moritz/lazyflat
1
0
Fork 0
Code Issues 3 Pull requests Projects Releases Packages Wiki Activity Actions

guard double-apply, hide error msg, wohnungen polish, bitwarden block

Browse source 
- /actions/apply now no-ops (returns fresh partial) when a running
  application exists for this user+flat, or when a previous one succeeded.
  The list button was already visually disabled; this closes the direct-POST
  and double-click loopholes
- Drop the one-line error message under flat entries in the list
  (bewerbung_detail still shows the full message + the forensic ZIP report)
- Strip "min morgens" commute chip from the list; alert._flat_payload sends
  an empty connectivity dict so Maps.calculate_score is no longer called on
  every flat. Maps.calculate_score + Flat.connectivity stay in the codebase
  for easy re-enable (one-line swap in _flat_payload)
- List entry shows "vor 23 min" instead of "entdeckt vor 23 min"
- Bitwarden: rename profile email/immomio fields to opaque names
  (contact_addr, immomio_login, immomio_secret) + add data-bwignore across
  every settings form / input. Server-side update_profile maps the new
  field names back to the existing DB columns

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
This commit is contained in:
EiSiMo 2026-04-21 14:20:31 +02:00
parent de3ce19393
commit 2609d3504a
6 changed files with 38 additions and 28 deletions
Download patch file Download diff file Expand all files Collapse all files

6
alert/main.py
View file

@ -31,7 +31,11 @@ class FlatAlerter:
self.last_response_hash = ""
def _flat_payload(self, flat: Flat) -> dict:
c = flat.connectivity
# Transit-connectivity is disabled to save Google-Maps quota. The
# helper on Flat (flat.connectivity → Maps.calculate_score) is
# intentionally kept so it can be re-enabled without re-writing code —
# just replace the empty dict with `flat.connectivity` when needed.
c: dict = {}
lat, lng = flat.coords
return {
"id": flat.id,

16
web/app.py
View file

@ -544,6 +544,13 @@ async def action_apply(
flat = db.get_flat(flat_id)
if not flat:
raise HTTPException(404, "flat not found")
last = db.last_application_for_flat(user["id"], flat_id)
if last and last["finished_at"] is None:
# Another apply is already running for this user+flat; don't queue a second.
return _wohnungen_partial_or_redirect(request, user)
if last and last["success"] == 1:
# Already successfully applied — no point in re-running.
return _wohnungen_partial_or_redirect(request, user)
db.log_audit(user["username"], "trigger_apply", f"flat_id={flat_id}",
user_id=user["id"], ip=client_ip(request))
_kick_apply(user["id"], flat_id, flat["link"], "user")
@ -838,11 +845,14 @@ async def action_profile(request: Request, user=Depends(require_user)):
try: return int(form.get(name) or 0)
except ValueError: return 0
# Field names are intentionally opaque ("contact_addr", "immomio_login",
# "immomio_secret") to keep password managers — specifically Bitwarden —
# from recognising the form as a login/identity form and autofilling.
db.update_profile(user["id"], {
"salutation": form.get("salutation", ""),
"firstname": form.get("firstname", ""),
"lastname": form.get("lastname", ""),
"email": form.get("email", ""),
"email": form.get("contact_addr", ""),
"telephone": form.get("telephone", ""),
"street": form.get("street", ""),
"house_number": form.get("house_number", ""),
@ -855,8 +865,8 @@ async def action_profile(request: Request, user=Depends(require_user)):
"wbs_adults": _i("wbs_adults"),
"wbs_children": _i("wbs_children"),
"is_prio_wbs": 1 if _b("is_prio_wbs") else 0,
"immomio_email": form.get("immomio_email", ""),
"immomio_password": form.get("immomio_password", ""),
"immomio_email": form.get("immomio_login", ""),
"immomio_password": form.get("immomio_secret", ""),
})
db.log_audit(user["username"], "profile.updated", user_id=user["id"], ip=client_ip(request))
return RedirectResponse("/einstellungen/profil", status_code=303)

