fix: nil-pointer in DeleteMediaUI, restricted delete-check in tenant handler, SCHEMA fix

- HandleDeleteMediaUI: check err after media.Get before using asset (prevents nil-pointer panic) - HandleTenantDeleteMedia: add restricted-user ownership check (K3) - HandleTenantDashboard: filter media list by ownerUserID for restricted users - SCHEMA.md: correct created_by_user_id to 'text null ... on delete set null' Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
docs: media_assets.created_by_user_id + Berechtigungslogik dokumentiert
2026-03-28 09:18:12 +01:00 · 2026-03-28 09:14:35 +01:00 · 2026-03-28 09:13:07 +01:00 · 2026-03-28 09:11:16 +01:00 · 2026-03-28 09:09:59 +01:00 · 2026-03-28 09:07:13 +01:00
11 changed files with 1171 additions and 51 deletions
--- a/docs/API-ENDPOINTS.md
+++ b/docs/API-ENDPOINTS.md
@ -428,6 +428,10 @@ default_duration_seconds=25

 Listet alle Medien-Assets eines Tenants auf.

+**Rolle `restricted`:** Gibt nur Medien zurück, die der eingeloggte User selbst hochgeladen hat (`created_by_user_id = user.id`).
+
+**Alle anderen Rollen (`admin_user`, `screen_user`):** Alle Medien des Tenants. Response-Felder `owner_is_restricted` und `owner_username` sind befüllt, wenn das Medium von einem Restricted-User hochgeladen wurde.
+
 **Response:**
 ```json
 [
@ -444,7 +448,9 @@ Listet alle Medien-Assets eines Tenants auf.
    "size_bytes": 102400,
    "enabled": true,
    "created_at": "2026-03-22T16:00:00Z",
-    "updated_at": "2026-03-22T16:00:00Z"
+    "updated_at": "2026-03-22T16:00:00Z",
+    "owner_is_restricted": false,
+    "owner_username": "admin"
  },
  {
    "id": "uuid...",
@ -455,7 +461,9 @@ Listet alle Medien-Assets eines Tenants auf.
    "original_url": "http://example.com",
    "storage_path": null,
    "enabled": true,
-    "created_at": "2026-03-22T16:00:00Z"
+    "created_at": "2026-03-22T16:00:00Z",
+    "owner_is_restricted": true,
+    "owner_username": "teacher01"
  }
 ]
 ```
@ -471,7 +479,7 @@ Wenn keine Assets vorhanden sind, wird eine leere Liste zurückgegeben.

 ### POST /api/v1/tenants/{tenantSlug}/media

-Registriert ein neues Medien-Asset (Datei-Upload oder externe URL).
+Registriert ein neues Medien-Asset (Datei-Upload oder externe URL). Setzt `created_by_user_id` auf die ID des eingeloggten Users.

 **Request-Typ A: Datei-Upload (Multipart)**
 ```
@ -503,7 +511,9 @@ url: http://example.com
  "mime_type": "image/jpeg",
  "size_bytes": 102400,
  "enabled": true,
-  "created_at": "2026-03-22T16:00:00Z"
+  "created_at": "2026-03-22T16:00:00Z",
+  "owner_is_restricted": false,
+  "owner_username": "teacher01"
 }
 ```

@ -519,8 +529,14 @@ url: http://example.com

 Löscht ein Medien-Asset (und physische Datei falls lokal gespeichert).

+**Berechtigungen:**
+- **admin_user:** Immer erlaubt
+- **screen_user:** Erlaubt, wenn `asset.tenant_id == user.tenant_id`
+- **restricted:** Erlaubt nur wenn `asset.created_by_user_id == user.id` (eigenes Medium)
+
 **Status:**
 - `204 No Content` — Erfolgreich gelöscht
+- `403 Forbidden` — User hat nicht die erforderliche Berechtigung
 - `404 Not Found` — Asset nicht vorhanden
 - `500 Internal Server Error` — DB-Fehler

