52ee319fd8
Implements issue #7. Adds an "E-Mail an Auswahl" button on /team that sends personalised emails to a filter-narrowed subset of the team. Each recipient gets their own envelope (per-recipient privacy, no shared To: list); From stays on the SMTP infrastructure address with Reply-To set to the human sender so replies route correctly without forging DKIM/SPF. Backend - Migration 057: paliad.email_broadcasts (subject, body, sender_id, template_key, recipient_filter jsonb, recipient_user_ids uuid[], send_report jsonb, sent_at). RLS: senders read own rows, global_admin reads all; inserts must self-attribute. No CHECK-constraint extension to partner_unit_events — broadcasts get their own table per the lock. - BroadcastService (internal/services/broadcast_service.go): validates subject/body/recipient cap (100), enforces project_lead-OR-global_admin, persists audit row, dispatches via 5-deep goroutine pool with 15s per-send timeout. Send report (sent/failed counts + per-recipient errors) is captured back into email_broadcasts.send_report. - markdown.go: minimal Markdown→safe HTML renderer (paragraphs, **bold**, *italic*, `code`, [text](url), bullet lists). Inputs are HTML-escaped first; only whitelisted tags re-emitted. Script tags and javascript: URLs can't slip through. - Placeholder substitution: {{name}}, {{first_name}}, {{role_on_project}} (whitespace tolerated). Unknown {{...}} tokens pass through unchanged. - mail_service.go: buildMIMEWithReplyTo helper layers a Reply-To header on top of the existing multipart/alternative envelope. - TeamService.ListMembershipsIndex: visibility-gated user→project_ids index. Powers the /team project multi-select filter without N round trips per project. - Handlers: POST /api/team/broadcast (gateOnboarded; service enforces authority), GET /api/team/memberships, GET /api/admin/broadcasts (list), GET /api/admin/broadcasts/{id} (detail), GET /admin/broadcasts (page). /admin/broadcasts is gateOnboarded (not adminGate) so leads can see their own sends; the service applies the per-row visibility filter. Frontend - /team gains a project multi-select chip dropdown (visible projects loaded from /api/projects, intersected against the memberships index) alongside the existing office and role filters. - "E-Mail an Auswahl (N)" button appears only when canBroadcast() is true (global_admin always; non-admin needs lead-ship on selected projects, or at least one project when no filter is set). Server still re-checks per send. - Compose modal (broadcast.ts): subject + body textarea + optional template dropdown (loads existing email templates and strips Go-template directives) + recipient preview (first 5 + expand) + send. Hard-blocks empty subject/body and N=0. Shows per-send report on success. - /admin/broadcasts viewer: read-only list with click-row-to-expand detail (subject, body, recipient list, send_report counts). Tests - broadcast_service_test.go: placeholder substitution table-driven, Markdown safe-render incl. XSS guards (<script>, javascript: URLs), validation cases (empty subject/body, recipient cap, invalid email), signature rendering DE/EN. - broadcast_service_live_test.go: end-to-end Send + List + Get + visibility rules (lead can send on own project, member cannot, admin sees all, member can't read lead's row). Skips when TEST_DATABASE_URL is unset. i18n: 60 new keys × 2 langs (broadcast modal labels, error messages, recipient summary, /admin/broadcasts viewer, common.close/loading/forbidden/ load_error).
203 lines
8.2 KiB
Go
203 lines
8.2 KiB
Go
package main
|
|
|
|
import (
|
|
"context"
|
|
"log"
|
|
"net/http"
|
|
"os"
|
|
"os/signal"
|
|
"syscall"
|
|
|
|
// Embed Go's IANA tz database into the binary so time.LoadLocation works
|
|
// without OS tzdata. The runtime image (alpine) doesn't ship /usr/share/
|
|
// zoneinfo — without this import, every reminder timezone lookup fails
|
|
// silently and the hourly reminder slot fires in UTC instead of the
|
|
// user's chosen tz (t-paliad-064 root cause). Adds ~450KB to the binary.
|
|
_ "time/tzdata"
|
|
|
|
"mgit.msbls.de/m/paliad/internal/auth"
|
|
"mgit.msbls.de/m/paliad/internal/branding"
|
|
"mgit.msbls.de/m/paliad/internal/db"
|
|
"mgit.msbls.de/m/paliad/internal/handlers"
|
|
"mgit.msbls.de/m/paliad/internal/services"
|
|
)
|
|
|
|
func main() {
|
|
port := os.Getenv("PORT")
|
|
if port == "" {
|
|
port = "8080"
|
|
}
|
|
|
|
// Surface the firm name in the boot log so a deployer can confirm
|
|
// FIRM_NAME took effect without curl-ing a rendered page.