6
web/templates/_settings_notifications.html
View file

@ -4,7 +4,7 @@
</p>
<form method="post" action="/actions/notifications" class="space-y-4 max-w-xl"
autocomplete="off" data-lpignore="true" data-1p-ignore data-form-type="other">
autocomplete="off" data-lpignore="true" data-1p-ignore data-bwignore data-form-type="other">
<input type="hidden" name="csrf" value="{{ csrf }}">
<div>
@ -18,13 +18,13 @@
<div>
<label class="block text-xs uppercase text-slate-500 mb-1">Telegram Bot-Token</label>
<input class="input" name="telegram_bot_token" value="{{ notifications.telegram_bot_token }}"
placeholder="123456:ABC..." autocomplete="off" data-lpignore="true" data-1p-ignore>
placeholder="123456:ABC..." autocomplete="off" data-lpignore="true" data-1p-ignore data-bwignore>
<p class="text-xs text-slate-500 mt-1">Bot bei @BotFather anlegen, Token hier eintragen.</p>
</div>
<div>
<label class="block text-xs uppercase text-slate-500 mb-1">Telegram Chat-ID</label>
<input class="input" name="telegram_chat_id" value="{{ notifications.telegram_chat_id }}"
placeholder="987654321" autocomplete="off" data-lpignore="true" data-1p-ignore>
placeholder="987654321" autocomplete="off" data-lpignore="true" data-1p-ignore data-bwignore>
</div>
<div class="border-t border-soft pt-4 space-y-2">

28
web/templates/_settings_profil.html
View file

@ -1,7 +1,7 @@
<h2 class="font-semibold mb-4">Bewerbungsdaten</h2>
<form method="post" action="/actions/profile" class="grid grid-cols-1 md:grid-cols-2 gap-4"
autocomplete="off" data-lpignore="true" data-1p-ignore data-form-type="other">
autocomplete="off" data-lpignore="true" data-1p-ignore data-bwignore data-form-type="other">
<input type="hidden" name="csrf" value="{{ csrf }}">
{# Honeypot: Chrome/Firefox password managers ignore autocomplete="off" but
autofill the *first* email+password pair they find. These hidden fields
@ -24,39 +24,39 @@
<div>
<label class="block text-xs uppercase text-slate-500 mb-1">Vorname</label>
<input class="input" name="firstname" value="{{ profile.firstname }}" autocomplete="off" data-lpignore="true" data-1p-ignore>
<input class="input" name="firstname" value="{{ profile.firstname }}" autocomplete="off" data-lpignore="true" data-1p-ignore data-bwignore>
</div>
<div>
<label class="block text-xs uppercase text-slate-500 mb-1">Nachname</label>
<input class="input" name="lastname" value="{{ profile.lastname }}" autocomplete="off" data-lpignore="true" data-1p-ignore>
<input class="input" name="lastname" value="{{ profile.lastname }}" autocomplete="off" data-lpignore="true" data-1p-ignore data-bwignore>
</div>
<div>
<label class="block text-xs uppercase text-slate-500 mb-1">E-Mail</label>
<input class="input" type="text" inputmode="email" name="email" value="{{ profile.email }}"
autocomplete="off" data-lpignore="true" data-1p-ignore>
<input class="input" type="text" inputmode="email" name="contact_addr" value="{{ profile.email }}"
autocomplete="off" data-lpignore="true" data-1p-ignore data-bwignore>
</div>
<div>
<label class="block text-xs uppercase text-slate-500 mb-1">Telefon</label>
<input class="input" name="telephone" value="{{ profile.telephone }}" autocomplete="off" data-lpignore="true" data-1p-ignore>
<input class="input" name="telephone" value="{{ profile.telephone }}" autocomplete="off" data-lpignore="true" data-1p-ignore data-bwignore>
</div>
<div>
<label class="block text-xs uppercase text-slate-500 mb-1">Straße</label>
<input class="input" name="street" value="{{ profile.street }}" autocomplete="off" data-lpignore="true" data-1p-ignore>
<input class="input" name="street" value="{{ profile.street }}" autocomplete="off" data-lpignore="true" data-1p-ignore data-bwignore>
</div>
<div>
<label class="block text-xs uppercase text-slate-500 mb-1">Hausnummer</label>
<input class="input" name="house_number" value="{{ profile.house_number }}" autocomplete="off" data-lpignore="true" data-1p-ignore>
<input class="input" name="house_number" value="{{ profile.house_number }}" autocomplete="off" data-lpignore="true" data-1p-ignore data-bwignore>
</div>
<div>
<label class="block text-xs uppercase text-slate-500 mb-1">PLZ</label>
<input class="input" name="postcode" value="{{ profile.postcode }}" autocomplete="off" data-lpignore="true" data-1p-ignore>
<input class="input" name="postcode" value="{{ profile.postcode }}" autocomplete="off" data-lpignore="true" data-1p-ignore data-bwignore>
</div>
<div>
<label class="block text-xs uppercase text-slate-500 mb-1">Stadt</label>
<input class="input" name="city" value="{{ profile.city }}" autocomplete="off" data-lpignore="true" data-1p-ignore>
<input class="input" name="city" value="{{ profile.city }}" autocomplete="off" data-lpignore="true" data-1p-ignore data-bwignore>
</div>
<div class="col-span-1 md:col-span-2 mt-4 border-t border-soft pt-4">
@ -104,14 +104,14 @@
</div>
<div>
<label class="block text-xs uppercase text-slate-500 mb-1">Immomio-Email</label>
<input class="input" type="text" inputmode="email" name="immomio_email" value="{{ profile.immomio_email }}"
autocomplete="off" data-lpignore="true" data-1p-ignore>
<input class="input" type="text" inputmode="email" name="immomio_login" value="{{ profile.immomio_email }}"
autocomplete="off" data-lpignore="true" data-1p-ignore data-bwignore>
</div>
<div>
<label class="block text-xs uppercase text-slate-500 mb-1">Immomio-Passwort</label>
<input class="input" type="password" name="immomio_password" value="{{ profile.immomio_password }}"
<input class="input" type="password" name="immomio_secret" value="{{ profile.immomio_password }}"
placeholder="(unverändert lassen = leer)"
autocomplete="new-password" data-lpignore="true" data-1p-ignore>
autocomplete="new-password" data-lpignore="true" data-1p-ignore data-bwignore>
</div>
<div class="col-span-1 md:col-span-2">

