ifb-schulapp

simon/ifb-schulapp

Fork 0

Commit Graph

Author	SHA1	Message	Date
Simon	0dd915eeb2	fix: harden auth, admin, teacher, and e2ee endpoints - Invalidate JWTs on password change/reset via token_version - Constant-time login compare against dummy hash to prevent user enum - Register validates subject against subjects table + user_subjects link - Last-admin guard on account delete and admin role/status PATCH - purgeUser unlinks teacher_materials storage files - 2FA setup/regenerate require password, setup blocks while enabled - Group sender keys: existing-distributor check + INSERT OR IGNORE - class_events: type whitelist, ISO date regex, end >= start check - Teacher absences DELETE: ownership check (teacher_id) - class_timetable POST: HHMM validation, overlap detection - class_timetable PUT: subject restricted to teacher list, HHMM + overlap - Register VALID_SUBJECTS removed; dynamic subjects from DB - /api/subjects made public (needed by register form)	2026-04-21 13:18:17 +02:00
Simon	5ff616e0d9	chore: remove school-brand impersonation from public pages - Replace "IFB-Berufsfachschule Rosenheim" brand text with neutral "Klassenportal" labels in titles, brand headers, and footers. - Rewrite privacy-policy responsible-party section to clarify this is a private, non-official project (no school/organization affiliation). - Include prior uncommitted work on index.html and app.html. Retain factual audience descriptors ("Nur für IFB-Schüler") and external links to the school website; these reference but do not impersonate.	2026-04-18 01:33:53 +02:00

Author

SHA1

Message

Date

Simon

0dd915eeb2

fix: harden auth, admin, teacher, and e2ee endpoints

- Invalidate JWTs on password change/reset via token_version
- Constant-time login compare against dummy hash to prevent user enum
- Register validates subject against subjects table + user_subjects link
- Last-admin guard on account delete and admin role/status PATCH
- purgeUser unlinks teacher_materials storage files
- 2FA setup/regenerate require password, setup blocks while enabled
- Group sender keys: existing-distributor check + INSERT OR IGNORE
- class_events: type whitelist, ISO date regex, end >= start check
- Teacher absences DELETE: ownership check (teacher_id)
- class_timetable POST: HHMM validation, overlap detection
- class_timetable PUT: subject restricted to teacher list, HHMM + overlap
- Register VALID_SUBJECTS removed; dynamic subjects from DB
- /api/subjects made public (needed by register form)

2026-04-21 13:18:17 +02:00

Simon

5ff616e0d9

chore: remove school-brand impersonation from public pages

- Replace "IFB-Berufsfachschule Rosenheim" brand text with neutral "Klassenportal" labels in titles, brand headers, and footers.
- Rewrite privacy-policy responsible-party section to clarify this is a private, non-official project (no school/organization affiliation).
- Include prior uncommitted work on index.html and app.html.

Retain factual audience descriptors ("Nur für IFB-Schüler") and external links to the school website; these reference but do not impersonate.

2026-04-18 01:33:53 +02:00

2 Commits