Każdy e-mail powiadomieniowy ma teraz:
(1) link w stopce "Wyłącz ten typ powiadomień jednym kliknięciem"
(2) nagłówki List-Unsubscribe + List-Unsubscribe-Post dla klientów
pocztowych (Gmail/Apple Mail pokażą natywny przycisk Unsubscribe)
Implementacja:
- utils/unsubscribe_tokens.py: signed token (itsdangerous, SECRET_KEY)
niosący user_id + notification_type, bez wygasania
- blueprints/unsubscribe: GET /unsubscribe?t=TOKEN → strona potwierdzenia,
POST /unsubscribe → faktyczne wyłączenie flagi notify_email_<type>
- email_service.send_email() dostał parametr notification_type. Jeśli
przekazany razem z user_id, footer + headery są doklejane
- Aktualizowane wywołania: message_notification (messages),
classified_question/answer (B2B Q&A), classified_expiry (skrypt cron)
Prefetch safety: GET pokazuje stronę z przyciskiem "Tak, wyłącz",
wyłączenie następuje po POST. RFC 8058 One-Click (POST bez formularza
z Content-Type application/x-www-form-urlencoded + body
"List-Unsubscribe=One-Click") obsługuje klientów pocztowych.
D.2/D.3 dorzucą kolejne notification_type (forum, broadcast, events).
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Symetria z push — panel /konto/prywatnosc rozszerzony o 3 dodatkowe
toggle w karcie "Powiadomienia e-mail":
- Pytanie pod moim ogłoszeniem B2B (notify_email_classified_question)
- Odpowiedź pod moim pytaniem B2B (notify_email_classified_answer)
- Ogłoszenie wygasa za 3 dni (notify_email_classified_expiry)
Migracja 102 dodaje kolumny (default TRUE — nie zmienia zachowania
istniejących userów). Endpointy ask_question / answer_question teraz
czytają dedykowaną flagę zamiast notify_email_messages (która zostaje
tylko dla wiadomości prywatnych). Skrypt classified_expiry_notifier.py
pomija userów z wyłączonym notify_email_classified_expiry.
W kolejnych sub-fazach D.2/D.3 symetrycznie dojdą triggery e-mail +
toggle dla forum/broadcast/wydarzeń — z defaults dobranymi tak, by
nie zalać inbox użytkowników (broadcast OFF, personalne ON).
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Migracja 101 dodaje 8 nowych kolumn notify_push_* na users (wszystkie
default TRUE). Panel preferencji rozszerzony o kartę "Powiadomienia
push (na urządzeniu)" z 3 podsekcjami (interakcje dot. mnie, aktualności
Izby, wydarzenia) — 9 przełączników. "Nowa wiadomość prywatna" świadomie
jest w obu kartach (e-mail + push) — userzy mogą niezależnie wybrać
oba kanały.
Triggery B2B:
- zainteresowanie ogłoszeniem (ClassifiedInterest) → push do autora
z notify_push_classified_interest
- pytanie do ogłoszenia (ClassifiedQuestion) → push do autora z
notify_push_classified_question
Fazy D.2 (forum + broadcast) i D.3 (wydarzenia + cron) w kolejnych PR.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
B2B ogłoszenia mogły zostać stworzone 3x (user 81 Bormax 14.04.2026
w ciągu 2 sekund) — brak dedup window server-side i disable submit
button. Rozszerzam zabezpieczenie także na announcements i board
meeting form.
- classifieds POST /nowe: odrzuć duplikat z ostatnich 60s (ten sam
author+company+title) → redirect do istniejącego z flash info
- classifieds new.html: disable submitBtn + "Wysyłanie..." po
walidacji; ponowne kliknięcie blokowane event.preventDefault
- announcements_form.html + board/meeting_form.html: jednolity
handler disable wszystkich button[type="submit"] po pierwszym
submit
Forum topic/reply już miały analogiczne zabezpieczenie (bez zmian).
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
SQLAlchemy ORM tries to UPDATE classified_reads.classified_id = NULL
before deleting the classifieds row, even though the FK has ON DELETE
CASCADE at DB level. The NOT NULL constraint on classified_id then
raises IntegrityError. Same pattern as the forum_reply_reads fix from
2026-02. Manually delete reads, interests, questions, attachments
before db.delete(classified).
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Previously when server validation failed (e.g. missing required field),
the whole form re-rendered with all values cleared — user had to retype
everything. Also Quill empty-content showed an alert dialog.
