games: {packages_list}",
+				url_for('todo.all_game_support', username=user.username))
+
+	db.session.commit()
+
+
+@action("Detect game support")
+def detect_game_support():
+	task_id = uuid()
+	update_all_game_support.apply_async((), task_id=task_id)
+	return redirect(url_for("tasks.check", id=task_id, r=url_for("admin.admin_page")))
+
+
+@action("Send pending notif digests")
+def do_send_pending_digests():
+	send_pending_digests.delay()
+
+
+@action("Import user ids from GitHub")
+def do_import_github_user_ids():
+	task_id = uuid()
+	import_github_user_ids.apply_async((), task_id=task_id)
+	return redirect(url_for("tasks.check", id=task_id, r=url_for("admin.admin_page")))
+
+
+@action("Notify about links to git/forums instead of CDB")
+def do_notify_git_forums_links():
+	task_id = uuid()
+	notify_about_git_forum_links.apply_async((), task_id=task_id)
+	return redirect(url_for("tasks.check", id=task_id, r=url_for("admin.admin_page")))
+
+
+@action("Check all zip files")
+def do_check_all_zip_files():
+	task_id = uuid()
+	check_all_zip_files.apply_async((), task_id=task_id)
+	return redirect(url_for("tasks.check", id=task_id, r=url_for("admin.admin_page")))
+
+
+@action("Update file_size_bytes")
+def do_update_file_size_bytes():
+	task_id = uuid()
+	update_file_size_bytes.apply_async((), task_id=task_id)
+	return redirect(url_for("tasks.check", id=task_id, r=url_for("admin.admin_page")))
+
+
+@action("DANGER: Delete less popular removed packages")
+def del_less_popular_removed_packages():
+	task_id = uuid()
+	clear_removed_packages.apply_async((False, ), task_id=task_id)
+	return redirect(url_for("tasks.check", id=task_id, r=url_for("admin.admin_page")))
+
+
+@action("DANGER: Delete all removed packages")
+def del_removed_packages():
+	task_id = uuid()
+	clear_removed_packages.apply_async((True, ), task_id=task_id)
+	return redirect(url_for("tasks.check", id=task_id, r=url_for("admin.admin_page")))
+
+
+@action("DANGER: Check all releases (postReleaseCheckUpdate)")
+def check_releases():
+	releases = PackageRelease.query.filter(PackageRelease.url.like("/uploads/%")).all()
+
+	tasks = []
+	for release in releases:
+		tasks.append(check_zip_release.s(release.id, release.file_path))
+
+	result = group(tasks).apply_async()
+
+	while not result.ready():
+		import time
+		time.sleep(0.1)
+
+	return redirect(url_for("todo.view_editor"))
+
+
+@action("DANGER: Check latest release of all packages (postReleaseCheckUpdate)")
+def reimport_packages():
+	tasks = []
+	for package in Package.query.filter(Package.state == PackageState.APPROVED).all():
+		release = package.releases.first()
+		if release:
+			tasks.append(check_zip_release.s(release.id, release.file_path))
+
+	result = group(tasks).apply_async()
+
+	while not result.ready():
+		import time
+		time.sleep(0.1)
+
+	return redirect(url_for("todo.view_editor"))
+
+
+@action("DANGER: Import translations")
+def reimport_translations():
+	tasks = []
+	for package in Package.query.filter(Package.state == PackageState.APPROVED).all():
+		release = package.releases.first()
+		if release:
+			tasks.append(import_languages.s(release.id, release.file_path))
+
+	result = group(tasks).apply_async()
+	while not result.ready():
+		import time
+		time.sleep(0.1)
+
+	return redirect(url_for("todo.view_editor"))
+
+
+@action("DANGER: Import screenshots from Git")
+def import_screenshots():
+	packages = Package.query \
+		.filter(Package.state != PackageState.DELETED) \
+		.outerjoin(PackageScreenshot, Package.id == PackageScreenshot.package_id) \
+		.filter(PackageScreenshot.id == None) \
+		.all()
+	for package in packages:
+		import_repo_screenshot.delay(package.id)
+
+	return redirect(url_for("admin.admin_page"))
+
+
+@action("DANGER: Delete empty threads")
+def delete_empty_threads():
+	query = Thread.query.filter(~Thread.replies.any())
+	count = query.count()
+	for thread in query.all():
+		thread.watchers.clear()
+		db.session.delete(thread)
+	db.session.commit()
+
+	flash(f"Deleted {count} threads", "success")
+
+	return redirect(url_for("admin.admin_page"))
+
+
+@action("DANGER: Check for broken links in all packages")
+def check_for_broken_links():
+	for package in Package.query.filter_by(state=PackageState.APPROVED).all():
+		check_package_for_broken_links.delay(package.id)
+
+
+@action("DANGER: Delete likely spammers")
+def delete_likely_spammers():
+	task_id = uuid()
+	do_delete_likely_spammers.apply_async((), task_id=task_id)
+	return redirect(url_for("tasks.check", id=task_id, r=url_for("admin.admin_page")))
--- a/app/blueprints/admin/admin.py
+++ b/app/blueprints/admin/admin.py
@@ -1,109 +1,48 @@
-# Content DB
-# Copyright (C) 2018  rubenwardy
+# ContentDB
+# Copyright (C) 2018-21 rubenwardy
 #
 # This program is free software: you can redistribute it and/or modify
-# it under the terms of the GNU General Public License as published by
+# it under the terms of the GNU Affero General Public License as published by
 # the Free Software Foundation, either version 3 of the License, or
 # (at your option) any later version.
 #
 # This program is distributed in the hope that it will be useful,
 # but WITHOUT ANY WARRANTY; without even the implied warranty of
 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
-# GNU General Public License for more details.
+# GNU Affero General Public License for more details.
 #
-# You should have received a copy of the GNU General Public License
+# You should have received a copy of the GNU Affero General Public License
 # along with this program.  If not, see <https://www.gnu.org/licenses/>.

-
-from flask import *
-from flask_user import *
-import flask_menu as menu
-from . import bp
-from app.models import *
-from celery import uuid
-from app.tasks.importtasks import importRepoScreenshot, importAllDependencies, makeVCSRelease
-from app.tasks.forumtasks  import importTopicList, checkAllForumAccounts
+from flask import redirect, render_template, url_for, request, flash
+from flask_login import current_user, login_user
 from flask_wtf import FlaskForm
-from wtforms import *
-from app.utils import loginUser, rank_required, triggerNotif
-import datetime
+from wtforms import StringField, SubmitField, BooleanField
+from wtforms.validators import InputRequired, Length, Optional
+from app.utils import rank_required, add_audit_log, add_notification, get_system_user, nonempty_or_none, \
+	get_int_or_abort
+from sqlalchemy import func
+from . import bp
+from .actions import actions
+from app.models import UserRank, Package, db, PackageState, PackageRelease, PackageScreenshot, User, AuditSeverity, NotificationType, PackageAlias
+from ...querybuilder import QueryBuilder
+

@bp.route("/admin/", methods=["GET", "POST"])
-@rank_required(UserRank.ADMIN)
+@rank_required(UserRank.EDITOR)
 def admin_page():
-	if request.method == "POST":
+	if request.method == "POST" and current_user.rank.at_least(UserRank.ADMIN):
 		action = request.form["action"]
-		if action == "delstuckreleases":
-			PackageRelease.query.filter(PackageRelease.task_id != None).delete()
-			db.session.commit()
-			return redirect(url_for("admin.admin_page"))
-		elif action == "importmodlist":
-			task = importTopicList.delay()
-			return redirect(url_for("tasks.check", id=task.id, r=url_for("todo.topics")))
-		elif action == "checkusers":
-			task = checkAllForumAccounts.delay()
-			return redirect(url_for("tasks.check", id=task.id, r=url_for("admin.admin_page")))
-		elif action == "importscreenshots":
-			packages = Package.query \
-				.filter_by(soft_deleted=False) \
-				.outerjoin(PackageScreenshot, Package.id==PackageScreenshot.package_id) \
-				.filter(PackageScreenshot.id==None) \
-				.all()
-			for package in packages:
-				importRepoScreenshot.delay(package.id)
-
-			return redirect(url_for("admin.admin_page"))
-		elif action == "restore":
-			package = Package.query.get(request.form["package"])
-			if package is None:
-				flash("Unknown package", "error")
-			else:
-				package.soft_deleted = False
-				db.session.commit()
-				return redirect(url_for("admin.admin_page"))
-		elif action == "importdepends":
-			task = importAllDependencies.delay()
-			return redirect(url_for("tasks.check", id=task.id, r=url_for("admin.admin_page")))
-		elif action == "modprovides":
-			packages = Package.query.filter_by(type=PackageType.MOD).all()
-			mpackage_cache = {}
-			for p in packages:
-				if len(p.provides) == 0:
-					p.provides.append(MetaPackage.GetOrCreate(p.name, mpackage_cache))
-
-			db.session.commit()
-			return redirect(url_for("admin.admin_page"))
-		elif action == "recalcscores":
-			for p in Package.query.all():
-				p.setStartScore()
-
-			db.session.commit()
-			return redirect(url_for("admin.admin_page"))
-		elif action == "vcsrelease":
-			for package in Package.query.filter(Package.repo.isnot(None)).all():
-				if package.releases.count() != 0:
-					continue
-
-				rel = PackageRelease()
-				rel.package  = package
-				rel.title    = datetime.date.today().isoformat()
-				rel.url      = ""
-				rel.task_id  = uuid()
-				rel.approved = True
-				db.session.add(rel)
-				db.session.commit()
-
-				makeVCSRelease.apply_async((rel.id, "master"), task_id=rel.task_id)
-
-				msg = "{}: Release {} created".format(package.title, rel.title)
-				triggerNotif(package.author, current_user, msg, rel.getEditURL())
-				db.session.commit()
+		if action in actions:
+			ret = actions[action]["func"]()
+			if ret:
+				return ret

 		else:
-			flash("Unknown action: " + action, "error")
+			flash("Unknown action: " + action, "danger")
+
+	return render_template("admin/list.html", actions=actions)

-	deleted_packages = Package.query.filter_by(soft_deleted=True).all()
-	return render_template("admin/list.html", deleted_packages=deleted_packages)

 class SwitchUserForm(FlaskForm):
 	username = StringField("Username")
@@ -114,15 +53,171 @@ class SwitchUserForm(FlaskForm):
@rank_required(UserRank.ADMIN)
 def switch_user():
 	form = SwitchUserForm(formdata=request.form)
-	if request.method == "POST" and form.validate():
-		user = User.query.filter_by(username=form["username"].data).first()
+	if form.validate_on_submit():
+		user = User.query.filter_by(username=form.username.data).first()
 		if user is None:
-			flash("Unable to find user", "error")
-		elif loginUser(user):
+			flash("Unable to find user", "danger")
+		elif login_user(user):
 			return redirect(url_for("users.profile", username=current_user.username))
 		else:
-			flash("Unable to login as user", "error")
-
+			flash("Unable to login as user", "danger")

 	# Process GET or invalid POST
 	return render_template("admin/switch_user.html", form=form)
+
+
+class SendNotificationForm(FlaskForm):
+	title = StringField("Title", [InputRequired(), Length(1, 300)])
+	url = StringField("URL", [InputRequired(), Length(1, 100)], default="/")
+	submit = SubmitField("Send")
+
+
+@bp.route("/admin/send-notification/", methods=["GET", "POST"])
+@rank_required(UserRank.ADMIN)
+def send_bulk_notification():
+	form = SendNotificationForm(request.form)
+	if form.validate_on_submit():
+		add_audit_log(AuditSeverity.MODERATION, current_user,
+				"Sent bulk notification", url_for("admin.admin_page"), None, form.title.data)
+
+		users = User.query.filter(User.rank >= UserRank.NEW_MEMBER).all()
+		add_notification(users, get_system_user(), NotificationType.OTHER, form.title.data, form.url.data, None)
+		db.session.commit()
+
+		return redirect(url_for("admin.admin_page"))
+
+	return render_template("admin/send_bulk_notification.html", form=form)
+
+
+@bp.route("/admin/restore/", methods=["GET", "POST"])
+@rank_required(UserRank.EDITOR)
+def restore():
+	if request.method == "POST":
+		target = request.form["submit"]
+		if "Review" in target:
+			target = PackageState.READY_FOR_REVIEW
+		elif "Changes" in target:
+			target = PackageState.CHANGES_NEEDED
+		else:
+			target = PackageState.WIP
+
+		package = Package.query.get(request.form["package"])
+		if package is None:
+			flash("Unknown package", "danger")
+		else:
+			package.state = target
+
+			add_audit_log(AuditSeverity.EDITOR, current_user, f"Restored package to state {target.value}",
+						  package.get_url("packages.view"), package)
+
+			db.session.commit()
+			return redirect(package.get_url("packages.view"))
+
+	deleted_packages = Package.query \
+		.filter(Package.state == PackageState.DELETED) \
+		.join(Package.author) \
+		.order_by(db.asc(User.username), db.asc(Package.name)) \
+		.all()
+
+	return render_template("admin/restore.html", deleted_packages=deleted_packages)
+
+
+class TransferPackageForm(FlaskForm):
+	old_username = StringField("Old Username", [InputRequired()])
+	new_username = StringField("New Username", [InputRequired()])
+	package = StringField("Package", [Optional()])
+	remove_maintainer = BooleanField("Remove current owner from maintainers")
+	submit = SubmitField("Transfer")
+
+
+def perform_transfer(form: TransferPackageForm):
+	query = Package.query.filter(Package.author.has(username=form.old_username.data))
+	if nonempty_or_none(form.package.data):
+		query = query.filter_by(name=form.package.data)
+
+	packages = query.all()
+	if len(packages) == 0:
+		flash("Unable to find package(s)", "danger")
+		return
+
+	new_user = User.query.filter_by(username=form.new_username.data).first()
+	if new_user is None:
+		flash("Unable to find new user", "danger")
+		return
+
+	names = [x.name for x in packages]
+	already_existing = Package.query.filter(Package.author_id == new_user.id, Package.name.in_(names)).all()
+	if len(already_existing) > 0:
+		existing_names = [x.name for x in already_existing]
+		flash("Unable to transfer packages as names exist at destination: " + ", ".join(existing_names), "danger")
+		return
+
+	for package in packages:
+		if form.remove_maintainer.data:
+			package.maintainers.remove(package.author)
+		package.author = new_user
+		package.maintainers.append(new_user)
+		package.aliases.append(PackageAlias(form.old_username.data, package.name))
+
+		add_audit_log(AuditSeverity.MODERATION, current_user,
+				f"Transferred {form.old_username.data}/{package.name} to {form.new_username.data}",
+				package.get_url("packages.view"), package)
+
+	db.session.commit()
+
+	flash("Transferred " + ", ".join([x.name for x in packages]), "success")
+
+	return redirect(url_for("admin.transfer"))
+
+
+@bp.route("/admin/transfer/", methods=["GET", "POST"])
+@rank_required(UserRank.MODERATOR)
+def transfer():
+	form = TransferPackageForm(formdata=request.form)
+	if form.validate_on_submit():
+		ret = perform_transfer(form)
+		if ret is not None:
+			return ret
+
+	# Process GET or invalid POST
+	return render_template("admin/transfer.html", form=form)
+
+
+def sum_file_sizes(clazz):
+	ret = {}
+	for entry in (db.session
+			.query(clazz.package_id, func.sum(clazz.file_size_bytes))
+			.select_from(clazz)
+			.group_by(clazz.package_id)
+			.all()):
+		ret[entry[0]] = entry[1]
+	return ret
+
+
+@bp.route("/admin/storage/")
+@rank_required(UserRank.EDITOR)
+def storage():
+	qb = QueryBuilder(request.args, cookies=True)
+	qb.only_approved = False
+	packages = qb.build_package_query().all()
+
+	show_all = len(packages) < 100
+	min_size = get_int_or_abort(request.args.get("min_size"), 0 if show_all else 50)
+
+	package_size_releases = sum_file_sizes(PackageRelease)
+	package_size_screenshots = sum_file_sizes(PackageScreenshot)
+
+	data = []
+	for package in packages:
+		size_releases = package_size_releases.get(package.id, 0)
+		size_screenshots = package_size_screenshots.get(package.id, 0)
+		size_total = size_releases + size_screenshots
+		if size_total < min_size * 1024 * 1024:
+			continue
+
+		latest_release = package.releases.first()
+		size_latest = latest_release.file_size_bytes if latest_release else 0
+		data.append([package, size_total, size_releases, size_screenshots, size_latest])
+
+	data.sort(key=lambda x: x[1], reverse=True)
+	return render_template("admin/storage.html", data=data)
--- a/app/blueprints/admin/approval_stats.py
+++ b/app/blueprints/admin/approval_stats.py
@@ -0,0 +1,77 @@
+# ContentDB
+# Copyright (C) 2024 rubenwardy
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU Affero General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU Affero General Public License for more details.
+#
+# You should have received a copy of the GNU Affero General Public License
+# along with this program.  If not, see <https://www.gnu.org/licenses/>.
+
+import datetime
+from flask import render_template, request, abort, redirect, url_for, jsonify
+
+from . import bp
+from app.logic.approval_stats import get_approval_statistics
+from app.models import UserRank
+from app.utils import rank_required
+
+
+@bp.route("/admin/approval_stats/")
+@rank_required(UserRank.APPROVER)
+def approval_stats():
+	start = request.args.get("start")
+	end = request.args.get("end")
+	if start and end:
+		try:
+			start = datetime.datetime.fromisoformat(start)
+			end = datetime.datetime.fromisoformat(end)
+		except ValueError:
+			abort(400)
+	elif start:
+		return redirect(url_for("admin.approval_stats", start=start, end=datetime.datetime.utcnow().date().isoformat()))
+	elif end:
+		return redirect(url_for("admin.approval_stats", start="2020-07-01", end=end))
+	else:
+		end = datetime.datetime.utcnow()
+		start = end - datetime.timedelta(days=365)
+
+	stats = get_approval_statistics(start, end)
+	return render_template("admin/approval_stats.html", stats=stats, start=start, end=end)
+
+
+@bp.route("/admin/approval_stats.json")
+@rank_required(UserRank.APPROVER)
+def approval_stats_json():
+	start = request.args.get("start")
+	end = request.args.get("end")
+	if start and end:
+		try:
+			start = datetime.datetime.fromisoformat(start)
+			end = datetime.datetime.fromisoformat(end)
+		except ValueError:
+			abort(400)
+	else:
+		end = datetime.datetime.utcnow()
+		start = end - datetime.timedelta(days=365)
+
+	stats = get_approval_statistics(start, end)
+	for key, value in stats.packages_info.items():
+		stats.packages_info[key] = value.__dict__()
+
+	return jsonify({
+		"start": start.isoformat(),
+		"end": end.isoformat(),
+		"editor_approvals": stats.editor_approvals,
+		"packages_info": stats.packages_info,
+		"turnaround_time": {
+			"avg": stats.avg_turnaround_time,
+			"max": stats.max_turnaround_time,
+		},
+	})
--- a/app/blueprints/admin/audit.py
+++ b/app/blueprints/admin/audit.py
@@ -0,0 +1,73 @@
+# ContentDB
+# Copyright (C) 2020  rubenwardy
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU Affero General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU Affero General Public License for more details.
+#
+# You should have received a copy of the GNU Affero General Public License
+# along with this program.  If not, see <https://www.gnu.org/licenses/>.
+
+from flask import render_template, request, abort
+from flask_babel import lazy_gettext
+from flask_login import current_user, login_required
+from flask_wtf import FlaskForm
+from wtforms import StringField, SubmitField
+from wtforms.validators import Optional, Length
+
+from app.models import db, AuditLogEntry, UserRank, User, Permission
+from app.utils import rank_required, get_int_or_abort
+
+from . import bp
+
+
+class AuditForm(FlaskForm):
+	username = StringField(lazy_gettext("Username"), [Optional(), Length(0, 25)])
+	q = StringField(lazy_gettext("Query"), [Optional(), Length(0, 300)])
+	url = StringField(lazy_gettext("URL"), [Optional(), Length(0, 300)])
+	submit = SubmitField(lazy_gettext("Search"), name=None)
+
+
+@bp.route("/admin/audit/")
+@rank_required(UserRank.APPROVER)
+def audit():
+	page = get_int_or_abort(request.args.get("page"), 1)
+	num = min(40, get_int_or_abort(request.args.get("n"), 100))
+
+	query = AuditLogEntry.query.order_by(db.desc(AuditLogEntry.created_at))
+
+	form = AuditForm(request.args)
+	username = form.username.data
+	q = form.q.data
+	url = form.url.data
+	if username:
+		user = User.query.filter_by(username=username).first_or_404()
+		query = query.filter_by(causer=user)
+
+	if q:
+		query = query.filter(AuditLogEntry.title.ilike(f"%{q}%"))
+
+	if url:
+		query = query.filter(AuditLogEntry.url.ilike(f"%{url}%"))
+
+	if not current_user.rank.at_least(UserRank.MODERATOR):
+		query = query.filter(AuditLogEntry.package)
+
+	pagination = query.paginate(page=page, per_page=num)
+	return render_template("admin/audit.html", log=pagination.items, pagination=pagination, form=form)
+
+
+@bp.route("/admin/audit/<int:id_>/")
+@login_required
+def audit_view(id_):
+	entry: AuditLogEntry = AuditLogEntry.query.get_or_404(id_)
+	if not entry.check_perm(current_user, Permission.VIEW_AUDIT_DESCRIPTION):
+		abort(403)
+
+	return render_template("admin/audit_view.html", entry=entry)
--- a/app/blueprints/admin/email.py
+++ b/app/blueprints/admin/email.py
@@ -0,0 +1,77 @@
+# ContentDB
+# Copyright (C) 2020  rubenwardy
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU Affero General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU Affero General Public License for more details.
+#
+# You should have received a copy of the GNU Affero General Public License
+# along with this program.  If not, see <https://www.gnu.org/licenses/>.
+
+from flask import request, abort, url_for, redirect, render_template, flash
+from flask_login import current_user
+from flask_wtf import FlaskForm
+from wtforms import TextAreaField, SubmitField, StringField
+from wtforms.validators import InputRequired, Length
+
+from app.markdown import render_markdown
+from app.tasks.emails import send_user_email, send_bulk_email as task_send_bulk
+from app.utils import rank_required, add_audit_log, normalize_line_endings
+from . import bp
+from app.models import UserRank, User, AuditSeverity
+
+
+class SendEmailForm(FlaskForm):
+	subject = StringField("Subject", [InputRequired(), Length(1, 300)])
+	text    = TextAreaField("Message", [InputRequired()], filters=[normalize_line_endings])
+	submit  = SubmitField("Send")
+
+
+@bp.route("/admin/send-email/", methods=["GET", "POST"])
+@rank_required(UserRank.ADMIN)
+def send_single_email():
+	username = request.args["username"]
+	user = User.query.filter_by(username=username).first()
+	if user is None:
+		abort(404)
+
+	next_url = url_for("users.profile", username=user.username)
+
+	if user.email is None:
+		flash("User has no email address!", "danger")
+		return redirect(next_url)
+
+	form = SendEmailForm(request.form)
+	if form.validate_on_submit():
+		add_audit_log(AuditSeverity.MODERATION, current_user,
+				"Sent email to {}".format(user.display_name), url_for("users.profile", username=username))
+
+		text = form.text.data
+		html = render_markdown(text)
+		task = send_user_email.delay(user.email, user.locale or "en", form.subject.data, text, html)
+		return redirect(url_for("tasks.check", id=task.id, r=next_url))
+
+	return render_template("admin/send_email.html", form=form, user=user)
+
+
+@bp.route("/admin/send-bulk-email/", methods=["GET", "POST"])
+@rank_required(UserRank.ADMIN)
+def send_bulk_email():
+	form = SendEmailForm(request.form)
+	if form.validate_on_submit():
+		add_audit_log(AuditSeverity.MODERATION, current_user,
+				"Sent bulk email", url_for("admin.admin_page"), None, form.text.data)
+
+		text = form.text.data
+		html = render_markdown(text)
+		task_send_bulk.delay(form.subject.data, text, html)
+
+		return redirect(url_for("admin.admin_page"))
+
+	return render_template("admin/send_bulk_email.html", form=form)
--- a/app/blueprints/admin/languageseditor.py
+++ b/app/blueprints/admin/languageseditor.py
@@ -0,0 +1,73 @@
+# ContentDB
+# Copyright (C) 2018-24 rubenwardy
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU Affero General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU Affero General Public License for more details.
+#
+# You should have received a copy of the GNU Affero General Public License
+# along with this program.  If not, see <https://www.gnu.org/licenses/>.
+
+
+from flask import redirect, render_template, abort, url_for
+from flask_login import current_user
+from flask_wtf import FlaskForm
+from wtforms import StringField, TextAreaField, SubmitField
+from wtforms.validators import InputRequired, Length, Optional
+
+from app.models import db, AuditSeverity, UserRank, Language, Package, PackageState, PackageTranslation
+from app.utils import add_audit_log, rank_required, normalize_line_endings
+from . import bp
+
+
+@bp.route("/admin/languages/")
+@rank_required(UserRank.ADMIN)
+def language_list():
+	at_least_one_count = db.session.query(PackageTranslation.package_id).group_by(PackageTranslation.package_id).count()
+	total_package_count = Package.query.filter_by(state=PackageState.APPROVED).count()
+	return render_template("admin/languages/list.html",
+		languages=Language.query.all(), total_package_count=total_package_count,
+		at_least_one_count=at_least_one_count)
+
+
+class LanguageForm(FlaskForm):
+	id = StringField("Id", [InputRequired(), Length(2, 10)])
+	title = TextAreaField("Title", [Optional(), Length(2, 100)], filters=[normalize_line_endings])
+	submit = SubmitField("Save")
+
+
+@bp.route("/admin/languages/new/", methods=["GET", "POST"])
+@bp.route("/admin/languages/<id_>/edit/", methods=["GET", "POST"])
+@rank_required(UserRank.ADMIN)
+def create_edit_language(id_=None):
+	language = None
+	if id_ is not None:
+		language = Language.query.filter_by(id=id_).first()
+		if language is None:
+			abort(404)
+
+	form = LanguageForm(obj=language)
+	if form.validate_on_submit():
+		if language is None:
+			language = Language()
+			db.session.add(language)
+			form.populate_obj(language)
+
+			add_audit_log(AuditSeverity.EDITOR, current_user, f"Created language {language.id}",
+					url_for("admin.create_edit_language", id_=language.id))
+		else:
+			form.populate_obj(language)
+
+			add_audit_log(AuditSeverity.EDITOR, current_user, f"Edited language {language.id}",
+					url_for("admin.create_edit_language", id_=language.id))
+
+		db.session.commit()
+		return redirect(url_for("admin.create_edit_language", id_=language.id))
+
+	return render_template("admin/languages/edit.html", language=language, form=form)
--- a/app/blueprints/admin/licenseseditor.py
+++ b/app/blueprints/admin/licenseseditor.py
@@ -1,38 +1,43 @@
-# Content DB
-# Copyright (C) 2018  rubenwardy
+# ContentDB
+# Copyright (C) 2018-21 rubenwardy
 #
 # This program is free software: you can redistribute it and/or modify
-# it under the terms of the GNU General Public License as published by
+# it under the terms of the GNU Affero General Public License as published by
 # the Free Software Foundation, either version 3 of the License, or
 # (at your option) any later version.
 #
 # This program is distributed in the hope that it will be useful,
 # but WITHOUT ANY WARRANTY; without even the implied warranty of
 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
-# GNU General Public License for more details.
+# GNU Affero General Public License for more details.
 #
-# You should have received a copy of the GNU General Public License
+# You should have received a copy of the GNU Affero General Public License
 # along with this program.  If not, see <https://www.gnu.org/licenses/>.


-from flask import *
-from flask_user import *
-from . import bp
-from app.models import *
+from flask import redirect, render_template, abort, url_for, request, flash
+from flask_login import current_user
 from flask_wtf import FlaskForm
-from wtforms import *
-from wtforms.validators import *
-from app.utils import rank_required
+from wtforms import StringField, BooleanField, SubmitField, URLField
+from wtforms.validators import InputRequired, Length, Optional
+
+from app.utils import rank_required, nonempty_or_none, add_audit_log
+from . import bp
+from app.models import UserRank, License, db, AuditSeverity
+

@bp.route("/licenses/")
@rank_required(UserRank.MODERATOR)
 def license_list():
 	return render_template("admin/licenses/list.html", licenses=License.query.order_by(db.asc(License.name)).all())

+
 class LicenseForm(FlaskForm):
-	name	 = StringField("Name", [InputRequired(), Length(3,100)])
-	is_foss  = BooleanField("Is FOSS")
-	submit   = SubmitField("Save")
+	name = StringField("Name", [InputRequired(), Length(3, 100)])
+	is_foss = BooleanField("Is FOSS")
+	url = URLField("URL", [Optional()], filters=[nonempty_or_none])
+	submit = SubmitField("Save")
+

@bp.route("/licenses/new/", methods=["GET", "POST"])
@bp.route("/licenses/<name>/edit/", methods=["GET", "POST"])
@@ -47,14 +52,20 @@ def create_edit_license(name=None):
 	form = LicenseForm(formdata=request.form, obj=license)
 	if request.method == "GET" and license is None:
 		form.is_foss.data = True
-	elif request.method == "POST" and form.validate():
+	elif form.validate_on_submit():
 		if license is None:
 			license = License(form.name.data)
 			db.session.add(license)
 			flash("Created license " + form.name.data, "success")
+
+			add_audit_log(AuditSeverity.MODERATION, current_user, f"Created license {license.name}",
+						  url_for("admin.license_list"))
 		else:
 			flash("Updated license " + form.name.data, "success")

+			add_audit_log(AuditSeverity.MODERATION, current_user, f"Edited license {license.name}",
+						  url_for("admin.license_list"))
+
 		form.populate_obj(license)
 		db.session.commit()
 		return redirect(url_for("admin.license_list"))
--- a/app/blueprints/admin/tagseditor.py
+++ b/app/blueprints/admin/tagseditor.py
@@ -1,42 +1,58 @@
-# Content DB
-# Copyright (C) 2018  rubenwardy
+# ContentDB
+# Copyright (C) 2018-21 rubenwardy
 #
 # This program is free software: you can redistribute it and/or modify
-# it under the terms of the GNU General Public License as published by
+# it under the terms of the GNU Affero General Public License as published by
 # the Free Software Foundation, either version 3 of the License, or
 # (at your option) any later version.
 #
 # This program is distributed in the hope that it will be useful,
 # but WITHOUT ANY WARRANTY; without even the implied warranty of
 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
-# GNU General Public License for more details.
+# GNU Affero General Public License for more details.
 #
-# You should have received a copy of the GNU General Public License
+# You should have received a copy of the GNU Affero General Public License
 # along with this program.  If not, see <https://www.gnu.org/licenses/>.


-from flask import *
-from flask_user import *
-from . import bp
-from app.models import *
+from flask import redirect, render_template, abort, url_for, request
+from flask_login import current_user, login_required
 from flask_wtf import FlaskForm
-from wtforms import *
-from wtforms.validators import *
-from app.utils import rank_required
+from wtforms import StringField, TextAreaField, BooleanField, SubmitField
+from wtforms.validators import InputRequired, Length, Optional, Regexp
+
+from . import bp
+from app.models import Permission, Tag, db, AuditSeverity
+from app.utils import add_audit_log, normalize_line_endings
+

@bp.route("/tags/")
-@rank_required(UserRank.MODERATOR)
+@login_required
 def tag_list():
-	return render_template("admin/tags/list.html", tags=Tag.query.order_by(db.asc(Tag.title)).all())
+	if not Permission.EDIT_TAGS.check(current_user):
+		abort(403)
+
+	query = Tag.query
+
+	if request.args.get("sort") == "views":
+		query = query.order_by(db.desc(Tag.views))
+	else:
+		query = query.order_by(db.asc(Tag.title))
+
+	return render_template("admin/tags/list.html", tags=query.all())
+

 class TagForm(FlaskForm):
-	title	 = StringField("Title", [InputRequired(), Length(3,100)])
-	name     = StringField("Name", [Optional(), Length(1, 20), Regexp("^[a-z0-9_]", 0, "Lower case letters (a-z), digits (0-9), and underscores (_) only")])
-	submit   = SubmitField("Save")
+	title = StringField("Title", [InputRequired(), Length(3, 100)])
+	description = TextAreaField("Description", [Optional(), Length(0, 500)], filters=[normalize_line_endings])
+	name = StringField("Name", [Optional(), Length(1, 20), Regexp("^[a-z0-9_]", 0,
+			"Lower case letters (a-z), digits (0-9), and underscores (_) only")])
+	submit = SubmitField("Save")
+

@bp.route("/tags/new/", methods=["GET", "POST"])
@bp.route("/tags/<name>/edit/", methods=["GET", "POST"])
-@rank_required(UserRank.MODERATOR)
+@login_required
 def create_edit_tag(name=None):
 	tag = None
 	if name is not None:
@@ -44,14 +60,29 @@ def create_edit_tag(name=None):
 		if tag is None:
 			abort(404)

-	form = TagForm(formdata=request.form, obj=tag)
-	if request.method == "POST" and form.validate():
+	if not Permission.check_perm(current_user, Permission.EDIT_TAGS if tag else Permission.CREATE_TAG):
+		abort(403)
+
+	form = TagForm(obj=tag)
+	if form.validate_on_submit():
 		if tag is None:
 			tag = Tag(form.title.data)
+			tag.description = form.description.data
 			db.session.add(tag)
+
+			add_audit_log(AuditSeverity.EDITOR, current_user, f"Created tag {tag.name}",
+						  url_for("admin.create_edit_tag", name=tag.name))
 		else:
 			form.populate_obj(tag)
+
+			add_audit_log(AuditSeverity.EDITOR, current_user, f"Edited tag {tag.name}",
+						  url_for("admin.create_edit_tag", name=tag.name))
+
 		db.session.commit()
-		return redirect(url_for("admin.create_edit_tag", name=tag.name))
+
+		if Permission.EDIT_TAGS.check(current_user):
+			return redirect(url_for("admin.create_edit_tag", name=tag.name))
+		else:
+			return redirect(url_for("homepage.home"))

 	return render_template("admin/tags/edit.html", tag=tag, form=form)
--- a/app/blueprints/admin/versioneditor.py
+++ b/app/blueprints/admin/versioneditor.py
@@ -1,38 +1,43 @@
-# Content DB
-# Copyright (C) 2018  rubenwardy
+# ContentDB
+# Copyright (C) 2018-21 rubenwardy
 #
 # This program is free software: you can redistribute it and/or modify
-# it under the terms of the GNU General Public License as published by
+# it under the terms of the GNU Affero General Public License as published by
 # the Free Software Foundation, either version 3 of the License, or
 # (at your option) any later version.
 #
 # This program is distributed in the hope that it will be useful,
 # but WITHOUT ANY WARRANTY; without even the implied warranty of
 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
-# GNU General Public License for more details.
+# GNU Affero General Public License for more details.
 #
-# You should have received a copy of the GNU General Public License
+# You should have received a copy of the GNU Affero General Public License
 # along with this program.  If not, see <https://www.gnu.org/licenses/>.


-from flask import *
-from flask_user import *
-from . import bp
-from app.models import *
+from flask import redirect, render_template, abort, url_for, request, flash
+from flask_login import current_user
 from flask_wtf import FlaskForm
-from wtforms import *
-from wtforms.validators import *
-from app.utils import rank_required
+from wtforms import StringField, IntegerField, SubmitField
+from wtforms.validators import InputRequired, Length
+
+from app.utils import rank_required, add_audit_log
+from . import bp
+from app.models import UserRank, LuantiRelease, db, AuditSeverity
+

@bp.route("/versions/")
@rank_required(UserRank.MODERATOR)
 def version_list():
-	return render_template("admin/versions/list.html", versions=MinetestRelease.query.order_by(db.asc(MinetestRelease.id)).all())
+	return render_template("admin/versions/list.html",
+			versions=LuantiRelease.query.order_by(db.asc(LuantiRelease.id)).all())
+

 class VersionForm(FlaskForm):
-	name	 = StringField("Name", [InputRequired(), Length(3,100)])
+	name = StringField("Name", [InputRequired(), Length(3, 100)])
 	protocol = IntegerField("Protocol")
-	submit   = SubmitField("Save")
+	submit = SubmitField("Save")
+

@bp.route("/versions/new/", methods=["GET", "POST"])
@bp.route("/versions/<name>/edit/", methods=["GET", "POST"])
@@ -40,19 +45,25 @@ class VersionForm(FlaskForm):
 def create_edit_version(name=None):
 	version = None
 	if name is not None:
-		version = MinetestRelease.query.filter_by(name=name).first()
+		version = LuantiRelease.query.filter_by(name=name).first()
 		if version is None:
 			abort(404)

 	form = VersionForm(formdata=request.form, obj=version)
-	if request.method == "POST" and form.validate():
+	if form.validate_on_submit():
 		if version is None:
-			version = MinetestRelease(form.name.data)
+			version = LuantiRelease(form.name.data)
 			db.session.add(version)
 			flash("Created version " + form.name.data, "success")
+
+			add_audit_log(AuditSeverity.MODERATION, current_user, f"Created version {version.name}",
+						  url_for("admin.license_list"))
 		else:
 			flash("Updated version " + form.name.data, "success")

+			add_audit_log(AuditSeverity.MODERATION, current_user, f"Edited version {version.name}",
+						  url_for("admin.version_list"))
+
 		form.populate_obj(version)
 		db.session.commit()
 		return redirect(url_for("admin.version_list"))
--- a/app/blueprints/admin/warningseditor.py
+++ b/app/blueprints/admin/warningseditor.py
@@ -0,0 +1,63 @@
+# ContentDB
+# Copyright (C) 2020  rubenwardy
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU Affero General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU Affero General Public License for more details.
+#
+# You should have received a copy of the GNU Affero General Public License
+# along with this program.  If not, see <https://www.gnu.org/licenses/>.
+
+
+from flask import redirect, render_template, abort, url_for, request
+from flask_wtf import FlaskForm
+from wtforms import StringField, TextAreaField, SubmitField
+from wtforms.validators import InputRequired, Length, Optional, Regexp
+
+from app.utils import rank_required, normalize_line_endings
+from . import bp
+from app.models import UserRank, ContentWarning, db
+
+
+@bp.route("/admin/warnings/")
+@rank_required(UserRank.ADMIN)
+def warning_list():
+	return render_template("admin/warnings/list.html", warnings=ContentWarning.query.order_by(db.asc(ContentWarning.title)).all())
+
+
+class WarningForm(FlaskForm):
+	title = StringField("Title", [InputRequired(), Length(3, 100)])
+	description = TextAreaField("Description", [Optional(), Length(0, 500)], filters=[normalize_line_endings])
+	name = StringField("Name", [Optional(), Length(1, 20),
+					Regexp("^[a-z0-9_]", 0, "Lower case letters (a-z), digits (0-9), and underscores (_) only")])
+	submit = SubmitField("Save")
+
+
+@bp.route("/admin/warnings/new/", methods=["GET", "POST"])
+@bp.route("/admin/warnings/<name>/edit/", methods=["GET", "POST"])
+@rank_required(UserRank.ADMIN)
+def create_edit_warning(name=None):
+	warning = None
+	if name is not None:
+		warning = ContentWarning.query.filter_by(name=name).first()
+		if warning is None:
+			abort(404)
+
+	form = WarningForm(formdata=request.form, obj=warning)
+	if form.validate_on_submit():
+		if warning is None:
+			warning = ContentWarning(form.title.data, form.description.data)
+			db.session.add(warning)
+		else:
+			form.populate_obj(warning)
+		db.session.commit()
+
+		return redirect(url_for("admin.warning_list"))
+
+	return render_template("admin/warnings/edit.html", warning=warning, form=form)
--- a/app/blueprints/api/init.py
+++ b/app/blueprints/api/init.py
@@ -1,100 +1,49 @@
-# Content DB
-# Copyright (C) 2018  rubenwardy
+# ContentDB
+# Copyright (C) 2018-21 rubenwardy
 #
 # This program is free software: you can redistribute it and/or modify
-# it under the terms of the GNU General Public License as published by
+# it under the terms of the GNU Affero General Public License as published by
 # the Free Software Foundation, either version 3 of the License, or
 # (at your option) any later version.
 #
 # This program is distributed in the hope that it will be useful,
 # but WITHOUT ANY WARRANTY; without even the implied warranty of
 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
-# GNU General Public License for more details.
+# GNU Affero General Public License for more details.
 #
-# You should have received a copy of the GNU General Public License
+# You should have received a copy of the GNU Affero General Public License
 # along with this program.  If not, see <https://www.gnu.org/licenses/>.

+import json
+from flask import Blueprint

-from flask import *
-from flask_user import *
-from app.models import *
-from app.utils import is_package_page
-from app.querybuilder import QueryBuilder
+from .support import error

 bp = Blueprint("api", __name__)

-@bp.route("/api/packages/")
-def packages():
-	qb    = QueryBuilder(request.args)
-	query = qb.buildPackageQuery()
-	ver   = qb.getMinetestVersion()

-	pkgs = [package.getAsDictionaryShort(current_app.config["BASE_URL"], version=ver) \
-			for package in query.all()]
-	return jsonify(pkgs)
+from . import tokens, endpoints


-@bp.route("/api/packages/<author>/<name>/")
-@is_package_page
-def package(package):
-	return jsonify(package.getAsDictionary(current_app.config["BASE_URL"]))
+@bp.errorhandler(400)
+@bp.errorhandler(401)
+@bp.errorhandler(403)
+@bp.errorhandler(404)
+def handle_exception(e):
+	"""Return JSON instead of HTML for HTTP errors."""
+	# start with the correct headers and status code from the error
+	response = e.get_response()
+	# replace the body with JSON
+	response.data = json.dumps({
+		"success": False,
+		"code": e.code,
+		"name": e.name,
+		"description": e.description,
+	})
+	response.content_type = "application/json"
+	return response


