settings: relabel dry-run, harder PM block, rework users page

- Bewerbungen chip "Trockenmodus" → "nicht abgeschickt" (list + detail view) - Profile form: add an off-screen honeypot (username + password) so Chrome's autofill burns its fill on those instead of the real E-Mail field; switch the visible E-Mail and Immomio-Email to type=text + inputmode=email so the browser heuristic no longer tags them as login emails - Users page: create-form sits on top in its own card (3-column grid with Administrator checkbox inline); full-width list below with Administrator chip, aktiv/deaktiviert chip, "du" marker for the current user, plus disable/activate and a new red "löschen" button (confirm prompt) wired to new POST /actions/users/delete which cascades through the user's data Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-04-21 14:11:50 +02:00 · 2026-04-21 14:11:50 +02:00 · de3ce19393
commit de3ce19393
parent 931e0bb8b7
6 changed files with 89 additions and 31 deletions
--- a/web/app.py
+++ b/web/app.py
@ -964,6 +964,26 @@ async def action_users_disable(
    return RedirectResponse("/einstellungen/benutzer", status_code=303)
@app.post("/actions/users/delete")
 async def action_users_delete(
    request: Request,
    target_id: int = Form(...),
    csrf: str = Form(...),
    admin=Depends(require_admin),
 ):
    require_csrf(admin["id"], csrf)
    if target_id == admin["id"]:
        raise HTTPException(400, "refusing to delete self")
    target = db.get_user(target_id)
    if not target:
        return RedirectResponse("/einstellungen/benutzer", status_code=303)
    db.delete_user(target_id)
    db.log_audit(admin["username"], "user.deleted",
                 f"target={target_id} username={target['username']}",
                 user_id=admin["id"], ip=client_ip(request))
    return RedirectResponse("/einstellungen/benutzer?deleted=1", status_code=303)
 # ---------------------------------------------------------------------------
 # Internal endpoints
 # ---------------------------------------------------------------------------
--- a/web/db.py
+++ b/web/db.py
@ -304,6 +304,14 @@ def set_user_disabled(user_id: int, disabled: bool) -> None:
        )
 def delete_user(user_id: int) -> None:
    """Remove a user and everything that cascades (profile, filters, notifications,
    preferences, rejections, applications). Audit/error logs stay (user_id column
    is nullable)."""
    with _lock:
        _conn.execute("DELETE FROM users WHERE id = ?", (user_id,))
 # ---------------------------------------------------------------------------
 # User profile / filters / notifications / preferences
 # ---------------------------------------------------------------------------
--- a/web/templates/_settings_profil.html
+++ b/web/templates/_settings_profil.html
@ -3,6 +3,14 @@
 <form method="post" action="/actions/profile" class="grid grid-cols-1 md:grid-cols-2 gap-4"
      autocomplete="off" data-lpignore="true" data-1p-ignore data-form-type="other">
    <input type="hidden" name="csrf" value="{{ csrf }}">
    {# Honeypot: Chrome/Firefox password managers ignore autocomplete="off" but
       autofill the *first* email+password pair they find. These hidden fields
       absorb that autofill so the visible E-Mail/Immomio-Passwort stay clean.
       The server ignores unknown form fields. #}
    <div aria-hidden="true" style="position:absolute; left:-10000px; top:auto; width:1px; height:1px; overflow:hidden;">
        <input type="text" name="_autofill_sink_user" tabindex="-1" autocomplete="username">
        <input type="password" name="_autofill_sink_pass" tabindex="-1" autocomplete="current-password">
    </div>
    <div>
        <label class="block text-xs uppercase text-slate-500 mb-1">Anrede</label>
@ -25,7 +33,8 @@
    <div>
        <label class="block text-xs uppercase text-slate-500 mb-1">E-Mail</label>
-        <input class="input" type="email" name="email" value="{{ profile.email }}" autocomplete="off" data-lpignore="true" data-1p-ignore>
+        <input class="input" type="text" inputmode="email" name="email" value="{{ profile.email }}"
               autocomplete="off" data-lpignore="true" data-1p-ignore>
    </div>
    <div>
        <label class="block text-xs uppercase text-slate-500 mb-1">Telefon</label>
@ -95,7 +104,8 @@
    </div>
    <div>
        <label class="block text-xs uppercase text-slate-500 mb-1">Immomio-Email</label>
-        <input class="input" type="email" name="immomio_email" value="{{ profile.immomio_email }}" autocomplete="off" data-lpignore="true" data-1p-ignore>
+        <input class="input" type="text" inputmode="email" name="immomio_email" value="{{ profile.immomio_email }}"
               autocomplete="off" data-lpignore="true" data-1p-ignore>
    </div>
    <div>
        <label class="block text-xs uppercase text-slate-500 mb-1">Immomio-Passwort</label>
--- a/web/templates/_settings_users.html
+++ b/web/templates/_settings_users.html
@ -1,39 +1,53 @@
 <h2 class="font-semibold mb-4">Benutzer verwalten</h2>
 {% if request.query_params.get('ok') %}<div class="chip chip-ok mb-4">Benutzer angelegt.</div>{% endif %}
 {% if request.query_params.get('deleted') %}<div class="chip chip-ok mb-4">Benutzer gelöscht.</div>{% endif %}
 {% if request.query_params.get('err') == 'exists' %}<div class="chip chip-bad mb-4">Benutzername existiert bereits.</div>{% endif %}
-<div class="grid grid-cols-1 md:grid-cols-2 gap-6">
+<section class="card p-5 mb-6">
-    <div>
+    <h3 class="font-semibold mb-3">Neuen Benutzer anlegen</h3>
-        <h3 class="font-semibold mb-2">Neuen Benutzer anlegen</h3>
+    <form method="post" action="/actions/users/create"