Now:
- Server-side: form_data + missing_fields passed to template; values
re-populate inputs, missing fields get .field-error class (red border)
- Quill empty: red border on the editor container instead of alert,
cleared as soon as user starts typing
- Other required fields (radio, select, title): same .field-error
treatment plus :invalid CSS for live HTML5 feedback
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Replace company_id from current_user with active company from session in
the colleagues API endpoint, and autofill guest org from active_company.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Users with multiple companies now see a dropdown to choose which company
a B2B classified ad is posted for. Single-company users get a hidden field.
Server-side validates the selected company_id against user's actual memberships.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
- Replace textarea with Quill editor in new/edit classified forms
- Sanitize HTML with sanitize_html() on save (XSS prevention)
- Render HTML in classified detail view, strip tags in list view
- New script: classified_expiry_notifier.py sends email 3 days before
expiry with link to extend. Run daily via cron at 8:00.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
- Expired classifieds show 'Wygasło' badge on list and detail view
- Closed classifieds show 'Zamknięte' badge on list
- Author can extend by 30 days with one click
- Homepage 'Nowe na portalu' excludes expired classifieds
- List shows all classifieds, active first
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
updated_at now refreshes on: edit, new Q&A question, new Q&A answer.
Does NOT refresh on: page views, interest clicks, close.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Removed onupdate from Classified.updated_at, set it manually in edit route.
Ensures toggle_interest, close, and views don't alter the date.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Use raw SQL UPDATE for views_count to bypass SQLAlchemy onupdate.
Restore updated_at display in homepage cards - now accurate.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
- New edit route with form pre-filled with existing data
- Edit existing attachments (mark for deletion) + add new ones
- Edit button visible to classified author on detail view
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
- New ClassifiedAttachment model with migration
- FileUploadService extended with 'classified' type
- Dropzone with drag & drop, paste, multi-file preview in creation form
- Image gallery with lightbox in classified detail view
- Max 10 files, 5MB each, JPG/PNG/GIF
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Three new notification types:
- New question → author gets in-app + email
- Answer to question → questioner gets in-app + email
- Someone interested → author gets in-app only
Previously the B2B board had zero notifications, so authors never
knew someone asked a question about their listing.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
csrf.exempt on the full classifieds blueprint during registration,
same pattern as API blueprint. All classifieds endpoints are behind
@login_required + @member_required so CSRF exemption is safe.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
The /tablica/<id>/interest AJAX POST was returning 400 because
Flask-WTF CSRF validation rejected the token despite X-CSRFToken
header being present. Endpoint is protected by @login_required
and @member_required, so CSRF exemption is safe.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Event attendee counts were inconsistent - event detail page showed total
(members + guests = 42) but event list and homepage showed only members (39).
Now all views use total_attendee_count including guests (osoby towarzyszące).
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
- EventGuest.guest_type: 'member' (member rate) or 'external' (guest rate)
- Dropdown of company colleagues when adding member-type guest
- Manual entry option for members not on portal
- Admin payment panel: "Dodaj osobę" with "Dodaj + opłacone" shortcut
- Migration 064: guest_type column
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Add is_paid, price_member, price_guest to NordaEvent. Add payment_status,
payment_amount, payment_confirmed_by/at to EventAttendee and EventGuest.
Auto-assign amounts on RSVP. Admin panel at /admin/kalendarz/<id>/platnosci
for OFFICE_MANAGER to confirm payments. User sees payment status on event page.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
When an event has no end time, omit DTEND from the ICS feed instead of
defaulting to start+2h. Per RFC 5545, missing DTEND means zero duration,
so calendar clients show just the start time without a misleading range.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Google Calendar showed UTC instead of Europe/Warsaw because the iCal
feed lacked a VTIMEZONE component. Added full CET/CEST definition.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Google Calendar treats attachment disposition as download instead of
subscription. Remove it so Google properly subscribes to the feed.
Set 1h cache for CDN-friendly serving.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
New endpoint /kalendarz/ical returns .ics file with all upcoming events.
Compatible with Google Calendar, iOS Calendar, and Outlook subscription.