|
|
log.Printf("branding: firm=%q (override with FIRM_NAME)", branding.Name)
|
|
|
|
supabaseURL := os.Getenv("SUPABASE_URL")
|
|
supabaseAnonKey := os.Getenv("SUPABASE_ANON_KEY")
|
|
if supabaseURL == "" || supabaseAnonKey == "" {
|
|
log.Fatal("SUPABASE_URL and SUPABASE_ANON_KEY must be set")
|
|
}
|
|
|
|
jwtSecret := os.Getenv("SUPABASE_JWT_SECRET")
|
|
if jwtSecret == "" {
|
|
log.Fatal("SUPABASE_JWT_SECRET must be set — session cookies cannot be trusted without signature verification")
|
|
}
|
|
|
|
client := auth.NewClient(supabaseURL, supabaseAnonKey, []byte(jwtSecret))
|
|
|
|
giteaToken := os.Getenv("GITEA_TOKEN")
|
|
if giteaToken == "" {
|
|
log.Println("GITEA_TOKEN not set — file proxy will not be able to access private repos")
|
|
}
|
|
|
|
// MailService is wired regardless of DB availability — it no-ops when
|
|
// SMTP env vars are unset, so the server stays runnable for knowledge-
|
|
// platform-only deployments. Template-parse errors at boot are fatal.
|
|
mailSvc, err := services.NewMailService()
|
|
if err != nil {
|
|
log.Fatalf("mail service init: %v", err)
|
|
}
|
|
|
|
// Shared context for background goroutines (CalDAV sync + reminder job).
|
|
bgCtx, stop := signal.NotifyContext(context.Background(), syscall.SIGINT, syscall.SIGTERM)
|
|
defer stop()
|
|
|
|
// DATABASE_URL is optional during the Phase A → Phase D transition. The
|
|
// existing knowledge-platform features (Kostenrechner, Glossar, etc.) work
|
|
// without a DB. matter-management endpoints return 503 until DATABASE_URL is set.
|
|
dbURL := os.Getenv("DATABASE_URL")
|
|
var svcBundle *handlers.Services
|
|
var caldavSvc *services.CalDAVService
|
|
|
|
if dbURL != "" {
|
|
log.Println("applying database migrations…")
|
|
if err := db.ApplyMigrations(dbURL); err != nil {
|
|
log.Fatalf("migration failed: %v", err)
|
|
}
|
|
log.Println("database migrations applied")
|
|
|
|
pool, err := db.OpenPool(dbURL)
|
|
if err != nil {
|
|
log.Fatalf("open db pool: %v", err)
|
|
}
|
|
|
|
// Refresh paliad.deadline_search whenever migrations run, so
|
|
// search reflects any newly-seeded rule / concept / trigger.
|
|
// Migration 047 created the matview already-populated; this
|
|
// is only a no-op for the boot that introduced it. CONCURRENTLY
|
|
// keeps reads online and stays well under 100 ms at < 1k rows.
|
|
if err := services.RefreshSearchView(bgCtx, pool); err != nil {
|
|
log.Printf("refresh deadline_search: %v", err)
|
|
}
|
|
holidays := services.NewHolidayService(pool)
|
|
courts := services.NewCourtService(pool)
|
|
users := services.NewUserService(pool)
|
|
projectSvc := services.NewProjectService(pool, users)
|
|
teamSvc := services.NewTeamService(pool, projectSvc)
|
|
partnerUnitSvc := services.NewPartnerUnitService(pool, users)
|
|
rules := services.NewDeadlineRuleService(pool)
|
|
|
|
// Phase F: optional CalDAV cipher. If CALDAV_ENCRYPTION_KEY is unset
|
|
// the service exists but Enabled() reports false; handlers return 501.
|
|
// If the env var is malformed, fail fast — silently skipping would
|
|
// leave plaintext-credential bugs hidden.
|
|
cipher, err := services.LoadCalDAVCipher()
|
|
if err != nil {
|
|
log.Fatalf("CALDAV_ENCRYPTION_KEY: %v", err)
|
|
}
|
|
if cipher == nil {
|
|
log.Println("CALDAV_ENCRYPTION_KEY not set — CalDAV endpoints will return 501")
|
|
} else {
|
|
log.Println("CalDAV encryption configured (AES-256-GCM)")
|
|
}
|
|
|
|
appointmentSvc := services.NewAppointmentService(pool, projectSvc)
|
|
caldavSvc = services.NewCalDAVService(pool, cipher, appointmentSvc)
|
|
// Wire the push hook so user-driven mutations sync to the external
|
|
// calendar without waiting for the next 60-second tick.