-@bp.route("/api/packages/<author>/<name>/dependencies/")
-@is_package_page
-def package_dependencies(package):
-	ret = []
-
-	for dep in package.dependencies:
-		name = None
-		fulfilled_by = None
-
-		if dep.package:
-			name = dep.package.name
-			fulfilled_by = [ dep.package.getAsDictionaryKey() ]
-
-		elif dep.meta_package:
-			name = dep.meta_package.name
-			fulfilled_by = [ pkg.getAsDictionaryKey() for pkg in dep.meta_package.packages]
-
-		else:
-			raise "Malformed dependency"
-
-		ret.append({
-			"name": name,
-			"is_optional": dep.optional,
-			"packages": fulfilled_by
-		})
-
-	return jsonify(ret)
-
-
-@bp.route("/api/topics/")
-def topics():
-	qb     = QueryBuilder(request.args)
-	query  = qb.buildTopicQuery(show_added=True)
-	return jsonify([t.getAsDictionary() for t in query.all()])
-
-
-@bp.route("/api/topic_discard/", methods=["POST"])
-@login_required
-def topic_set_discard():
-	tid = request.args.get("tid")
-	discard = request.args.get("discard")
-	if tid is None or discard is None:
-		abort(400)
-
-	topic = ForumTopic.query.get(tid)
-	if not topic.checkPerm(current_user, Permission.TOPIC_DISCARD):
-		abort(403)
-
-	topic.discarded = discard == "true"
-	db.session.commit()
-
-	return jsonify(topic.getAsDictionary())
-
-
-@bp.route("/api/minetest_versions/")
-def versions():
-	return jsonify([{ "name": rel.name, "protocol_version": rel.protocol }\
-			for rel in MinetestRelease.query.all() if rel.getActual() is not None])
+@bp.route("/api/<path:path>")
+def page_not_found(path):
+	error(404, "Endpoint or method not found")
--- a/app/blueprints/api/auth.py
+++ b/app/blueprints/api/auth.py
@@ -0,0 +1,46 @@
+# ContentDB
+# Copyright (C) 2019  rubenwardy
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU Affero General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU Affero General Public License for more details.
+#
+# You should have received a copy of the GNU Affero General Public License
+# along with this program.  If not, see <https://www.gnu.org/licenses/>.
+
+from functools import wraps
+
+from flask import request, abort
+
+from app.models import APIToken
+from .support import error
+
+
+def is_api_authd(f):
+	@wraps(f)
+	def decorated_function(*args, **kwargs):
+		token = None
+
+		value = request.headers.get("authorization")
+		if value is None:
+			pass
+		elif value[0:7].lower() == "bearer ":
+			access_token = value[7:]
+			if len(access_token) < 10:
+				error(400, "API token is too short")
+
+			token = APIToken.query.filter_by(access_token=access_token).first()
+			if token is None:
+				error(403, "Unknown API token")
+		else:
+			error(403, "Unsupported authentication method")
+
+		return f(token=token, *args, **kwargs)
+
+	return decorated_function
--- a/app/blueprints/api/endpoints.py
+++ b/app/blueprints/api/endpoints.py
@@ -0,0 +1,940 @@
+# ContentDB
+# Copyright (C) 2018-21  rubenwardy
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU Affero General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU Affero General Public License for more details.
+#
+# You should have received a copy of the GNU Affero General Public License
+# along with this program.  If not, see <https://www.gnu.org/licenses/>.
+
+import math
+import os
+from typing import List
+
+import flask_sqlalchemy
+from flask import request, jsonify, current_app
+from flask_babel import gettext
+from sqlalchemy import and_, or_
+from sqlalchemy.orm import joinedload
+from sqlalchemy.sql.expression import func
+
+from app import csrf
+from app.logic.graphs import get_package_stats, get_package_stats_for_user, get_all_package_stats
+from app.markdown import render_markdown
+from app.models import Tag, PackageState, PackageType, Package, db, PackageRelease, Permission, \
+	LuantiRelease, APIToken, PackageScreenshot, License, ContentWarning, User, PackageReview, Thread, Collection, \
+	PackageAlias, Language
+from app.querybuilder import QueryBuilder
+from app.utils import is_package_page, get_int_or_abort, url_set_query, abs_url, is_yes, get_request_date, cached, \
+	cors_allowed
+from app.utils.luanti_hypertext import html_to_luanti, package_info_as_hypertext, package_reviews_as_hypertext
+from . import bp
+from .auth import is_api_authd
+from .support import error, api_create_vcs_release, api_create_zip_release, api_create_screenshot, \
+	api_order_screenshots, api_edit_package, api_set_cover_image
+
+
+@bp.route("/api/packages/")
+@cors_allowed
+@cached(300)
+def packages():
+	allowed_languages = set([x[0] for x in db.session.query(Language.id).all()])
+	lang = request.accept_languages.best_match(allowed_languages)
+
+	qb = QueryBuilder(request.args, lang=lang)
+	query = qb.build_package_query()
+
+	fmt = request.args.get("fmt")
+	if fmt == "keys":
+		return jsonify([pkg.as_key_dict() for pkg in query.all()])
+
+	include_vcs = fmt == "vcs"
+	pkgs = qb.convert_to_dictionary(query.all(), include_vcs)
+	if "engine_version" in request.args or "protocol_version" in request.args:
+		pkgs = [pkg for pkg in pkgs if pkg.get("release")]
+
+	# Promote featured packages
+	if "sort" not in request.args and \
+			"order" not in request.args and \
+			"q" not in request.args and \
+			"limit" not in request.args:
+		featured_lut = set()
+		featured = qb.convert_to_dictionary(query.filter(
+			Package.collections.any(and_(Collection.name == "featured", Collection.author.has(username="ContentDB")))).all(),
+			include_vcs)
+		for pkg in featured:
+			featured_lut.add(f"{pkg['author']}/{pkg['name']}")
+			pkg["short_description"] = gettext("Featured") + ". " + pkg["short_description"]
+			pkg["featured"] = True
+
+		not_featured = [pkg for pkg in pkgs if f"{pkg['author']}/{pkg['name']}" not in featured_lut]
+		pkgs = featured + not_featured
+
+	resp = jsonify(pkgs)
+	resp.vary = "Accept-Language"
+	return resp
+
+
+@bp.route("/api/packages/<author>/<name>/")
+@is_package_page
+@cors_allowed
+def package_view(package):
+	allowed_languages = set([x[0] for x in db.session.query(Language.id).all()])
+	lang = request.accept_languages.best_match(allowed_languages)
+
+	data = package.as_dict(current_app.config["BASE_URL"], lang=lang)
+	resp = jsonify(data)
+	resp.vary = "Accept-Language"
+	return resp
+
+
+@bp.route("/api/packages/<author>/<name>/for-client/")
+@is_package_page
+@cors_allowed
+def package_view_client(package: Package):
+	protocol_version = request.args.get("protocol_version")
+	engine_version = request.args.get("engine_version")
+	if protocol_version or engine_version:
+		version = LuantiRelease.get(engine_version, get_int_or_abort(protocol_version))
+	else:
+		version = None
+
+	allowed_languages = set([x[0] for x in db.session.query(Language.id).all()])
+	lang = request.accept_languages.best_match(allowed_languages)
+
+	data = package.as_dict(current_app.config["BASE_URL"], version, lang=lang, screenshots_dict=True)
+
+	formspec_version = get_int_or_abort(request.args["formspec_version"])
+	include_images = is_yes(request.args.get("include_images", "true"))
+	page_url = package.get_url("packages.view", absolute=True)
+	if data["long_description"] is not None:
+		html = render_markdown(data["long_description"])
+		data["long_description"] = html_to_luanti(html, page_url, formspec_version, include_images)
+
+	data["info_hypertext"] = package_info_as_hypertext(package, formspec_version)
+
+	data["download_size"] = package.get_download_release(version).file_size
+
+	data["reviews"] = {
+		"positive": package.reviews.filter(PackageReview.rating > 3).count(),
+		"neutral": package.reviews.filter(PackageReview.rating == 3).count(),
+		"negative": package.reviews.filter(PackageReview.rating < 3).count(),
+	}
+
+	resp = jsonify(data)
+	resp.vary = "Accept-Language"
+	return resp
+
+
+@bp.route("/api/packages/<author>/<name>/for-client/reviews/")
+@is_package_page
+@cors_allowed
+def package_view_client_reviews(package: Package):
+	formspec_version = get_int_or_abort(request.args["formspec_version"])
+	data = package_reviews_as_hypertext(package, formspec_version)
+
+	resp = jsonify(data)
+	resp.vary = "Accept-Language"
+	return resp
+
+
+@bp.route("/api/packages/<author>/<name>/hypertext/")
+@is_package_page
+@cors_allowed
+def package_hypertext(package):
+	formspec_version = get_int_or_abort(request.args["formspec_version"])
+	include_images = is_yes(request.args.get("include_images", "true"))
+	html = render_markdown(package.desc if package.desc else "")
+	page_url = package.get_url("packages.view", absolute=True)
+	return jsonify(html_to_luanti(html, page_url, formspec_version, include_images))
+
+
+@bp.route("/api/packages/<author>/<name>/", methods=["PUT"])
+@csrf.exempt
+@is_package_page
+@is_api_authd
+@cors_allowed
+def edit_package(token, package):
+	if not token:
+		error(401, "Authentication needed")
+
+	return api_edit_package(token, package, request.json)
+
+
+def resolve_package_deps(out, package, only_hard, depth=1):
+	id_ = package.get_id()
+	if id_ in out:
+		return
+
+	ret = []
+	out[id_] = ret
+
+	if package.type != PackageType.MOD:
+		return
+
+	for dep in package.dependencies:
+		if only_hard and dep.optional:
+			continue
+
+		if dep.package:
+			name = dep.package.name
+			fulfilled_by = [ dep.package.get_id() ]
+			resolve_package_deps(out, dep.package, only_hard, depth)
+
+		elif dep.meta_package:
+			name = dep.meta_package.name
+			fulfilled_by = [ pkg.get_id() for pkg in dep.meta_package.packages if pkg.state == PackageState.APPROVED]
+
+			if depth == 1 and not dep.optional:
+				most_likely = next((pkg for pkg in dep.meta_package.packages \
+						if pkg.type == PackageType.MOD and pkg.state == PackageState.APPROVED), None)
+				if most_likely:
+					resolve_package_deps(out, most_likely, only_hard, depth + 1)
+
+		else:
+			raise Exception("Malformed dependency")
+
+		ret.append({
+			"name": name,
+			"is_optional": dep.optional,
+			"packages": fulfilled_by
+		})
+
+
+@bp.route("/api/packages/<author>/<name>/dependencies/")
+@is_package_page
+@cors_allowed
+@cached(300)
+def package_dependencies(package):
+	only_hard = request.args.get("only_hard")
+
+	out = {}
+	resolve_package_deps(out, package, only_hard)
+
+	return jsonify(out)
+
+
+@bp.route("/api/topics/")
+@cors_allowed
+def topics():
+	qb = QueryBuilder(request.args)
+	query = qb.build_topic_query(show_added=True)
+	return jsonify([t.as_dict() for t in query.all()])
+
+
+@bp.route("/api/whoami/")
+@is_api_authd
+@cors_allowed
+def whoami(token):
+	if token is None:
+		return jsonify({ "is_authenticated": False, "username": None })
+	else:
+		return jsonify({ "is_authenticated": True, "username": token.owner.username })
+
+
+@bp.route("/api/delete-token/", methods=["DELETE"])
+@csrf.exempt
+@is_api_authd
+@cors_allowed
+def api_delete_token(token):
+	if token is None:
+		error(404, "Token not found")
+
+	db.session.delete(token)
+	db.session.commit()
+
+	return jsonify({"success": True})
+
+
+@bp.route("/api/markdown/", methods=["POST"])
+@csrf.exempt
+def markdown():
+	return render_markdown(request.data.decode("utf-8"))
+
+
+@bp.route("/api/releases/")
+@cors_allowed
+def list_all_releases():
+	query = PackageRelease.query.filter_by(approved=True) \
+			.filter(PackageRelease.package.has(state=PackageState.APPROVED)) \
+			.order_by(db.desc(PackageRelease.created_at))
+
+	if "author" in request.args:
+		author = User.query.filter_by(username=request.args["author"]).first()
+		if author is None:
+			error(404, "Author not found")
+		query = query.filter(PackageRelease.package.has(author=author))
+
+	if "maintainer" in request.args:
+		maintainer = User.query.filter_by(username=request.args["maintainer"]).first()
+		if maintainer is None:
+			error(404, "Maintainer not found")
+		query = query.join(Package)
+		query = query.filter(Package.maintainers.contains(maintainer))
+
+	return jsonify([ rel.as_long_dict() for rel in query.limit(30).all() ])
+
+
+@bp.route("/api/packages/<author>/<name>/releases/")
+@is_package_page
+@cors_allowed
+def list_releases(package):
+	return jsonify([ rel.as_dict() for rel in package.releases.all() ])
+
+
+@bp.route("/api/packages/<author>/<name>/releases/new/", methods=["POST"])
+@csrf.exempt
+@is_package_page
+@is_api_authd
+@cors_allowed
+def create_release(token, package):
+	if not token:
+		error(401, "Authentication needed")
+
+	if not package.check_perm(token.owner, Permission.APPROVE_RELEASE):
+		error(403, "You do not have the permission to approve releases")
+
+	if request.headers.get("Content-Type") == "application/json":
+		data = request.json
+	else:
+		data = request.form
+
+	if not ("title" in data or "name" in data):
+		error(400, "name is required in the POST data")
+
+	name = data.get("name")
+	title = data.get("title") or name
+	name = name or title
+
+	if data.get("method") == "git":
+		for option in ["method", "ref"]:
+			if option not in data:
+				error(400, option + " is required in the POST data")
+
+		return api_create_vcs_release(token, package, name, title, data.get("release_notes"), data["ref"])
+
+	elif request.files:
+		file = request.files.get("file")
+		if file is None:
+			error(400, "Missing 'file' in multipart body")
+
+		commit_hash = data.get("commit")
+
+		return api_create_zip_release(token, package,  name, title, data.get("release_notes"), file, None, None, "API", commit_hash)
+
+	else:
+		error(400, "Unknown release-creation method. Specify the method or provide a file.")
+
+
+@bp.route("/api/packages/<author>/<name>/releases/<int:id>/")
+@is_package_page
+@cors_allowed
+def release_view(package: Package, id: int):
+	release = PackageRelease.query.get(id)
+	if release is None or release.package != package:
+		error(404, "Release not found")
+
+	return jsonify(release.as_dict())
+
+
+@bp.route("/api/packages/<author>/<name>/releases/<int:id>/", methods=["DELETE"])
+@csrf.exempt
+@is_package_page
+@is_api_authd
+@cors_allowed
+def delete_release(token: APIToken, package: Package, id: int):
+	release = PackageRelease.query.get(id)
+	if release is None or release.package != package:
+		error(404, "Release not found")
+
+	if not token:
+		error(401, "Authentication needed")
+
+	if not token.can_operate_on_package(package):
+		error(403, "API token does not have access to the package")
+
+	if not release.check_perm(token.owner, Permission.DELETE_RELEASE):
+		error(403, "Unable to delete the release, make sure there's a newer release available")
+
+	db.session.delete(release)
+	db.session.commit()
+
+	if release.file_path and os.path.isfile(release.file_path):
+		os.remove(release.file_path)
+
+	return jsonify({"success": True})
+
+
+@bp.route("/api/packages/<author>/<name>/screenshots/")
+@is_package_page
+@cors_allowed
+def list_screenshots(package):
+	screenshots = package.screenshots.all()
+	return jsonify([ss.as_dict(current_app.config["BASE_URL"]) for ss in screenshots])
+
+
+@bp.route("/api/packages/<author>/<name>/screenshots/new/", methods=["POST"])
+@csrf.exempt
+@is_package_page
+@is_api_authd
+@cors_allowed
+def create_screenshot(token: APIToken, package: Package):
+	if not token:
+		error(401, "Authentication needed")
+
+	if not package.check_perm(token.owner, Permission.ADD_SCREENSHOTS):
+		error(403, "You do not have the permission to create screenshots")
+
+	data = request.form
+	if "title" not in data:
+		error(400, "Title is required in the POST data")
+
+	file = request.files.get("file")
+	if file is None:
+		error(400, "Missing 'file' in multipart body")
+
+	return api_create_screenshot(token, package, data["title"], file, is_yes(data.get("is_cover_image")))
+
+
+@bp.route("/api/packages/<author>/<name>/screenshots/<int:id>/")
+@is_package_page
+@cors_allowed
+def screenshot(package, id):
+	ss = PackageScreenshot.query.get(id)
+	if ss is None or ss.package != package:
+		error(404, "Screenshot not found")
+
+	return jsonify(ss.as_dict(current_app.config["BASE_URL"]))
+
+
+@bp.route("/api/packages/<author>/<name>/screenshots/<int:id>/", methods=["DELETE"])
+@csrf.exempt
+@is_package_page
+@is_api_authd
+@cors_allowed
+def delete_screenshot(token: APIToken, package: Package, id: int):
+	ss = PackageScreenshot.query.get(id)
+	if ss is None or ss.package != package:
+		error(404, "Screenshot not found")
+
+	if not token:
+		error(401, "Authentication needed")
+
+	if not package.check_perm(token.owner, Permission.ADD_SCREENSHOTS):
+		error(403, "You do not have the permission to delete screenshots")
+
+	if not token.can_operate_on_package(package):
+		error(403, "API token does not have access to the package")
+
+	if package.cover_image == ss:
+		package.cover_image = None
+		db.session.merge(package)
+
+	db.session.delete(ss)
+	db.session.commit()
+
+	os.remove(ss.file_path)
+
+	return jsonify({ "success": True })
+
+
+@bp.route("/api/packages/<author>/<name>/screenshots/order/", methods=["POST"])
+@csrf.exempt
+@is_package_page
+@is_api_authd
+@cors_allowed
+def order_screenshots(token: APIToken, package: Package):
+	if not token:
+		error(401, "Authentication needed")
+
+	if not package.check_perm(token.owner, Permission.ADD_SCREENSHOTS):
+		error(403, "You do not have the permission to change screenshots")
+
+	if not token.can_operate_on_package(package):
+		error(403, "API token does not have access to the package")
+
+	json = request.json
+	if json is None or not isinstance(json, list):
+		error(400, "Expected order body to be array")
+
+	return api_order_screenshots(token, package, request.json)
+
+
+@bp.route("/api/packages/<author>/<name>/screenshots/cover-image/", methods=["POST"])
+@csrf.exempt
+@is_package_page
+@is_api_authd
+@cors_allowed
+def set_cover_image(token: APIToken, package: Package):
+	if not token:
+		error(401, "Authentication needed")
+
+	if not package.check_perm(token.owner, Permission.ADD_SCREENSHOTS):
+		error(403, "You do not have the permission to change screenshots")
+
+	if not token.can_operate_on_package(package):
+		error(403, "API token does not have access to the package")
+
+	json = request.json
+	if json is None or not isinstance(json, dict) or "cover_image" not in json:
+		error(400, "Expected body to be an object with cover_image as a key")
+
+	return api_set_cover_image(token, package, request.json["cover_image"])
+
+
+@bp.route("/api/packages/<author>/<name>/reviews/")
+@is_package_page
+@cors_allowed
+def list_reviews(package):
+	reviews = package.reviews
+	return jsonify([review.as_dict() for review in reviews])
+
+
+@bp.route("/api/reviews/")
+@cors_allowed
+def list_all_reviews():
+	page = get_int_or_abort(request.args.get("page"), 1)
+	num = min(get_int_or_abort(request.args.get("n"), 100), 200)
+
+	query = PackageReview.query
+	query = query.options(joinedload(PackageReview.author), joinedload(PackageReview.package))
+
+	if "for_user" in request.args:
+		query = query.filter(PackageReview.package.has(Package.author.has(username=request.args["for_user"])))
+
+	if "author" in request.args:
+		query = query.filter(PackageReview.author.has(User.username == request.args.get("author")))
+
+	if "is_positive" in request.args:
+		if is_yes(request.args.get("is_positive")):
+			query = query.filter(PackageReview.rating > 3)
+		else:
+			query = query.filter(PackageReview.rating <= 3)
+
+	q = request.args.get("q")
+	if q:
+		query = query.filter(PackageReview.thread.has(Thread.title.ilike(f"%{q}%")))
+
+	query = query.order_by(db.desc(PackageReview.created_at))
+
+	pagination: flask_sqlalchemy.Pagination = query.paginate(page=page, per_page=num)
+	return jsonify({
+		"page": pagination.page,
+		"per_page": pagination.per_page,
+		"page_count": math.ceil(pagination.total / pagination.per_page),
+		"total": pagination.total,
+		"urls": {
+			"previous": abs_url(url_set_query(page=page - 1)) if pagination.has_prev else None,
+			"next": abs_url(url_set_query(page=page + 1)) if pagination.has_next else None,
+		},
+		"items": [review.as_dict(True) for review in pagination.items],
+	})
+
+
+@bp.route("/api/packages/<author>/<name>/stats/")
+@is_package_page
+@cors_allowed
+@cached(300)
+def package_stats(package: Package):
+	start = get_request_date("start")
+	end = get_request_date("end")
+	return jsonify(get_package_stats(package, start, end))
+
+
+@bp.route("/api/package_stats/")
+@cors_allowed
+@cached(900)
+def all_package_stats():
+	return jsonify(get_all_package_stats())
+
+
+@bp.route("/api/scores/")
+@cors_allowed
+@cached(900)
+def package_scores():
+	qb = QueryBuilder(request.args)
+	query = qb.build_package_query()
+
+	pkgs = [package.as_score_dict() for package in query.all()]
+	return jsonify(pkgs)
+
+
+@bp.route("/api/tags/")
+@cors_allowed
+@cached(60*60)
+def tags():
+	return jsonify([tag.as_dict() for tag in Tag.query.order_by(db.asc(Tag.name)).all()])
+
+
+@bp.route("/api/content_warnings/")
+@cors_allowed
+@cached(60*60)
+def content_warnings():
+	return jsonify([warning.as_dict() for warning in ContentWarning.query.order_by(db.asc(ContentWarning.name)).all() ])
+
+
+@bp.route("/api/licenses/")
+@cors_allowed
+@cached(60*60)
+def licenses():
+	all_licenses = License.query.order_by(db.asc(License.name)).all()
+	return jsonify([{"name": license.name, "is_foss": license.is_foss} for license in all_licenses])
+
+
+@bp.route("/api/homepage/")
+@cors_allowed
+@cached(300)
+def homepage():
+	query = Package.query.filter_by(state=PackageState.APPROVED)
+	count = query.count()
+
+	spotlight = query.filter(
+			Package.collections.any(and_(Collection.name == "spotlight", Collection.author.has(username="ContentDB")))) \
+		.order_by(func.random()).limit(6).all()
+	new = query.order_by(db.desc(Package.approved_at)).limit(4).all()
+	pop_mod = query.filter_by(type=PackageType.MOD).order_by(db.desc(Package.score)).limit(8).all()
+	pop_gam = query.filter_by(type=PackageType.GAME).order_by(db.desc(Package.score)).limit(8).all()
+	pop_txp = query.filter_by(type=PackageType.TXP).order_by(db.desc(Package.score)).limit(8).all()
+	high_reviewed = query.order_by(db.desc(Package.score - Package.score_downloads)) \
+			.filter(Package.reviews.any()).limit(4).all()
+
+	updated = db.session.query(Package).select_from(PackageRelease).join(Package) \
+			.filter_by(state=PackageState.APPROVED) \
+			.order_by(db.desc(PackageRelease.created_at)) \
+			.limit(20).all()
+	updated = updated[:4]
+
+	downloads_result = db.session.query(func.sum(Package.downloads)).one_or_none()
+	downloads = 0 if not downloads_result or not downloads_result[0] else downloads_result[0]
+
+	def map_packages(packages: List[Package]):
+		return [pkg.as_short_dict(current_app.config["BASE_URL"]) for pkg in packages]
+
+	return jsonify({
+		"count": count,
+		"downloads": downloads,
+		"spotlight": map_packages(spotlight),
+		"new": map_packages(new),
+		"updated": map_packages(updated),
+		"pop_mod": map_packages(pop_mod),
+		"pop_txp": map_packages(pop_txp),
+		"pop_game": map_packages(pop_gam),
+		"high_reviewed": map_packages(high_reviewed)
+	})
+
+
+@bp.route("/api/minetest_versions/")
+@cors_allowed
+def versions():
+	protocol_version = request.args.get("protocol_version")
+	engine_version = request.args.get("engine_version")
+	if protocol_version or engine_version:
+		rel = LuantiRelease.get(engine_version, get_int_or_abort(protocol_version))
+		if rel is None:
+			error(404, "No releases found")
+
+		return jsonify(rel.as_dict())
+
+	return jsonify([rel.as_dict() \
+			for rel in LuantiRelease.query.all() if rel.get_actual() is not None])
+
+
+@bp.route("/api/languages/")
+@cors_allowed
+def languages():
+	return jsonify([x.as_dict() for x in Language.query.all()])
+
+
+@bp.route("/api/dependencies/")
+@cors_allowed
+def all_deps():
+	qb = QueryBuilder(request.args)
+	query = qb.build_package_query()
+
+	def format_pkg(pkg: Package):
+		return {
+			"type": pkg.type.to_name(),
+			"author": pkg.author.username,
+			"name": pkg.name,
+			"provides": [x.name for x in pkg.provides],
+			"depends": [str(x) for x in pkg.dependencies if not x.optional],
+			"optional_depends": [str(x) for x in pkg.dependencies if x.optional],
+		}
+
+	page = get_int_or_abort(request.args.get("page"), 1)
+	num = min(get_int_or_abort(request.args.get("n"), 100), 300)
+	pagination: flask_sqlalchemy.Pagination = query.paginate(page=page, per_page=num)
+	return jsonify({
+		"page": pagination.page,
+		"per_page": pagination.per_page,
+		"page_count": math.ceil(pagination.total / pagination.per_page),
+		"total": pagination.total,
+		"urls": {
+			"previous": abs_url(url_set_query(page=page - 1)) if pagination.has_prev else None,
+			"next": abs_url(url_set_query(page=page + 1)) if pagination.has_next else None,
+		},
+		"items": [format_pkg(pkg) for pkg in pagination.items],
+	})
+
+
+@bp.route("/api/users/<username>/")
+@cors_allowed
+def user_view(username: str):
+	user = User.query.filter_by(username=username).first()
+	if user is None:
+		error(404, "User not found")
+
+	return jsonify(user.get_dict())
+
+
+@bp.route("/api/users/<username>/stats/")
+@cors_allowed
+@cached(300)
+def user_stats(username: str):
+	user = User.query.filter_by(username=username).first()
+	if user is None:
+		error(404, "User not found")
+
+	start = get_request_date("start")
+	end = get_request_date("end")
+	return jsonify(get_package_stats_for_user(user, start, end))
+
+
+@bp.route("/api/cdb_schema/")
+@cors_allowed
+@cached(60*60)
+def json_schema():
+	tags = Tag.query.all()
+	warnings = ContentWarning.query.all()
+	licenses = License.query.order_by(db.asc(License.name)).all()
+	return jsonify({
+		"title": "CDB Config",
+		"description": "Package Configuration",
+		"type": "object",
+		"$defs": {
+			"license": {
+				"enum": [license.name for license in licenses],
+				"enumDescriptions": [license.is_foss and "FOSS" or "NON-FOSS" for license in licenses]
+			},
+		},
+		"properties": {
+			"type": {
+				"description": "Package Type",
+				"enum": ["MOD", "GAME", "TXP"],
+				"enumDescriptions": ["Mod", "Game", "Texture Pack"]
+			},
+			"title": {
+				"description": "Human-readable title",
+				"type": "string"
+			},
+			"name": {
+				"description": "Technical name (needs permission if already approved).",
+				"type": "string",
+				"pattern": "^[a-z_]+$"
+			},
+			"short_description": {
+				"description": "Package Short Description",
+				"type": ["string", "null"]
+			},
+			"dev_state": {
+				"description": "Development State",
+				"enum": [
+					"WIP",
+					"BETA",
+					"ACTIVELY_DEVELOPED",
+					"MAINTENANCE_ONLY",
+					"AS_IS",
+					"DEPRECATED",
+					"LOOKING_FOR_MAINTAINER"
+				]
+			},
+			"tags": {
+				"description": "Package Tags",
+				"type": "array",
+				"items": {
+					"enum": [tag.name for tag in tags],
+					"enumDescriptions": [tag.title for tag in tags]
+				},
+				"uniqueItems": True,
+			},
+			"content_warnings": {
+				"description": "Package Content Warnings",
+				"type": "array",
+				"items": {
+					"enum": [warning.name for warning in warnings],
+					"enumDescriptions": [warning.title for warning in warnings]
+				},
+				"uniqueItems": True,
+			},
+			"license": {
+				"description": "Package License",
+				"$ref": "#/$defs/license"
+			},
+			"media_license": {
+				"description": "Package Media License",
+				"$ref": "#/$defs/license"
+			},
+			"long_description": {
+				"description": "Package Long Description",
+				"type": ["string", "null"]
+			},
+			"repo": {
+				"description": "Git Repository URL",
+				"type": "string",
+				"format": "uri"
+			},
+			"website": {
+				"description": "Website URL",
+				"type": ["string", "null"],
+				"format": "uri"
+			},
+			"issue_tracker": {
+				"description": "Issue Tracker URL",
+				"type": ["string", "null"],
+				"format": "uri"
+			},
+			"forums": {
+				"description": "Forum Topic ID",
+				"type": ["integer", "null"],
+				"minimum": 0
+			},
+			"video_url": {
+				"description": "URL to a Video",
+				"type": ["string", "null"],
+				"format": "uri"
+			},
+			"donate_url": {
+				"description": "URL to a donation page",
+				"type": ["string", "null"],
+				"format": "uri"
+			},
+			"translation_url": {
+				"description": "URL to send users interested in translating your package",
+				"type": ["string", "null"],
+				"format": "uri"
+			}
+		},
+	})
+
+
+@bp.route("/api/hypertext/", methods=["POST"])
+@csrf.exempt
+@cors_allowed
+def hypertext():
+	formspec_version = get_int_or_abort(request.args["formspec_version"])
+	include_images = is_yes(request.args.get("include_images", "true"))
+
+	html = request.data.decode("utf-8")
+	if request.content_type == "text/markdown":
+		html = render_markdown(html)
+
+	return jsonify(html_to_luanti(html, "", formspec_version, include_images))
+
+
+@bp.route("/api/collections/")
+@cors_allowed
+def collection_list():
+	if "author" in request.args:
+		user = User.query.filter_by(username=request.args["author"]).one_or_404()
+		query = user.collections
+	else:
+		query = Collection.query.order_by(db.asc(Collection.title))
+
+	if "package" in request.args:
+		id_ = request.args["package"]
+		package = Package.get_by_key(id_)
+		if package is None:
+			error(404, f"Package {id_} not found")
+
+		query = query.filter(Collection.packages.contains(package))
+
+	collections = [x.as_short_dict() for x in query.all() if not x.private]
+	return jsonify(collections)
+
+
+@bp.route("/api/collections/<author>/<name>/")
+@is_api_authd
+@cors_allowed
+def collection_view(token, author, name):
+	user = token.owner if token else None
+
+	collection = Collection.query \
+		.filter(Collection.name == name, Collection.author.has(username=author)) \
+		.one_or_404()
+
+	if not collection.check_perm(user, Permission.VIEW_COLLECTION):
+		error(404, "Collection not found")
+
+	items = collection.items
+	if not collection.check_perm(user, Permission.EDIT_COLLECTION):
+		items = [x for x in items if x.package.check_perm(user, Permission.VIEW_PACKAGE)]
+
+	ret = collection.as_dict()
+	ret["items"] = [x.as_dict() for x in items]
+	return jsonify(ret)
+
+
+@bp.route("/api/updates/")
+@cors_allowed
+@cached(300)
+def updates():
+	protocol_version = get_int_or_abort(request.args.get("protocol_version"))
+	engine_version = request.args.get("engine_version")
+	if protocol_version or engine_version:
+		version = LuantiRelease.get(engine_version, protocol_version)
+	else:
+		version = None
+
+	# Subquery to get the latest release for each package
+	latest_release_query = (db.session.query(
+		PackageRelease.package_id,
+		func.max(PackageRelease.id).label('max_release_id'))
+			.select_from(PackageRelease)
+			.filter(PackageRelease.approved == True))
+
+	if version:
+		latest_release_query = (latest_release_query
+			.filter(or_(PackageRelease.min_rel_id == None,
+				PackageRelease.min_rel_id <= version.id))
+			.filter(or_(PackageRelease.max_rel_id == None,
+				PackageRelease.max_rel_id >= version.id)))
+
+	latest_release_subquery = (
+		latest_release_query
+		.group_by(PackageRelease.package_id)
+		.subquery()
+	)
+
+	# Get package id and latest release
+	query = (db.session.query(User.username, Package.name, latest_release_subquery.c.max_release_id)
+		.select_from(Package)
+		.join(User, Package.author)
+		.join(latest_release_subquery, Package.id == latest_release_subquery.c.package_id)
+		.filter(Package.state == PackageState.APPROVED)
+		.all())
+
+	ret = {}
+	for author_username, package_name, release_id in query:
+		ret[f"{author_username}/{package_name}"] = release_id
+
+	# Get aliases
+	aliases = (db.session.query(PackageAlias.author, PackageAlias.name, User.username, Package.name)
+		.select_from(PackageAlias)
+		.join(Package, PackageAlias.package)
+		.join(User, Package.author)
+		.filter(Package.state == PackageState.APPROVED)
+		.all())
+
+	for old_author, old_name, new_author, new_name in aliases:
+		new_release = ret.get(f"{new_author}/{new_name}")
+		if new_release is not None:
+			ret[f"{old_author}/{old_name}"] = new_release
+
+	return jsonify(ret)
--- a/app/blueprints/api/support.py
+++ b/app/blueprints/api/support.py
@@ -0,0 +1,120 @@
+# ContentDB
+# Copyright (C) 2018-21 rubenwardy
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU Affero General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU Affero General Public License for more details.
+#
+# You should have received a copy of the GNU Affero General Public License
+# along with this program.  If not, see <https://www.gnu.org/licenses/>.
+
+from typing import Optional
+from flask import jsonify, abort, make_response, url_for, current_app
+
+from app.logic.packages import do_edit_package
+from app.logic.releases import LogicError, do_create_vcs_release, do_create_zip_release
+from app.logic.screenshots import do_create_screenshot, do_order_screenshots, do_set_cover_image
+from app.models import APIToken, Package, LuantiRelease, PackageScreenshot
+
+
+def error(code: int, msg: str):
+	abort(make_response(jsonify({ "success": False, "error": msg }), code))
+
+
+# Catches LogicErrors and aborts with JSON error
+def guard(f):
+	def ret(*args, **kwargs):
+		try:
+			return f(*args, **kwargs)
+		except LogicError as e:
+			error(e.code, e.message)
+
+	return ret
+
+
+def api_create_vcs_release(token: APIToken, package: Package, name: str, title: Optional[str], release_notes: Optional[str], ref: str,
+		min_v: LuantiRelease = None, max_v: LuantiRelease = None, reason="API"):
+	if not token.can_operate_on_package(package):
+		error(403, "API token does not have access to the package")
+
+	reason += ", token=" + token.name
+
+	rel = guard(do_create_vcs_release)(token.owner, package, name, title, release_notes, ref, min_v, max_v, reason)
+
+	return jsonify({
+		"success": True,
+		"task": url_for("tasks.check", id=rel.task_id),
+		"release": rel.as_dict()
+	})
+
+
+def api_create_zip_release(token: APIToken, package: Package, name: str, title: Optional[str], release_notes: Optional[str], file,
+		min_v: LuantiRelease = None, max_v: LuantiRelease = None, reason="API", commit_hash: str = None):
+	if not token.can_operate_on_package(package):
+		error(403, "API token does not have access to the package")
+
+	reason += ", token=" + token.name
+
+	rel = guard(do_create_zip_release)(token.owner, package, name, title, release_notes, file, min_v, max_v, reason, commit_hash)
+
+	return jsonify({
+		"success": True,
+		"task": url_for("tasks.check", id=rel.task_id),
+		"release": rel.as_dict()
+	})
+
+
+def api_create_screenshot(token: APIToken, package: Package, title: str, file, is_cover_image: bool, reason="API"):
+	if not token.can_operate_on_package(package):
+		error(403, "API token does not have access to the package")
+
+	reason += ", token=" + token.name
+
+	ss : PackageScreenshot = guard(do_create_screenshot)(token.owner, package, title, file, is_cover_image, reason)
+
+	return jsonify({
+		"success": True,
+		"screenshot": ss.as_dict()
+	})
+
+
+def api_order_screenshots(token: APIToken, package: Package, order: [any]):
+	if not token.can_operate_on_package(package):
+		error(403, "API token does not have access to the package")
+
+	guard(do_order_screenshots)(token.owner, package, order)
+
+	return jsonify({
+		"success": True
+	})
+
+
+def api_set_cover_image(token: APIToken, package: Package, cover_image):
+	if not token.can_operate_on_package(package):
+		error(403, "API token does not have access to the package")
+
+	guard(do_set_cover_image)(token.owner, package, cover_image)
+
+	return jsonify({
+		"success": True
+	})
+
+
+def api_edit_package(token: APIToken, package: Package, data: dict, reason: str = "API"):
+	if not token.can_operate_on_package(package):
+		error(403, "API token does not have access to the package")
+
+	reason += ", token=" + token.name
+
+	was_modified = guard(do_edit_package)(token.owner, package, False, False, data, reason)
+	return jsonify({
+		"success": True,
+		"package": package.as_dict(current_app.config["BASE_URL"]),
+		"was_modified": was_modified,
+	})
--- a/app/blueprints/api/tokens.py
+++ b/app/blueprints/api/tokens.py
@@ -0,0 +1,144 @@
+# ContentDB
+# Copyright (C) 2018-21 rubenwardy
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU Affero General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU Affero General Public License for more details.
+#
+# You should have received a copy of the GNU Affero General Public License
+# along with this program.  If not, see <https://www.gnu.org/licenses/>.
+
+
+from flask import render_template, redirect, request, session, url_for, abort
+from flask_babel import lazy_gettext
+from flask_login import login_required, current_user
+from flask_wtf import FlaskForm
+from wtforms import StringField, SubmitField
+from wtforms.validators import InputRequired, Length
+from wtforms_sqlalchemy.fields import QuerySelectField
+
+from app.models import db, User, APIToken, Permission
+from app.utils import random_string
+from . import bp
+from ..users.settings import get_setting_tabs
+
+
+class CreateAPIToken(FlaskForm):
+	name	     = StringField(lazy_gettext("Name"), [InputRequired(), Length(1, 30)])
+	package      = QuerySelectField(lazy_gettext("Limit to package"), allow_blank=True,
+			get_pk=lambda a: a.id, get_label=lambda a: a.title)
+	submit	     = SubmitField(lazy_gettext("Save"))
+
+
+@bp.route("/user/tokens/")
+@login_required
+def list_tokens_redirect():
+	return redirect(url_for("api.list_tokens", username=current_user.username))
+
+
+@bp.route("/users/<username>/tokens/")
+@login_required
+def list_tokens(username):
+	user = User.query.filter_by(username=username).first()
+	if user is None:
+		abort(404)
+
+	if not user.check_perm(current_user, Permission.CREATE_TOKEN):
+		abort(403)
+
+	return render_template("api/list_tokens.html", user=user, tabs=get_setting_tabs(user), current_tab="api_tokens")
+
+
+@bp.route("/users/<username>/tokens/new/", methods=["GET", "POST"])
+@bp.route("/users/<username>/tokens/<int:id>/edit/", methods=["GET", "POST"])
+@login_required
+def create_edit_token(username, id=None):
+	user = User.query.filter_by(username=username).one_or_404()
+	if not user.check_perm(current_user, Permission.CREATE_TOKEN):
+		abort(403)
+
+	is_new = id is None
+
+	token = None
+	access_token = None
+	if not is_new:
+		token = APIToken.query.get(id)
+		if token is None or token.owner != user:
+			abort(404)
+
+		access_token = session.pop("token_" + str(token.id), None)
+
+	form = CreateAPIToken(formdata=request.form, obj=token)
+	form.package.query_factory = lambda: user.maintained_packages.all()
+
+	if form.validate_on_submit():
+		if is_new:
+			token = APIToken()
+			db.session.add(token)
+			token.owner = user
+			token.access_token = random_string(32)
+
+		form.populate_obj(token)
+		db.session.commit()
+
+		if is_new:
+			# Store token so it can be shown in the edit page
+			session["token_" + str(token.id)] = token.access_token
+
+		return redirect(url_for("api.create_edit_token", username=username, id=token.id))
+
+	return render_template("api/create_edit_token.html", user=user, form=form, token=token, access_token=access_token)
+
+
+@bp.route("/users/<username>/tokens/<int:id>/reset/", methods=["POST"])
+@login_required
+def reset_token(username, id):
+	user = User.query.filter_by(username=username).first()
+	if user is None:
+		abort(404)
+
+	if not user.check_perm(current_user, Permission.CREATE_TOKEN):
+		abort(403)
+
+	token = APIToken.query.get(id)
+	if token is None:
+		abort(404)
+	elif token.owner != user:
+		abort(403)
+
+	token.access_token = random_string(32)
+
+	db.session.commit() # save
+
+	# Store token so it can be shown in the edit page
+	session["token_" + str(token.id)] = token.access_token
+
+	return redirect(url_for("api.create_edit_token", username=username, id=token.id))
+
+
+@bp.route("/users/<username>/tokens/<int:id>/delete/", methods=["POST"])
+@login_required
+def delete_token(username, id):
+	user = User.query.filter_by(username=username).first()
+	if user is None:
+		abort(404)
+
+	if not user.check_perm(current_user, Permission.CREATE_TOKEN):
+		abort(403)
+
+	token = APIToken.query.get(id)
+	if token is None:
+		abort(404)
+	elif token.owner != user:
+		abort(403)
+
+	db.session.delete(token)
+	db.session.commit()
+
+	return redirect(url_for("api.list_tokens", username=username))
--- a/app/blueprints/collections/init.py
+++ b/app/blueprints/collections/init.py
@@ -0,0 +1,384 @@
+# ContentDB
+# Copyright (C) 2023 rubenwardy
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU Affero General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU Affero General Public License for more details.
+#
+# You should have received a copy of the GNU Affero General Public License
+# along with this program.  If not, see <https://www.gnu.org/licenses/>.
+
+import re
+import typing
+
+from flask import Blueprint, request, redirect, render_template, flash, abort, url_for, jsonify
+from flask_babel import lazy_gettext, gettext
+from flask_login import current_user, login_required
+from flask_wtf import FlaskForm
+from wtforms import StringField, BooleanField, SubmitField, FieldList, HiddenField, TextAreaField
+from wtforms.validators import InputRequired, Length, Optional, Regexp
+
+from app.models import Collection, db, Package, Permission, CollectionPackage, User, UserRank, AuditSeverity
+from app.utils import nonempty_or_none, normalize_line_endings, should_return_json
+from app.utils.models import is_package_page, add_audit_log, create_session
+
+bp = Blueprint("collections", __name__)
+
+
+regex_invalid_chars = re.compile("[^a-z0-9_]")
+
+
+@bp.route("/collections/")
+@bp.route("/collections/<author>/")
+def list_all(author=None):
+	if author:
+		user = User.query.filter_by(username=author).one_or_404()
+		query = user.collections
+	else:
+		user = None
+		query = Collection.query.filter(Collection.items.any()).order_by(db.asc(Collection.title))
+
+	if "package" in request.args:
+		package = Package.get_by_key(request.args["package"])
+		if package is None:
+			abort(404)
+
+		query = query.filter(Collection.packages.contains(package))
+
+	collections = [x for x in query.all() if x.check_perm(current_user, Permission.VIEW_COLLECTION)]
+	return render_template("collections/list.html",
+		user=user, collections=collections,
+		noindex=len(collections) == 0)
+
+
+@bp.route("/collections/<author>/<name>/")
+def view(author, name):
+	collection = Collection.query \
+		.filter(Collection.name == name, Collection.author.has(username=author)) \
+		.one_or_404()
+
+	if not collection.check_perm(current_user, Permission.VIEW_COLLECTION):
+		abort(404)
+
+	items = collection.items
+	if not collection.check_perm(current_user, Permission.EDIT_COLLECTION):
+		items = [x for x in items if x.package.check_perm(current_user, Permission.VIEW_PACKAGE)]
+
+	if should_return_json():
+		return jsonify([ item.package.as_key_dict() for item in items ])
+	else:
+		return render_template("collections/view.html", collection=collection, items=items)
+
+
+class CollectionForm(FlaskForm):
+	title = StringField(lazy_gettext("Title"), [InputRequired(), Length(3, 100)])
+	name = StringField("URL", [Optional(), Length(1, 20), Regexp("^[a-z0-9_]", 0,
+		"Lower case letters (a-z), digits (0-9), and underscores (_) only")])
+	short_description = StringField(lazy_gettext("Short Description"), [Optional(), Length(0, 200)])
+	long_description = TextAreaField(lazy_gettext("Page Content"), [Optional()], filters=[nonempty_or_none, normalize_line_endings])
+	private = BooleanField(lazy_gettext("Private"))
+	pinned = BooleanField(lazy_gettext("Pinned to my profile"))
+	descriptions = FieldList(
+		StringField(lazy_gettext("Short Description"), [Optional(), Length(0, 500)], filters=[nonempty_or_none]),
+		min_entries=0)
+	package_ids = FieldList(HiddenField(), min_entries=0)
+	package_removed = FieldList(HiddenField(), min_entries=0)
+	order = HiddenField()
+	submit = SubmitField(lazy_gettext("Save"))
+
+
+@bp.route("/collections/new/", methods=["GET", "POST"])
+@bp.route("/collections/<author>/<name>/edit/", methods=["GET", "POST"])
+@login_required
+def create_edit(author=None, name=None):
+	collection: typing.Optional[Collection] = None
+	if author is not None and name is not None:
+		collection = Collection.query \
+			.filter(Collection.name == name, Collection.author.has(username=author)) \
+			.one_or_404()
+		if not collection.check_perm(current_user, Permission.EDIT_COLLECTION):
+			abort(403)
+	elif "author" in request.args:
+		author = request.args["author"]
+		if author != current_user.username and not current_user.rank.at_least(UserRank.EDITOR):
+			abort(403)
+
+	if author is None:
+		author = current_user
+	else:
+		author = User.query.filter_by(username=author).one()
+
+	form = CollectionForm(formdata=request.form, obj=collection)
+
+	initial_packages = []
+	if "package" in request.args:
+		for package_id in request.args.getlist("package"):
+			package = Package.get_by_key(package_id)
+			if package:
+				initial_packages.append(package)
+
+	if request.method == "GET":
+		# HACK: fix bug in wtforms
+		form.private.data = collection.private if collection else False
+		form.pinned.data = collection.pinned if collection else False
+		if collection:
+			for item in collection.items:
+				form.descriptions.append_entry(item.description)
+				form.package_ids.append_entry(item.package.get_id())
+				form.package_removed.append_entry("0")
+		else:
+			form.name = None
+			form.pinned = None
+
+	if form.validate_on_submit():
+		ret = handle_create_edit(collection, form, initial_packages, author)
+		if ret:
+			return ret
+
+	return render_template("collections/create_edit.html",
+			collection=collection, form=form)
+
+
+def handle_create_edit(collection: Collection, form: CollectionForm,
+		initial_packages: typing.List[Package], author: User):
+
+	severity = AuditSeverity.NORMAL if author == current_user else AuditSeverity.EDITOR
+	name = form.name.data if collection else regex_invalid_chars.sub("", form.title.data.lower().replace(" ", "_"))
+
+	if collection is None or name != collection.name:
+		if Collection.query \
+				.filter(Collection.name == name, Collection.author == author) \
+				.count() > 0:
+			flash(gettext("A collection with a similar title already exists"), "danger")
+			return
+
+		if Package.query \
+				.filter(Package.name == name, Package.author == author) \
+				.count() > 0:
+			flash(gettext("Unable to create collection as a package with that name already exists"), "danger")
+			return
+
+	if collection is None:
+		collection = Collection()
+		collection.author = author
+		form.populate_obj(collection)
+		collection.name = name
+		db.session.add(collection)
+
+		for package in initial_packages:
+			link = CollectionPackage()
+			link.package = package
+			link.collection = collection
+			link.order = len(collection.items)
+			db.session.add(link)
+
+		add_audit_log(severity, current_user,
+				f"Created collection {collection.author.username}/{collection.name}",
+				collection.get_url("collections.view"), None)
+
+	else:
+		form.populate_obj(collection)
+		collection.name = name
+
+		link_lookup = {}
+		for link in collection.items:
+			link_lookup[link.package.get_id()] = link
+
+		for i, package_id in enumerate(form.package_ids):
+			link = link_lookup.get(package_id.data)
+			to_delete = form.package_removed[i].data == "1"
+			if link is None:
+				if to_delete:
+					continue
+
+				package = Package.get_by_key(package_id.data)
+				if package is None:
+					abort(400)
+
+				link = CollectionPackage()
+				link.package = package
+				link.collection = collection
+				link.description = form.descriptions[i].data
+				link_lookup[link.package.get_id()] = link
+				db.session.add(link)
+			elif to_delete:
+				db.session.delete(link)
+			else:
+				link.description = form.descriptions[i].data
+
+		for i, package_id in enumerate(form.order.data.split(",")):
+			if package_id != "":
+				link_lookup[package_id].order = i + 1
+
+		add_audit_log(severity, current_user,
+				f"Edited collection {collection.author.username}/{collection.name}",
+				collection.get_url("collections.view"), None)
+
+	db.session.commit()
+	return redirect(collection.get_url("collections.view"))
+
+
+@bp.route("/collections/<author>/<name>/delete/", methods=["GET", "POST"])
+@login_required
+def delete(author, name):
+	collection = Collection.query \
+		.filter(Collection.name == name, Collection.author.has(username=author)) \
+		.one_or_404()
+	if not collection.check_perm(current_user, Permission.EDIT_COLLECTION):
+		abort(403)
+
+	if request.method == "POST":
+		add_audit_log(AuditSeverity.NORMAL, current_user,
+				f"Deleted collection {collection.author.username}/{collection.name}",
+				collection.get_url("collections.view"), None)
+
+		db.session.delete(collection)
+		db.session.commit()
+		return redirect(url_for("collections.list_all", author=author))
+
+	return render_template("collections/delete.html", collection=collection)
+
+
+def toggle_package(collection: Collection, package: Package):
+	severity = AuditSeverity.NORMAL if collection.author == current_user else AuditSeverity.EDITOR
+
+	author = User.query.get(collection.author_id) if collection.author is None else collection.author
+
+	if package in collection.packages:
+		CollectionPackage.query \
+			.filter(CollectionPackage.collection == collection, CollectionPackage.package == package) \
+			.delete(synchronize_session=False)
+		add_audit_log(severity, current_user,
+				f"Removed {package.get_id()} from collection {author.username}/{collection.name}",
+				collection.get_url("collections.view"), None)
+		db.session.commit()
+		return False
+	else:
+		link = CollectionPackage()
+		link.package = package
+		link.collection = collection
+		link.order = len(collection.items)
+		db.session.add(link)
+		add_audit_log(severity, current_user,
+				f"Added {package.get_id()} to collection {author.username}/{collection.name}",
+				collection.get_url("collections.view"), None)
+		db.session.commit()
+		return True
+
+
+def get_or_create_favorites(session):
+	collection = Collection.query.filter(Collection.name == "favorites", Collection.author == current_user).first()
+	if collection is None:
+		is_new = True
+		collection = Collection()
+		collection.title = "Favorites"
+		collection.name = "favorites"
+		collection.short_description = "My favorites"
+		collection.author_id = current_user.id
+		session.add(collection)
+	else:
+		is_new = False
+
+	return collection, is_new
+
+
+@bp.route("/packages/<author>/<name>/add-to/", methods=["GET", "POST"])
+@is_package_page
+@login_required
+def package_add(package):
+	with create_session() as new_session:
+		collection, is_new = get_or_create_favorites(new_session)
+		if is_new:
+			new_session.commit()
+
+	if request.method == "POST":
+		collection_id = request.form["collection"]
+		collection = Collection.query.get(collection_id)
+		if collection is None:
+			abort(404)
+
+		if not collection.check_perm(current_user, Permission.EDIT_COLLECTION):
+			abort(403)
+
+		if toggle_package(collection, package):
+			flash(gettext("Added package to collection"), "success")
+		else:
+			flash(gettext("Removed package from collection"), "success")
+
+		return redirect(package.get_url("collections.package_add"))
+
+	collections = current_user.collections.all()
+	if current_user.rank.at_least(UserRank.EDITOR) and current_user.username != "ContentDB":
+		collections.extend(Collection.query.filter(Collection.author.has(username="ContentDB")).all())
+
+	return render_template("collections/package_add_to.html", package=package, collections=collections)
+
+
+@bp.route("/packages/<author>/<name>/favorite/", methods=["POST"])
+@is_package_page
+@login_required
+def package_toggle_favorite(package):
+	collection, _is_new = get_or_create_favorites(db.session)
+	collection.author = current_user
+
+	if toggle_package(collection, package):
+		msg = gettext("Added package to favorites collection")
+		if not collection.private:
+			msg += " " + gettext("(Public, change from Profile > My Collections)")
+
+		flash(msg, "success")
+	else:
+		flash(gettext("Removed package from favorites collection"), "success")
+
+	return redirect(package.get_url("packages.view"))
+
+
+@bp.route("/collections/<author>/<name>/clone/", methods=["POST"])
+@login_required
+def clone(author, name):
+	old_collection: typing.Optional[Collection] = Collection.query \
+		.filter(Collection.name == name, Collection.author.has(username=author)) \
+		.one_or_404()
+
+	index = 0
+	new_name = name
+	new_title = old_collection.title
+	while True:
+		if Collection.query \
+				.filter(Collection.name == new_name, Collection.author == current_user) \
+				.count() == 0:
+			break
+
+		index += 1
+		new_name = f"{name}_{index}"
+		new_title = f"{old_collection.title} ({index})"
+
+	collection = Collection()
+	collection.title = new_title
+	collection.author = current_user
+	collection.short_description = old_collection.short_description
+	collection.name = new_name
+	collection.private = True
+	db.session.add(collection)
+
+	for item in old_collection.items:
+		new_item = CollectionPackage()
+		new_item.package = item.package
+		new_item.collection = collection
+		new_item.description = item.description
+		new_item.order = item.order
+		db.session.add(new_item)
+
+	add_audit_log(AuditSeverity.NORMAL, current_user,
+			f"Created collection {collection.name} from {old_collection.author.username}/{old_collection.name} ",
+			collection.get_url("collections.view"), None)
+
+	db.session.commit()
+
+	return redirect(collection.get_url("collections.view"))
--- a/app/blueprints/donate/init.py
+++ b/app/blueprints/donate/init.py
@@ -0,0 +1,49 @@
+# ContentDB
+# Copyright (C) 2023 rubenwardy
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU Affero General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU Affero General Public License for more details.
+#
+# You should have received a copy of the GNU Affero General Public License
+# along with this program.  If not, see <https://www.gnu.org/licenses/>.
+
+
+from flask import Blueprint, render_template
+from flask_login import current_user
+from sqlalchemy import or_, and_
+
+from app.models import User, Package, PackageState, db, License, PackageReview, Collection
+
+bp = Blueprint("donate", __name__)
+
+
+@bp.route("/donate/")
+def donate():
+	reviewed_packages = None
+	if current_user.is_authenticated:
+		reviewed_packages = Package.query.filter(
+			Package.state == PackageState.APPROVED,
+			or_(Package.reviews.any(and_(PackageReview.author_id == current_user.id, PackageReview.rating >= 3)),
+				Package.collections.any(and_(Collection.author_id == current_user.id, Collection.name == "favorites"))),
+			or_(Package.donate_url.isnot(None), Package.author.has(User.donate_url.isnot(None)))
+		).order_by(db.asc(Package.title)).all()
+
+	query = Package.query.filter(
+			Package.license.has(License.is_foss == True),
+			Package.media_license.has(License.is_foss == True),
+			Package.state == PackageState.APPROVED,
+			or_(Package.donate_url.isnot(None), Package.author.has(User.donate_url.isnot(None)))
+	).order_by(db.desc(Package.score))
+
+	packages_count = query.count()
+	top_packages = query.limit(40).all()
+
+	return render_template("donate/index.html",
+			reviewed_packages=reviewed_packages, top_packages=top_packages, packages_count=packages_count)
--- a/app/blueprints/feeds/init.py
+++ b/app/blueprints/feeds/init.py
@@ -0,0 +1,179 @@
+# ContentDB
+# Copyright (C) 2024 rubenwardy
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU Affero General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU Affero General Public License for more details.
+#
+# You should have received a copy of the GNU Affero General Public License
+# along with this program.  If not, see <https://www.gnu.org/licenses/>.
+
+
+from flask import Blueprint, jsonify, render_template, make_response
+from flask_babel import gettext
+
+from app.markdown import render_markdown
+from app.models import Package, PackageState, db, PackageRelease
+from app.utils import is_package_page, abs_url_for, cached, cors_allowed
+
+bp = Blueprint("feeds", __name__)
+
+
+def _make_feed(title: str, feed_url: str, items: list):
+	return {
+		"version": "https://jsonfeed.org/version/1",
+		"title": title,
+		"description": gettext("Welcome to the best place to find Luanti mods, games, and texture packs"),
+		"home_page_url": "https://content.luanti.org/",
+		"feed_url": feed_url,
+		"icon": "https://content.luanti.org/favicon-128.png",
+		"expired": False,
+		"items": items,
+	}
+
+
+def _render_link(url: str):
+	return f"<p><a href='{url}'>Read more</a></p>"
+
+
+def _get_new_packages_feed(feed_url: str) -> dict:
+	packages = (Package.query
+		.filter(Package.state == PackageState.APPROVED)
+		.order_by(db.desc(Package.approved_at))
+		.limit(100)
+		.all())
+
+	items = [{
+			"id": package.get_url("packages.view", absolute=True),
+			"language": "en",
+			"title": f"New: {package.title}",
+			"content_html": render_markdown(package.desc) \
+				if package.desc else _render_link(package.get_url("packages.view", absolute=True)),
+			"author": {
+				"name": package.author.display_name,
+				"avatar": package.author.get_profile_pic_url(absolute=True),
+				"url": abs_url_for("users.profile", username=package.author.username),
+			},
+			"image": package.get_thumb_url(level=4, abs=True, format="png"),
+			"url": package.get_url("packages.view", absolute=True),
+			"summary": package.short_desc,
+			"date_published": package.approved_at.isoformat(timespec="seconds") + "Z",
+			"tags": ["new_package"],
+		} for package in packages]
+
+	return _make_feed(gettext("ContentDB new packages"), feed_url, items)
+
+
+def _get_releases_feed(query, feed_url: str):
+	releases = (query
+		.filter(PackageRelease.package.has(state=PackageState.APPROVED), PackageRelease.approved==True)
+		.order_by(db.desc(PackageRelease.created_at))
+		.limit(250)
+		.all())
+
+	items = [{
+			"id": release.package.get_url("packages.view_release", id=release.id, absolute=True),
+			"language": "en",
+			"title": f"\"{release.package.title}\" updated: {release.title}",
+			"content_html": render_markdown(release.release_notes) \
+				if release.release_notes else _render_link(release.package.get_url("packages.view_release", id=release.id, absolute=True)),
+			"author": {
+				"name": release.package.author.display_name,
+				"avatar": release.package.author.get_profile_pic_url(absolute=True),
+				"url": abs_url_for("users.profile", username=release.package.author.username),
+			},
+			"url": release.package.get_url("packages.view_release", id=release.id, absolute=True),
+			"image": release.package.get_thumb_url(level=4, abs=True, format="png"),
+			"summary": release.summary,
+			"date_published": release.created_at.isoformat(timespec="seconds") + "Z",
+			"tags": ["release"],
+		} for release in releases]
+
+	return _make_feed(gettext("ContentDB package updates"), feed_url, items)
+
+
+def _get_all_feed(feed_url: str):
+	releases = _get_releases_feed(PackageRelease.query, "")["items"]
+	packages = _get_new_packages_feed("")["items"]
+	items = releases + packages
+	items.sort(reverse=True, key=lambda x: x["date_published"])
+
+	return _make_feed(gettext("ContentDB all"), feed_url, items)
+
+
+def _atomify(feed):
+	resp = make_response(render_template("feeds/json_to_atom.xml", feed=feed))
+	resp.headers["Content-type"] = "application/atom+xml; charset=utf-8"
+	return resp
+
+
+@bp.route("/feeds/all.json")
+@cors_allowed
+@cached(1800)
+def all_json():
+	feed = _get_all_feed(abs_url_for("feeds.all_json"))
+	return jsonify(feed)
+
+
+@bp.route("/feeds/all.atom")
+@cors_allowed
+@cached(1800)
+def all_atom():
+	feed = _get_all_feed(abs_url_for("feeds.all_atom"))
+	return _atomify(feed)
+
+
+@bp.route("/feeds/packages.json")
+@cors_allowed
+@cached(1800)
+def packages_all_json():
+	feed = _get_new_packages_feed(abs_url_for("feeds.packages_all_json"))
+	return jsonify(feed)
+
+
+@bp.route("/feeds/packages.atom")
+@cors_allowed
+@cached(1800)
+def packages_all_atom():
+	feed = _get_new_packages_feed(abs_url_for("feeds.packages_all_atom"))
+	return _atomify(feed)
+
+
+@bp.route("/feeds/releases.json")
+@cors_allowed
+@cached(1800)
+def releases_all_json():
+	feed = _get_releases_feed(PackageRelease.query, abs_url_for("feeds.releases_all_json"))
+	return jsonify(feed)
+
+
+@bp.route("/feeds/releases.atom")
+@cors_allowed
+@cached(1800)
+def releases_all_atom():
+	feed = _get_releases_feed(PackageRelease.query, abs_url_for("feeds.releases_all_atom"))
+	return _atomify(feed)
+
+
+@bp.route("/packages/<author>/<name>/releases_feed.json")
+@cors_allowed
+@is_package_page
+@cached(1800)
+def releases_package_json(package: Package):
+	feed = _get_releases_feed(package.releases, package.get_url("feeds.releases_package_json", absolute=True))
+	return jsonify(feed)
+
+
+@bp.route("/packages/<author>/<name>/releases_feed.atom")
+@cors_allowed
+@is_package_page
+@cached(1800)
+def releases_package_atom(package: Package):
+	feed = _get_releases_feed(package.releases, package.get_url("feeds.releases_package_atom", absolute=True))
+	return _atomify(feed)
--- a/app/blueprints/homepage/init.py
+++ b/app/blueprints/homepage/init.py
@@ -1,20 +1,136 @@
-from flask import Blueprint, render_template
+# ContentDB
+# Copyright (C) 2018-23 rubenwardy
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU Affero General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU Affero General Public License for more details.
+#
+# You should have received a copy of the GNU Affero General Public License
+# along with this program.  If not, see <https://www.gnu.org/licenses/>.
+
+from flask import Blueprint, render_template, redirect
+from sqlalchemy import and_
+
+from app.models import Package, PackageReview, Thread, User, PackageState, db, PackageType, PackageRelease, Tags, Tag, \
+	Collection, License, Language

 bp = Blueprint("homepage", __name__)

-from app.models import *
-import flask_menu as menu
+from sqlalchemy.orm import joinedload, subqueryload, load_only, noload
 from sqlalchemy.sql.expression import func

+
+PKGS_PER_ROW = 4
+
+# GAMEJAM_BANNER = "https://jam.luanti.org/img/banner.png"
+#
+# class GameJam:
+# 	cover_image = type("", (), dict(url=GAMEJAM_BANNER))()
+# 	tags = []
+#
+# 	def get_cover_image_url(self):
+# 		return GAMEJAM_BANNER
+#
+# 	def get_url(self, _name):
+# 		return "/gamejam/"
+#
+# 	title = "Luanti Game Jam 2023: \"Unexpected\""
+# 	author = None
+#
+# 	short_desc = "The game jam has finished! It's now up to the community to play and rate the games."
+# 	type = type("", (), dict(value="Competition"))()
+# 	content_warnings = []
+# 	reviews = []
+
+
+@bp.route("/gamejam/")
+def gamejam():
+	return redirect("https://jam.luanti.org/")
+
+
@bp.route("/")
-@menu.register_menu(bp, ".", "Home")
 def home():
-	query   = Package.query.filter_by(approved=True, soft_deleted=False)
-	count   = query.count()
-	new     = query.order_by(db.desc(Package.created_at)).limit(8).all()
-	pop_mod = query.filter_by(type=PackageType.MOD).order_by(db.desc(Package.score)).limit(8).all()
-	pop_gam = query.filter_by(type=PackageType.GAME).order_by(db.desc(Package.score)).limit(4).all()
-	pop_txp = query.filter_by(type=PackageType.TXP).order_by(db.desc(Package.score)).limit(4).all()
-	downloads = db.session.query(func.sum(PackageRelease.downloads)).first()[0]
-	return render_template("index.html", count=count, downloads=downloads, \
-			new=new, pop_mod=pop_mod, pop_txp=pop_txp, pop_gam=pop_gam)
+	def package_load(query):
+		return query.options(
+				load_only(Package.name, Package.title, Package.short_desc, Package.state, raiseload=True),
+				subqueryload(Package.main_screenshot),
+				joinedload(Package.author).load_only(User.username, User.display_name, raiseload=True),
+				joinedload(Package.license).load_only(License.name, License.is_foss, raiseload=True),
+				joinedload(Package.media_license).load_only(License.name, License.is_foss, raiseload=True))
+
+	def package_spotlight_load(query):
+		return query.options(
+				load_only(Package.name, Package.title, Package.type, Package.short_desc, Package.state, Package.cover_image_id, raiseload=True),
+				subqueryload(Package.main_screenshot),
+				joinedload(Package.tags),
+				joinedload(Package.content_warnings),
+				joinedload(Package.author).load_only(User.username, User.display_name, raiseload=True),
+				subqueryload(Package.cover_image),
+				joinedload(Package.license).load_only(License.name, License.is_foss, raiseload=True),
+				joinedload(Package.media_license).load_only(License.name, License.is_foss, raiseload=True))
+
+	def review_load(query):
+		return query.options(
+			load_only(PackageReview.id, PackageReview.rating, PackageReview.created_at, PackageReview.language_id, raiseload=True),
+			joinedload(PackageReview.author).load_only(User.username, User.rank, User.email, User.display_name, User.profile_pic, User.is_active, raiseload=True),
+			joinedload(PackageReview.votes),
+			joinedload(PackageReview.language).load_only(Language.title, raiseload=True),
+			joinedload(PackageReview.thread).load_only(Thread.title, Thread.replies_count, raiseload=True).subqueryload(Thread.first_reply),
+			joinedload(PackageReview.package)
+				.load_only(Package.title, Package.name, raiseload=True)
+				.joinedload(Package.author).load_only(User.username, User.display_name, raiseload=True))
+
+	query = Package.query.filter_by(state=PackageState.APPROVED)
+	count = db.session.query(Package.id).filter(Package.state == PackageState.APPROVED).count()
+
+	spotlight_pkgs = package_spotlight_load(query.filter(
+			Package.collections.any(and_(Collection.name == "spotlight", Collection.author.has(username="ContentDB"))))
+		.order_by(func.random())).limit(6).all()
+	# spotlight_pkgs.insert(0, GameJam())
+
+	new = package_load(query).order_by(db.desc(Package.approved_at)).limit(PKGS_PER_ROW).all() # 0.06
+	pop_mod = package_load(query).filter_by(type=PackageType.MOD).order_by(db.desc(Package.score)).limit(2*PKGS_PER_ROW).all()
+	pop_gam = package_load(query).filter_by(type=PackageType.GAME).order_by(db.desc(Package.score)).limit(2*PKGS_PER_ROW).all()
+	pop_txp = package_load(query).filter_by(type=PackageType.TXP).order_by(db.desc(Package.score)).limit(2*PKGS_PER_ROW).all()
+
+	high_reviewed = package_load(query.order_by(db.desc(Package.score - Package.score_downloads))
+			.filter(Package.reviews.any()).limit(PKGS_PER_ROW)).all()
+
+	recent_releases_query = (
+		db.session.query(
+			Package.id,
+			func.max(PackageRelease.created_at).label("max_created_at")
+		)
+		.join(PackageRelease, Package.releases)
+		.group_by(Package.id)
+		.order_by(db.desc("max_created_at"))
+		.limit(3*PKGS_PER_ROW)
+		.subquery())
+
+	updated = (
+		package_load(db.session.query(Package)
+			.select_from(recent_releases_query)
+			.join(Package, Package.id == recent_releases_query.c.id)
+			.filter(Package.state == PackageState.APPROVED)
+			.limit(PKGS_PER_ROW))
+			.all())
+
+	reviews = review_load(PackageReview.query.filter(PackageReview.rating > 3)
+			.order_by(db.desc(PackageReview.created_at))).limit(5).all()
+
+	downloads_result = db.session.query(func.sum(Package.downloads)).one_or_none()
+	downloads = 0 if not downloads_result or not downloads_result[0] else downloads_result[0]
+
+	tags = db.session.query(func.count(Tags.c.tag_id), Tag) \
+		.select_from(Tag).outerjoin(Tags).join(Package).filter(Package.state == PackageState.APPROVED)\
+		.group_by(Tag.id).order_by(db.asc(Tag.title)).all()
+
+	return render_template("index.html", count=count, downloads=downloads, tags=tags, spotlight_pkgs=spotlight_pkgs,
+			new=new, updated=updated, pop_mod=pop_mod, pop_txp=pop_txp, pop_gam=pop_gam, high_reviewed=high_reviewed,
+			reviews=reviews)
--- a/app/blueprints/metapackages/init.py
+++ b/app/blueprints/metapackages/init.py
@@ -1,36 +0,0 @@
-# Content DB
-# Copyright (C) 2018  rubenwardy
-#
-# This program is free software: you can redistribute it and/or modify
-# it under the terms of the GNU General Public License as published by
-# the Free Software Foundation, either version 3 of the License, or
-# (at your option) any later version.
-#
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
-# GNU General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License
-# along with this program.  If not, see <https://www.gnu.org/licenses/>.
-
-
-from flask import *
-
-bp = Blueprint("metapackages", __name__)
-
-from flask_user import *
-from app.models import *
-
-@bp.route("/metapackages/")
-def list_all():
-	mpackages = MetaPackage.query.order_by(db.asc(MetaPackage.name)).all()
-	return render_template("meta/list.html", mpackages=mpackages)
-
-@bp.route("/metapackages/<name>/")
-def view(name):
-	mpackage = MetaPackage.query.filter_by(name=name).first()
-	if mpackage is None:
-		abort(404)
-
-	return render_template("meta/view.html", mpackage=mpackage)
--- a/app/blueprints/metrics/init.py
+++ b/app/blueprints/metrics/init.py
@@ -0,0 +1,126 @@
+# ContentDB
+# Copyright (C) 2020  rubenwardy
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU Affero General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU Affero General Public License for more details.
+#
+# You should have received a copy of the GNU Affero General Public License
+# along with this program.  If not, see <https://www.gnu.org/licenses/>.
+
+import datetime
+
+from flask import Blueprint, make_response
+from sqlalchemy import or_, and_
+from sqlalchemy.sql.expression import func
+
+from app.models import Package, db, User, UserRank, PackageState, PackageReview, ThreadReply, Collection, AuditLogEntry, \
+	PackageTranslation, Language
+from app.rediscache import get_key
+
+bp = Blueprint("metrics", __name__)
+
+
+def generate_metrics():
+	def write_single_stat(name, help, type, value):
+		fmt = "# HELP {name} {help}\n# TYPE {name} {type}\n{name} {value}\n\n"
+
+		return fmt.format(name=name, help=help, type=type, value=value)
+
+	def gen_labels(labels):
+		pieces = [f"{key}=\"{val}\"" for key, val in labels.items()]
+		return ",".join(pieces)
+
+	def write_array_stat(name, help, type, data):
+		result = "# HELP {name} {help}\n# TYPE {name} {type}\n" \
+			.format(name=name, help=help, type=type)
+
+		for entry in data:
+			assert(len(entry) == 2)
+			result += "{name}{{{labels}}} {value}\n" \
+				.format(name=name, labels=gen_labels(entry[0]), value=entry[1])
+
+		return result + "\n"
+
+	downloads_result = db.session.query(func.sum(Package.downloads)).one_or_none()
+	downloads = 0 if not downloads_result or not downloads_result[0] else downloads_result[0]
+
+	packages = Package.query.filter_by(state=PackageState.APPROVED).count()
+	users = User.query.filter(User.rank > UserRank.NOT_JOINED, User.rank != UserRank.BOT, User.is_active).count()
+	authors = User.query.filter(User.packages.any(state=PackageState.APPROVED)).count()
+
+	one_day_ago = datetime.datetime.now() - datetime.timedelta(days=1)
+	one_week_ago = datetime.datetime.now() - datetime.timedelta(weeks=1)
+	one_month_ago = datetime.datetime.now() - datetime.timedelta(weeks=4)
+
+	active_users_day = User.query.filter(and_(User.rank != UserRank.BOT, or_(
+		User.audit_log_entries.any(AuditLogEntry.created_at > one_day_ago),
+		User.replies.any(ThreadReply.created_at > one_day_ago)))).count()
+	active_users_week = User.query.filter(and_(User.rank != UserRank.BOT, or_(
+		User.audit_log_entries.any(AuditLogEntry.created_at > one_week_ago),
+		User.replies.any(ThreadReply.created_at > one_week_ago)))).count()
+	active_users_month = User.query.filter(and_(User.rank != UserRank.BOT, or_(
+		User.audit_log_entries.any(AuditLogEntry.created_at > one_month_ago),
+		User.replies.any(ThreadReply.created_at > one_month_ago)))).count()
+
+	reviews = PackageReview.query.count()
+	comments = ThreadReply.query.count()
+	collections = Collection.query.count()
+
+	score_result = db.session.query(func.sum(Package.score)).one_or_none()
+	score = 0 if not score_result or not score_result[0] else score_result[0]
+
+	packages_with_translations = (db.session.query(PackageTranslation.package_id)
+			.filter(PackageTranslation.language_id != "en")
+			.group_by(PackageTranslation.package_id).count())
+	packages_with_translations_meta = (db.session.query(PackageTranslation.package_id)
+			.filter(PackageTranslation.short_desc.is_not(None), PackageTranslation.language_id != "en")
+			.group_by(PackageTranslation.package_id).count())
+	languages_packages = (db.session.query(PackageTranslation.language_id, func.count(Package.id))
+			.select_from(PackageTranslation).outerjoin(Package)
+			.order_by(db.asc(PackageTranslation.language_id))
+			.group_by(PackageTranslation.language_id).all())
+	languages_packages_meta = (db.session.query(PackageTranslation.language_id, func.count(Package.id))
+			.select_from(PackageTranslation).outerjoin(Package)
+			.filter(PackageTranslation.short_desc.is_not(None))
+			.order_by(db.asc(PackageTranslation.language_id))
+			.group_by(PackageTranslation.language_id).all())
+
+	ret = ""
+	ret += write_single_stat("contentdb_packages", "Total packages", "gauge", packages)
+	ret += write_single_stat("contentdb_users", "Number of registered users", "gauge", users)
+	ret += write_single_stat("contentdb_authors", "Number of users with packages", "gauge", authors)
+	ret += write_single_stat("contentdb_users_active_1d", "Number of daily active registered users", "gauge", active_users_day)
+	ret += write_single_stat("contentdb_users_active_1w", "Number of weekly active registered users", "gauge", active_users_week)
+	ret += write_single_stat("contentdb_users_active_1m", "Number of monthly active registered users", "gauge", active_users_month)
+	ret += write_single_stat("contentdb_downloads", "Total downloads", "gauge", downloads)
+	ret += write_single_stat("contentdb_emails", "Number of emails sent", "counter", int(get_key("emails_sent", "0")))
+	ret += write_single_stat("contentdb_reviews", "Number of reviews", "gauge", reviews)
+	ret += write_single_stat("contentdb_comments", "Number of comments", "gauge", comments)
+	ret += write_single_stat("contentdb_collections", "Number of collections", "gauge", collections)
+	ret += write_single_stat("contentdb_score", "Total package score", "gauge", score)
+	ret += write_single_stat("contentdb_packages_with_translations", "Number of packages with translations", "gauge",
+			packages_with_translations)
+	ret += write_single_stat("contentdb_packages_with_translations_meta", "Number of packages with translated meta",
+			"gauge", packages_with_translations_meta)
+	ret += write_array_stat("contentdb_languages_translated",
+			"Number of packages per language", "gauge",
+			[({"language": x[0]}, x[1]) for x in languages_packages])
+	ret += write_array_stat("contentdb_languages_translated_meta",
+			"Number of packages with translated short desc per language", "gauge",
+			[({"language": x[0]}, x[1]) for x in languages_packages_meta])
+
+	return ret
+
+
+@bp.route("/metrics")
+def metrics():
+	response = make_response(generate_metrics(), 200)
+	response.mimetype = "text/plain"
+	return response
--- a/app/blueprints/modnames/init.py
+++ b/app/blueprints/modnames/init.py
@@ -0,0 +1,68 @@
+# ContentDB
+# Copyright (C) 2018-21 rubenwardy
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU Affero General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU Affero General Public License for more details.
+#
+# You should have received a copy of the GNU Affero General Public License
+# along with this program.  If not, see <https://www.gnu.org/licenses/>.
+
+from flask import Blueprint, redirect, render_template, abort
+from sqlalchemy import func
+from app.models import MetaPackage, Package, db, Dependency, PackageState, ForumTopic
+
+bp = Blueprint("modnames", __name__)
+
+
+@bp.route("/metapackages/<path:path>")
+def mp_redirect(path):
+	return redirect("/modnames/" + path)
+
+
+@bp.route("/modnames/")
+def list_all():
+	modnames = db.session.query(MetaPackage, func.count(Package.id)) \
+			.select_from(MetaPackage).outerjoin(MetaPackage.packages) \
+			.order_by(db.asc(MetaPackage.name)) \
+			.group_by(MetaPackage.id).all()
+	return render_template("modnames/list.html", modnames=modnames)
+
+
+@bp.route("/modnames/<name>/")
+def view(name):
+	modname = MetaPackage.query.filter_by(name=name).first()
+	if modname is None:
+		abort(404)
+
+	dependers = db.session.query(Package) \
+		.select_from(MetaPackage) \
+		.filter(MetaPackage.name==name) \
+		.join(MetaPackage.dependencies) \
+		.join(Dependency.depender) \
+		.filter(Dependency.optional==False, Package.state==PackageState.APPROVED) \
+		.all()
+
+	optional_dependers = db.session.query(Package) \
+		.select_from(MetaPackage) \
+		.filter(MetaPackage.name==name) \
+		.join(MetaPackage.dependencies) \
+		.join(Dependency.depender) \
+		.filter(Dependency.optional==True, Package.state==PackageState.APPROVED) \
+		.all()
+
+	similar_topics = ForumTopic.query \
+		.filter_by(name=name) \
+		.filter(~ db.exists().where(Package.forums == ForumTopic.topic_id)) \
+		.order_by(db.asc(ForumTopic.name), db.asc(ForumTopic.title)) \
+		.all()
+
+	return render_template("modnames/view.html", modname=modname,
+			dependers=dependers, optional_dependers=optional_dependers,
+			similar_topics=similar_topics)
--- a/app/blueprints/notifications/init.py
+++ b/app/blueprints/notifications/init.py
@@ -1,34 +1,48 @@
-# Content DB
-# Copyright (C) 2018  rubenwardy
+# ContentDB
+# Copyright (C) 2018-21 rubenwardy
 #
 # This program is free software: you can redistribute it and/or modify
-# it under the terms of the GNU General Public License as published by
+# it under the terms of the GNU Affero General Public License as published by
 # the Free Software Foundation, either version 3 of the License, or
 # (at your option) any later version.
 #
 # This program is distributed in the hope that it will be useful,
 # but WITHOUT ANY WARRANTY; without even the implied warranty of
 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
-# GNU General Public License for more details.
+# GNU Affero General Public License for more details.
 #
-# You should have received a copy of the GNU General Public License
+# You should have received a copy of the GNU Affero General Public License
 # along with this program.  If not, see <https://www.gnu.org/licenses/>.

