- norda_events: kolumna event_date_end (NULLABLE, check constraint >= event_date)
- NordaEvent: property is_multi_day, date_range_display; is_past uwzględnia koniec
- Admin (new/edit): pole "Data zakończenia" w formularzu
- Calendar grid: wydarzenie wielodniowe wyświetla się na każdym dniu zakresu
- Upcoming/past filter: używa COALESCE(end, date) — 2-dniowe zostaje w Upcoming
do swojego ostatniego dnia
- event.html: "Termin" + zakres dla wielodniowych; ICS/Google end date z dateEnd
- Lekki markdown dla opisów: tylko **bold** → <strong> (audyt: tylko event #60)
Zero wpływu na 42 istniejące wydarzenia (NULL == stare zachowanie).
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Przed: w widoku rocznym /admin/fees kwadraciki miesięcy były tylko
dekoracyjne (span z tooltipem). Żeby wpisać płatność trzeba było
przełączyć widok na konkretny miesiąc przez dropdown i dopiero wtedy
pojawiał się przycisk „Opłać". Magdalena (kierownik biura) spędziła
8 minut próbując klikać w kwadraciki — nic się nie działo.
Teraz: każdy kwadrat miesiąca jest klikalny, otwiera okienko płatności
dla konkretnej firmy × miesiąca. Jeśli rekord MembershipFee nie istnieje
— backend sam go tworzy z wyliczoną stawką (200/300 zł wg zasad brand).
Zmiany:
- Nowy endpoint /admin/fees/ensure-and-mark-paid — tworzy rekord
jeśli brak, potem mark-paid. Odrzuca firmy-córki (parent_company_id)
z komunikatem „Płatność rejestruj przy firmie matce"
- openPaymentModalSmart() w JS — wybór między /mark-paid (istniejący fee)
a /ensure-and-mark-paid (nowy fee) na podstawie obecności feeId
- Hidden fields company_id, fee_year, fee_month w formularzu modala
- Modal pokazuje teraz osobno „Stawka" (disabled) i „Kwota wpłacona"
(editable) — jeden pole amount zmyliło Magdalenę
- Żółty info-box nad tabelą roczną: „Kliknij kwadrat miesiąca, aby
zarejestrować wpłatę"
- Hover: kwadrat się powiększa, pokazuje cień — afordancja kliknięcia
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Rozszerzenie powiadomień o kolejne typy zdarzeń, z symetrycznymi togglami
e-mail i push w /konto/prywatnosc.
Migracje 103 + 104 — 6 nowych kolumn preferencji e-mail + NordaEvent.reminder_24h_sent_at.
Triggery:
- Forum odpowiedź → push do autora wątku (notify_push_forum_reply)
- Forum cytat (> **Imię** napisał(a):) → push + email do cytowanego
(notify_push/email_forum_quote)
- Admin publikuje aktualność → broadcast push (ON) + email (OFF)
do aktywnych członków (notify_push/email_announcements)
- Board: utworzenie / publikacja programu / publikacja protokołu
→ broadcast push + opt-in email (notify_push/email_board_meetings)
- Nowe wydarzenie w kalendarzu → broadcast push + email (oba ON)
(notify_push/email_event_invites)
- Cron scripts/event_reminders_cron.py co godzinę — wydarzenia za 23-25h,
dla zapisanych (EventAttendee.status != 'declined') push + email,
znacznik NordaEvent.reminder_24h_sent_at żeby nie dublować.
Email defaults dobrane, by nie zalać inbox: broadcast OFF (announcements,
board, forum_reply), personalne/actionable ON (forum_quote, event_invites,
event_reminders).
Wszystkie nowe e-maile mają jednym-kliknięciem unsubscribe (RFC 8058
+ link w stopce) — unsubscribe_tokens.py rozszerzony o nowe typy.
Cron entry do dodania na prod (osobny krok, bo to edycja crontaba):
0 * * * * cd /var/www/nordabiznes && venv/bin/python3 scripts/event_reminders_cron.py
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
- Admin fees yearly view now shows all active companies (including child brands)
- Child brand rows are indented with striped month cells and "firma córka" badge
- Parent companies show expandable brand list, Stawka column with 200/300 zł logic
- Expected fee per month computed from number of active child brands
- Rate change month shown when brand joins mid-year (e.g. "I-III: 200 zł / od IV: 300 zł")
- Sorting groups children directly under their parent
- Reminder logic skipped for child companies
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
- Add sort keys and data-sort-value attributes to 'Upr. firmowe' and 'Rola' columns
- Add filter tabs for MANAGER, OFFICE_MANAGER, company-role NONE and MANAGER
- Add data-company-role attribute to user rows for JS filtering
- Grant OFFICE_MANAGER access to admin_users, assign-company, reset-password, change-role, get-roles endpoints
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
- Route GET/POST /admin/kalendarz/<id>/edytuj
- Reuses admin_new.html template with pre-filled fields in edit mode
- Edit button on event detail page and admin calendar list
- Supports all fields including paid event settings and attachments
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
- EventGuest.guest_type: 'member' (member rate) or 'external' (guest rate)
- Dropdown of company colleagues when adding member-type guest
- Manual entry option for members not on portal
- Admin payment panel: "Dodaj osobę" with "Dodaj + opłacone" shortcut
- Migration 064: guest_type column
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Add is_paid, price_member, price_guest to NordaEvent. Add payment_status,
payment_amount, payment_confirmed_by/at to EventAttendee and EventGuest.
