From 2609d3504a0f3397998c9098e1bcddc46766313d Mon Sep 17 00:00:00 2001
From: EiSiMo <mail@moritz.run>
Date: Tue, 21 Apr 2026 14:20:31 +0200
Subject: [PATCH] guard double-apply, hide error msg, wohnungen polish,
 bitwarden block

- /actions/apply now no-ops (returns fresh partial) when a running
  application exists for this user+flat, or when a previous one succeeded.
  The list button was already visually disabled; this closes the direct-POST
  and double-click loopholes
- Drop the one-line error message under flat entries in the list
  (bewerbung_detail still shows the full message + the forensic ZIP report)
- Strip "min morgens" commute chip from the list; alert._flat_payload sends
  an empty connectivity dict so Maps.calculate_score is no longer called on
  every flat. Maps.calculate_score + Flat.connectivity stay in the codebase
  for easy re-enable (one-line swap in _flat_payload)
- List entry shows "vor 23 min" instead of "entdeckt vor 23 min"
- Bitwarden: rename profile email/immomio fields to opaque names
  (contact_addr, immomio_login, immomio_secret) + add data-bwignore across
  every settings form / input. Server-side update_profile maps the new
  field names back to the existing DB columns

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
---
 alert/main.py                              |  6 ++++-
 web/app.py                                 | 16 ++++++++++---
 web/templates/_settings_notifications.html |  6 ++---
 web/templates/_settings_profil.html        | 28 +++++++++++-----------
 web/templates/_settings_users.html         |  4 ++--
 web/templates/_wohnungen_body.html         |  6 +----
 6 files changed, 38 insertions(+), 28 deletions(-)

diff --git a/alert/main.py b/alert/main.py
index d56a357..6dad3a2 100644
--- a/alert/main.py
+++ b/alert/main.py
@@ -31,7 +31,11 @@ class FlatAlerter:
         self.last_response_hash = ""
 
     def _flat_payload(self, flat: Flat) -> dict:
-        c = flat.connectivity
+        # Transit-connectivity is disabled to save Google-Maps quota. The
+        # helper on Flat (flat.connectivity → Maps.calculate_score) is
+        # intentionally kept so it can be re-enabled without re-writing code —
+        # just replace the empty dict with `flat.connectivity` when needed.
+        c: dict = {}
         lat, lng = flat.coords
         return {
             "id": flat.id,
diff --git a/web/app.py b/web/app.py
index 92c763c..dc292de 100644
--- a/web/app.py
+++ b/web/app.py
@@ -544,6 +544,13 @@ async def action_apply(
     flat = db.get_flat(flat_id)
     if not flat:
         raise HTTPException(404, "flat not found")
+    last = db.last_application_for_flat(user["id"], flat_id)
+    if last and last["finished_at"] is None:
+        # Another apply is already running for this user+flat; don't queue a second.
+        return _wohnungen_partial_or_redirect(request, user)
+    if last and last["success"] == 1:
+        # Already successfully applied — no point in re-running.
+        return _wohnungen_partial_or_redirect(request, user)
     db.log_audit(user["username"], "trigger_apply", f"flat_id={flat_id}",
                  user_id=user["id"], ip=client_ip(request))
     _kick_apply(user["id"], flat_id, flat["link"], "user")
@@ -838,11 +845,14 @@ async def action_profile(request: Request, user=Depends(require_user)):
         try: return int(form.get(name) or 0)
         except ValueError: return 0
 
+    # Field names are intentionally opaque ("contact_addr", "immomio_login",
+    # "immomio_secret") to keep password managers — specifically Bitwarden —
+    # from recognising the form as a login/identity form and autofilling.
     db.update_profile(user["id"], {
         "salutation": form.get("salutation", ""),
         "firstname": form.get("firstname", ""),
         "lastname": form.get("lastname", ""),
-        "email": form.get("email", ""),
+        "email": form.get("contact_addr", ""),
         "telephone": form.get("telephone", ""),
         "street": form.get("street", ""),
         "house_number": form.get("house_number", ""),
@@ -855,8 +865,8 @@ async def action_profile(request: Request, user=Depends(require_user)):
         "wbs_adults": _i("wbs_adults"),
         "wbs_children": _i("wbs_children"),
         "is_prio_wbs": 1 if _b("is_prio_wbs") else 0,
-        "immomio_email": form.get("immomio_email", ""),
-        "immomio_password": form.get("immomio_password", ""),
+        "immomio_email": form.get("immomio_login", ""),
+        "immomio_password": form.get("immomio_secret", ""),
     })
     db.log_audit(user["username"], "profile.updated", user_id=user["id"], ip=client_ip(request))
     return RedirectResponse("/einstellungen/profil", status_code=303)
diff --git a/web/templates/_settings_notifications.html b/web/templates/_settings_notifications.html
index 0bd6f2a..23f952e 100644
--- a/web/templates/_settings_notifications.html
+++ b/web/templates/_settings_notifications.html
@@ -4,7 +4,7 @@
 </p>
 