+from flask import Blueprint, render_template, redirect, url_for
+from flask_login import current_user, login_required
+from sqlalchemy import or_, desc

-from flask import Blueprint, render_template, redirect
-from flask_user import current_user, login_required
-from app.models import db
+from app.models import db, Notification, NotificationType

 bp = Blueprint("notifications", __name__)

+
@bp.route("/notifications/")
@login_required
 def list_all():
-	return render_template("notifications/list.html")
+	notifications = Notification.query.filter(Notification.user == current_user,
+			Notification.type != NotificationType.EDITOR_ALERT, Notification.type != NotificationType.EDITOR_MISC) \
+			.order_by(desc(Notification.created_at)) \
+			.all()
+
+	editor_notifications = Notification.query.filter(Notification.user == current_user,
+			or_(Notification.type == NotificationType.EDITOR_ALERT, Notification.type == NotificationType.EDITOR_MISC)) \
+			.order_by(desc(Notification.created_at)) \
+			.all()
+
+	return render_template("notifications/list.html",
+			notifications=notifications, editor_notifications=editor_notifications)
+

@bp.route("/notifications/clear/", methods=["POST"])
@login_required
 def clear():
-	current_user.notifications.clear()
+	Notification.query.filter_by(user=current_user).delete()
 	db.session.commit()
 	return redirect(url_for("notifications.list_all"))
--- a/app/blueprints/oauth/init.py
+++ b/app/blueprints/oauth/init.py
@@ -0,0 +1,264 @@
+# ContentDB
+# Copyright (C) 2023 rubenwardy
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU Affero General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU Affero General Public License for more details.
+#
+# You should have received a copy of the GNU Affero General Public License
+# along with this program.  If not, see <https://www.gnu.org/licenses/>.
+
+import urllib.parse as urlparse
+from urllib.parse import urlencode
+
+import typing
+from flask import Blueprint, render_template, redirect, url_for, request, jsonify, abort, make_response, flash
+from flask_babel import lazy_gettext, gettext
+from flask_login import current_user, login_required
+from flask_wtf import FlaskForm
+from wtforms import StringField, SubmitField, URLField, SelectField
+from wtforms.validators import InputRequired, Length, Optional
+
+from app import csrf
+from app.blueprints.users.settings import get_setting_tabs
+from app.models import db, OAuthClient, User, Permission, APIToken, AuditSeverity, UserRank
+from app.utils import random_string, add_audit_log
+
+bp = Blueprint("oauth", __name__)
+
+
+def build_redirect_url(url: str, code: str, state: typing.Optional[str]):
+	params = {"code": code}
+	if state is not None:
+		params["state"] = state
+	url_parts = list(urlparse.urlparse(url))
+	query = dict(urlparse.parse_qsl(url_parts[4]))
+	query.update(params)
+	url_parts[4] = urlencode(query)
+	return urlparse.urlunparse(url_parts)
+
+
+@bp.route("/oauth/authorize/", methods=["GET", "POST"])
+@login_required
+def oauth_start():
+	response_type = request.args.get("response_type", "code")
+	if response_type != "code":
+		return "Unsupported response_type, only code is supported", 400
+
+	client_id = request.args.get("client_id", "")
+	if client_id == "":
+		return "Missing client_id", 400
+
+	redirect_uri = request.args.get("redirect_uri", "")
+	if redirect_uri == "":
+		return "Missing redirect_uri", 400
+
+	client = OAuthClient.query.get_or_404(client_id)
+	if client.redirect_url != redirect_uri:
+		return "redirect_uri does not match client", 400
+
+	if not client.approved and client.owner != current_user:
+		abort(404)
+
+	scope = request.args.get("scope", "public")
+	if scope != "public":
+		return "Unsupported scope, only public is supported", 400
+
+	state = request.args.get("state")
+
+	token = APIToken.query.filter(APIToken.client == client, APIToken.owner == current_user).first()
+	if token:
+		token.access_token = random_string(32)
+		token.auth_code = random_string(32)
+		db.session.commit()
+		return redirect(build_redirect_url(client.redirect_url, token.auth_code, state))
+
+	if request.method == "POST":
+		action = request.form["action"]
+		if action == "cancel":
+			return redirect(client.redirect_url)
+
+		elif action == "authorize":
+			token = APIToken()
+			token.access_token = random_string(32)
+			token.name = f"Token for {client.title} by {client.owner.username}"
+			token.owner = current_user
+			token.client = client
+			assert client is not None
+			token.auth_code = random_string(32)
+			db.session.add(token)
+
+			add_audit_log(AuditSeverity.USER, current_user,
+					f"Granted \"{scope}\" to OAuth2 application \"{client.title}\" by {client.owner.username} [{client_id}] ",
+					url_for("users.profile", username=current_user.username))
+
+			db.session.commit()
+
+			return redirect(build_redirect_url(client.redirect_url, token.auth_code, state))
+
+	return render_template("oauth/authorize.html", client=client)
+
+
+def error(code: int, msg: str):
+	abort(make_response(jsonify({"success": False, "error": msg}), code))
+
+
+@bp.route("/oauth/token/", methods=["POST"])
+@csrf.exempt
+def oauth_grant():
+	form = request.form
+
+	grant_type = request.args.get("grant_type", "authorization_code")
+	if grant_type != "authorization_code":
+		error(400, "Unsupported grant_type, only authorization_code is supported")
+
+	client_id = form.get("client_id", "")
+	if client_id == "":
+		error(400, "Missing client_id")
+
+	client_secret = form.get("client_secret", "")
+	if client_secret == "":
+		error(400, "Missing client_secret")
+
+	code = form.get("code", "")
+	if code == "":
+		error(400, "Missing code")
+
+	client = OAuthClient.query.filter_by(id=client_id, secret=client_secret).first()
+	if client is None:
+		error(400, "client_id and/or client_secret is incorrect")
+
+	token = APIToken.query.filter_by(auth_code=code).first()
+	if token is None or token.client != client:
+		error(400, "Incorrect code. It may have already been redeemed")
+
+	token.auth_code = None
+	db.session.commit()
+
+	return jsonify({
+		"success": True,
+		"access_token": token.access_token,
+		"token_type": "Bearer",
+	})
+
+
+@bp.route("/user/apps/")
+@login_required
+def list_clients_redirect():
+	return redirect(url_for("oauth.list_clients", username=current_user.username))
+
+
+@bp.route("/users/<username>/apps/")
+@login_required
+def list_clients(username):
+	user = User.query.filter_by(username=username).first_or_404()
+	if not user.check_perm(current_user, Permission.CREATE_OAUTH_CLIENT):
+		abort(403)
+
+	return render_template("oauth/list_clients.html", user=user, tabs=get_setting_tabs(user), current_tab="oauth_clients")
+
+
+class OAuthClientForm(FlaskForm):
+	title = StringField(lazy_gettext("Title"), [InputRequired(), Length(5, 30)])
+	description = StringField(lazy_gettext("Description"), [Optional()])
+	redirect_url = URLField(lazy_gettext("Redirect URL"), [InputRequired(), Length(5, 123)])
+	app_type = SelectField(lazy_gettext("App Type"), [InputRequired()], choices=[
+		("server", "Server-side (client_secret is kept safe)"),
+		("client", "Client-side (client_secret is visible to all users)"),
+	], coerce=lambda x: x)
+	submit = SubmitField(lazy_gettext("Save"))
+
+
+@bp.route("/users/<username>/apps/new/", methods=["GET", "POST"])
+@bp.route("/users/<username>/apps/<id_>/edit/", methods=["GET", "POST"])
+@login_required
+def create_edit_client(username, id_=None):
+	user = User.query.filter_by(username=username).first_or_404()
+	if not user.check_perm(current_user, Permission.CREATE_OAUTH_CLIENT):
+		abort(403)
+
+	is_new = id_ is None
+	client = None
+	if id_ is not None:
+		client = OAuthClient.query.get_or_404(id_)
+		if client.owner != user:
+			abort(404)
+
+	form = OAuthClientForm(formdata=request.form, obj=client)
+
+	if form.validate_on_submit():
+		if is_new:
+			if OAuthClient.query.filter(OAuthClient.title.ilike(form.title.data.strip())).count() > 0:
+				flash(gettext("An OAuth client with that title already exists. Please choose a new title."), "danger")
+				return render_template("oauth/create_edit.html", user=user, form=form, client=client)
+
+			client = OAuthClient()
+			db.session.add(client)
+			client.owner = user
+			client.id = random_string(24)
+			client.secret = random_string(32)
+			client.approved = current_user.rank.at_least(UserRank.EDITOR)
+
+
+		form.populate_obj(client)
+
+		verb = "Created" if is_new else "Edited"
+		add_audit_log(AuditSeverity.NORMAL, current_user,
+				f"{verb} OAuth2 application {client.title} by {client.owner.username} [{client.id}]",
+				url_for("oauth.create_edit_client", username=client.owner.username, id_=client.id))
+
+		db.session.commit()
+
+		return redirect(url_for("oauth.create_edit_client", username=username, id_=client.id))
+
+	return render_template("oauth/create_edit.html", user=user, form=form, client=client)
+
+
+@bp.route("/users/<username>/apps/<id_>/delete/", methods=["POST"])
+@login_required
+def delete_client(username, id_):
+	user = User.query.filter_by(username=username).first_or_404()
+	if not user.check_perm(current_user, Permission.CREATE_OAUTH_CLIENT):
+		abort(403)
+
+	client = OAuthClient.query.get(id_)
+	if client is None or client.owner != user:
+		abort(404)
+
+	add_audit_log(AuditSeverity.NORMAL, current_user,
+			f"Deleted OAuth2 application {client.title} by {client.owner.username} [{client.id}]",
+			url_for("users.profile", username=current_user.username))
+
+	db.session.delete(client)
+	db.session.commit()
+
+	return redirect(url_for("oauth.list_clients", username=username))
+
+
+@bp.route("/users/<username>/apps/<id_>/revoke-all/", methods=["POST"])
+@login_required
+def revoke_all(username, id_):
+	user = User.query.filter_by(username=username).first_or_404()
+	if not user.check_perm(current_user, Permission.CREATE_OAUTH_CLIENT):
+		abort(403)
+
+	client = OAuthClient.query.get(id_)
+	if client is None or client.owner != user:
+		abort(404)
+
+	add_audit_log(AuditSeverity.NORMAL, current_user,
+			f"Revoked all user tokens for OAuth2 application {client.title} by {client.owner.username} [{client.id}]",
+			url_for("oauth.create_edit_client", username=client.owner.username, id_=client.id))
+
+	client.tokens = []
+	db.session.commit()
+
+	flash(gettext("Revoked all user tokens"), "success")
+
+	return redirect(url_for("oauth.create_edit_client", username=client.owner.username, id_=client.id))
--- a/app/blueprints/packages/init.py
+++ b/app/blueprints/packages/init.py
@@ -1,21 +1,87 @@
-# Content DB
-# Copyright (C) 2018  rubenwardy
+# ContentDB
+# Copyright (C) 2018-21 rubenwardy
 #
 # This program is free software: you can redistribute it and/or modify
-# it under the terms of the GNU General Public License as published by
+# it under the terms of the GNU Affero General Public License as published by
 # the Free Software Foundation, either version 3 of the License, or
 # (at your option) any later version.
 #
 # This program is distributed in the hope that it will be useful,
 # but WITHOUT ANY WARRANTY; without even the implied warranty of
 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
-# GNU General Public License for more details.
+# GNU Affero General Public License for more details.
 #
-# You should have received a copy of the GNU General Public License
+# You should have received a copy of the GNU Affero General Public License
 # along with this program.  If not, see <https://www.gnu.org/licenses/>.

 from flask import Blueprint
+from flask_babel import gettext
+
+from app.models import User, Package, Permission, PackageType

 bp = Blueprint("packages", __name__)

-from . import packages, screenshots, releases
+
+def get_package_tabs(user: User, package: Package):
+	if package is None or not package.check_perm(user, Permission.EDIT_PACKAGE):
+		return []
+
+	retval = [
+		{
+			"id": "edit",
+			"title": gettext("Edit Details"),
+			"url": package.get_url("packages.create_edit")
+		},
+		{
+			"id": "translation",
+			"title": gettext("Translation"),
+			"url": package.get_url("packages.translation")
+		},
+		{
+			"id": "releases",
+			"title": gettext("Releases"),
+			"url": package.get_url("packages.list_releases")
+		},
+		{
+			"id": "screenshots",
+			"title": gettext("Screenshots"),
+			"url": package.get_url("packages.screenshots")
+		},
+		{
+			"id": "maintainers",
+			"title": gettext("Maintainers"),
+			"url": package.get_url("packages.edit_maintainers")
+		},
+		{
+			"id": "audit",
+			"title": gettext("Audit Log"),
+			"url": package.get_url("packages.audit")
+		},
+		{
+			"id": "stats",
+			"title": gettext("Statistics"),
+			"url": package.get_url("packages.statistics")
+		},
+		{
+			"id": "share",
+			"title": gettext("Share and Badges"),
+			"url": package.get_url("packages.share")
+		},
+		{
+			"id": "remove",
+			"title": gettext("Remove / Unpublish"),
+			"url": package.get_url("packages.remove")
+		}
+	]
+
+	if package.type == PackageType.MOD or package.type == PackageType.TXP:
+		retval.insert(2, {
+			"id": "game_support",
+			"title": gettext("Supported Games"),
+			"url": package.get_url("packages.game_support")
+		})
+
+	return retval
+
+
+from . import packages, advanced_search, screenshots, releases, reviews, game_hub
--- a/app/blueprints/packages/advanced_search.py
+++ b/app/blueprints/packages/advanced_search.py
@@ -0,0 +1,103 @@
+# ContentDB
+# Copyright (C) 2024 rubenwardy
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU Affero General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU Affero General Public License for more details.
+#
+# You should have received a copy of the GNU Affero General Public License
+# along with this program.  If not, see <https://www.gnu.org/licenses/>.
+
+from flask import render_template
+from flask_babel import lazy_gettext, gettext
+from flask_wtf import FlaskForm
+from wtforms.fields.choices import SelectField, SelectMultipleField
+from wtforms.fields.simple import StringField, BooleanField
+from wtforms.validators import Optional
+from wtforms_sqlalchemy.fields import QuerySelectMultipleField, QuerySelectField
+
+from . import bp
+from ...models import PackageType, Tag, db, ContentWarning, License, Language, LuantiRelease, Package, PackageState
+
+
+def make_label(obj: Tag | ContentWarning):
+	translated = obj.get_translated()
+	if translated["description"]:
+		return "{}: {}".format(translated["title"], translated["description"])
+	else:
+		return translated["title"]
+
+
+def get_hide_choices():
+	ret = [
+		("android_default", gettext("Android Default")),
+		("desktop_default", gettext("Desktop Default")),
+		("nonfree", gettext("Non-free")),
+		("wip", gettext("Work in Progress")),
+		("deprecated", gettext("Deprecated")),
+		("*", gettext("All content warnings")),
+	]
+	content_warnings = ContentWarning.query.order_by(db.asc(ContentWarning.name)).all()
+	tags = Tag.query.order_by(db.asc(Tag.name)).all()
+	ret += [(x.name, make_label(x)) for x in content_warnings + tags]
+	return ret
+
+
+class AdvancedSearchForm(FlaskForm):
+	q = StringField(lazy_gettext("Query"), [Optional()])
+	type = SelectMultipleField(lazy_gettext("Type"), [Optional()],
+			choices=PackageType.choices(), coerce=PackageType.coerce)
+	author = StringField(lazy_gettext("Author"), [Optional()])
+	tag = QuerySelectMultipleField(lazy_gettext('Tags'),
+			query_factory=lambda: Tag.query.order_by(db.asc(Tag.name)),
+			get_pk=lambda a: a.name, get_label=make_label)
+	flag = QuerySelectMultipleField(lazy_gettext('Content Warnings'),
+			query_factory=lambda: ContentWarning.query.order_by(db.asc(ContentWarning.name)),
+			get_pk=lambda a: a.name, get_label=make_label)
+	license = QuerySelectMultipleField(lazy_gettext("License"), [Optional()],
+			query_factory=lambda: License.query.order_by(db.asc(License.name)),
+			allow_blank=True, blank_value="",
+			get_pk=lambda a: a.name, get_label=lambda a: a.name)
+	game = QuerySelectField(lazy_gettext("Supports Game"), [Optional()],
+			query_factory=lambda: Package.query.filter(Package.type == PackageType.GAME, Package.state == PackageState.APPROVED).order_by(db.asc(Package.name)),
+			allow_blank=True, blank_value="",
+			get_pk=lambda a: f"{a.author.username}/{a.name}",
+			get_label=lambda a: lazy_gettext("%(title)s by %(author)s", title=a.title, author=a.author.display_name))
+	lang = QuerySelectField(lazy_gettext("Language"),
+			query_factory=lambda: Language.query.order_by(db.asc(Language.title)),
+			allow_blank=True, blank_value="",
+			get_pk=lambda a: a.id, get_label=lambda a: a.title)
+	hide = SelectMultipleField(lazy_gettext("Hide Tags and Content Warnings"), [Optional()])
+	engine_version = QuerySelectField(lazy_gettext("Luanti Version"),
+			query_factory=lambda: LuantiRelease.query.order_by(db.asc(LuantiRelease.id)),
+			allow_blank=True, blank_value="",
+			get_pk=lambda a: a.value, get_label=lambda a: a.name)
+	sort = SelectField(lazy_gettext("Sort by"), [Optional()], choices=[
+		("", ""),
+		("name", lazy_gettext("Name")),
+		("title", lazy_gettext("Title")),
+		("score", lazy_gettext("Package score")),
+		("reviews", lazy_gettext("Reviews")),
+		("downloads", lazy_gettext("Downloads")),
+		("created_at", lazy_gettext("Created At")),
+		("approved_at", lazy_gettext("Approved At")),
+		("last_release", lazy_gettext("Last Release")),
+	])
+	order = SelectField(lazy_gettext("Order"), [Optional()], choices=[
+		("desc", lazy_gettext("Descending")),
+		("asc", lazy_gettext("Ascending")),
+	])
+	random = BooleanField(lazy_gettext("Random order"))
+
+
+@bp.route("/packages/advanced-search/")
+def advanced_search():
+	form = AdvancedSearchForm()
+	form.hide.choices = get_hide_choices()
+	return render_template("packages/advanced_search.html", form=form)
--- a/app/blueprints/packages/editrequests.py
+++ b/app/blueprints/packages/editrequests.py
@@ -1,173 +0,0 @@
-# Content DB
-# Copyright (C) 2018  rubenwardy
-#
-# This program is free software: you can redistribute it and/or modify
-# it under the terms of the GNU General Public License as published by
-# the Free Software Foundation, either version 3 of the License, or
-# (at your option) any later version.
-#
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
-# GNU General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License
-# along with this program.  If not, see <https://www.gnu.org/licenses/>.
-
-from flask import *
-from flask_user import *
-from app import app
-from app.models import *
-
-from app.utils import *
-
-from flask_wtf import FlaskForm
-from wtforms import *
-from wtforms.validators import *
-from wtforms.ext.sqlalchemy.fields import QuerySelectField, QuerySelectMultipleField
-
-from . import PackageForm
-
-
-class EditRequestForm(PackageForm):
-	edit_title = StringField("Edit Title", [InputRequired(), Length(1, 100)])
-	edit_desc  = TextField("Edit Description", [Optional()])
-
-@app.route("/packages/<author>/<name>/requests/new/", methods=["GET","POST"])
-@app.route("/packages/<author>/<name>/requests/<id>/edit/", methods=["GET","POST"])
-@login_required
-@is_package_page
-def create_edit_editrequest_page(package, id=None):
-	edited_package = package
-
-	erequest = None
-	if id is not None:
-		erequest = EditRequest.query.get(id)
-		if erequest.package != package:
-			abort(404)
-
-		if not erequest.checkPerm(current_user, Permission.EDIT_EDITREQUEST):
-			abort(403)
-
-		if erequest.status != 0:
-			flash("Can't edit EditRequest, it has already been merged or rejected", "error")
-			return redirect(erequest.getURL())
-
-		edited_package = Package(package)
-		erequest.applyAll(edited_package)
-
-	form = EditRequestForm(request.form, obj=edited_package)
-	if request.method == "GET":
-		deps = edited_package.dependencies
-		form.harddep_str.data  = ",".join([str(x) for x in deps if not x.optional])
-		form.softdep_str.data  = ",".join([str(x) for x in deps if     x.optional])
-		form.provides_str.data = MetaPackage.ListToSpec(edited_package.provides)
-
-	if request.method == "POST" and form.validate():
-		if erequest is None:
-			erequest = EditRequest()
-			erequest.package = package
-			erequest.author  = current_user
-
-		erequest.title   = form["edit_title"].data
-		erequest.desc    = form["edit_desc"].data
-		db.session.add(erequest)
-
-		EditRequestChange.query.filter_by(request=erequest).delete()
-
-		wasChangeMade = False
-		for e in PackagePropertyKey:
-			newValue = form[e.name].data
-			oldValue = getattr(package, e.name)
-
-			newValueComp = newValue
-			oldValueComp = oldValue
-			if type(newValue) is str:
-				newValue = newValue.replace("\r\n", "\n")
-				newValueComp = newValue.strip()
-				oldValueComp = "" if oldValue is None else oldValue.strip()
-
-			if newValueComp != oldValueComp:
-				change = EditRequestChange()
-				change.request = erequest
-				change.key = e
-				change.oldValue = e.convert(oldValue)
-				change.newValue = e.convert(newValue)
-				db.session.add(change)
-				wasChangeMade = True
-
-		if wasChangeMade:
-			msg = "{}: Edit request #{} {}" \
-					.format(package.title, erequest.id, "created" if id is None else "edited")
-			triggerNotif(package.author, current_user, msg, erequest.getURL())
-			triggerNotif(erequest.author, current_user, msg, erequest.getURL())
-			db.session.commit()
-			return redirect(erequest.getURL())
-		else:
-			flash("No changes detected", "warning")
-	elif erequest is not None:
-		form["edit_title"].data = erequest.title
-		form["edit_desc"].data  = erequest.desc
-
-	return render_template("packages/editrequest_create_edit.html", package=package, form=form)
-
-
-@app.route("/packages/<author>/<name>/requests/<id>/")
-@is_package_page
-def view_editrequest_page(package, id):
-	erequest = EditRequest.query.get(id)
-	if erequest is None or erequest.package != package:
-		abort(404)
-
-	clearNotifications(erequest.getURL())
-	return render_template("packages/editrequest_view.html", package=package, request=erequest)
-
-
-@app.route("/packages/<author>/<name>/requests/<id>/approve/", methods=["POST"])
-@is_package_page
-def approve_editrequest_page(package, id):
-	if not package.checkPerm(current_user, Permission.APPROVE_CHANGES):
-		flash("You don't have permission to do that.", "error")
-		return redirect(package.getDetailsURL())
-
-	erequest = EditRequest.query.get(id)
-	if erequest is None or erequest.package != package:
-		abort(404)
-
-	if erequest.status != 0:
-		flash("Edit request has already been resolved", "error")
-
-	else:
-		erequest.status = 1
-		erequest.applyAll(package)
-
-		msg = "{}: Edit request #{} merged".format(package.title, erequest.id)
-		triggerNotif(erequest.author, current_user, msg, erequest.getURL())
-		triggerNotif(package.author, current_user, msg, erequest.getURL())
-		db.session.commit()
-
-	return redirect(package.getDetailsURL())
-
-@app.route("/packages/<author>/<name>/requests/<id>/reject/", methods=["POST"])
-@is_package_page
-def reject_editrequest_page(package, id):
-	if not package.checkPerm(current_user, Permission.APPROVE_CHANGES):
-		flash("You don't have permission to do that.", "error")
-		return redirect(package.getDetailsURL())
-
-	erequest = EditRequest.query.get(id)
-	if erequest is None or erequest.package != package:
-		abort(404)
-
-	if erequest.status != 0:
-		flash("Edit request has already been resolved", "error")
-
-	else:
-		erequest.status = 2
-
-		msg = "{}: Edit request #{} rejected".format(package.title, erequest.id)
-		triggerNotif(erequest.author, current_user, msg, erequest.getURL())
-		triggerNotif(package.author, current_user, msg, erequest.getURL())
-		db.session.commit()
-
-	return redirect(package.getDetailsURL())
--- a/app/blueprints/packages/game_hub.py
+++ b/app/blueprints/packages/game_hub.py
@@ -0,0 +1,53 @@
+# ContentDB
+# Copyright (C) 2022 rubenwardy
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU Affero General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU Affero General Public License for more details.
+#
+# You should have received a copy of the GNU Affero General Public License
+# along with this program.  If not, see <https://www.gnu.org/licenses/>.
+
+from flask import render_template, abort
+from sqlalchemy.orm import joinedload
+
+from . import bp
+from app.utils import is_package_page
+from app.models import Package, PackageType, PackageState, db, PackageRelease
+
+
+@bp.route("/packages/<author>/<name>/hub/")
+@is_package_page
+def game_hub(package: Package):
+	if package.type != PackageType.GAME:
+		abort(404)
+
+	def join(query):
+		return query.options(
+			joinedload(Package.license),
+			joinedload(Package.media_license))
+
+	query = Package.query.filter(Package.supported_games.any(game=package, supports=True), Package.state==PackageState.APPROVED)
+	count = query.count()
+
+	new = join(query.order_by(db.desc(Package.approved_at))).limit(4).all()
+	pop_mod = join(query.filter_by(type=PackageType.MOD).order_by(db.desc(Package.score))).limit(8).all()
+	pop_txp = join(query.filter_by(type=PackageType.TXP).order_by(db.desc(Package.score))).limit(8).all()
+	high_reviewed = join(query.order_by(db.desc(Package.score - Package.score_downloads))) \
+		.filter(Package.reviews.any()).limit(4).all()
+
+	updated = db.session.query(Package).select_from(PackageRelease).join(Package) \
+		.filter(Package.supported_games.any(game=package, supports=True), Package.state==PackageState.APPROVED) \
+		.order_by(db.desc(PackageRelease.created_at)) \
+		.limit(20).all()
+	updated = updated[:4]
+
+	return render_template("packages/game_hub.html", package=package, count=count,
+			new=new, updated=updated, pop_mod=pop_mod, pop_txp=pop_txp,
+			high_reviewed=high_reviewed)
--- a/app/blueprints/packages/packages.py
+++ b/app/blueprints/packages/packages.py
--- a/app/blueprints/packages/releases.py
+++ b/app/blueprints/packages/releases.py
@@ -1,123 +1,124 @@
-# Content DB
-# Copyright (C) 2018  rubenwardy
+# ContentDB
+# Copyright (C) 2018-21 rubenwardy
 #
 # This program is free software: you can redistribute it and/or modify
-# it under the terms of the GNU General Public License as published by
+# it under the terms of the GNU Affero General Public License as published by
 # the Free Software Foundation, either version 3 of the License, or
 # (at your option) any later version.
 #
 # This program is distributed in the hope that it will be useful,
 # but WITHOUT ANY WARRANTY; without even the implied warranty of
 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
-# GNU General Public License for more details.
+# GNU Affero General Public License for more details.
 #
-# You should have received a copy of the GNU General Public License
+# You should have received a copy of the GNU Affero General Public License
 # along with this program.  If not, see <https://www.gnu.org/licenses/>.
+import os

-
-from flask import *
-from flask_user import *
-
-from . import bp
-
-from app.rediscache import has_key, set_key, make_download_key
-from app.models import *
-from app.tasks.importtasks import makeVCSRelease
-from app.utils import *
-
-from celery import uuid
+from flask import render_template, request, redirect, flash, url_for, abort
+from flask_babel import lazy_gettext, gettext
+from flask_login import login_required, current_user
 from flask_wtf import FlaskForm
-from wtforms import *
-from wtforms.validators import *
-from wtforms.ext.sqlalchemy.fields import QuerySelectField
+from wtforms import StringField, SubmitField, BooleanField, RadioField, FileField
+from wtforms.fields.simple import TextAreaField
+from wtforms.validators import InputRequired, Length, Optional
+from wtforms_sqlalchemy.fields import QuerySelectField
+
+from app.logic.releases import do_create_vcs_release, LogicError, do_create_zip_release
+from app.models import Package, db, User, PackageState, Permission, UserRank, PackageDailyStats, LuantiRelease, \
+	PackageRelease, PackageUpdateTrigger, PackageUpdateConfig
+from app.rediscache import has_key, set_temp_key, make_download_key
+from app.tasks.importtasks import check_update_config
+from app.utils import is_user_bot, is_package_page, nonempty_or_none, normalize_line_endings
+from . import bp, get_package_tabs
+
+
+@bp.route("/packages/<author>/<name>/releases/", methods=["GET", "POST"])
+@is_package_page
+def list_releases(package):
+	return render_template("packages/releases_list.html",
+			package=package,
+			tabs=get_package_tabs(current_user, package), current_tab="releases")


 def get_mt_releases(is_max):
-	query = MinetestRelease.query.order_by(db.asc(MinetestRelease.id))
+	query = LuantiRelease.query.order_by(db.asc(LuantiRelease.id))
 	if is_max:
 		query = query.limit(query.count() - 1)
 	else:
-		query = query.filter(MinetestRelease.name != "0.4.17")
+		query = query.filter(LuantiRelease.name != "0.4.17")

 	return query


 class CreatePackageReleaseForm(FlaskForm):
-	title	   = StringField("Title", [InputRequired(), Length(1, 30)])
-	uploadOpt  = RadioField ("Method", choices=[("upload", "File Upload")], default="upload")
-	vcsLabel   = StringField("VCS Commit Hash, Branch, or Tag", default="master")
-	fileUpload = FileField("File Upload")
-	min_rel    = QuerySelectField("Minimum Minetest Version", [InputRequired()],
+	name        = StringField(lazy_gettext("Name"), [InputRequired(), Length(1, 30)])
+	title       = StringField(lazy_gettext("Title"), [Optional(), Length(1, 100)], filters=[nonempty_or_none])
+	release_notes = TextAreaField(lazy_gettext("Release Notes"), [Optional(), Length(1, 5000)],
+			filters=[nonempty_or_none, normalize_line_endings])
+	upload_mode = RadioField(lazy_gettext("Method"), choices=[("upload", lazy_gettext("File Upload"))], default="upload")
+	vcs_label   = StringField(lazy_gettext("Git reference (ie: commit hash, branch, or tag)"), default=None)
+	file_upload = FileField(lazy_gettext("File Upload"))
+	min_rel     = QuerySelectField(lazy_gettext("Minimum Luanti Version"), [InputRequired()],
 			query_factory=lambda: get_mt_releases(False), get_pk=lambda a: a.id, get_label=lambda a: a.name)
-	max_rel    = QuerySelectField("Maximum Minetest Version", [InputRequired()],
+	max_rel     = QuerySelectField(lazy_gettext("Maximum Luanti Version"), [InputRequired()],
 			query_factory=lambda: get_mt_releases(True), get_pk=lambda a: a.id, get_label=lambda a: a.name)
-	submit	   = SubmitField("Save")
+	submit      = SubmitField(lazy_gettext("Save"))
+

 class EditPackageReleaseForm(FlaskForm):
-	title    = StringField("Title", [InputRequired(), Length(1, 30)])
-	url      = StringField("URL", [URL])
-	task_id  = StringField("Task ID", filters = [lambda x: x or None])
-	approved = BooleanField("Is Approved")
-	min_rel  = QuerySelectField("Minimum Minetest Version", [InputRequired()],
+	name     = StringField(lazy_gettext("Name"), [InputRequired(), Length(1, 30)])
+	title    = StringField(lazy_gettext("Title"), [InputRequired(), Length(1, 30)], filters=[nonempty_or_none])
+	release_notes = TextAreaField(lazy_gettext("Release Notes"), [Optional(), Length(1, 5000)],
+			filters=[nonempty_or_none, normalize_line_endings])
+	url      = StringField(lazy_gettext("URL"), [Optional()])
+	task_id  = StringField(lazy_gettext("Task ID"), filters = [lambda x: x or None])
+	approved = BooleanField(lazy_gettext("Is Approved"))
+	min_rel  = QuerySelectField(lazy_gettext("Minimum Luanti Version"), [InputRequired()],
 			query_factory=lambda: get_mt_releases(False), get_pk=lambda a: a.id, get_label=lambda a: a.name)
-	max_rel  = QuerySelectField("Maximum Minetest Version", [InputRequired()],
+	max_rel  = QuerySelectField(lazy_gettext("Maximum Luanti Version"), [InputRequired()],
 			query_factory=lambda: get_mt_releases(True), get_pk=lambda a: a.id, get_label=lambda a: a.name)
-	submit   = SubmitField("Save")
+	submit   = SubmitField(lazy_gettext("Save"))
+

@bp.route("/packages/<author>/<name>/releases/new/", methods=["GET", "POST"])
@login_required
@is_package_page
 def create_release(package):
-	if not package.checkPerm(current_user, Permission.MAKE_RELEASE):
-		return redirect(package.getDetailsURL())
+	if current_user.email is None and not current_user.rank.at_least(UserRank.ADMIN):
+		flash(gettext("You must add an email address to your account and confirm it before you can manage packages"), "danger")
+		return redirect(url_for("users.email_notifications"))
+
+	if not package.check_perm(current_user, Permission.MAKE_RELEASE):
+		return redirect(package.get_url("packages.view"))

 	# Initial form class from post data and default data
 	form = CreatePackageReleaseForm()
 	if package.repo is not None:
-		form["uploadOpt"].choices = [("vcs", "From Git Commit or Branch"), ("upload", "File Upload")]
-		if request.method != "POST":
-			form["uploadOpt"].data = "vcs"
+		form.upload_mode.choices = [("vcs", gettext("Import from Git")), ("upload", gettext("Upload .zip file"))]
+		if request.method == "GET":
+			form.upload_mode.data = "vcs"
+			form.vcs_label.data = request.args.get("ref")

-	if request.method == "POST" and form.validate():
-		if form["uploadOpt"].data == "vcs":
-			rel = PackageRelease()
-			rel.package = package
-			rel.title   = form["title"].data
-			rel.url     = ""
-			rel.task_id = uuid()
-			rel.min_rel = form["min_rel"].data.getActual()
-			rel.max_rel = form["max_rel"].data.getActual()
-			db.session.add(rel)
-			db.session.commit()
+	if request.method == "GET":
+		form.title.data = request.args.get("title")

-			makeVCSRelease.apply_async((rel.id, form["vcsLabel"].data), task_id=rel.task_id)
-
-			msg = "{}: Release {} created".format(package.title, rel.title)
-			triggerNotif(package.author, current_user, msg, rel.getEditURL())
-			db.session.commit()
-
-			return redirect(url_for("tasks.check", id=rel.task_id, r=rel.getEditURL()))
-		else:
-			uploadedPath = doFileUpload(form.fileUpload.data, "zip", "a zip file")
-			if uploadedPath is not None:
-				rel = PackageRelease()
-				rel.package = package
-				rel.title = form["title"].data
-				rel.url = uploadedPath
-				rel.min_rel = form["min_rel"].data.getActual()
-				rel.max_rel = form["max_rel"].data.getActual()
-				rel.approve(current_user)
-				db.session.add(rel)
-				db.session.commit()
-
-				msg = "{}: Release {} created".format(package.title, rel.title)
-				triggerNotif(package.author, current_user, msg, rel.getEditURL())
-				db.session.commit()
-				return redirect(package.getDetailsURL())
+	if form.validate_on_submit():
+		try:
+			if form.upload_mode.data == "vcs":
+				rel = do_create_vcs_release(current_user, package, form.name.data, form.title.data, form.release_notes.data,
+						form.vcs_label.data, form.min_rel.data.get_actual(), form.max_rel.data.get_actual())
+			else:
+				rel = do_create_zip_release(current_user, package, form.name.data, form.title.data, form.release_notes.data,
+						form.file_upload.data, form.min_rel.data.get_actual(), form.max_rel.data.get_actual())
+			return redirect(url_for("tasks.check", id=rel.task_id, r=rel.get_edit_url()))
+		except LogicError as e:
+			flash(e.message, "danger")

 	return render_template("packages/release_new.html", package=package, form=form)

-@bp.route("/packages/<author>/<name>/releases/<id>/download/")
+
+@bp.route("/packages/<author>/<name>/releases/<int:id>/download/")
@is_package_page
 def download_release(package, id):
 	release = PackageRelease.query.get(id)
@@ -125,103 +126,270 @@ def download_release(package, id):
 		abort(404)

 	ip = request.headers.get("X-Forwarded-For") or request.remote_addr
-	if ip is not None:
+	if ip is not None and not is_user_bot():
+		user_agent = request.headers.get("User-Agent") or ""
+		is_luanti = user_agent.startswith("Luanti") or user_agent.startswith("Minetest")
+		reason = request.args.get("reason")
+		PackageDailyStats.update(package, is_luanti, reason)
+
 		key = make_download_key(ip, release.package)
 		if not has_key(key):
-			set_key(key, "true")
+			set_temp_key(key, "true")

-			bonus = 1
-			if not package.getIsFOSS():
-				bonus *= 0.1
+			bonus = 0
+			if reason == "new":
+				bonus = 1
+			elif reason == "dependency" or reason == "update":
+				bonus = 0.5

 			PackageRelease.query.filter_by(id=release.id).update({
 					"downloads": PackageRelease.downloads + 1
 				})

 			Package.query.filter_by(id=package.id).update({
+					"downloads": Package.downloads + 1,
+					"score_downloads": Package.score_downloads + bonus,
 					"score": Package.score + bonus
 				})

-			db.session.commit()
+		db.session.commit()

-	return redirect(release.url, code=300)
+	return redirect(release.url)

-@bp.route("/packages/<author>/<name>/releases/<id>/", methods=["GET", "POST"])
-@login_required
+
+@bp.route("/packages/<author>/<name>/releases/<int:id>/")
@is_package_page
-def edit_release(package, id):
-	release = PackageRelease.query.get(id)
+def view_release(package, id):
+	release: PackageRelease = PackageRelease.query.get(id)
 	if release is None or release.package != package:
 		abort(404)

-	clearNotifications(release.getEditURL())
+	return render_template("packages/release_view.html", package=package, release=release)

-	canEdit	= package.checkPerm(current_user, Permission.MAKE_RELEASE)
-	canApprove = package.checkPerm(current_user, Permission.APPROVE_RELEASE)
+
+@bp.route("/packages/<author>/<name>/releases/<int:id>/edit/", methods=["GET", "POST"])
+@login_required
+@is_package_page
+def edit_release(package, id):
+	release: PackageRelease = PackageRelease.query.get(id)
+	if release is None or release.package != package:
+		abort(404)
+
+	canEdit	= package.check_perm(current_user, Permission.MAKE_RELEASE)
+	canApprove = release.check_perm(current_user, Permission.APPROVE_RELEASE)
 	if not (canEdit or canApprove):
-		return redirect(package.getDetailsURL())
+		return redirect(package.get_url("packages.view"))

 	# Initial form class from post data and default data
 	form = EditPackageReleaseForm(formdata=request.form, obj=release)
-	if request.method == "POST" and form.validate():
-		wasApproved = release.approved
-		if canEdit:
-			release.title = form["title"].data
-			release.min_rel = form["min_rel"].data.getActual()
-			release.max_rel = form["max_rel"].data.getActual()

-		if package.checkPerm(current_user, Permission.CHANGE_RELEASE_URL):
-			release.url = form["url"].data
-			release.task_id = form["task_id"].data
+	if request.method == "GET":
+		# HACK: fix bug in wtforms
+		form.approved.data = release.approved
+
+	if form.validate_on_submit():
+		if canEdit:
+			release.name = form.name.data
+			release.title = form.title.data
+			release.release_notes = form.release_notes.data
+			release.min_rel = form.min_rel.data.get_actual()
+			release.max_rel = form.max_rel.data.get_actual()
+
+		if package.check_perm(current_user, Permission.CHANGE_RELEASE_URL):
+			release.url = form.url.data
+			release.task_id = form.task_id.data
 			if release.task_id is not None:
 				release.task_id = None

-		if canApprove:
-			release.approved = form["approved"].data
-		else:
-			release.approved = wasApproved
+		if form.approved.data:
+			release.approve(current_user)
+		elif canApprove:
+			release.approved = False

 		db.session.commit()
-		return redirect(package.getDetailsURL())
+		return redirect(package.get_url("packages.list_releases"))

 	return render_template("packages/release_edit.html", package=package, release=release, form=form)



 class BulkReleaseForm(FlaskForm):
-	set_min = BooleanField("Set Min")
-	min_rel  = QuerySelectField("Minimum Minetest Version", [InputRequired()],
+	set_min = BooleanField(lazy_gettext("Set Min"))
+	min_rel  = QuerySelectField(lazy_gettext("Minimum Luanti Version"), [InputRequired()],
 			query_factory=lambda: get_mt_releases(False), get_pk=lambda a: a.id, get_label=lambda a: a.name)
-	set_max = BooleanField("Set Max")
-	max_rel  = QuerySelectField("Maximum Minetest Version", [InputRequired()],
+	set_max = BooleanField(lazy_gettext("Set Max"))
+	max_rel  = QuerySelectField(lazy_gettext("Maximum Luanti Version"), [InputRequired()],
 			query_factory=lambda: get_mt_releases(True), get_pk=lambda a: a.id, get_label=lambda a: a.name)
-	only_change_none = BooleanField("Only change values previously set as none")
-	submit   = SubmitField("Update")
+	only_change_none = BooleanField(lazy_gettext("Only change values previously set as none"))
+	submit   = SubmitField(lazy_gettext("Update"))


@bp.route("/packages/<author>/<name>/releases/bulk_change/", methods=["GET", "POST"])
@login_required
@is_package_page
 def bulk_change_release(package):
-	if not package.checkPerm(current_user, Permission.MAKE_RELEASE):
-		return redirect(package.getDetailsURL())
+	if not package.check_perm(current_user, Permission.MAKE_RELEASE):
+		return redirect(package.get_url("packages.view"))

 	# Initial form class from post data and default data
 	form = BulkReleaseForm()

 	if request.method == "GET":
 		form.only_change_none.data = True
-	elif request.method == "POST" and form.validate():
+	elif form.validate_on_submit():
 		only_change_none = form.only_change_none.data

 		for release in package.releases.all():
-			if form["set_min"].data and (not only_change_none or release.min_rel is None):
-				release.min_rel = form["min_rel"].data.getActual()
-			if form["set_max"].data and (not only_change_none or release.max_rel is None):
-				release.max_rel = form["max_rel"].data.getActual()
+			if form.set_min.data and (not only_change_none or release.min_rel is None):
+				release.min_rel = form.min_rel.data.get_actual()
+			if form.set_max.data and (not only_change_none or release.max_rel is None):
+				release.max_rel = form.max_rel.data.get_actual()

 		db.session.commit()

-		return redirect(package.getDetailsURL())
+		return redirect(package.get_url("packages.list_releases"))

 	return render_template("packages/release_bulk_change.html", package=package, form=form)
+
+
+@bp.route("/packages/<author>/<name>/releases/<int:id>/delete/", methods=["POST"])
+@login_required
+@is_package_page
+def delete_release(package, id):
+	release = PackageRelease.query.get(id)
+	if release is None or release.package != package:
+		abort(404)
+
+	if not release.check_perm(current_user, Permission.DELETE_RELEASE):
+		return redirect(package.get_url("packages.list_releases"))
+
+	db.session.delete(release)
+	db.session.commit()
+
+	if release.file_path and os.path.isfile(release.file_path):
+		os.remove(release.file_path)
+
+	return redirect(package.get_url("packages.view"))
+
+
+class PackageUpdateConfigFrom(FlaskForm):
+	trigger = RadioField(lazy_gettext("Trigger"), [InputRequired()],
+			choices=[(PackageUpdateTrigger.COMMIT, lazy_gettext("New Commit")),
+					(PackageUpdateTrigger.TAG, lazy_gettext("New Tag"))],
+			coerce=PackageUpdateTrigger.coerce, default=PackageUpdateTrigger.TAG)
+	ref     = StringField(lazy_gettext("Branch name"), [Optional()], default=None)
+	action  = RadioField(lazy_gettext("Action"), [InputRequired()],
+			choices=[("notification", lazy_gettext("Send notification and mark as outdated")), ("make_release", lazy_gettext("Create release"))],
+			default="make_release")
+	submit  = SubmitField(lazy_gettext("Save Settings"))
+	disable = SubmitField(lazy_gettext("Disable Automation"))
+
+
+def set_update_config(package, form):
+	if package.update_config is None:
+		package.update_config = PackageUpdateConfig()
+		db.session.add(package.update_config)
+
+	form.populate_obj(package.update_config)
+	package.update_config.ref = nonempty_or_none(form.ref.data)
+	package.update_config.make_release = form.action.data == "make_release"
+
+	if package.update_config.trigger == PackageUpdateTrigger.COMMIT:
+		if package.update_config.last_commit is None:
+			last_release = package.releases.first()
+			if last_release and last_release.commit_hash:
+				package.update_config.last_commit = last_release.commit_hash
+	elif package.update_config.trigger == PackageUpdateTrigger.TAG:
+		# Only create releases for tags created after this
+		package.update_config.last_commit = None
+		package.update_config.last_tag = None
+
+	package.update_config.outdated_at = None
+	package.update_config.auto_created = False
+
+	db.session.commit()
+
+	if package.update_config.last_commit is None:
+		check_update_config.delay(package.id)
+
+
+@bp.route("/packages/<author>/<name>/update-config/", methods=["GET", "POST"])
+@login_required
+@is_package_page
+def update_config(package):
+	if not package.check_perm(current_user, Permission.MAKE_RELEASE):
+		abort(403)
+
+	if not package.repo:
+		flash(gettext("Please add a Git repository URL in order to set up automatic releases"), "danger")
+		return redirect(package.get_url("packages.create_edit"))
+
+	form = PackageUpdateConfigFrom(obj=package.update_config)
+	if request.method == "GET":
+		if package.update_config:
+			form.action.data = "make_release" if package.update_config.make_release else "notification"
+		elif request.args.get("action") == "notification":
+			form.trigger.data = PackageUpdateTrigger.COMMIT
+			form.action.data = "notification"
+
+		if "trigger" in request.args:
+			form.trigger.data = PackageUpdateTrigger.get(request.args["trigger"])
+
+	if form.validate_on_submit():
+		if form.disable.data:
+			flash(gettext("Deleted update configuration"), "success")
+			if package.update_config:
+				db.session.delete(package.update_config)
+			db.session.commit()
+		else:
+			set_update_config(package, form)
+
+		if not form.disable.data and package.releases.count() == 0:
+			flash(gettext("Now, please create an initial release"), "success")
+			return redirect(package.get_url("packages.create_release"))
+
+		return redirect(package.get_url("packages.list_releases"))
+
+	return render_template("packages/update_config.html", package=package, form=form)
+
+
+@bp.route("/packages/<author>/<name>/setup-releases/")
+@login_required
+@is_package_page
+def setup_releases(package):
+	if not package.check_perm(current_user, Permission.MAKE_RELEASE):
+		abort(403)
+
+	if package.update_config:
+		return redirect(package.get_url("packages.update_config"))
+
+	return render_template("packages/release_wizard.html", package=package)
+
+
+@bp.route("/user/update-configs/")
+@bp.route("/users/<username>/update-configs/", methods=["GET", "POST"])
+@login_required
+def bulk_update_config(username=None):
+	if username is None:
+		return redirect(url_for("packages.bulk_update_config", username=current_user.username))
+
+	user: User = User.query.filter_by(username=username).first()
+	if not user:
+		abort(404)
+
+	if current_user != user and not current_user.rank.at_least(UserRank.EDITOR):
+		abort(403)
+
+	form = PackageUpdateConfigFrom()
+	if form.validate_on_submit():
+		for package in user.packages.filter(Package.state != PackageState.DELETED, Package.repo.isnot(None)).all():
+			set_update_config(package, form)
+
+		return redirect(url_for("packages.bulk_update_config", username=username))
+
+	confs = user.packages \
+		.filter(Package.state != PackageState.DELETED,
+			Package.update_config.has()) \
+		.order_by(db.asc(Package.title)).all()
+
+	return render_template("packages/bulk_update_conf.html", user=user, confs=confs, form=form)
--- a/app/blueprints/packages/reviews.py
+++ b/app/blueprints/packages/reviews.py
@@ -0,0 +1,276 @@
+# ContentDB
+# Copyright (C) 2020  rubenwardy
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU Affero General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU Affero General Public License for more details.
+#
+# You should have received a copy of the GNU Affero General Public License
+# along with this program.  If not, see <https://www.gnu.org/licenses/>.
+
+from collections import namedtuple
+
+import typing
+from flask import render_template, request, redirect, flash, url_for, abort, jsonify
+from flask_babel import gettext, lazy_gettext, get_locale
+from flask_login import current_user, login_required
+from flask_wtf import FlaskForm
+from wtforms import StringField, TextAreaField, SubmitField, RadioField
+from wtforms.validators import InputRequired, Length, DataRequired
+from wtforms_sqlalchemy.fields import QuerySelectField
+
+from app.models import db, PackageReview, Thread, ThreadReply, NotificationType, PackageReviewVote, Package, UserRank, \
+	Permission, AuditSeverity, PackageState, Language
+from app.tasks.webhooktasks import post_discord_webhook
+from app.utils import is_package_page, add_notification, get_int_or_abort, is_yes, is_safe_url, rank_required, \
+	add_audit_log, has_blocked_domains, should_return_json, normalize_line_endings
+from . import bp
+
+
+@bp.route("/reviews/")
+def list_reviews():
+	page = get_int_or_abort(request.args.get("page"), 1)
+	num = min(40, get_int_or_abort(request.args.get("n"), 100))
+
+	pagination = PackageReview.query.order_by(db.desc(PackageReview.created_at)).paginate(page=page, per_page=num)
+	return render_template("packages/reviews_list.html", pagination=pagination, reviews=pagination.items)
+
+
+def get_default_language():
+	locale = get_locale()
+	if locale:
+		return Language.query.filter_by(id=locale.language).first()
+
+	return None
+
+class ReviewForm(FlaskForm):
+	title = StringField(lazy_gettext("Title"), [InputRequired(), Length(3, 100)])
+	language = QuerySelectField(lazy_gettext("Language"), [DataRequired()],
+			allow_blank=True,
+			query_factory=lambda: Language.query.order_by(db.asc(Language.title)),
+			get_pk=lambda a: a.id,
+			get_label=lambda a: a.title,
+			default=get_default_language)
+	comment = TextAreaField(lazy_gettext("Comment"), [InputRequired(), Length(10, 2000)], filters=[normalize_line_endings])
+	rating = RadioField(lazy_gettext("Rating"), [InputRequired()],
+			choices=[("5", lazy_gettext("Yes")), ("3", lazy_gettext("Neutral")), ("1", lazy_gettext("No"))])
+	btn_submit = SubmitField(lazy_gettext("Save"))
+
+
+@bp.route("/packages/<author>/<name>/review/", methods=["GET", "POST"])
+@login_required
+@is_package_page
+def review(package):
+	if current_user in package.maintainers:
+		flash(gettext("You can't review your own package!"), "danger")
+		return redirect(package.get_url("packages.view"))
+
+	if package.state != PackageState.APPROVED:
+		abort(404)
+
+	review = PackageReview.query.filter_by(package=package, author=current_user).first()
+	can_review = review is not None or current_user.can_review_ratelimit()
+
+	if not can_review:
+		flash(gettext("You've reviewed too many packages recently. Please wait before trying again, and consider making your reviews more detailed"), "danger")
+
+	form = ReviewForm(formdata=request.form, obj=review)
+
+	# Set default values
+	if request.method == "GET" and review:
+		form.title.data = review.thread.title
+		form.rating.data = str(review.rating)
+		form.comment.data = review.thread.first_reply.comment
+
+	# Validate and submit
+	elif can_review and form.validate_on_submit():
+		if has_blocked_domains(form.comment.data, current_user.username, f"review of {package.get_id()}"):
+			flash(gettext("Linking to blocked sites is not allowed"), "danger")
+		else:
+			was_new = False
+			if not review:
+				was_new = True
+				review = PackageReview()
+				review.package = package
+				review.author  = current_user
+				db.session.add(review)
+
+			review.rating = int(form.rating.data)
+			review.language = form.language.data
+
+			thread = review.thread
+			if not thread:
+				thread = Thread()
+				thread.author  = current_user
+				thread.private = False
+				thread.package = package
+				thread.review = review
+				db.session.add(thread)
+
+				thread.watchers.append(current_user)
+
+				reply = ThreadReply()
+				reply.thread  = thread
+				reply.author  = current_user
+				reply.comment = form.comment.data
+				db.session.add(reply)
+
+				thread.replies.append(reply)
+			else:
+				reply = thread.first_reply
+				reply.comment = form.comment.data
+
+			thread.title   = form.title.data
+
+			db.session.commit()
+
+			package.recalculate_score()
+
+			if was_new:
+				notif_msg = "New review '{}'".format(form.title.data)
+				type = NotificationType.NEW_REVIEW
+			else:
+				notif_msg = "Updated review '{}'".format(form.title.data)
+				type = NotificationType.OTHER
+
+			add_notification(package.maintainers, current_user, type, notif_msg,
+							 url_for("threads.view", id=thread.id), package)
+
+			if was_new:
+				msg = f"Reviewed {package.title} ({review.language.title}): {thread.get_view_url(absolute=True)}"
+				post_discord_webhook.delay(thread.author.display_name, msg, False)
+
+			db.session.commit()
+
+			return redirect(package.get_url("packages.view"))
+
+	return render_template("packages/review_create_edit.html",
+			form=form, package=package, review=review)
+
+
+@bp.route("/packages/<author>/<name>/reviews/<reviewer>/delete/", methods=["POST"])
+@login_required
+@is_package_page
+def delete_review(package, reviewer):
+	review = PackageReview.query \
+		.filter(PackageReview.package == package, PackageReview.author.has(username=reviewer)) \
+		.first()
+	if review is None or review.package != package:
+		abort(404)
+
+	if not review.check_perm(current_user, Permission.DELETE_REVIEW):
+		abort(403)
+
+	thread = review.thread
+
+	reply = ThreadReply()
+	reply.thread  = thread
+	reply.author  = current_user
+	reply.comment = "_converted review into a thread_"
+	reply.is_status_update = True
+	db.session.add(reply)
+
+	thread.review = None
+
+	msg = "Converted review by {} to thread".format(review.author.display_name)
+	add_audit_log(AuditSeverity.MODERATION if current_user.username != reviewer else AuditSeverity.NORMAL,
+				  current_user, msg, thread.get_view_url(), thread.package)
+
+	notif_msg = "Deleted review '{}', comments were kept as a thread".format(thread.title)
+	add_notification(package.maintainers, current_user, NotificationType.OTHER, notif_msg, url_for("threads.view", id=thread.id), package)
+
+	db.session.delete(review)
+
+	package.recalculate_score()
+
+	db.session.commit()
+
+	return redirect(thread.get_view_url())
+
+
+def handle_review_vote(package: Package, review_id: int) -> typing.Optional[str]:
+	if current_user in package.maintainers:
+		return gettext("You can't vote on the reviews on your own package!")
+
+	review: PackageReview = PackageReview.query.get(review_id)
+	if review is None or review.package != package:
+		abort(404)
+
+	if review.author == current_user:
+		return gettext("You can't vote on your own reviews!")
+
+	is_positive = is_yes(request.form["is_positive"])
+
+	vote = PackageReviewVote.query.filter_by(review=review, user=current_user).first()
+	if vote is None:
+		vote = PackageReviewVote()
+		vote.review = review
+		vote.user = current_user
+		vote.is_positive = is_positive
+		db.session.add(vote)
+	elif vote.is_positive == is_positive:
+		db.session.delete(vote)
+	else:
+		vote.is_positive = is_positive
+
+	review.update_score()
+	db.session.commit()
+
+
+@bp.route("/packages/<author>/<name>/review/<int:review_id>/", methods=["POST"])
+@login_required
+@is_package_page
+def review_vote(package, review_id):
+	msg = handle_review_vote(package, review_id)
+	if should_return_json():
+		if msg:
+			return jsonify({"success": False, "error": msg}), 403
+		else:
+			return jsonify({"success": True})
+
+	if msg:
+		flash(msg, "danger")
+
+	next_url = request.args.get("r")
+	if next_url and is_safe_url(next_url):
+		return redirect(next_url)
+	else:
+		return redirect(review.thread.get_view_url())
+
+
+@bp.route("/packages/<author>/<name>/review-votes/")
+@rank_required(UserRank.ADMIN)
+@is_package_page
+def review_votes(package):
+	user_biases = {}
+	for review in package.reviews:
+		review_sign = review.as_weight()
+		for vote in review.votes:
+			user_biases[vote.user.username] = user_biases.get(vote.user.username, [0, 0])
+			vote_sign = 1 if vote.is_positive else -1
+			vote_bias = review_sign * vote_sign
+			if vote_bias == 1:
+				user_biases[vote.user.username][0] += 1
+			else:
+				user_biases[vote.user.username][1] += 1
+
+	reviews = package.reviews.all()
+
+	BiasInfo = namedtuple("BiasInfo", "username balance with_ against no_vote perc_with")
+	user_biases_info = []
+	for username, bias in user_biases.items():
+		total_votes = bias[0] + bias[1]
+		balance = bias[0] - bias[1]
+		perc_with = round((100 * bias[0]) / total_votes)
+		user_biases_info.append(BiasInfo(username, balance, bias[0], bias[1], len(reviews) - total_votes, perc_with))
+
+	user_biases_info.sort(key=lambda x: -abs(x.balance))
+
+	return render_template("packages/review_votes.html", package=package, reviews=reviews,
+			user_biases=user_biases_info)
--- a/app/blueprints/packages/screenshots.py
+++ b/app/blueprints/packages/screenshots.py
@@ -1,74 +1,100 @@
-# Content DB
-# Copyright (C) 2018  rubenwardy
+# ContentDB
+# Copyright (C) 2018-21 rubenwardy
 #
 # This program is free software: you can redistribute it and/or modify
-# it under the terms of the GNU General Public License as published by
+# it under the terms of the GNU Affero General Public License as published by
 # the Free Software Foundation, either version 3 of the License, or
 # (at your option) any later version.
 #
 # This program is distributed in the hope that it will be useful,
 # but WITHOUT ANY WARRANTY; without even the implied warranty of
 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
-# GNU General Public License for more details.
+# GNU Affero General Public License for more details.
 #
-# You should have received a copy of the GNU General Public License
+# You should have received a copy of the GNU Affero General Public License
 # along with this program.  If not, see <https://www.gnu.org/licenses/>.
+import os

-
-from flask import *
-from flask_user import *
-
-from . import bp
-
-from app.models import *
-from app.utils import *
-
+from flask import render_template, request, redirect, flash, url_for, abort
+from flask_babel import lazy_gettext, gettext
+from flask_login import login_required, current_user
 from flask_wtf import FlaskForm
-from wtforms import *
-from wtforms.validators import *
+from flask_wtf.file import FileRequired
+from wtforms import StringField, SubmitField, BooleanField, FileField
+from wtforms.validators import Length, DataRequired, Optional
+from wtforms_sqlalchemy.fields import QuerySelectField
+
+from app.logic.LogicError import LogicError
+from app.logic.screenshots import do_create_screenshot, do_order_screenshots
+from . import bp, get_package_tabs
+from app.models import Permission, db, PackageScreenshot
+from app.utils import is_package_page


 class CreateScreenshotForm(FlaskForm):
-	title	   = StringField("Title/Caption", [Optional()])
-	fileUpload = FileField("File Upload", [InputRequired()])
-	submit	   = SubmitField("Save")
+	title	   = StringField(lazy_gettext("Title/Caption"), [Optional(), Length(-1, 100)])
+	file_upload = FileField(lazy_gettext("File Upload"), [FileRequired()])
+	submit	   = SubmitField(lazy_gettext("Save"))


 class EditScreenshotForm(FlaskForm):
-	title	 = StringField("Title/Caption", [Optional()])
-	approved = BooleanField("Is Approved")
-	delete   = BooleanField("Delete")
-	submit   = SubmitField("Save")
+	title	 = StringField(lazy_gettext("Title/Caption"), [Optional(), Length(-1, 100)])
+	approved = BooleanField(lazy_gettext("Is Approved"))
+	submit   = SubmitField(lazy_gettext("Save"))
+
+
+class EditPackageScreenshotsForm(FlaskForm):
+	cover_image      = QuerySelectField(lazy_gettext("Cover Image"), [DataRequired()], allow_blank=True, get_pk=lambda a: a.id, get_label=lambda a: a.title)
+	submit	         = SubmitField(lazy_gettext("Save"))
+
+
+@bp.route("/packages/<author>/<name>/screenshots/", methods=["GET", "POST"])
+@login_required
+@is_package_page
+def screenshots(package):
+	if not package.check_perm(current_user, Permission.ADD_SCREENSHOTS):
+		return redirect(package.get_url("packages.view"))
+
+	form = EditPackageScreenshotsForm(obj=package)
+	form.cover_image.query = package.screenshots
+
+	if request.method == "POST":
+		order = request.form.get("order")
+		if order:
+			try:
+				do_order_screenshots(current_user, package, order.split(","))
+				return redirect(package.get_url("packages.view"))
+			except LogicError as e:
+				flash(e.message, "danger")
+
+		if form.validate_on_submit():
+			form.populate_obj(package)
+			db.session.commit()
+
+	return render_template("packages/screenshots.html", package=package, form=form,
+			tabs=get_package_tabs(current_user, package), current_tab="screenshots")
+

