settings: relabel dry-run, harder PM block, rework users page

- Bewerbungen chip "Trockenmodus" → "nicht abgeschickt" (list + detail view) - Profile form: add an off-screen honeypot (username + password) so Chrome's autofill burns its fill on those instead of the real E-Mail field; switch the visible E-Mail and Immomio-Email to type=text + inputmode=email so the browser heuristic no longer tags them as login emails - Users page: create-form sits on top in its own card (3-column grid with Administrator checkbox inline); full-width list below with Administrator chip, aktiv/deaktiviert chip, "du" marker for the current user, plus disable/activate and a new red "löschen" button (confirm prompt) wired to new POST /actions/users/delete which cascades through the user's data Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-04-21 14:11:50 +02:00 · 2026-04-21 14:11:50 +02:00 · de3ce19393
commit de3ce19393
parent 931e0bb8b7
6 changed files with 89 additions and 31 deletions
--- a/web/templates/_settings_profil.html
+++ b/web/templates/_settings_profil.html
@ -3,6 +3,14 @@
 <form method="post" action="/actions/profile" class="grid grid-cols-1 md:grid-cols-2 gap-4"
      autocomplete="off" data-lpignore="true" data-1p-ignore data-form-type="other">
    <input type="hidden" name="csrf" value="{{ csrf }}">
+    {# Honeypot: Chrome/Firefox password managers ignore autocomplete="off" but
+       autofill the *first* email+password pair they find. These hidden fields
+       absorb that autofill so the visible E-Mail/Immomio-Passwort stay clean.
+       The server ignores unknown form fields. #}
+    <div aria-hidden="true" style="position:absolute; left:-10000px; top:auto; width:1px; height:1px; overflow:hidden;">
+        <input type="text" name="_autofill_sink_user" tabindex="-1" autocomplete="username">
+        <input type="password" name="_autofill_sink_pass" tabindex="-1" autocomplete="current-password">
+    </div>

    <div>
        <label class="block text-xs uppercase text-slate-500 mb-1">Anrede</label>
@ -25,7 +33,8 @@

    <div>
        <label class="block text-xs uppercase text-slate-500 mb-1">E-Mail</label>
-        <input class="input" type="email" name="email" value="{{ profile.email }}" autocomplete="off" data-lpignore="true" data-1p-ignore>
+        <input class="input" type="text" inputmode="email" name="email" value="{{ profile.email }}"
+               autocomplete="off" data-lpignore="true" data-1p-ignore>
    </div>
    <div>
        <label class="block text-xs uppercase text-slate-500 mb-1">Telefon</label>
@ -95,7 +104,8 @@
    </div>
    <div>
        <label class="block text-xs uppercase text-slate-500 mb-1">Immomio-Email</label>
-        <input class="input" type="email" name="immomio_email" value="{{ profile.immomio_email }}" autocomplete="off" data-lpignore="true" data-1p-ignore>
+        <input class="input" type="text" inputmode="email" name="immomio_email" value="{{ profile.immomio_email }}"
+               autocomplete="off" data-lpignore="true" data-1p-ignore>
    </div>
    <div>
        <label class="block text-xs uppercase text-slate-500 mb-1">Immomio-Passwort</label>