pgz-sport

Author	SHA1	Message	Date
Damir Radulić	a0db65fc31	CC2 R4 #4 : /api/users/me/gdpr-export alias - New auth.gdpr.me_router prefix /api/users/me with: - GET/POST /gdpr-export → Art.20 JSON download with Content-Disposition - POST /gdpr-erase → Art.17 erasure request - GET /gdpr-consent → consent history for caller - jsonable_encoder fixes datetime serialisation in JSONResponse - admin_users.html: 'Izvezi moje podatke' now POSTs to alias and uses filename from Content-Disposition header - 401 enforced on no-auth, 200 on valid Bearer (verified live)	2026-05-05 00:47:22 +02:00
Damir Radulić	f5c6570d47	CC2 R4 #2+#5: remove legacy unauth /api/admin/users — close 401 gap The bare @app.get/post('/api/admin/users') decorators in pgz_sport_api.py were registered before app.include_router(admin_users_router) and shadowed the JWT-protected M2 routes, leaking user list to anyone. Removed all three: GET /api/admin/users, POST /api/admin/users, POST /api/admin/users/{uid}/toggle. The auth.admin_users router now owns this prefix exclusively and gates every method with require_user. Verified: no-auth → 401, invalid token → 401, valid Bearer → 200.	2026-05-05 00:44:50 +02:00
Damir Radulić	8fe2478b84	CC2 R3 frontend: login.html + admin_users.html (M1+M2+M10 UI) - static/login.html: dark Palantir-style login with PGŽ branding, Prijava se / Zaboravljena lozinka, demo account quick-fills, GDPR cookie banner, autostore tokens (local/session) - static/admin_users.html: full user-management admin panel: - Collapsible left sidebar (Pregled, Korisnici, Tenanti, Audit log, Sigurnost, GDPR, links to ERP/CRM) - Users table with filters (q, tenant, role, status, limit) - + Dodaj korisnika modal (CRUD via /api/admin/users/*) - Suspend / unsuspend / reset-password / delete actions - Audit log viewer + Security KPIs + GDPR queue - Self-service: change pwd, export data (Art. 20), erasure request (Art. 17) - pgz_sport_api.py: /login and /admin/users URL routes - auth/seed_demo.py: added tajnik@atletski.pgz.hr/Atl2026!, admin@ak-kvarner.hr/Kvarner2026! demo users 5/5 live tests pass: login JWT, /me, /admin/users, /gdpr/consent, /gdpr/export Note: existing admin.html (CC4 ERP/OCR work) preserved intact; admin_users.html is dedicated user-mgmt page linked from sidebar.	2026-05-05 00:20:03 +02:00
Damir Radulić	492c8fdd87	M1+M2+M10 (CC2 R3): JWT auth + admin users + GDPR backend - auth/auth_v2.py: JWT login/refresh/logout/me + bcrypt + tenant_id/role/tier claims - auth/admin_users.py: /api/admin/users CRUD + invite/role/suspend + bulk CSV - auth/gdpr.py: cookie consent + Art.20 export + Art.17 erasure + admin queue - auth/seed_demo.py: 3 demo tenants + 4 users (damir@pgz.hr / PGZ2026!) - Removed legacy /api/auth/login + /api/auth/me from pgz_sport_api.py - Wired auth/admin/gdpr routers into FastAPI 5/5 live curl tests pass: damir@pgz.hr login → JWT with tenant_id=1, role=pgz_admin, tier=0	2026-05-05 00:09:09 +02:00
CC4-PGZ-Sport	834b7bf89f	M5.1 OCR upload + parse + invoices CRUD (ERP) - erp/ocr.py: FastAPI router under /api/erp/* - POST /ocr/upload: file → pgz_sport.invoice_uploads (sha256, mime, klub_id, tenant_id) - POST /ocr/parse: Tesseract+pdftotext OCR + DeepSeek V3 LLM extraction - GET/POST/PUT /invoices, /invoices/{id}/pay, uploads list - Wired into pgz_sport_api.py - HR invoice regex (OIB, IBAN, datum DD.MM.YYYY i ISO, ukupno/PDV) - DeepSeek V3 returns JSON object {izdavatelj_, kupac_, iznos_neto/pdv/brutto, stavke[], vrsta_troska...} Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>	2026-05-04 23:53:22 +02:00

5 Commits