Auto-assign amounts on RSVP. Admin panel at /admin/kalendarz/<id>/platnosci
for OFFICE_MANAGER to confirm payments. User sees payment status on event page.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Self-referential FK with lazy='joined' causes DetachedInstanceError after
db.close(). Build a simple dict lookup in the route instead.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
- Add created_by_id FK to users table (NULL = self-registration)
- Set created_by_id in admin create, bulk create, and team add routes
- Show "samorejestracja" or "dodał: [name]" in admin users panel
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Dodano kolumnę "Blokada" w /admin/users pokazującą:
- status blokady z pozostałym czasem w minutach
- liczbę nieudanych prób logowania
- przycisk "Odblokuj" do natychmiastowego odblokowania konta
- filtr "Zablokowane" w zakładkach
Nowy endpoint POST /admin/users/<id>/unlock dla adminów.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Dodano pole previous_years_debt w modelu Company. Kolumna widoczna w widoku
rocznym składek — kliknięcie kwoty otwiera pole edycji. Legenda zaktualizowana.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Zamiast mylących "mają nieopłacone" vs "częściowo opłacone":
- Opłacone za cały rok
- Częściowo opłacone (mix opłaconych/nieopłaconych + niepełne wpłaty)
- Brak wpłat (żaden miesiąc nie opłacony)
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
New "Przypomnienie" column in yearly fee view shows:
- Empty: no reminder sent yet → button "Przypomnij"
- "✉ Wysłano 20.03": sent but not read → button "Ponów"
- "✓ Odczytano 20.03": sent and read → button "Ponów"
Status derived from last PrivateMessage with "przypomnienie o składce".
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
- Checkboxes for each available email (company, contacts, users)
- Multiple emails can be selected simultaneously
- Additional manual email input field
- Backend sends to all selected addresses in one email
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
- Portal recipient: dropdown with all users linked to company + role
- Email: dropdown with company email, contacts, user emails
- Editable email field for manual override
- Roles shown: Właściciel, Zarządzający, Pracownik
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Admin can click "Przypomnij" next to any company with unpaid fees.
Opens modal with full message preview including:
- Amount due and period
- Bank account details (KBS Wejherowo)
- Auto-generated transfer title
Admin reviews the message before sending. Sends as portal private
message + optional email to company contact.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Companies with fee records shown first, then a separator row
"Firmy bez danych o składkach", then companies without data
shown in muted style.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Companies with monthly rate above standard 200 PLN get a small blue
badge next to their name showing the actual rate (e.g. "300 zł").
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
- Stat cards: smaller font and padding
- Amounts displayed as whole PLN (no decimals)
- Status filter works in yearly view: "Uregulowane cały rok",
"Oczekujące", "Częściowo opłacone"
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Filter selects now auto-submit on change (no "Filtruj" button needed).
Year range extended from 2022 to current+1.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
ICS export, RSS feed, and admin creation now correctly use
external_source (e.g. "Agencja Rozwoju Pomorza") as the organizer
instead of defaulting to "Norda Biznes" for external events.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
External events from partner organizations (ARP, KIG, etc.) can now
be added to the calendar with distinct visual treatment:
- Grey badge "ZEWNĘTRZNE" and muted date box in list view
- Grey color in grid view with border accent
- "Jestem zainteresowany" instead of "Zapisz się" (no commitment)
- Prominent "Przejdź do rejestracji" button linking to external organizer
- "Zainteresowani" section instead of "Uczestnicy"
- Toggle filter "Pokaż zewnętrzne" with localStorage persistence
- Admin form checkbox to mark events as external
New fields: is_external, external_url, external_source on NordaEvent.
Migration: 086_external_events.sql
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Adds file attachment capability to NordaEvent model (attachment_filename,
attachment_path columns). Admin can upload PDF/DOCX when creating events.
Users see a download link on the event detail page.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Admin-sent reset emails now say "Administrator portalu wygenerował
link do ustawienia hasła" instead of generic "zażądano resetowania".