4
web/templates/_settings_users.html
View file

@ -8,11 +8,11 @@
<h3 class="font-semibold mb-3">Neuen Benutzer anlegen</h3>
<form method="post" action="/actions/users/create"
class="grid grid-cols-1 md:grid-cols-3 gap-3 items-end"
autocomplete="off" data-lpignore="true" data-1p-ignore data-form-type="other">
autocomplete="off" data-lpignore="true" data-1p-ignore data-bwignore data-form-type="other">
<input type="hidden" name="csrf" value="{{ csrf }}">
<div>
<label class="block text-xs uppercase text-slate-500 mb-1">Benutzername</label>
<input class="input" name="username" required autocomplete="off" data-lpignore="true" data-1p-ignore>
<input class="input" name="username" required autocomplete="off" data-lpignore="true" data-1p-ignore data-bwignore>
</div>
<div>
<label class="block text-xs uppercase text-slate-500 mb-1">Passwort (≥ 10 Zeichen)</label>

6
web/templates/_wohnungen_body.html
View file

@ -125,13 +125,9 @@
{% if f.rooms %}{{ "%.1f"|format(f.rooms) }} Z{% endif %}
{% if f.size %} · {{ "%.0f"|format(f.size) }} m²{% endif %}
{% if f.total_rent %} · {{ "%.0f"|format(f.total_rent) }} €{% endif %}
{% if f.connectivity_morning_time %} · {{ "%.0f"|format(f.connectivity_morning_time) }} min morgens{% endif %}
{% if f.wbs %} · WBS: {{ f.wbs }}{% endif %}
· entdeckt <span data-rel-utc="{{ f.discovered_at|iso_utc }}" title="{{ f.discovered_at|de_dt }}"></span>
· <span data-rel-utc="{{ f.discovered_at|iso_utc }}" title="{{ f.discovered_at|de_dt }}"></span>
</div>
{% if item.last and item.last.message %}
<div class="text-xs text-slate-500 mt-1 truncate">↳ {{ item.last.message }}</div>
{% endif %}
</div>
<div class="flex gap-2">
{% if apply_allowed and not (item.last and item.last.success == 1) %}