@bp.route("/packages/<author>/<name>/screenshots/new/", methods=["GET", "POST"])
@login_required
@is_package_page
-def create_screenshot(package, id=None):
-	if not package.checkPerm(current_user, Permission.ADD_SCREENSHOTS):
-		return redirect(package.getDetailsURL())
+def create_screenshot(package):
+	if not package.check_perm(current_user, Permission.ADD_SCREENSHOTS):
+		return redirect(package.get_url("packages.view"))

 	# Initial form class from post data and default data
 	form = CreateScreenshotForm()
-	if request.method == "POST" and form.validate():
-		uploadedPath = doFileUpload(form.fileUpload.data, "image",
-				"a PNG or JPG image file")
-		if uploadedPath is not None:
-			ss = PackageScreenshot()
-			ss.package  = package
-			ss.title    = form["title"].data or "Untitled"
-			ss.url      = uploadedPath
-			ss.approved = package.checkPerm(current_user, Permission.APPROVE_SCREENSHOT)
-			db.session.add(ss)
-
-			msg = "{}: Screenshot added {}" \
-					.format(package.title, ss.title)
-			triggerNotif(package.author, current_user, msg, package.getDetailsURL())
-			db.session.commit()
-			return redirect(package.getDetailsURL())
+	if form.validate_on_submit():
+		try:
+			do_create_screenshot(current_user, package, form.title.data, form.file_upload.data, False)
+			return redirect(package.get_url("packages.screenshots"))
+		except LogicError as e:
+			flash(e.message, "danger")

 	return render_template("packages/screenshot_new.html", package=package, form=form)

-@bp.route("/packages/<author>/<name>/screenshots/<id>/edit/", methods=["GET", "POST"])
+
+@bp.route("/packages/<author>/<name>/screenshots/<int:id>/edit/", methods=["GET", "POST"])
@login_required
@is_package_page
 def edit_screenshot(package, id):
@@ -76,31 +102,49 @@ def edit_screenshot(package, id):
 	if screenshot is None or screenshot.package != package:
 		abort(404)

-	canEdit	= package.checkPerm(current_user, Permission.ADD_SCREENSHOTS)
-	canApprove = package.checkPerm(current_user, Permission.APPROVE_SCREENSHOT)
-	if not (canEdit or canApprove):
-		return redirect(package.getDetailsURL())
-
-	clearNotifications(screenshot.getEditURL())
+	can_edit = package.check_perm(current_user, Permission.ADD_SCREENSHOTS)
+	can_approve = package.check_perm(current_user, Permission.APPROVE_SCREENSHOT)
+	if not (can_edit or can_approve):
+		return redirect(package.get_url("packages.screenshots"))

 	# Initial form class from post data and default data
-	form = EditScreenshotForm(formdata=request.form, obj=screenshot)
-	if request.method == "POST" and form.validate():
-		if canEdit and form["delete"].data:
-			PackageScreenshot.query.filter_by(id=id).delete()
+	form = EditScreenshotForm(obj=screenshot)
+	if form.validate_on_submit():
+		was_approved = screenshot.approved

+		if can_edit:
+			screenshot.title = form.title.data or "Untitled"
+
+		if can_approve:
+			screenshot.approved = form.approved.data
 		else:
-			wasApproved = screenshot.approved
-
-			if canEdit:
-				screenshot.title = form["title"].data or "Untitled"
-
-			if canApprove:
-				screenshot.approved = form["approved"].data
-			else:
-				screenshot.approved = wasApproved
+			screenshot.approved = was_approved

 		db.session.commit()
-		return redirect(package.getDetailsURL())
+		return redirect(package.get_url("packages.screenshots"))

 	return render_template("packages/screenshot_edit.html", package=package, screenshot=screenshot, form=form)
+
+
+@bp.route("/packages/<author>/<name>/screenshots/<int:id>/delete/", methods=["POST"])
+@login_required
+@is_package_page
+def delete_screenshot(package, id):
+	screenshot = PackageScreenshot.query.get(id)
+	if screenshot is None or screenshot.package != package:
+		abort(404)
+
+	if not package.check_perm(current_user, Permission.ADD_SCREENSHOTS):
+		flash(gettext("Permission denied"), "danger")
+		return redirect(url_for("homepage.home"))
+
+	if package.cover_image == screenshot:
+		package.cover_image = None
+		db.session.merge(package)
+
+	db.session.delete(screenshot)
+	db.session.commit()
+
+	os.remove(screenshot.file_path)
+
+	return redirect(package.get_url("packages.screenshots"))
--- a/app/blueprints/report/init.py
+++ b/app/blueprints/report/init.py
@@ -0,0 +1,182 @@
+# ContentDB
+# Copyright (C) 2022 rubenwardy
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU Affero General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU Affero General Public License for more details.
+#
+# You should have received a copy of the GNU Affero General Public License
+# along with this program.  If not, see <https://www.gnu.org/licenses/>.
+
+from flask import Blueprint, request, render_template, url_for, abort, flash
+from flask_babel import lazy_gettext
+from flask_login import current_user
+from flask_wtf import FlaskForm
+from werkzeug.utils import redirect
+from wtforms import TextAreaField, SubmitField, URLField, StringField, SelectField, FileField
+from wtforms.validators import InputRequired, Length, Optional, DataRequired
+
+from app.logic.uploads import upload_file
+from app.models import User, UserRank, Report, db, AuditSeverity, ReportCategory, Thread, Permission, ReportAttachment
+from app.tasks.webhooktasks import post_discord_webhook
+from app.utils import (is_no, abs_url_samesite, normalize_line_endings, rank_required, add_audit_log, abs_url_for,
+					   random_string, add_replies)
+
+bp = Blueprint("report", __name__)
+
+
+class ReportForm(FlaskForm):
+	category = SelectField(lazy_gettext("Category"), [DataRequired()], choices=ReportCategory.choices(with_none=True), coerce=ReportCategory.coerce)
+
+	url = URLField(lazy_gettext("URL"), [Optional()])
+	title = StringField(lazy_gettext("Subject / Title"), [InputRequired(), Length(10, 300)])
+	message = TextAreaField(lazy_gettext("Message"), [Optional(), Length(0, 10000)], filters=[normalize_line_endings])
+	file_upload = FileField(lazy_gettext("Image Upload"), [Optional()])
+	submit = SubmitField(lazy_gettext("Report"))
+
+
+@bp.route("/report/", methods=["GET", "POST"])
+def report():
+	is_anon = not current_user.is_authenticated or not is_no(request.args.get("anon"))
+
+	url = request.args.get("url")
+	if url:
+		if url.startswith("/report/"):
+			abort(404)
+
+		url = abs_url_samesite(url)
+
+	form = ReportForm() if current_user.is_authenticated else None
+	if form and request.method == "GET":
+		try:
+			form.category.data = ReportCategory.coerce(request.args.get("category"))
+		except KeyError:
+			pass
+		form.url.data = url
+		form.title.data = request.args.get("title", "")
+
+	if form and form.validate_on_submit():
+		report = Report()
+		report.id = random_string(8)
+		report.user = current_user if current_user.is_authenticated else None
+		form.populate_obj(report)
+
+		if current_user.is_authenticated:
+			thread = Thread()
+			thread.title = f"Report: {form.title.data}"
+			thread.author = current_user
+			thread.private = True
+			thread.watchers.extend(User.query.filter(User.rank >= UserRank.MODERATOR).all())
+			db.session.add(thread)
+			db.session.flush()
+
+			report.thread = thread
+
+			add_replies(thread, current_user, f"**{report.category.title} report created**\n\n{form.message.data}")
+		else:
+			ip_addr = request.headers.get("X-Forwarded-For") or request.remote_addr
+			report.message = ip_addr + "\n\n" + report.message
+
+		db.session.add(report)
+		db.session.flush()
+
+		if form.file_upload.data:
+			atmt = ReportAttachment()
+			report.attachments.add(atmt)
+			uploaded_url, _ = upload_file(form.file_upload.data, "image", lazy_gettext("a PNG, JPEG, or WebP image file"))
+			atmt.url = uploaded_url
+			db.session.add(atmt)
+
+		if current_user.is_authenticated:
+			add_audit_log(AuditSeverity.USER, current_user, f"New report: {report.title}",
+					url_for("report.view", rid=report.id))
+
+		db.session.commit()
+
+		abs_url = abs_url_for("report.view", rid=report.id)
+		msg = f"**New Report**\nReport on `{report.url}`\n\n{report.title}\n\nView: {abs_url}"
+		post_discord_webhook.delay(None if is_anon else current_user.username, msg, True)
+
+		return redirect(url_for("report.report_received", rid=report.id))
+
+	return render_template("report/report.html", form=form, url=url, is_anon=is_anon, noindex=url is not None)
+
+
+@bp.route("/report/received/")
+def report_received():
+	rid = request.args.get("rid")
+	report = Report.query.get_or_404(rid)
+	return render_template("report/report_received.html", report=report)
+
+
+@bp.route("/admin/reports/")
+@rank_required(UserRank.EDITOR)
+def list_all():
+	reports = Report.query.order_by(db.asc(Report.is_resolved), db.asc(Report.created_at)).all()
+	return render_template("report/list.html", reports=reports)
+
+
+@bp.route("/admin/reports/<rid>/", methods=["GET", "POST"])
+def view(rid: str):
+	report = Report.query.get_or_404(rid)
+	if not report.check_perm(current_user, Permission.SEE_REPORT):
+		abort(404)
+
+	if request.method == "POST":
+		if report.is_resolved:
+			if "reopen" in request.form:
+				report.is_resolved = False
+				url = url_for("report.view", rid=report.id)
+				add_audit_log(AuditSeverity.MODERATION, current_user, f"Reopened report \"{report.title}\"", url)
+
+				if report.thread:
+					add_replies(report.thread, current_user, f"Reopened report", is_status_update=True)
+
+				db.session.commit()
+		else:
+			if "completed" in request.form:
+				outcome = "as completed"
+			elif "removed" in request.form:
+				outcome = "as content removed"
+			elif "invalid" in request.form:
+				outcome = "without action"
+				if report.thread:
+					flash("Make sure to comment why the report is invalid in the thread", "warning")
+			else:
+				abort(400)
+
+			report.is_resolved = True
+			url = url_for("report.view", rid=report.id)
+			add_audit_log(AuditSeverity.MODERATION, current_user, f"Report closed {outcome} \"{report.title}\"", url)
+
+			if report.thread:
+				add_replies(report.thread, current_user, f"Closed report {outcome}", is_status_update=True)
+
+			db.session.commit()
+
+	return render_template("report/view.html", report=report)
+
+
+@bp.route("/admin/reports/<rid>/edit/", methods=["GET", "POST"])
+def edit(rid: str):
+	report = Report.query.get_or_404(rid)
+	if not report.check_perm(current_user, Permission.SEE_REPORT):
+		abort(404)
+
+	form = ReportForm(request.form, obj=report)
+	form.submit.label.text = lazy_gettext("Save")
+	if form.validate_on_submit():
+		form.populate_obj(report)
+		url = url_for("report.view", rid=report.id)
+		add_audit_log(AuditSeverity.MODERATION, current_user, f"Edited report \"{report.title}\"", url)
+		db.session.commit()
+
+		return redirect(url_for("report.view", rid=report.id))
+
+	return render_template("report/edit.html", report=report, form=form)
--- a/app/blueprints/tasks/init.py
+++ b/app/blueprints/tasks/init.py
@@ -1,43 +1,44 @@
-# Content DB
-# Copyright (C) 2018  rubenwardy
+# ContentDB
+# Copyright (C) 2018-21 rubenwardy
 #
 # This program is free software: you can redistribute it and/or modify
-# it under the terms of the GNU General Public License as published by
+# it under the terms of the GNU Affero General Public License as published by
 # the Free Software Foundation, either version 3 of the License, or
 # (at your option) any later version.
 #
 # This program is distributed in the hope that it will be useful,
 # but WITHOUT ANY WARRANTY; without even the implied warranty of
 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
-# GNU General Public License for more details.
+# GNU Affero General Public License for more details.
 #
-# You should have received a copy of the GNU General Public License
+# You should have received a copy of the GNU Affero General Public License
 # along with this program.  If not, see <https://www.gnu.org/licenses/>.

+from flask import Blueprint, jsonify, url_for, request, redirect, render_template
+from flask_login import login_required, current_user

-from flask import *
-from flask_user import *
-import flask_menu as menu
 from app import csrf
-from app.models import *
-from app.tasks import celery, TaskError
-from app.tasks.importtasks import getMeta
-from app.utils import shouldReturnJson
-from app.utils import *
+from app.models import UserRank
+from app.tasks import celery
+from app.tasks.importtasks import get_meta
+from app.utils import should_return_json

 bp = Blueprint("tasks", __name__)

+
@csrf.exempt
@bp.route("/tasks/getmeta/new/", methods=["POST"])
@login_required
 def start_getmeta():
+	from flask import request
 	author = request.args.get("author")
 	author = current_user.forums_username if author is None else author
-	aresult = getMeta.delay(request.args.get("url"), author)
+	aresult = get_meta.delay(request.args.get("url"), author)
 	return jsonify({
 		"poll_url": url_for("tasks.check", id=aresult.id),
 	})

+
@bp.route("/tasks/<id>/")
 def check(id):
 	result = celery.AsyncResult(id)
@@ -45,17 +46,19 @@ def check(id):
 	traceback = result.traceback
 	result = result.result

-	info = None
 	if isinstance(result, Exception):
 		info = {
 				'id': id,
 				'status': status,
 			}

-		if current_user.is_authenticated and current_user.rank.atLeast(UserRank.ADMIN):
+		if current_user.is_authenticated and current_user.rank.at_least(UserRank.ADMIN):
 			info["error"] = str(traceback)
 		elif str(result)[1:12] == "TaskError: ":
-			info["error"] = str(result)[12:-1]
+			if hasattr(result, "value"):
+				info["error"] = result.value
+			else:
+				info["error"] = str(result)
 		else:
 			info["error"] = "Unknown server error"
 	else:
@@ -65,7 +68,7 @@ def check(id):
 				'result': result,
 			}

-	if shouldReturnJson():
+	if should_return_json():
 		return jsonify(info)
 	else:
 		r = request.args.get("r")
--- a/app/blueprints/threads/init.py
+++ b/app/blueprints/threads/init.py
@@ -1,130 +1,291 @@
-# Content DB
-# Copyright (C) 2018  rubenwardy
+# ContentDB
+# Copyright (C) 2018-21 rubenwardy
 #
 # This program is free software: you can redistribute it and/or modify
-# it under the terms of the GNU General Public License as published by
+# it under the terms of the GNU Affero General Public License as published by
 # the Free Software Foundation, either version 3 of the License, or
 # (at your option) any later version.
 #
 # This program is distributed in the hope that it will be useful,
 # but WITHOUT ANY WARRANTY; without even the implied warranty of
 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
-# GNU General Public License for more details.
+# GNU Affero General Public License for more details.
 #
-# You should have received a copy of the GNU General Public License
+# You should have received a copy of the GNU Affero General Public License
 # along with this program.  If not, see <https://www.gnu.org/licenses/>.

+from flask import Blueprint, request, render_template, abort, flash, redirect, url_for
+from flask_babel import gettext, lazy_gettext
+from sqlalchemy.orm import selectinload

-from flask import *
+from app.markdown import get_user_mentions, render_markdown
+from app.tasks.webhooktasks import post_discord_webhook

 bp = Blueprint("threads", __name__)

-from flask_user import *
-from app.models import *
-from app.utils import triggerNotif, clearNotifications
-
-import datetime
-
+from flask_login import current_user, login_required
+from app.models import Package, db, User, Permission, Thread, UserRank, AuditSeverity, \
+	NotificationType, ThreadReply
+from app.utils import add_notification, is_yes, add_audit_log, get_system_user, has_blocked_domains, \
+	normalize_line_endings
 from flask_wtf import FlaskForm
-from wtforms import *
-from wtforms.validators import *
+from wtforms import StringField, TextAreaField, SubmitField
+from wtforms.validators import InputRequired, Length
+from app.utils import get_int_or_abort
+

@bp.route("/threads/")
 def list_all():
 	query = Thread.query
 	if not Permission.SEE_THREAD.check(current_user):
 		query = query.filter_by(private=False)
-	return render_template("threads/list.html", threads=query.all())
+
+	package = None
+	pid = request.args.get("pid")
+	if pid:
+		pid = get_int_or_abort(pid)
+		package = Package.query.get_or_404(pid)
+		query = query.filter_by(package=package)
+
+	query = query.filter_by(review_id=None)
+
+	query = query.order_by(db.desc(Thread.created_at))
+
+	page = get_int_or_abort(request.args.get("page"), 1)
+	num = min(40, get_int_or_abort(request.args.get("n"), 100))
+
+	pagination = query.paginate(page=page, per_page=num)
+
+	return render_template("threads/list.html", pagination=pagination, threads=pagination.items,
+			package=package, noindex=pid)


@bp.route("/threads/<int:id>/subscribe/", methods=["POST"])
@login_required
 def subscribe(id):
 	thread = Thread.query.get(id)
-	if thread is None or not thread.checkPerm(current_user, Permission.SEE_THREAD):
+	if thread is None or not thread.check_perm(current_user, Permission.SEE_THREAD):
 		abort(404)

 	if current_user in thread.watchers:
-		flash("Already subscribed!", "success")
+		flash(gettext("Already subscribed!"), "success")
 	else:
-		flash("Subscribed to thread", "success")
+		flash(gettext("Subscribed to thread"), "success")
 		thread.watchers.append(current_user)
 		db.session.commit()

-	return redirect(url_for("threads.view", id=id))
+	return redirect(thread.get_view_url())


@bp.route("/threads/<int:id>/unsubscribe/", methods=["POST"])
@login_required
 def unsubscribe(id):
 	thread = Thread.query.get(id)
-	if thread is None or not thread.checkPerm(current_user, Permission.SEE_THREAD):
+	if thread is None or not thread.check_perm(current_user, Permission.SEE_THREAD):
 		abort(404)

 	if current_user in thread.watchers:
-		flash("Unsubscribed!", "success")
+		flash(gettext("Unsubscribed!"), "success")
 		thread.watchers.remove(current_user)
 		db.session.commit()
 	else:
-		flash("Not subscribed to thread", "success")
+		flash(gettext("Already not subscribed!"), "success")

-	return redirect(url_for("threads.view", id=id))
+	return redirect(thread.get_view_url())
+
+
+@bp.route("/threads/<int:id>/set-lock/", methods=["POST"])
+@login_required
+def set_lock(id):
+	thread = Thread.query.get(id)
+	if thread is None or not thread.check_perm(current_user, Permission.LOCK_THREAD):
+		abort(404)
+
+	thread.locked = is_yes(request.args.get("lock"))
+	if thread.locked is None:
+		abort(400)
+
+	if thread.locked:
+		msg = "Locked thread '{}'".format(thread.title)
+		flash(gettext("Locked thread"), "success")
+	else:
+		msg = "Unlocked thread '{}'".format(thread.title)
+		flash(gettext("Unlocked thread"), "success")
+
+	add_notification(thread.watchers, current_user, NotificationType.OTHER, msg, thread.get_view_url(), thread.package)
+	add_audit_log(AuditSeverity.MODERATION, current_user, msg, thread.get_view_url(), thread.package)
+
+	db.session.commit()
+
+	return redirect(thread.get_view_url())
+
+
+@bp.route("/threads/<int:id>/delete/", methods=["GET", "POST"])
+@login_required
+def delete_thread(id):
+	thread = Thread.query.get(id)
+	if thread is None or not thread.check_perm(current_user, Permission.DELETE_THREAD):
+		abort(404)
+
+	if request.method == "GET":
+		return render_template("threads/delete_thread.html", thread=thread)
+
+	summary = "\n\n".join([("<{}> {}".format(reply.author.display_name, reply.comment)) for reply in thread.replies])
+
+	msg = "Deleted thread {} by {}".format(thread.title, thread.author.display_name)
+
+	db.session.delete(thread)
+
+	add_audit_log(AuditSeverity.MODERATION, current_user, msg, None, thread.package, summary)
+
+	db.session.commit()
+
+	return redirect(url_for("homepage.home"))
+
+
+@bp.route("/threads/<int:id>/delete-reply/", methods=["GET", "POST"])
+@login_required
+def delete_reply(id):
+	thread = Thread.query.get(id)
+	if thread is None:
+		abort(404)
+
+	reply_id = request.args.get("reply")
+	if reply_id is None:
+		abort(404)
+
+	reply = ThreadReply.query.get(reply_id)
+	if reply is None or reply.thread != thread:
+		abort(404)
+
+	if thread.first_reply == reply:
+		flash(gettext("Cannot delete thread opening post!"), "danger")
+		return redirect(thread.get_view_url())
+
+	if not reply.check_perm(current_user, Permission.DELETE_REPLY):
+		abort(403)
+
+	if request.method == "GET":
+		return render_template("threads/delete_reply.html", thread=thread, reply=reply)
+
+	msg = "Deleted reply by {}".format(reply.author.display_name)
+	add_audit_log(AuditSeverity.MODERATION, current_user, msg, thread.get_view_url(), thread.package, reply.comment)
+
+	db.session.delete(reply)
+	db.session.commit()
+
+	return redirect(thread.get_view_url())
+
+
+class CommentForm(FlaskForm):
+	comment = TextAreaField(lazy_gettext("Comment"), [InputRequired(), Length(2, 2000)], filters=[normalize_line_endings])
+	btn_submit = SubmitField(lazy_gettext("Comment"))
+
+
+@bp.route("/threads/<int:id>/edit/", methods=["GET", "POST"])
+@login_required
+def edit_reply(id):
+	thread = Thread.query.get(id)
+	if thread is None:
+		abort(404)
+
+	reply_id = request.args.get("reply")
+	if reply_id is None:
+		abort(404)
+
+	reply: ThreadReply = ThreadReply.query.get(reply_id)
+	if reply is None or reply.thread != thread:
+		abort(404)
+
+	if not reply.check_perm(current_user, Permission.EDIT_REPLY):
+		abort(403)
+
+	form = CommentForm(formdata=request.form, obj=reply)
+	if form.validate_on_submit():
+		comment = form.comment.data
+		if has_blocked_domains(comment, current_user.username, f"edit to reply {reply.get_url(True)}"):
+			flash(gettext("Linking to blocked sites is not allowed"), "danger")
+		else:
+			msg = "Edited reply by {}".format(reply.author.display_name)
+			severity = AuditSeverity.NORMAL if current_user == reply.author else AuditSeverity.MODERATION
+			add_notification(reply.author, current_user, NotificationType.OTHER, msg, thread.get_view_url(), thread.package)
+			add_audit_log(severity, current_user, msg, thread.get_view_url(), thread.package, reply.comment)
+
+			reply.comment = comment
+
+			db.session.commit()
+
+			return redirect(thread.get_view_url())
+
+	return render_template("threads/edit_reply.html", thread=thread, reply=reply, form=form)


@bp.route("/threads/<int:id>/", methods=["GET", "POST"])
 def view(id):
-	clearNotifications(url_for("threads.view", id=id))
-
-	thread = Thread.query.get(id)
-	if thread is None or not thread.checkPerm(current_user, Permission.SEE_THREAD):
+	thread: Thread = Thread.query.get(id)
+	if thread is None or not thread.check_perm(current_user, Permission.SEE_THREAD):
 		abort(404)

-	if current_user.is_authenticated and request.method == "POST":
-		comment = request.form["comment"]
+	form = CommentForm(formdata=request.form) if thread.check_perm(current_user, Permission.COMMENT_THREAD) else None

-		if not current_user.canCommentRL():
-			flash("Please wait before commenting again", "danger")
-			if package:
-				return redirect(package.getDetailsURL())
-			else:
-				return redirect(url_for("homepage.home"))
+	# Check that title is none to load comments into textarea if redirected from new thread page
+	if form and form.validate_on_submit() and request.form.get("title") is None:
+		comment = form.comment.data

-		if len(comment) <= 500 and len(comment) > 3:
-			reply = ThreadReply()
-			reply.author = current_user
-			reply.comment = comment
-			db.session.add(reply)
+		if not current_user.can_comment_ratelimit():
+			flash(gettext("Please wait before commenting again"), "danger")
+			return redirect(thread.get_view_url())

-			thread.replies.append(reply)
-			if not current_user in thread.watchers:
-				thread.watchers.append(current_user)
+		if has_blocked_domains(comment, current_user.username, f"reply to {thread.get_view_url(True)}"):
+			flash(gettext("Linking to blocked sites is not allowed"), "danger")
+			return render_template("threads/view.html", thread=thread, form=form)

-			msg = None
-			if thread.package is None:
-				msg = "New comment on '{}'".format(thread.title)
-			else:
-				msg = "New comment on '{}' on package {}".format(thread.title, thread.package.title)
+		reply = ThreadReply()
+		reply.author = current_user
+		reply.comment = comment
+		db.session.add(reply)

+		thread.replies.append(reply)
+		if current_user not in thread.watchers:
+			thread.watchers.append(current_user)

-			for user in thread.watchers:
-				if user != current_user:
-					triggerNotif(user, current_user, msg, url_for("threads.view", id=thread.id))
+		for mentioned_username in get_user_mentions(render_markdown(comment)):
+			mentioned = User.query.filter_by(username=mentioned_username).first()
+			if mentioned is None:
+				continue

-			db.session.commit()
+			if not thread.check_perm(mentioned, Permission.SEE_THREAD):
+				continue

-			return redirect(url_for("threads.view", id=id))
+			msg = "Mentioned by {} in '{}'".format(current_user.display_name, thread.title)
+			add_notification(mentioned, current_user, NotificationType.THREAD_REPLY,
+							 msg, thread.get_view_url(), thread.package)

-		else:
-			flash("Comment needs to be between 3 and 500 characters.")
+			if mentioned not in thread.watchers:
+				thread.watchers.append(mentioned)

-	return render_template("threads/view.html", thread=thread)
+		msg = "New comment on '{}'".format(thread.title)
+		add_notification(thread.watchers, current_user, NotificationType.THREAD_REPLY, msg, thread.get_view_url(), thread.package)
+
+		if thread.author == get_system_user():
+			approvers = User.query.filter(User.rank >= UserRank.APPROVER).all()
+			add_notification(approvers, current_user, NotificationType.EDITOR_MISC, msg,
+							 thread.get_view_url(), thread.package)
+			post_discord_webhook.delay(current_user.display_name,
+					"Replied to bot messages: {}".format(thread.get_view_url(absolute=True)), True)
+
+		db.session.commit()
+
+		return redirect(thread.get_view_url())
+
+	return render_template("threads/view.html", thread=thread, form=form)


 class ThreadForm(FlaskForm):
-	title	= StringField("Title", [InputRequired(), Length(3,100)])
-	comment = TextAreaField("Comment", [InputRequired(), Length(10, 500)])
-	private = BooleanField("Private")
-	submit  = SubmitField("Open Thread")
+	title	= StringField(lazy_gettext("Title"), [InputRequired(), Length(3,100)])
+	comment = TextAreaField(lazy_gettext("Comment"), [InputRequired(), Length(10, 2000)], filters=[normalize_line_endings])
+	btn_submit  = SubmitField(lazy_gettext("Open Thread"))
+

@bp.route("/threads/new/", methods=["GET", "POST"])
@login_required
@@ -135,80 +296,112 @@ def new():
 	if "pid" in request.args:
 		package = Package.query.get(int(request.args.get("pid")))
 		if package is None:
-			flash("Unable to find that package!", "error")
+			abort(404)

-	# Don't allow making orphan threads on approved packages for now
-	if package is None:
-		abort(403)
+	if package is None and not current_user.rank.at_least(UserRank.APPROVER):
+		abort(404)

-	def_is_private   = request.args.get("private") or False
-	if package is None:
-		def_is_private = True
-	allow_change     = package and package.approved
 	is_review_thread = package and not package.approved
+	is_private_thread = is_review_thread

 	# Check that user can make the thread
-	if not package.checkPerm(current_user, Permission.CREATE_THREAD):
-		flash("Unable to create thread!", "error")
+	if package and not package.check_perm(current_user, Permission.CREATE_THREAD):
+		flash(gettext("Unable to create thread!"), "danger")
 		return redirect(url_for("homepage.home"))

 	# Only allow creating one thread when not approved
 	elif is_review_thread and package.review_thread is not None:
-		flash("A review thread already exists!", "error")
-		return redirect(url_for("threads.view", id=package.review_thread.id))
+		# Redirect submit to `view` page, which checks for `title` in the form data and so won't commit the reply
+		flash(gettext("An approval thread already exists! Consider replying there instead"), "danger")
+		return redirect(package.review_thread.get_view_url(), code=307)

-	elif not current_user.canOpenThreadRL():
-		flash("Please wait before opening another thread", "danger")
+	elif not current_user.can_open_thread_ratelimit():
+		flash(gettext("Please wait before opening another thread"), "danger")

 		if package:
-			return redirect(package.getDetailsURL())
+			return redirect(package.get_url("packages.view"))
 		else:
 			return redirect(url_for("homepage.home"))

 	# Set default values
 	elif request.method == "GET":
-		form.private.data = def_is_private
 		form.title.data   = request.args.get("title") or ""

 	# Validate and submit
-	elif request.method == "POST" and form.validate():
-		thread = Thread()
-		thread.author  = current_user
-		thread.title   = form.title.data
-		thread.private = form.private.data if allow_change else def_is_private
-		thread.package = package
-		db.session.add(thread)
-
-		thread.watchers.append(current_user)
-		if package is not None and package.author != current_user:
-			thread.watchers.append(package.author)
-
-		reply = ThreadReply()
-		reply.thread  = thread
-		reply.author  = current_user
-		reply.comment = form.comment.data
-		db.session.add(reply)
-
-		thread.replies.append(reply)
-
-		db.session.commit()
-
-		if is_review_thread:
-			package.review_thread = thread
-
-		notif_msg = None
-		if package is not None:
-			notif_msg = "New thread '{}' on package {}".format(thread.title, package.title)
-			triggerNotif(package.author, current_user, notif_msg, url_for("threads.view", id=thread.id))
+	elif form.validate_on_submit():
+		if has_blocked_domains(form.comment.data, current_user.username, f"new thread"):
+			flash(gettext("Linking to blocked sites is not allowed"), "danger")
 		else:
+			thread = Thread()
+			thread.author  = current_user
+			thread.title   = form.title.data
+			thread.private = is_private_thread
+			thread.package = package
+			db.session.add(thread)
+
+			thread.watchers.append(current_user)
+			if package and package.author != current_user:
+				thread.watchers.append(package.author)
+
+			reply = ThreadReply()
+			reply.thread  = thread
+			reply.author  = current_user
+			reply.comment = form.comment.data
+			db.session.add(reply)
+
+			thread.replies.append(reply)
+
+			db.session.commit()
+
+			if is_review_thread:
+				package.review_thread = thread
+
+			for mentioned_username in get_user_mentions(render_markdown(form.comment.data)):
+				mentioned = User.query.filter_by(username=mentioned_username).first()
+				if mentioned is None:
+					continue
+
+				msg = "Mentioned by {} in new thread '{}'".format(current_user.display_name, thread.title)
+				add_notification(mentioned, current_user, NotificationType.NEW_THREAD,
+								 msg, thread.get_view_url(), thread.package)
+
+				if mentioned not in thread.watchers:
+					thread.watchers.append(mentioned)
+
 			notif_msg = "New thread '{}'".format(thread.title)
+			if package is not None:
+				add_notification(package.maintainers, current_user, NotificationType.NEW_THREAD, notif_msg, thread.get_view_url(), package)

-		for user in User.query.filter(User.rank >= UserRank.EDITOR).all():
-			triggerNotif(user, current_user, notif_msg, url_for("threads.view", id=thread.id))
+			approvers = User.query.filter(User.rank >= UserRank.APPROVER).all()
+			add_notification(approvers, current_user, NotificationType.EDITOR_MISC, notif_msg, thread.get_view_url(), package)

-		db.session.commit()
+			if is_review_thread:
+				post_discord_webhook.delay(current_user.display_name,
+						"Opened approval thread: {}".format(thread.get_view_url(absolute=True)), True)

-		return redirect(url_for("threads.view", id=thread.id))
+			db.session.commit()
+
+			return redirect(thread.get_view_url())
+
+	return render_template("threads/new.html", form=form, package=package)


-	return render_template("threads/new.html", form=form, allow_private_change=allow_change, package=package)
+@bp.route("/users/<username>/comments/")
+def user_comments(username):
+	user = User.query.filter_by(username=username).first()
+	if user is None:
+		abort(404)
+
+	page = get_int_or_abort(request.args.get("page"), 1)
+	num = min(40, get_int_or_abort(request.args.get("n"), 40))
+
+	# Filter replies the current user can see
+	query = ThreadReply.query.options(selectinload(ThreadReply.thread)).filter_by(author=user)
+	only_public = False
+	if current_user != user and not (current_user.is_authenticated and current_user.rank.at_least(UserRank.APPROVER)):
+		query = query.filter(ThreadReply.thread.has(private=False))
+		only_public = True
+
+	pagination = query.order_by(db.desc(ThreadReply.created_at)).paginate(page=page, per_page=num)
+
+	return render_template("threads/user_comments.html", user=user, pagination=pagination, only_public=only_public)
--- a/app/blueprints/thumbnails/init.py
+++ b/app/blueprints/thumbnails/init.py
@@ -1,74 +1,145 @@
-# Content DB
-# Copyright (C) 2018  rubenwardy
+# ContentDB
+# Copyright (C) 2018-21 rubenwardy
 #
 # This program is free software: you can redistribute it and/or modify
-# it under the terms of the GNU General Public License as published by
+# it under the terms of the GNU Affero General Public License as published by
 # the Free Software Foundation, either version 3 of the License, or
 # (at your option) any later version.
 #
 # This program is distributed in the hope that it will be useful,
 # but WITHOUT ANY WARRANTY; without even the implied warranty of
 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
-# GNU General Public License for more details.
+# GNU Affero General Public License for more details.
 #
-# You should have received a copy of the GNU General Public License
+# You should have received a copy of the GNU Affero General Public License
 # along with this program.  If not, see <https://www.gnu.org/licenses/>.

-
-from flask import *
-
-bp = Blueprint("thumbnails", __name__)
-
+import re
+import requests
+from flask import abort, send_file, Blueprint, current_app, request
 import os
 from PIL import Image

-ALLOWED_RESOLUTIONS=[(100,67), (270,180), (350,233)]
+
+bp = Blueprint("thumbnails", __name__)
+
+
+ALLOWED_RESOLUTIONS = [(100, 67), (270, 180), (350, 233), (1100, 520)]
+ALLOWED_MIMETYPES = {
+	"png": "image/png",
+	"webp": "image/webp",
+	"jpg": "image/jpeg",
+}
+

 def mkdir(path):
-	if not os.path.isdir(path):
-		os.mkdir(path)
+	assert path != "" and path is not None
+	try:
+		if not os.path.isdir(path):
+			os.mkdir(path)
+	except FileExistsError:
+		pass

-mkdir("app/public/thumbnails/")

 def resize_and_crop(img_path, modified_path, size):
-	img = Image.open(img_path)
+	with Image.open(img_path) as img:
+		# Get current and desired ratio for the images
+		img_ratio = img.size[0] / float(img.size[1])
+		desired_ratio = size[0] / float(size[1])

-	# Get current and desired ratio for the images
-	img_ratio = img.size[0] / float(img.size[1])
-	ratio = size[0] / float(size[1])
+		# Is more portrait than target, scale and crop
+		if desired_ratio > img_ratio:
+			img = img.resize((int(size[0]), int(size[0] * img.size[1] / img.size[0])),
+					Image.BICUBIC)
+			box = (0, (img.size[1] - size[1]) / 2, img.size[0], (img.size[1] + size[1]) / 2)
+			img = img.crop(box)

-	# Is more portrait than target, scale and crop
-	if ratio > img_ratio:
-		img = img.resize((int(size[0]), int(size[0] * img.size[1] / img.size[0])),
-				Image.BICUBIC)
-		box = (0, (img.size[1] - size[1]) / 2, img.size[0], (img.size[1] + size[1]) / 2)
-		img = img.crop(box)
+		# Is more landscape than target, scale and crop
+		elif desired_ratio < img_ratio:
+			img = img.resize((int(size[1] * img.size[0] / img.size[1]), int(size[1])),
+					Image.BICUBIC)
+			box = ((img.size[0] - size[0]) / 2, 0, (img.size[0] + size[0]) / 2, img.size[1])
+			img = img.crop(box)

-	# Is more landscape than target, scale and crop
-	elif ratio < img_ratio:
-		img = img.resize((int(size[1] * img.size[0] / img.size[1]), int(size[1])),
-				Image.BICUBIC)
-		box = ((img.size[0] - size[0]) / 2, 0, (img.size[0] + size[0]) / 2, img.size[1])
-		img = img.crop(box)
+		# Is exactly the same ratio as target
+		else:
+			img = img.resize(size, Image.BICUBIC)

-	# Is exactly the same ratio as target
-	else:
-		img = img.resize(size, Image.BICUBIC)
+		if modified_path.endswith(".jpg") and img.mode != "RGB":
+			img = img.convert("RGB")

-	img.save(modified_path)
+		img.save(modified_path, lossless=True)
+
+
+def find_source_file(img):
+	upload_dir = current_app.config["UPLOAD_DIR"]
+	source_filepath = os.path.join(upload_dir, img)
+	if os.path.isfile(source_filepath):
+		return source_filepath
+
+	period = source_filepath.rfind(".")
+	start = source_filepath[:period]
+	ext = source_filepath[period + 1:]
+	if ext not in ALLOWED_MIMETYPES:
+		abort(404)
+
+	for other_ext in ALLOWED_MIMETYPES.keys():
+		other_path = f"{start}.{other_ext}"
+		if ext != other_ext and os.path.isfile(other_path):
+			return other_path
+
+	abort(404)
+
+
+def get_mimetype(cache_filepath: str) -> str:
+	period = cache_filepath.rfind(".")
+	ext = cache_filepath[period + 1:]
+	mimetype = ALLOWED_MIMETYPES.get(ext)
+	if mimetype is None:
+		abort(404)
+	return mimetype


@bp.route("/thumbnails/<int:level>/<img>")
 def make_thumbnail(img, level):
 	if level > len(ALLOWED_RESOLUTIONS) or level <= 0:
 		abort(403)
-
 	w, h = ALLOWED_RESOLUTIONS[level - 1]

-	mkdir("app/public/thumbnails/{:d}/".format(level))
+	thumbnail_dir = current_app.config["THUMBNAIL_DIR"]
+	mkdir(thumbnail_dir)

-	cache_filepath  = "public/thumbnails/{:d}/{}".format(level, img)
-	source_filepath = "public/uploads/" + img
+	output_dir = os.path.join(thumbnail_dir, str(level))
+	mkdir(output_dir)

-	resize_and_crop("app/" + source_filepath, "app/" + cache_filepath, (w, h))
-	return send_file(cache_filepath)
+	cache_filepath = os.path.join(output_dir, img)
+	if not os.path.isfile(cache_filepath):
+		source_filepath = find_source_file(img)
+		resize_and_crop(source_filepath, cache_filepath, (w, h))
+
+	res = send_file(cache_filepath, mimetype=get_mimetype(cache_filepath))
+	res.headers["Cache-Control"] = "max-age=604800" # 1 week
+	return res
+
+
+@bp.route("/thumbnails/youtube/<id_>.jpg")
+def youtube(id_: str):
+	if not re.match(r"^[A-Za-z0-9\-_]+$", id_):
+		abort(400)
+
+	cache_dir = os.path.join(current_app.config["THUMBNAIL_DIR"], "youtube")
+	os.makedirs(cache_dir, exist_ok=True)
+	cache_filepath = os.path.join(cache_dir, id_ + ".jpg")
+
+	url = f"https://img.youtube.com/vi/{id_}/default.jpg"
+
+	response = requests.get(url, stream=True)
+	if response.status_code != 200:
+		abort(response.status_code)
+
+	with open(cache_filepath, "wb") as file:
+		file.write(response.content)
+
+	res = send_file(cache_filepath)
+	res.headers["Cache-Control"] = "max-age=604800"  # 1 week
+	return res
--- a/app/blueprints/todo/init.py
+++ b/app/blueprints/todo/init.py
@@ -1,102 +1,22 @@
-# Content DB
-# Copyright (C) 2018  rubenwardy
+# ContentDB
+# Copyright (C) 2018-21 rubenwardy
 #
 # This program is free software: you can redistribute it and/or modify
-# it under the terms of the GNU General Public License as published by
+# it under the terms of the GNU Affero General Public License as published by
 # the Free Software Foundation, either version 3 of the License, or
 # (at your option) any later version.
 #
 # This program is distributed in the hope that it will be useful,
 # but WITHOUT ANY WARRANTY; without even the implied warranty of
 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
-# GNU General Public License for more details.
+# GNU Affero General Public License for more details.
 #
-# You should have received a copy of the GNU General Public License
+# You should have received a copy of the GNU Affero General Public License
 # along with this program.  If not, see <https://www.gnu.org/licenses/>.

-from flask import *
-from flask_user import *
-import flask_menu as menu
-from app.models import *
-from app.querybuilder import QueryBuilder
-from app.utils import get_int_or_abort
+
+from flask import Blueprint

 bp = Blueprint("todo", __name__)

-@bp.route("/todo/", methods=["GET", "POST"])
-@login_required
-def view():
-	canApproveNew = Permission.APPROVE_NEW.check(current_user)
-	canApproveRel = Permission.APPROVE_RELEASE.check(current_user)
-	canApproveScn = Permission.APPROVE_SCREENSHOT.check(current_user)
-
-	packages = None
-	if canApproveNew:
-		packages = Package.query.filter_by(approved=False, soft_deleted=False).order_by(db.desc(Package.created_at)).all()
-
-	releases = None
-	if canApproveRel:
-		releases = PackageRelease.query.filter_by(approved=False).all()
-
-	screenshots = None
-	if canApproveScn:
-		screenshots = PackageScreenshot.query.filter_by(approved=False).all()
-
-	if not canApproveNew and not canApproveRel and not canApproveScn:
-		abort(403)
-
-	if request.method == "POST":
-		if request.form["action"] == "screenshots_approve_all":
-			if not canApproveScn:
-				abort(403)
-
-			PackageScreenshot.query.update({ "approved": True })
-			db.session.commit()
-			return redirect(url_for("todo.view"))
-		else:
-			abort(400)
-
-	topic_query = ForumTopic.query \
-			.filter_by(discarded=False)
-
-	total_topics = topic_query.count()
-	topics_to_add = topic_query \
-			.filter(~ db.exists().where(Package.forums==ForumTopic.topic_id)) \
-			.count()
-
-	return render_template("todo/list.html", title="Reports and Work Queue",
-		packages=packages, releases=releases, screenshots=screenshots,
-		canApproveNew=canApproveNew, canApproveRel=canApproveRel, canApproveScn=canApproveScn,
-		topics_to_add=topics_to_add, total_topics=total_topics)
-
-
-@bp.route("/todo/topics/")
-@login_required
-def topics():
-	qb    = QueryBuilder(request.args)
-	qb.setSortIfNone("date")
-	query = qb.buildTopicQuery()
-
-	tmp_q = ForumTopic.query
-	if not qb.show_discarded:
-		tmp_q = tmp_q.filter_by(discarded=False)
-	total = tmp_q.count()
-	topic_count = query.count()
-
-	page  = get_int_or_abort(request.args.get("page"), 1)
-	num   = get_int_or_abort(request.args.get("n"), 100)
-	if num > 100 and not current_user.rank.atLeast(UserRank.EDITOR):
-		num = 100
-
-	query = query.paginate(page, num, True)
-	next_url = url_for("todo.topics", page=query.next_num, query=qb.search, \
-	 	show_discarded=qb.show_discarded, n=num, sort=qb.order_by) \
-			if query.has_next else None
-	prev_url = url_for("todo.topics", page=query.prev_num, query=qb.search, \
-	 	show_discarded=qb.show_discarded, n=num, sort=qb.order_by) \
-			if query.has_prev else None
-
-	return render_template("todo/topics.html", topics=query.items, total=total, \
-			topic_count=topic_count, query=qb.search, show_discarded=qb.show_discarded, \
-			next_url=next_url, prev_url=prev_url, page=page, page_max=query.pages, \
-			n=num, sort_by=qb.order_by)
+from . import editor, user
--- a/app/blueprints/todo/editor.py
+++ b/app/blueprints/todo/editor.py
@@ -0,0 +1,217 @@
+# ContentDB
+# Copyright (C) 2018-23 rubenwardy
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU Affero General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU Affero General Public License for more details.
+#
+# You should have received a copy of the GNU Affero General Public License
+# along with this program.  If not, see <https://www.gnu.org/licenses/>.
+
+
+from flask import redirect, url_for, abort, render_template, request
+from flask_login import current_user, login_required
+from sqlalchemy import or_, and_
+
+from app.models import Package, PackageState, PackageScreenshot, PackageUpdateConfig, ForumTopic, db, \
+	PackageRelease, Permission, UserRank, License, MetaPackage, Dependency, AuditLogEntry, Tag, LuantiRelease, Report
+from app.querybuilder import QueryBuilder
+from app.utils import get_int_or_abort, is_yes, rank_required
+from . import bp
+
+
+@bp.route("/todo/", methods=["GET", "POST"])
+@login_required
+def view_editor():
+	can_approve_new = Permission.APPROVE_NEW.check(current_user)
+	can_approve_rel = Permission.APPROVE_RELEASE.check(current_user)
+	can_approve_scn = Permission.APPROVE_SCREENSHOT.check(current_user)
+
+	packages = None
+	wip_packages = None
+	if can_approve_new:
+		packages = Package.query.filter_by(state=PackageState.READY_FOR_REVIEW) \
+			.order_by(db.desc(Package.created_at)).all()
+		wip_packages = Package.query \
+			.filter(or_(Package.state == PackageState.WIP, Package.state == PackageState.CHANGES_NEEDED)) \
+			.order_by(db.desc(Package.created_at)).all()
+
+	releases = None
+	if can_approve_rel:
+		releases = PackageRelease.query.filter_by(approved=False, task_id=None).all()
+
+	screenshots = None
+	if can_approve_scn:
+		screenshots = PackageScreenshot.query.filter_by(approved=False).all()
+
+	if not can_approve_new and not can_approve_rel and not can_approve_scn:
+		abort(403)
+
+	if request.method == "POST":
+		if request.form["action"] == "screenshots_approve_all":
+			if not can_approve_scn:
+				abort(403)
+
+			PackageScreenshot.query.update({"approved": True})
+			db.session.commit()
+			return redirect(url_for("todo.view_editor"))
+		else:
+			abort(400)
+
+	license_needed = Package.query \
+		.filter(Package.state.in_([PackageState.READY_FOR_REVIEW, PackageState.APPROVED])) \
+		.filter(or_(Package.license.has(License.name.like("Other %")),
+			Package.media_license.has(License.name.like("Other %")))) \
+		.all()
+
+	total_packages = Package.query.filter_by(state=PackageState.APPROVED).count()
+	total_to_tag = Package.query.filter_by(state=PackageState.APPROVED, tags=None).count()
+
+	unfulfilled_meta_packages = MetaPackage.query \
+		.filter(~ MetaPackage.packages.any(state=PackageState.APPROVED)) \
+		.filter(MetaPackage.dependencies.any(Dependency.depender.has(state=PackageState.APPROVED), optional=False)) \
+		.order_by(db.asc(MetaPackage.name)).count()
+
+	audit_log = AuditLogEntry.query \
+		.filter(AuditLogEntry.package.has()) \
+		.order_by(db.desc(AuditLogEntry.created_at)) \
+		.limit(20).all()
+
+	reports = Report.query.filter_by(is_resolved=False).order_by(db.asc(Report.created_at)).all() if current_user.rank.at_least(UserRank.EDITOR) else None
+
+	return render_template("todo/editor.html", current_tab="editor",
+			packages=packages, wip_packages=wip_packages, releases=releases, screenshots=screenshots,
+			can_approve_new=can_approve_new, can_approve_rel=can_approve_rel, can_approve_scn=can_approve_scn,
+			license_needed=license_needed, total_packages=total_packages, total_to_tag=total_to_tag,
+			unfulfilled_meta_packages=unfulfilled_meta_packages, audit_log=audit_log, reports=reports)
+
+
+@bp.route("/todo/tags/")
+@login_required
+def tags():
+	qb    = QueryBuilder(request.args, cookies=True)
+	qb.set_sort_if_none("score", "desc")
+	query = qb.build_package_query()
+
+	only_no_tags = is_yes(request.args.get("no_tags"))
+	if only_no_tags:
+		query = query.filter(Package.tags == None)
+
+	tags = Tag.query.order_by(db.asc(Tag.title)).all()
+
+	return render_template("todo/tags.html", current_tab="tags", packages=query.all(),
+			tags=tags, only_no_tags=only_no_tags)
+
+
+@bp.route("/todo/modnames/")
+@login_required
+def modnames():
+	mnames = MetaPackage.query \
+			.filter(~ MetaPackage.packages.any(state=PackageState.APPROVED)) \
+			.filter(MetaPackage.dependencies.any(Dependency.depender.has(state=PackageState.APPROVED), optional=False)) \
+			.order_by(db.asc(MetaPackage.name)).all()
+
+	return render_template("todo/modnames.html", modnames=mnames)
+
+
+@bp.route("/todo/outdated/")
+@login_required
+def outdated():
+	is_mtm_only = is_yes(request.args.get("mtm"))
+
+	query = db.session.query(Package).select_from(PackageUpdateConfig) \
+			.filter(PackageUpdateConfig.outdated_at.isnot(None)) \
+			.join(PackageUpdateConfig.package) \
+			.filter(Package.state == PackageState.APPROVED)
+
+	if is_mtm_only:
+		query = query.filter(Package.repo.ilike("%github.com/minetest-mods/%"))
+
+	sort_by = request.args.get("sort")
+	if sort_by == "date":
+		query = query.order_by(db.desc(PackageUpdateConfig.outdated_at))
+	else:
+		sort_by = "score"
+		query = query.order_by(db.desc(Package.score))
+
+	return render_template("todo/outdated.html", current_tab="outdated",
+			outdated_packages=query.all(), sort_by=sort_by, is_mtm_only=is_mtm_only)
+
+
+@bp.route("/todo/screenshots/")
+@login_required
+def screenshots():
+	is_mtm_only = is_yes(request.args.get("mtm"))
+
+	query = db.session.query(Package) \
+			.filter(~Package.screenshots.any()) \
+			.filter(Package.state == PackageState.APPROVED)
+
+	if is_mtm_only:
+		query = query.filter(Package.repo.ilike("%github.com/minetest-mods/%"))
+
+	sort_by = request.args.get("sort")
+	if sort_by == "date":
+		query = query.order_by(db.desc(Package.approved_at))
+	else:
+		sort_by = "score"
+		query = query.order_by(db.desc(Package.score))
+
+	return render_template("todo/screenshots.html", current_tab="screenshots",
+			packages=query.all(), sort_by=sort_by, is_mtm_only=is_mtm_only)
+
+
+@bp.route("/todo/mtver_support/")
+@login_required
+def mtver_support():
+	is_mtm_only = is_yes(request.args.get("mtm"))
+
+	current_stable = LuantiRelease.query.filter(~LuantiRelease.name.like("%-dev")).order_by(db.desc(LuantiRelease.id)).first()
+
+	query = db.session.query(Package) \
+			.filter(~Package.releases.any(or_(PackageRelease.max_rel==None, PackageRelease.max_rel == current_stable))) \
+			.filter(Package.state == PackageState.APPROVED)
+
+	if is_mtm_only:
+		query = query.filter(Package.repo.ilike("%github.com/minetest-mods/%"))
+
+	sort_by = request.args.get("sort")
+	if sort_by == "date":
+		query = query.order_by(db.desc(Package.approved_at))
+	else:
+		sort_by = "score"
+		query = query.order_by(db.desc(Package.score))
+
+	return render_template("todo/mtver_support.html", current_tab="screenshots",
+			packages=query.all(), sort_by=sort_by, is_mtm_only=is_mtm_only, current_stable=current_stable)
+
+
+@bp.route("/todo/topics/mismatch/")
+@rank_required(UserRank.EDITOR)
+def topics_mismatch():
+	missing_topics = Package.query.filter(Package.forums.is_not(None)) .filter(~ForumTopic.query.filter(ForumTopic.topic_id == Package.forums).exists()).all()
+
+	packages_bad_author = (
+		db.session.query(Package, ForumTopic)
+		.select_from(Package)
+		.join(ForumTopic, Package.forums == ForumTopic.topic_id)
+		.filter(Package.author_id != ForumTopic.author_id)
+		.all())
+
+	packages_bad_title = (
+		db.session.query(Package, ForumTopic)
+		.select_from(Package)
+		.join(ForumTopic, Package.forums == ForumTopic.topic_id)
+		.filter(and_(ForumTopic.name != Package.name, ~ForumTopic.title.ilike("%" + Package.title + "%"), ~ForumTopic.title.ilike("%" + Package.name + "%")))
+		.all())
+
+	return render_template("todo/topics_mismatch.html",
+			missing_topics=missing_topics,
+			packages_bad_author=packages_bad_author,
+			packages_bad_title=packages_bad_title)
--- a/app/blueprints/todo/user.py
+++ b/app/blueprints/todo/user.py
@@ -0,0 +1,194 @@
+# ContentDB
+# Copyright (C) 2018-23 rubenwardy
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU Affero General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU Affero General Public License for more details.
+#
+# You should have received a copy of the GNU Affero General Public License
+# along with this program.  If not, see <https://www.gnu.org/licenses/>.
+
+from celery import uuid
+from flask import redirect, url_for, abort, render_template, flash
+from flask_babel import gettext
+from flask_login import current_user, login_required
+from sqlalchemy import or_, and_
+
+from app.models import User, Package, PackageState, PackageScreenshot, PackageUpdateConfig, ForumTopic, db, \
+	PackageRelease, Permission, NotificationType, AuditSeverity, UserRank, PackageType
+from app.tasks.importtasks import make_vcs_release
+from app.utils import add_notification, add_audit_log
+from . import bp
+
+
+@bp.route("/user/tags/")
+def tags_user():
+	return redirect(url_for('todo.tags', author=current_user.username))
+
+
+@bp.route("/user/todo/")
+@bp.route("/users/<username>/todo/")
+@login_required
+def view_user(username=None):
+	if username is None:
+		return redirect(url_for("todo.view_user", username=current_user.username))
+
+	user: User = User.query.filter_by(username=username).first()
+	if not user:
+		abort(404)
+
+	if current_user != user and not current_user.rank.at_least(UserRank.APPROVER):
+		abort(403)
+
+	unapproved_packages = user.packages \
+			.filter(or_(Package.state == PackageState.WIP,
+				Package.state == PackageState.CHANGES_NEEDED)) \
+			.order_by(db.asc(Package.created_at)).all()
+
+	outdated_packages = user.maintained_packages \
+			.filter(Package.state != PackageState.DELETED,
+					Package.update_config.has(PackageUpdateConfig.outdated_at.isnot(None))) \
+			.order_by(db.asc(Package.title)).all()
+
+	missing_game_support = user.maintained_packages.filter(
+			Package.state != PackageState.DELETED,
+			Package.type.in_([PackageType.MOD, PackageType.TXP]),
+			~Package.supported_games.any(),
+			Package.supports_all_games == False) \
+			.order_by(db.asc(Package.title)).all()
+
+	packages_with_no_screenshots = user.maintained_packages.filter(
+			~Package.screenshots.any(), Package.state == PackageState.APPROVED).all()
+
+	packages_with_small_screenshots = user.maintained_packages \
+			.filter(Package.state != PackageState.DELETED,
+					Package.screenshots.any(and_(PackageScreenshot.width < PackageScreenshot.SOFT_MIN_SIZE[0],
+					PackageScreenshot.height < PackageScreenshot.SOFT_MIN_SIZE[1]))) \
+			.all()
+
+	topics_to_add = ForumTopic.query \
+			.filter_by(author_id=user.id) \
+			.filter(~ db.exists().where(Package.forums == ForumTopic.topic_id)) \
+			.order_by(db.asc(ForumTopic.name), db.asc(ForumTopic.title)) \
+			.all()
+
+	needs_tags = user.maintained_packages \
+		.filter(Package.state != PackageState.DELETED, ~Package.tags.any()) \
+		.order_by(db.asc(Package.title)).all()
+
+	return render_template("todo/user.html", current_tab="user", user=user,
+			unapproved_packages=unapproved_packages, outdated_packages=outdated_packages,
+			missing_game_support=missing_game_support, needs_tags=needs_tags, topics_to_add=topics_to_add,
+			packages_with_no_screenshots=packages_with_no_screenshots,
+			packages_with_small_screenshots=packages_with_small_screenshots,
+			screenshot_min_size=PackageScreenshot.HARD_MIN_SIZE, screenshot_rec_size=PackageScreenshot.SOFT_MIN_SIZE)
+
+
+@bp.route("/users/<username>/update-configs/apply-all/", methods=["POST"])
+@login_required
+def apply_all_updates(username):
+	user: User = User.query.filter_by(username=username).first()
+	if not user:
+		abort(404)
+
+	if current_user != user and not current_user.rank.at_least(UserRank.EDITOR):
+		abort(403)
+
+	outdated_packages = user.maintained_packages \
+		.filter(Package.state != PackageState.DELETED,
+			Package.update_config.has(PackageUpdateConfig.outdated_at.isnot(None))) \
+		.order_by(db.asc(Package.title)).all()
+
+	for package in outdated_packages:
+		if not package.check_perm(current_user, Permission.MAKE_RELEASE):
+			continue
+
+		if package.releases.filter(or_(PackageRelease.task_id.isnot(None),
+				PackageRelease.commit_hash == package.update_config.last_commit)).count() > 0:
+			continue
+
+		title = package.update_config.title
+		ref = package.update_config.get_ref()
+
+		rel = PackageRelease()
+		rel.package = package
+		rel.name = title
+		rel.title = title
+		rel.url = ""
+		rel.task_id = uuid()
+		db.session.add(rel)
+		db.session.commit()
+
+		make_vcs_release.apply_async((rel.id, ref),
+									 task_id=rel.task_id)
+
+		msg = "Created release {} (Applied all Git Update Detection)".format(rel.title)
+		add_notification(package.maintainers, current_user, NotificationType.PACKAGE_EDIT, msg,
+				package.get_url("packages.create_edit"), package)
+		add_audit_log(AuditSeverity.NORMAL, current_user, msg, package.get_url("packages.view"), package)
+		db.session.commit()
+
+	return redirect(url_for("todo.view_user", username=username))
+
+
+@bp.route("/user/game_support/")
+@bp.route("/users/<username>/game_support/")
+@login_required
+def all_game_support(username=None):
+	if username is None:
+		return redirect(url_for("todo.all_game_support", username=current_user.username))
+
+	user: User = User.query.filter_by(username=username).one_or_404()
+	if current_user != user and not current_user.rank.at_least(UserRank.EDITOR):
+		abort(403)
+
+	packages = user.maintained_packages.filter(
+				Package.state != PackageState.DELETED,
+				Package.type.in_([PackageType.MOD, PackageType.TXP])) \
+			.order_by(db.asc(Package.title)).all()
+
+	bulk_support_names = db.session.query(Package.title) \
+		.select_from(Package).filter(
+			Package.maintainers.contains(user),
+			Package.state != PackageState.DELETED,
+			Package.type.in_([PackageType.MOD, PackageType.TXP]),
+			~Package.supported_games.any(),
+			Package.supports_all_games == False) \
+		.order_by(db.asc(Package.title)).all()
+
+	bulk_support_names = ", ".join([x[0] for x in bulk_support_names])
+
+	return render_template("todo/game_support.html", user=user, packages=packages, bulk_support_names=bulk_support_names)
+
+
+@bp.route("/users/<username>/confirm_supports_all_games/", methods=["POST"])
+@login_required
+def confirm_supports_all_games(username=None):
+	user: User = User.query.filter_by(username=username).one_or_404()
+	if current_user != user and not current_user.rank.at_least(UserRank.EDITOR):
+		abort(403)
+
+	packages = user.maintained_packages.filter(
+		Package.state != PackageState.DELETED,
+		Package.type.in_([PackageType.MOD, PackageType.TXP]),
+		~Package.supported_games.any(),
+		Package.supports_all_games == False) \
+		.all()
+
+	for package in packages:
+		package.supports_all_games = True
+		db.session.merge(package)
+
+		add_audit_log(AuditSeverity.NORMAL, current_user, "Enabled 'Supports all games' (bulk)",
+					  package.get_url("packages.game_support"), package)
+
+	db.session.commit()
+
+	flash(gettext("Done"), "success")
+	return redirect(url_for("todo.all_game_support", username=current_user.username))
--- a/app/blueprints/translate/init.py
+++ b/app/blueprints/translate/init.py
@@ -0,0 +1,48 @@
+# ContentDB
+# Copyright (C) 2024 rubenwardy
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU Affero General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU Affero General Public License for more details.
+#
+# You should have received a copy of the GNU Affero General Public License
+# along with this program.  If not, see <https://www.gnu.org/licenses/>.
+
+
+from flask import Blueprint, render_template, request
+from sqlalchemy import or_
+
+from app.models import Package, PackageState, db, PackageTranslation
+
+bp = Blueprint("translate", __name__)
+
+
+@bp.route("/translate/")
+def translate():
+	query = Package.query.filter(
+			Package.state == PackageState.APPROVED,
+			or_(
+				Package.translation_url.is_not(None),
+				Package.translations.any(PackageTranslation.language_id != "en")
+			))
+
+	has_langs = request.args.getlist("has_lang")
+	for lang in has_langs:
+		query = query.filter(Package.translations.any(PackageTranslation.language_id == lang))
+
+	not_langs = request.args.getlist("not_lang")
+	for lang in not_langs:
+		query = query.filter(~Package.translations.any(PackageTranslation.language_id == lang))
+
+	supports_translation = (query
+			.order_by(Package.translation_url.is_(None), db.desc(Package.score))
+			.all())
+
+	return render_template("translate/index.html",
+			supports_translation=supports_translation, has_langs=has_langs, not_langs=not_langs)
--- a/app/blueprints/users/init.py
+++ b/app/blueprints/users/init.py
@@ -2,4 +2,4 @@ from flask import Blueprint

 bp = Blueprint("users", __name__)