Validity period shown correctly: 24h for admin, 1h for self-service.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
The admin reset-password endpoint used datetime.utcnow() while the
validation used datetime.now(), causing tokens to appear expired
immediately on CET servers. Changed to datetime.now() and extended
admin-initiated resets to 24 hours validity.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Admin can now send a password reset email directly from /admin/users
instead of manually copying and sharing the reset link.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
- Set is_norda_member=True when admin assigns active company to user
- Clear is_norda_member=False when last active company is removed
- Covers admin edit route and admin API add/remove company routes
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Registration now assigns company_role=NONE instead of VIEWER - users
with a company NIP must be approved by admin/office manager before
getting any company dashboard access. Admin panel shows yellow alert
banner and "Oczekujący" filter tab when users are pending approval.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Admin can now set passwords directly via modal with generator (crypto.getRandomValues),
replacing the confirm-dialog flow with a tabbed modal (set password / reset link).
Custom CSS tooltips replace native title="" for instant hover display.
New "Ostatnie logowanie" column shows last_login timestamps.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
- Add "Users" button and modal in companies table to view/assign/unassign users
- New endpoint POST /admin/companies/<id>/unassign-user to detach user from company
- New endpoint GET /admin/users/list-all for user dropdown in assignment modal
- Modal shows assigned users with "Unpin" button and dropdown for adding new ones
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
- HIGH: Fix SQL injection in ZOPK knowledge service (3 functions) — replace f-strings with parameterized queries
- MEDIUM: Sanitize tsquery/LIKE input in SearchService to prevent injection
- MEDIUM: Add @login_required + @role_required(ADMIN) to /health/full endpoint
- MEDIUM: Add @role_required(ADMIN) to ZOPK knowledge search API
- MEDIUM: Add bleach HTML sanitization on write for announcements, events, board proceedings (stored XSS via |safe)
- MEDIUM: Remove partial API key from Gemini service logs
- MEDIUM: Remove @csrf.exempt from chat endpoints, add X-CSRFToken headers in JS
- MEDIUM: Add missing CSRF tokens to 3 POST forms (data_request, benefits_form, benefits_list)
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
- Add @role_required to 2 missing routes (krs_api PDF download, zopk milestones)
- Add role-based menu visibility in admin bar (hide Users, Security, Benefits,
Model Comparison, Debug from OFFICE_MANAGER users)
- Inject SystemRole into Jinja2 context processor for template role checks
- Replace is_admin checkbox with role select dropdown in user creation form
- Migrate routes.py and routes_users_api.py from is_admin to SystemRole-based
role assignment via set_role()
- Add deprecation notice to is_admin database column
- Add 23 RBAC unit tests (hierarchy, has_role, set_role, permissions)
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Replace ~20 remaining is_admin references across backend, templates and scripts
with proper SystemRole checks. Column is_admin stays as deprecated (synced by
set_role()) until DB migration removes it.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Expunge user from ORM session and use raw SQL DELETE to prevent
SQLAlchemy from trying to SET NULL on backref relationships.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Clean up FK references with NO ACTION before user deletion:
- SET NULL for nullable FK columns (30+ tables)
- DELETE records for NOT NULL FK columns without CASCADE
Prevents IntegrityError on user_notifications and other tables.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Add @rada_member_required decorator for access control
- Add BoardDocument model for storing protocols and documents
- Create document upload service (PDF, DOCX, DOC up to 50MB)
- Add /rada/ blueprint with list, upload, download endpoints
- Add "Rada" link in navigation (visible only for board members)
- Add "Rada" badge and toggle button in admin user management
- Create SQL migration to set up board_documents table and assign
is_rada_member=True to 16 board members by email
Storage: /data/board-docs/ (outside webroot for security)
Access: is_rada_member=True OR role >= OFFICE_MANAGER
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Add access_level field to norda_events (public, members_only, rada_only)
- Add is_rada_member field to users table
- Add can_user_view() and can_user_attend() methods to NordaEvent model
- Update calendar routes to filter events by user permissions
- Add access_level dropdown to admin event form
- Rada Izby events only visible to designated board members
- Regular member meetings visible to all NORDA members
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Replace ~170 manual `if not current_user.is_admin` checks with:
- @role_required(SystemRole.ADMIN) for user management, security, ZOPK
- @role_required(SystemRole.OFFICE_MANAGER) for content management
- current_user.can_access_admin_panel() for admin UI access
- current_user.can_moderate_forum() for forum moderation
- current_user.can_edit_company(id) for company permissions
Add @office_manager_required decorator shortcut.
Add SQL migration to sync existing users' role field.
Role hierarchy: UNAFFILIATED(10) < MEMBER(20) < EMPLOYEE(30) < MANAGER(40) < OFFICE_MANAGER(50) < ADMIN(100)
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
