Singleton Redis client module with graceful fallback when Redis is
unavailable. Provides pub/sub (SSE events) and presence tracking
(online status, last_seen) for the messaging redesign.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
URLs in messages are now automatically converted to clickable links
opening in a new tab. Works for both old plain-text and new Quill
HTML messages. Uses linkify Jinja2 filter that only processes text
nodes outside existing <a>/<img> tags.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
The actual analytics code in app.py had no bot filtering — all sessions
(including scanners, crawlers, empty UAs) were saved as is_bot=False.
Added the same 25+ pattern bot filter that was in utils/analytics.py.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
utils/analytics.py and utils/middleware.py are not used for page tracking.
The real analytics code is in app.py:get_or_create_analytics_session().
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Parses emoji-sectioned text (ZARZĄD, WSPÓLNICY, DANE REJESTROWE,
DANE FINANSOWE, PROFIL) into card-based layout with icons, lists,
and highlighted key-value pairs. Plain text gets newline conversion.
HTML from Quill editor passes through unchanged.
Affects 45 companies with emoji format, 63 with plain text.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Short user sessions (<5min) never triggered the flush, leaving
page_views_count at 0 for most users despite actual browsing activity.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
before_request middleware refreshes last_login in session-throttled
manner (max once per 5 minutes) to avoid showing stale activity.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Remove in-memory log viewer (DebugLogHandler, 5 routes, template,
menu links, endpoint aliases). Logs available via journalctl on server.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
- Add year range validation (2020-2100) on /kalendarz/ to prevent ValueError crash
- Exempt notification/message unread-count endpoints from rate limiting (shared IP via NAT)
- Replace deprecated google.generativeai SDK with google-genai in nordabiz_chat.py
- Remove dead news_service import that logged warnings on every worker startup
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
- Add email, image, priceRange, openingHoursSpecification to LocalBusiness JSON-LD
- Add Google Maps embed with address section on landing page
- Add local keywords (Wejherowo, Kaszuby) in visible text
- Add frame-src CSP directive for Google Maps iframe
- Responsive layout for map section on mobile
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Add missing SEO elements to improve audit score from 89 to 95+:
- Canonical URL and dynamic meta description blocks in base.html
- Open Graph tags (og:title, og:description, og:image, og:url, og:locale)
- JSON-LD structured data (Organization + WebSite schemas)
- robots.txt route with proper Disallow rules
- sitemap.xml route with homepage and release-notes
- LocalBusiness JSON-LD schema on landing page for Local SEO
- Last-Modified header for freshness signals
- Preload critical image for LCP optimization
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
user_loader was closing the SQLAlchemy session after loading User,
causing lazy-load of company_associations to fail when dashboard template
calls can_edit_company(). Eagerly load associations in user_loader.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Audits (SEO, IT, GBP, Social Media) are now visible only to the
designated audit owner (maciej.pienczyn@inpi.pl). All other users,
including admins, see 404 for audit routes and no audit links in
navigation. KRS Audit and Digital Maturity remain unchanged.
Adds /admin/access-overview panel showing the access matrix.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
- Switch primary model from flash-lite (2.5) to 3-flash (Gemini 3 Flash Preview)
for better reasoning and thinking mode across all AI features
- Add _is_retryable() method to handle 503 UNAVAILABLE (server overload)
in addition to existing 429 rate limit fallback
- Fallback chain: 3-flash → 2.5-flash-lite → 2.5-flash
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Switch primary model to flash-lite (1000 RPD) with automatic fallback
to 3-flash-preview (20 RPD) and flash (20 RPD) on RESOURCE_EXHAUSTED,
giving 1040 req/day on free tier instead of 20.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
- HIGH: Fix SQL injection in ZOPK knowledge service (3 functions) — replace f-strings with parameterized queries
- MEDIUM: Sanitize tsquery/LIKE input in SearchService to prevent injection
- MEDIUM: Add @login_required + @role_required(ADMIN) to /health/full endpoint
- MEDIUM: Add @role_required(ADMIN) to ZOPK knowledge search API
- MEDIUM: Add bleach HTML sanitization on write for announcements, events, board proceedings (stored XSS via |safe)
- MEDIUM: Remove partial API key from Gemini service logs
- MEDIUM: Remove @csrf.exempt from chat endpoints, add X-CSRFToken headers in JS
- MEDIUM: Add missing CSRF tokens to 3 POST forms (data_request, benefits_form, benefits_list)
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
- Add @role_required to 2 missing routes (krs_api PDF download, zopk milestones)
- Add role-based menu visibility in admin bar (hide Users, Security, Benefits,
Model Comparison, Debug from OFFICE_MANAGER users)
- Inject SystemRole into Jinja2 context processor for template role checks
- Replace is_admin checkbox with role select dropdown in user creation form
- Migrate routes.py and routes_users_api.py from is_admin to SystemRole-based
role assignment via set_role()
- Add deprecation notice to is_admin database column
- Add 23 RBAC unit tests (hierarchy, has_role, set_role, permissions)
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Replace ~20 remaining is_admin references across backend, templates and scripts
with proper SystemRole checks. Column is_admin stays as deprecated (synced by
set_role()) until DB migration removes it.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Both agenda and protocol publish forms were missing CSRF tokens,
causing 'CSRF Token is missing' raw error. Adds hidden csrf_token
inputs and a global CSRFError handler that shows a friendly flash
message instead of raw system error.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Adds staging-only UI elements: environment banner, TEST badges on nav
items, and floating test panel with feature checklist. Controlled by
STAGING=true env var — zero impact on production.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Replace ~170 manual `if not current_user.is_admin` checks with:
- @role_required(SystemRole.ADMIN) for user management, security, ZOPK
- @role_required(SystemRole.OFFICE_MANAGER) for content management
- current_user.can_access_admin_panel() for admin UI access
- current_user.can_moderate_forum() for forum moderation
- current_user.can_edit_company(id) for company permissions
Add @office_manager_required decorator shortcut.