-        <form method="post" action="/actions/users/create" class="space-y-3 max-w-md">
+          class="grid grid-cols-1 md:grid-cols-3 gap-3 items-end"
-            <input type="hidden" name="csrf" value="{{ csrf }}">
+          autocomplete="off" data-lpignore="true" data-1p-ignore data-form-type="other">
-            <div>
+        <input type="hidden" name="csrf" value="{{ csrf }}">
-                <label class="block text-xs uppercase text-slate-500 mb-1">Benutzername</label>
+        <div>
-                <input class="input" name="username" required>
+            <label class="block text-xs uppercase text-slate-500 mb-1">Benutzername</label>
-            </div>
+            <input class="input" name="username" required autocomplete="off" data-lpignore="true" data-1p-ignore>
-            <div>
+        </div>
-                <label class="block text-xs uppercase text-slate-500 mb-1">Passwort (≥ 10 Zeichen)</label>
+        <div>
-                <input class="input" type="password" name="password" required>
+            <label class="block text-xs uppercase text-slate-500 mb-1">Passwort (≥ 10 Zeichen)</label>
-            </div>
+            <input class="input" type="password" name="password" required
                   autocomplete="new-password" data-lpignore="true" data-1p-ignore>
        </div>
        <div class="flex items-center gap-4">
            <label class="inline-flex items-center gap-2">
                <input type="checkbox" name="is_admin">
-                <span>Administrator-Rechte</span>
+                <span>Administrator</span>
            </label>
-            <button class="btn btn-primary" type="submit">Anlegen</button>
+            <button class="btn btn-primary ml-auto" type="submit">Anlegen</button>
-        </form>
+        </div>
-    </div>
+    </form>
 </section>
-    <div>
+<section class="card">
-        <h3 class="font-semibold mb-2">Alle Benutzer</h3>
+    <div class="flex items-center justify-between px-4 py-3 border-b border-soft">
-        <div class="card divide-y divide-soft">
+        <h3 class="font-semibold">Alle Benutzer</h3>
-            {% for u in users %}
+        <span class="text-xs text-slate-500">{{ users|length }}</span>
-            <div class="px-3 py-2 flex items-center gap-2 text-sm">
+    </div>
-                <span class="flex-1">{{ u.username }}</span>
+    <div class="divide-y divide-soft">
        {% for u in users %}
        <div class="px-4 py-3 flex items-center gap-3 flex-wrap">
            <div class="flex items-center gap-2 flex-1 min-w-0">
                <span class="font-medium truncate">{{ u.username }}</span>
                {% if u.id == user.id %}<span class="chip chip-info">du</span>{% endif %}
            </div>
            <div class="flex items-center gap-1.5">
                {% if u.is_admin %}<span class="chip chip-info">Administrator</span>{% endif %}
                {% if u.disabled %}<span class="chip chip-bad">deaktiviert</span>
                {% else %}<span class="chip chip-ok">aktiv</span>{% endif %}
-                {% if u.id != user.id %}
+            </div>
            {% if u.id != user.id %}
            <div class="flex items-center gap-2 ml-auto">
                <form method="post" action="/actions/users/disable">
                    <input type="hidden" name="csrf" value="{{ csrf }}">
                    <input type="hidden" name="target_id" value="{{ u.id }}">
@ -42,9 +56,15 @@
                        {% if u.disabled %}aktivieren{% else %}deaktivieren{% endif %}
                    </button>
                </form>
-                {% endif %}
+                <form method="post" action="/actions/users/delete"
                      onsubmit="return confirm('Benutzer „{{ u.username }}“ dauerhaft löschen? Alle Profildaten, Filter, Bewerbungen und Einstellungen gehen verloren.');">
                    <input type="hidden" name="csrf" value="{{ csrf }}">
                    <input type="hidden" name="target_id" value="{{ u.id }}">
                    <button class="btn btn-danger text-xs" type="submit">löschen</button>
                </form>
            </div>
-            {% endfor %}
+            {% endif %}
        </div>
        {% endfor %}
    </div>
-</div>
+</section>
--- a/web/templates/bewerbung_detail.html
+++ b/web/templates/bewerbung_detail.html
@ -11,7 +11,7 @@
        <span class="chip chip-info">{% if application.triggered_by == 'auto' %}automatisch{% else %}manuell{% endif %}</span>
        {% if application.provider %}<span class="chip chip-info">{{ application.provider }}</span>{% endif %}
        {% if application.submit_forms_used %}<span class="chip chip-warn">echt gesendet</span>
-        {% else %}<span class="chip chip-info">Trockenmodus</span>{% endif %}
+        {% else %}<span class="chip chip-info">nicht abgeschickt</span>{% endif %}
        {% if application.success == 0 %}
        <a class="btn btn-danger text-sm ml-auto"
--- a/web/templates/bewerbungen.html
+++ b/web/templates/bewerbungen.html
@ -15,7 +15,7 @@
                <span class="chip chip-info">{% if a.triggered_by == 'auto' %}automatisch{% else %}manuell{% endif %}</span>
                {% if a.provider %}<span class="chip chip-info">{{ a.provider }}</span>{% endif %}
                {% if a.submit_forms_used %}<span class="chip chip-warn">echt gesendet</span>
-                {% else %}<span class="chip chip-info">Trockenmodus</span>{% endif %}
+                {% else %}<span class="chip chip-info">nicht abgeschickt</span>{% endif %}
                <span class="text-slate-500 text-xs ml-auto"
                      title="{{ a.started_at|de_dt }}">{{ a.started_at|de_dt }}</span>
            </div>