--- a/docs/SCHEMA.md
+++ b/docs/SCHEMA.md
@ -269,7 +269,7 @@ mime_type text null
 checksum text null
 size_bytes bigint null
 enabled boolean not null default true
-created_by_user_id uuid not null references users(id) on delete restrict
+created_by_user_id text null references users(id) on delete set null
 created_at timestamptz not null
 updated_at timestamptz not null
 ```
@ -653,6 +653,7 @@ Empfohlen mindestens:
 ```sql
 create index idx_screens_tenant_id on screens(tenant_id);
 create index idx_media_assets_tenant_id on media_assets(tenant_id);
+create index idx_media_assets_created_by_user_id on media_assets(created_by_user_id);
 create index idx_playlists_screen_id on playlists(screen_id);
 create index idx_playlist_items_playlist_id_order on playlist_items(playlist_id, order_index);
 create index idx_campaigns_active_validity on campaigns(active, valid_from, valid_until);
--- a/docs/superpowers/plans/2026-03-28-user-spezifische-medien.md
+++ b/docs/superpowers/plans/2026-03-28-user-spezifische-medien.md
@ -0,0 +1,784 @@
+# User-spezifische Medien für Restricted Users — Implementation Plan
+
+> **For agentic workers:** REQUIRED SUB-SKILL: Use superpowers:subagent-driven-development (recommended) or superpowers:executing-plans to implement this plan task-by-task. Steps use checkbox (`- [ ]`) syntax for tracking.
+
+**Goal:** Restricted Users sehen und verwalten nur eigene Medien; Admins/screen_users sehen alle Medien mit Toggle zum Ein-/Ausblenden von Restricted-Medien.
+
+**Architecture:** Ownership-Feld in DB, Filter im Store-Layer (LEFT JOIN für owner-Info), Rolle-basierte Handler-Logik, clientseitiger JS-Toggle. Neue Hilfsfunktion `canDeleteMedia` für isoliert testbare Berechtigungslogik.
+
+**Tech Stack:** Go (pgx, net/http), PostgreSQL, Go-Templates, Vanilla JS, Bulma CSS
+
+---
+
+## Betroffene Dateien
+
+| Datei | Art |
+|---|---|
+| `server/backend/db/migrations/007_media_owner.sql` | Neu |
+| `server/backend/internal/store/store.go` | Modify — MediaAsset, scanMedia, scanMediaFull, List, Create, Get |
+| `server/backend/internal/httpapi/manage/media.go` | Modify — canDeleteMedia + Handler |
+| `server/backend/internal/httpapi/manage/media_test.go` | Neu — Tests |
+| `server/backend/internal/httpapi/manage/ui.go` | Modify — HandleManageUI, HandleUploadMediaUI, HandleDeleteMediaUI |
+| `server/backend/internal/httpapi/tenant/tenant.go` | Modify — HandleTenantDashboard, HandleTenantUpload |
+| `server/backend/internal/httpapi/manage/templates.go` | Modify — Badge, Toggle, JS |
+| `docs/SCHEMA.md` | Modify |
+| `docs/API-ENDPOINTS.md` | Modify |
+
+---
+
+### Task 1: DB Migration — `created_by_user_id`
+
+**Files:**
+- Create: `server/backend/db/migrations/007_media_owner.sql`
+
+- [ ] **Step 1: Migrationsdatei anlegen**
+
+```sql
+-- 007_media_owner.sql
+-- Fügt Besitzer-Referenz zu media_assets hinzu.
+-- ON DELETE SET NULL: Medium bleibt erhalten wenn User gelöscht wird.
+
+ALTER TABLE media_assets
+  ADD COLUMN created_by_user_id text NULL
+  REFERENCES users(id) ON DELETE SET NULL;
+
+CREATE INDEX idx_media_assets_created_by_user_id
+  ON media_assets(created_by_user_id);
+```
+
+- [ ] **Step 2: Migration ausführen (lokal gegen Dev-DB)**
+
+```bash
+docker compose -f compose/server-stack.yml exec -T db \
+  psql -U morz -d morz -f /dev/stdin < server/backend/db/migrations/007_media_owner.sql
+```
+
+Erwartet: `ALTER TABLE`, `CREATE INDEX`, kein ERROR.
+
+- [ ] **Step 3: Commit**
+
+```bash
+git add server/backend/db/migrations/007_media_owner.sql
+git commit -m "feat(db): created_by_user_id zu media_assets hinzufügen"
+```
+
+---
+
+### Task 2: Store-Layer — Struct, Scan, List, Create, Get
+
+**Files:**
+- Modify: `server/backend/internal/store/store.go`
+
+Kontext: `MediaAsset` liegt bei ca. Zeile 52. `scanMedia` bei Zeile 416, `List` bei 370, `Create` bei 400, `Get` bei 391.
+
+- [ ] **Step 1: `MediaAsset`-Struct erweitern**
+
+Aktuelles Struct (Zeilen 52–63) ersetzen durch:
+
+```go
+type MediaAsset struct {
+	ID                string    `json:"id"`
+	TenantID          string    `json:"tenant_id"`
+	Title             string    `json:"title"`
+	Type              string    `json:"type"` // image | video | pdf | web
+	StoragePath       string    `json:"storage_path,omitempty"`
+	OriginalURL       string    `json:"original_url,omitempty"`
+	MimeType          string    `json:"mime_type,omitempty"`
+	SizeBytes         int64     `json:"size_bytes,omitempty"`
+	Enabled           bool      `json:"enabled"`
+	CreatedAt         time.Time `json:"created_at"`
+	CreatedByUserID   string    `json:"created_by_user_id,omitempty"`
+	OwnerIsRestricted bool      `json:"owner_is_restricted,omitempty"`
+	OwnerUsername     string    `json:"owner_username,omitempty"`
+}
+```
+
+- [ ] **Step 2: `scanMedia` aktualisieren (11 Felder, +`created_by_user_id`)**
+
+```go
+func scanMedia(row interface {
+	Scan(dest ...any) error
+}) (*MediaAsset, error) {
+	var m MediaAsset
+	err := row.Scan(&m.ID, &m.TenantID, &m.Title, &m.Type,
+		&m.StoragePath, &m.OriginalURL, &m.MimeType, &m.SizeBytes,
+		&m.Enabled, &m.CreatedAt, &m.CreatedByUserID)
+	if err != nil {
+		return nil, fmt.Errorf("scan media: %w", err)
+	}
+	return &m, nil
+}
+```
+
+- [ ] **Step 3: Neue Funktion `scanMediaFull` direkt nach `scanMedia` einfügen (13 Felder)**
+
+```go
+func scanMediaFull(row interface {
+	Scan(dest ...any) error
+}) (*MediaAsset, error) {
+	var m MediaAsset
+	var ownerRole string
+	err := row.Scan(&m.ID, &m.TenantID, &m.Title, &m.Type,
+		&m.StoragePath, &m.OriginalURL, &m.MimeType, &m.SizeBytes,
+		&m.Enabled, &m.CreatedAt, &m.CreatedByUserID,
+		&ownerRole, &m.OwnerUsername)
+	if err != nil {
+		return nil, fmt.Errorf("scan media full: %w", err)
+	}
+	m.OwnerIsRestricted = ownerRole == "restricted"
+	return &m, nil
+}
+```
+
+- [ ] **Step 4: `MediaStore.List` ersetzen — neue Signatur + LEFT JOIN**
+
+```go
+func (s *MediaStore) List(ctx context.Context, tenantID, ownerUserID string) ([]*MediaAsset, error) {
+	const base = `
+		SELECT m.id, m.tenant_id, m.title, m.type,
+		       coalesce(m.storage_path,''), coalesce(m.original_url,''),
+		       coalesce(m.mime_type,''), coalesce(m.size_bytes,0),
+		       m.enabled, m.created_at, coalesce(m.created_by_user_id,''),
+		       coalesce(u.role,''), coalesce(u.username,'')
+		  FROM media_assets m
+		  LEFT JOIN users u ON m.created_by_user_id = u.id
+		 WHERE m.tenant_id=$1`
+
+	var rows pgx.Rows
+	var err error
+	if ownerUserID != "" {
+		rows, err = s.pool.Query(ctx, base+` AND m.created_by_user_id=$2 ORDER BY m.created_at DESC`, tenantID, ownerUserID)
+	} else {
+		rows, err = s.pool.Query(ctx, base+` ORDER BY m.created_at DESC`, tenantID)
+	}
+	if err != nil {
+		return nil, err
+	}
+	defer rows.Close()
+	var out []*MediaAsset
+	for rows.Next() {
+		m, err := scanMediaFull(rows)
+		if err != nil {
+			return nil, err
+		}
+		out = append(out, m)
+	}
+	return out, rows.Err()
+}
+```
+
+- [ ] **Step 5: `MediaStore.Create` — `createdByUserID` Parameter hinzufügen**
+
+```go
+func (s *MediaStore) Create(ctx context.Context, tenantID, title, assetType, storagePath, originalURL, mimeType, createdByUserID string, sizeBytes int64) (*MediaAsset, error) {
+	row := s.pool.QueryRow(ctx,
+		`INSERT INTO media_assets(tenant_id, title, type, storage_path, original_url, mime_type, size_bytes, created_by_user_id)
+		 VALUES($1,$2,$3,nullif($4,''),nullif($5,''),nullif($6,''),nullif($7,0),nullif($8,''))
+		 RETURNING id, tenant_id, title, type, coalesce(storage_path,''),
+		           coalesce(original_url,''), coalesce(mime_type,''), coalesce(size_bytes,0),
+		           enabled, created_at, coalesce(created_by_user_id,'')`,
+		tenantID, title, assetType, storagePath, originalURL, mimeType, sizeBytes, createdByUserID)
+	return scanMedia(row)
+}
+```
+
+- [ ] **Step 6: `MediaStore.Get` — `created_by_user_id` zur Query hinzufügen**
+
+```go
+func (s *MediaStore) Get(ctx context.Context, id string) (*MediaAsset, error) {
+	row := s.pool.QueryRow(ctx,
+		`SELECT id, tenant_id, title, type, coalesce(storage_path,''),
+		        coalesce(original_url,''), coalesce(mime_type,''), coalesce(size_bytes,0),
+		        enabled, created_at, coalesce(created_by_user_id,'')
+		   FROM media_assets WHERE id=$1`, id)
+	return scanMedia(row)
+}
+```
+
+- [ ] **Step 7: Build prüfen**
+
+```bash
+cd server/backend && go build ./...
+```
+
+Erwartet: keine Fehler. Compilerfehler zeigen alle Call-Sites die noch auf alte Signaturen zeigen.
+
+- [ ] **Step 8: Commit**
+
+```bash
+git add server/backend/internal/store/store.go
+git commit -m "feat(store): MediaAsset-Ownership — List/Create/Get mit created_by_user_id"
+```
+
+---
+
+### Task 3: `manage/media.go` — Handler + `canDeleteMedia` + Tests
+
+**Files:**
+- Modify: `server/backend/internal/httpapi/manage/media.go`
+- Create: `server/backend/internal/httpapi/manage/media_test.go`
+
+- [ ] **Step 1: `canDeleteMedia` Hilfsfunktion am Ende von `media.go` hinzufügen**
+
+```go
+// canDeleteMedia prüft ob User u das Medium asset löschen darf.
+// admin:       immer erlaubt
+// screen_user: Tenant-Match reicht
+// restricted:  Tenant-Match UND Besitzer-Match
+func canDeleteMedia(u *store.User, asset *store.MediaAsset) bool {
+	if u.Role == "admin" {
+		return true
+	}
+	if u.TenantID != asset.TenantID {
+		return false
+	}
+	if u.Role == "restricted" {
+		return asset.CreatedByUserID == u.ID
+	}
+	return true
+}
+```
+
+- [ ] **Step 2: Testdatei anlegen und failing Tests schreiben**
+
+`server/backend/internal/httpapi/manage/media_test.go`:
+
+```go
+package manage
+
+import (
+	"testing"
+
+	"git.az-it.net/az/morz-infoboard/server/backend/internal/store"
+)
+
+func TestCanDeleteMedia(t *testing.T) {
+	asset := &store.MediaAsset{TenantID: "t1", CreatedByUserID: "u1"}
+
+	tests := []struct {
+		name    string
+		user    *store.User
+		allowed bool
+	}{
+		{
+			name:    "admin darf immer",
+			user:    &store.User{Role: "admin", TenantID: "t2", ID: "x"},
+			allowed: true,
+		},
+		{
+			name:    "screen_user eigener Tenant",
+			user:    &store.User{Role: "screen_user", TenantID: "t1", ID: "x"},
+			allowed: true,
+		},
+		{
+			name:    "screen_user fremder Tenant",
+			user:    &store.User{Role: "screen_user", TenantID: "t2", ID: "x"},
+			allowed: false,
+		},
+		{
+			name:    "restricted eigenes Medium",
+			user:    &store.User{Role: "restricted", TenantID: "t1", ID: "u1"},
+			allowed: true,
+		},
+		{
+			name:    "restricted fremdes Medium gleicher Tenant",
+			user:    &store.User{Role: "restricted", TenantID: "t1", ID: "u2"},
+			allowed: false,
+		},
+		{
+			name:    "restricted fremder Tenant",
