- norda_events: kolumna event_date_end (NULLABLE, check constraint >= event_date)
- NordaEvent: property is_multi_day, date_range_display; is_past uwzględnia koniec
- Admin (new/edit): pole "Data zakończenia" w formularzu
- Calendar grid: wydarzenie wielodniowe wyświetla się na każdym dniu zakresu
- Upcoming/past filter: używa COALESCE(end, date) — 2-dniowe zostaje w Upcoming
do swojego ostatniego dnia
- event.html: "Termin" + zakres dla wielodniowych; ICS/Google end date z dateEnd
- Lekki markdown dla opisów: tylko **bold** → <strong> (audyt: tylko event #60)
Zero wpływu na 42 istniejące wydarzenia (NULL == stare zachowanie).
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Przed: w widoku rocznym /admin/fees kwadraciki miesięcy były tylko
dekoracyjne (span z tooltipem). Żeby wpisać płatność trzeba było
przełączyć widok na konkretny miesiąc przez dropdown i dopiero wtedy
pojawiał się przycisk „Opłać". Magdalena (kierownik biura) spędziła
8 minut próbując klikać w kwadraciki — nic się nie działo.
Teraz: każdy kwadrat miesiąca jest klikalny, otwiera okienko płatności
dla konkretnej firmy × miesiąca. Jeśli rekord MembershipFee nie istnieje
— backend sam go tworzy z wyliczoną stawką (200/300 zł wg zasad brand).
Zmiany:
- Nowy endpoint /admin/fees/ensure-and-mark-paid — tworzy rekord
jeśli brak, potem mark-paid. Odrzuca firmy-córki (parent_company_id)
z komunikatem „Płatność rejestruj przy firmie matce"
- openPaymentModalSmart() w JS — wybór między /mark-paid (istniejący fee)
a /ensure-and-mark-paid (nowy fee) na podstawie obecności feeId
- Hidden fields company_id, fee_year, fee_month w formularzu modala
- Modal pokazuje teraz osobno „Stawka" (disabled) i „Kwota wpłacona"
(editable) — jeden pole amount zmyliło Magdalenę
- Żółty info-box nad tabelą roczną: „Kliknij kwadrat miesiąca, aby
zarejestrować wpłatę"
- Hover: kwadrat się powiększa, pokazuje cień — afordancja kliknięcia
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Brakował wpis dla 13 kwietnia — 4 user-facing commity (mentions
autocomplete, email+highlight dla @, fix double-submit tematów).
Przenumerowanie: 14.04 z v1.67.0 na v1.68.0, nowe v1.67.0 dla 13.04.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Rozszerzenie powiadomień o kolejne typy zdarzeń, z symetrycznymi togglami
e-mail i push w /konto/prywatnosc.
Migracje 103 + 104 — 6 nowych kolumn preferencji e-mail + NordaEvent.reminder_24h_sent_at.
Triggery:
- Forum odpowiedź → push do autora wątku (notify_push_forum_reply)
- Forum cytat (> **Imię** napisał(a):) → push + email do cytowanego
(notify_push/email_forum_quote)
- Admin publikuje aktualność → broadcast push (ON) + email (OFF)
do aktywnych członków (notify_push/email_announcements)
- Board: utworzenie / publikacja programu / publikacja protokołu
→ broadcast push + opt-in email (notify_push/email_board_meetings)
- Nowe wydarzenie w kalendarzu → broadcast push + email (oba ON)
(notify_push/email_event_invites)
- Cron scripts/event_reminders_cron.py co godzinę — wydarzenia za 23-25h,
dla zapisanych (EventAttendee.status != 'declined') push + email,
znacznik NordaEvent.reminder_24h_sent_at żeby nie dublować.
Email defaults dobrane, by nie zalać inbox: broadcast OFF (announcements,
board, forum_reply), personalne/actionable ON (forum_quote, event_invites,
event_reminders).