-from . import githublogin, profile
+from . import profile, claim, account, settings
--- a/app/blueprints/users/account.py
+++ b/app/blueprints/users/account.py
@@ -0,0 +1,391 @@
+# ContentDB
+# Copyright (C) 2020  rubenwardy
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU Affero General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU Affero General Public License for more details.
+#
+# You should have received a copy of the GNU Affero General Public License
+# along with this program.  If not, see <https://www.gnu.org/licenses/>.
+
+import datetime
+
+from flask import redirect, abort, render_template, flash, request, url_for, Response
+from flask_babel import gettext, get_locale, lazy_gettext
+from flask_login import current_user, login_required, logout_user, login_user
+from flask_wtf import FlaskForm
+from sqlalchemy import or_
+from wtforms import StringField, SubmitField, BooleanField, PasswordField, validators
+from wtforms.validators import InputRequired, Length, Regexp, DataRequired, Optional, Email, EqualTo
+
+from app.tasks.emails import send_verify_email, send_anon_email, send_unsubscribe_verify, send_user_email
+from app.utils import random_string, make_flask_login_password, is_safe_url, check_password_hash, add_audit_log, \
+	nonempty_or_none, post_login
+from . import bp
+from app.models import User, AuditSeverity, db, EmailSubscription, UserEmailVerification
+from app.logic.users import create_user
+
+
+class LoginForm(FlaskForm):
+	username = StringField(lazy_gettext("Username or email"), [InputRequired()])
+	password = PasswordField(lazy_gettext("Password"), [InputRequired(), Length(6, 100)])
+	remember_me = BooleanField(lazy_gettext("Remember me"), default=True)
+	submit = SubmitField(lazy_gettext("Sign in"))
+
+
+def handle_login(form):
+	def show_safe_err(err):
+		if "@" in username:
+			flash(gettext("Incorrect email or password"), "danger")
+		else:
+			flash(err, "danger")
+
+	username = form.username.data.strip()
+	user = User.query.filter(or_(User.username == username, User.email == username)).first()
+	if user is None:
+		return show_safe_err(gettext(u"User %(username)s does not exist", username=username))
+
+	if not check_password_hash(user.password, form.password.data):
+		return show_safe_err(gettext(u"Incorrect password. Did you set one?"))
+
+	if not user.is_active:
+		flash(gettext("You need to confirm the registration email"), "danger")
+		return
+
+	add_audit_log(AuditSeverity.USER, user, "Logged in using password",
+				  url_for("users.profile", username=user.username))
+	db.session.commit()
+
+	if not login_user(user, remember=form.remember_me.data):
+		flash(gettext("Login failed"), "danger")
+		return
+
+	return post_login(user, request.args.get("next"))
+
+
+@bp.route("/user/login/", methods=["GET", "POST"])
+def login():
+	next = request.args.get("next")
+	if next and not is_safe_url(next):
+		abort(400)
+
+	if current_user.is_authenticated:
+		return redirect(next or url_for("homepage.home"))
+
+	form = LoginForm(request.form)
+	if form.validate_on_submit():
+		ret = handle_login(form)
+		if ret:
+			return ret
+
+	if request.method == "GET":
+		form.remember_me.data = True
+
+	return render_template("users/login.html", form=form, next=next)
+
+
+@bp.route("/user/logout/", methods=["GET", "POST"])
+def logout():
+	logout_user()
+	return redirect(url_for("homepage.home"))
+
+
+class RegisterForm(FlaskForm):
+	display_name = StringField(lazy_gettext("Display Name"), [Optional(), Length(1, 20)], filters=[nonempty_or_none])
+	username = StringField(lazy_gettext("Username"), [InputRequired(),
+			Regexp("^[a-zA-Z0-9._-]+$", message=lazy_gettext(
+				"Only alphabetic letters (A-Za-z), numbers (0-9), underscores (_), minuses (-), and periods (.) allowed"))])
+	email    = StringField(lazy_gettext("Email"), [InputRequired(), Email()])
+	password = PasswordField(lazy_gettext("Password"), [InputRequired(), Length(12, 100)])
+	question  = StringField(lazy_gettext("What is the result of the above calculation?"), [InputRequired()])
+	first_name = StringField("First name", [])
+	submit   = SubmitField(lazy_gettext("Register"))
+
+
+def handle_register(form):
+	if form.question.data.strip().lower() != "19":
+		flash(gettext("Incorrect captcha answer"), "danger")
+		return
+
+	user = create_user(form.username.data, form.display_name.data, form.email.data)
+	if isinstance(user, Response):
+		return user
+	elif user is None:
+		return
+	elif form.first_name.data != "":
+		abort(500)
+
+	user.password = make_flask_login_password(form.password.data)
+
+	add_audit_log(AuditSeverity.USER, user, "Registered with email, display name=" + user.display_name,
+				  url_for("users.profile", username=user.username))
+
+	token = random_string(32)
+
+	ver = UserEmailVerification()
+	ver.user = user
+	ver.token = token
+	ver.email = form.email.data
+	db.session.add(ver)
+	db.session.commit()
+
+	send_verify_email.delay(form.email.data, token, get_locale().language)
+
+	return redirect(url_for("users.email_sent"))
+
+
+@bp.route("/user/register/", methods=["GET", "POST"])
+def register():
+	form = RegisterForm(request.form)
+	if form.validate_on_submit():
+		ret = handle_register(form)
+		if ret:
+			return ret
+
+	return render_template("users/register.html", form=form)
+
+
+class ForgotPasswordForm(FlaskForm):
+	email = StringField(lazy_gettext("Email"), [InputRequired(), Email()])
+	submit = SubmitField(lazy_gettext("Reset Password"))
+
+
+@bp.route("/user/forgot-password/", methods=["GET", "POST"])
+def forgot_password():
+	form = ForgotPasswordForm(request.form)
+	if form.validate_on_submit():
+		email = form.email.data
+		user = User.query.filter_by(email=email).first()
+		if user:
+			token = random_string(32)
+
+			add_audit_log(AuditSeverity.USER, user, "(Anonymous) requested a password reset",
+						  url_for("users.profile", username=user.username), None)
+
+			ver = UserEmailVerification()
+			ver.user = user
+			ver.token = token
+			ver.email = email
+			ver.is_password_reset = True
+			db.session.add(ver)
+			db.session.commit()
+
+			send_verify_email.delay(form.email.data, token, get_locale().language)
+		else:
+			html = render_template("emails/unable_to_find_account.html")
+			send_anon_email.delay(email, get_locale().language, gettext("Unable to find account"),
+					html, html)
+
+		return redirect(url_for("users.email_sent"))
+
+	return render_template("users/forgot_password.html", form=form)
+
+
+class SetPasswordForm(FlaskForm):
+	email = StringField(lazy_gettext("Email"), [Optional(), Email()])
+	password = PasswordField(lazy_gettext("New password"), [InputRequired(), Length(12, 100)])
+	password2 = PasswordField(lazy_gettext("Verify password"), [InputRequired(), Length(12, 100),
+			EqualTo('password', message=lazy_gettext('Passwords must match'))])
+	submit = SubmitField(lazy_gettext("Save"))
+
+
+class ChangePasswordForm(FlaskForm):
+	old_password = PasswordField(lazy_gettext("Old password"), [InputRequired(), Length(6, 100)])
+	password = PasswordField(lazy_gettext("New password"), [InputRequired(), Length(12, 100)])
+	password2 = PasswordField(lazy_gettext("Verify password"), [InputRequired(), Length(12, 100),
+			validators.EqualTo('password', message=lazy_gettext('Passwords must match'))])
+	submit = SubmitField(lazy_gettext("Save"))
+
+
+def handle_set_password(form):
+	one = form.password.data
+	two = form.password2.data
+	if one != two:
+		flash(gettext("Passwords do not match"), "danger")
+		return
+
+	add_audit_log(AuditSeverity.USER, current_user, "Changed their password", url_for("users.profile", username=current_user.username))
+
+	current_user.password = make_flask_login_password(form.password.data)
+
+	if hasattr(form, "email"):
+		new_email = nonempty_or_none(form.email.data)
+		if new_email and new_email != current_user.email:
+			if EmailSubscription.query.filter_by(email=form.email.data, blacklisted=True).count() > 0:
+				flash(gettext(u"That email address has been unsubscribed/blacklisted, and cannot be used"), "danger")
+				return
+
+			user_by_email = User.query.filter_by(email=form.email.data).first()
+			if user_by_email:
+				send_anon_email.delay(form.email.data, get_locale().language, gettext("Email already in use"),
+					gettext(u"We were unable to create the account as the email is already in use by %(display_name)s. Try a different email address.",
+							display_name=user_by_email.display_name))
+			else:
+				token = random_string(32)
+
+				ver = UserEmailVerification()
+				ver.user = current_user
+				ver.token = token
+				ver.email = new_email
+				db.session.add(ver)
+				db.session.commit()
+
+				send_verify_email.delay(form.email.data, token, get_locale().language)
+
+			flash(gettext("Your password has been changed successfully."), "success")
+			return redirect(url_for("users.email_sent"))
+
+	db.session.commit()
+	flash(gettext("Your password has been changed successfully."), "success")
+	return redirect(url_for("homepage.home"))
+
+
+@bp.route("/user/change-password/", methods=["GET", "POST"])
+@login_required
+def change_password():
+	form = ChangePasswordForm(request.form)
+
+	if form.validate_on_submit():
+		if check_password_hash(current_user.password, form.old_password.data):
+			ret = handle_set_password(form)
+			if ret:
+				return ret
+		else:
+			flash(gettext("Old password is incorrect"), "danger")
+
+	return render_template("users/change_set_password.html", form=form)
+
+
+@bp.route("/user/set-password/", methods=["GET", "POST"])
+@login_required
+def set_password():
+	if current_user.password:
+		return redirect(url_for("users.change_password"))
+
+	form = SetPasswordForm(request.form)
+	if current_user.email is None:
+		form.email.validators = [InputRequired(), Email()]
+
+	if form.validate_on_submit():
+		ret = handle_set_password(form)
+		if ret:
+			return ret
+
+	return render_template("users/change_set_password.html", form=form)
+
+
+@bp.route("/user/verify/")
+def verify_email():
+	token = request.args.get("token")
+	ver: UserEmailVerification = UserEmailVerification.query.filter_by(token=token).first()
+	if ver is None:
+		flash(gettext("Unknown verification token!"), "danger")
+		return redirect(url_for("homepage.home"))
+
+	if ver.is_expired:
+		flash(gettext("Token has expired"), "danger")
+		db.session.delete(ver)
+		db.session.commit()
+		return redirect(url_for("homepage.home"))
+
+	user = ver.user
+
+	add_audit_log(AuditSeverity.USER, user, "Confirmed their email",
+				  url_for("users.profile", username=user.username))
+
+	was_activating = not user.is_active
+
+	if ver.email and user.email != ver.email:
+		if User.query.filter_by(email=ver.email).count() > 0:
+			flash(gettext("Another user is already using that email"), "danger")
+			return redirect(url_for("homepage.home"))
+
+		flash(gettext("Confirmed email change"), "success")
+
+		if user.email:
+			send_user_email.delay(user.email,
+					user.locale or "en",
+					gettext("Email address changed"),
+					gettext("Your email address has changed. If you didn't request this, please contact an administrator."))
+
+	user.is_active = True
+	user.email = ver.email
+
+	db.session.delete(ver)
+	db.session.commit()
+
+	if ver.is_password_reset:
+		login_user(user)
+		user.password = None
+		db.session.commit()
+
+		return redirect(url_for("users.set_password"))
+
+	if current_user.is_authenticated:
+		return redirect(url_for("users.profile", username=current_user.username))
+	elif was_activating:
+		flash(gettext("You may now log in"), "success")
+		return redirect(url_for("users.login"))
+	else:
+		return redirect(url_for("homepage.home"))
+
+
+class UnsubscribeForm(FlaskForm):
+	email = StringField(lazy_gettext("Email"), [InputRequired(), Email()])
+	submit = SubmitField(lazy_gettext("Send"))
+
+
+def unsubscribe_verify():
+	form = UnsubscribeForm(request.form)
+	if form.validate_on_submit():
+		email = form.email.data
+		sub = EmailSubscription.query.filter_by(email=email).first()
+		if not sub:
+			sub = EmailSubscription(email)
+			db.session.add(sub)
+
+		sub.token = random_string(32)
+		db.session.commit()
+		send_unsubscribe_verify.delay(form.email.data, get_locale().language)
+
+		return redirect(url_for("users.email_sent"))
+
+	return render_template("users/unsubscribe.html", form=form)
+
+
+def unsubscribe_manage(sub: EmailSubscription):
+	user = User.query.filter_by(email=sub.email).first()
+
+	if request.method == "POST":
+		if user:
+			user.email = None
+
+		sub.blacklisted = True
+		db.session.commit()
+
+		flash(gettext("That email is now blacklisted. Please contact an admin if you wish to undo this."), "success")
+		return redirect(url_for("homepage.home"))
+
+	return render_template("users/unsubscribe.html", user=user)
+
+
+@bp.route("/unsubscribe/", methods=["GET", "POST"])
+def unsubscribe():
+	token = request.args.get("token")
+	if token:
+		sub = EmailSubscription.query.filter_by(token=token).first()
+		if sub:
+			return unsubscribe_manage(sub)
+
+	return unsubscribe_verify()
+
+
+@bp.route("/email_sent/")
+def email_sent():
+	return render_template("users/email_sent.html")
--- a/app/blueprints/users/claim.py
+++ b/app/blueprints/users/claim.py
@@ -0,0 +1,118 @@
+# ContentDB
+# Copyright (C) 2018-21 rubenwardy
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU Affero General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU Affero General Public License for more details.
+#
+# You should have received a copy of the GNU Affero General Public License
+# along with this program.  If not, see <https://www.gnu.org/licenses/>.
+
+from flask_babel import gettext
+from flask_login import current_user
+
+from . import bp
+from flask import redirect, render_template, session, request, flash, url_for
+from app.models import db, User, UserRank
+from app.utils import random_string, login_user_set_active
+from app.tasks.forumtasks import check_forum_account
+from app.utils.phpbbparser import get_profile
+
+
+@bp.route("/user/claim/", methods=["GET", "POST"])
+def claim():
+	return render_template("users/claim.html")
+
+
+@bp.route("/user/claim-forums/", methods=["GET", "POST"])
+def claim_forums():
+	if current_user.is_authenticated:
+		return redirect(url_for("homepage.home"))
+
+	username = request.args.get("username")
+	if username is None:
+		username = ""
+	else:
+		method = request.args.get("method")
+
+		user = User.query.filter_by(forums_username=username).first()
+		if user and user.rank.at_least(UserRank.NEW_MEMBER):
+			flash(gettext("User has already been claimed"), "danger")
+			return redirect(url_for("users.claim_forums"))
+		elif method == "github":
+			if user is None or user.github_username is None:
+				flash(gettext("Unable to get GitHub username for user. Make sure the forum account exists."), "danger")
+				return redirect(url_for("users.claim_forums", username=username))
+			else:
+				return redirect(url_for("vcs.github_start"))
+
+	if "forum_token" in session:
+		token = session["forum_token"]
+	else:
+		token = random_string(12)
+		session["forum_token"] = token
+
+	if request.method == "POST":
+		ctype = request.form.get("claim_type")
+		username = request.form.get("username")
+
+		if User.query.filter(User.username == username, User.forums_username.is_(None)).first():
+			flash(gettext("A ContentDB user with that name already exists. Please contact an admin to link to your forum account"), "danger")
+			return redirect(url_for("users.claim_forums"))
+
+		if ctype == "github":
+			task = check_forum_account.delay(username)
+			return redirect(url_for("tasks.check", id=task.id, r=url_for("users.claim_forums", username=username, method="github")))
+		elif ctype == "forum":
+			user = User.query.filter_by(forums_username=username).first()
+			if user is not None and user.rank.at_least(UserRank.NEW_MEMBER):
+				flash(gettext("That user has already been claimed!"), "danger")
+				return redirect(url_for("users.claim_forums"))
+
+			# Get signature
+			try:
+				profile = get_profile("https://forum.luanti.org", username)
+				sig = profile.signature if profile else None
+			except IOError as e:
+				if hasattr(e, 'message'):
+					message = e.message
+				else:
+					message = str(e)
+
+				flash(gettext(u"Error whilst attempting to access forums: %(message)s", message=message), "danger")
+				return redirect(url_for("users.claim_forums", username=username))
+
+			if profile is None:
+				flash(gettext("Unable to get forum signature - does the user exist?"), "danger")
+				return redirect(url_for("users.claim_forums", username=username))
+
+			# Look for key
+			if sig and token in sig:
+				# Try getting again to fix crash
+				user = User.query.filter_by(forums_username=username).first()
+				if user is None:
+					user = User(username)
+					user.forums_username = username
+					db.session.add(user)
+					db.session.commit()
+
+				ret = login_user_set_active(user, remember=True)
+				if ret is None:
+					flash(gettext("Unable to login as user"), "danger")
+					return redirect(url_for("users.claim_forums", username=username))
+
+				return ret
+
+			else:
+				flash(gettext("Could not find the key in your signature!"), "danger")
+				return redirect(url_for("users.claim_forums", username=username))
+		else:
+			flash(gettext("Unknown claim type"), "danger")
+
+	return render_template("users/claim_forums.html", username=username, key="cdb_" + token)
--- a/app/blueprints/users/githublogin.py
+++ b/app/blueprints/users/githublogin.py
@@ -1,74 +0,0 @@
-# Content DB
-# Copyright (C) 2018  rubenwardy
-#
-# This program is free software: you can redistribute it and/or modify
-# it under the terms of the GNU General Public License as published by
-# the Free Software Foundation, either version 3 of the License, or
-# (at your option) any later version.
-#
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
-# GNU General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License
-# along with this program.  If not, see <https://www.gnu.org/licenses/>.
-
-
-from flask import *
-from flask_user import *
-from flask_login import login_user, logout_user
-from sqlalchemy import func
-import flask_menu as menu
-from flask_github import GitHub
-from . import bp
-from app import github
-from app.models import *
-from app.utils import loginUser
-
-@bp.route("/user/github/start/")
-def github_signin():
-	return github.authorize("")
-
-@bp.route("/user/github/callback/")
-@github.authorized_handler
-def github_authorized(oauth_token):
-	next_url = request.args.get("next")
-	if oauth_token is None:
-		flash("Authorization failed [err=gh-oauth-login-failed]", "danger")
-		return redirect(url_for("user.login"))
-
-	import requests
-
-	# Get Github username
-	url = "https://api.github.com/user"
-	r = requests.get(url, headers={"Authorization": "token " + oauth_token})
-	username = r.json()["login"]
-
-	# Get user by github username
-	userByGithub = User.query.filter(func.lower(User.github_username) == func.lower(username)).first()
-
-	# If logged in, connect
-	if current_user and current_user.is_authenticated:
-		if userByGithub is None:
-			current_user.github_username = username
-			db.session.commit()
-			flash("Linked github to account", "success")
-			return redirect(url_for("homepage.home"))
-		else:
-			flash("Github account is already associated with another user", "danger")
-			return redirect(url_for("homepage.home"))
-
-	# If not logged in, log in
-	else:
-		if userByGithub is None:
-			flash("Unable to find an account for that Github user", "error")
-			return redirect(url_for("users.claim"))
-		elif loginUser(userByGithub):
-			if current_user.password is None:
-				return redirect(next_url or url_for("users.set_password", optional=True))
-			else:
-				return redirect(next_url or url_for("homepage.home"))
-		else:
-			flash("Authorization failed [err=gh-login-failed]", "danger")
-			return redirect(url_for("user.login"))
--- a/app/blueprints/users/profile.py
+++ b/app/blueprints/users/profile.py
@@ -1,309 +1,287 @@
-# Content DB
-# Copyright (C) 2018  rubenwardy
+# ContentDB
+# Copyright (C) 2018-21 rubenwardy
 #
 # This program is free software: you can redistribute it and/or modify
-# it under the terms of the GNU General Public License as published by
+# it under the terms of the GNU Affero General Public License as published by
 # the Free Software Foundation, either version 3 of the License, or
 # (at your option) any later version.
 #
 # This program is distributed in the hope that it will be useful,
 # but WITHOUT ANY WARRANTY; without even the implied warranty of
 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
-# GNU General Public License for more details.
+# GNU Affero General Public License for more details.
 #
-# You should have received a copy of the GNU General Public License
+# You should have received a copy of the GNU Affero General Public License
 # along with this program.  If not, see <https://www.gnu.org/licenses/>.

+import math
+from typing import Optional, Tuple, List
+
+from flask import redirect, url_for, abort, render_template, request
+from flask_babel import gettext
+from flask_login import current_user, login_required
+from sqlalchemy import func, text
+
+from app.models import User, db, Package, PackageReview, PackageState, PackageType, UserRank, Collection
+from app.utils import get_daterange_options
+from app.tasks.forumtasks import check_forum_account

-from flask import *
-from flask_user import *
-from flask_login import login_user, logout_user
-from app import markdown
 from . import bp
-from app.models import *
-from flask_wtf import FlaskForm
-from wtforms import *
-from wtforms.validators import *
-from app.utils import randomString, loginUser, rank_required
-from app.tasks.forumtasks import checkForumAccount
-from app.tasks.emails import sendVerifyEmail, sendEmailRaw
-from app.tasks.phpbbparser import getProfile
-
-# Define the User profile form
-class UserProfileForm(FlaskForm):
-	display_name = StringField("Display name", [Optional(), Length(2, 20)])
-	email = StringField("Email", [Optional(), Email()], filters = [lambda x: x or None])
-	website_url = StringField("Website URL", [Optional(), URL()], filters = [lambda x: x or None])
-	donate_url = StringField("Donation URL", [Optional(), URL()], filters = [lambda x: x or None])
-	rank = SelectField("Rank", [Optional()], choices=UserRank.choices(), coerce=UserRank.coerce, default=UserRank.NEW_MEMBER)
-	submit = SubmitField("Save")


@bp.route("/users/", methods=["GET"])
 def list_all():
-	users = User.query.order_by(db.desc(User.rank), db.asc(User.display_name)).all()
+	users = db.session.query(User, func.count(Package.id)) \
+			.select_from(User).outerjoin(Package) \
+			.order_by(db.desc(User.rank), db.asc(User.display_name)) \
+			.group_by(User.id).all()
+
 	return render_template("users/list.html", users=users)


-@bp.route("/users/<username>/", methods=["GET", "POST"])
+@bp.route("/user/forum/<username>/")
+def by_forums_username(username):
+	user = User.query.filter_by(forums_username=username).first()
+	if user:
+		return redirect(url_for("users.profile", username=user.username))
+
+	return render_template("users/forums_no_such_user.html", username=username)
+
+
+class Medal:
+	description: str
+	color: Optional[str]
+	icon: str
+	title: Optional[str]
+	progress: Optional[Tuple[int, int]]
+
+	def __init__(self, description: str, **kwargs):
+		self.description = description
+		self.color = kwargs.get("color", "white")
+		self.icon = kwargs.get("icon", None)
+		self.title = kwargs.get("title", None)
+		self.progress = kwargs.get("progress", None)
+
+	@classmethod
+	def make_unlocked(cls, color: str, icon: str, title: str, description: str):
+		return Medal(description=description, color=color, icon=icon, title=title)
+
+	@classmethod
+	def make_locked(cls, description: str, progress: Tuple[int, int]):
+		if progress[0] is None or progress[1] is None:
+			raise Exception("Invalid progress")
+
+		return Medal(description=description, progress=progress)
+
+
+def place_to_color(place: int) -> str:
+	if place == 1:
+		return "gold"
+	elif place == 2:
+		return "#888"
+	elif place == 3:
+		return "#cd7f32"
+	else:
+		return "white"
+
+
+def get_user_medals(user: User) -> Tuple[List[Medal], List[Medal]]:
+	unlocked = []
+	locked = []
+
+	#
+	# REVIEWS
+	#
+
+	users_by_reviews = db.session.query(User.username, func.sum(PackageReview.score).label("karma")) \
+		.select_from(User).join(PackageReview) \
+		.group_by(User.username).order_by(text("karma DESC")).all()
+	try:
+		review_boundary = users_by_reviews[math.floor(len(users_by_reviews) * 0.25)][1] + 1
+	except IndexError:
+		review_boundary = None
+	usernames_by_reviews = [username for username, _ in users_by_reviews]
+
+	review_idx = None
+	review_percent = None
+	review_karma = 0
+	try:
+		review_idx = usernames_by_reviews.index(user.username)
+		review_percent = round(100 * review_idx / len(users_by_reviews), 1)
+		review_karma = max(users_by_reviews[review_idx][1], 0)
+	except ValueError:
+		pass
+
+	if review_percent is not None and review_percent < 25:
+		if review_idx == 0:
+			title = gettext(u"Top reviewer")
+			description = gettext(
+					u"%(display_name)s has written the most helpful reviews on ContentDB.",
+					display_name=user.display_name)
+		elif review_idx <= 2:
+			if review_idx == 1:
+				title = gettext(u"2nd most helpful reviewer")
+			else:
+				title = gettext(u"3rd most helpful reviewer")
+			description = gettext(
+					u"This puts %(display_name)s in the top %(perc)s%%",
+					display_name=user.display_name, perc=review_percent)
+		else:
+			title = gettext(u"Top %(perc)s%% reviewer", perc=review_percent)
+			description = gettext(u"Only %(place)d users have written more helpful reviews.", place=review_idx)
+
+		unlocked.append(Medal.make_unlocked(
+				place_to_color(review_idx + 1), "fa-star-half-alt", title, description))
+	elif review_boundary is not None:
+		description = gettext(u"Consider writing more helpful reviews to get a medal.")
+		if review_idx:
+			description += " " + gettext(u"You are in place %(place)s.", place=review_idx + 1)
+		locked.append(Medal.make_locked(
+				description, (review_karma, review_boundary)))
+
+	#
+	# TOP PACKAGES
+	#
+	all_package_ranks = db.session.query(
+			Package.type,
+			Package.author_id,
+			func.rank().over(
+					order_by=db.desc(Package.score),
+					partition_by=Package.type) \
+				.label("rank")).order_by(db.asc(text("rank"))) \
+		.filter_by(state=PackageState.APPROVED).subquery()
+
+	user_package_ranks = db.session.query(all_package_ranks) \
+		.filter_by(author_id=user.id) \
+		.filter(text("rank <= 30")) \
+		.all()
+
+	user_package_ranks = next(
+			(x for x in user_package_ranks if x[0] == PackageType.MOD or x[2] <= 10),
+			None)
+	if user_package_ranks:
+		top_rank = user_package_ranks[2]
+		top_type = PackageType.coerce(user_package_ranks[0])
+		title = top_type.get_top_ordinal(top_rank)
+		if top_type == PackageType.MOD:
+			icon = "fa-box"
+		elif top_type == PackageType.GAME:
+			icon = "fa-gamepad"
+		else:
+			icon = "fa-paint-brush"
+
+		description = top_type.get_top_ordinal_description(user.display_name, top_rank)
+		unlocked.append(
+				Medal.make_unlocked(place_to_color(top_rank), icon, title, description))
+
+	#
+	# DOWNLOADS
+	#
+	total_downloads = db.session.query(func.sum(Package.downloads)) \
+		.select_from(User) \
+		.join(User.packages) \
+		.filter(User.id == user.id,
+			Package.state == PackageState.APPROVED).scalar()
+	if total_downloads is None:
+		pass
+	elif total_downloads < 50000:
+		description = gettext(u"Your packages have %(downloads)d downloads in total.", downloads=total_downloads)
+		description += " " + gettext(u"First medal is at 50k.")
+		locked.append(Medal.make_locked(description, (total_downloads, 50000)))
+	else:
+		if total_downloads >= 300000:
+			place = 1
+			title = gettext(u">300k downloads")
+		elif total_downloads >= 100000:
+			place = 2
+			title = gettext(u">100k downloads")
+		elif total_downloads >= 75000:
+			place = 3
+			title = gettext(u">75k downloads")
+		else:
+			place = 10
+			title = gettext(u">50k downloads")
+		description = gettext(u"Has received %(downloads)d downloads across all packages.",
+				display_name=user.display_name, downloads=total_downloads)
+		unlocked.append(Medal.make_unlocked(place_to_color(place), "fa-users", title, description))
+
+	return unlocked, locked
+
+
+@bp.route("/users/<username>/")
 def profile(username):
 	user = User.query.filter_by(username=username).first()
 	if not user:
 		abort(404)

-	form = None
-	if user.checkPerm(current_user, Permission.CHANGE_DNAME) or \
-			user.checkPerm(current_user, Permission.CHANGE_EMAIL) or \
-			user.checkPerm(current_user, Permission.CHANGE_RANK):
-		# Initialize form
-		form = UserProfileForm(formdata=request.form, obj=user)
+	if not current_user.is_authenticated or (user != current_user and not current_user.can_access_todo_list()):
+		packages = user.packages.filter_by(state=PackageState.APPROVED)
+		maintained_packages = user.maintained_packages.filter_by(state=PackageState.APPROVED)
+	else:
+		packages = user.packages.filter(Package.state != PackageState.DELETED)
+		maintained_packages = user.maintained_packages.filter(Package.state != PackageState.DELETED)

-		# Process valid POST
-		if request.method=="POST" and form.validate():
-			# Copy form fields to user_profile fields
-			if user.checkPerm(current_user, Permission.CHANGE_DNAME):
-				user.display_name = form["display_name"].data
-				user.website_url  = form["website_url"].data
-				user.donate_url   = form["donate_url"].data
+	packages = packages.order_by(db.asc(Package.title)).all()
+	maintained_packages = maintained_packages \
+		.filter(Package.author != user) \
+		.order_by(db.asc(Package.title)).all()

-			if user.checkPerm(current_user, Permission.CHANGE_RANK):
-				newRank = form["rank"].data
-				if current_user.rank.atLeast(newRank):
-					user.rank = form["rank"].data
-				else:
-					flash("Can't promote a user to a rank higher than yourself!", "error")
-
-			if user.checkPerm(current_user, Permission.CHANGE_EMAIL):
-				newEmail = form["email"].data
-				if newEmail != user.email and newEmail.strip() != "":
-					token = randomString(32)
-
-					ver = UserEmailVerification()
-					ver.user  = user
-					ver.token = token
-					ver.email = newEmail
-					db.session.add(ver)
-					db.session.commit()
-
-					task = sendVerifyEmail.delay(newEmail, token)
-					return redirect(url_for("tasks.check", id=task.id, r=url_for("users.profile", username=username)))
-
-			# Save user_profile
-			db.session.commit()
-
-			# Redirect to home page
-			return redirect(url_for("users.profile", username=username))
-
-	packages = user.packages.filter_by(soft_deleted=False)
-	if not current_user.is_authenticated or (user != current_user and not current_user.canAccessTodoList()):
-		packages = packages.filter_by(approved=True)
-	packages = packages.order_by(db.asc(Package.title))
-
-	topics_to_add = None
-	if current_user == user or user.checkPerm(current_user, Permission.CHANGE_AUTHOR):
-		topics_to_add = ForumTopic.query \
-					.filter_by(author_id=user.id) \
-					.filter(~ db.exists().where(Package.forums==ForumTopic.topic_id)) \
-					.order_by(db.asc(ForumTopic.name), db.asc(ForumTopic.title)) \
-					.all()
+	pinned_collections = user.collections.filter(Collection.private == False,
+			Collection.pinned == True, Collection.packages.any()).all()

+	unlocked, locked = get_user_medals(user)
 	# Process GET or invalid POST
-	return render_template("users/profile.html",
-			user=user, form=form, packages=packages, topics_to_add=topics_to_add)
+	return render_template("users/profile.html", user=user,
+			packages=packages, maintained_packages=maintained_packages,
+			medals_unlocked=unlocked, medals_locked=locked, pinned_collections=pinned_collections)


-@bp.route("/users/<username>/check/", methods=["POST"])
+@bp.route("/users/<username>/check-forums/", methods=["POST"])
@login_required
-def user_check(username):
+def user_check_forums(username):
 	user = User.query.filter_by(username=username).first()
 	if user is None:
 		abort(404)

-	if current_user != user and not current_user.rank.atLeast(UserRank.MODERATOR):
+	if current_user != user and not current_user.rank.at_least(UserRank.MODERATOR):
 		abort(403)

 	if user.forums_username is None:
 		abort(404)

-	task = checkForumAccount.delay(user.forums_username)
+	task = check_forum_account.delay(user.forums_username, force_replace_pic=True)
 	next_url = url_for("users.profile", username=username)

 	return redirect(url_for("tasks.check", id=task.id, r=next_url))


-class SendEmailForm(FlaskForm):
-	subject = StringField("Subject", [InputRequired(), Length(1, 300)])
-	text    = TextAreaField("Message", [InputRequired()])
-	submit  = SubmitField("Send")
+@bp.route("/users/<username>/remove-profile-pic/", methods=["POST"])
+@login_required
+def user_remove_profile_pic(username):
+	user = User.query.filter_by(username=username).one_or_404()
+	if current_user != user and not current_user.rank.at_least(UserRank.MODERATOR):
+		abort(403)
+
+	user.profile_pic = None
+	db.session.commit()
+	return redirect(url_for("users.profile_edit", username=username))


-@bp.route("/users/<username>/email/", methods=["GET", "POST"])
-@rank_required(UserRank.MODERATOR)
-def send_email(username):
+@bp.route("/user/stats/")
+@login_required
+def statistics_redirect():
+	return redirect(url_for("users.statistics", username=current_user.username))
+
+
+@bp.route("/users/<username>/stats/")
+def statistics(username):
 	user = User.query.filter_by(username=username).first()
 	if user is None:
 		abort(404)

-	next_url = url_for("users.profile", username=user.username)
+	downloads = db.session.query(func.sum(Package.downloads)).filter(Package.author==user).one()