+			user:    &store.User{Role: "restricted", TenantID: "t2", ID: "u1"},
+			allowed: false,
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			got := canDeleteMedia(tt.user, asset)
+			if got != tt.allowed {
+				t.Errorf("canDeleteMedia() = %v, want %v", got, tt.allowed)
+			}
+		})
+	}
+}
+```
+
+- [ ] **Step 3: Tests ausführen — müssen FAIL wegen fehlendem `canDeleteMedia`**
+
+```bash
+cd server/backend && go test ./internal/httpapi/manage/... -run TestCanDeleteMedia -v
+```
+
+Erwartet: FAIL (undefined: canDeleteMedia) oder compile error.
+
+- [ ] **Step 4: `canDeleteMedia` ist bereits in Step 1 geschrieben — Tests nochmal ausführen**
+
+```bash
+cd server/backend && go test ./internal/httpapi/manage/... -run TestCanDeleteMedia -v
+```
+
+Erwartet: 6/6 PASS.
+
+- [ ] **Step 5: `HandleListMedia` aktualisieren — ownerUserID nach Rolle setzen**
+
+```go
+func HandleListMedia(tenants *store.TenantStore, media *store.MediaStore) http.HandlerFunc {
+	return func(w http.ResponseWriter, r *http.Request) {
+		tenant, err := tenants.Get(r.Context(), r.PathValue("tenantSlug"))
+		if err != nil {
+			http.Error(w, "tenant not found", http.StatusNotFound)
+			return
+		}
+		u := reqcontext.UserFromContext(r.Context())
+		ownerUserID := ""
+		if u != nil && u.Role == "restricted" {
+			ownerUserID = u.ID
+		}
+		assets, err := media.List(r.Context(), tenant.ID, ownerUserID)
+		if err != nil {
+			http.Error(w, "db error", http.StatusInternalServerError)
+			return
+		}
+		if assets == nil {
+			assets = []*store.MediaAsset{}
+		}
+		w.Header().Set("Content-Type", "application/json")
+		json.NewEncoder(w).Encode(assets) //nolint:errcheck
+	}
+}
+```
+
+- [ ] **Step 6: `HandleUploadMedia` aktualisieren — user.ID an Create übergeben**
+
+Beide `media.Create`-Aufrufe in der Funktion müssen `createdByUserID` erhalten. Den User am Anfang der Funktion extrahieren, dann an beide Create-Calls anhängen:
+
+```go
+func HandleUploadMedia(tenants *store.TenantStore, media *store.MediaStore, uploadDir string) http.HandlerFunc {
+	return func(w http.ResponseWriter, r *http.Request) {
+		tenant, err := tenants.Get(r.Context(), r.PathValue("tenantSlug"))
+		if err != nil {
+			http.Error(w, "tenant not found", http.StatusNotFound)
+			return
+		}
+		tenantID := tenant.ID
+
+		u := reqcontext.UserFromContext(r.Context())
+		createdByUserID := ""
+		if u != nil {
+			createdByUserID = u.ID
+		}
+
+		// W3: MaxBytesReader begrenzt den gesamten Request-Body auf maxUploadSize.
+		r.Body = http.MaxBytesReader(w, r.Body, maxUploadSize)
+		if err := r.ParseMultipartForm(maxUploadSize); err != nil {
+			http.Error(w, "request too large or not multipart", http.StatusBadRequest)
+			return
+		}
+
+		assetType := strings.TrimSpace(r.FormValue("type"))
+		title := strings.TrimSpace(r.FormValue("title"))
+
+		switch assetType {
+		case "web":
+			url := strings.TrimSpace(r.FormValue("url"))
+			if url == "" {
+				http.Error(w, "url required for type=web", http.StatusBadRequest)
+				return
+			}
+			if title == "" {
+				title = url
+			}
+			asset, err := media.Create(r.Context(), tenantID, title, "web", "", url, "", createdByUserID, 0)
+			if err != nil {
+				http.Error(w, "db error", http.StatusInternalServerError)
+				return
+			}
+			w.Header().Set("Content-Type", "application/json")
+			w.WriteHeader(http.StatusCreated)
+			json.NewEncoder(w).Encode(asset) //nolint:errcheck
+			return
+
+		case "image", "video", "pdf":
+			file, header, err := r.FormFile("file")
+			if err != nil {
+				http.Error(w, "file required for type="+assetType, http.StatusBadRequest)
+				return
+			}
+			defer file.Close()
+
+			mimeType := header.Header.Get("Content-Type")
+			if detectedType := mimeToAssetType(mimeType); detectedType != "" {
+				assetType = detectedType
+			}
+			if title == "" {
+				title = strings.TrimSuffix(header.Filename, filepath.Ext(header.Filename))
+			}
+
+			storagePath, size, err := fileutil.SaveUploadedFile(file, header.Filename, title, uploadDir, r.PathValue("tenantSlug"))
+			if err != nil {
+				http.Error(w, "storage error", http.StatusInternalServerError)
+				return
+			}
+
+			asset, err := media.Create(r.Context(), tenantID, title, assetType, storagePath, "", mimeType, createdByUserID, size)
+			if err != nil {
+				http.Error(w, "db error", http.StatusInternalServerError)
+				return
+			}
+			w.Header().Set("Content-Type", "application/json")
+			w.WriteHeader(http.StatusCreated)
+			json.NewEncoder(w).Encode(asset) //nolint:errcheck
+
+		default:
+			http.Error(w, "type must be one of: image, video, pdf, web", http.StatusBadRequest)
+		}
+	}
+}
+```
+
+- [ ] **Step 7: `HandleDeleteMedia` aktualisieren — `canDeleteMedia` verwenden**
+
+Den aktuellen K3-Block (ab `u := reqcontext...`) ersetzen:
+
+```go
+func HandleDeleteMedia(media *store.MediaStore, uploadDir string) http.HandlerFunc {
+	return func(w http.ResponseWriter, r *http.Request) {
+		id := r.PathValue("id")
+		asset, err := media.Get(r.Context(), id)
+		if err != nil {
+			http.Error(w, "not found", http.StatusNotFound)
+			return
+		}
+
+		// K3: Rolle-bewusste Berechtigungsprüfung.
+		u := reqcontext.UserFromContext(r.Context())
+		if u == nil || !canDeleteMedia(u, asset) {
+			http.Error(w, "Forbidden", http.StatusForbidden)
+			return
+		}
+
+		if asset.StoragePath != "" {
+			filename := filepath.Base(asset.StoragePath)
+			os.Remove(filepath.Join(uploadDir, filename)) //nolint:errcheck
+		}
+
+		if err := media.Delete(r.Context(), id); err != nil {
+			http.Error(w, "db error", http.StatusInternalServerError)
+			return
+		}
+		w.WriteHeader(http.StatusNoContent)
+	}
+}
+```
+
+- [ ] **Step 8: Build + Tests**
+
+```bash
+cd server/backend && go build ./... && go test ./internal/httpapi/manage/... -v
+```
+
+Erwartet: kein Compilerfehler, alle Tests PASS.
+
+- [ ] **Step 9: Commit**
+
+```bash
+git add server/backend/internal/httpapi/manage/media.go \
+        server/backend/internal/httpapi/manage/media_test.go
+git commit -m "feat(manage): canDeleteMedia + handler role-awareness für restricted users"
+```
+
+---
+
+### Task 4: `manage/ui.go` — HandleManageUI, HandleUploadMediaUI, HandleDeleteMediaUI
+
+**Files:**
+- Modify: `server/backend/internal/httpapi/manage/ui.go`
+
+- [ ] **Step 1: `HandleManageUI` — `media.List` Call anpassen (ca. Zeile 397)**
+
+Den Block:
+```go
+assets, err := media.List(r.Context(), screen.TenantID)
+```
+ersetzen durch:
+```go
+ownerUserID := ""
+if u := reqcontext.UserFromContext(r.Context()); u != nil && u.Role == "restricted" {
+    ownerUserID = u.ID
+}
+assets, err := media.List(r.Context(), screen.TenantID, ownerUserID)
+```
+
+Hinweis: `u` wird weiter unten (Zeile ~437) nochmal aus Context gelesen — das ist kein Problem, `reqcontext.UserFromContext` ist idempotent.
+
+- [ ] **Step 2: `HandleUploadMediaUI` — `createdByUserID` an Create-Aufrufe übergeben**
+
+Am Anfang des Handlers (nach dem Tenant-Slug-Block, ca. Zeile 622) existiert bereits:
+```go
+if u := reqcontext.UserFromContext(r.Context()); u != nil && u.TenantSlug != "" {
+    tenantSlug = u.TenantSlug
+}
+```
+
+Direkt danach `createdByUserID` extrahieren:
+```go
+createdByUserID := ""
+if u := reqcontext.UserFromContext(r.Context()); u != nil {
+    createdByUserID = u.ID
+}
+```
+
+Dann beide `media.Create`-Aufrufe (Zeilen 640 und 658) anpassen:
+
+```go
+// web-Zweig (Zeile ~640):
+_, err = media.Create(r.Context(), screen.TenantID, title, "web", "", url, "", createdByUserID, 0)
+
+// file-Zweig (Zeile ~658):
+_, err = media.Create(r.Context(), screen.TenantID, title, assetType, storagePath, "", mimeType, createdByUserID, size)
+```
+
+- [ ] **Step 3: `HandleDeleteMediaUI` — K3-Check für restricted users hinzufügen**
+
+Nach dem `asset, err := media.Get(...)` Block (ca. Zeile 862) einfügen:
+
+```go
+// K3: Restricted User darf nur eigene Medien löschen.
+if u := reqcontext.UserFromContext(r.Context()); u != nil && !canDeleteMedia(u, asset) {
+    http.Error(w, "Forbidden", http.StatusForbidden)
+    return
+}
+```
+
+- [ ] **Step 4: Build**
+
+```bash
+cd server/backend && go build ./...
+```
+
+Erwartet: kein Fehler.
+
+- [ ] **Step 5: Commit**
+
+```bash
+git add server/backend/internal/httpapi/manage/ui.go
+git commit -m "feat(ui): manage-Handler — restricted-aware List/Create/Delete"
+```
+
+---
+
+### Task 5: `tenant/tenant.go` — HandleTenantDashboard + HandleTenantUpload
+
+**Files:**
+- Modify: `server/backend/internal/httpapi/tenant/tenant.go`
+
+- [ ] **Step 1: `HandleTenantDashboard` — List-Call anpassen (Zeile ~76)**
+
+```go
+// Vorher:
+assets, err := mediaStore.List(r.Context(), tenant.ID)
+
+// Nachher:
+assets, err := mediaStore.List(r.Context(), tenant.ID, "")
+```
+
+Tenant-Dashboard wird nur von Admins und screen_users genutzt (restricted users landen auf `/manage/{screenSlug}`), daher kein ownerUserID-Filter nötig.
+
+- [ ] **Step 2: `HandleTenantUpload` — `createdByUserID` an Create-Aufrufe übergeben**
+
+Am Anfang des Handlers (nach `tenantSlug` Extraktion) einfügen:
+
+```go
+createdByUserID := ""
+if u := reqcontext.UserFromContext(r.Context()); u != nil {
+    createdByUserID = u.ID
+}
+```
+
+Beide `mediaStore.Create`-Aufrufe (Zeilen ~161 und ~185) anpassen:
+
+```go
+// web-Zweig (~Zeile 161):
+_, err = mediaStore.Create(r.Context(), tenant.ID, title, "web", "", url, "", createdByUserID, 0)
+
+// file-Zweig (~Zeile 185):
+_, err = mediaStore.Create(r.Context(), tenant.ID, title, assetType, storagePath, "", mimeType, createdByUserID, size)
+```
+
+- [ ] **Step 3: Build**
+
+```bash
+cd server/backend && go build ./...
+```
+
+Erwartet: kein Fehler.
+
+- [ ] **Step 4: Commit**
+
+```bash
+git add server/backend/internal/httpapi/tenant/tenant.go
+git commit -m "feat(tenant): List/Create mit owner-Feld aktualisiert"
+```
+
+---
+
+### Task 6: `templates.go` — Badge, Toggle, JS
+
+**Files:**
+- Modify: `server/backend/internal/httpapi/manage/templates.go`
+
+Kontext: Die Medienbibliothek liegt ab ca. Zeile 1083. Zeilen-Nummern können abweichen — suche nach `<!-- Library -->` als Anker.
+
+- [ ] **Step 1: CSS für versteckte Restricted-Medien hinzufügen**
+
+Suche die Upload-Zone CSS-Sektion (ca. Zeile 779, `.upload-zone { ... }`). Direkt **danach** einfügen:
+
+```css
+/* Restricted-Medien: standardmäßig ausgeblendet */
+.lib-card[data-owner-restricted="true"] { display: none; }
+.show-restricted .lib-card[data-owner-restricted="true"] { display: flex; }
+```
+
+- [ ] **Step 2: Toggle-Button und Medienbibliothek-Header anpassen**
+
+Suche den Block `<!-- Library -->` (enthält `<h2 class="title is-6 mb-3">Medienbibliothek</h2>`).
+
+Den `<div class="box">` Block ersetzen durch:
+
+```html
+<div class="box">