Wszystkie nowe e-maile mają jednym-kliknięciem unsubscribe (RFC 8058
+ link w stopce) — unsubscribe_tokens.py rozszerzony o nowe typy.
Cron entry do dodania na prod (osobny krok, bo to edycja crontaba):
0 * * * * cd /var/www/nordabiznes && venv/bin/python3 scripts/event_reminders_cron.py
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Każdy e-mail powiadomieniowy ma teraz:
(1) link w stopce "Wyłącz ten typ powiadomień jednym kliknięciem"
(2) nagłówki List-Unsubscribe + List-Unsubscribe-Post dla klientów
pocztowych (Gmail/Apple Mail pokażą natywny przycisk Unsubscribe)
Implementacja:
- utils/unsubscribe_tokens.py: signed token (itsdangerous, SECRET_KEY)
niosący user_id + notification_type, bez wygasania
- blueprints/unsubscribe: GET /unsubscribe?t=TOKEN → strona potwierdzenia,
POST /unsubscribe → faktyczne wyłączenie flagi notify_email_<type>
- email_service.send_email() dostał parametr notification_type. Jeśli
przekazany razem z user_id, footer + headery są doklejane
- Aktualizowane wywołania: message_notification (messages),
classified_question/answer (B2B Q&A), classified_expiry (skrypt cron)
Prefetch safety: GET pokazuje stronę z przyciskiem "Tak, wyłącz",
wyłączenie następuje po POST. RFC 8058 One-Click (POST bez formularza
z Content-Type application/x-www-form-urlencoded + body
"List-Unsubscribe=One-Click") obsługuje klientów pocztowych.
D.2/D.3 dorzucą kolejne notification_type (forum, broadcast, events).
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Symetria z push — panel /konto/prywatnosc rozszerzony o 3 dodatkowe
toggle w karcie "Powiadomienia e-mail":
- Pytanie pod moim ogłoszeniem B2B (notify_email_classified_question)
- Odpowiedź pod moim pytaniem B2B (notify_email_classified_answer)
- Ogłoszenie wygasa za 3 dni (notify_email_classified_expiry)
Migracja 102 dodaje kolumny (default TRUE — nie zmienia zachowania
istniejących userów). Endpointy ask_question / answer_question teraz
czytają dedykowaną flagę zamiast notify_email_messages (która zostaje
tylko dla wiadomości prywatnych). Skrypt classified_expiry_notifier.py
pomija userów z wyłączonym notify_email_classified_expiry.
W kolejnych sub-fazach D.2/D.3 symetrycznie dojdą triggery e-mail +
toggle dla forum/broadcast/wydarzeń — z defaults dobranymi tak, by
nie zalać inbox użytkowników (broadcast OFF, personalne ON).
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Migracja 101 dodaje 8 nowych kolumn notify_push_* na users (wszystkie
default TRUE). Panel preferencji rozszerzony o kartę "Powiadomienia
push (na urządzeniu)" z 3 podsekcjami (interakcje dot. mnie, aktualności
Izby, wydarzenia) — 9 przełączników. "Nowa wiadomość prywatna" świadomie
jest w obu kartach (e-mail + push) — userzy mogą niezależnie wybrać
oba kanały.
Triggery B2B:
- zainteresowanie ogłoszeniem (ClassifiedInterest) → push do autora
z notify_push_classified_interest
- pytanie do ogłoszenia (ClassifiedQuestion) → push do autora z
notify_push_classified_question
Fazy D.2 (forum + broadcast) i D.3 (wydarzenia + cron) w kolejnych PR.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
B2B ogłoszenia mogły zostać stworzone 3x (user 81 Bormax 14.04.2026
w ciągu 2 sekund) — brak dedup window server-side i disable submit
button. Rozszerzam zabezpieczenie także na announcements i board
meeting form.
