Damir Radulić
8dce58c5f9
CC3: Unified sidebar with external portal links + collapsible icon mode
...
Shared module:
- /static/shared/sidebar.css ← unified CSS (#pgz-sb, .pgz-collapsed, mobile overlay, tooltip)
- /static/shared/sidebar.js ← auto-mounting JS shell + PGZSidebar API
* Auto-renders #pgz-sb at <body> start (data-inline=1 to opt out)
* NAV_EXTERNAL: Prijava, Aplikacija, Administracija, CRM, ERP, KPI, Audit, Public portal
* Toggle (≡) -> localStorage 'sidebarCollapsed' (persists across ALL pages)
* Mobile <768px: ≡ burger + ✕ close, body backdrop
* Loads /api/auth/me in footer (avatar/username/role); ⎋ logout deletes the JWT and goes to /login
* data-active="<key>" highlights the active portal
Page integration:
- sport2.html ← inline NAV_EXTERNAL in buildNav() + "Portali" separator (keep the existing sidebar)
- app.html ← inline NAV_EXTERNAL in buildNav() (keep the role-based internal nav, supplement it with Portali)
- admin.html ← Portali items in <aside class="sidebar"> (matching .nav-item style)
- erp.html ← Portali items in <aside class="sidebar"> (matching .nav-item style)
- crm.html ← include shared sidebar.css + sidebar.js data-active="crm"
- audit.html ← include shared sidebar.css + sidebar.js data-active="audit"
- kpi.html ← include shared sidebar.css + sidebar.js data-active="kpi"
- login.html ← include shared sidebar.css + sidebar.js data-active="login"
Backups: _backups/{*.cc3_pre_unified_sidebar.*}
Live verified: 8 pages serve HTTP 200; sidebar.css/js HTTP 200; portal markers per page OK.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-05-05 01:11:24 +02:00
Damir Radulić
f5c6570d47
CC2 R4 #2+#5: remove legacy unauth /api/admin/users — close 401 gap
...
The bare @app.get/post('/api/admin/users') decorators in pgz_sport_api.py
were registered before app.include_router(admin_users_router) and shadowed
the JWT-protected M2 routes, leaking user list to anyone.
Removed all three: GET /api/admin/users, POST /api/admin/users,
POST /api/admin/users/{uid}/toggle. The auth.admin_users router now owns
this prefix exclusively and gates every method with require_user.
Verified: no-auth → 401, invalid token → 401, valid Bearer → 200.
2026-05-05 00:44:50 +02:00
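The shadowing described in commit f5c6570d47 happens because the router dispatches to the first registered route whose method and path match, so a later protected route with the same pattern is never reached. The following is an added example, not code from this repository: a startup or CI check that flags any route made unreachable by an earlier registration. The handler names and the `Route` stand-in class are hypothetical; only the paths come from the commit message.

```python
import re
from collections import namedtuple

_PARAM = re.compile(r"\{[^}:]+(?::([^}]+))?\}")


def route_key(path):
    """Normalise a path template: parameter names are dropped, converters kept."""
    return _PARAM.sub(lambda m: "{" + (m.group(1) or "str") + "}", path)


def find_shadowed(routes):
    """Return (method, path, winner, shadowed) for each route that an earlier
    registration with the same method and path pattern makes unreachable."""
    first = {}
    findings = []
    for r in routes:
        # Mounts and similar objects have no methods; skip them.
        for method in sorted(getattr(r, "methods", None) or ()):
            key = (method, route_key(r.path))
            if key in first:
                findings.append((method, r.path, first[key], r.name))
            else:
                first[key] = r.name
    return findings


# Hypothetical stand-in for a framework route object (path, methods, name).
Route = namedtuple("Route", "path methods name")

# Constructed sample in the registration order the commit message describes:
# bare legacy handlers first, the JWT-protected router afterwards.
SAMPLE = [
    Route("/api/admin/users", {"GET"}, "legacy_list_users"),
    Route("/api/admin/users", {"POST"}, "legacy_create_user"),
    Route("/api/admin/users/{uid}/toggle", {"POST"}, "legacy_toggle_user"),
    Route("/api/admin/users", {"GET"}, "admin_users.list_users"),
    Route("/api/admin/users", {"POST"}, "admin_users.create_user"),
    Route("/api/admin/users/{user_id}/toggle", {"POST"}, "admin_users.toggle_user"),
    Route("/api/auth/me", {"GET"}, "auth.me"),
]

if __name__ == "__main__":
    for method, path, winner, loser in find_shadowed(SAMPLE):
        print(f"{method} {path}: {loser} is shadowed by {winner}")
```

In a FastAPI application the same function can be given `app.routes` after all routers are included, and a non-empty result can fail the build.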