+  <div style="display:flex;align-items:center;justify-content:space-between;margin-bottom:.75rem">
+    <h2 class="title is-6 mb-0">Medienbibliothek</h2>
+    {{if ne .UserRole "restricted"}}
+    <button id="toggle-restricted-btn" class="button is-small is-light"
+      onclick="toggleRestrictedMedia(this)"
+      style="font-size:.75rem">
+      Restricted-Medien anzeigen
+    </button>
+    {{end}}
+  </div>
+```
+
+- [ ] **Step 3: `lib-card` mit `data-owner-restricted` und Besitzer-Badge versehen**
+
+Den `<div class="lib-card">` innerhalb von `{{range .Assets}}` ersetzen durch:
+
+```html
+<div class="lib-card" data-owner-restricted="{{.OwnerIsRestricted}}">
+```
+
+In `<div class="lib-info">` nach dem `<div class="lib-title"...>` folgendes einfügen:
+
+```html
+<div class="lib-badge">{{typeIcon .Type}} {{.Type}}
+  {{if .OwnerIsRestricted}}<span class="tag is-info is-light ml-1" style="font-size:.65rem">{{.OwnerUsername}}</span>{{end}}
+  {{if and (eq $.UserRole "admin") (not .CreatedByUserID)}}<span class="tag is-warning is-light ml-1" style="font-size:.65rem">Kein Besitzer</span>{{end}}
+</div>
+```
+
+Hinweis: `not` ist eine eingebaute Go-Template-Funktion. Alternativ `{{if eq .CreatedByUserID ""}}`.
+
+- [ ] **Step 4: `not` Template-Funktion prüfen — Go-Templates haben kein `not`**
+
+Go-Templates kennen kein `not`. Den Ausdruck von Step 3 für "Kein Besitzer" ersetzen durch:
+
+```html
+{{if and (eq $.UserRole "admin") (eq .CreatedByUserID "")}}<span class="tag is-warning is-light ml-1" style="font-size:.65rem">Kein Besitzer</span>{{end}}
+```
+
+- [ ] **Step 5: JS-Toggle-Funktion hinzufügen**
+
+Suche die vorhandene JS-Sektion (ca. Zeile 652, enthält `var texts = {...}`). Direkt am Ende des `<script>`-Blocks (vor `</script>`) einfügen:
+
+```javascript
+function toggleRestrictedMedia(btn) {
+  var lib = document.querySelector('.lib-grid');
+  if (!lib) return;
+  var showing = lib.classList.toggle('show-restricted');
+  btn.textContent = showing ? 'Restricted-Medien ausblenden' : 'Restricted-Medien anzeigen';
+  btn.classList.toggle('is-info', showing);
+  btn.classList.toggle('is-light', !showing);
+}
+```
+
+- [ ] **Step 6: Build + Template-Syntax prüfen**
+
+```bash
+cd server/backend && go build ./...
+```
+
+Erwartet: kein Fehler. Go-Templates werden erst zur Laufzeit geparst — Syntax-Fehler erscheinen erst beim ersten Request.
+
+- [ ] **Step 7: Manuell testen**
+
+```bash
+docker compose -f compose/server-stack.yml up --build -d backend
+```
+
+1. Als Restricted User einloggen → Upload ein Medium → nur eigenes Medium sichtbar, kein Toggle-Button
+2. Als Admin einloggen → alle Medien sehen → Toggle-Button vorhanden → anklicken → Restricted-Medien erscheinen mit Besitzer-Badge → Legacy-Medien haben "Kein Besitzer" Badge
+3. Als screen_user einloggen → Restricted-Medien ausgeblendet → Toggle zeigt sie an mit Besitzer-Namen
+
+- [ ] **Step 8: Commit**
+
+```bash
+git add server/backend/internal/httpapi/manage/templates.go
+git commit -m "feat(ui): Restricted-Medien Toggle + Besitzer-Badge + Kein-Besitzer-Badge"
+```
+
+---
+
+### Task 7: Dokumentation
+
+**Files:**
+- Modify: `docs/SCHEMA.md`
+- Modify: `docs/API-ENDPOINTS.md`
+
+- [ ] **Step 1: `docs/SCHEMA.md` — `created_by_user_id` bei `media_assets` ergänzen**
+
+Die `media_assets`-Spalten-Liste (ca. Zeile 258–280 in SCHEMA.md) um folgende Zeile ergänzen:
+
+```
+created_by_user_id text null references users(id) on delete set null
+```
+
+Direkt nach `tenant_id`. Außerdem unter "Wichtige Indizes" ergänzen:
+
+```sql
+create index idx_media_assets_created_by_user_id on media_assets(created_by_user_id);
+```
+
+- [ ] **Step 2: `docs/API-ENDPOINTS.md` — Media-Endpoints dokumentieren**
+
+Im Abschnitt "Media" (falls nicht vorhanden: anlegen nach dem bestehenden Abschnitt) hinzufügen:
+
+```markdown
+## Media
+
+### GET /api/v1/tenants/{tenantSlug}/media
+
+Listet alle Medien eines Tenants.
+
+**Rolle `restricted`:** Gibt nur Medien zurück, die der eingeloggte User selbst hochgeladen hat (`created_by_user_id = user.id`).
+
+**Alle anderen Rollen:** Alle Medien des Tenants. Response-Felder `owner_is_restricted` und `owner_username` sind befüllt wenn das Medium von einem Restricted-User hochgeladen wurde.
+
+### POST /api/v1/tenants/{tenantSlug}/media
+
+Lädt ein Medium hoch oder registriert eine URL. Setzt `created_by_user_id` auf die ID des eingeloggten Users.
+
+### DELETE /api/v1/media/{id}
+
+Löscht ein Medium.
+
+- **Admin:** immer erlaubt
+- **screen_user:** erlaubt wenn `asset.tenant_id == user.tenant_id`
+- **restricted:** erlaubt nur wenn `asset.created_by_user_id == user.id` (eigenes Medium)
+```
+
+- [ ] **Step 3: Commit**
+
+```bash
+git add docs/SCHEMA.md docs/API-ENDPOINTS.md
+git commit -m "docs: media_assets.created_by_user_id + Berechtigungslogik dokumentiert"
+```
--- a/docs/superpowers/specs/2026-03-28-user-spezifische-medien-design.md
+++ b/docs/superpowers/specs/2026-03-28-user-spezifische-medien-design.md
@ -0,0 +1,137 @@
+# User-spezifische Medien für Restricted Users — Design
+
+**Datum:** 2026-03-28
+
+## Problem
+
+Restricted Users können aktuell alle Medien des Tenants sehen und löschen. Sie sollen nur ihre eigenen Medien sehen und verwalten dürfen.
+
+## Anforderungen
+
+- **Restricted Users** sehen ausschließlich Medien, die sie selbst hochgeladen haben
+- **Restricted Users** dürfen nur ihre eigenen Medien löschen
+- **Admins** sehen alle Medien des Tenants — inkl. solcher ohne Besitzer (Legacy-Medien)
+- **screen_users** sehen alle Medien des Tenants (unverändert)
+- Bestehende Medien (ohne Besitzer) bleiben erhalten und funktionieren weiter
+- **Admins und screen_users** können Medien von Restricted Users ein-/ausblenden (Toggle). Default: **ausgeblendet**
+
+## Ansatz: Filter im Store-Layer
+
+Ownership wird als Datenbankfeld gespeichert. Die Filter-Logik liegt im Store-Layer, Handlers delegieren nach Rolle. Entspricht dem bestehenden pgx/raw-SQL-Muster (analog K4-Checks in playlist.go).
+
+## Datenbank
+
+### Migration
+
+Neue Spalte in `media_assets`:
+
+```sql
+ALTER TABLE media_assets
+  ADD COLUMN created_by_user_id text NULL
+  REFERENCES users(id) ON DELETE SET NULL;
+```
+
+- **Nullable**: bestehende Medien behalten `NULL` als Besitzer
+- **ON DELETE SET NULL**: wird ein User gelöscht, bleibt das Medium erhalten, verliert aber den Besitzer
+- Kein Backfill nötig — `NULL` = kein Besitzer (Legacy oder Admin-Upload)
+
+## Go-Datenmodell
+
+`MediaAsset`-Struct bekommt drei neue Felder:
+
+```go
+CreatedByUserID    string // leer = kein Besitzer (legacy)
+OwnerIsRestricted  bool   // true wenn Uploader Rolle "restricted" hat
+OwnerUsername      string // Benutzername des Uploaders; leer wenn kein Besitzer
+```
+
+`OwnerIsRestricted` und `OwnerUsername` werden per `LEFT JOIN users` in der List-Query befüllt — kein separater Lookup nötig.
+
+## Store-Layer
+
+### List
+
+```go
+func (s *MediaStore) List(ctx context.Context, tenantID, ownerUserID string) ([]MediaAsset, error)
+```
+
+- `ownerUserID == ""` → alle Tenant-Medien (Admin, screen_user); `OwnerIsRestricted` per LEFT JOIN befüllt
+- `ownerUserID != ""` → `AND m.created_by_user_id = $2` (Restricted User); kein JOIN nötig
+
+### Create
+
+Kein Signatur-Wandel. `MediaAsset.CreatedByUserID` wird vom Handler befüllt und per Struct übergeben. Bestehende Create-Logik bleibt unverändert.
+
+## Handler-Layer
+
+### Upload (API + Manage-Endpoint)
+
+Beide Upload-Handler befüllen `CreatedByUserID` mit `user.ID`:
+- `POST /api/v1/tenants/{tenantSlug}/media`
+- `POST /manage/{screenSlug}/upload`
+
+### List
+
+Handler übergibt an `Store.List()`:
+- `restricted` → `ownerUserID = u.ID`
+- alle anderen → `ownerUserID = ""`
+
+### Delete (K3-Check)
+
+Aktuell: `u.TenantID == asset.TenantID || u.Role == "admin"`
+
+Neu:
+
+| Rolle | Bedingung |
+|---|---|
+| `admin` | immer erlaubt |
+| `screen_user` | Tenant-Match reicht (wie bisher) |
+| `restricted` | Tenant-Match **und** `asset.CreatedByUserID == u.ID` |
+
+## UI
+
+### Admin- und screen_user-Ansicht
+
+**Badge für Medien ohne Besitzer** (nur für Admins, da screen_users keine Legacy-Medien hochladen können):
+
+```html
+<span class="tag is-warning is-light">Kein Besitzer</span>
+```
+
+Wird angezeigt wenn `CreatedByUserID == ""`. Kein Benutzername wird angezeigt.
+
+**Toggle: Restricted-Medien ein-/ausblenden** (Admin + screen_user):
+
+- Button in der Medienliste: `Restricted-Medien anzeigen` (Bulma `button is-small`)
+- Jedes Medium von einem Restricted-User erhält `data-owner-restricted="true"` im HTML
+- Default: diese Elemente sind per CSS ausgeblendet (`display: none`)
+- Vanilla JS: Toggle-Button wechselt eine CSS-Klasse auf dem Container; Items mit `data-owner-restricted="true"` werden sichtbar/unsichtbar
+- Kein Page-Reload, kein Server-Request — rein clientseitig
+
+**Besitzer-Kennzeichnung** bei Restricted-Medien (Admin + screen_user, wenn sichtbar):
+
+```html
+<span class="tag is-info is-light">{{ .OwnerUsername }}</span>
+```
+
+Wird neben dem Medientitel angezeigt, wenn `OwnerIsRestricted == true`.
+
+### Restricted-User-Ansicht
+
+Keine strukturellen Änderungen. Die Liste ist serverseitig gefiltert — der User sieht einfach nur eigene Einträge. Kein Toggle-Button sichtbar.
+
+## Nicht im Scope
+
+- Übertragung von Medien zwischen Usern
+- Persistierung der Toggle-Einstellung (wird nicht gespeichert, reset bei Seitenladen)
+
+## Betroffene Dateien
+
+| Datei | Änderung |
+|---|---|
+| `server/backend/db/migrations/00X_media_owner.sql` | neue Spalte `created_by_user_id` |
+| `server/backend/internal/store/store.go` | `MediaAsset`-Struct, `List()`-Signatur, `Create()` |
+| `server/backend/internal/httpapi/manage/media.go` | Upload + Delete + List Handler |
+| `manage/templates.go` | Badge für Medien ohne Besitzer; Toggle-Button + JS; `data-owner-restricted` Attribut |
+| `docs/SCHEMA.md` | neue Spalte dokumentieren |
+| `docs/API-ENDPOINTS.md` | ggf. List-Endpoint-Verhalten dokumentieren |
--- a/server/backend/internal/db/migrations/007_media_owner.sql
+++ b/server/backend/internal/db/migrations/007_media_owner.sql
@ -0,0 +1,10 @@
+-- 007_media_owner.sql
+-- Fügt Besitzer-Referenz zu media_assets hinzu.
+-- ON DELETE SET NULL: Medium bleibt erhalten wenn User gelöscht wird.
+
+ALTER TABLE media_assets
+  ADD COLUMN created_by_user_id text NULL
+  REFERENCES users(id) ON DELETE SET NULL;
+
+CREATE INDEX idx_media_assets_created_by_user_id
+  ON media_assets(created_by_user_id);
--- a/server/backend/internal/httpapi/manage/media.go
+++ b/server/backend/internal/httpapi/manage/media.go
@ -15,6 +15,7 @@ import (
 const maxUploadSize = 512 << 20 // 512 MB