-	if user.email is None:
-		flash("User has no email address!", "error")
-		return redirect(next_url)
-
-	form = SendEmailForm(request.form)
-	if form.validate_on_submit():
-		text = form.text.data
-		html = markdown(text)
-		task = sendEmailRaw.delay([user.email], form.subject.data, text, html)
-		return redirect(url_for("tasks.check", id=task.id, r=next_url))
-
-	return render_template("users/send_email.html", form=form)
-
-
-
-class SetPasswordForm(FlaskForm):
-	email = StringField("Email", [Optional(), Email()])
-	password = PasswordField("New password", [InputRequired(), Length(2, 100)])
-	password2 = PasswordField("Verify password", [InputRequired(), Length(2, 100)])
-	submit = SubmitField("Save")
-
-@bp.route("/user/set-password/", methods=["GET", "POST"])
-@login_required
-def set_password():
-	if current_user.password is not None:
-		return redirect(url_for("user.change_password"))
-
-	form = SetPasswordForm(request.form)
-	if current_user.email == None:
-		form.email.validators = [InputRequired(), Email()]
-
-	if request.method == "POST" and form.validate():
-		one = form.password.data
-		two = form.password2.data
-		if one == two:
-			# Hash password
-			hashed_password = user_manager.hash_password(form.password.data)
-
-			# Change password
-			user_manager.update_password(current_user, hashed_password)
-
-			# Send 'password_changed' email
-			if user_manager.enable_email and user_manager.send_password_changed_email and current_user.email:
-				emails.send_password_changed_email(current_user)
-
-			# Send password_changed signal
-			signals.user_changed_password.send(current_app._get_current_object(), user=current_user)
-
-			# Prepare one-time system message
-			flash('Your password has been changed successfully.', 'success')
-
-			newEmail = form["email"].data
-			if newEmail != current_user.email and newEmail.strip() != "":
-				token = randomString(32)
-
-				ver = UserEmailVerification()
-				ver.user = current_user
-				ver.token = token
-				ver.email = newEmail
-				db.session.add(ver)
-				db.session.commit()
-
-				task = sendVerifyEmail.delay(newEmail, token)
-				return redirect(url_for("tasks.check", id=task.id, r=url_for("users.profile", username=current_user.username)))
-			else:
-				return redirect(url_for("users.profile", username=current_user.username))
-		else:
-			flash("Passwords do not match", "error")
-
-	return render_template("users/set_password.html", form=form, optional=request.args.get("optional"))
-
-
-@bp.route("/user/claim/", methods=["GET", "POST"])
-def claim():
-	username = request.args.get("username")
-	if username is None:
-		username = ""
-	else:
-		method = request.args.get("method")
-		user = User.query.filter_by(forums_username=username).first()
-		if user and user.rank.atLeast(UserRank.NEW_MEMBER):
-			flash("User has already been claimed", "error")
-			return redirect(url_for("users.claim"))
-		elif user is None and method == "github":
-			flash("Unable to get Github username for user", "error")
-			return redirect(url_for("users.claim"))
-		elif user is None:
-			flash("Unable to find that user", "error")
-			return redirect(url_for("users.claim"))
-
-		if user is not None and method == "github":
-			return redirect(url_for("users.github_signin"))
-
-	token = None
-	if "forum_token" in session:
-		token = session["forum_token"]
-	else:
-		token = randomString(32)
-		session["forum_token"] = token
-
-	if request.method == "POST":
-		ctype	= request.form.get("claim_type")
-		username = request.form.get("username")
-
-		if username is None or len(username.strip()) < 2:
-			flash("Invalid username", "error")
-		elif ctype == "github":
-			task = checkForumAccount.delay(username)
-			return redirect(url_for("tasks.check", id=task.id, r=url_for("users.claim", username=username, method="github")))
-		elif ctype == "forum":
-			user = User.query.filter_by(forums_username=username).first()
-			if user is not None and user.rank.atLeast(UserRank.NEW_MEMBER):
-				flash("That user has already been claimed!", "error")
-				return redirect(url_for("users.claim"))
-
-			# Get signature
-			sig = None
-			try:
-				profile = getProfile("https://forum.minetest.net", username)
-				sig = profile.signature
-			except IOError:
-				flash("Unable to get forum signature - does the user exist?", "error")
-				return redirect(url_for("users.claim", username=username))
-
-			# Look for key
-			if token in sig:
-				if user is None:
-					user = User(username)
-					user.forums_username = username
-					db.session.add(user)
-					db.session.commit()
-
-				if loginUser(user):
-					return redirect(url_for("users.set_password"))
-				else:
-					flash("Unable to login as user", "error")
-					return redirect(url_for("users.claim", username=username))
-
-			else:
-				flash("Could not find the key in your signature!", "error")
-				return redirect(url_for("users.claim", username=username))
-		else:
-			flash("Unknown claim type", "error")
-
-	return render_template("users/claim.html", username=username, key=token)
-
-@bp.route("/users/verify/")
-def verify_email():
-	token = request.args.get("token")
-	ver = UserEmailVerification.query.filter_by(token=token).first()
-	if ver is None:
-		flash("Unknown verification token!", "error")
-	else:
-		ver.user.email = ver.email
-		db.session.delete(ver)
-		db.session.commit()
-
-	if current_user.is_authenticated:
-		return redirect(url_for("users.profile", username=current_user.username))
-	else:
-		return redirect(url_for("homepage.home"))
+	start = request.args.get("start")
+	end = request.args.get("end")
+	return render_template("users/stats.html", user=user, downloads=downloads[0],
+			start=start, end=end, options=get_daterange_options(), noindex=start or end)
--- a/app/blueprints/users/settings.py
+++ b/app/blueprints/users/settings.py
@@ -0,0 +1,472 @@
+# ContentDB
+# Copyright (C) 2023 rubenwardy
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU Affero General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU Affero General Public License for more details.
+#
+# You should have received a copy of the GNU Affero General Public License
+# along with this program.  If not, see <https://www.gnu.org/licenses/>.
+
+from flask import redirect, abort, render_template, request, flash, url_for
+from flask_babel import gettext, get_locale, lazy_gettext
+from flask_login import current_user, login_required, logout_user
+from flask_wtf import FlaskForm
+from kombu import uuid
+from sqlalchemy import or_
+from wtforms import StringField, SubmitField, BooleanField, SelectField
+from wtforms.validators import Length, Optional, Email, URL
+
+from app.models import User, AuditSeverity, db, UserRank, PackageAlias, EmailSubscription, UserNotificationPreferences, \
+	UserEmailVerification, Permission, NotificationType, UserBan
+from app.tasks.emails import send_verify_email
+from app.tasks.usertasks import update_github_user_id
+from app.utils import nonempty_or_none, add_audit_log, random_string, rank_required, has_blocked_domains
+from . import bp
+
+
+def get_setting_tabs(user):
+	ret = [
+		{
+			"id": "edit_profile",
+			"title": gettext("Edit Profile"),
+			"url": url_for("users.profile_edit", username=user.username)
+		},
+		{
+			"id": "account",
+			"title": gettext("Account and Security"),
+			"url": url_for("users.account", username=user.username)
+		},
+		{
+			"id": "notifications",
+			"title": gettext("Email and Notifications"),
+			"url": url_for("users.email_notifications", username=user.username)
+		},
+		{
+			"id": "api_tokens",
+			"title": gettext("API Tokens"),
+			"url": url_for("api.list_tokens", username=user.username)
+		},
+	]
+
+	if user.check_perm(current_user, Permission.CREATE_OAUTH_CLIENT):
+		ret.append({
+			"id": "oauth_clients",
+			"title": gettext("OAuth2 Applications"),
+			"url": url_for("oauth.list_clients", username=user.username)
+		})
+
+	if current_user.rank.at_least(UserRank.MODERATOR):
+		ret.append({
+			"id": "modtools",
+			"title": gettext("Moderator Tools"),
+			"url": url_for("users.modtools", username=user.username)
+		})
+
+	return ret
+
+
+class UserProfileForm(FlaskForm):
+	display_name = StringField(lazy_gettext("Display Name"), [Optional(), Length(1, 20)], filters=[lambda x: nonempty_or_none(x.strip())])
+	website_url = StringField(lazy_gettext("Website URL"), [Optional(), URL()], filters = [lambda x: x or None])
+	donate_url = StringField(lazy_gettext("Donation URL"), [Optional(), URL()], filters = [lambda x: x or None])
+	submit = SubmitField(lazy_gettext("Save"))
+
+
+def handle_profile_edit(form: UserProfileForm, user: User, username: str):
+	severity = AuditSeverity.NORMAL if current_user == user else AuditSeverity.MODERATION
+	add_audit_log(severity, current_user, "Edited {}'s profile".format(user.display_name),
+				  url_for("users.profile", username=username))
+
+	display_name = form.display_name.data or user.username
+	if user.check_perm(current_user, Permission.CHANGE_DISPLAY_NAME) and \
+			user.display_name != display_name:
+
+		if User.query.filter(User.id != user.id,
+				or_(User.username == display_name,
+						User.display_name.ilike(display_name))).count() > 0:
+			flash(gettext("A user already has that name"), "danger")
+			return None
+
+
+		alias_by_name = PackageAlias.query.filter(or_(
+				PackageAlias.author == display_name)).first()
+		if alias_by_name:
+			flash(gettext("A user already has that name"), "danger")
+			return
+
+		user.display_name = display_name
+
+		severity = AuditSeverity.USER if current_user == user else AuditSeverity.MODERATION
+		add_audit_log(severity, current_user, "Changed display name of {} to {}"
+					  .format(user.username, user.display_name),
+					  url_for("users.profile", username=username))
+
+	if user.check_perm(current_user, Permission.CHANGE_PROFILE_URLS):
+		if has_blocked_domains(form.website_url.data, current_user.username, f"{user.username}'s website_url") or \
+				has_blocked_domains(form.donate_url.data, current_user.username, f"{user.username}'s donate_url"):
+			flash(gettext("Linking to blocked sites is not allowed"), "danger")
+			return
+
+		user.website_url = form.website_url.data
+		user.donate_url = form.donate_url.data
+
+	db.session.commit()
+
+	return redirect(url_for("users.profile", username=username))
+
+
+@bp.route("/users/<username>/settings/profile/", methods=["GET", "POST"])
+@login_required
+def profile_edit(username):
+	user : User = User.query.filter_by(username=username).first()
+	if not user:
+		abort(404)
+
+	if not user.can_see_edit_profile(current_user):
+		abort(403)
+
+	form = UserProfileForm(obj=user)
+	if form.validate_on_submit():
+		ret = handle_profile_edit(form, user, username)
+		if ret:
+			return ret
+
+	# Process GET or invalid POST
+	return render_template("users/profile_edit.html", user=user, form=form, tabs=get_setting_tabs(user), current_tab="edit_profile")
+
+
+def make_settings_form():
+	attrs = {
+		"email": StringField(lazy_gettext("Email"), [Optional(), Email()]),
+		"submit": SubmitField(lazy_gettext("Save"))
+	}
+
+	for notificationType in NotificationType:
+		key = "pref_" + notificationType.to_name()
+		attrs[key] = BooleanField("")
+		attrs[key + "_digest"] = BooleanField("")
+
+	return type("SettingsForm", (FlaskForm,), attrs)
+
+SettingsForm = make_settings_form()
+
+
+def handle_email_notifications(user, prefs: UserNotificationPreferences, is_new, form):
+	for notificationType in NotificationType:
+		field_email = getattr(form, "pref_" + notificationType.to_name()).data
+		field_digest = getattr(form, "pref_" + notificationType.to_name() + "_digest").data or field_email
+		prefs.set_can_email(notificationType, field_email)
+		prefs.set_can_digest(notificationType, field_digest)
+
+	if is_new:
+		db.session.add(prefs)
+
+	if user.check_perm(current_user, Permission.CHANGE_EMAIL):
+		newEmail = form.email.data
+		if newEmail and newEmail != user.email and newEmail.strip() != "":
+			if EmailSubscription.query.filter_by(email=form.email.data, blacklisted=True).count() > 0:
+				flash(gettext("That email address has been unsubscribed/blacklisted, and cannot be used"), "danger")
+				return
+
+			token = random_string(32)
+
+			severity = AuditSeverity.NORMAL if current_user == user else AuditSeverity.MODERATION
+
+			msg = "Changed email of {}".format(user.display_name)
+			add_audit_log(severity, current_user, msg, url_for("users.profile", username=user.username))
+
+			ver = UserEmailVerification()
+			ver.user = user
+			ver.token = token
+			ver.email = newEmail
+			db.session.add(ver)
+			db.session.commit()
+
+			send_verify_email.delay(newEmail, token, get_locale().language)
+			return redirect(url_for("users.email_sent"))
+
+	db.session.commit()
+	return redirect(url_for("users.email_notifications", username=user.username))
+
+
+@bp.route("/user/settings/email/")
+@bp.route("/users/<username>/settings/email/", methods=["GET", "POST"])
+@login_required
+def email_notifications(username=None):
+	if username is None:
+		return redirect(url_for("users.email_notifications", username=current_user.username))
+
+	user: User = User.query.filter_by(username=username).first()
+	if not user:
+		abort(404)
+
+	if not user.check_perm(current_user, Permission.CHANGE_EMAIL):
+		abort(403)
+
+	is_new = False
+	prefs = user.notification_preferences
+	if prefs is None:
+		is_new = True
+		prefs = UserNotificationPreferences(user)
+
+	data = {}
+	types = []
+	for notificationType in NotificationType:
+		types.append(notificationType)
+		data["pref_" + notificationType.to_name()] = prefs.get_can_email(notificationType)
+		data["pref_" + notificationType.to_name() + "_digest"] = prefs.get_can_digest(notificationType)
+
+	data["email"] = user.email
+
+	form = SettingsForm(data=data)
+	if form.validate_on_submit():
+		ret = handle_email_notifications(user, prefs, is_new, form)
+		if ret:
+			return ret
+
+	return render_template("users/settings_email.html",
+			form=form, user=user, types=types, is_new=is_new,
+			tabs=get_setting_tabs(user), current_tab="notifications")
+
+
+@bp.route("/users/<username>/settings/account/")
+@login_required
+def account(username):
+	user : User = User.query.filter_by(username=username).first()
+	if not user:
+		abort(404)
+
+	if not user.can_see_edit_profile(current_user):
+		abort(403)
+
+	return render_template("users/account.html", user=user, tabs=get_setting_tabs(user), current_tab="account")
+
+
+@bp.route("/users/<username>/settings/account/disconnect-github/", methods=["POST"])
+def disconnect_github(username: str):
+	user: User = User.query.filter_by(username=username).one_or_404()
+
+	if not user.can_see_edit_profile(current_user):
+		abort(403)
+
+	if user.password and user.email:
+		user.github_user_id = None
+		user.github_username = None
+		db.session.commit()
+
+		flash(gettext("Removed GitHub account"), "success")
+	else:
+		flash(gettext("You need to add an email address and password before you can remove your GitHub account"), "danger")
+
+	return redirect(url_for("users.account", username=username))
+
+
+@bp.route("/users/<username>/delete/", methods=["GET", "POST"])
+@rank_required(UserRank.ADMIN)
+def delete(username):
+	user: User = User.query.filter_by(username=username).first()
+	if not user:
+		abort(404)
+
+	if user.rank.at_least(UserRank.MODERATOR):
+		flash(gettext("Users with moderator rank or above cannot be deleted"), "danger")
+		return redirect(url_for("users.account", username=username))
+
+	if request.method == "GET":
+		return render_template("users/delete.html", user=user, can_delete=user.can_delete())
+
+	if "delete" in request.form and (user.can_delete() or current_user.rank.at_least(UserRank.ADMIN)):
+		msg = "Deleted user {}".format(user.username)
+		flash(msg, "success")
+		add_audit_log(AuditSeverity.MODERATION, current_user, msg, None)
+
+		if current_user.rank.at_least(UserRank.ADMIN):
+			for pkg in user.packages.all():
+				pkg.review_thread = None
+				db.session.delete(pkg)
+
+		db.session.delete(user)
+	elif "deactivate" in request.form:
+		for reply in user.replies.all():
+			db.session.delete(reply)
+		for thread in user.threads.all():
+			db.session.delete(thread)
+		for token in user.tokens.all():
+			db.session.delete(token)
+		user.profile_pic = None
+		user.email = None
+
+		if user.rank != UserRank.BANNED:
+			user.rank = UserRank.NOT_JOINED
+
+		msg = "Deactivated user {}".format(user.username)
+		flash(msg, "success")
+		add_audit_log(AuditSeverity.MODERATION, current_user, msg, None)
+	else:
+		assert False
+
+	db.session.commit()
+
+	if user == current_user:
+		logout_user()
+
+	return redirect(url_for("homepage.home"))
+
+
+class ModToolsForm(FlaskForm):
+	username = StringField(lazy_gettext("Username"), [Optional(), Length(1, 50)])
+	display_name = StringField(lazy_gettext("Display name"), [Optional(), Length(2, 100)])
+	forums_username = StringField(lazy_gettext("Forums Username"), [Optional(), Length(2, 50)])
+	github_username = StringField(lazy_gettext("GitHub Username"), [Optional(), Length(2, 50)])
+	rank = SelectField(lazy_gettext("Rank"), [Optional()], choices=UserRank.choices(), coerce=UserRank.coerce,
+			default=UserRank.NEW_MEMBER)
+	submit = SubmitField(lazy_gettext("Save"))
+
+
+@bp.route("/users/<username>/modtools/", methods=["GET", "POST"])
+@rank_required(UserRank.MODERATOR)
+def modtools(username):
+	user: User = User.query.filter_by(username=username).first()
+	if not user:
+		abort(404)
+
+	if not user.check_perm(current_user, Permission.CHANGE_EMAIL):
+		abort(403)
+
+	form = ModToolsForm(obj=user)
+	if form.validate_on_submit():
+		severity = AuditSeverity.NORMAL if current_user == user else AuditSeverity.MODERATION
+		add_audit_log(severity, current_user, "Edited {}'s account".format(user.display_name),
+					  url_for("users.profile", username=username))
+
+		redirect_target = url_for("users.modtools", username=username)
+
+		# Copy form fields to user_profile fields
+		if user.check_perm(current_user, Permission.CHANGE_USERNAMES):
+			if user.username != form.username.data:
+				for package in user.packages:
+					alias = PackageAlias(user.username, package.name)
+					package.aliases.append(alias)
+					db.session.add(alias)
+
+				user.username = form.username.data
+
+			user.display_name = form.display_name.data
+			user.forums_username = nonempty_or_none(form.forums_username.data)
+			github_username = nonempty_or_none(form.github_username.data)
+			if github_username is None:
+				user.github_username = None
+				user.github_user_id = None
+			else:
+				task_id = uuid()
+				update_github_user_id.apply_async((user.id, github_username), task_id=task_id)
+				redirect_target = url_for("tasks.check", id=task_id, r=redirect_target)
+
+		if user.check_perm(current_user, Permission.CHANGE_RANK):
+			new_rank = form.rank.data
+			if current_user.rank.at_least(new_rank):
+				if new_rank != user.rank:
+					user.rank = form.rank.data
+					msg = "Set rank of {} to {}".format(user.display_name, user.rank.title)
+					add_audit_log(AuditSeverity.MODERATION, current_user, msg,
+								  url_for("users.profile", username=username))
+			else:
+				flash(gettext("Can't promote a user to a rank higher than yourself!"), "danger")
+
+		db.session.commit()
+
+		return redirect(redirect_target)
+
+	return render_template("users/modtools.html", user=user, form=form, tabs=get_setting_tabs(user), current_tab="modtools")
+
+
+@bp.route("/users/<username>/modtools/set-email/", methods=["POST"])
+@rank_required(UserRank.MODERATOR)
+def modtools_set_email(username):
+	user: User = User.query.filter_by(username=username).first()
+	if not user:
+		abort(404)
+
+	if not user.check_perm(current_user, Permission.CHANGE_EMAIL):
+		abort(403)
+
+	user.email = request.form["email"]
+	user.is_active = False
+
+	token = random_string(32)
+	add_audit_log(AuditSeverity.MODERATION, current_user, f"Set email and sent a password reset on {user.username}",
+				  url_for("users.profile", username=user.username), None)
+
+	ver = UserEmailVerification()
+	ver.user = user
+	ver.token = token
+	ver.email = user.email
+	ver.is_password_reset = True
+	db.session.add(ver)
+	db.session.commit()
+
+	send_verify_email.delay(user.email, token, user.locale or "en")
+
+	flash(f"Set email and sent a password reset on {user.username}", "success")
+	return redirect(url_for("users.modtools", username=username))
+
+
+@bp.route("/users/<username>/modtools/ban/", methods=["POST"])
+@rank_required(UserRank.MODERATOR)
+def modtools_ban(username):
+	user: User = User.query.filter_by(username=username).first()
+	if not user:
+		abort(404)
+
+	if not user.check_perm(current_user, Permission.CHANGE_RANK):
+		abort(403)
+
+	message = request.form["message"]
+	expires_at = request.form.get("expires_at")
+
+	user.ban = UserBan()
+	user.ban.banned_by = current_user
+	user.ban.message = message
+
+	if expires_at and expires_at != "":
+		user.ban.expires_at = expires_at
+	else:
+		user.rank = UserRank.BANNED
+
+	add_audit_log(AuditSeverity.MODERATION, current_user, f"Banned {user.username}, expires {user.ban.expires_at or '-'}, message: {message}",
+				  url_for("users.profile", username=user.username), None)
+	db.session.commit()
+
+	flash(f"Banned {user.username}", "success")
+	return redirect(url_for("users.modtools", username=username))
+
+
+@bp.route("/users/<username>/modtools/unban/", methods=["POST"])
+@rank_required(UserRank.MODERATOR)
+def modtools_unban(username):
+	user: User = User.query.filter_by(username=username).first()
+	if not user:
+		abort(404)
+
+	if not user.check_perm(current_user, Permission.CHANGE_RANK):
+		abort(403)
+
+	if user.ban:
+		db.session.delete(user.ban)
+
+	if user.rank == UserRank.BANNED:
+		user.rank = UserRank.MEMBER
+
+	add_audit_log(AuditSeverity.MODERATION, current_user, f"Unbanned {user.username}",
+				  url_for("users.profile", username=user.username), None)
+	db.session.commit()
+
+	flash(f"Unbanned {user.username}", "success")
+	return redirect(url_for("users.modtools", username=username))
--- a/app/blueprints/vcs/init.py
+++ b/app/blueprints/vcs/init.py
@@ -0,0 +1,22 @@
+# ContentDB
+# Copyright (C) 2024 rubenwardy
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU Affero General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU Affero General Public License for more details.
+#
+# You should have received a copy of the GNU Affero General Public License
+# along with this program.  If not, see <https://www.gnu.org/licenses/>.
+
+
+from flask import Blueprint
+
+bp = Blueprint("vcs", __name__)
+
+from . import github, gitlab
--- a/app/blueprints/vcs/common.py
+++ b/app/blueprints/vcs/common.py
@@ -0,0 +1,43 @@
+# ContentDB
+# Copyright (C) 2024  rubenwardy
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU Affero General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU Affero General Public License for more details.
+#
+# You should have received a copy of the GNU Affero General Public License
+# along with this program.  If not, see <https://www.gnu.org/licenses/>.
+
+
+from app.blueprints.api.support import error
+from app.models import Package, APIToken, Permission, PackageState
+
+
+def get_packages_for_vcs_and_token(token: APIToken, repo_url: str) -> list[Package]:
+	repo_url = repo_url.replace("https://", "").replace("http://", "").lower()
+	if token.package:
+		packages = [token.package]
+		if not token.package.check_perm(token.owner, Permission.APPROVE_RELEASE):
+			return error(403, "You do not have the permission to approve releases")
+
+		actual_repo_url: str = token.package.repo or ""
+		if repo_url not in actual_repo_url.lower():
+			return error(400, "Repo URL does not match the API token's package")
+	else:
+		# Get package
+		packages = Package.query.filter(
+			Package.repo.ilike("%{}%".format(repo_url)), Package.state != PackageState.DELETED).all()
+		if len(packages) == 0:
+			return error(400,
+					"Could not find package, did you set the VCS repo in CDB correctly? Expected {}".format(repo_url))
+		packages = [x for x in packages if x.check_perm(token.owner, Permission.APPROVE_RELEASE)]
+		if len(packages) == 0:
+			return error(403, "You do not have the permission to approve releases")
+
+	return packages
--- a/app/blueprints/vcs/github.py
+++ b/app/blueprints/vcs/github.py
@@ -0,0 +1,200 @@
+# ContentDB
+# Copyright (C) 2018-24 rubenwardy
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU Affero General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU Affero General Public License for more details.
+#
+# You should have received a copy of the GNU Affero General Public License
+# along with this program.  If not, see <https://www.gnu.org/licenses/>.
+
+import datetime
+import hmac
+
+import requests
+from flask import abort, Response
+from flask import redirect, url_for, request, flash, jsonify, current_app
+from flask_babel import gettext
+from flask_login import current_user
+
+from app import github, csrf
+from app.blueprints.api.support import error, api_create_vcs_release
+from app.logic.users import create_user
+from app.models import db, User, APIToken, AuditSeverity
+from app.utils import abs_url_for, add_audit_log, login_user_set_active, is_safe_url
+from . import bp
+from .common import get_packages_for_vcs_and_token
+
+
+@bp.route("/github/start/")
+def github_start():
+	next = request.args.get("next")
+	if next and not is_safe_url(next):
+		abort(400)
+
+	return github.authorize("", redirect_uri=abs_url_for("vcs.github_callback", next=next))
+
+
+@bp.route("/github/view/")
+def github_view_permissions():
+	url = "https://github.com/settings/connections/applications/" + \
+			current_app.config["GITHUB_CLIENT_ID"]
+	return redirect(url)
+
+
+@bp.route("/github/callback/")
+@github.authorized_handler
+def github_callback(oauth_token):
+	if oauth_token is None:
+		flash(gettext("Authorization failed [err=gh-oauth-login-failed]"), "danger")
+		return redirect(url_for("users.login"))
+
+	next = request.args.get("next")
+	if next and not is_safe_url(next):
+		abort(400)
+
+	redirect_to = next
+	if redirect_to is None:
+		redirect_to = url_for("homepage.home")
+
+	# Get GitGub username
+	url = "https://api.github.com/user"
+	r = requests.get(url, headers={"Authorization": "token " + oauth_token})
+	json = r.json()
+	user_id = json["id"]
+	github_username = json["login"]
+	if type(user_id) is not int:
+		abort(400)
+
+	# Get user by GitHub user ID
+	user_by_github = User.query.filter(User.github_user_id == user_id).one_or_none()
+
+	# If logged in, connect
+	if current_user and current_user.is_authenticated:
+		if user_by_github is None:
+			current_user.github_username = github_username
+			current_user.github_user_id = user_id
+			db.session.commit()
+			flash(gettext("Linked GitHub to account"), "success")
+			return redirect(redirect_to)
+		elif user_by_github == current_user:
+			return redirect(redirect_to)
+		else:
+			flash(gettext("GitHub account is already associated with another user: %(username)s",
+					username=user_by_github.username), "danger")
+			return redirect(redirect_to)
+
+	# Log in to existing account
+	elif user_by_github:
+		ret = login_user_set_active(user_by_github, next, remember=True)
+		if ret is None:
+			flash(gettext("Authorization failed [err=gh-login-failed]"), "danger")
+			return redirect(url_for("users.login"))
+
+		user_by_github.github_username = github_username
+		add_audit_log(AuditSeverity.USER, user_by_github, "Logged in using GitHub OAuth",
+				url_for("users.profile", username=user_by_github.username))
+		db.session.commit()
+		return ret
+
+	# Sign up
+	else:
+		user = create_user(github_username, github_username, None, "GitHub")
+		if isinstance(user, Response):
+			return user
+		elif user is None:
+			return redirect(url_for("users.login"))
+
+		user.github_username = github_username
+		user.github_user_id = user_id
+
+		add_audit_log(AuditSeverity.USER, user, "Registered with GitHub, display name=" + user.display_name,
+				url_for("users.profile", username=user.username))
+
+		db.session.commit()
+
+		ret = login_user_set_active(user, next, remember=True)
+		if ret is None:
+			flash(gettext("Authorization failed [err=gh-login-failed]"), "danger")
+			return redirect(url_for("users.login"))
+
+		return ret
+
+
+def _find_api_token(header_signature: str) -> APIToken:
+	sha_name, signature = header_signature.split('=')
+	if sha_name != 'sha1':
+		error(403, "Expected SHA1 payload signature")
+
+	for token in APIToken.query.all():
+		mac = hmac.new(token.access_token.encode("utf-8"), msg=request.data, digestmod='sha1')
+
+		if hmac.compare_digest(str(mac.hexdigest()), signature):
+			return token
+
+	error(401, "Invalid authentication, couldn't validate API token")
+
+
+@bp.route("/github/webhook/", methods=["POST"])
+@csrf.exempt
+def github_webhook():
+	json = request.json
+
+	header_signature = request.headers.get('X-Hub-Signature')
+	if header_signature is None:
+		return error(403, "Expected payload signature")
+
+	token = _find_api_token(header_signature)
+	packages = get_packages_for_vcs_and_token(token, "github.com/" + json["repository"]["full_name"])
+
+	for package in packages:
+		#
+		# Check event
+		#
+		event = request.headers.get("X-GitHub-Event")
+		if event == "push":
+			ref = json["after"]
+			title = datetime.datetime.utcnow().strftime("%Y-%m-%d") + " " + ref[:5]
+			branch = json["ref"].replace("refs/heads/", "")
+			if package.update_config and package.update_config.ref:
+				if branch != package.update_config.ref:
+					continue
+			elif branch not in ["master", "main"]:
+				continue
+
+		elif event == "create":
+			ref_type = json.get("ref_type")
+			if ref_type != "tag":
+				return jsonify({
+					"success": False,
+					"message": "Webhook ignored, as it's a non-tag create event. ref_type='{}'.".format(ref_type)
+				})
+
+			ref = json["ref"]
+			title = ref
+
+		elif event == "ping":
+			return jsonify({"success": True, "message": "Ping successful"})
+
+		else:
+			return error(400, "Unsupported event: '{}'. Only 'push', 'create:tag', and 'ping' are supported."
+					.format(event or "null"))
+
+		#
+		# Perform release
+		#
+		if package.releases.filter_by(commit_hash=ref).count() > 0:
+			return
+
+		return api_create_vcs_release(token, package, title, title, None, ref, reason="Webhook")
+
+	return jsonify({
+		"success": False,
+		"message": "No release made. Either the release already exists or the event was filtered based on the branch"
+	})
--- a/app/blueprints/vcs/gitlab.py
+++ b/app/blueprints/vcs/gitlab.py
@@ -0,0 +1,86 @@
+# ContentDB
+# Copyright (C) 2020-24  rubenwardy
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU Affero General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU Affero General Public License for more details.
+#
+# You should have received a copy of the GNU Affero General Public License
+# along with this program.  If not, see <https://www.gnu.org/licenses/>.
+
+import datetime
+
+from flask import request, jsonify
+
+from app import csrf
+from app.blueprints.api.support import error, api_create_vcs_release
+from app.models import APIToken
+
+from . import bp
+from .common import get_packages_for_vcs_and_token
+
+
+def webhook_impl():
+	json = request.json
+
+	# Get all tokens for package
+	secret = request.headers.get("X-Gitlab-Token")
+	if secret is None:
+		return error(403, "Token required")
+
+	token: APIToken = APIToken.query.filter_by(access_token=secret).first()
+	if token is None:
+		return error(403, "Invalid authentication")
+
+	packages = get_packages_for_vcs_and_token(token, json["project"]["web_url"])
+	for package in packages:
+		#
+		# Check event
+		#
+		event = json["event_name"]
+		if event == "push":
+			ref = json["after"]
+			title = datetime.datetime.utcnow().strftime("%Y-%m-%d") + " " + ref[:5]
+			branch = json["ref"].replace("refs/heads/", "")
+			if package.update_config and package.update_config.ref:
+				if branch != package.update_config.ref:
+					continue
+			elif branch not in ["master", "main"]:
+				continue
+
+		elif event == "tag_push":
+			ref = json["ref"]
+			title = ref.replace("refs/tags/", "")
+
+		else:
+			return error(400, "Unsupported event: '{}'. Only 'push', 'create:tag', and 'ping' are supported."
+					.format(event or "null"))
+
+		#
+		# Perform release
+		#
+		if package.releases.filter_by(commit_hash=ref).count() > 0:
+			continue
+
+		return api_create_vcs_release(token, package, title, title, None, ref, reason="Webhook")
+
+	return jsonify({
+		"success": False,
+		"message": "No release made. Either the release already exists or the event was filtered based on the branch"
+	})
+
+
+
+@bp.route("/gitlab/webhook/", methods=["POST"])
+@csrf.exempt
+def gitlab_webhook():
+	try:
+		return webhook_impl()
+	except KeyError as err:
+		return error(400, "Missing field: {}".format(err.args[0]))
--- a/app/blueprints/zipgrep/init.py
+++ b/app/blueprints/zipgrep/init.py
@@ -0,0 +1,70 @@
+# ContentDB
+# Copyright (C) 2022 rubenwardy
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU Affero General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU Affero General Public License for more details.
+#
+# You should have received a copy of the GNU Affero General Public License
+# along with this program.  If not, see <https://www.gnu.org/licenses/>.
+
+from celery import uuid
+from flask import Blueprint, render_template, redirect, request, abort, url_for
+from flask_babel import lazy_gettext
+from flask_wtf import FlaskForm
+from wtforms import StringField, BooleanField, SubmitField, SelectMultipleField
+from wtforms.validators import InputRequired, Length, Optional
+
+from app.tasks import celery
+from app.utils import rank_required
+
+bp = Blueprint("zipgrep", __name__)
+
+from app.models import UserRank, Package, PackageType
+from app.tasks.zipgrep import search_in_releases
+
+
+class SearchForm(FlaskForm):
+	query = StringField(lazy_gettext("Text to find (regex)"), [InputRequired(), Length(1, 100)])
+	file_filter = StringField(lazy_gettext("File filter"), [InputRequired(), Length(1, 100)], default="*.lua")
+	type = SelectMultipleField(lazy_gettext("Type"), [Optional()],
+			choices=PackageType.choices(), coerce=PackageType.coerce)
+	submit = SubmitField(lazy_gettext("Search"))
+
+
+@bp.route("/zipgrep/", methods=["GET", "POST"])
+@rank_required(UserRank.EDITOR)
+def zipgrep_search():
+	form = SearchForm(request.form)
+	if form.validate_on_submit():
+		task_id = uuid()
+		search_in_releases.apply_async((form.query.data, form.file_filter.data, [x.name for x in form.type.data]), task_id=task_id)
+		result_url = url_for("zipgrep.view_results", id=task_id)
+		return redirect(url_for("tasks.check", id=task_id, r=result_url))
+
+	return render_template("zipgrep/search.html", form=form)
+
+
+@bp.route("/zipgrep/<id>/")
+def view_results(id):
+	result = celery.AsyncResult(id)
+	if result.status == "PENDING":
+		abort(404)
+
+	if result.status != "SUCCESS" or isinstance(result.result, Exception):
+		result_url = url_for("zipgrep.view_results", id=id)
+		return redirect(url_for("tasks.check", id=id, r=result_url))
+
+	matches = result.result["matches"]
+	for match in matches:
+		match["package"] = Package.query.filter(
+				Package.name == match["package"]["name"],
+				Package.author.has(username=match["package"]["author"])).one()
+
+	return render_template("zipgrep/view_results.html", query=result.result["query"], matches=matches)
--- a/app/default_data.py
+++ b/app/default_data.py
@@ -0,0 +1,414 @@
+# ContentDB
+# Copyright (C) rubenwardy
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU Affero General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU Affero General Public License for more details.
+#
+# You should have received a copy of the GNU Affero General Public License
+# along with this program.  If not, see <https://www.gnu.org/licenses/>.
+
+import datetime
+
+from .models import User, UserRank, LuantiRelease, Tag, License, Notification, NotificationType, Package, \
+	PackageState, PackageType, PackageRelease, MetaPackage, Dependency
+from .utils import make_flask_login_password
+
+
+def populate(session):
+	admin_user = User("rubenwardy")
+	admin_user.is_active = True
+	admin_user.password = make_flask_login_password("tuckfrump")
+	admin_user.github_username = "rubenwardy"
+	admin_user.forums_username = "rubenwardy"
+	admin_user.rank = UserRank.ADMIN
+	session.add(admin_user)
+
+	system_user = User("ContentDB", active=False)
+	system_user.email_confirmed_at = datetime.datetime.now() - datetime.timedelta(days=6000)
+	system_user.rank = UserRank.BOT
+	session.add(system_user)
+
+	session.add(LuantiRelease("None", 0))
+	session.add(LuantiRelease("0.4.16/17", 32))
+	session.add(LuantiRelease("5.0", 37))
+	session.add(LuantiRelease("5.1", 38))
+	session.add(LuantiRelease("5.2", 39))
+	session.add(LuantiRelease("5.3", 39))
+
+	tags = {}
+	for tag in ["Inventory", "Mapgen", "Building",
+			"Mobs and NPCs", "Tools", "Player effects",
+			"Environment", "Transport", "Maintenance", "Plants and farming",
+			"PvP", "PvE", "Survival", "Creative", "Puzzle", "Multiplayer", "Singleplayer"]:
+		row = Tag(tag)
+		tags[row.name] = row
+		session.add(row)
+
+	licenses = {}
+	for license in ["GPLv2.1", "GPLv3", "LGPLv2.1", "LGPLv3", "AGPLv2.1", "AGPLv3",
+			"Apache", "BSD 3-Clause", "BSD 2-Clause", "CC0", "CC-BY-SA",
+			"CC-BY", "MIT", "ZLib", "Other (Free)"]:
+		row = License(license)
+		licenses[row.name] = row
+		session.add(row)
+
+	for license in ["CC-BY-NC-SA", "Other (Non-free)"]:
+		row = License(license, False)
+		licenses[row.name] = row
+		session.add(row)
+
+
+def populate_test_data(session):
+	licenses = { x.name : x for x in License.query.all() }
+	tags = { x.name : x for x in Tag.query.all() }
+	admin_user = User.query.filter_by(rank=UserRank.ADMIN).first()
+	v4 = LuantiRelease.query.filter_by(protocol=32).first()
+	v51 = LuantiRelease.query.filter_by(protocol=38).first()
+
+	ez = User("Shara")
+	ez.github_username = "Ezhh"
+	ez.forums_username = "Shara"
+	ez.rank = UserRank.EDITOR
+	session.add(ez)
+
+	not1 = Notification(admin_user, ez, NotificationType.PACKAGE_APPROVAL, "Awards approved", "/packages/rubenwardy/awards/")
+	session.add(not1)
+
+	jeija = User("Jeija")
+	jeija.github_username = "Jeija"
+	jeija.forums_username = "Jeija"
+	session.add(jeija)
+
+	mod = Package()
+	mod.state = PackageState.APPROVED
+	mod.name = "alpha"
+	mod.title = "Alpha Test"
+	mod.license = licenses["MIT"]
+	mod.media_license = licenses["MIT"]
+	mod.type = PackageType.MOD
+	mod.author = admin_user
+	mod.tags.append(tags["mapgen"])
+	mod.tags.append(tags["environment"])
+	mod.repo = "https://github.com/ezhh/other_worlds"
+	mod.issueTracker = "https://github.com/ezhh/other_worlds/issues"
+	mod.forums = 16015
+	mod.short_desc = "The content library should not be used yet as it is still in alpha"
+	mod.desc = "This is the long desc"
+	session.add(mod)
+
+	rel = PackageRelease()
+	rel.package = mod
+	rel.name = "v1.0.0"
+	rel.title = "v1.0.0"
+	rel.url = "https://github.com/ezhh/handholds/archive/master.zip"
+	rel.approved = True
+	session.add(rel)
+
+	mod1 = Package()
+	mod1.state = PackageState.APPROVED
+	mod1.name = "awards"
+	mod1.title = "Awards"
+	mod1.license = licenses["LGPLv2.1"]
+	mod1.media_license = licenses["MIT"]
+	mod1.type = PackageType.MOD
+	mod1.author = admin_user
+	mod1.tags.append(tags["player_effects"])
+	mod1.repo = "https://github.com/rubenwardy/awards"
+	mod1.issueTracker = "https://github.com/rubenwardy/awards/issues"
+	mod1.forums = 4870
+	mod1.short_desc = "Adds achievements and an API to register new ones."
+	mod1.desc = """
+Majority of awards are back ported from Calinou's old fork in Carbone, under same license.
+
+```lua
+awards.register_achievement("award_mesefind",{
+    title = "First Mese Find",
+    description = "Found some Mese!",
+    trigger = {
+        type   = "dig",          -- award is given when
+        node   = "default:mese", -- this type of node has been dug
+        target = 1,              -- this number of times
+    },
+})
+```
+"""
+
+	rel = PackageRelease()
+	rel.package = mod1
+	rel.min_rel = v51
+	rel.name = "v1.0.0"
+	rel.title = "v1.0.0"
+	rel.url = "https://github.com/rubenwardy/awards/archive/master.zip"
+	rel.approved = True
+	session.add(rel)
+
+	mod2 = Package()
+	mod2.state = PackageState.APPROVED
+	mod2.name = "mesecons"
+	mod2.title = "Mesecons"
+	mod2.tags.append(tags["tools"])
+	mod2.type = PackageType.MOD
+	mod2.license = licenses["LGPLv3"]
+	mod2.media_license = licenses["MIT"]
+	mod2.author = jeija
+	mod2.repo = "https://github.com/minetest-mods/mesecons/"
+	mod2.issueTracker = "https://github.com/minetest-mods/mesecons/issues"
+	mod2.forums = 628
+	mod2.short_desc = "Mesecons adds everything digital, from all kinds of sensors, switches, solar panels, detectors, pistons, lamps, sound blocks to advanced digital circuitry like logic gates and programmable blocks."
+	mod2.desc = """
+MESECONS by Jeija and contributors
+
+Mezzee-what?
+------------
+[Mesecons](http://mesecons.net/)! They're yellow, they're conductive, and they'll add a whole new dimension to Minetest's gameplay.
+
+Mesecons is a mod for [Minetest](http://minetest.net/) that implements a ton of items related to digital circuitry, such as wires, buttons, lights, and even programmable controllers. Among other things, there are also pistons, solar panels, pressure plates, and note blocks.
+
+Mesecons has a similar goal to Redstone in Minecraft, but works in its own way, with different rules and mechanics.
+
+OK, I want in.
+--------------
+Go get it!
+
+[DOWNLOAD IT NOW](https://github.com/minetest-mods/mesecons/archive/master.zip)
+
+Now go ahead and install it like any other Minetest mod. Don't know how? Check out [the wonderful page about it](http://wiki.minetest.com/wiki/Mods) over at the Minetest Wiki. For your convenience, here's a quick summary:
+
+1. If Mesecons is still in a ZIP file, extract the folder inside to somewhere on the computer.
+2. Make sure that when you open the folder, you can directly find `README.md` in the listing. If you just see another folder, move that folder up one level and delete the old one.
+3. Open up the Minetest mods folder - usually `/mods/`. If you see the `minetest` or folder inside of that, that is your mod folder instead.
+4. Copy the Mesecons folder into the mods folder.
+
+Don't like some parts of Mesecons? Open up the Mesecons folder and delete the subfolder containing the mod you don't want. If you didn't want movestones, for example, all you have to do is delete the `mesecons_movestones` folder and they will no longer be available.
+
+There are no dependencies - it will work right after installing!
+
+How do I use this thing?
+------------------------
+How about a [quick overview video](https://www.youtube.com/watch?v=6kmeQj6iW5k)?
+
+Or maybe a [comprehensive reference](http://mesecons.net/items.html) is your style?
+
+An overview for the very newest of new beginners? How does [this one](http://uberi.mesecons.net/projects/MeseconsBasics/index.html) look?
+
+Want to get more into building? Why not check out the [Mesecons Laboratory](http://uberi.mesecons.net/), a website dedicated to advanced Mesecons builders?
+
+Want to contribute to Mesecons itself? Check out the [source code](https://github.com/minetest-mods/mesecons)!
+
+Who wrote it anyways?
+---------------------
+These awesome people made Mesecons possible!
+
+| Contributor     | Contribution                     |
+| --------------- | -------------------------------- |
+| Hawk777         | Code for VoxelManip caching      |
+| Jat15           | Various tweaks.                  |
+| Jeija           | **Main developer! Everything.**  |
+| Jordach         | Noteblock sounds.                |
+| khonkhortistan  | Code, recipes, textures.         |
+| Kotolegokot     | Nodeboxes for items.             |
+| minerd247       | Textures.                        |
+| Nore/Novatux    | Code.                            |
+| RealBadAngel    | Fixes, improvements.             |
+| sfan5           | Code, recipes, textures.         |
+| suzenako        | Piston sounds.                   |
+| Uberi/Temperest | Code, textures, documentation.   |
+| VanessaE        | Code, recipes, textures, design. |
+| Whiskers75      | Logic gates implementation.      |
+
+There are also a whole bunch of other people helping with everything from code to testing and feedback. Mesecons would also not be possible without their help!
+
+Alright, how can I use it?
+--------------------------
+All textures in this project are licensed under the CC-BY-SA 3.0 (Creative Commons Attribution-ShareAlike 3.0 Generic). That means you can distribute and remix them as much as you want to, under the condition that you give credit to the authors and the project, and that if you remix and release them, they must be under the same or similar license to this one.
+
+All code in this project is licensed under the LGPL version 3 or later. That means you have unlimited freedom to distribute and modify the work however you see fit, provided that if you decide to distribute it or any modified versions of it, you must also use the same license. The LGPL also grants the additional freedom to write extensions for the software and distribute them without the extensions being subject to the terms of the LGPL, although the software itself retains its license.
+
+No warranty is provided, express or implied, for any part of the project.
+
+"""
+
+	session.add(mod1)
+	session.add(mod2)
+
+	mod = Package()
+	mod.state = PackageState.APPROVED
+	mod.name = "handholds"
+	mod.title = "Handholds"
+	mod.license = licenses["MIT"]
+	mod.media_license = licenses["MIT"]
+	mod.type = PackageType.MOD
+	mod.author = ez
+	mod.tags.append(tags["player_effects"])
+	mod.repo = "https://github.com/ezhh/handholds"
+	mod.issueTracker = "https://github.com/ezhh/handholds/issues"
+	mod.forums = 17069
+	mod.short_desc = "Adds hand holds and climbing thingies"
+	mod.desc = "This is the long desc"
+	session.add(mod)
+
+	rel = PackageRelease()
+	rel.package = mod
+	rel.name = "v1.0.0"
+	rel.title = "v1.0.0"
+	rel.max_rel = v4
+	rel.url = "https://github.com/ezhh/handholds/archive/master.zip"
+	rel.approved = True
+	session.add(rel)
+
+	mod = Package()
+	mod.state = PackageState.APPROVED
+	mod.name = "other_worlds"
+	mod.title = "Other Worlds"
+	mod.license = licenses["MIT"]
+	mod.media_license = licenses["MIT"]
+	mod.type = PackageType.MOD
+	mod.author = ez
+	mod.tags.append(tags["mapgen"])
+	mod.tags.append(tags["environment"])
+	mod.repo = "https://github.com/ezhh/other_worlds"
+	mod.issueTracker = "https://github.com/ezhh/other_worlds/issues"
+	mod.forums = 16015
+	mod.short_desc = "Adds space with asteroids and comets"
+	mod.desc = "This is the long desc"
+	session.add(mod)
+
+	mod = Package()
+	mod.state = PackageState.APPROVED
+	mod.name = "food"
+	mod.title = "Food"
+	mod.license = licenses["LGPLv2.1"]
+	mod.media_license = licenses["MIT"]
+	mod.type = PackageType.MOD
+	mod.author = admin_user
+	mod.tags.append(tags["player_effects"])
+	mod.repo = "https://github.com/rubenwardy/food/"
+	mod.issueTracker = "https://github.com/rubenwardy/food/issues/"
+	mod.forums = 2960
+	mod.short_desc = "Adds lots of food and an API to manage ingredients"
+	mod.desc = "This is the long desc"
+	session.add(mod)
+
+	mod = Package()
+	mod.state = PackageState.APPROVED
+	mod.name = "food_sweet"
+	mod.title = "Sweet Foods"
+	mod.license = licenses["CC0"]
+	mod.media_license = licenses["MIT"]
+	mod.type = PackageType.MOD
+	mod.author = admin_user
+	mod.tags.append(tags["player_effects"])
+	mod.repo = "https://github.com/rubenwardy/food_sweet/"
+	mod.issueTracker = "https://github.com/rubenwardy/food_sweet/issues/"
+	mod.forums = 9039
+	mod.short_desc = "Adds sweet food"
+	mod.desc = "This is the long desc"
+	food_sweet = mod
+	session.add(mod)
+
+	game1 = Package()
+	game1.state = PackageState.APPROVED
+	game1.name = "capturetheflag"
+	game1.title = "Capture The Flag"
+	game1.type = PackageType.GAME
+	game1.license = licenses["LGPLv2.1"]
+	game1.media_license = licenses["MIT"]
+	game1.author = admin_user
+	game1.tags.append(tags["pvp"])
+	game1.tags.append(tags["survival"])
+	game1.tags.append(tags["multiplayer"])
+	game1.repo = "https://github.com/rubenwardy/capturetheflag"
+	game1.issueTracker = "https://github.com/rubenwardy/capturetheflag/issues"
+	game1.forums = 12835
+	game1.short_desc = "Two teams battle to snatch and return the enemy's flag, before the enemy takes their own!"
+	game1.desc = """
+As seen on the Capture the Flag server (minetest.rubenwardy.com:30000)
+
+` `[`javascript:/*--></title></style></textarea></script></xmp><svg/onload='+/"/+/onmouseover=1/+/`](javascript:/*--%3E%3C/title%3E%3C/style%3E%3C/textarea%3E%3C/script%3E%3C/xmp%3E%3Csvg/onload='+/%22/+/onmouseover=1/+/)`[*/[]/+alert(1)//'>`
+
+<IMG SRC="javascript:alert('XSS');">
+
+<IMG SRC=javascript:alert(&amp;quot;XSS&amp;quot;)>
+
+``<IMG SRC=`javascript:alert("RSnake says, 'XSS'")`>``
+
+\<a onmouseover="alert(document.cookie)"\>xxs link\</a\>
+
+\<a onmouseover=alert(document.cookie)\>xxs link\</a\>
+
+<IMG SRC=javascript:alert(String.fromCharCode(88,83,83))>
+
+<script>alert("hello");</script>
+
+<SCRIPT SRC=`[`http://xss.rocks/xss.js></SCRIPT>`](http://xss.rocks/xss.js%3E%3C/SCRIPT%3E)`;`
+
+`<IMG \"\"\">`
+
+<SCRIPT>
+
+alert("XSS")
+
+</SCRIPT>
+
+<IMG SRC= onmouseover="alert('xxs')">
+
+<img src=x onerror="&#0000106&#0000097&#0000118&#0000097&#0000115&#0000099&#0000114&#0000105&#0000112&#0000116&#0000058&#0000097&#0000108&#0000101&#0000114&#0000116&#0000040&#0000039&#0000088&#0000083&#0000083&#0000039&#0000041">
+
+"\>
+
+Uses the CTF PvP Engine.
+"""
+
+	session.add(game1)
+
+	rel = PackageRelease()
+	rel.package = game1
+	rel.name = "v1.0.0"
+	rel.title = "v1.0.0"
+	rel.url = "https://github.com/rubenwardy/capturetheflag/archive/master.zip"
+	rel.approved = True
+	session.add(rel)
+
+
+	mod = Package()
+	mod.state = PackageState.APPROVED
+	mod.name = "pixelbox"
+	mod.title = "PixelBOX Reloaded"
+	mod.license = licenses["CC0"]
+	mod.media_license = licenses["CC0"]
+	mod.type = PackageType.TXP
+	mod.author = admin_user
+	mod.forums = 14132
+	mod.short_desc = "This is an update of the original PixelBOX texture pack by the brillant artist Gambit"
+	mod.desc = "This is the long desc"
+	session.add(mod)
+
+	rel = PackageRelease()
+	rel.package = mod
+	rel.name = "v1.0.0"
+	rel.title = "v1.0.0"
+	rel.url = "http://mamadou3.free.fr/Minetest/PixelBOX.zip"
+	rel.approved = True
+	session.add(rel)
+
+	session.commit()
+
+	metas = {}
+	for package in Package.query.filter_by(type=PackageType.MOD).all():
+		try:
+			meta = metas[package.name]
+		except KeyError:
+			meta = MetaPackage(package.name)
+			session.add(meta)
+			metas[package.name] = meta
+		package.provides.append(meta)
+
+	dep = Dependency(food_sweet, meta=metas["food"])
+	session.add(dep)
--- a/app/flatpages/about.md
+++ b/app/flatpages/about.md
@@ -0,0 +1,49 @@
+title: About ContentDB
+description: Information about ContentDB's development, history, and more
+toc: False
+
+## Development
+
+ContentDB was created by [rubenwardy](https://rubenwardy.com/) in 2018, he was lucky enough to have the time available
+as it was submitted as university coursework. To learn about the history and development of ContentDB,
+[see the blog post](https://blog.rubenwardy.com/2022/03/24/contentdb/).
+
+ContentDB is open source software, licensed under AGPLv3.0.
+
+<a href="https://github.com/luanti-org/contentdb/" class="btn btn-primary me-1">Source code</a>
+<a href="https://github.com/luanti-org/contentdb/issues/" class="btn btn-secondary me-1">Issue tracker</a>
+<a href="{{ admin_contact_url }}" class="btn btn-secondary me-1">Contact admin</a>
+{% if monitoring_url -%}
+<a href="{{ monitoring_url }}" class="btn btn-secondary">Stats / monitoring</a>
+{%- endif %}
+
+## Why was ContentDB created?
+
+Before ContentDB, users had to manually install mods and games by unzipping their files into a directory. This is
+poor user experience, especially for first-time users.
+
+ContentDB isn't just about supporting the in-game content downloader; it's common for technical users to find
+and review packages using the ContentDB website, but install using Git rather than the in-game installer.
+**ContentDB's purpose is to be a well-formatted source of information about mods, games,
+and texture packs for Luanti**.
+
+## How do I learn how to make mods and games for Luanti?
+
+You should read
+[the official Luanti Modding Book](https://rubenwardy.com/minetest_modding_book/)
+for a guide to making mods and games using Luanti.
+
+
+<h2 id="donate">How can I support / donate to ContentDB?</h2>
+
+You can donate to rubenwardy to cover ContentDB's costs and support future development.
+
+For more information about the cost of ContentDB and what rubenwardy does, see his donation page:
+
+<a href="https://rubenwardy.com/donate/" class="btn btn-primary me-1">Donate</a>
+<a href="/donate/" class="btn btn-secondary">Support Creators</a>
+
+## Sponsorships
+
+Luanti and ContentDB are sponsored by <a href="https://sentry.io/" rel="nofollow">sentry.io</a>.
+This provides us with improved error logging and performance insights.
--- a/app/flatpages/help.md
+++ b/app/flatpages/help.md
@@ -1,6 +1,42 @@
 title: Help
+toc: False

-* [Package Tags](package_tags)
-* [Ranks and Permissions](ranks_permissions)
-* [Content Ratings and Flags](content_flags)
-* [Reporting Content](reporting)
+
+## Rules
+
+* [Terms of Service](/terms/)
+* [Package Inclusion Policy and Guidance](/policy_and_guidance/)
+
+## General Help
+
+* [Frequently Asked Questions](faq/)
+* [Installing content](installing/)
+* [Content Ratings and Flags](content_flags/)
+* [Non-free Licenses](non_free/)
+* [Why WTFPL is a terrible license](wtfpl/)
+* [Ranks and Permissions](ranks_permissions/)
+* [Contact Us](contact_us/)
+* [Top Packages Algorithm](top_packages/)
+* [Featured Packages](featured/)
+* [Feeds](feeds/)
+
+## Help for Package Authors
+
+* [Package Inclusion Policy and Guidance](/policy_and_guidance/)
+* [Copyright Guide](copyright/)
+* [Git Update Detection](update_config/)
+* [Creating Releases using Webhooks](release_webhooks/)
+* [Package Configuration and Releases Guide](package_config/)
+* [Supported Games](game_support/)
+* [Creating an appealing ContentDB page](appealing_page/)
+
+
+## Help for Specific User Ranks
+
+* [Editors](editors/)
+
+## APIs
+
+* [API](api/)
+* [OAuth2 Applications](oauth/)
+* [Prometheus Metrics](metrics/)
--- a/app/flatpages/help/api.md
+++ b/app/flatpages/help/api.md
@@ -0,0 +1,592 @@
+title: API
+
+
+## Resources
+
+* [How the Luanti client uses the API](https://github.com/luanti-org/contentdb/blob/master/docs/luanti_client.md)
+
+
+## Responses and Error Handling
+
+If there is an error, the response will be JSON similar to the following with a non-200 status code:
+
+```json
+{
+    "success": false,
+    "error": "The error message"
+}
+```
+
+Successful GET requests will return the resource's information directly as a JSON response.
+
+Other successful results will return a dictionary with `success` equaling true, and
+often other keys with information. For example:
+
+```js
+{
+    "success": true,
+    "release": {
+        /* same as returned by a GET */
+    }
+}
+```
+
+
+### Paginated Results
+
+Some API endpoints returns results in pages. The page number is specified using the `page` query argument, and
+the number of items is specified using `num`
+
+The response will be a dictionary with the following keys:
+
+* `page`: page number, integer from 1 to max
+* `per_page`: number of items per page, same as `n`
+* `page_count`: number of pages
+* `total`: total number of results
+* `urls`: dictionary containing
+    * `next`: url to next page
+    * `previous`: url to previous page
+* `items`: array of items
+
+
+## Authentication
+
+Not all endpoints require authentication, but it is done using Bearer tokens:
+
+```bash
+curl https://content.luanti.org/api/whoami/ \
+    -H "Authorization: Bearer YOURTOKEN"
+```
+
+Tokens can be attained by visiting [Settings > API Tokens](/user/tokens/).
+
+* GET `/api/whoami/`:  JSON dictionary with the following keys:
+    * `is_authenticated`:  True on successful API authentication
+    * `username`:  Username of the user authenticated as, null otherwise.
+    * 4xx status codes will be thrown on unsupported authentication type, invalid access token, or other errors.
+* DELETE `/api/delete-token/`: Deletes the currently used token.
+
+```bash
+# Logout
+curl -X DELETE https://content.luanti.org/api/delete-token/ \
+    -H "Authorization: Bearer YOURTOKEN"
+```
+
+
+## Packages
+
+* GET `/api/packages/` (List)
+    * See [Package Queries](#package-queries)
+* GET `/api/packages/<username>/<name>/` (Read)
+    * Redirects a JSON object with the keys documented by the PUT endpoint, below.
+    * Plus:
+        * `forum_url`: String or null. 
+* PUT `/api/packages/<author>/<name>/` (Update)
+    * Requires authentication.
+    * JSON object with any of these keys (all are optional, null to delete Nullables):
+        * `type`: One of `GAME`, `MOD`, `TXP`.
+        * `title`: Human-readable title.
+        * `name`: Technical name (needs permission if already approved).
+        * `short_description`
+        * `dev_state`: One of `WIP`, `BETA`, `ACTIVELY_DEVELOPED`, `MAINTENANCE_ONLY`, `AS_IS`, `DEPRECATED`,
+            `LOOKING_FOR_MAINTAINER`.
+        * `tags`: List of [tag](#tags) names.
+        * `content_warnings`: List of [content warning](#content-warnings) names.
+        * `license`: A [license](#licenses) name.
+        * `media_license`: A [license](#licenses) name.
+        * `long_description`: Long markdown description.
+        * `repo`: Source repository (eg: Git)
+        * `website`: Website URL.
+        * `issue_tracker`: Issue tracker URL.
+        * `forums`: forum topic ID.
+        * `video_url`: URL to a video.
+        * `donate_url`: URL to a donation page.
+        * `translation_url`: URL to send users interested in translating your package.
+        * `game_support`: Array of game support information objects. Not currently documented,
+    * Returns a JSON object with:
+        * `success`
+        * `package`: updated package
+        * `was_modified`: bool, whether anything changed
+* GET `/api/packages/<username>/<name>/for-client/`
+    * Similar to the read endpoint, but optimised for the Luanti client
+    * `long_description` is given as a hypertext object, see `/hypertext/` below.
+    * `info_hypertext` is the info sidebar as a hypertext object.
+    * Query arguments
+        * `formspec_version`: Required. See /hypertext/ below.
+        * `include_images`: Optional, defaults to true. If true, images use `<img>`. If false, they're linked.
+        * `protocol_version`: Optional, used to get the correct release.
+        * `engine_version`: Optional, used to get the correct release. Ex: `5.3.0`.
+* GET `/api/packages/<username>/<name>/for-client/reviews/`
+    * Returns hypertext representing the package's reviews
+    * Query arguments
+        * `formspec_version`: Required. See /hypertext/ below.
+    * Returns JSON dictionary with following keys:
+        * `head`: markup for suggested styling and custom tags, prepend to the body before displaying.
+        * `body`: markup for long description.
+        * `links`: dictionary of anchor name to link URL.
+        * `images`: dictionary of img name to image URL.
+        * `image_tooltips`: dictionary of img name to tooltip text.
+    * The hypertext body contains some placeholders that should be replaced client-side:
+        * `<thumbsup>` with a thumbs up icon. 
+        * `<neutral>` with a thumbs up icon. 
+        * `<thumbsdown>` with a thumbs up icon. 
+* GET `/api/packages/<author>/<name>/hypertext/`
+    * Converts the long description to [Luanti Markup Language](https://github.com/luanti-org/luanti/blob/master/doc/lua_api.md#markup-language)
+      to be used in a `hypertext` formspec element.
+    * Query arguments:
+        * `formspec_version`: Required, maximum supported formspec version.
+        * `include_images`: Optional, defaults to true. If true, images use `<img>`. If false, they're linked.
+    * Returns JSON dictionary with following keys:
+        * `head`: markup for suggested styling and custom tags, prepend to the body before displaying.
+        * `body`: markup for long description.
+        * `links`: dictionary of anchor name to link URL.
+        * `images`: dictionary of img name to image URL.
+        * `image_tooltips`: dictionary of img name to tooltip text.
+* GET `/api/packages/<username>/<name>/dependencies/`
+    * Returns dependencies, with suggested candidates
+    * If query argument `only_hard` is present, only hard deps will be returned.
+* GET `/api/dependencies/`
+    * Returns `provides` and raw dependencies for all packages.
+    * Supports [Package Queries](#package-queries)
+    * [Paginated result](#paginated-results), max 300 results per page
+    * Each item in `items` will be a dictionary with the following keys:
+        * `type`: One of `GAME`, `MOD`, `TXP`.
+        * `author`: Username of the package author.
+        * `name`: Package name.
+        * `provides`: List of technical mod names inside the package.
+        * `depends`: List of hard dependencies.
+            * Each dep will either be a modname dependency (`name`), or a
+                package dependency (`author/name`).
+        * `optional_depends`: list of optional dependencies
+            * Same as above.
+* GET `/api/packages/<username>/<name>/stats/`
+    * Returns daily stats for package, or null if there is no data.
+    * Daily date is done based on the UTC timezone.
+    * EXPERIMENTAL. This API may change without warning.
+    * Query args:
+        * `start`: start date, inclusive. Optional. Default: 2022-10-01. UTC.
+        * `end`: end date, inclusive. Optional. Default: today. UTC.
+    * An object with the following keys:
+        * `start`: start date, inclusive. Ex: 2022-10-22. M
+        * `end`: end date, inclusive. Ex: 2022-11-05.
+        * `platform_minetest`: list of integers per day.
+        * `platform_other`: list of integers per day.
+        * `reason_new`: list of integers per day.
+        * `reason_dependency`: list of integers per day.
+        * `reason_update`: list of integers per day.
+* GET `/api/package_stats/`
+    * Returns last 30 days of daily stats for _all_ packages.
+    * An object with the following keys:
+        * `start`: start date, inclusive. Ex: 2022-10-22.
+        * `end`: end date, inclusive. Ex: 2022-11-05.
+        * `package_downloads`: map from package key to list of download integers.
+
+You can download a package by building one of the two URLs:
+
+```
+https://content.luanti.org/packages/${author}/${name}/download/`
+https://content.luanti.org/packages/${author}/${name}/releases/${release}/download/`
+```
+
+Examples:
+
+```bash
+# Edit package
+curl -X PUT https://content.luanti.org/api/packages/username/name/ \
+    -H "Authorization: Bearer YOURTOKEN" -H "Content-Type: application/json" \
+    -d '{ "title": "Foo bar", "tags": ["pvp", "survival"], "license": "MIT" }'
+
+# Remove website URL
+curl -X PUT https://content.luanti.org/api/packages/username/name/ \
+    -H "Authorization: Bearer YOURTOKEN" -H "Content-Type: application/json" \
+    -d '{ "website": null }'
+```
+
+### Package Queries
+
+Example:
+
+    /api/packages/?type=mod&type=game&q=mobs+fun&hide=nonfree&hide=gore
+
+Filter query parameters:
+
+* `type`: Filter by package type (`mod`, `game`, `txp`). Multiple types are OR-ed together.
+* `q`:  Query string.
+* `author`:  Filter by author.
+* `tag`:  Filter by tags. Multiple tags are AND-ed together.
+* `flag`: Filter to show packages with [Content Flags](/help/content_flags/).
+* `hide`:  Hide content based on tags or [Content Flags](/help/content_flags/).
+* `license`: Filter by [license name](#licenses). Multiple licenses are OR-ed together, ie: `&license=MIT&license=LGPL-2.1-only`
+* `game`: Filter by [Game Support](/help/game_support/), ex: `Warr1024/nodecore`. (experimental, doesn't show items that support every game currently).
+* `lang`: Filter by translation support, eg: `en`/`de`/`ja`/`zh_TW`.
+* `protocol_version`:  Only show packages supported by this Luanti protocol version.
+* `engine_version`:  Only show packages supported by this Luanti engine version, eg: `5.3.0`.
+
+Sorting query parameters:
+
+* `sort`:  Sort by (`name`, `title`, `score`, `reviews`, `downloads`, `created_at`, `approved_at`, `last_release`).
+* `order`:  Sort ascending (`asc`) or descending (`desc`).
+* `random`:  When present, enable random ordering and ignore `sort`.
+
+Format query parameters:
+
+* `limit`:  Return at most `limit` packages.
+* `fmt`:  How the response is formatted.
+    * `keys`:  author/name only.
+    * `short`:  stuff needed for the Luanti client.
+    * `vcs`: `short` but with `repo`.
+
+
+### Releases
+
+* GET `/api/releases/` (List)
+    * Limited to 30 most recent releases.
+    * Optional arguments:
+        * `author`: Filter by author
+        * `maintainer`: Filter by maintainer
+    * Returns array of release dictionaries with keys:
+        * `id`: release ID
+        * `name`: short release name
+        * `title`: human-readable title
+        * `release_notes`: string or null, what's new in this release. Markdown.
+        * `release_date`: Date released
+        * `url`: download URL
+        * `commit`: commit hash or null
+        * `downloads`: number of downloads
+        * `min_minetest_version`: dict or null, minimum supported Luanti version (inclusive).
+        * `max_minetest_version`: dict or null, minimum supported Luanti version (inclusive).
+        * `size`: size of zip file, in bytes.
+        * `package`
+            * `author`: author username
+            * `name`: technical name
+            * `type`: `mod`, `game`, or `txp`
+* GET `/api/updates/` (Look-up table)
+    * Returns a look-up table from package key (`author/name`) to latest release id
+    * Query arguments
+        * `protocol_version`:  Only show packages supported by this Luanti protocol version.
+        * `engine_version`:  Only show packages supported by this Luanti engine version, eg: `5.3.0`.
+* GET `/api/packages/<username>/<name>/releases/` (List)
+    * Returns array of release dictionaries, see above, but without package info.
+* GET `/api/packages/<username>/<name>/releases/<id>/` (Read)
+* POST `/api/packages/<username>/<name>/releases/new/` (Create)
+    * Requires authentication.
+    * Body can be JSON or multipart form data. Zip uploads must be multipart form data.
+    * `title`: human-readable name of the release.
+    * `release_notes`: string or null, what's new in this release.
+    * For Git release creation:
+        * `method`: must be `git`.
+        * `ref`: (Optional) git reference, eg: `master`.
+    * For zip upload release creation:
+        * `file`: multipart file to upload, like `<input type="file" name="file">`.
+        * `commit`: (Optional) Source Git commit hash, for informational purposes.
+    * You can set min and max Luanti Versions [using the content's .conf file](/help/package_config/).
+* DELETE `/api/packages/<username>/<name>/releases/<id>/` (Delete)
+    * Requires authentication.
+    * Deletes release.
+
+Examples:
+
+```bash
+# Create release from Git
+curl -X POST https://content.luanti.org/api/packages/username/name/releases/new/ \
+    -H "Authorization: Bearer YOURTOKEN" -H "Content-Type: application/json" \
+    -d '{
+        "method": "git",
+        "name": "1.2.3",
+        "title": "My Release",
+        "ref": "master",
+        "release_notes": "some\nrelease\nnotes\n"
+    }'
+
+# Create release from zip upload
+curl -X POST https://content.luanti.org/api/packages/username/name/releases/new/ \
+    -H "Authorization: Bearer YOURTOKEN" \
+    -F title="My Release" -F file=@path/to/file.zip
+
+# Create release from zip upload with commit hash
+curl -X POST https://content.luanti.org/api/packages/username/name/releases/new/ \
+    -H "Authorization: Bearer YOURTOKEN" \
+    -F title="My Release" -F commit="8ef74deec170a8ce789f6055a59d43876d16a7ea" -F file=@path/to/file.zip
+
+# Delete release
+curl -X DELETE https://content.luanti.org/api/packages/username/name/releases/3/ \
+    -H "Authorization: Bearer YOURTOKEN"
+```
+
+
+### Screenshots
+
+* GET `/api/packages/<username>/<name>/screenshots/` (List)
+    * Returns array of screenshot dictionaries with keys:
+        * `id`: screenshot ID
+        * `approved`: true if approved and visible.
+        * `title`: human-readable name for the screenshot, shown as a caption and alt text.
+        * `url`: absolute URL to screenshot.
+        * `created_at`: ISO time.
+        * `order`: Number used in ordering.
+        * `is_cover_image`: true for cover image.
+* GET `/api/packages/<username>/<name>/screenshots/<id>/` (Read)
+    * Returns screenshot dictionary like above.
+* POST `/api/packages/<username>/<name>/screenshots/new/` (Create)
+    * Requires authentication.
+    * Body is multipart form data.
+    * `title`: human-readable name for the screenshot, shown as a caption and alt text.
+    * `file`: multipart file to upload, like `<input type=file>`.
+    * `is_cover_image`: set cover image to this.
+* DELETE `/api/packages/<username>/<name>/screenshots/<id>/` (Delete)
+    * Requires authentication.
+    * Deletes screenshot.
+* POST `/api/packages/<username>/<name>/screenshots/order/`
+    * Requires authentication.
+    * Body is a JSON array containing the screenshot IDs in their order.
+* POST `/api/packages/<username>/<name>/screenshots/cover-image/`
+    * Requires authentication.
+    * Body is a JSON dictionary with "cover_image" containing the screenshot ID.
+
+Currently, to get a different size of thumbnail you can replace the number in `/thumbnails/1/` with any number from 1-3.
+The resolutions returned may change in the future, and we may move to a more capable thumbnail generation.
+
+Examples:
+
+```bash
+# Create screenshot
+curl -X POST https://content.luanti.org/api/packages/username/name/screenshots/new/ \
+    -H "Authorization: Bearer YOURTOKEN" \
+    -F title="My Release" -F file=@path/to/screnshot.png
+
+# Create screenshot and set it as the cover image
+curl -X POST https://content.luanti.org/api/packages/username/name/screenshots/new/ \
+    -H "Authorization: Bearer YOURTOKEN" \
+    -F title="My Release" -F file=@path/to/screnshot.png -F is_cover_image="true"
+
+# Delete screenshot
+curl -X DELETE https://content.luanti.org/api/packages/username/name/screenshots/3/ \
+    -H "Authorization: Bearer YOURTOKEN"
+
+# Reorder screenshots
+curl -X POST https://content.luanti.org/api/packages/username/name/screenshots/order/ \
+    -H "Authorization: Bearer YOURTOKEN" -H "Content-Type: application/json" \
+    -d "[13, 2, 5, 7]"
+
+# Set cover image
+curl -X POST https://content.luanti.org/api/packages/username/name/screenshots/cover-image/ \
+    -H "Authorization: Bearer YOURTOKEN" -H "Content-Type: application/json" \
+    -d "{ 'cover_image': 123 }"
+```
+
+
+### Reviews
+
+* GET `/api/packages/<username>/<name>/reviews/` (List)
+    * Returns array of review dictionaries with keys:
+        * `user`: dictionary with `display_name` and `username`.
+        * `title`: review title
+        * `comment`: the text
+        * `rating`: 1 for negative, 3 for neutral, 5 for positive
+        * `is_positive`: boolean
+        * `created_at`: iso timestamp
+        * `votes`: dictionary with `helpful` and `unhelpful`,
+* GET `/api/reviews/` (List)
+    * Returns a paginated response. This is a dictionary with `page`, `url`, and `items`.
+        * [Paginated result](#paginated-results)
+        * `items`: array of review dictionaries, like above
+            * Each review also has a `package` dictionary with `type`, `author` and `name`
+        * Ordered by created at, newest to oldest.
+    * Query arguments:
+        * `page`: page number, integer from 1 to max
+        * `n`: number of results per page, max 200
+        * `author`: filter by review author username
+        * `for_user`: filter by package author
+        * `rating`: 1 for negative, 3 for neutral, 5 for positive
+        * `is_positive`: true or false. Default: null
+        * `q`: filter by title (case-insensitive, no fulltext search)
+
+Example:
+
+```json
+[
+  {
+    "comment": "This is a really good mod!",
+    "created_at": "2021-11-24T16:18:33.764084",
+    "is_positive": true,
+    "title": "Really good",
+    "user": {
+      "display_name": "rubenwardy",
+      "username": "rubenwardy"
+    },
+    "votes": {
+      "helpful": 0,
+      "unhelpful": 0
+    }
+  }
+]
+```
+
+
+## Users
+
+* GET `/api/users/<username>/`
+    * `username`
+    * `display_name`: human-readable name to be displayed in GUIs.
+    * `rank`: ContentDB [rank](/help/ranks_permissions/).
+    * `profile_pic_url`: URL to profile picture, or null.
+    * `website_url`: URL to website, or null.
+    * `donate_url`: URL to donate page, or null.
+    * `connections`: object
+        * `github`: GitHub username, or null.
+        * `forums`: forums username, or null.
+    * `links`: object
+        * `api_packages`: URL to API to list this user's packages.
+        * `profile`: URL to the HTML profile page.
+* GET `/api/users/<username>/stats/`
+    * Returns daily stats for the user's packages, or null if there is no data.
+    * Daily date is done based on the UTC timezone.
+    * EXPERIMENTAL. This API may change without warning.
+    * Query args:
+        * `start`: start date, inclusive. Optional. Default: 2022-10-01. UTC.
+        * `end`: end date, inclusive. Optional. Default: today. UTC.
+    * A table with the following keys:
+        * `from`: start date, inclusive. Ex: 2022-10-22.
+        * `end`: end date, inclusive. Ex: 2022-11-05.
+        * `package_downloads`: map of package title to list of integers per day.
+        * `platform_minetest`: list of integers per day.
+        * `platform_other`: list of integers per day.
+        * `reason_new`: list of integers per day.
+        * `reason_dependency`: list of integers per day.
+        * `reason_update`: list of integers per day.
+
+
+## Topics
+
+* GET `/api/topics/` ([View](/api/topics/))
+    * See [Topic Queries](#topic-queries)
+
+### Topic Queries
+
+Example:
+
+    /api/topics/?q=mobs&type=mod&type=game
+
+Supported query parameters:
+
+* `q`:  Query string.
+* `type`:  Package types (`mod`, `game`, `txp`).
+* `sort`:  Sort by (`name`, `views`, `created_at`).
+* `show_added`:  Show topics that have an existing package.
+* `limit`:  Return at most `limit` topics.
+
+
+## Collections
+
+* GET `/api/collections/`
+    * Query args:
+        * `author`: collection author username.
+        * `package`: collections that contain the package.
+    * Returns JSON array of collection entries:
+        * `author`: author username.
+        * `name`: collection name.
+        * `title`
+        * `short_description`
+        * `created_at`: creation time in iso format.
+        * `private`: whether collection is private, boolean.
+        * `package_count`: number of packages, integer.
+* GET `/api/collections/<username>/<name>/`
+    * Returns JSON object for collection:
+        * `author`: author username.
+        * `name`: collection name.
+        * `title`
+        * `short_description`
+        * `long_description`
+        * `created_at`: creation time in iso format.
+        * `private`: whether collection is private, boolean.
+        * `items`: array of item objects:
+            * `package`: short info about the package.
+            * `description`: custom short description.
+            * `created_at`: when the package was added to the collection.
+            * `order`: integer.
+
+## Types
+
+### Tags
+
+* GET `/api/tags/` ([View](/api/tags/))
+    * List of objects with:
+        * `name`:  technical name.
+        * `title`:  human-readable title.
+        * `description`:  tag description or null.
+        * `views`: number of views of this tag.
+
+### Content Warnings
+
+* GET `/api/content_warnings/` ([View](/api/content_warnings/))
+    * List of objects with
+        * `name`:  technical name
+        * `title`:  human-readable title
+        * `description`:  tag description or null
+
+### Licenses
+
+* GET `/api/licenses/` ([View](/api/licenses/))
+    * List of objects with:
+        * `name`
+        * `is_foss`: whether the license is foss
+
+### Luanti Versions
+
+* GET `/api/minetest_versions/` ([View](/api/minetest_versions/))
+    * List of objects with:
+        * `name`: Version name.
+        * `is_dev`: boolean, is dev version.
+        * `protocol_version`: protocol version number.
+
+### Languages
+
+* GET `/api/languages/` ([View](/api/languages/))
+    * List of objects with:
+        * `id`: language code.
+        * `title`: native language name.
+        * `has_contentdb_translation`: whether ContentDB has been translated into this language.
+
+
+## Misc
+
+* GET `/api/scores/` ([View](/api/scores/))
+    * See [Top Packages Algorithm](/help/top_packages/).
+    * Supports [Package Queries](#package-queries).
+    * Returns list of:
+        * `author`: package author name.
+        * `name`: package technical name.
+        * `downloads`: number of downloads.
+        * `score`: total package score.
+        * `score_reviews`: score from reviews.
+        * `score_downloads`: score from downloads.
+        * `reviews`: a dictionary of
+          * `positive`: int, number of positive reviews.
+          * `neutral`: int, number of neutral reviews.
+          * `negative`: int, number of negative reviews.
+* GET `/api/homepage/` ([View](/api/homepage/)) - get contents of homepage.
+    * `count`:  number of packages
+    * `downloads`:  get number of downloads
+    * `new`:  new packages
+    * `updated`:  recently updated packages
+    * `pop_mod`:  popular mods
+    * `pop_txp`:  popular textures
+    * `pop_game`:  popular games
+    * `high_reviewed`:  highest reviewed
+* GET `/api/cdb_schema/` ([View](/api/cdb_schema/))
+    * Get JSON Schema of `.cdb.json`, including licenses, tags and content warnings.
+    * See [JSON Schema Reference](https://json-schema.org/).
+* POST `/api/hypertext/`
+    * Converts HTML or Markdown to [Luanti Markup Language](https://github.com/luanti-org/luanti/blob/master/doc/lua_api.md#markup-language)
+      to be used in a `hypertext` formspec element.
+    * Post data: HTML or Markdown as plain text.
+    * Content-Type: `text/html` or `text/markdown`.
+    * Query arguments:
+        * `formspec_version`: Required, maximum supported formspec version. Ie: 6
+        * `include_images`: Optional, defaults to true. If true, images use `<img>`. If false, they're linked.
+    * Returns JSON dictionary with following key:
+        * `head`: markup for suggested styling and custom tags, prepend to the body before displaying.
+        * `body`: markup for long description.
+        * `links`: dictionary of anchor name to link URL.
+        * `images`: dictionary of img name to image URL
+        * `image_tooltips`: dictionary of img name to tooltip text.
--- a/app/flatpages/help/appealing_page.md
+++ b/app/flatpages/help/appealing_page.md
@@ -0,0 +1,74 @@
+title: Creating an appealing ContentDB page
+
+## Title and short description
+
+Make sure that your package's title is unique, short, and descriptive.
+
+Expand on the title with the short description. You have a limited number
+of characters, use them wisely!
+
+```ini
+# Bad, we know this is a mod for Luanti. Doesn't give much information other than "food"
+description = The food mod for Luanti
+# Much better, says what is actually in this mod!
+description = Adds soup, cakes, bakes and juices
+```
+
+## Thumbnail
+
+A good thumbnail goes a long way to making a package more appealing. It's one of the few things
+a user sees before clicking on your package. Make sure it's possible to tell what a
+thumbnail is when it's small.
+
+For a preview of what your package will look like inside Luanti, see
+Edit Package > Screenshots.
+
+## Screenshots
+
+Upload a good selection of screenshots that show what is possible with your packages.
+You may wish to focus on a different key feature in each of your screenshots.
+
+A lot of users won't bother reading text, and will just look at screenshots.
+
+## Long description
+
+The target audience of your package page is end users.
+The long description should explain what your package is about,
+why the user should choose it, and how to use it if they download it.
+
+[NodeCore](https://content.luanti.org/packages/Warr1024/nodecore/) is a good
+example of what to do. For inspiration, you might want to look at how games on
+Steam write their descriptions.
+
+Your long description might contain:
+
+* What does the package contain/have? ie: list of high-level features.
+* What makes it special? Why should users choose this over another package?
+* How can you use it?
+
+The following are redundant and should probably not be included:
+
+* A heading with the title of the package
+* The short description
+* Links to a Git repository, the forum topic, the package's ContentDB page (ContentDB has fields for this)
+* License (unless you need to give more information than ContentDB's license fields)
+* API reference (unless your mod is a library only)
+* Development instructions for your package (this should be in the repo's README)
+* Screenshots that are already uploaded (unless you want to embed a recipe image in a specific place)
+    * Note: you should avoid images in the long description as they won't be visible inside Luanti,
+      when support for showing the long description is added.
+
+## Localize / Translate your package
+
+According to Google Play, 64% of Luanti Android users don't have English as their main language.
+Adding translation support to your package increases accessibility. Using content translation, you
+can also translate your ContentDB page. See Edit Package > Translation for more information.
+
+<p>
+    <a class="btn btn-primary me-2" href="https://rubenwardy.com/minetest_modding_book/en/quality/translations.html">
+        {{ _("Translation - Luanti Modding Book") }}
+    </a>
+    <a class="btn btn-primary" href="https://api.luanti.org/translations/#translating-content-meta">
+        {{ _("Translating content meta - lua_api.md") }}
+    </a>
+</p>
--- a/app/flatpages/help/contact_us.md
+++ b/app/flatpages/help/contact_us.md
@@ -0,0 +1,14 @@
+title: Contact Us
+
+## Reports
+
+Please let us know if anything on the ContentDB violates our rules or any applicable
+laws.
+
+We take copyright violation and other offenses very seriously.
+
+<a href="/report/" class="btn btn-primary">Report</a>
+
+## Other
+
+<a href="{{ admin_contact_url }}" class="btn btn-primary">Contact the admin</a>
--- a/app/flatpages/help/content_flags.md
+++ b/app/flatpages/help/content_flags.md
@@ -6,21 +6,36 @@ your client to use new flags.

 ## Flags

-* `nonfree` - can be used to hide packages which do not qualify as
-	'free software', as defined by the Free Software Foundation.
-* A content rating, given below.
+Luanti allows you to specify a comma-separated list of flags to hide in the
+client:

+```
+contentdb_flag_blacklist = nonfree, bad_language, drugs
+```

-## Ratings
+A flag can be:

-Content ratings aren't currently supported by ContentDB.
-Instead, mature content isn't allowed at all for now.
+* `nonfree`: can be used to hide packages which do not qualify as
+    'free software', as defined by the Free Software Foundation.
+* `wip`: packages marked as Work in Progress
+* `deprecated`: packages marked as Deprecated
+* A content warning, given below.
+* `*`: hides all content warnings.

-In the future, more mature content will be allowed but labelled with
-content ratings which may contain the following:
+There are also two meta-flags, which are designed so that we can change how different platforms filter the package list
+without making a release.