|
|
appointmentSvc.SetCalDAVPusher(caldavSvc)
|
|
|
|
baseURL := os.Getenv("PALIAD_BASE_URL")
|
|
inviteSvc := services.NewInviteService(pool, mailSvc, handlers.AllowedEmailDomains, baseURL)
|
|
reminderSvc := services.NewReminderService(pool, mailSvc, users, baseURL)
|
|
|
|
// Wire EmailTemplateService onto the MailService so DB-backed admin
|
|
// edits propagate without a process restart. The constructor is split
|
|
// from MailService creation because the DB pool isn't available yet
|
|
// at the point we build mailSvc above.
|
|
emailTemplateSvc := services.NewEmailTemplateService(pool)
|
|
mailSvc.SetTemplateService(emailTemplateSvc)
|
|
|
|
eventTypeSvc := services.NewEventTypeService(pool, users)
|
|
deadlineSvc := services.NewDeadlineService(pool, projectSvc, eventTypeSvc)
|
|
svcBundle = &handlers.Services{
|
|
Project: projectSvc,
|
|
Team: teamSvc,
|
|
PartnerUnit: partnerUnitSvc,
|
|
Party: services.NewPartyService(pool, projectSvc),
|
|
Deadline: deadlineSvc,
|
|
Appointment: appointmentSvc,
|
|
CalDAV: caldavSvc,
|
|
Rules: rules,
|
|
Calculator: services.NewDeadlineCalculator(holidays),
|
|
Users: users,
|
|
Fristenrechner: services.NewFristenrechnerService(rules, holidays, courts),
|
|
EventDeadline: services.NewEventDeadlineService(pool, services.NewDeadlineCalculator(holidays), holidays, courts),
|
|
Courts: courts,
|
|
DeadlineSearch: services.NewDeadlineSearchService(pool),
|
|
EventCategory: nil, // wired below; cross-link order matters
|
|
EventType: eventTypeSvc,
|
|
Dashboard: services.NewDashboardService(pool, users),
|
|
Note: services.NewNoteService(pool, projectSvc, appointmentSvc),
|
|
ChecklistInst: services.NewChecklistInstanceService(pool, projectSvc),
|
|
Mail: mailSvc,
|
|
Invite: inviteSvc,
|
|
Agenda: services.NewAgendaService(pool, users, eventTypeSvc),
|
|
Audit: services.NewAuditService(pool),
|
|
EmailTemplate: emailTemplateSvc,
|
|
Link: services.NewLinkService(pool),
|
|
Event: services.NewEventService(pool, deadlineSvc, appointmentSvc),
|
|
Approval: services.NewApprovalService(pool, users),
|
|
Derivation: services.NewDerivationService(pool, projectSvc, partnerUnitSvc),
|
|
UserView: services.NewUserViewService(pool),
|
|
Broadcast: services.NewBroadcastService(pool, mailSvc, users, teamSvc, emailTemplateSvc),
|
|
}
|
|
// Wire ApprovalService into the entity services so Create / Update /
|
|
// Complete / Delete consult paliad.approval_policies (t-paliad-138).
|
|
// Without this wiring, the policies and request tables exist but no
|
|
// mutation path consults them — paliad behaves as before.
|
|
deadlineSvc.SetApprovalService(svcBundle.Approval)
|
|
appointmentSvc.SetApprovalService(svcBundle.Approval)
|
|
// v3 (t-paliad-133): wire EventCategoryService and cross-link
|
|
// it into DeadlineSearchService so ?event_category_slug= can
|
|
// resolve to a concept-id allow-list during search.
|
|
eventCategorySvc := services.NewEventCategoryService(pool)
|
|
svcBundle.EventCategory = eventCategorySvc
|
|
svcBundle.DeadlineSearch.SetEventCategoryService(eventCategorySvc)
|
|
log.Println("Phase B services initialised")
|
|
|
|
// Spawn background goroutines: CalDAV sync (one per enabled user)
|
|
// and the hourly reminder scanner. Both live for the process
|
|
// lifetime; the signal-scoped context cleans them up on SIGTERM.
|
|
if err := caldavSvc.Start(bgCtx); err != nil {
|
|
log.Printf("CalDAV start: %v", err)
|
|
}
|
|
reminderSvc.Start(bgCtx)
|
|
go func() {
|
|
<-bgCtx.Done()
|
|
log.Println("background services: shutdown signal received")
|
|
caldavSvc.Stop()
|
|
}()
|
|
} else {
|
|
log.Println("DATABASE_URL not set — matter-management endpoints will return 503")
|
|
}
|
|
|
|
mux := http.NewServeMux()
|
|
handlers.Register(mux, client, giteaToken, svcBundle)
|
|
|
|
log.Printf("paliad server starting on :%s", port)
|
|
if err := http.ListenAndServe(":"+port, mux); err != nil {
|
|
log.Fatal(err)
|
|
}
|
|
}
|