 // HandleListMedia returns all media assets for a tenant as JSON.
+// restricted-Users sehen nur ihre eigenen Medien.
 func HandleListMedia(tenants *store.TenantStore, media *store.MediaStore) http.HandlerFunc {
 	return func(w http.ResponseWriter, r *http.Request) {
 		tenant, err := tenants.Get(r.Context(), r.PathValue("tenantSlug"))
@ -22,7 +23,12 @@ func HandleListMedia(tenants *store.TenantStore, media *store.MediaStore) http.H
 			http.Error(w, "tenant not found", http.StatusNotFound)
 			return
 		}
-		assets, err := media.List(r.Context(), tenant.ID)
+		u := reqcontext.UserFromContext(r.Context())
+		ownerUserID := ""
+		if u != nil && u.Role == "restricted" {
+			ownerUserID = u.ID
+		}
+		assets, err := media.List(r.Context(), tenant.ID, ownerUserID)
 		if err != nil {
 			http.Error(w, "db error", http.StatusInternalServerError)
 			return
@ -45,6 +51,12 @@ func HandleUploadMedia(tenants *store.TenantStore, media *store.MediaStore, uplo
 		}
 		tenantID := tenant.ID

+		u := reqcontext.UserFromContext(r.Context())
+		createdByUserID := ""
+		if u != nil {
+			createdByUserID = u.ID
+		}
+
 		// W3: MaxBytesReader begrenzt den gesamten Request-Body auf maxUploadSize.
 		r.Body = http.MaxBytesReader(w, r.Body, maxUploadSize)
 		if err := r.ParseMultipartForm(maxUploadSize); err != nil {
@ -65,7 +77,7 @@ func HandleUploadMedia(tenants *store.TenantStore, media *store.MediaStore, uplo
 			if title == "" {
 				title = url
 			}
-			asset, err := media.Create(r.Context(), tenantID, title, "web", "", url, "", 0)
+			asset, err := media.Create(r.Context(), tenantID, title, "web", "", url, "", createdByUserID, 0)
 			if err != nil {
 				http.Error(w, "db error", http.StatusInternalServerError)
 				return
@ -98,7 +110,7 @@ func HandleUploadMedia(tenants *store.TenantStore, media *store.MediaStore, uplo
 				return
 			}