-* android_default - meta-rating which includes gore and drugs.
-* desktop_default - meta-rating which won't include anything for now.
-* gore - more than just blood
-* drugs
-* swearing
+* `android_default`: currently same as `*, deprecated`. Hides all content warnings and deprecated packages
+* `desktop_default`: currently same as `deprecated`. Hides deprecated packages
+
+## Content Warnings
+
+Packages with mature content will be tagged with a content warning based
+on the content type.
+
+* `alcohol_tobacco`: alcohol or tobacco.
+* `bad_language`: swearing.
+* `gambling`
+* `gore`: blood, etc.
+* `horror`: shocking and scary content.
+* `violence`: non-cartoon violence.
--- a/app/flatpages/help/copyright.md
+++ b/app/flatpages/help/copyright.md
@@ -0,0 +1,147 @@
+title: Copyright Guide
+
+## Why should I care?
+
+Falling foul of copyright law can put you and ContentDB into legal trouble. Receiving a Cease and Desist, DMCA notice,
+or a Court Summons isn't pleasant for anyone, and can turn out to be very expensive. This page contains some
+guidance on how to ensure your content is clearly licensed and attributed to avoid these issues.
+
+Additionally, ContentDB and the forums both have some
+[requirements on the licenses](/policy_and_guidance/#41-allowed-licenses) you are allowed to use. Both require
+[free distribution and modification](/help/non_free/), allowing us to remain an open community where people can fork
+and remix each other's content. To this end, you need to make sure your content is clearly licensed.
+
+**As always, we are not lawyers and this does not constitute legal advice.**
+
+
+## What do I need to do?
+
+### Follow the licenses
+
+Make sure you understand the licenses for anything you copy into your content.
+[TL;DR Legal](https://tldrlegal.com/license/mit-license) is a good resource for quickly understanding
+licenses, although you should actually read the text as well.
+
+If you use code from other sources (such as mods or games), you'll need to make sure you follow
+their license. A common one is attribution, you should do this by adding a comment next to the
+code and crediting the author in your LICENSE file.
+
+It's sometimes fine to copy trivial/small amounts of code under fair use, but this
+is a bit of a grey area. It's better to understand the solution and rewrite it yourself.
+
+### List the sources of your media
+
+It's a good idea to create a list of all the media you used in your package, as it allows
+you to keep track of where the media came from. Media includes textures, 3d models,
+sounds, and more.
+
+You should have the following information:
+
+* File name (as found in your package)
+* Author name
+* License
+* Source (URL to the webpage, mod name, website name)
+
+It's common to do this in README.md or LICENSE.md like so:
+
+```md
+* conquer_arrow_*.png from [Simple Shooter](https://github.com/stujones11/shooter) by Stuart Jones, CC0 1.0.
+* conquer_arrow.b3d from [Simple Shooter](https://github.com/stujones11/shooter) by Stuart Jones, CC-BY-SA 3.0.
+* conquer_arrow_head.png from MTG, CC-BY-SA 3.0.
+* health_*.png from [Gauges](https://content.luanti.org/packages/Calinou/gauges/) by Calinou, CC0.
+```
+
+if you have a lot of media, then you can split it up by author like so:
+
+```md
+[Kenney](https://www.kenney.nl/assets/voxel-pack), CC0:
+
+* mymod_fence.png
+
+John Green, CC BY-SA 4.0 from [OpenGameArt](https://opengameart.org/content/tiny-16-basic):
+
+* mymod_texture.png
+* mymod_another.png
+
+Your Name, CC BY-SA 4.0:
+
+* mymod_texture_i_made.png
+```
+
+
+## Where can I get freely licensed media?
+
+* [OpenGameArt](https://opengameart.org/) - everything
+* [Kenney game assets](https://www.kenney.nl/assets) - everything
+* [Free Sound](https://freesound.org/) - sounds
+* [PolyHaven](https://polyhaven.com/) - 3d models and textures.
+* Other Luanti mods/games
+
+    Don't assume the author has correctly licensed their work.
+    Make sure they have clearly indicated the source in a list [like above](#list-the-sources-of-your-media).
+    If they didn't make it, then go to the actual source to check the license.
+
+
+## Common Situations
+
+### I made it myself, using X as a guide
+
+Copying by hand is still copying, the law doesn't distinguish this from copy+paste.
+Make your own art without copying colors or patterns from existing games/art.
+
+If you need a good set of colors, see [LOSPEC](https://lospec.com/palette-list).
+
+### I got it from Google Images / Search / the Internet
+
+You do not have permission to use things unless you are given permission to do so by the author.
+No license is exactly the same as "Copyright &copy; All Rights Reserved".
+To use on ContentDB or the forums, you must also be given a clear license.
+
+Try searching with "creative commons" in the search term, and then clicking through to the page
+and looking for a license. Make sure the source looks trustworthy, as there are a lot of websites
+that rip off art and give an incorrect license. But it might be better to use a trusted source directly, see
+[the section above](#where-can-i-get-freely-licensed-media) for a list.
+
+### I have permission from the author
+
+You'll also need to make sure that the author gives you an explicit license for it, such as CC BY-SA 4.0.
+Permission for *you* to use it doesn't mean that *everyone* has permission to use it. A license outlines the terms of
+the permission, making things clearer and less vague.
+
+### The author said it's free for anyone to use, is that enough?
+
+No, you need an explicit license like CC0 or CC BY-SA 4.0. ContentDB does not allow custom licenses
+or public domain.
+
+### I used an AI
+
+Errrr. This is a legally untested area, we highly recommend that **you don't use AI art/code** in packages
+for that reason.
+
+For now, we haven't banned AI art/code from ContentDB. Make sure to clearly include it in your package's
+credit list (include the name of the AI tool used).
+
+Check the tools terms and conditions to see if there are any constraints on use. It looks
+like AI-generated art and code isn't copyrightable by itself, but the tool's T&Cs may still
+impose conditions.
+
+AI art/code may regurgitate copyrighted things. Make sure that you don't include the
+names of any copyrighted materials in your AI prompts, such as names of games or artists.
+
+## What does ContentDB do?
+
+The package authors and maintainers are responsible for the licenses and copyright of packages on ContentDB.
+ContentDB editors will check packages to make sure the package page's license matches up with the list of licenses
+inside the package download, but do not investigate each piece of media or line of code.
+
+If a copyright violation is reported to us, we will unlist the package and contact the author/maintainers.
+Once the problem has been fixed, the package can be restored. Repeated copyright infringement may lead to
+permanent bans.
+
+
+## Where can I get help?
+
+[Join](https://www.luanti.org/get-involved/) IRC, Matrix, or Discord to ask for help.
+In Discord, there are the #assets or #contentdb channels. In IRC or Matrix, you can just ask in the main channels.
+
+If your package is already on ContentDB, you can open a thread.
--- a/app/flatpages/help/editors.md
+++ b/app/flatpages/help/editors.md
@@ -0,0 +1,56 @@
+title: Editors
+
+## What should editors do?
+
+Editors are users of rank Editor or above.
+They are responsible for ensuring that the package listings of ContentDB are useful.
+For this purpose, they can/will:
+
+* Review and approve packages.
+* Edit any package - including tags, releases, screenshots, and maintainers.
+* Create packages on behalf of authors who aren't present.
+
+Editors should make sure they are familiar with the
+[Package Inclusion Policy and Guidance](/policy_and_guidance/).
+
+## ContentDB is not a curated platform
+
+It's important to note that ContentDB isn't a curated platform - a mod doesn't need to be good
+to be accepted, but there are some minimum requirements when it comes to usefulness and other things.
+See 2.2 in the [Policy and Guidance](/policy_and_guidance/).
+
+## Editor Work Queue
+
+The [Editor Work Queue](/todo/) and related pages contain useful information for editors, such as:
+
+* The package, release, and screenshot approval queues.
+* Packages which are outdated or are missing tags.
+* A list of forum topics without packages.
+
+## Editor Notifications
+
+Editors currently receive notifications for any new thread opened on a package, so that they
+know when a user is asking for help. These notifications are shown separately in the notifications
+interface, and can be configured separately in Emails and Notifications.
+
+## Crash Course to being an Editor
+
+The [Package Inclusion Policy and Guidance](/policy_and_guidance/) is our go-to resource for making decisions in 
+changes needed, similar to how lua_api.txt is the doc for modders to consult.
+
+In the [Editor console](/todo/), the two most important tabs are the Editor Work Queue and the Forum 
+Topics tab. Primarily you will be focusing on the Editor Work Queue tab, where a list of packages to review is.
+
+When you have some free time, feel free to scroll through the Forum Topics page and import mods into ContentDB.
+But don't import a mod if it's broken, outdated, not that useful, or not worth importing - click Discard instead.
+
+A simplified process for reviewing a package is as follows:
+
+1. scan the package image if present for any obvious closed source assets.
+2. if right to a name warning is present, check its validity and if the package meets 
+   the exceptions.
+3. if the forums topic missing warning is present, feel free to check it, but it's 
+   usually incorrect.
+4. check source, etc links to make sure they work and are correct.
+5. verify that the package has license file that matches what is on the contentdb fields
+6. if the above steps pass, approve the package, else request changes needed from the author
--- a/app/flatpages/help/faq.md
+++ b/app/flatpages/help/faq.md
@@ -0,0 +1,68 @@
+title: Frequently Asked Questions
+description: FAQ about using ContentDB
+
+## Users and Logins
+
+### How do I create an account?
+
+How you create an account depends on whether you have a forum account.
+
+If you have a forum account, then you'll need to prove that you are the owner of the account. This can
+be done using a GitHub account or a random string in your forum account signature.
+
+If you don't, then you can just sign up using an email address and password.
+
+GitHub can only be used to log in, not to register.
+
+<a class="btn btn-primary" href="/user/claim/">Register</a>
+
+
+### My verification email never arrived
+
+There are a number of reasons this may have happened:
+
+* Incorrect email address entered.
+* Temporary problem with ContentDB.
+* Email has been unsubscribed.
+
+**When creating an account by email:**
+If the email doesn't arrive after registering by email, then you'll need to
+try registering again in 12 hours. Unconfirmed accounts are deleted after 12 hours.
+
+**When changing your email (or it was set after a forum-based registration)**:
+then you can just set a new email in
+[Settings > Email and Notifications](/user/settings/email/).
+
+If you have previously unsubscribed this email, then ContentDB is completely prevented from sending emails to that
+address. You'll need to use a different email address, or [contact the admin]({{ admin_contact_url }}) to
+remove your email from the blacklist.
+
+
+## Packages
+
+### How can I create releases automatically?
+
+There are a number of methods:
+
+* [Git Update Detection](/help/update_config/): ContentDB will check your Git repo daily, and create updates or send you notifications.
+* [Webhooks](/help/release_webhooks/): you can configure your Git host to send a webhook to ContentDB, and create an update immediately.
+* the [API](/help/api/): This is especially powerful when combined with CI/CD and other API endpoints.
+
+### How do I learn how to make mods and games for Luanti?
+
+You should read
+[the official Luanti Modding Book](https://rubenwardy.com/minetest_modding_book/)
+for a guide to making mods and games using Luanti.
+
+### How do I install something from here?
+
+See [Installing content](/help/installing/).
+
+### How can my package get more downloads?
+
+See [Creating an appealing ContentDB page](/help/appealing_page/).
+
+
+## How do I get help?
+
+Please [contact rubenwardy](https://rubenwardy.com/contact/).
--- a/app/flatpages/help/featured.md
+++ b/app/flatpages/help/featured.md
@@ -0,0 +1,137 @@
+title: Featured Packages
+
+<p class="alert alert-warning">
+	<b>Note:</b> This is a draft, and is likely to change
+</p>
+
+## What are Featured Packages?
+
+Featured Packages are shown at the top of the ContentDB homepage. In the future,
+featured packages may be shown inside the Luanti client.
+
+The purpose is to promote content that demonstrates a high quality of what is
+possible in Luanti. The selection should be varied, and should vary over time.
+The featured content should be content that we are comfortable recommending to
+a first time player.
+
+## How are the packages chosen?
+
+Before a package can be considered, it must fulfil the criteria in the below lists.
+There are three types of criteria:
+
+* "MUST": These must absolutely be fulfilled, no exceptions!
+* "SHOULD": Most of them should be fulfilled, if possible. Some of them can be
+  left out if there's a reason.
+* "CAN": Can be fulfilled for bonus points, they are entirely optional.
+
+For a chance to get featured, a package must fulfil all "MUST" criteria and
+ideally as many "SHOULD" criteria as possible. The more, the better. Thankfully,
+many criteria are trivial to fulfil. Note that ticking off all the boxes is not
+enough: Just because a package completes the checklist does not make it good.
+Other aspects of the package should be rated as well. See this list as a
+starting point, not as an exhaustive quality control.
+
+Editors are responsible for maintaining the list of featured packages. Authors
+can request that their package be considered by opening a thread titled
+"Feature Package" on their package. To speed things up, they should justify
+why they meet (or don't meet) the below criteria. Editors must abstain from
+voting on packages where they have a conflict of interest.
+
+A package being featured does not mean that it will be featured forever. A
+package may be unfeatured if it no longer meets the criteria, to make space for
+other packages to be featured, or for another reason.
+
+## General Requirements
+
+### General
+
+* MUST: Be 100% free and open source (as marked as Free on ContentDB).
+* MUST: Work out-of-the-box (no weird setup or settings required).
+* MUST: Be compatible with the latest stable Luanti release.
+* SHOULD: Use public source control (such as Git).
+* SHOULD: Have at least 3 reviews, and be largely positive.
+
+### Stability
+
+* MUST: Be well maintained (author is present and active).
+* MUST: Be reasonably stable, with no game-breaking or major bugs.
+* MUST: The author does not consider the package to be in an
+  experimental/development/alpha state. Beta and "unfinished" packages are fine.
+* MUST: No error messages from the engine (e.g. missing textures).
+* SHOULD: No major map breakages (including unknown nodes, corruption, loss of inventories).
+  Map breakages are a sign that the package isn't sufficiently stable.
+
+Note: Any map breakage will be excused if "disaster relief" (i.e. tools to repair the damage)
+is available.
+
+### Meta and packaging
+
+* MUST: `screenshot.png` is present and up-to-date, with a correct aspect ratio (3:2, at least 300x200).
+* MUST: Have a high resolution cover image on ContentDB (at least 1280x720 pixels).
+  It may be shown cropped to 16:9 aspect ratio, or shorter.
+* MUST: mod.conf/game.conf/texture_pack.conf present with:
+    * name (if mod or game)
+    * description
+    * dependencies (if relevant)
+    * `min_minetest_version` and `max_minetest_version` (if relevant)
+* MUST: Contain a README file and a LICENSE file. These may be `.md` or `.txt`.
+    * README files typically contain helpful links (download, manual, bugtracker, etc), and other
+      information that players or (potential) contributors may need.
+* SHOULD: All important settings are in settingtypes.txt with description.
+
+## Game-specific Requirements
+
+### Meta and packaging
+
+* MUST: Have a main menu icon and header image.
+
+### Stability
+
+* MUST: If any major setting (like `enable_damage`) is unsupported, the game must disable it
+  using `disabled_settings` in the `game.conf`, and deal with it appropriately in the code
+  (e.g. force-disable the setting, as the user may still set the setting in `minetest.conf`)
+
+### Usability
+
+* MUST: Unsupported mapgens are disabled in game.conf.
+* SHOULD: Passes the Beginner Test: A newbie to the game (but not Luanti) wouldn't get completely
+  stuck within the first 5 minutes of playing.
+* SHOULD: Have good documentation. This may include one or more of:
+    * A craftguide, or other in-game learning system
+    * A manual
+    * A wiki
+    * Something else
+
+### Gameplay
+
+* CAN: Passes the Six Hour Test (only applies to sandbox games): The game doesn't run out of new
+  content before the first 6 hours of playing.
+* CAN: Players don't feel that something in the game is "lacking".
+
+### Audiovisuals
+
+* MUST: Audiovisual design should be of good quality.
+* MUST: No obvious GUI/HUD breakages.
+* MUST: Sounds have no obvious artifacts like clicks or unintentional noise.
+* SHOULD: Graphical design is mostly consistent.
+* SHOULD: Sounds are used.
+* SHOULD: Sounds are normalized (more or less).
+
+### Quality Assurance
+
+* MUST: No flooding the console/log file with warnings.
+* MUST: No duplicate crafting recipes.
+* MUST: Highly experimental game features are disabled by default.
+* MUST: Experimental game features are clearly marked as such.
+* SHOULD: No unknown nodes/items/objects appear.
+* SHOULD: No dependency on legacy API calls.
+* SHOULD: No console warnings.
+
+### Writing
+
+* MUST: All items that can be obtained in normal gameplay have `description` set (whether in the definition or meta).
+* MUST: Game is not littered with typos or bad grammar (a few typos are OK but should be fixed, when found).
+* SHOULD: All items have unique names (items which disguise themselves as another item are exempt).
+* SHOULD: The writing style of all item names is grammatical and consistent.
+* SHOULD: Descriptions of things convey useful and meaningful information (if applicable).
+* CAN: Text is written in clear and (if possible) simple language.
--- a/app/flatpages/help/feeds.md
+++ b/app/flatpages/help/feeds.md
@@ -0,0 +1,16 @@
+title: Feeds
+
+You can follow updates from ContentDB in your RSS feed reader. If in doubt, copy the Atom URL.
+
+* All events: [Atom]({{ url_for('feeds.all_atom') }}) | [JSONFeed]({{ url_for('feeds.all_json') }})
+* New packages: [Atom]({{ url_for('feeds.packages_all_atom') }}) | [JSONFeed]({{ url_for('feeds.packages_all_json') }})
+* New releases: [Atom]({{ url_for('feeds.releases_all_atom') }}) | [JSONFeed]({{ url_for('feeds.releases_all_json') }})
+
+## Package feeds
+
+Follow new releases for a package:
+
+```
+https://content.luanti.org/packages/AUTHOR/NAME/releases_feed.atom
+https://content.luanti.org/packages/AUTHOR/NAME/releases_feed.json
+```
--- a/app/flatpages/help/game_support.md
+++ b/app/flatpages/help/game_support.md
@@ -0,0 +1,52 @@
+title: Supported Games
+
+## Why?
+
+The supported/compatible games feature allows mods to specify the games that
+they work with, which improves user experience.
+
+
+## Support sources
+
+### mod.conf / texture_pack.conf
+
+You can use `supported_games` to specify games that your mod/modpack/texture
+pack is compatible with.
+
+You can use `unsupported_games` to specify games that your package doesn't work
+with, which is useful for overriding ContentDB's automatic detection.
+
+Both of these are comma-separated lists of game technical ids. Any `_game`
+suffixes are ignored, just like in Luanti.
+
+    supported_games = minetest_game, repixture
+    unsupported_games = lordofthetest, nodecore, whynot
+
+If your package supports all games by default, you can put "*" in
+supported_games. You can still use unsupported_games to mark games as
+unsupported. You can also specify games that you've tested in supported_games.
+
+    # Should work with all games but I've only tested using Minetest Game:
+    supported_games = *, minetest_game
+
+    # But doesn't work in capturetheflag
+    unsupported_game = capturetheflag
+
+### Dependencies
+
+ContentDB will analyse hard dependencies and work out which games a mod
+supports.
+
+This uses a recursive algorithm that works out whether a dependency can be
+installed independently, or if it requires a certain game.
+
+### On ContentDB
+
+You can define supported games on ContentDB, but using .conf is recommended
+instead.
+
+
+## Combining all the sources
+
+.conf will override anything ContentDB detects. The manual override on ContentDB
+overrides .conf and dependencies.
--- a/app/flatpages/help/installing.md
+++ b/app/flatpages/help/installing.md
@@ -0,0 +1,89 @@
+title: How to install mods, games, and texture packs
+description: A guide to installing mods, games, and texture packs in Luanti.
+
+## Installing from the main menu (recommended)
+
+### Install
+
+1. Open the mainmenu
+2. Go to the Content tab and click "Browse online content".
+   If you don't see this, then you need to update Luanti to v5.
+3. Search for the package you want to install, and click "Install".
+4. When installing a mod, you may be shown a dialog about dependencies here.
+   Make sure the base game dropdown box is correct, and then click "Install".
+
+<div class="row mt-5">
+  <div class="col-md-6">
+    <figure>
+      <a href="/static/installing_content_tab.png">
+        <img class="w-100" src="/static/installing_content_tab.png" alt="Screenshot of the content tab in Luanti">
+      </a>
+      <figcaption class="text-muted ps-1">
+        1. Click Browser Online Content in the content tab.
+      </figcaption>
+    </figure>
+  </div>
+  <div class="col-md-6">
+    <figure>
+      <a href="/static/installing_cdb_dialog.png">
+        <img class="w-100" src="/static/installing_cdb_dialog.png" alt="Screenshot of the content tab in Luanti">
+      </a>
+      <figcaption class="text-muted ps-1">
+        2. Search for the package and click "Install".
+      </figcaption>
+    </figure>
+  </div>
+</div>
+
+Troubleshooting:
+
+* I can't find it in the ContentDB dialog (Browse online content)
+    * Make sure that you're on the latest version of Luanti.
+    * Are you using Android? Packages with content warnings are hidden by default on android,
+      you can show them by removing `android_default` from the `contentdb_flag_blacklist` setting.
+    * Does the webpage show "Non-free" warnings? Non-free content is hidden by default from all clients,
+      you can show them by removing `nonfree` from the `contentdb_flag_blacklist` setting.
+* It says "required dependencies could not be found"
+    * Make sure you're using the correct "Base Game". A lot of packages only work with certain games, you can look
+      at "Compatible Games" on the web page to see which.
+
+### Enable in Select Mods
+
+1. Mods: Enable the content using "Select Mods" when selecting a world.
+2. Games: choose a game when making a world.
+3. Texture packs: Content > Select pack > Click enable.
+
+
+<div class="row mt-5">
+  <div class="col-md-6">
+    <figure>
+      <a href="/static/installing_select_mods.png">
+        <img class="w-100" src="/static/installing_select_mods.png" alt="Screenshot of Select Mods in Luanti">
+      </a>
+      <figcaption class="text-muted ps-1">
+        Enable mods using the Select Mods dialog.
+      </figcaption>
+    </figure>
+  </div>
+</div>
+
+## Installing using the command line
+
+### Git clone
+
+1. Install git
+2. Find the package on ContentDB and copy "source" link.
+3. Find the user data directory.
+   In 5.4.0 and above, you can click "Open user data directory" in the Credits tab.
+   Otherwise:
+     * Windows: wherever you extracted or installed Luanti to.
+     * Linux: usually `~/.minetest/`
+4. Open or create the folder for the type of content (`mods`, `games`, or `textures`)
+5. Git clone there
+6. For mods, make sure to install any required dependencies.
+
+### Enable
+
+* Mods: Edit world.mt in the world's folder to contain `load_file_MODNAME = true`
+* Games: Use `--game` or edit game_id in world.mt.
+* Texture packs: change the `texture_path` setting to the texture pack absolute path.
--- a/app/flatpages/help/metrics.md
+++ b/app/flatpages/help/metrics.md
@@ -0,0 +1,25 @@
+title: Prometheus Metrics
+
+## What is Prometheus?
+
+[Prometheus](https://prometheus.io) is an "open-source monitoring system with a
+dimensional data model, flexible query language, efficient time series database
+and modern alerting approach".
+
+Prometheus Metrics can be accessed at [/metrics](/metrics), or you can view them
+on the Grafana instance below.
+
+{% if monitoring_url %}
+<p>
+    <a class="btn btn-primary" href="{{ monitoring_url }}">
+        View ContentDB on Grafana
+    </a>
+</p>
+{% endif %}
+
+## Metrics
+
+* `contentdb_packages` - Total packages (counter).
+* `contentdb_users` - Number of registered users (counter).
+* `contentdb_downloads` - Total downloads (counter).
+* `contentdb_score` - Total package score (gauge).
--- a/app/flatpages/help/non_free.md
+++ b/app/flatpages/help/non_free.md
@@ -0,0 +1,83 @@
+title: Non-free Licenses
+
+## What are Non-Free, Free, and Open Source licenses?
+
+A non-free license is one that does not meet the
+[Free Software Definition](https://www.gnu.org/philosophy/free-sw.en.html)
+or the [Open Source Definition](https://opensource.org/osd).
+ContentDB will clearly label any packages with non-free licenses,
+and they will be subject to limited promotion.
+
+## How does ContentDB deal with Non-Free Licenses?
+
+**ContentDB does not allow certain non-free licenses, and will limit the promotion
+of packages with non-free licenses.**
+
+Luanti is free and open source software, and is only as big as it is now
+because of this. It's pretty amazing you can take nearly any published mod and modify it
+to how you like - add some features, maybe fix some bugs - and then share those
+modifications without the worry of legal issues. The project, itself, relies on open
+source contributions to survive - if it were non-free, then it would have died
+when celeron55 lost interest.
+
+If you have played nearly any game with a large modding scene, you will find
+that most mods are legally ambiguous. A lot of them don't even provide the
+source code to allow you to bug fix or extend as you need.
+
+Limiting the promotion of problematic licenses helps Luanti avoid ending up in
+such a state. Licenses that prohibit redistribution or modification are
+completely banned from ContentDB and the Luanti forums. Other non-free licenses
+will be subject to limited promotion - they won't be shown by default in
+the client.
+
+Not providing full promotion on ContentDB, or not allowing your package at all,
+doesn't mean you can't make such content - it just means we're not going to help
+you spread it.
+
+## What's so bad about licenses that forbid commercial use?
+
+Please read [reasons not to use a Creative Commons -NC license](https://freedomdefined.org/Licenses/NC).
+Here's a quick summary related to Luanti content:
+
+1. They make your work incompatible with a growing body of free content, even if
+   you do want to allow derivative works or combinations.
+   This means that it can cause problems when another modder wishes to include your
+   work in a modpack or game.
+2. They may rule out other basic and beneficial uses that you want to allow.
+   For example, CC -NC will forbid showing your content in a monetised YouTube
+   video.
+3. They are unlikely to increase the potential profit from your work, and a
+   share-alike license serves the goal to protect your work from unethical
+   exploitation equally well.
+
+## How can I show non-free packages in the client?
+
+Non-free packages are hidden in the client by default, partly in order to comply
+with the rules of various Linux distributions.
+
+Users can opt in to showing non-free software, if they wish:
+
+1. In the main menu, go to Settings > All settings
+2. Search for "ContentDB Flag Blacklist".
+3. Edit that setting to remove `nonfree, `.
+
+<figure class="figure my-4">
+	<img class="figure-img img-fluid rounded" src="/static/contentdb_flag_blacklist.png" alt="Screenshot of the ContentDB Flag Blacklist setting">
+	<figcaption class="figure-caption">Screenshot of the ContentDB Flag Blacklist setting</figcaption>
+</figure>
+
+The [`platform_default` flag](/help/content_flags/) is used to control what content
+each platforms shows. It doesn't hide anything on Desktop, but hides all mature
+content on Android. You may wish to remove all text from that setting completely,
+leaving it blank. See [Content Warnings](/help/content_flags/#content-warnings)
+for information on mature content.
+
+## How can I hide non-free packages on the website?
+
+Clicking "Hide non-free packages" in the footer of ContentDB will hide non-free packages from search results.
+It will not hide non-free packages from user profiles.
+
+## See also
+
+* [List of non-free packages](/packages/?flag=nonfree)
+* [Copyright Guide](/help/copyright)
--- a/app/flatpages/help/oauth.md
+++ b/app/flatpages/help/oauth.md
@@ -0,0 +1,103 @@
+title: OAuth2 API
+
+<p class="alert alert-warning">
+    The OAuth2 applications API is currently experimental, and may break without notice.
+</p>
+
+ContentDB allows you to create an OAuth2 Application and obtain access tokens
+for users.
+
+
+## Scopes
+
+OAuth2 applications can currently only access public user data, using the whoami API.
+
+
+## Create an OAuth2 Client
+
+Go to Settings > [OAuth2 Applications](/user/apps/) > Create
+
+
+## Obtaining access tokens
+
+ContentDB supports the Authorization Code OAuth2 method.
+
+### Authorize
+
+Get the user to open the following URL in a web browser:
+
+```
+https://content.luanti.org/oauth/authorize/
+    ?response_type=code
+    &client_id={CLIENT_ID}
+    &redirect_uri={REDIRECT_URL}
+```
+
+The redirect_url must much the value set in your oauth client. Make sure to URL encode it.
+ContentDB also supports `state`.
+
+Afterwards, the user will be redirected to your callback URL.
+If the user accepts the authorization, you'll receive an authorization code (`code`).
+Otherwise, the redirect_url will not be modified.
+
+For example, with `REDIRECT_URL` set as `https://example.com/callback/`:
+
+* If the user accepts: `https://example.com/callback/?code=abcdef`
+* If the user cancels: `https://example.com/callback/`
+
+### Exchange auth code for access token
+
+Next, you'll need to exchange the auth for an access token.
+
+Do this by making a POST request to the `/oauth/token/` API:
+
+```bash
+curl -X POST https://content.luanti.org/oauth/token/ \
+    -F grant_type=authorization_code \
+    -F client_id="CLIENT_ID" \
+    -F client_secret="CLIENT_SECRET" \
+    -F code="abcdef" 
+```
+
+<p class="alert alert-warning">
+    <i class="fas fa-exclamation-circle me-2"></i>
+    You should make this request on a server to prevent the user
+    from getting access to your client secret.
+</p>
+
+If successful, you'll receive:
+
+```json
+{
+    "success": true,
+    "access_token": "access_token",
+    "token_type": "Bearer"
+}
+```
+
+If there's an error, you'll receive a standard API error message:
+
+```json
+{
+    "success": false,
+    "error": "The error message"
+}
+```
+
+Possible errors:
+
+* Unsupported grant_type, only authorization_code is supported
+* Missing client_id
+* Missing client_secret
+* Missing code
+* client_id and/or client_secret is incorrect
+* Incorrect code. It may have already been redeemed
+
+### Check access token
+
+Next, you should check the access token works by getting the user information:
+
+```bash
+curl https://content.luanti.org/api/whoami/ \
+    -H "Authorization: Bearer YOURTOKEN"
+```
--- a/app/flatpages/help/package_config.md
+++ b/app/flatpages/help/package_config.md
@@ -0,0 +1,143 @@
+title: Package Configuration and Releases Guide
+
+## Introduction
+
+ContentDB will read configuration files in your package when doing several
+tasks, including package and release creation. This page details how you can use
+this to your advantage.
+
+## .conf files
+
+### What is a content .conf file?
+
+Every type of content can have a `.conf` file that contains the metadata.
+
+The filename of the `.conf` file depends on the content type:
+
+* `mod.conf` for mods.
+* `modpack.conf` for mod packs.
+* `game.conf` for games.
+* `texture_pack.conf` for texture packs.
+
+The `.conf` uses a key-value format, separated using equals.
+
+Here's a simple example of `mod.conf`, `modpack.conf`, or `texture_pack.conf`:
+
+	name = mymod
+	title = My Mod
+	description = A short description to show in the client.
+
+Here's a simple example of `game.conf`:
+
+	title = My Game
+	description = A short description to show in the client.
+
+Note that you should not specify `name` in game.conf.
+
+### Understood values
+
+ContentDB understands the following information:
+
+* `title` - A human-readable title.
+* `description` - A short description to show in the client.
+* `depends` - Comma-separated hard dependencies.
+* `optional_depends` - Comma-separated soft dependencies.
+* `min_minetest_version` - The minimum Luanti version this runs on, see [Min and Max Luanti Versions](#min_max_versions).
+* `max_minetest_version` - The maximum Luanti version this runs on, see [Min and Max Luanti Versions](#min_max_versions).
+
+and for mods only:
+
+* `name` - the mod technical name.
+* `supported_games` - List of supported game technical names.
+* `unsupported_games` - List of not supported game technical names. Useful to override game support detection.
+
+
+## .cdb.json
+
+You can include a `.cdb.json` file in the root of your content directory (ie: next to a .conf)
+to update the package meta.
+
+It should be a JSON dictionary with one or more of the following optional keys:
+
+* `type`: One of `GAME`, `MOD`, `TXP`.
+* `title`: Human-readable title.
+* `name`: Technical name (needs permission if already approved).
+* `short_description`
+* `dev_state`: One of `WIP`, `BETA`, `ACTIVELY_DEVELOPED`, `MAINTENANCE_ONLY`, `AS_IS`, `DEPRECATED`,
+    `LOOKING_FOR_MAINTAINER`.
+* `tags`: List of tag names, see [/api/tags/](/api/tags/).
+* `content_warnings`: List of content warning names, see [/api/content_warnings/](/api/content_warnings/).
+* `license`: A license name, see [/api/licenses/](/api/licenses/).
+* `media_license`: A license name.
+* `long_description`: Long markdown description.
+* `repo`: Source repository (eg: Git).
+* `website`: Website URL.
+* `issue_tracker`: Issue tracker URL.
+* `forums`: forum topic ID.
+* `video_url`: URL to a video.
+* `donate_url`: URL to a donation page.
+* `translation_url`: URL to send users interested in translating your package.
+
+Use `null` or `[]` to unset fields where relevant.
+
+Example:
+
+```json
+{
+    "title": "Foo bar",
+    "tags": ["pvp", "survival"],
+    "license": "MIT",
+    "website": null
+}
+```
+
+## Controlling Release Creation
+
+### Git-based Releases and Submodules
+
+ContentDB can create releases from a Git repository.
+It will include submodules in the resulting archive.
+Simply set VCS Repository in the package's meta to a Git repository, and then
+choose Git as the method when creating a release.
+
+### Automatic Release Creation
+
+See [Git Update Detection](/help/update_config/).
+You can also use [GitLab/GitHub webhooks](/help/release_webhooks/) or the [API](/help/api/)
+to create releases.
+
+### Min and Max Luanti Versions
+
+<a name="min_max_versions" />
+
+When creating a release, the `.conf` file will be read to determine what Luanti
+versions the release supports. If the `.conf` doesn't specify, then it is assumed
+that it supports all versions.
+
+This happens when you create a release via the ContentDB web interface, the
+[API](/help/api/), or using a [GitLab/GitHub webhook](/help/release_webhooks/).
+
+Here's an example config:
+
+	name = mymod
+	min_minetest_version = 5.0
+	max_minetest_version = 5.3
+
+Leaving out min or max to have them set as "None".
+
+### Excluding files
+
+When using Git to create releases,
+you can exclude files from a release by using [gitattributes](https://git-scm.com/docs/gitattributes):
+
+
+	.*		export-ignore
+	sources		export-ignore
+	*.zip		export-ignore
+
+
+This will prevent any files from being included if they:
+
+* Beginning with `.`
+* or are named `sources` or are inside any directory named `sources`.
+* or have an extension of "zip".
--- a/app/flatpages/help/package_tags.md
+++ b/app/flatpages/help/package_tags.md
@@ -1,33 +0,0 @@
-title: Package Tags
-
-## Overview
-
-Tags should be added to packages to enable easy identification of different types of mods, games and texture packs. 
-
-They are only beneficial when applied correctly, so please use the following guidelines.
-
-## Tag Usage
-
-* **Building** - For mods that focus on adding new materials or nodes to build with.
-* **Education** - For mods or games created for educational purposes.
-* **Environment** - For mods that add environmental effects, including ambient sound and weather effects.
-* **Inventory** - For mods that add new inventory systems or new inventory pages.
-* **Machines and Electronics** - For mods that include placeable machinery or electronic components which interact to complete tasks.
-* **Maintenance** - For mods that assist with world or player maintenance. This includes large-scale map manipulation, area protection and other administrative tools.
-* **Mapgen** - For mods that add new biomes, new mapgen decorations, or any other mapgen elements.
-* **Mobs and NPCs** - For mods that add mobs or NPCs, or provide tools that assist with mob and NPC creation or manipulation.
-* **Plants and Farming** - For mods that add new plants or other farmable resources. 
-* **Player effects/Food** - For mods that change player effects, for example speed, jump height or gravity, and food.
-* **Tools** - For mods that add new tools or new features for existing tools.
-* **Transport** - For mods that add transportation methods. This includes teleportation, vehicles and ridable mobs.
-* **Survival** - For mods written specifically for survival games. For example, these mods might focus on game-balance or increase the difficulty level. This tag should also be used for games with a heavy survival focus.
-* **Creative** - For mods written specifically (and often exclusively) for use in creative mode. For example, these mods may add a large amount of decorative content, or content without crafting recipes. This tag should also be used for games with a heavy creative focus.
-* **Multiplayer-focused** - For games that can be played with other players.
-* **Singleplayer-focused** - For games that can be played alone.
-* **PvP** - For games designed to be played competitively against other players.
-* **PvE** - For games designed for one or multiple players which focus on combat against mobs or NPCs.
-* **Puzzle** - For mods and games with a focus on puzzle solving instead of combat.
-* **16px** - For 16px texture packs.
-* **32px** - For 32px texture packs.
-* **64px** - For 64px texture packs.
-* **128px+** - For 128px or higher texture packs.
--- a/app/flatpages/help/ranks_permissions.md
+++ b/app/flatpages/help/ranks_permissions.md
@@ -2,25 +2,27 @@ title: Ranks and Permissions

 ## Overview

-* **New Members** - mostly untrusted, cannot change package meta data or publish releases without approval.
-* **Members** - Trusted to change the meta data of their own packages', but cannot publish releases.
-* **Trusted Members** - Same as above, but can approve their own releases and packages.
-* **Editors** - Trusted to change the meta data of any package, and also make and publish releases.
+* **New Members** - mostly untrusted, cannot change package metadata or publish releases without approval.
+* **Members** - Trusted to change the metadata of their own packages', but cannot approve their own packages.
+* **Trusted Members** - Same as above, but can approve their own releases.
+* **Approvers** - Responsible for approving new packages, screenshots, and releases.
+* **Editors** - Same as above, and can edit any package or release.
 * **Moderators** - Same as above, but can manage users.
 * **Admins** - Full access.

 ## Breakdown

-<table class="fancyTable">
+<table class="table table-striped ranks-table">
 	<thead>
 		<tr>
 			<th>Rank</th>
-			<th colspan=2>New Member</th>
-			<th colspan=2>Member</th>
-			<th colspan=2>Trusted Member</th>
-			<th colspan=2>Editor</th>
-			<th colspan=2>Moderator</th>
-			<th colspan=2>Admin</th>
+			<th colspan=2 class="NEW_MEMBER">New Member</th>
+			<th colspan=2 class="MEMBER">Member</th>
+			<th colspan=2 class="TRUSTED_MEMBER">Trusted</th>
+            <th colspan=2 class="APPROVER">Approver</th>
+			<th colspan=2 class="EDITOR">Editor</th>
+			<th colspan=2 class="MODERATOR">Moderator</th>
+			<th colspan=2 class="ADMIN">Admin</th>
 		</tr>
 		<tr>
 			<th>Owner of thing</th>
@@ -36,208 +38,269 @@ title: Ranks and Permissions
 			<th>N</th>
 			<th>Y</th>
 			<th>N</th>
+			<th>Y</th>
+			<th>N</th>
 		</tr>
 	</thead>
 	<tbody>
 		<tr>
 			<td>Create Package</td>
-			<th>✓</th> <!-- new -->
-			<th></th>
-			<th>✓</th> <!-- member -->
-			<th></th>
-			<th>✓</th> <!-- trusted member -->
-			<th></th>
-			<th>✓</th> <!-- editor -->
-			<th>✓</th>
-			<th>✓</th> <!-- moderator -->
-			<th>✓</th>
-			<th>✓</th> <!-- admin -->
-			<th>✓</th>
+			<td>✓</td> <!-- new -->
+			<td></td>
+			<td>✓</td> <!-- member -->
+			<td></td>
+			<td>✓</td> <!-- trusted member -->
+			<td></td>
+			<td>✓</td> <!-- approver -->
+			<td></td>
+			<td>✓</td> <!-- editor -->
+			<td>✓</td>
+			<td>✓</td> <!-- moderator -->
+			<td>✓</td>
+			<td>✓</td> <!-- admin -->
+			<td>✓</td>
 		</tr>
 		<tr>
 			<td>Approve Package</td>
-			<th></th> <!-- new -->
-			<th></th>
-			<th></th> <!-- member -->
-			<th></th>
-			<th></th> <!-- trusted member -->
-			<th></th>
-			<th>✓</th> <!-- editor -->
-			<th>✓</th>
-			<th>✓</th> <!-- moderator -->
-			<th>✓</th>
-			<th>✓</th> <!-- admin -->
-			<th>✓</th>
+			<td></td> <!-- new -->
+			<td></td>
+			<td></td> <!-- member -->
+			<td></td>
+			<td></td> <!-- trusted member -->
+			<td></td>
+			<td>✓</td> <!-- approver -->
+			<td>✓</td>
+			<td>✓</td> <!-- editor -->
+			<td>✓</td>
+			<td>✓</td> <!-- moderator -->
+			<td>✓</td>
+			<td>✓</td> <!-- admin -->
+			<td>✓</td>
+		</tr>
+		<tr>
+			<td>Delete Package</td>
+			<td></td> <!-- new -->
+			<td></td>
+			<td>✓</td> <!-- member -->
+			<td></td>
+			<td>✓</td> <!-- trusted member -->
+			<td></td>
+			<td>✓</td> <!-- approver -->
+			<td>✓</td>
+			<td>✓</td> <!-- editor -->
+			<td>✓</td>
+			<td>✓</td> <!-- moderator -->
+			<td>✓</td>
+			<td>✓</td> <!-- admin -->
+			<td>✓</td>
 		</tr>
 		<tr>
 			<td>Edit Package</td>
-			<th></th> <!-- new -->
-			<th></th>
-			<th>✓</th> <!-- member -->
-			<th></th>
-			<th>✓</th> <!-- trusted member -->
-			<th></th>
-			<th>✓</th> <!-- editor -->
-			<th>✓</th>
-			<th>✓</th> <!-- moderator -->
-			<th>✓</th>
-			<th>✓</th> <!-- admin -->
-			<th>✓</th>
+			<td></td> <!-- new -->
+			<td></td>
+			<td>✓</td> <!-- member -->
+			<td></td>
+			<td>✓</td> <!-- trusted member -->
+			<td></td>
+			<td>✓</td> <!-- approver -->
+			<td></td>
+			<td>✓</td> <!-- editor -->
+			<td>✓</td>
+			<td>✓</td> <!-- moderator -->
+			<td>✓</td>
+			<td>✓</td> <!-- admin -->
+			<td>✓</td>
+		</tr>
+		<tr>
+			<td>Edit Maintainers</td>
+			<td>✓</td> <!-- new -->
+			<td></td>
+			<td>✓</td> <!-- member -->
+			<td></td>
+			<td>✓</td> <!-- trusted member -->
+			<td></td>
+			<td>✓</td> <!-- approver -->
+			<td></td>
+			<td>✓</td> <!-- editor -->
+			<td>✓</td>
+			<td>✓</td> <!-- moderator -->
+			<td>✓</td>
+			<td>✓</td> <!-- admin -->
+			<td>✓</td>
 		</tr>
 		<tr>
 			<td>Add/Delete Screenshot</td>
-			<th>✓</th> <!-- new -->
-			<th></th>
-			<th>✓</th> <!-- member -->
-			<th></th>
-			<th>✓</th> <!-- trusted member -->
-			<th></th>
-			<th>✓</th> <!-- editor -->
-			<th>✓</th>
-			<th>✓</th> <!-- moderator -->
-			<th>✓</th>
-			<th>✓</th> <!-- admin -->
-			<th>✓</th>
+			<td>✓</td> <!-- new -->
+			<td></td>
+			<td>✓</td> <!-- member -->
+			<td></td>
+			<td>✓</td> <!-- trusted member -->
+			<td></td>
+			<td>✓</td> <!-- approver -->
+			<td></td>
+			<td>✓</td> <!-- editor -->
+			<td>✓</td>
+			<td>✓</td> <!-- moderator -->
+			<td>✓</td>
+			<td>✓</td> <!-- admin -->
+			<td>✓</td>
 		</tr>
 		<tr>
 			<td>Approve Screenshot</td>
-			<th></th> <!-- new -->
-			<th></th>
-			<th></th> <!-- member -->
-			<th></th>
-			<th>✓</th> <!-- trusted member -->
-			<th></th>
-			<th>✓</th> <!-- editor -->
-			<th>✓</th>
-			<th>✓</th> <!-- moderator -->
-			<th>✓</th>
-			<th>✓</th> <!-- admin -->
-			<th>✓</th>
-		</tr>
-		<tr>
-			<td>Approve EditRequest</td>
-			<th></th> <!-- new -->
-			<th></th>
-			<th>✓</th> <!-- member -->
-			<th></th>
-			<th>✓</th> <!-- trusted member -->
-			<th></th>
-			<th>✓</th> <!-- editor -->
-			<th>✓</th>
-			<th>✓</th> <!-- moderator -->
-			<th>✓</th>
-			<th>✓</th> <!-- admin -->
-			<th>✓</th>
-		</tr>
-		<tr>
-			<td>Edit EditRequest</td>
-			<th>✓<sup>1</sup></th> <!-- new -->
-			<th></th>
-			<th>✓</th> <!-- member -->
-			<th></th>
-			<th>✓</th> <!-- trusted member -->
-			<th></th>
-			<th>✓</th> <!-- editor -->
-			<th>✓</th>
-			<th>✓</th> <!-- moderator -->
-			<th>✓</th>
-			<th>✓</th> <!-- admin -->
-			<th>✓</th>
+			<td></td> <!-- new -->
+			<td></td>
+			<td></td> <!-- member -->
+			<td></td>
+			<td>✓</td> <!-- trusted member -->
+			<td></td>
+			<td>✓</td> <!-- approver -->
+			<td>✓</td>
+			<td>✓</td> <!-- editor -->
+			<td>✓</td>
+			<td>✓</td> <!-- moderator -->
+			<td>✓</td>
+			<td>✓</td> <!-- admin -->
+			<td>✓</td>
 		</tr>
 		<tr>
 			<td>Make Release</td>
-			<th>✓</th> <!-- new -->
-			<th></th>
-			<th>✓</th> <!-- member -->
-			<th></th>
-			<th>✓</th> <!-- trusted member -->
-			<th></th>
-			<th>✓</th> <!-- editor -->
-			<th>✓</th>
-			<th>✓</th> <!-- moderator -->
-			<th>✓</th>
-			<th>✓</th> <!-- admin -->
-			<th>✓</th>
+			<td>✓</td> <!-- new -->
+			<td></td>
+			<td>✓</td> <!-- member -->
+			<td></td>
+			<td>✓</td> <!-- trusted member -->
+			<td></td>
+			<td>✓</td> <!-- approver -->
+			<td></td>
+			<td>✓</td> <!-- editor -->
+			<td>✓</td>
+			<td>✓</td> <!-- moderator -->
+			<td>✓</td>
+			<td>✓</td> <!-- admin -->
+			<td>✓</td>
 		</tr>
 		<tr>
 			<td>Approve Release</td>
-			<th></th> <!-- new -->
-			<th></th>
-			<th></th> <!-- member -->
-			<th></th>
-			<th>✓</th> <!-- trusted member -->
-			<th></th>
-			<th>✓</th> <!-- editor -->
-			<th>✓</th>
-			<th>✓</th> <!-- moderator -->
-			<th>✓</th>
-			<th>✓</th> <!-- admin -->
-			<th>✓</th>
+			<td></td> <!-- new -->
+			<td></td>
+			<td>✓</td> <!-- member -->
+			<td></td>
+			<td>✓</td> <!-- trusted member -->
+			<td></td>
+			<td>✓</td> <!-- approver -->
+			<td>✓</td>
+			<td>✓</td> <!-- editor -->
+			<td>✓</td>
+			<td>✓</td> <!-- moderator -->
+			<td>✓</td>
+			<td>✓</td> <!-- admin -->
+			<td>✓</td>
 		</tr>
 		<tr>
 			<td>Change Release URL</td>
-			<th></th> <!-- new -->
-			<th></th>
-			<th></th> <!-- member -->
-			<th></th>
-			<th></th> <!-- trusted member -->
-			<th></th>
-			<th></th> <!-- editor -->
-			<th></th>
-			<th></th> <!-- moderator -->
-			<th></th>
-			<th>✓</th> <!-- admin -->
-			<th>✓</th>
+			<td></td> <!-- new -->
+			<td></td>
+			<td></td> <!-- member -->
+			<td></td>
+			<td></td> <!-- trusted member -->
+			<td></td>
+			<td></td> <!-- approver -->
+			<td></td>
+			<td></td> <!-- editor -->
+			<td></td>
+			<td></td> <!-- moderator -->
+			<td></td>
+			<td>✓</td> <!-- admin -->
+			<td>✓</td>
 		</tr>
 		<tr>
 			<td>See Private Thread</td>
-			<th>✓</th> <!-- new -->
-			<th></th>
-			<th>✓</th> <!-- member -->
-			<th></th>
-			<th>✓</th> <!-- trusted member -->
-			<th></th>
-			<th>✓</th> <!-- editor -->
-			<th>✓</th>
-			<th>✓</th> <!-- moderator -->
-			<th>✓</th>
-			<th>✓</th> <!-- admin -->
-			<th>✓</th>
+			<td>✓</td> <!-- new -->
+			<td></td>
+			<td>✓</td> <!-- member -->
+			<td></td>
+			<td>✓</td> <!-- trusted member -->
+			<td></td>
+			<td>✓</td> <!-- approver -->
+			<td>✓</td>
+			<td>✓</td> <!-- editor -->
+			<td>✓</td>
+			<td>✓</td> <!-- moderator -->
+			<td>✓</td>
+			<td>✓</td> <!-- admin -->
+			<td>✓</td>
+		</tr>
+		<tr>
+			<td>Edit Comments</td>
+			<td></td> <!-- new -->
+			<td></td>
+			<td>✓</td> <!-- member -->
+			<td></td>
+			<td>✓</td> <!-- trusted member -->
+			<td></td>
+			<td>✓</td> <!-- approver -->
+			<td></td>
+			<td>✓</td> <!-- editor -->
+			<td></td>
+			<td>✓</td> <!-- moderator -->
+			<td></td>
+			<td>✓</td> <!-- admin -->
+			<td></td>
 		</tr>
 		<tr>
 			<td>Set Email</td>
-			<th>✓</th> <!-- new -->
-			<th></th>
-			<th>✓</th> <!-- member -->
-			<th></th>
-			<th>✓</th> <!-- trusted member -->
-			<th></th>
-			<th>✓</th> <!-- editor -->
-			<th></th>
-			<th>✓</th> <!-- moderator -->
+			<td>✓</td> <!-- new -->
+			<td></td>
+			<td>✓</td> <!-- member -->
+			<td></td>
+			<td>✓</td> <!-- trusted member -->
+			<td></td>
+			<td>✓</td> <!-- approver -->
+			<td></td>
+			<td>✓</td> <!-- editor -->
+			<td></td>
+			<td>✓</td> <!-- moderator -->
 			<th>✓<sup>2</sup></th>
-			<th>✓</th> <!-- admin -->
-			<th>✓</th>
+			<td>✓</td> <!-- admin -->
+			<td>✓</td>
+		</tr>
+		<tr>
+			<td>Create Token</td>
+			<td>✓</td> <!-- new -->
+			<td></td>
+			<td>✓</td> <!-- member -->
+			<td></td>
+			<td>✓</td> <!-- trusted member -->
+			<td></td>
+			<td>✓</td> <!-- approver -->
+			<td></td>
+			<td>✓</td> <!-- editor -->
+			<td></td>
+			<td>✓</td> <!-- moderator -->
+			<th>✓<sup>2</sup></th>
+			<td>✓</td> <!-- admin -->
+			<td>✓</td>
 		</tr>
 		<tr>
 			<td>Set Rank</td>
-			<th></th> <!-- new -->
-			<th></th>
-			<th></th> <!-- member -->
-			<th></th>
-			<th></th> <!-- trusted member -->
-			<th></th>
-			<th></th> <!-- editor -->
-			<th></th>
-			<th>✓<sup>3</sup></th> <!-- moderator -->
-			<th>✓<sup>2</sup><sup>3</sup></th>
-			<th>✓</th> <!-- admin -->
-			<th>✓</th>
+			<td></td> <!-- new -->
+			<td></td>
+			<td></td> <!-- member -->
+			<td></td>
+			<td></td> <!-- trusted member -->
+			<td></td>
+			<td></td> <!-- approver -->
+			<td></td>
+			<td></td> <!-- editor -->
+			<td></td>
+			<th>✓<sup>2</sup></th> <!-- moderator -->
+			<th>✓<sup>1</sup><sup>2</sup></th>
+			<td>✓</td> <!-- admin -->
+			<td>✓</td>
 		</tr>
 	</tbody>
 </table>


-1. User must be the author of the EditRequest.
-2. Target user cannot be an admin.
-3. Cannot set user to a higher rank than themselves.
+1. Target user cannot be an admin.
+2 Cannot set user to a higher rank than themselves.
--- a/app/flatpages/help/release_webhooks.md
+++ b/app/flatpages/help/release_webhooks.md
@@ -0,0 +1,71 @@
+title: Creating Releases using Webhooks
+
+## What does this mean?
+
+A webhook is a notification from one service to another. Put simply, a webhook
+is used to notify ContentDB that the git repository has changed.
+
+ContentDB offers the ability to automatically create releases using webhooks
+from either GitHub or GitLab. If you're not using either of those services,
+you can also use the [API](../api) to create releases.
+
+ContentDB also offers the ability to poll a Git repo and check for updates
+without any web hooks, this is limited to once a day.
+See [Git Update Detection](/help/update_config/).
+
+The process is as follows:
+
+1. The user creates an API Token and a webhook to use it.
+2. The user pushes a commit to the git host (GitLab or GitHub).
+3. The git host posts a webhook notification to ContentDB, using the API token assigned to it.
+4. ContentDB checks the API token and issues a new release.
+    * If multiple packages match, then only the first will have a release created.
+
+### Branch filtering
+
+By default, "New commit" or "push" based webhooks will only work on "master"/"main" branches.
+You can configure the branch used by changing "Branch name" in [Git update detection](update_config).
+
+For example, to support production and beta packages you can have multiple packages with the same VCS repo URL
+but different [Git update detection](update_config) branch names.
+
+Tag-based webhooks are accepted on any branch.
+
+
+## Setting up
+
+### GitHub
+
+1. Create a ContentDB API Token at [Profile > API Tokens: Manage](/user/tokens/).
+2. Copy the access token that was generated.
+3. Go to the GitLab repository's settings > Webhooks > Add Webhook.
+4. Set the payload URL to `https://content.luanti.org/github/webhook/`
+5. Set the content type to JSON.
+6. Set the secret to the access token that you copied.
+7. Set the events
+    * If you want a rolling release, choose "just the push event".
+    * Or if you want a stable release cycle based on tags, choose "Let me select" > Branch or tag creation.
+8. Create.
+9. If desired, change [Git update detection](update_config) > Branch name to configure the [branch filtering](#branch-filtering).
+
+### GitLab
+
+1. Create a ContentDB API Token at [Profile > API Tokens: Manage](/user/tokens/).
+2. Copy the access token that was generated.
+3. Go to the GitLab repository's settings > Webhooks.
+4. Set the URL to `https://content.luanti.org/gitlab/webhook/`
+6. Set the secret token to the ContentDB access token that you copied.
+7. Set the events
+    * If you want a rolling release, choose "Push events".
+    * Or if you want a stable release cycle based on tags,
+      choose "Tag push events".
+8. Add webhook.
+9. If desired, change [Git update detection](update_config) > Branch name to configure the [branch filtering](#branch-filtering).
+
+## Configuring Release Creation
+
+See the [Package Configuration and Releases Guide](/help/package_config/) for
+documentation on configuring the release creation.
+
+From the Git repository, you can set the min/max Luanti versions, which files are included,
+and update the package meta.
--- a/app/flatpages/help/reporting.md
+++ b/app/flatpages/help/reporting.md
@@ -1,8 +0,0 @@
-title: Reporting Content
-
-Please let us know if anything on the ContentDB violates our rules or any applicable
-laws.
-
-We take copyright violation and other offenses very seriously.
-
-<a href="https://rubenwardy.com/contact/" class="btn btn-success">Contact</a>
--- a/app/flatpages/help/top_packages.md
+++ b/app/flatpages/help/top_packages.md
@@ -0,0 +1,36 @@
+title: Top Packages Algorithm
+
+## Package Score
+
+Each package is given a `score`, which is used when ordering them in the
+"Top Games/Mods/Texture Packs" lists. The intention of this feature is
+to make it easier for new users to find good packages.
+
+A package's score is equal to a rolling average of recent downloads,
+plus the sum of the score given by reviews.
+
+A review score is 100 if positive, -100 if negative.
+
+```c
+reviews_sum = sum(100 * (positive ? 1 : -1));
+score       = avg_downloads + reviews_sum;
+```
+
+## Pseudo rolling average of downloads
+
+Each package adds 1 to `avg_downloads` for each unique download,
+and then loses 6.66% (=1/15) of the value every day.
+
+This is called a [Frecency](https://en.wikipedia.org/wiki/Frecency) heuristic,
+a measure which combines both frequency and recency.
+
+"Unique download" is counted per IP per package.
+Downloading an update won't increase the download count if it's already been
+downloaded from that IP.
+
+## Transparency and Feedback
+
+You can see all scores using the [scores REST API](/api/scores/), or by
+using the [Prometheus metrics](/help/metrics/) endpoint.
+
+Consider [suggesting improvements](https://github.com/luanti-org/contentdb/issues/new?assignees=&labels=Policy&template=policy.md&title=).
--- a/app/flatpages/help/update_config.md
+++ b/app/flatpages/help/update_config.md
@@ -0,0 +1,43 @@
+title: Git Update Detection
+
+## Introduction
+
+When you push a change to your Git repository, ContentDB can create a new release automatically or
+send you a reminder. ContentDB will check your Git repository one per day, but you can use
+webhooks or the API for faster updates.
+
+Git Update Detection is clever enough to not create a release again if you've already created
+it manually or using webhooks/the API.
+
+## Setting up
+
+* Set "VCS Repository URL" in your package.
+* Open the "Configure Git Update Detection" page:
+    * Go to the Create Release page and click "Set up" on the banner.
+    * If the "How do you want to create releases?" wizard appears, choose "Automatic".
+* Choose a trigger:
+    * **New Commit** - this will trigger for each pushed commit on the default branch, or the branch you specify.
+    * **New Tag** - this will trigger when a New Tag is created.
+* Choose action to occur when the trigger happens:
+    * **Notification** - All maintainers receive a notification under the Bot category, and the package
+      will appear under "Outdated Packages" in [your to do list](/user/todo/).
+    * **Create Release** - A new release is created.
+      If New Commit, the title will be the iso date (eg: 2021-02-01).
+      If New Tag, the title will the tag name.
+
+## Marking a package as up-to-date
+
+Git Update Detection shouldn't erroneously mark packages as outdated if it is configured currently,
+so the first thing you should do is make sure the Update Settings are set correctly.
+
+There are some situations where the settings are correct, but you want to mark a package as
+up-to-date - for example, if you don't want to make a release for a particular tag.
+Clicking "Save" on "Update Settings" will mark a package as up-to-date.
+
+## Configuring Release Creation
+
+See the [Package Configuration and Releases Guide](/help/package_config/) for
+documentation on configuring the release creation.
+
+From the Git repository, you can set the min/max Luanti versions, which files are included,
+and update the package meta.
--- a/app/flatpages/help/wtfpl.md
+++ b/app/flatpages/help/wtfpl.md
@@ -1,26 +1,5 @@
 title: WTFPL is a terrible license
-no_h1: true
-
-<div id="warning" class="alert alert-warning">
-	<span class="icon_message"></span>
-
-	Please reconsider the choice of WTFPL as a license.
-
-	<script src="/static/jquery.min.js"></script>
-	<script>
-		// @author rubenwardy
-		// @license magnet:?xt=urn:btih:1f739d935676111cfff4b4693e3816e664797050&dn=gpl-3.0.txt GPL-v3-or-Later
-
-		var params = new URLSearchParams(location.search);
-		var r      = params.get("r");
-		if (r)
-			document.write("<a class='alert_right button' href='" + r + "'>Okay</a>");
-		else
-			$("#warning").hide();
-	</script>
-</div>
-
-# WTFPL is a terrible license
+toc: False

 The use of WTFPL as a license is discouraged for multiple reasons.

@@ -39,4 +18,4 @@ license, saying:<sup>[3]</sup>

 1. [WTFPL is harmful to software developers](https://cubicspot.blogspot.com/2017/04/wtfpl-is-harmful-to-software-developers.html)
 2. [FSF](https://www.gnu.org/licenses/license-list.en.html)
-3. [OSI](https://opensource.org/minutes20090304)
+3. [OSI](https://opensource.org/meeting-minutes/minutes20090304)
--- a/app/flatpages/policy_and_guidance.md
+++ b/app/flatpages/policy_and_guidance.md
@@ -1,69 +1,66 @@
 title: Package Inclusion Policy and Guidance

-<div class="alert alert-warning">
-	<b>Note:</b> This is a draft
-</div>
-
-## 0. Overview
-
-ContentDB is for the community, and as such listings should be useful to the
-community. To help with this, there are a few rules to improve the quality of
-the listings and to combat abuse.
-
-* No inappropriate content. <sup>2.1</sup>
-* Content must be playable/useful, but not necessarily finished. <sup>2.2</sup>
-* Don't use the name of another mod unless your mod is a fork or reimplementation. <sup>3</sup>
-* Licenses must allow derivatives, redistribution, and must not discriminate. <sup>4</sup>
-* Don't put promotions or advertisements in package listings, except for
-  donation and personal website links which are permitted in the
-  long description. <sup>5</sup>
-* The ContentDB admin reserves the right to remove packages for any reason,
-  including ones not covered by this document, and to ban users who abuse
-  this service. <sup>1</sup>
-

 ## 1. General

 The ContentDB admin reserves the right to remove packages for any reason,
 including ones not covered by this document, and to ban users who abuse this service.

-Also see the [help page on tags](/help/package_tags/).
-

 ## 2. Accepted Content

-### 2.1. Acceptable Content
+### 2.1. Mature Content

-Sexually-orientated content is not permitted.
+See the [Terms of Service](/terms/) for a full list of prohibited content.

