Rozszerzenie powiadomień o kolejne typy zdarzeń, z symetrycznymi togglami
e-mail i push w /konto/prywatnosc.
Migracje 103 + 104 — 6 nowych kolumn preferencji e-mail + NordaEvent.reminder_24h_sent_at.
Triggery:
- Forum odpowiedź → push do autora wątku (notify_push_forum_reply)
- Forum cytat (> **Imię** napisał(a):) → push + email do cytowanego
(notify_push/email_forum_quote)
- Admin publikuje aktualność → broadcast push (ON) + email (OFF)
do aktywnych członków (notify_push/email_announcements)
- Board: utworzenie / publikacja programu / publikacja protokołu
→ broadcast push + opt-in email (notify_push/email_board_meetings)
- Nowe wydarzenie w kalendarzu → broadcast push + email (oba ON)
(notify_push/email_event_invites)
- Cron scripts/event_reminders_cron.py co godzinę — wydarzenia za 23-25h,
dla zapisanych (EventAttendee.status != 'declined') push + email,
znacznik NordaEvent.reminder_24h_sent_at żeby nie dublować.
Email defaults dobrane, by nie zalać inbox: broadcast OFF (announcements,
board, forum_reply), personalne/actionable ON (forum_quote, event_invites,
event_reminders).
Wszystkie nowe e-maile mają jednym-kliknięciem unsubscribe (RFC 8058
+ link w stopce) — unsubscribe_tokens.py rozszerzony o nowe typy.
Cron entry do dodania na prod (osobny krok, bo to edycja crontaba):
0 * * * * cd /var/www/nordabiznes && venv/bin/python3 scripts/event_reminders_cron.py
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
- Admin fees yearly view now shows all active companies (including child brands)
- Child brand rows are indented with striped month cells and "firma córka" badge
- Parent companies show expandable brand list, Stawka column with 200/300 zł logic
- Expected fee per month computed from number of active child brands
- Rate change month shown when brand joins mid-year (e.g. "I-III: 200 zł / od IV: 300 zł")
- Sorting groups children directly under their parent
- Reminder logic skipped for child companies
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
- Add sort keys and data-sort-value attributes to 'Upr. firmowe' and 'Rola' columns
- Add filter tabs for MANAGER, OFFICE_MANAGER, company-role NONE and MANAGER
- Add data-company-role attribute to user rows for JS filtering
- Grant OFFICE_MANAGER access to admin_users, assign-company, reset-password, change-role, get-roles endpoints
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
- Route GET/POST /admin/kalendarz/<id>/edytuj
- Reuses admin_new.html template with pre-filled fields in edit mode
- Edit button on event detail page and admin calendar list
- Supports all fields including paid event settings and attachments
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
- EventGuest.guest_type: 'member' (member rate) or 'external' (guest rate)
- Dropdown of company colleagues when adding member-type guest
- Manual entry option for members not on portal
- Admin payment panel: "Dodaj osobę" with "Dodaj + opłacone" shortcut
- Migration 064: guest_type column
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Add is_paid, price_member, price_guest to NordaEvent. Add payment_status,
payment_amount, payment_confirmed_by/at to EventAttendee and EventGuest.