-			asset, err := media.Create(r.Context(), tenantID, title, assetType, storagePath, "", mimeType, size)
+			asset, err := media.Create(r.Context(), tenantID, title, assetType, storagePath, "", mimeType, createdByUserID, size)
 			if err != nil {
 				http.Error(w, "db error", http.StatusInternalServerError)
 				return
@ -123,13 +135,9 @@ func HandleDeleteMedia(media *store.MediaStore, uploadDir string) http.HandlerFu
 			return
 		}

-		// K3: Tenant-Check — nur der eigene Tenant oder Admin darf löschen.
+		// K3: Rolle-bewusste Berechtigungsprüfung.
 		u := reqcontext.UserFromContext(r.Context())
-		if u == nil {
-			http.Error(w, "Forbidden", http.StatusForbidden)
-			return
-		}
-		if u.Role != "admin" && u.TenantID != asset.TenantID {
+		if u == nil || !canDeleteMedia(u, asset) {
 			http.Error(w, "Forbidden", http.StatusForbidden)
 			return
 		}
@ -178,3 +186,20 @@ func sanitize(s string) string {
 	}
 	return out
 }
+
+// canDeleteMedia prüft ob User u das Medium asset löschen darf.
+// admin:       immer erlaubt
+// screen_user: Tenant-Match reicht
+// restricted:  Tenant-Match UND Besitzer-Match
+func canDeleteMedia(u *store.User, asset *store.MediaAsset) bool {
+	if u.Role == "admin" {
+		return true
+	}
+	if u.TenantID != asset.TenantID {
+		return false
+	}
+	if u.Role == "restricted" {
+		return asset.CreatedByUserID == u.ID
+	}
+	return true
+}
--- a/server/backend/internal/httpapi/manage/media_test.go
+++ b/server/backend/internal/httpapi/manage/media_test.go
@ -0,0 +1,57 @@
+package manage
+
+import (
+	"testing"
+
+	"git.az-it.net/az/morz-infoboard/server/backend/internal/store"
+)
+
+func TestCanDeleteMedia(t *testing.T) {
+	asset := &store.MediaAsset{TenantID: "t1", CreatedByUserID: "u1"}
+
+	tests := []struct {
+		name    string
+		user    *store.User
+		allowed bool
+	}{
+		{
+			name:    "admin darf immer",
+			user:    &store.User{Role: "admin", TenantID: "t2", ID: "x"},
+			allowed: true,
+		},
+		{
+			name:    "screen_user eigener Tenant",
+			user:    &store.User{Role: "screen_user", TenantID: "t1", ID: "x"},
+			allowed: true,
+		},
+		{
+			name:    "screen_user fremder Tenant",
+			user:    &store.User{Role: "screen_user", TenantID: "t2", ID: "x"},
+			allowed: false,
+		},
+		{
+			name:    "restricted eigenes Medium",
+			user:    &store.User{Role: "restricted", TenantID: "t1", ID: "u1"},
+			allowed: true,
+		},
+		{
+			name:    "restricted fremdes Medium gleicher Tenant",
+			user:    &store.User{Role: "restricted", TenantID: "t1", ID: "u2"},
+			allowed: false,
+		},
+		{
+			name:    "restricted fremder Tenant",
+			user:    &store.User{Role: "restricted", TenantID: "t2", ID: "u1"},
+			allowed: false,
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			got := canDeleteMedia(tt.user, asset)
+			if got != tt.allowed {
+				t.Errorf("canDeleteMedia() = %v, want %v", got, tt.allowed)
+			}
+		})
+	}
+}
--- a/server/backend/internal/httpapi/manage/templates.go
+++ b/server/backend/internal/httpapi/manage/templates.go
@ -780,6 +780,9 @@ const manageTmpl = `<!DOCTYPE html>
    .upload-zone { border:2px dashed #d1d5db; border-radius:var(--radius); padding:1.5rem; text-align:center; cursor:pointer; transition:border-color .15s; }
    .upload-zone:hover,.upload-zone.dragover { border-color:var(--morz-red); background:#fff5f5; }
    .upload-zone p { color:#9ca3af; font-size:.875rem; margin:.25rem 0; }
+    /* Restricted-Medien: standardmäßig ausgeblendet */
+    .lib-card[data-owner-restricted="true"] { display: none; }
+    .show-restricted .lib-card[data-owner-restricted="true"] { display: flex; }
    /* Screenshot */
    .screen-preview { width:100%; max-height:200px; object-fit:cover; background:#1e293b; display:block; border-radius:var(--radius) var(--radius) 0 0; }
    /* Modal */
@ -1091,11 +1094,20 @@ const manageTmpl = `<!DOCTYPE html>