-Mature content, including that relating to drugs, excessive gore, violence, or
-excessive horror, is not currently permitted - but will be in the future.
+Other mature content is permitted providing that it is labelled with the applicable
+[content warning](/help/content_flags/).

-The submission of malware is strictly prohibited. This includes software which
-does not do as it advertises, for example if it posts telemetry without stating
-clearly that it does in the package meta.
+### 2.2. Useful Content / State of Completion

-### 2.2. State of Completion
+ContentDB is for playable and useful content - content which is sufficiently
+complete to be useful to end-users.

-ContentDB should only currently contain playable content - content which is
-sufficiently complete to be useful to end users. It's fine to add stuff which
-is still a work in progress (WIP) as long as it adds sufficient value -
-MineClone 2 is a good example of a WIP package which may break between releases
-but still has value. Note that this doesn't mean that you should add a thing
-you started working on yesterday, it's worth adding all the basic stuff to
-make your package useful.
+It's fine to add stuff which is still a Work in Progress (WIP) as long as it
+adds sufficient value. You must make sure to mark Work in Progress stuff as
+such in the "maintenance status" dropdown, as this will help advise players.

-Adding non-player facing mods, such as libraries and server tools, is perfectly fine
-and encouraged. ContentDB isn't just for player-facing things, and adding
-libraries allows them to be installed when a mod depends on it.
+Adding non-player facing mods, such as libraries and server tools, is perfectly
+fine and encouraged. ContentDB isn't just for player-facing things and adding
+libraries allows Luanti to automatically install dependencies.
+
+### 2.3. Language
+
+We require packages to be in English with (optional) client-side translations for
+other languages. This is because Luanti currently requires English as the base language
+([Issue to change this](https://github.com/luanti-org/luanti/issues/6503)).
+
+Your package's title and short description must be in English. You can use client-side
+translations to [translate content meta](https://api.luanti.org/translations/#translating-content-meta).
+
+### 2.4. Attempt to contribute before forking
+
+You should attempt to contribute upstream before forking a package. If you choose
+to fork, you should have a justification (different objectives, maintainer is unavailable, etc).
+You should use a different title and make it clear in the long description what the
+benefit of your fork is over the original package.
+
+### 2.5. Copyright and trademarks
+
+Your package must not violate copyright or trademarks. You should avoid the use of
+trademarks in the package's title or short description. If you do use a trademark,
+ensure that you phrase it in a way that does not imply official association or
+endorsement.


 ## 3. Technical Names

-### 3.1 Right to a name
+### 3.1. Right to a Name
+
+A package uses a name when it has that name or contains a mod that uses that name.

 The first package to use a name based on the creation of its forum topic or
-contentdb submission has the right to the technical name. The use of a package
+ContentDB submission has the right to the technical name. The use of a package
 on a server or in private doesn't reserve its name. No other packages of the same
 type may use the same name, except for the exception given by 3.2.

@@ -76,47 +73,75 @@ to change the name of the package, or your package won't be accepted.

 We reserve the right to issue exceptions for this where we feel necessary.

-### 3.2 Mod Forks and Reimplementations
+### 3.2. Forks and Reimplementations

 An exception to the above is that mods are allowed to have the same name as a
-mod if its a fork of that mod (or a close reimplementation). In real terms, it
-should be possible to use the new mod as a drop-in replacement.
+mod if it's a fork of that mod (or a close reimplementation). In real terms, it
+must be possible to use the new mod as a drop-in replacement.

 We reserve the right to decide whether a mod counts as a fork or
 reimplementation of the mod that owns the name.

+### 3.3. Game Mod Namespacing
+
+New mods introduced by a game must have a unique common prefix to avoid conflicts with
+other games and standalone mods. For example, the NodeCore game's first-party mods all
+start with `nc_`: `nc_api`, `nc_doors`.
+
+You may include existing or standard mods in your game without renaming them to use the
+namespace. For example, NodeCore could include the `awards` mod without needing to rename it.
+
+Standalone mods may not use a game's namespace unless they have been given permission by
+the game's author.
+
+The exception given by 3.2 also applies to game namespaces - you may use another game's
+prefix if your game is a fork.
+

 ## 4. Licenses

-### 4.1 Allowed Licenses
+### 4.1. License file

+You must have a LICENSE, LICENSE.txt, or LICENSE.md file describing the licensing of your package.
 Please ensure that you correctly credit any resources (code, assets, or otherwise)
 that you have used in your package.

-**The use of licenses which do not allow derivatives or redistribution is not
+You may use lowercase or include a suffix in the filename (ie: `license-code.txt`). If
+you are making a game or modpack, your top level license file may just be a summary or
+refer to the license files of individual components.
+
+For help on doing copyright correctly, see the [Copyright help page](/help/copyright/).
+
+### 4.2. Allowed Licenses
+
+**The use of licenses that do not allow derivatives or redistribution is not
 permitted. This includes CC-ND (No-Derivatives) and lots of closed source licenses.
-The use of licenses which discriminate between groups of people or forbid the use
+The use of licenses that discriminate between groups of people or forbid the use
 of the content on servers or singleplayer is also not permitted.**

 However, closed sourced licenses are allowed if they allow the above.

 If the license you use is not on the list then please select "Other", and we'll
-get around to adding it.
+get around to adding it. We reject custom/untested licenses and reserve the right
+to decide whether a license should be included.

 Please note that the definitions of "free" and "non-free" is the same as that
 of the [Free Software Foundation](https://www.gnu.org/philosophy/free-sw.en.html).

-### 4.2 Recommended Licenses
+### 4.3. Recommended Licenses

-It is highly recommended that you use a free and open source software license.
-FOSS licenses result in a sharing community and will increase the number of potential users your package has.
-Using a closed source license will result in your package being massively penalised in the search results and package lists.
+It is highly recommended that you use a Free and Open Source software (FOSS)
+license. FOSS licenses result in a sharing community and will increase the
+number of potential users your package has. Using a closed source license will
+result in your package not being shown in Luanti by default. See the help page
+on [non-free licenses](/help/non_free/) for more information.

 It is recommended that you use a proper license for code with a warranty
 disclaimer, such as the (L)GPL or MIT. You should also use a proper media license
 for media, such as a Creative Commons license.

-The use of WTFPL is discouraged as it doesn't contain a [valid warranty disclaimer](https://cubicspot.blogspot.com/2017/04/wtfpl-is-harmful-to-software-developers.html),
+The use of WTFPL is discouraged as it doesn't contain a
+[valid warranty disclaimer](https://cubicspot.blogspot.com/2017/04/wtfpl-is-harmful-to-software-developers.html),
 and also includes swearing which prevents settings like schools from using your content.
 [Read more](/help/wtfpl/).

@@ -125,8 +150,8 @@ Public domain is not a valid license in many countries, please use CC0 or MIT in

 ## 5. Promotions and Advertisements (inc. asking for donations)

-You may note place any promotions or advertisements in any meta data including
-screensthos. This includes asking for donations, promoting online shops,
+You may not place any promotions or advertisements in any metadata including
+screenshots. This includes asking for donations, promoting online shops,
 or linking to personal websites and social media. Please instead use the
 fields provided on your user profile page to place links to websites and
 donation pages.
@@ -135,6 +160,61 @@ ContentDB is for the community. We may remove any promotions if we feel that
 they're inappropriate.


-## 6. Reporting Violations
+## 6. Reviews and Package Score

-See the [Reporting Content](/help/reporting/) page.
+You may invite players to review your package(s). One way to do this is by sharing the link found in the
+"Share and Badges" page of the package's settings.
+
+You must not require anyone to review a package. You must not promise or provide incentives for reviewing a package,
+including but not limited to monetary rewards, in-game items, features, and/or privileges.
+You may give a cosmetic-only role or badge to those who review your package - this must not be tied to the content or
+rating of the review.
+
+You must not attempt to unfairly manipulate your package's ranking, whether by reviews or any other method.
+Doing so may result in temporary or permanent suspension from ContentDB.
+
+
+## 7. Screenshots
+
+1.  We require all packages to have at least one screenshot. For packages without visual
+    content, we recommend making a symbolic image with icons, graphics, or text to depict
+    the package.
+
+2.  **Screenshots must not violate copyright.** This means don't just copy images
+    from Google search, see [the copyright guide](/help/copyright/).
+
+3.  **Screenshots must depict the actual content of the package in some way, and
+    not be misleading.**
+
+    Do not use idealized mockups or blender concept renders if they do not
+    accurately reflect in-game appearance.
+
+    Content in screenshots that is prominently displayed or "focal" should be
+    either present in, or interact with, the package in some way. These can
+    include things in other packages if they have a dependency relationship
+    (either way), or if the submitted package in some way enhances, extends, or
+    alters that content.
+
+    Unrelated package content can be allowed to show what the package content
+    will look like in a typical/realistic game scene, but should be "in the
+    background" only as far as possible.
+
+4.  **Screenshots must only contain content appropriate for the Content Warnings of
+    the package.**
+
+
+## 8. Security
+
+The submission of malware is strictly prohibited. This includes software that
+does not do as it advertises, for example, if it posts telemetry without stating
+clearly that it does in the package meta.
+
+Packages must not ask that users disable mod security (`secure.enable_security`).
+Instead, they should use the insecure environment API.
+
+Packages must not contain obfuscated code.
+
+
+## 9. Reporting Violations
+
+Please click "Report" on the package page.
--- a/app/flatpages/privacy_policy.md
+++ b/app/flatpages/privacy_policy.md
@@ -0,0 +1,118 @@
+title: Privacy Policy
+---
+
+Last Updated: 2024-04-30
+([View updates](https://github.com/luanti-org/contentdb/commits/master/app/flatpages/privacy_policy.md))
+
+## What Information is Collected
+
+**All users:**
+
+* HTTP requests are logged, with the following information:
+	* Time
+	* IP address
+	* Page URL
+	* Platform and Operating System
+* Preferred language/locale. This defaults to the browser's locale, but can be changed by the user
+* Whether an IP address has downloaded a particular package in the last 14 days
+
+**With an account:**
+
+* Email address
+* Passwords (hashed and salted using BCrypt)
+* Profile information, such as website URLs and donation URLs
+* Comments, threads, and reviews
+* Audit log actions (such as edits and logins) and their time stamps
+
+ContentDB collects usernames of content creators from the forums,
+as this is required to index forum topics.
+
+Packages, including releases, screenshots, and any meta information,
+are not considered personal information.
+
+Please avoid giving other personal information as we do not want it.
+
+## How this information is used
+
+* Logged HTTP requests may be used for debugging ContentDB and combating abuse.
+* Email addresses are used to:
+    * Provide essential system messages, such as password resets and privacy policy updates.
+    * Send notifications - the user may configure this to their needs, including opting out.
+    * The admin may use ContentDB to send emails when they need to contact a user.
+* Passwords are used to authenticate the user.
+* The audit log is used to record actions that may be harmful.
+* Preferred language/locale is used to translate emails and the ContentDB interface.
+* Requests (such as downloads) are used for aggregated statistics and for
+  calculating the popularity of packages. For example, download counts are shown
+  for each package and release and there are also download graphs available for
+  each package.
+* Whether an IP address has downloaded a package or release is cached to prevent
+  downloads from being counted multiple times per IP address, but this
+  information is deleted after 14 days.
+* IP addresses are used to monitor and combat abuse.
+* Other information is displayed as part of ContentDB's service.
+
+## Who has access
+
+* Only the admin has access to the HTTP requests.
+  The logs may be shared with others to aid in debugging, but care will be taken to remove any personal information.
+* Encrypted backups may be shared with selected Luanti staff members (moderators + core devs).
+  The keys and the backups themselves are given to different people,
+  requiring at least two staff members to read a backup.
+* Email addresses are visible to moderators and the admin.
+  They have access to assist users, and they are not permitted to share email addresses.
+* Hashing protects passwords from being read whilst stored in the database or in backups.
+* Profile information is public, including URLs and linked accounts.
+* The visibility of comments depends on the visibility of threads.
+  They are either public, or visible only to the package author and editors.
+* The complete audit log is visible to moderators.
+  Users may see their own audit log actions on their account settings page.
+  Owners, maintainers, and editors can see the actions on a package.
+* Preferred language can only be viewed by those with access to the database or a backup.
+* We may be required to share information with law enforcement.
+
+## Third-parties
+
+We do not share any personal information with third parties.
+
+We use <a href="https://sentry.io/">Sentry.io</a> for error logging and performance monitoring.
+
+## Location
+
+The ContentDB production server is currently located in Germany.
+Backups are stored in the UK.
+Encrypted backups may be stored in other countries, such as the US or EU.
+
+By using this service, you give permission for the data to be moved within the
+United Kingdom and/or EU.
+
+## Period of Retention
+
+Logged HTTP requests are automatically deleted within 2 weeks.
+
+Usernames may be kept indefinitely, but other user information will be deleted
+if requested. See below.
+
+Whether an IP address has downloaded a package or release is deleted after 14 days.
+
+## Removal Requests
+
+Please [raise a report](/report/?anon=0) if you wish to remove your personal
+information.
+
+ContentDB keeps a record of each username and forum topic on the forums, for use
+in indexing mod/game topics. ContentDB also requires the use of a username to
+uniquely identify a package. Therefore, an author cannot be removed completely
+from ContentDB if they have any packages or mod/game topics on the forum.
+
+If we are unable to remove your account for one of the above reasons, your user
+account will instead be wiped and deactivated, ending up exactly like an author
+who has not yet joined ContentDB. All personal information will be removed from
+the profile, and any comments or threads will be deleted.
+
+## Future Changes to Privacy Policy
+
+We will alert any future changes to the privacy policy via notices on the
+ContentDB website.
+
+By continuing to use this service, you agree to the privacy policy.
--- a/app/flatpages/terms.md
+++ b/app/flatpages/terms.md
@@ -0,0 +1,133 @@
+title: Terms of Service
+
+Also see the [Package Inclusion Policy](/policy_and_guidance/).
+
+## Content
+
+### Prohibited content
+
+You must not post/transmit anything which is illegal under the laws in any part of the United Kingdom.
+
+You must not (or use the service to) facilitate or commit any offence under the laws in any part of the United Kingdom.
+
+This includes, in particular, terrorism content (as set out in Schedule 5, Online Safety Act 2023),
+child sexual exploitation and abuse content (as set out in Schedule 6, Online Safety Act 2023), and
+content that amounts to an offence specified in Schedule 7, Online Safety Act 2023.
+
+Prohibited content includes:
+
+* Pornographic content. This includes content of such a nature that it is reasonable to assume that it was produced
+  solely or principally for the purpose of sexual arousal.
+* Content which encourages, promotes or provides instructions for suicide
+* Content which encourages, promotes or provides instructions for an act of deliberate self-injury
+* Content which encourages, promotes or provides instructions for an eating disorder or behaviours associated with an eating disorder
+* Content which is abusive and which targets any of the following characteristics: race, religion, sex,
+  sexual orientation, disability, gender reassignment.
+* Content which incites hatred against people:
+    * of a particular race, religion, sex or sexual orientation
+    * who have a disability
+    * who have the characteristic of gender reassignment
+* Content which encourages, promotes or provides instructions for an act of serious violence against a person
+* Bullying content
+* Content which:
+    * depicts real or realistic serious violence against a person
+    * depicts the real or realistic serious injury of a person in graphic detail
+* Content which:
+    * depicts real or realistic serious violence against an animal
+    * depicts the real or realistic serious injury of an animal in graphic detail
+    * realistically depicts serious violence against a fictional creature or the serious injury of a fictional
+      creature in graphic detail
+* Content which encourages, promotes or provides instructions for a challenge or stunt highly likely to result in
+  serious injury to the person who does it or to someone else
+* Content which encourages a person to ingest, inject, inhale or in any other way self-administer:
+    * a physically harmful substance
+    * a substance in such a quantity as to be physically harmful
+
+### Protecting users from illegal content
+
+We provide this service free of charge, and on the basis that we may:
+
+* take down, or restrict access to, anything that you generate, upload or share; and
+* suspend or ban you from using all or part of the service
+
+if we think that this is reasonable to protect you, other users, the service, or us. This applies, in particular,
+to prohibited content.
+
+If we are alerted by a person to the presence of any illegal content, or we become aware of it in any other way, 
+we will swiftly take down that content.
+
+To minimise the length of time for which any illegal content within the scope of the Online Safety Act 2023 is present:
+
+* in respect of terrorism content, we offer an easy-to-access and use reporting function and will swiftly remove such content when we become aware of it.
+* in respect of child sexual exploitation or abuse content, we offer an easy-to-access and use reporting function and will swiftly remove such content when we become aware of it.
+* in respect of other content that amounts to an offence specified in Schedule 7, Online Safety Act 2023, we offer an easy-to-access and use reporting function and will swiftly remove such content when we become aware of it.
+
+### Protecting children
+
+We protect all children from the kinds of content listed in "Prohibited Content" by:
+
+* prohibiting that type of content from our service; and
+* swiftly taking down that content, if we are alerted by a person to its presence, or we become aware of it in any other way.
+
+### Proactive technology
+
+We do not use proactive technology to detect illegal content.
+
+
+## Limitation of Liability
+
+THE SERVICE IS PROVIDED “AS IS”, WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO
+THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL WE BE LIABLE
+FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF
+OR IN CONNECTION WITH THE SERVICE OR THE USE OR OTHER DEALINGS IN THE SERVICE.
+
+We reserve the right to ban or suspend your account, or take down your content, for any reason.
+
+
+## Jurisdiction and Governing Law
+
+This service is subject to the jurisdiction of the United Kingdom.
+
+
+## Complaints
+
+### Reporting content
+
+You may report content by clicking the report flag next to a comment or "Report" on the page containing the content.
+
+You can also make reports by [contacting the admin]({{ admin_contact_url }}).
+
+### Complaints and Appeals
+
+You may send a complaint / request an appeal by [contacting the admin]({{ admin_contact_url }}). 
+
+### Your right to bring a claim
+
+This clause applies only to users within the United Kingdom.
+
+The Online Safety Act 2023 says that you have a right to bring a claim for breach of contract if:
+
+* anything that you generate, upload or share is taken down, or access to it is restricted, in breach of the terms of service, or
+* you are suspended or banned from using the service in breach of the terms of service.
+
+This does not apply to emails, SMS messages, MMS messages, one-to-one live aural communications,
+comments and reviews (together with any further comments on such comments or reviews), or content which identifies
+you as a user (e.g. a user name or profile picture).
+
+Whether or not a contract exists between you and us is a question of fact. If we do not have a contractual
+relationship with you in respect of the service, there can be no breach of contract and, as such, this cannot apply.
+
+It is for a court to determine:
+
+- if there is a contract between you and us and, if so, its terms
+- if there has been a breach by us of that contract
+- if that breach has caused you any recoverable loss
+- the size (e.g. value) of your loss
+
+This clause is subject to "Limitation of liability" and "Jurisdiction".
+
+
+## Acknowledgements
+    
+This terms of service was written based on [a template](https://onlinesafetyact.co.uk/online_safety_act_terms/)
+created by Neil Brown, CC BY-SA 4.0.
--- a/app/logic/LogicError.py
+++ b/app/logic/LogicError.py
@@ -0,0 +1,24 @@
+# ContentDB
+# Copyright (C) 2021 rubenwardy
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU Affero General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU Affero General Public License for more details.
+#
+# You should have received a copy of the GNU Affero General Public License
+# along with this program.  If not, see <https://www.gnu.org/licenses/>.
+
+
+class LogicError(Exception):
+	def __init__(self, code, message):
+		self.code = code
+		self.message = message
+
+	def __str__(self):
+		return repr("LogicError {}: {}".format(self.code, self.message))
--- a/app/logic/init.py
+++ b/app/logic/init.py
--- a/app/logic/approval_stats.py
+++ b/app/logic/approval_stats.py
@@ -0,0 +1,148 @@
+# ContentDB
+# Copyright (C) 2024  rubenwardy
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU Affero General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU Affero General Public License for more details.
+#
+# You should have received a copy of the GNU Affero General Public License
+# along with this program.  If not, see <https://www.gnu.org/licenses/>.
+
+import datetime
+from collections import namedtuple, defaultdict
+from typing import Dict, Optional
+from sqlalchemy import or_
+
+from app.models import AuditLogEntry, db, PackageState
+
+
+class PackageInfo:
+	state: Optional[PackageState]
+	first_submitted: Optional[datetime.datetime]
+	last_change: Optional[datetime.datetime]
+	approved_at: Optional[datetime.datetime]
+	wait_time: int
+	total_approval_time: int
+	is_in_range: bool
+	events: list[tuple[str, str, str]]
+
+	def __init__(self):
+		self.state = None
+		self.first_submitted = None
+		self.last_change = None
+		self.approved_at = None
+		self.wait_time = 0
+		self.total_approval_time = -1
+		self.is_in_range = False
+		self.events = []
+
+	def __lt__(self, other):
+		return self.wait_time < other.wait_time
+
+	def __dict__(self):
+		return {
+			"first_submitted": self.first_submitted.isoformat(),
+			"last_change": self.last_change.isoformat(),
+			"approved_at": self.approved_at.isoformat() if self.approved_at else None,
+			"wait_time": self.wait_time,
+			"total_approval_time": self.total_approval_time if self.total_approval_time >= 0 else None,
+			"events": [ { "date": x[0], "by": x[1], "title": x[2] } for x in self.events ],
+		}
+
+	def add_event(self, created_at: datetime.datetime, causer: str, title: str):
+		self.events.append((created_at.isoformat(), causer, title))
+
+
+def get_state(title: str):
+	if title.startswith("Approved "):
+		return PackageState.APPROVED
+
+	assert title.startswith("Marked ")
+
+	for state in PackageState:
+		if state.value in title:
+			return state
+
+	if "Work in Progress" in title:
+		return PackageState.WIP
+
+	raise Exception(f"Unable to get state for title {title}")
+
+
+Result = namedtuple("Result", "editor_approvals packages_info avg_turnaround_time max_turnaround_time")
+
+
+def _get_approval_statistics(entries: list[AuditLogEntry], start_date: Optional[datetime.datetime] = None, end_date: Optional[datetime.datetime] = None) -> Result:
+	editor_approvals = defaultdict(int)
+	package_info: Dict[str, PackageInfo] = {}
+	ignored_packages = set()
+	turnaround_times: list[int] = []
+
+	for entry in entries:
+		package_id = str(entry.package.get_id())
+		if package_id in ignored_packages:
+			continue
+
+		info = package_info.get(package_id, PackageInfo())
+		package_info[package_id] = info
+
+		is_in_range = (((start_date is None or entry.created_at >= start_date) and
+				(end_date is None or entry.created_at <= end_date)))
+		info.is_in_range = info.is_in_range or is_in_range
+
+		new_state = get_state(entry.title.replace("…", "") + (entry.description or ""))
+		if new_state == info.state:
+			continue
+
+		info.add_event(entry.created_at, entry.causer.username if entry.causer else None, new_state.value)
+
+		if info.state == PackageState.READY_FOR_REVIEW:
+			seconds = int((entry.created_at - info.last_change).total_seconds())
+			info.wait_time += seconds
+			if is_in_range:
+				turnaround_times.append(seconds)
+
+		if new_state == PackageState.APPROVED:
+			ignored_packages.add(package_id)
+			info.approved_at = entry.created_at
+			if is_in_range:
+				editor_approvals[entry.causer.username] += 1
+			if info.first_submitted is not None:
+				info.total_approval_time = int((entry.created_at - info.first_submitted).total_seconds())
+		elif new_state == PackageState.READY_FOR_REVIEW:
+			if info.first_submitted is None:
+				info.first_submitted = entry.created_at
+
+		info.state = new_state
+		info.last_change = entry.created_at
+
+	packages_info_2 = {}
+	package_count = 0
+	for package_id, info in package_info.items():
+		if info.first_submitted and info.is_in_range:
+			package_count += 1
+			packages_info_2[package_id] = info
+
+	if len(turnaround_times) > 0:
+		avg_turnaround_time = sum(turnaround_times) / len(turnaround_times)
+		max_turnaround_time = max(turnaround_times)
+	else:
+		avg_turnaround_time = 0
+		max_turnaround_time = 0
+
+	return Result(editor_approvals, packages_info_2, avg_turnaround_time, max_turnaround_time)
+
+
+def get_approval_statistics(start_date: Optional[datetime.datetime] = None, end_date: Optional[datetime.datetime] = None) -> Result:
+	entries = AuditLogEntry.query.filter(AuditLogEntry.package).filter(or_(
+		AuditLogEntry.title.like("Approved %"),
+		AuditLogEntry.title.like("Marked %"))
+	).order_by(db.asc(AuditLogEntry.created_at)).all()
+
+	return _get_approval_statistics(entries, start_date, end_date)
--- a/app/logic/game_support.py
+++ b/app/logic/game_support.py
@@ -0,0 +1,361 @@
+# ContentDB
+# Copyright (C) rubenwardy
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU Affero General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU Affero General Public License for more details.
+#
+# You should have received a copy of the GNU Affero General Public License
+# along with this program.  If not, see <https://www.gnu.org/licenses/>.
+
+from typing import List, Dict, Optional, Tuple
+
+import sqlalchemy
+
+from app.models import PackageType, Package, PackageState, PackageGameSupport
+from app.utils import post_bot_message
+
+
+minetest_game_mods = {
+	"beds", "boats", "bucket", "carts", "default", "dungeon_loot", "env_sounds", "fire", "flowers",
+	"give_initial_stuff", "map", "player_api", "sethome", "spawn", "tnt", "walls", "wool",
+	"binoculars", "bones", "butterflies", "creative", "doors", "dye", "farming", "fireflies", "game_commands",
+	"keys", "mtg_craftguide", "screwdriver", "sfinv", "stairs", "vessels", "weather", "xpanes",
+}
+
+
+mtg_mod_blacklist = {
+	"pacman", "tutorial", "runorfall", "realtest_mt5", "mevo", "xaenvironment",
+	"survivethedays", "holidayhorrors",
+}
+
+
+class GSPackage:
+	author: str
+	name: str
+	type: PackageType
+
+	provides: set[str]
+	depends: set[str]
+
+	user_supported_games: set[str]
+	user_unsupported_games: set[str]
+	detected_supported_games: set[str]
+	supports_all_games: bool
+
+	detection_disabled: bool
+
+	is_confirmed: bool
+	errors: set[str]
+
+	def __init__(self, author: str, name: str, type: PackageType, provides: set[str]):
+		self.author = author
+		self.name = name
+		self.type = type
+		self.provides = provides
+		self.depends = set()
+		self.user_supported_games = set()
+		self.user_unsupported_games = set()
+		self.detected_supported_games = set()
+		self.supports_all_games = False
+		self.detection_disabled = False
+		self.is_confirmed = type == PackageType.GAME
+		self.errors = set()
+
+		# For dodgy games, discard MTG mods
+		if self.type == PackageType.GAME and self.name in mtg_mod_blacklist:
+			self.provides.difference_update(minetest_game_mods)
+
+	@property
+	def id_(self) -> str:
+		return f"{self.author}/{self.name}"
+
+	@property
+	def supported_games(self) -> set[str]:
+		ret = set()
+		ret.update(self.user_supported_games)
+		if not self.detection_disabled:
+			ret.update(self.detected_supported_games)
+		ret.difference_update(self.user_unsupported_games)
+		return ret
+
+	@property
+	def unsupported_games(self) -> set[str]:
+		return self.user_unsupported_games
+
+	def add_error(self, error: str):
+		return self.errors.add(error)
+
+
+class GameSupport:
+	packages: Dict[str, GSPackage]
+	modified_packages: set[GSPackage]
+
+	def __init__(self):
+		self.packages = {}
+		self.modified_packages = set()
+
+	@property
+	def all_confirmed(self):
+		return all([x.is_confirmed for x in self.packages.values()])
+
+	@property
+	def has_errors(self):
+		return any([len(x.errors) > 0 for x in self.packages.values()])
+
+	@property
+	def error_count(self):
+		return sum([len(x.errors) for x in self.packages.values()])
+
+	@property
+	def all_errors(self) -> set[str]:
+		errors = set()
+		for package in self.packages.values():
+			for err in package.errors:
+				errors.add(package.id_ + ": " + err)
+		return errors
+
+	def add(self, package: GSPackage) -> GSPackage:
+		self.packages[package.id_] = package
+		return package
+
+	def get(self, id_: str) -> Optional[GSPackage]:
+		return self.packages.get(id_)
+
+	def get_all_that_provide(self, modname: str) -> List[GSPackage]:
+		return [package for package in self.packages.values() if modname in package.provides]
+
+	def get_all_that_depend_on(self, modname: str) -> List[GSPackage]:
+		return [package for package in self.packages.values() if modname in package.depends]
+
+	def _get_supported_games_for_modname(self, depend: str, visited: list[str]):
+		dep_supports_all = False
+		for_dep = set()
+		for provider in self.get_all_that_provide(depend):
+			found_in = self._get_supported_games(provider, visited)
+			if found_in is None:
+				# Unsupported, keep going
+				pass
+			elif len(found_in) == 0:
+				dep_supports_all = True
+				break
+			else:
+				for_dep.update(found_in)
+
+		return dep_supports_all, for_dep
+
+	def _get_supported_games_for_deps(self, package: GSPackage, visited: list[str]) -> Optional[set[str]]:
+		ret = set()
+
+		for depend in package.depends:
+			dep_supports_all, for_dep = self._get_supported_games_for_modname(depend, visited)
+
+			if dep_supports_all:
+				# Dep is game independent
+				pass
+			elif len(for_dep) == 0:
+				package.add_error(f"Unable to fulfill dependency {depend}")
+				return None
+			elif len(ret) == 0:
+				ret = for_dep
+			else:
+				ret.intersection_update(for_dep)
+				if len(ret) == 0:
+					package.add_error("Game support conflict, unable to install package on any games")
+					return None
+
+		return ret
+
+	def _get_supported_games(self, package: GSPackage, visited: list[str]) -> Optional[set[str]]:
+		if package.id_ in visited:
+			return None
+
+		if package.type == PackageType.GAME:
+			return {package.name}
+		elif package.is_confirmed:
+			return package.supported_games
+
+		visited = visited.copy()
+		visited.append(package.id_)
+
+		ret = self._get_supported_games_for_deps(package, visited)
+		if ret is None:
+			assert len(package.errors) > 0
+			return None
+
+		ret = ret.copy()
+		ret.difference_update(package.user_unsupported_games)
+		package.detected_supported_games = ret
+		self.modified_packages.add(package)
+
+		if len(ret) > 0:
+			for supported in package.user_supported_games:
+				if supported not in ret:
+					package.add_error(f"`{supported}` is specified in supported_games but it is impossible to run {package.name} in that game. " +
+							f"Its dependencies can only be fulfilled in {', '.join([f'`{x}`' for x in ret])}. " +
+							"Check your hard dependencies.")
+
+			if package.supports_all_games:
+				package.add_error(
+						"This package cannot support all games as some dependencies require specific game(s): " +
+						", ".join([f'`{x}`' for x in ret]))
+
+		package.is_confirmed = True
+		return package.supported_games
+
+	def on_update(self, package: GSPackage, old_provides: Optional[set[str]] = None):
+		to_update = {package}
+		checked = set()
+
+		while len(to_update) > 0:
+			current_package = to_update.pop()
+			if current_package.id_ in self.packages and current_package.type != PackageType.GAME:
+				self._get_supported_games(current_package, [])
+
+			provides = current_package.provides
+			if current_package == package and old_provides is not None:
+				provides = provides.union(old_provides)
+
+			for modname in provides:
+				for depending_package in self.get_all_that_depend_on(modname):
+					if depending_package not in checked:
+						if depending_package.id_ in self.packages and depending_package.type != PackageType.GAME:
+							depending_package.is_confirmed = False
+							depending_package.detected_supported_games = []
+
+						to_update.add(depending_package)
+						checked.add(depending_package)
+
+	def on_remove(self, package: GSPackage):
+		del self.packages[package.id_]
+		self.on_update(package)
+
+	def on_first_run(self):
+		for package in self.packages.values():
+			if not package.is_confirmed:
+				self.on_update(package)
+
+
+def _convert_package(support: GameSupport, package: Package) -> GSPackage:
+	# Unapproved packages shouldn't be considered to fulfill anything
+	provides = set()
+	if package.state == PackageState.APPROVED:
+		provides = set([x.name for x in package.provides])
+
+	gs_package = GSPackage(package.author.username, package.name, package.type, provides)
+	gs_package.depends = set([x.meta_package.name for x in package.dependencies if not x.optional])
+	gs_package.detection_disabled = not package.enable_game_support_detection
+	gs_package.supports_all_games = package.supports_all_games
+
+	existing_game_support = (package.supported_games
+			.filter(PackageGameSupport.game.has(state=PackageState.APPROVED),
+					PackageGameSupport.confidence > 5)
+			.all())
+	if not package.supports_all_games:
+		gs_package.user_supported_games = [x.game.name for x in existing_game_support if x.supports]
+	gs_package.user_unsupported_games = [x.game.name for x in existing_game_support if not x.supports]
+	return support.add(gs_package)
+
+
+def _create_instance(session: sqlalchemy.orm.Session) -> GameSupport:
+	support = GameSupport()
+
+	packages: List[Package] = (session.query(Package)
+			.filter(Package.state == PackageState.APPROVED, Package.type.in_([PackageType.GAME, PackageType.MOD]))
+			.all())
+
+	for package in packages:
+		_convert_package(support, package)
+
+	return support
+
+
+def _persist(session: sqlalchemy.orm.Session, support: GameSupport):
+	for gs_package in support.packages.values():
+		if len(gs_package.errors) != 0:
+			msg = "\n".join([f"- {x}" for x in gs_package.errors])
+			package = session.query(Package).filter(
+					Package.author.has(username=gs_package.author),
+					Package.name == gs_package.name).one()
+			post_bot_message(package, "Error when checking game support", msg, session)
+
+	for gs_package in support.modified_packages:
+		if not gs_package.detection_disabled:
+			package = session.query(Package).filter(
+					Package.author.has(username=gs_package.author),
+					Package.name == gs_package.name).one()
+
+			# Clear existing
+			session.query(PackageGameSupport) \
+				.filter_by(package=package, confidence=1) \
+				.delete()
+
+			# Add new
+			supported_games = gs_package.supported_games \
+				.difference(gs_package.user_supported_games)
+			for game_name in supported_games:
+				game_id = session.query(Package.id) \
+					.filter(Package.type == PackageType.GAME, Package.name == game_name, Package.state == PackageState.APPROVED) \
+					.one()[0]
+
+				new_support = PackageGameSupport()
+				new_support.package = package
+				new_support.game_id = game_id
+				new_support.confidence = 1
+				new_support.supports = True
+				session.add(new_support)
+
+
+def game_support_update(session: sqlalchemy.orm.Session, package: Package, old_provides: Optional[set[str]]) -> set[str]:
+	support = _create_instance(session)
+	gs_package = support.get(package.get_id())
+	if gs_package is None:
+		gs_package = _convert_package(support, package)
+	support.on_update(gs_package, old_provides)
+	_persist(session, support)
+	return gs_package.errors
+
+
+def game_support_update_all(session: sqlalchemy.orm.Session):
+	support = _create_instance(session)
+	support.on_first_run()
+	_persist(session, support)
+
+
+def game_support_remove(session: sqlalchemy.orm.Session, package: Package):
+	support = _create_instance(session)
+	gs_package = support.get(package.get_id())
+	if gs_package is None:
+		gs_package = _convert_package(support, package)
+	support.on_remove(gs_package)
+	_persist(session, support)
+
+
+def game_support_set(session, package: Package, game_is_supported: Dict[int, bool], confidence: int):
+	previous_supported: Dict[int, PackageGameSupport] = {}
+	for support in package.supported_games.all():
+		previous_supported[support.game.id] = support
+
+	for game_id, supports in game_is_supported.items():
+		game = session.query(Package).get(game_id)
+		lookup = previous_supported.pop(game_id, None)
+		if lookup is None:
+			support = PackageGameSupport()
+			support.package = package
+			support.game = game
+			support.confidence = confidence
+			support.supports = supports
+			session.add(support)
+		elif lookup.confidence <= confidence:
+			lookup.supports = supports
+			lookup.confidence = confidence
+
+	for game, support in previous_supported.items():
+		if support.confidence == confidence:
+			session.delete(support)
--- a/app/logic/graphs.py
+++ b/app/logic/graphs.py
@@ -0,0 +1,166 @@
+# ContentDB
+# Copyright (C) rubenwardy
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU Affero General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU Affero General Public License for more details.
+#
+# You should have received a copy of the GNU Affero General Public License
+# along with this program.  If not, see <https://www.gnu.org/licenses/>.
+
+import datetime
+from datetime import timedelta
+from typing import Optional
+
+from app.models import User, Package, PackageDailyStats, db, PackageState
+from sqlalchemy import func
+
+
+def daterange(start_date, end_date):
+	for n in range(int((end_date - start_date).days) + 1):
+		yield start_date + timedelta(n)
+
+
+keys = ["platform_minetest", "platform_other", "reason_new",
+		"reason_dependency", "reason_update"]
+
+
+def flatten_data(stats):
+	start_date = stats[0].date
+	end_date = stats[-1].date
+	result = {
+		"start": start_date.isoformat(),
+		"end": end_date.isoformat(),
+	}
+
+	for key in keys:
+		result[key] = []
+
+	i = 0
+	for date in daterange(start_date, end_date):
+		stat = stats[i]
+		if stat.date == date:
+			for key in keys:
+				result[key].append(getattr(stat, key))
+
+			i += 1
+		else:
+			for key in keys:
+				result[key].append(0)
+
+	return result
+
+
+def get_package_stats(package: Package, start_date: Optional[datetime.date], end_date: Optional[datetime.date]):
+	query = package.daily_stats.order_by(db.asc(PackageDailyStats.date))
+	if start_date:
+		query = query.filter(PackageDailyStats.date >= start_date)
+	if end_date:
+		query = query.filter(PackageDailyStats.date <= end_date)
+
+	stats = query.all()
+	if len(stats) == 0:
+		return None
+
+	return flatten_data(stats)
+
+
+def get_package_stats_for_user(user: User, start_date: Optional[datetime.date], end_date: Optional[datetime.date]):
+	query = db.session \
+		.query(PackageDailyStats.date,
+			func.sum(PackageDailyStats.platform_minetest).label("platform_minetest"),
+			func.sum(PackageDailyStats.platform_other).label("platform_other"),
+			func.sum(PackageDailyStats.reason_new).label("reason_new"),
+			func.sum(PackageDailyStats.reason_dependency).label("reason_dependency"),
+			func.sum(PackageDailyStats.reason_update).label("reason_update")) \
+		.filter(PackageDailyStats.package.has(author_id=user.id))
+
+	if start_date:
+		query = query.filter(PackageDailyStats.date >= start_date)
+	if end_date:
+		query = query.filter(PackageDailyStats.date <= end_date)
+
+	stats = query.order_by(db.asc(PackageDailyStats.date)) \
+		.group_by(PackageDailyStats.date) \
+		.all()
+	if len(stats) == 0:
+		return None
+
+	results = flatten_data(stats)
+	results["package_downloads"] = get_package_overview_for_user(user, stats[0].date, stats[-1].date)
+
+	return results
+
+
+def get_package_overview_for_user(user: Optional[User], start_date: datetime.date, end_date: datetime.date):
+	query = db.session \
+		.query(PackageDailyStats.package_id, PackageDailyStats.date,
+			(PackageDailyStats.platform_minetest + PackageDailyStats.platform_other).label("downloads"))
+
+	if user:
+		query = query.filter(PackageDailyStats.package.has(author_id=user.id))
+
+	all_stats = query \
+		.filter(PackageDailyStats.package.has(state=PackageState.APPROVED),
+				PackageDailyStats.date >= start_date, PackageDailyStats.date <= end_date) \
+		.order_by(db.asc(PackageDailyStats.package_id), db.asc(PackageDailyStats.date)) \
+		.all()
+
+	stats_by_package = {}
+	for stat in all_stats:
+		bucket = stats_by_package.get(stat.package_id, [])
+		stats_by_package[stat.package_id] = bucket
+
+		bucket.append(stat)
+
+	package_title_by_id = {}
+	pkg_query = user.packages if user else Package.query
+	for package in pkg_query.filter_by(state=PackageState.APPROVED).all():
+		if user:
+			package_title_by_id[package.id] = package.title
+		else:
+			package_title_by_id[package.id] = package.get_id()
+
+	result = {}
+
+	for package_id, stats in stats_by_package.items():
+		i = 0
+		row = []
+		result[package_title_by_id[package_id]] = row
+		for date in daterange(start_date, end_date):
+			if i >= len(stats):
+				row.append(0)
+				continue
+
+			stat = stats[i]
+			if stat.date == date:
+				row.append(stat.downloads)
+				i += 1
+			elif stat.date > date:
+				row.append(0)
+			else:
+				raise Exception(f"Invalid logic, expected stat {stat.date} to be later than {date}")
+
+	return result
+
+
+def get_all_package_stats(start_date: Optional[datetime.date] = None, end_date: Optional[datetime.date] = None):
+	now_date = datetime.datetime.utcnow().date()
+	if end_date is None or end_date > now_date:
+		end_date = now_date
+
+	min_start_date = (datetime.datetime.utcnow() - datetime.timedelta(days=29)).date()
+	if start_date is None or start_date < min_start_date:
+		start_date = min_start_date
+
+	return {
+		"start": start_date.isoformat(),
+		"end": end_date.isoformat(),
+		"package_downloads": get_package_overview_for_user(None, start_date, end_date),
+	}
--- a/app/logic/package_approval.py
+++ b/app/logic/package_approval.py
@@ -0,0 +1,204 @@
+# ContentDB
+# Copyright (C) rubenwardy
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU Affero General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU Affero General Public License for more details.
+#
+# You should have received a copy of the GNU Affero General Public License
+# along with this program.  If not, see <https://www.gnu.org/licenses/>.
+
+from typing import List, Tuple, Union, Optional
+
+from flask_babel import lazy_gettext, LazyString
+from sqlalchemy import and_, or_
+
+from app.models import Package, PackageType, PackageState, PackageRelease, db, MetaPackage, ForumTopic, User, \
+	Permission, UserRank
+
+
+class PackageValidationNote:
+	# level is danger, warning, or info
+	level: str
+	message: LazyString
+	buttons: List[Tuple[str, LazyString]]
+
+	# False to prevent "Approve"
+	allow_approval: bool
+
+	# False to prevent "Submit for Approval"
+	allow_submit: bool
+
+	def __init__(self, level: str, message: LazyString, allow_approval: bool, allow_submit: bool):
+		self.level = level
+		self.message = message
+		self.buttons = []
+		self.allow_approval = allow_approval
+		self.allow_submit = allow_submit
+
+	def add_button(self, url: str, label: LazyString) -> "PackageValidationNote":
+		self.buttons.append((url, label))
+		return self
+
+	def __repr__(self):
+		return str(self.message)
+
+
+def is_package_name_taken(normalised_name: str) -> bool:
+	return Package.query.filter(
+		and_(Package.state == PackageState.APPROVED,
+			 or_(Package.name == normalised_name,
+				 Package.name == normalised_name + "_game"))).count() > 0
+
+
+def get_conflicting_mod_names(package: Package) -> set[str]:
+	conflicting_modnames = (db.session.query(MetaPackage.name)
+			.filter(MetaPackage.id.in_([mp.id for mp in package.provides]))
+			.filter(MetaPackage.packages.any(and_(Package.id != package.id, Package.state == PackageState.APPROVED)))
+			.all())
+	conflicting_modnames += (db.session.query(ForumTopic.name)
+			.filter(ForumTopic.name.in_([mp.name for mp in package.provides]))
+			.filter(ForumTopic.topic_id != package.forums)
+			.filter(~ db.exists().where(Package.forums == ForumTopic.topic_id))
+			.order_by(db.asc(ForumTopic.name), db.asc(ForumTopic.title))
+			.all())
+	return set([x[0] for x in conflicting_modnames])
+
+
+def count_packages_with_forum_topic(topic_id: int) -> int:
+	return Package.query.filter(Package.forums == topic_id, Package.state != PackageState.DELETED).count() > 1
+
+
+def get_forum_topic(topic_id: int) -> Optional[ForumTopic]:
+	return ForumTopic.query.get(topic_id)
+
+
+def validate_package_for_approval(package: Package) -> List[PackageValidationNote]:
+	retval: List[PackageValidationNote] = []
+
+	def template(level: str, allow_approval: bool, allow_submit: bool):
+		def inner(msg: LazyString):
+			note = PackageValidationNote(level, msg, allow_approval, allow_submit)
+			retval.append(note)
+			return note
+
+		return inner
+
+	danger = template("danger", allow_approval=False, allow_submit=False)
+	warning = template("warning", allow_approval=True, allow_submit=True)
+	info = template("info", allow_approval=False, allow_submit=True)
+
+	if package.type != PackageType.MOD and is_package_name_taken(package.normalised_name):
+		danger(lazy_gettext("A package already exists with this name. Please see Policy and Guidance 3"))
+
+	if package.releases.filter(PackageRelease.task_id.is_(None)).count() == 0:
+		if package.releases.count() == 0:
+			message = lazy_gettext("You need to create a release before this package can be approved.")
+		else:
+			message = lazy_gettext("Release is still importing, or has an error.")
+
+		danger(message) \
+			.add_button(package.get_url("packages.create_release"), lazy_gettext("Create release")) \
+			.add_button(package.get_url("packages.setup_releases"), lazy_gettext("Set up releases"))
+
+		# Don't bother validating any more until we have a release
+		return retval
+
+	if package.screenshots.count() == 0:
+		danger(lazy_gettext("You need to add at least one screenshot."))
+
+	missing_deps = package.get_missing_hard_dependencies_query().all()
+	if len(missing_deps) > 0:
+		missing_deps = ", ".join([ x.name for x in missing_deps])
+		danger(lazy_gettext(
+			"The following hard dependencies need to be added to ContentDB first: %(deps)s", deps=missing_deps))
+
+	if package.type != PackageType.GAME and not package.supports_all_games and package.supported_games.count() == 0:
+		danger(lazy_gettext(
+			"What games does your package support? Please specify on the supported games page", deps=missing_deps)) \
+			.add_button(package.get_url("packages.game_support"), lazy_gettext("Supported Games"))
+
+	if "Other" in package.license.name or "Other" in package.media_license.name:
+		info(lazy_gettext("Please wait for the license to be added to CDB."))
+
+	# Check similar mod name
+	conflicting_modnames = set()
+	if package.type != PackageType.TXP:
+		conflicting_modnames = get_conflicting_mod_names(package)
+
+	if len(conflicting_modnames) > 4:
+		warning(lazy_gettext("Please make sure that this package has the right to the names it uses."))
+	elif len(conflicting_modnames) > 0:
+		names_list = list(conflicting_modnames)
+		names_list.sort()
+		warning(lazy_gettext("Please make sure that this package has the right to the names %(names)s",
+				names=", ".join(names_list))) \
+			.add_button(package.get_url('packages.similar'), lazy_gettext("See more"))
+
+	# Check forum topic
+	if package.state != PackageState.APPROVED and package.forums is not None:
+		if count_packages_with_forum_topic(package.forums) > 1:
+			danger("<b>" + lazy_gettext("Error: Another package already uses this forum topic!") + "</b>")
+
+		topic = get_forum_topic(package.forums)
+		if topic is not None:
+			if topic.author != package.author:
+				danger("<b>" + lazy_gettext("Error: Forum topic author doesn't match package author.") + "</b>")
+		elif package.type != PackageType.TXP:
+			warning(lazy_gettext("Warning: Forum topic not found. The topic may have been created since the last forum crawl."))
+
+	return retval
+
+
+PACKAGE_STATE_FLOW = {
+	PackageState.WIP: {PackageState.READY_FOR_REVIEW},
+	PackageState.CHANGES_NEEDED: {PackageState.READY_FOR_REVIEW},
+	PackageState.READY_FOR_REVIEW: {PackageState.WIP, PackageState.CHANGES_NEEDED, PackageState.APPROVED},
+	PackageState.APPROVED: {PackageState.CHANGES_NEEDED},
+	PackageState.DELETED: {PackageState.READY_FOR_REVIEW},
+}
+
+
+def can_move_to_state(package: Package, user: User, new_state: Union[str, PackageState]) -> bool:
+	if not user.is_authenticated:
+		return False
+
+	if type(new_state) == str:
+		new_state = PackageState[new_state]
+	elif type(new_state) != PackageState:
+		raise Exception("Unknown state given to can_move_to_state()")
+
+	if new_state not in PACKAGE_STATE_FLOW[package.state]:
+		return False
+
+	if new_state == PackageState.READY_FOR_REVIEW or new_state == PackageState.APPROVED:
+		# Can the user approve?
+		if new_state == PackageState.APPROVED and not package.check_perm(user, Permission.APPROVE_NEW):
+			return False
+
+		# Must be able to edit or approve package to change its state
+		if not (package.check_perm(user, Permission.APPROVE_NEW) or package.check_perm(user, Permission.EDIT_PACKAGE)):
+			return False
+
+		# Are there any validation warnings?
+		validation_notes = validate_package_for_approval(package)
+		for note in validation_notes:
+			if not note.allow_submit or (new_state == PackageState.APPROVED and not note.allow_approval):
+				return False
+
+		return True
+
+	elif new_state == PackageState.CHANGES_NEEDED:
+		return package.check_perm(user, Permission.APPROVE_NEW)
+
+	elif new_state == PackageState.WIP:
+		return package.check_perm(user, Permission.EDIT_PACKAGE) and \
+			(user in package.maintainers or user.rank.at_least(UserRank.ADMIN))
+
+	return True
--- a/app/logic/packages.py
+++ b/app/logic/packages.py
@@ -0,0 +1,236 @@
+# ContentDB
+# Copyright (C) 2021 rubenwardy
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU Affero General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU Affero General Public License for more details.
+#
+# You should have received a copy of the GNU Affero General Public License
+# along with this program.  If not, see <https://www.gnu.org/licenses/>.
+
+import json
+import re
+import typing
+
+import validators
+from flask_babel import lazy_gettext, LazyString
+
+from app.logic.LogicError import LogicError
+from app.models import User, Package, PackageType, MetaPackage, Tag, ContentWarning, db, Permission, AuditSeverity, \
+	License, PackageDevState, PackageState
+from app.utils import add_audit_log, has_blocked_domains, diff_dictionaries, describe_difference, normalize_line_endings
+from app.utils.url import clean_youtube_url
+
+
+def check(cond: bool, msg: typing.Union[str, LazyString]):
+	if not cond:
+		raise LogicError(400, msg)
+
+
+def get_license(name):
+	if type(name) == License:
+		return name
+
+	license = License.query.filter(License.name.ilike(name)).first()
+	if license is None:
+		raise LogicError(400, "Unknown license " + name)
+	return license
+
+
+name_re = re.compile("^[a-z0-9_]+$")
+
+AnyType = "?"
+ALLOWED_FIELDS = {
+	"type": AnyType,
+	"title": str,
+	"name": str,
+	"short_description": str,
+	"short_desc": str,
+	"dev_state": AnyType,
+	"tags": list,
+	"content_warnings": list,
+	"license": AnyType,
+	"media_license": AnyType,
+	"long_description": str,
+	"desc": str,
+	"repo": str,
+	"website": str,
+	"issue_tracker": str,
+	"issueTracker": str,
+	"forums": int,
+	"video_url": str,
+	"donate_url": str,
+	"translation_url": str,
+}
+
+NULLABLE = {
+	"tags",
+	"content_warnings",
+	"repo",
+	"website",
+	"issue_tracker",
+	"issueTracker",
+	"forums",
+	"video_url",
+	"donate_url",
+	"translation_url",
+}
+
+ALIASES = {
+	"short_description": "short_desc",
+	"issue_tracker": "issueTracker",
+	"long_description": "desc"
+}
+
+
+def is_int(val):
+	try:
+		int(val)
+		return True
+	except ValueError:
+		return False
+
+
+def validate(data: dict):
+	for key, value in data.items():
+		if value is None:
+			check(key in NULLABLE, f"{key} must not be null")
+		else:
+			typ = ALLOWED_FIELDS.get(key)
+			check(typ is not None, f"{key} is not a known field")
+			if typ != AnyType:
+				check(isinstance(value, typ), f"{key} must be a " + typ.__name__)
+
+	if "name" in data:
+		name = data["name"]
+		check(isinstance(name, str), "Name must be a string")
+		check(bool(name_re.match(name)),
+			lazy_gettext("Name can only contain lower case letters (a-z), digits (0-9), and underscores (_)"))
+
+	for key in ["repo", "website", "issue_tracker", "issueTracker"]:
+		value = data.get(key)
+		if value is not None:
+			check(value.startswith("http://") or value.startswith("https://"),
+					f"{key} must start with http:// or https://")
+			check(validators.url(value), f"{key} must be a valid URL")
+
+
+def do_edit_package(user: User, package: Package, was_new: bool, was_web: bool, data: dict,
+		reason: str = None) -> bool:
+	if not package.check_perm(user, Permission.EDIT_PACKAGE):
+		raise LogicError(403, lazy_gettext("You don't have permission to edit this package"))
+
+	if "name" in data and package.name != data["name"] and \
+			not package.check_perm(user, Permission.CHANGE_NAME):
+		raise LogicError(403, lazy_gettext("You don't have permission to change the package name"))
+
+	before_dict = None
+	if not was_new:
+		before_dict = package.as_dict("/")
+
+	for alias, to in ALIASES.items():
+		if alias in data:
+			if to in data and data[to] != data[alias]:
+				raise LogicError(403, f"Aliased field ({alias}) does not match new field ({to})")
+
+			data[to] = data[alias]
+
+	validate(data)
+
+	for field in ["short_desc", "desc", "website", "issueTracker", "repo", "video_url", "donate_url", "translation_url"]:
+		if field in data and has_blocked_domains(data[field], user.username,
+					f"{field} of {package.get_id()}"):
+			raise LogicError(403, lazy_gettext("Linking to blocked sites is not allowed"))
+
+	if "type" in data:
+		new_type = PackageType.coerce(data["type"])
+		if new_type == package.type:
+			pass
+		elif package.state != PackageState.APPROVED:
+			package.type = new_type
+		else:
+			raise LogicError(403, lazy_gettext("You cannot change package type once approved"))
+
+	if "dev_state" in data:
+		data["dev_state"] = PackageDevState.coerce(data["dev_state"])
+
+	if "license" in data:
+		data["license"] = get_license(data["license"])
+
+	if "media_license" in data:
+		data["media_license"] = get_license(data["media_license"])
+
+	if "desc" in data:
+		data["desc"] = normalize_line_endings(data["desc"])
+
+	if "video_url" in data and data["video_url"] is not None:
+		data["video_url"] = clean_youtube_url(data["video_url"]) or data["video_url"]
+		if "dQw4w9WgXcQ" in data["video_url"]:
+			raise LogicError(403, "Never gonna give you up / Never gonna let you down / Never gonna run around and desert you")
+
+	for key in ["name", "title", "short_desc", "desc", "dev_state", "license", "media_license",
+			"repo", "website", "issueTracker", "forums", "video_url", "donate_url", "translation_url"]:
+		if key in data:
+			setattr(package, key, data[key])
+
+	if package.type == PackageType.TXP:
+		package.license = package.media_license
+
+	if was_new and package.type == PackageType.MOD:
+		m = MetaPackage.GetOrCreate(package.name, {})
+		package.provides.append(m)
+
+	if "tags" in data:
+		package.tags.clear()
+		for tag_id in (data["tags"] or []):
+			if is_int(tag_id):
+				tag = Tag.query.get(tag_id)
+			else:
+				tag = Tag.query.filter_by(name=tag_id).first()
+				if tag is None:
+					raise LogicError(400, "Unknown tag: " + tag_id)
+
+			package.tags.append(tag)
+
+	if "content_warnings" in data:
+		package.content_warnings.clear()
+		for warning_id in (data["content_warnings"] or []):
+			if is_int(warning_id):
+				package.content_warnings.append(ContentWarning.query.get(warning_id))
+			else:
+				warning = ContentWarning.query.filter_by(name=warning_id).first()
+				if warning is None:
+					raise LogicError(400, "Unknown warning: " + warning_id)
+				package.content_warnings.append(warning)
+
+	was_modified = was_new
+	if was_new:
+		msg = f"Created package {package.author.username}/{package.name}"
+		add_audit_log(AuditSeverity.NORMAL, user, msg, package.get_url("packages.view"), package)
+	else:
+		after_dict = package.as_dict("/")
+		diff = diff_dictionaries(before_dict, after_dict)
+		was_modified = len(diff) > 0
+
+		if reason is None:
+			msg = "Edited {}".format(package.title)
+		else:
+			msg = "Edited {} ({})".format(package.title, reason)
+
+		diff_desc = describe_difference(diff, 100 - len(msg) - 3) if diff else None
+		if diff_desc:
+			msg += " [" + diff_desc + "]"
+
+		severity = AuditSeverity.NORMAL if user in package.maintainers else AuditSeverity.EDITOR
+		add_audit_log(severity, user, msg, package.get_url("packages.view"), package, json.dumps(diff, indent=4))
+
+	if was_modified:
+		db.session.commit()
+
+	return was_modified
--- a/app/logic/releases.py
+++ b/app/logic/releases.py
@@ -0,0 +1,106 @@
+# ContentDB
+# Copyright (C) 2018-21 rubenwardy
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU Affero General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU Affero General Public License for more details.
+#
+# You should have received a copy of the GNU Affero General Public License
+# along with this program.  If not, see <https://www.gnu.org/licenses/>.
+
+import datetime
+import re
+from typing import Optional
+
+from celery import uuid
+from flask_babel import lazy_gettext
+
+from app.logic.LogicError import LogicError
+from app.logic.uploads import upload_file
+from app.models import PackageRelease, db, Permission, User, Package, LuantiRelease
+from app.tasks.importtasks import make_vcs_release, check_zip_release
+from app.utils import AuditSeverity, add_audit_log, nonempty_or_none, normalize_line_endings
+
+
+def check_can_create_release(user: User, package: Package, name: str):
+	if not package.check_perm(user, Permission.MAKE_RELEASE):
+		raise LogicError(403, lazy_gettext("You don't have permission to make releases"))
+
+	five_minutes_ago = datetime.datetime.now() - datetime.timedelta(minutes=5)
+	count = package.releases.filter(PackageRelease.created_at > five_minutes_ago).count()
+	if count >= 5:
+		raise LogicError(429, lazy_gettext("You've created too many releases for this package in the last 5 minutes, please wait before trying again"))
+
+	if PackageRelease.query.filter_by(package_id=package.id, name=name).count() > 0:
+		raise LogicError(403, lazy_gettext("A release with this name already exists"))
+
+
+def do_create_vcs_release(user: User, package: Package, name: str, title: Optional[str], release_notes: Optional[str], ref: str,
+		min_v: LuantiRelease = None, max_v: LuantiRelease = None, reason: str = None):
+	check_can_create_release(user, package, name)
+
+	rel = PackageRelease()
+	rel.package = package
+	rel.name    = name
+	rel.title   = title or name
+	rel.release_notes = normalize_line_endings(release_notes)
+	rel.url     = ""
+	rel.task_id = uuid()
+	rel.min_rel = min_v
+	rel.max_rel = max_v
+	db.session.add(rel)
+
+	if reason is None:
+		msg = "Created release {}".format(rel.title)
+	else:
+		msg = "Created release {} ({})".format(rel.title, reason)
+	add_audit_log(AuditSeverity.NORMAL, user, msg, package.get_url("packages.view"), package)
+
+	db.session.commit()
+
+	make_vcs_release.apply_async((rel.id, nonempty_or_none(ref)), task_id=rel.task_id)
+
+	return rel
+
+
+def do_create_zip_release(user: User, package: Package, name: str, title: Optional[str], release_notes: Optional[str], file,
+		min_v: LuantiRelease = None, max_v: LuantiRelease = None, reason: str = None,
+		commit_hash: str = None):
+	check_can_create_release(user, package, name)
+
+	if commit_hash:
+		commit_hash = commit_hash.lower()
+		if not (len(commit_hash) == 40 and re.match(r"^[0-9a-f]+$", commit_hash)):
+			raise LogicError(400, lazy_gettext("Invalid commit hash; it must be a 40 character long base16 string"))
+
+	uploaded_url, uploaded_path = upload_file(file, "zip", "a zip file")
+
+	rel = PackageRelease()
+	rel.package = package
+	rel.name    = name
+	rel.title   = title or name
+	rel.release_notes = normalize_line_endings(release_notes)
+	rel.url     = uploaded_url
+	rel.task_id = uuid()
+	rel.commit_hash = commit_hash
+	rel.min_rel = min_v
+	rel.max_rel = max_v
+	db.session.add(rel)
+
+	if reason is None:
+		msg = "Created release {}".format(rel.title)
+	else:
+		msg = "Created release {} ({})".format(rel.title, reason)
+	add_audit_log(AuditSeverity.NORMAL, user, msg, package.get_url("packages.view"), package)
+
+	db.session.commit()
+
+	check_zip_release.apply_async((rel.id, uploaded_path), task_id=rel.task_id)
+
+	return rel
--- a/Show More
+++ b/Show More