Auto-assign amounts on RSVP. Admin panel at /admin/kalendarz/<id>/platnosci
for OFFICE_MANAGER to confirm payments. User sees payment status on event page.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Self-referential FK with lazy='joined' causes DetachedInstanceError after
db.close(). Build a simple dict lookup in the route instead.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
- Add created_by_id FK to users table (NULL = self-registration)
- Set created_by_id in admin create, bulk create, and team add routes
- Show "samorejestracja" or "dodał: [name]" in admin users panel
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Dodano kolumnę "Blokada" w /admin/users pokazującą:
- status blokady z pozostałym czasem w minutach
- liczbę nieudanych prób logowania
- przycisk "Odblokuj" do natychmiastowego odblokowania konta
- filtr "Zablokowane" w zakładkach
Nowy endpoint POST /admin/users/<id>/unlock dla adminów.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Dodano pole previous_years_debt w modelu Company. Kolumna widoczna w widoku
rocznym składek — kliknięcie kwoty otwiera pole edycji. Legenda zaktualizowana.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Zamiast mylących "mają nieopłacone" vs "częściowo opłacone":
- Opłacone za cały rok
- Częściowo opłacone (mix opłaconych/nieopłaconych + niepełne wpłaty)
- Brak wpłat (żaden miesiąc nie opłacony)
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
New "Przypomnienie" column in yearly fee view shows:
- Empty: no reminder sent yet → button "Przypomnij"
- "✉ Wysłano 20.03": sent but not read → button "Ponów"
- "✓ Odczytano 20.03": sent and read → button "Ponów"
Status derived from last PrivateMessage with "przypomnienie o składce".
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
- Checkboxes for each available email (company, contacts, users)
- Multiple emails can be selected simultaneously
- Additional manual email input field
- Backend sends to all selected addresses in one email
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
- Portal recipient: dropdown with all users linked to company + role
- Email: dropdown with company email, contacts, user emails
- Editable email field for manual override
- Roles shown: Właściciel, Zarządzający, Pracownik
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Admin can click "Przypomnij" next to any company with unpaid fees.
Opens modal with full message preview including:
- Amount due and period
- Bank account details (KBS Wejherowo)
- Auto-generated transfer title
Admin reviews the message before sending. Sends as portal private
message + optional email to company contact.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Companies with fee records shown first, then a separator row
"Firmy bez danych o składkach", then companies without data
shown in muted style.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Companies with monthly rate above standard 200 PLN get a small blue
badge next to their name showing the actual rate (e.g. "300 zł").
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
- Stat cards: smaller font and padding
- Amounts displayed as whole PLN (no decimals)
- Status filter works in yearly view: "Uregulowane cały rok",
"Oczekujące", "Częściowo opłacone"
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Filter selects now auto-submit on change (no "Filtruj" button needed).
Year range extended from 2022 to current+1.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
ICS export, RSS feed, and admin creation now correctly use
external_source (e.g. "Agencja Rozwoju Pomorza") as the organizer
instead of defaulting to "Norda Biznes" for external events.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
External events from partner organizations (ARP, KIG, etc.) can now
be added to the calendar with distinct visual treatment:
- Grey badge "ZEWNĘTRZNE" and muted date box in list view
- Grey color in grid view with border accent
- "Jestem zainteresowany" instead of "Zapisz się" (no commitment)
- Prominent "Przejdź do rejestracji" button linking to external organizer
- "Zainteresowani" section instead of "Uczestnicy"
- Toggle filter "Pokaż zewnętrzne" with localStorage persistence
- Admin form checkbox to mark events as external
New fields: is_external, external_url, external_source on NordaEvent.
Migration: 086_external_events.sql
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Adds file attachment capability to NordaEvent model (attachment_filename,
attachment_path columns). Admin can upload PDF/DOCX when creating events.
Users see a download link on the event detail page.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Admin-sent reset emails now say "Administrator portalu wygenerował
link do ustawienia hasła" instead of generic "zażądano resetowania".
Validity period shown correctly: 24h for admin, 1h for self-service.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
The admin reset-password endpoint used datetime.utcnow() while the
validation used datetime.now(), causing tokens to appear expired
immediately on CET servers. Changed to datetime.now() and extended
admin-initiated resets to 24 hours validity.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Admin can now send a password reset email directly from /admin/users
instead of manually copying and sharing the reset link.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
- Set is_norda_member=True when admin assigns active company to user
- Clear is_norda_member=False when last active company is removed
- Covers admin edit route and admin API add/remove company routes
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Registration now assigns company_role=NONE instead of VIEWER - users
with a company NIP must be approved by admin/office manager before
getting any company dashboard access. Admin panel shows yellow alert
banner and "Oczekujący" filter tab when users are pending approval.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Admin can now set passwords directly via modal with generator (crypto.getRandomValues),
replacing the confirm-dialog flow with a tabbed modal (set password / reset link).