        <!-- Library -->
        <div class="box">
-          <h2 class="title is-6 mb-3">Medienbibliothek</h2>
+          <div style="display:flex;align-items:center;justify-content:space-between;margin-bottom:.75rem">
+            <h2 class="title is-6 mb-0">Medienbibliothek</h2>
+            {{if ne .UserRole "restricted"}}
+            <button id="toggle-restricted-btn" class="button is-small is-light"
+              onclick="toggleRestrictedMedia(this)"
+              style="font-size:.75rem">
+              Restricted-Medien anzeigen
+            </button>
+            {{end}}
+          </div>
          {{if .Assets}}
          <div class="lib-grid">
            {{range .Assets}}
-            <div class="lib-card">
+            <div class="lib-card" data-owner-restricted="{{.OwnerIsRestricted}}">
              <div class="lib-thumb">
                {{if eq .Type "image"}}<img src="{{if .StoragePath}}/uploads/{{.StoragePath}}{{else}}{{.OriginalURL}}{{end}}" style="width:100%;height:80px;object-fit:cover" alt="" loading="lazy" onerror="this.style.display='none';this.parentElement.textContent='🖼'">
                {{else if eq .Type "video"}}🎬
@ -1104,7 +1116,10 @@ const manageTmpl = `<!DOCTYPE html>
              </div>
              <div class="lib-info">
                <div class="lib-title" title="{{.Title}}">{{.Title}}</div>
-                <div class="lib-badge">{{typeIcon .Type}} {{.Type}}</div>
+                <div class="lib-badge">{{typeIcon .Type}} {{.Type}}
+                  {{if .OwnerIsRestricted}}<span class="tag is-info is-light ml-1" style="font-size:.65rem">{{.OwnerUsername}}</span>{{end}}
+                  {{if and (eq $.UserRole "admin") (eq .CreatedByUserID "")}}<span class="tag is-warning is-light ml-1" style="font-size:.65rem">Kein Besitzer</span>{{end}}
+                </div>
              </div>
              <div class="lib-actions">
                {{if index $.AddedAssets .ID}}
@ -1690,6 +1705,15 @@ function clearScreenOverride(slug) {
    if (r.ok) { location.reload(); }
  }).catch(function(){});
 }
+
+function toggleRestrictedMedia(btn) {
+  var lib = document.querySelector('.lib-grid');
+  if (!lib) return;
+  var showing = lib.classList.toggle('show-restricted');
+  btn.textContent = showing ? 'Restricted-Medien ausblenden' : 'Restricted-Medien anzeigen';
+  btn.classList.toggle('is-info', showing);
+  btn.classList.toggle('is-light', !showing);
+}
 </script>
 </body>
 </html>`
--- a/server/backend/internal/httpapi/manage/ui.go
+++ b/server/backend/internal/httpapi/manage/ui.go
@ -394,7 +394,11 @@ func HandleManageUI(
 			return
 		}