Add SQL migration to sync existing users' role field.
Role hierarchy: UNAFFILIATED(10) < MEMBER(20) < EMPLOYEE(30) < MANAGER(40) < OFFICE_MANAGER(50) < ADMIN(100)
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Removed 33 dead functions that were left behind after migration to blueprints.
These were prefixed with _old_ and no longer referenced.
app.py: 4756 → 1523 lines (-3233, -68%)
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Created blueprints/api/routes_seo_audit.py with 3 routes:
- /api/seo/audit (GET)
- /api/seo/audit/<slug> (GET)
- /api/seo/audit (POST - trigger)
- Includes helper functions for building audit responses
- Removed ~420 lines from app.py (6770 -> 6348)
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Created blueprints/api/routes_contacts.py with 2 routes:
- /api/contacts/ai-parse (POST)
- /api/contacts/bulk-create (POST)
- Includes AI prompts for contact parsing
- Removed ~300 lines from app.py (7063 -> 6764)
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Created blueprints/admin/routes_krs_api.py with 3 routes:
- /admin/krs-api/audit (POST)
- /admin/krs-api/audit/batch (POST)
- /admin/krs-api/pdf/<company_id>
- Updated templates to use new URL paths
- Added endpoint aliases for backward compatibility
- Removed ~420 lines from app.py (8150 -> 7729)
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Created blueprints/public/routes_zopk.py with 3 public routes:
- /zopk (zopk_index)
- /zopk/projekty/<slug> (zopk_project_detail)
- /zopk/aktualnosci (zopk_news_list)
- Added endpoint aliases for backward compatibility
- Removed ZOPK public routes from app.py
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Templates use url_for('admin_zopk') but blueprint endpoints are
'admin.admin_zopk'. Added aliases in blueprints/__init__.py.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Created routes_model_comparison.py with model comparison functionality
- Updated base.html to use full blueprint name
- Added aliases for backward compatibility
- Commented old routes in app.py with _old_ prefix
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Added admin_ai_usage and admin_ai_usage_user to routes_analytics.py
- Updated templates to use full blueprint names (admin.admin_ai_usage)
- Added aliases for backward compatibility
- Commented old routes in app.py with _old_ prefix
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Create new blueprints/admin/routes_analytics.py (~350 lines)
- Move admin_analytics and admin_analytics_export routes
- Update templates to use full blueprint names
- Add endpoint aliases for backward compatibility
Phase 6.2b - Analytics dashboard
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Add api_ai_learning_status and api_chat_stats to routes_insights.py
- Update chat_analytics template to use new API path
- Add endpoint aliases for backward compatibility
Phase 6.2b - AI API routes
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Create new blueprints/admin/routes_insights.py
- Move 5 insights routes (dashboard + API endpoints)
- Update template to use new /admin/insights-api/* paths
- Add endpoint aliases for backward compatibility
Phase 6.2b - Insights routes
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Create new blueprints/admin/routes_announcements.py
- Move 6 announcements routes to blueprint
- Update templates to use full blueprint names
- Add endpoint aliases for backward compatibility
Phase 6.2d - Announcements routes
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Move IT audit dashboard route to blueprints/admin/routes_audits.py
- Add ITAudit, ITCollaborationMatch imports
- Update base.html template to use full blueprint name
- Add endpoint alias for backward compatibility
Phase 6.2f continued
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Move routes from app.py to blueprints/admin/routes_audits.py
- Add endpoint aliases for backward compatibility
- Update base.html template to use full blueprint names
- Comment old routes in app.py with _old_ prefix
Phase 6.2f of blueprint migration
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Przeniesiono 2 trasy do blueprints/admin/routes_social.py:
- admin_social_media (analytics dashboard)
- admin_social_audit (audit dashboard)
Zaktualizowano szablony:
- base.html, dashboard.html, social_audit_dashboard.html
Dodano aliasy dla kompatybilności wstecznej.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