Custom CSS tooltips replace native title="" for instant hover display.
New "Ostatnie logowanie" column shows last_login timestamps.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
- Add "Users" button and modal in companies table to view/assign/unassign users
- New endpoint POST /admin/companies/<id>/unassign-user to detach user from company
- New endpoint GET /admin/users/list-all for user dropdown in assignment modal
- Modal shows assigned users with "Unpin" button and dropdown for adding new ones
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
- HIGH: Fix SQL injection in ZOPK knowledge service (3 functions) — replace f-strings with parameterized queries
- MEDIUM: Sanitize tsquery/LIKE input in SearchService to prevent injection
- MEDIUM: Add @login_required + @role_required(ADMIN) to /health/full endpoint
- MEDIUM: Add @role_required(ADMIN) to ZOPK knowledge search API
- MEDIUM: Add bleach HTML sanitization on write for announcements, events, board proceedings (stored XSS via |safe)
- MEDIUM: Remove partial API key from Gemini service logs
- MEDIUM: Remove @csrf.exempt from chat endpoints, add X-CSRFToken headers in JS
- MEDIUM: Add missing CSRF tokens to 3 POST forms (data_request, benefits_form, benefits_list)
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
- Add @role_required to 2 missing routes (krs_api PDF download, zopk milestones)
- Add role-based menu visibility in admin bar (hide Users, Security, Benefits,
Model Comparison, Debug from OFFICE_MANAGER users)
- Inject SystemRole into Jinja2 context processor for template role checks
- Replace is_admin checkbox with role select dropdown in user creation form
- Migrate routes.py and routes_users_api.py from is_admin to SystemRole-based
role assignment via set_role()
- Add deprecation notice to is_admin database column
- Add 23 RBAC unit tests (hierarchy, has_role, set_role, permissions)
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Replace ~20 remaining is_admin references across backend, templates and scripts
with proper SystemRole checks. Column is_admin stays as deprecated (synced by
set_role()) until DB migration removes it.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Expunge user from ORM session and use raw SQL DELETE to prevent
SQLAlchemy from trying to SET NULL on backref relationships.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Clean up FK references with NO ACTION before user deletion:
- SET NULL for nullable FK columns (30+ tables)
- DELETE records for NOT NULL FK columns without CASCADE
Prevents IntegrityError on user_notifications and other tables.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Add @rada_member_required decorator for access control
- Add BoardDocument model for storing protocols and documents
- Create document upload service (PDF, DOCX, DOC up to 50MB)
- Add /rada/ blueprint with list, upload, download endpoints
- Add "Rada" link in navigation (visible only for board members)
- Add "Rada" badge and toggle button in admin user management
- Create SQL migration to set up board_documents table and assign
is_rada_member=True to 16 board members by email
Storage: /data/board-docs/ (outside webroot for security)
Access: is_rada_member=True OR role >= OFFICE_MANAGER
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Add access_level field to norda_events (public, members_only, rada_only)
- Add is_rada_member field to users table
- Add can_user_view() and can_user_attend() methods to NordaEvent model
- Update calendar routes to filter events by user permissions
- Add access_level dropdown to admin event form
- Rada Izby events only visible to designated board members
- Regular member meetings visible to all NORDA members
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Replace ~170 manual `if not current_user.is_admin` checks with:
- @role_required(SystemRole.ADMIN) for user management, security, ZOPK
- @role_required(SystemRole.OFFICE_MANAGER) for content management
- current_user.can_access_admin_panel() for admin UI access
- current_user.can_moderate_forum() for forum moderation
- current_user.can_edit_company(id) for company permissions
Add @office_manager_required decorator shortcut.
Add SQL migration to sync existing users' role field.
Role hierarchy: UNAFFILIATED(10) < MEMBER(20) < EMPLOYEE(30) < MANAGER(40) < OFFICE_MANAGER(50) < ADMIN(100)
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