 <form method="post" action="/actions/notifications" class="space-y-4 max-w-xl"
-      autocomplete="off" data-lpignore="true" data-1p-ignore data-form-type="other">
+      autocomplete="off" data-lpignore="true" data-1p-ignore data-bwignore data-form-type="other">
     <input type="hidden" name="csrf" value="{{ csrf }}">
 
     <div>
@@ -18,13 +18,13 @@
     <div>
         <label class="block text-xs uppercase text-slate-500 mb-1">Telegram Bot-Token</label>
         <input class="input" name="telegram_bot_token" value="{{ notifications.telegram_bot_token }}"
-               placeholder="123456:ABC..." autocomplete="off" data-lpignore="true" data-1p-ignore>
+               placeholder="123456:ABC..." autocomplete="off" data-lpignore="true" data-1p-ignore data-bwignore>
         <p class="text-xs text-slate-500 mt-1">Bot bei @BotFather anlegen, Token hier eintragen.</p>
     </div>
     <div>
         <label class="block text-xs uppercase text-slate-500 mb-1">Telegram Chat-ID</label>
         <input class="input" name="telegram_chat_id" value="{{ notifications.telegram_chat_id }}"
-               placeholder="987654321" autocomplete="off" data-lpignore="true" data-1p-ignore>
+               placeholder="987654321" autocomplete="off" data-lpignore="true" data-1p-ignore data-bwignore>
     </div>
 
     <div class="border-t border-soft pt-4 space-y-2">
diff --git a/web/templates/_settings_profil.html b/web/templates/_settings_profil.html
index e604feb..03486a8 100644
--- a/web/templates/_settings_profil.html
+++ b/web/templates/_settings_profil.html
@@ -1,7 +1,7 @@
 <h2 class="font-semibold mb-4">Bewerbungsdaten</h2>
 
 <form method="post" action="/actions/profile" class="grid grid-cols-1 md:grid-cols-2 gap-4"
-      autocomplete="off" data-lpignore="true" data-1p-ignore data-form-type="other">
+      autocomplete="off" data-lpignore="true" data-1p-ignore data-bwignore data-form-type="other">
     <input type="hidden" name="csrf" value="{{ csrf }}">
     {# Honeypot: Chrome/Firefox password managers ignore autocomplete="off" but
        autofill the *first* email+password pair they find. These hidden fields
@@ -24,39 +24,39 @@
 
     <div>
         <label class="block text-xs uppercase text-slate-500 mb-1">Vorname</label>
-        <input class="input" name="firstname" value="{{ profile.firstname }}" autocomplete="off" data-lpignore="true" data-1p-ignore>
+        <input class="input" name="firstname" value="{{ profile.firstname }}" autocomplete="off" data-lpignore="true" data-1p-ignore data-bwignore>
     </div>
     <div>
         <label class="block text-xs uppercase text-slate-500 mb-1">Nachname</label>
-        <input class="input" name="lastname" value="{{ profile.lastname }}" autocomplete="off" data-lpignore="true" data-1p-ignore>
+        <input class="input" name="lastname" value="{{ profile.lastname }}" autocomplete="off" data-lpignore="true" data-1p-ignore data-bwignore>
     </div>
 
     <div>
         <label class="block text-xs uppercase text-slate-500 mb-1">E-Mail</label>
-        <input class="input" type="text" inputmode="email" name="email" value="{{ profile.email }}"
-               autocomplete="off" data-lpignore="true" data-1p-ignore>
+        <input class="input" type="text" inputmode="email" name="contact_addr" value="{{ profile.email }}"
+               autocomplete="off" data-lpignore="true" data-1p-ignore data-bwignore>
     </div>
     <div>
         <label class="block text-xs uppercase text-slate-500 mb-1">Telefon</label>
-        <input class="input" name="telephone" value="{{ profile.telephone }}" autocomplete="off" data-lpignore="true" data-1p-ignore>
+        <input class="input" name="telephone" value="{{ profile.telephone }}" autocomplete="off" data-lpignore="true" data-1p-ignore data-bwignore>
     </div>
 
     <div>
         <label class="block text-xs uppercase text-slate-500 mb-1">Straße</label>
-        <input class="input" name="street" value="{{ profile.street }}" autocomplete="off" data-lpignore="true" data-1p-ignore>
+        <input class="input" name="street" value="{{ profile.street }}" autocomplete="off" data-lpignore="true" data-1p-ignore data-bwignore>
     </div>
     <div>
         <label class="block text-xs uppercase text-slate-500 mb-1">Hausnummer</label>
-        <input class="input" name="house_number" value="{{ profile.house_number }}" autocomplete="off" data-lpignore="true" data-1p-ignore>
+        <input class="input" name="house_number" value="{{ profile.house_number }}" autocomplete="off" data-lpignore="true" data-1p-ignore data-bwignore>
     </div>
 
