Session 2026-04-23: Security, Content-Schutz, Wiki-Temperament-Migration

Security (9 Fixes): - JWT_SECRET Pflicht-Check beim Start (Production) - Rate-Limit: Login (10/5min), Register (5/h), KI-Training (10/h), Giftköder (3/h) - KI-Training-Endpoint: Auth-Pflicht hinzugefügt - Private Profile aus Freunde-Suche gefiltert - OG-Tags XSS mit html.escape() gesichert - Globales File-Upload-Limit 20 MB (Middleware) - E-Mail-Maskierung für Moderatoren im Admin-Panel - IP-Blocklist in ratelimit.py Content-Schutz (4 Schichten): - robots.txt: /api/ komplett Disallow, SSR-Seiten Allow - Rate-Limit auf /api/wiki/rassen (60/min) + Detail (30/min) - Honeypot /api/wiki/trap + unsichtbarer Link in index.html - Wasserzeichen in KI-Enricher-Prompt Wiki Temperament-Migration: - 60-Wort Übersetzungsmap EN→DE - Datenmüll-Filter (hunderasse, dog breed etc.) - translate_existing_temperaments() + Admin-Button - SW by-v318, APP_VER 306
2026-04-23 18:34:05 +02:00 · 2026-04-23 18:34:05 +02:00 · 15f854d96c
commit 15f854d96c
parent 0f5f1c4c30
15 changed files with 284 additions and 53 deletions
--- a/backend/routes/admin.py
+++ b/backend/routes/admin.py
@ -206,8 +206,11 @@ async def list_users(
            where += " AND u.rolle = ?"
            params.append(rolle)

+        # E-Mail nur für Admins; Moderatoren sehen maskierte Version
+        _email_col = "u.email" if user["rolle"] == "admin" else \
+                     "SUBSTR(u.email,1,2)||'***@'||SUBSTR(u.email,INSTR(u.email,'@')+1) AS email"
        rows = conn.execute(f"""
-            SELECT u.id, u.name, u.email, u.rolle, u.is_premium,
+            SELECT u.id, u.name, {_email_col}, u.rolle, u.is_premium,
                   u.is_moderator, u.is_banned, u.ban_reason,
                   u.created_at, u.last_login,
                   (SELECT COUNT(*) FROM dogs d WHERE d.user_id=u.id) AS dog_count,
@ -587,6 +590,16 @@ async def wiki_enrich(data: WikiEnrichBody, user=Depends(require_mod)):
    return {"enriched": enriched, "remaining": remaining}


+# ------------------------------------------------------------------
+# POST /api/admin/wiki/translate-temperament — einmalige Migration
+# ------------------------------------------------------------------
+@router.post("/wiki/translate-temperament")
+async def wiki_translate_temperament(user=Depends(require_mod)):
+    from scraper.breed_enricher import translate_existing_temperaments
+    updated = translate_existing_temperaments()
+    return {"updated": updated}
+
+
 # ------------------------------------------------------------------
 # DELETE /api/admin/wiki/zuchter/{id} — Züchter-Eintrag löschen (Admin/Mod)
 # ------------------------------------------------------------------