- classifieds POST /nowe: odrzuć duplikat z ostatnich 60s (ten sam
author+company+title) → redirect do istniejącego z flash info
- classifieds new.html: disable submitBtn + "Wysyłanie..." po
walidacji; ponowne kliknięcie blokowane event.preventDefault
- announcements_form.html + board/meeting_form.html: jednolity
handler disable wszystkich button[type="submit"] po pierwszym
submit
Forum topic/reply już miały analogiczne zabezpieczenie (bez zmian).
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
SQLAlchemy ORM tries to UPDATE classified_reads.classified_id = NULL
before deleting the classifieds row, even though the FK has ON DELETE
CASCADE at DB level. The NOT NULL constraint on classified_id then
raises IntegrityError. Same pattern as the forum_reply_reads fix from
2026-02. Manually delete reads, interests, questions, attachments
before db.delete(classified).
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Previously when server validation failed (e.g. missing required field),
the whole form re-rendered with all values cleared — user had to retype
everything. Also Quill empty-content showed an alert dialog.
Now:
- Server-side: form_data + missing_fields passed to template; values
re-populate inputs, missing fields get .field-error class (red border)
- Quill empty: red border on the editor container instead of alert,
cleared as soon as user starts typing
- Other required fields (radio, select, title): same .field-error
treatment plus :invalid CSS for live HTML5 feedback
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
- Remove _send_registration_notification call on registration
- Remove first-activation admin notification on password reset
- Change MAIL_BCC default from maciej.pienczyn@inpi.pl to empty
Admin can still set MAIL_BCC via env if blanket BCC is desired.
All new member and password-reset info is visible in /admin panel.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
- Backend: reject identical title+content from same author within 60s
(mirrors existing protection on forum_reply)
- Frontend: disable submit button + 'Wysyłanie…' label on first click
Daniel Kochański accidentally created 7 identical 'Local content w praktyce'
topics within 5 seconds. Soft-deleted IDs 25-30 on prod, kept 24.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
- Admin fees yearly view now shows all active companies (including child brands)
- Child brand rows are indented with striped month cells and "firma córka" badge
- Parent companies show expandable brand list, Stawka column with 200/300 zł logic
- Expected fee per month computed from number of active child brands
- Rate change month shown when brand joins mid-year (e.g. "I-III: 200 zł / od IV: 300 zł")
- Sorting groups children directly under their parent
- Reminder logic skipped for child companies
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Legacy private_messages and group_messages are no longer used.
Badge now only counts from conv_messages table.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
- Shows expected fee per company (200 zł for 1 brand, 300 zł for 2+)
- Child companies shown with striped "nie dotyczy" tiles
- Rate change month displayed (e.g., "I-III: 200 zł, od IV: 300 zł")
- Expandable brand list under parent company name
- Children grouped after their parent in the table
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
- Add sort keys and data-sort-value attributes to 'Upr. firmowe' and 'Rola' columns
- Add filter tabs for MANAGER, OFFICE_MANAGER, company-role NONE and MANAGER
- Add data-company-role attribute to user rows for JS filtering
- Grant OFFICE_MANAGER access to admin_users, assign-company, reset-password, change-role, get-roles endpoints
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
The badge endpoint api_unread_count only counted legacy private_messages
and group_messages. Now also counts unread conv_messages from the new
conversations system, fixing phantom unread counts for users.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Replace company_id from current_user with active company from session in
the colleagues API endpoint, and autofill guest org from active_company.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Users with multiple companies now see a dropdown to choose which company
a B2B classified ad is posted for. Single-company users get a hidden field.