- Auto-refreshes every 6 hours (REFRESH-INTERVAL)
- Includes event time, location, description, organizer
- Handles all-day events (no time_start) and timed events
- "Subscribe" button on calendar page with copy-to-clipboard modal
- Instructions for iPhone, Google Calendar, and Outlook
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
External events from partner organizations (ARP, KIG, etc.) can now
be added to the calendar with distinct visual treatment:
- Grey badge "ZEWNĘTRZNE" and muted date box in list view
- Grey color in grid view with border accent
- "Jestem zainteresowany" instead of "Zapisz się" (no commitment)
- Prominent "Przejdź do rejestracji" button linking to external organizer
- "Zainteresowani" section instead of "Uczestnicy"
- Toggle filter "Pokaż zewnętrzne" with localStorage persistence
- Admin form checkbox to mark events as external
New fields: is_external, external_url, external_source on NordaEvent.
Migration: 086_external_events.sql
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Company names like "Portal", "Joker", "Wakat" are also common Polish words
and cause false positive matches in event descriptions.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Name linking now handles Polish declensions (Iwonę/Iwoną/Iwony → Iwona)
using stem-based regex matching. ICS and Google Calendar exports now include
full event description, speaker name, and properly formatted newlines.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Changed person linking to use User.id → /profil/<user_id> instead of
requiring Person record (person_id). This makes 57 additional users
linkable as green pill badges in event details and descriptions.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Fix 500 error: company_detail → company_detail_by_slug (slug-based endpoint).
Add ORGANIZER field to ICS so calendar apps show "Norda Biznes" instead of
the importing user. Include speaker name in ICS description.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Match NordaGPT chat visual style — person names show as green pill badges,
company names as orange pill badges. Enriches event description with
auto-linked companies (not just persons). Speaker name also uses pill badges.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Events with plain text (no <p>, <br>, <div>, <ul> tags) now get
newlines converted to <p>/<br> for proper formatting.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Parse HTML into tags and text nodes, only process text nodes outside
<a> tags. Uses \b word boundary instead of broken lookbehind.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
- Member names in event description link to person profiles
- URLs auto-linked (nordabiznes.pl, https://... etc)
- Calendar add section: blue gradient card with Google/Outlook buttons
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
- Norda Biznes logo on featured events
- Speaker name links to person profile
- Google Calendar and ICS/Outlook export buttons
- Update dev banner: official launch April 9, 2026
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
- Add year range validation (2020-2100) on /kalendarz/ to prevent ValueError crash
- Exempt notification/message unread-count endpoints from rate limiting (shared IP via NAT)
- Replace deprecated google.generativeai SDK with google-genai in nordabiz_chat.py
- Remove dead news_service import that logged warnings on every worker startup
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
- Add access_level field to norda_events (public, members_only, rada_only)
- Add is_rada_member field to users table
- Add can_user_view() and can_user_attend() methods to NordaEvent model
- Update calendar routes to filter events by user permissions
- Add access_level dropdown to admin event form
- Rada Izby events only visible to designated board members
- Regular member meetings visible to all NORDA members
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Modules now requiring MEMBER role or higher:
- NordaGPT (/chat) - with dedicated landing page for non-members
- Wiadomości (/wiadomosci) - private messaging
- Tablica B2B (/tablica) - business classifieds
- Kontakty (/kontakty) - member contact information
Non-members see a promotional page explaining the benefits
of NordaGPT membership instead of being simply redirected.
This provides clear value proposition for NORDA membership
while protecting member-exclusive features.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Replace ~170 manual `if not current_user.is_admin` checks with:
- @role_required(SystemRole.ADMIN) for user management, security, ZOPK
- @role_required(SystemRole.OFFICE_MANAGER) for content management
- current_user.can_access_admin_panel() for admin UI access
- current_user.can_moderate_forum() for forum moderation
- current_user.can_edit_company(id) for company permissions
Add @office_manager_required decorator shortcut.
Add SQL migration to sync existing users' role field.
Role hierarchy: UNAFFILIATED(10) < MEMBER(20) < EMPLOYEE(30) < MANAGER(40) < OFFICE_MANAGER(50) < ADMIN(100)
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Add ClassifiedInterest model for tracking user interest in listings
- Add ClassifiedQuestion model for public Q&A on listings
- Add context_type/context_id to PrivateMessage for B2B linking
- Add interest toggle button and interests list modal
- Add Q&A section with ask/answer/hide functionality
- Update messages to show B2B context badge
- Create migration 034_classified_interactions.sql
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Add ForumTopicRead, ForumReplyRead, ClassifiedRead models
- Add SQL migration for new tables
- Record reads when user views forum topic (topic + all visible replies)
- Record reads when user views B2B classified
- Display "Seen by" avatars in forum topic and B2B detail pages
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