     <div>
         <label class="block text-xs uppercase text-slate-500 mb-1">PLZ</label>
-        <input class="input" name="postcode" value="{{ profile.postcode }}" autocomplete="off" data-lpignore="true" data-1p-ignore>
+        <input class="input" name="postcode" value="{{ profile.postcode }}" autocomplete="off" data-lpignore="true" data-1p-ignore data-bwignore>
     </div>
     <div>
         <label class="block text-xs uppercase text-slate-500 mb-1">Stadt</label>
-        <input class="input" name="city" value="{{ profile.city }}" autocomplete="off" data-lpignore="true" data-1p-ignore>
+        <input class="input" name="city" value="{{ profile.city }}" autocomplete="off" data-lpignore="true" data-1p-ignore data-bwignore>
     </div>
 
     <div class="col-span-1 md:col-span-2 mt-4 border-t border-soft pt-4">
@@ -104,14 +104,14 @@
     </div>
     <div>
         <label class="block text-xs uppercase text-slate-500 mb-1">Immomio-Email</label>
-        <input class="input" type="text" inputmode="email" name="immomio_email" value="{{ profile.immomio_email }}"
-               autocomplete="off" data-lpignore="true" data-1p-ignore>
+        <input class="input" type="text" inputmode="email" name="immomio_login" value="{{ profile.immomio_email }}"
+               autocomplete="off" data-lpignore="true" data-1p-ignore data-bwignore>
     </div>
     <div>
         <label class="block text-xs uppercase text-slate-500 mb-1">Immomio-Passwort</label>
-        <input class="input" type="password" name="immomio_password" value="{{ profile.immomio_password }}"
+        <input class="input" type="password" name="immomio_secret" value="{{ profile.immomio_password }}"
                placeholder="(unverändert lassen = leer)"
-               autocomplete="new-password" data-lpignore="true" data-1p-ignore>
+               autocomplete="new-password" data-lpignore="true" data-1p-ignore data-bwignore>
     </div>
 
     <div class="col-span-1 md:col-span-2">
diff --git a/web/templates/_settings_users.html b/web/templates/_settings_users.html
index ac261f5..b4e9517 100644
--- a/web/templates/_settings_users.html
+++ b/web/templates/_settings_users.html
@@ -8,11 +8,11 @@
     <h3 class="font-semibold mb-3">Neuen Benutzer anlegen</h3>
     <form method="post" action="/actions/users/create"
           class="grid grid-cols-1 md:grid-cols-3 gap-3 items-end"
-          autocomplete="off" data-lpignore="true" data-1p-ignore data-form-type="other">
+          autocomplete="off" data-lpignore="true" data-1p-ignore data-bwignore data-form-type="other">
         <input type="hidden" name="csrf" value="{{ csrf }}">
         <div>
             <label class="block text-xs uppercase text-slate-500 mb-1">Benutzername</label>
-            <input class="input" name="username" required autocomplete="off" data-lpignore="true" data-1p-ignore>
+            <input class="input" name="username" required autocomplete="off" data-lpignore="true" data-1p-ignore data-bwignore>
         </div>
         <div>
             <label class="block text-xs uppercase text-slate-500 mb-1">Passwort (≥ 10 Zeichen)</label>
diff --git a/web/templates/_wohnungen_body.html b/web/templates/_wohnungen_body.html
index 128f213..f733845 100644
--- a/web/templates/_wohnungen_body.html
+++ b/web/templates/_wohnungen_body.html
@@ -125,13 +125,9 @@
                     {% if f.rooms %}{{ "%.1f"|format(f.rooms) }} Z{% endif %}
                     {% if f.size %} · {{ "%.0f"|format(f.size) }} m²{% endif %}
                     {% if f.total_rent %} · {{ "%.0f"|format(f.total_rent) }} €{% endif %}
-                    {% if f.connectivity_morning_time %} · {{ "%.0f"|format(f.connectivity_morning_time) }} min morgens{% endif %}
                     {% if f.wbs %} · WBS: {{ f.wbs }}{% endif %}
-                    · entdeckt <span data-rel-utc="{{ f.discovered_at|iso_utc }}" title="{{ f.discovered_at|de_dt }}">…</span>
+                    · <span data-rel-utc="{{ f.discovered_at|iso_utc }}" title="{{ f.discovered_at|de_dt }}">…</span>
                 </div>
-                {% if item.last and item.last.message %}
-                    <div class="text-xs text-slate-500 mt-1 truncate">↳ {{ item.last.message }}</div>
-                {% endif %}
             </div>
             <div class="flex gap-2">
                 {% if apply_allowed and not (item.last and item.last.success == 1) %}