Server-side validates the selected company_id against user's actual memberships.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
- Add helpers/company_context.py with get_active_company_id() fallback logic
- Add inject_company_context() context processor to app.py (user_companies, active_company, has_multiple_companies)
- Add /api/switch-company/<id> POST endpoint in public blueprint
- Set session['active_company_id'] on login (both standard and 2FA paths)
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
- Replace textarea with Quill editor in new/edit classified forms
- Sanitize HTML with sanitize_html() on save (XSS prevention)
- Render HTML in classified detail view, strip tags in list view
- New script: classified_expiry_notifier.py sends email 3 days before
expiry with link to extend. Run daily via cron at 8:00.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Added to GeoIP tab:
- Last 20 blocked requests with IP, country, path, timestamp
- Top 10 most targeted URL paths with hit counts
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
- Expired classifieds show 'Wygasło' badge on list and detail view
- Closed classifieds show 'Zamknięte' badge on list
- Author can extend by 30 days with one click
- Homepage 'Nowe na portalu' excludes expired classifieds
- List shows all classifieds, active first
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
updated_at now refreshes on: edit, new Q&A question, new Q&A answer.
Does NOT refresh on: page views, interest clicks, close.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Removed onupdate from Classified.updated_at, set it manually in edit route.
Ensures toggle_interest, close, and views don't alter the date.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Use raw SQL UPDATE for views_count to bypass SQLAlchemy onupdate.
Restore updated_at display in homepage cards - now accurate.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
updated_at was being triggered by views_count increment on every page
view, making dates misleading. Reverted to created_at for display and sort.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Forum cards now show date of latest reply (not topic creation).
B2B cards show updated_at (not created_at), sorted by most recent activity.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Replace 'Najnowszy wpis na forum' (duplicate with Nowe na portalu)
with 'Nowi użytkownicy portalu' showing 4 latest registered users
with avatars, names, dates and company names.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Shows 2 latest forum topics + 2 latest B2B classifieds in a 4-column
grid between events and NordaGPT banner. Responsive 2-col on mobile.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
- New edit route with form pre-filled with existing data
- Edit existing attachments (mark for deletion) + add new ones
- Edit button visible to classified author on detail view
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
- New ClassifiedAttachment model with migration
- FileUploadService extended with 'classified' type
- Dropzone with drag & drop, paste, multi-file preview in creation form
- Image gallery with lightbox in classified detail view
- Max 10 files, 5MB each, JPG/PNG/GIF
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Three new notification types:
- New question → author gets in-app + email
- Answer to question → questioner gets in-app + email
- Someone interested → author gets in-app only
Previously the B2B board had zero notifications, so authors never
knew someone asked a question about their listing.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
The interest endpoint was returning 400 because fetch sent
Content-Type:application/json with an empty body, causing Flask
to fail JSON parsing. Removed the header since no JSON body is
sent. Also reverted unnecessary CSRF blueprint exemption.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
csrf.exempt on the full classifieds blueprint during registration,
same pattern as API blueprint. All classifieds endpoints are behind
@login_required + @member_required so CSRF exemption is safe.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
The /tablica/<id>/interest AJAX POST was returning 400 because
Flask-WTF CSRF validation rejected the token despite X-CSRFToken
header being present. Endpoint is protected by @login_required
and @member_required, so CSRF exemption is safe.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
MessageUploadService.__init__() requires app_root but was called
without arguments, causing send_message errors and double-sending
due to JS retry. Now uses current_app.root_path.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
New roadmap item: automated procurement/tender aggregation from
BIP, e-Zamówienia, TED, municipal websites. Requested by Daniel
Kochański (Stalpunkt). Priority: high.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Email notifications for forum replies were linking to /forum/ID
without the #reply-XX anchor. Now includes reply_id in the URL
so the email "Zobacz odpowiedź" button scrolls directly to the
new reply instead of the top of the topic.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
New /admin/roadmap page showing feature requests from members in
three columns: Planned, In Progress, Done. Cards expand on click
to show implementation details. First item: multi-location support
requested by Daniel Kochański (Stalpunkt).
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
JDG companies don't have board members or shareholders. When CEIDG
returns data for a company, automatically remove company_people
records sourced from ekrs.ms.gov.pl.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