-		assets, err := media.List(r.Context(), screen.TenantID)
+		ownerUserID := ""
+	if u := reqcontext.UserFromContext(r.Context()); u != nil && u.Role == "restricted" {
+		ownerUserID = u.ID
+	}
+	assets, err := media.List(r.Context(), screen.TenantID, ownerUserID)
 		if err != nil {
 			http.Error(w, "db error", http.StatusInternalServerError)
 			return
@ -627,6 +631,11 @@ func HandleUploadMediaUI(media *store.MediaStore, screens *store.ScreenStore, up
 			tenantSlug = "default"
 		}

+		createdByUserID := ""
+		if u := reqcontext.UserFromContext(r.Context()); u != nil {
+			createdByUserID = u.ID
+		}
+
 		switch assetType {
 		case "web":
 			url := strings.TrimSpace(r.FormValue("url"))
@ -637,7 +646,7 @@ func HandleUploadMediaUI(media *store.MediaStore, screens *store.ScreenStore, up
 			if title == "" {
 				title = url
 			}
-			_, err = media.Create(r.Context(), screen.TenantID, title, "web", "", url, "", 0)
+			_, err = media.Create(r.Context(), screen.TenantID, title, "web", "", url, "", createdByUserID, 0)
 		case "image", "video", "pdf":
 			file, header, ferr := r.FormFile("file")
 			if ferr != nil {
@ -655,7 +664,7 @@ func HandleUploadMediaUI(media *store.MediaStore, screens *store.ScreenStore, up
 				http.Error(w, "Speicherfehler", http.StatusInternalServerError)
 				return
 			}
-			_, err = media.Create(r.Context(), screen.TenantID, title, assetType, storagePath, "", mimeType, size)
+			_, err = media.Create(r.Context(), screen.TenantID, title, assetType, storagePath, "", mimeType, createdByUserID, size)
 		default:
 			http.Error(w, "Unbekannter Typ", http.StatusBadRequest)
 			return
@ -860,7 +869,18 @@ func HandleDeleteMediaUI(media *store.MediaStore, screens *store.ScreenStore, up
 		}

 		asset, err := media.Get(r.Context(), mediaID)
-		if err == nil && asset.StoragePath != "" {
+		if err != nil {
+			http.Error(w, "medium nicht gefunden", http.StatusNotFound)
+			return
+		}
+
+		// K3: Restricted User darf nur eigene Medien löschen.
+		if u := reqcontext.UserFromContext(r.Context()); u != nil && !canDeleteMedia(u, asset) {
+			http.Error(w, "Forbidden", http.StatusForbidden)
+			return
+		}
+
+		if asset.StoragePath != "" {
 			os.Remove(filepath.Join(uploadDir, filepath.Base(asset.StoragePath))) //nolint:errcheck
 		}
 		media.Delete(r.Context(), mediaID) //nolint:errcheck
--- a/server/backend/internal/httpapi/tenant/tenant.go
+++ b/server/backend/internal/httpapi/tenant/tenant.go
@ -12,6 +12,7 @@ import (

 	"git.az-it.net/az/morz-infoboard/server/backend/internal/config"
 	"git.az-it.net/az/morz-infoboard/server/backend/internal/fileutil"
+	"git.az-it.net/az/morz-infoboard/server/backend/internal/reqcontext"
 	"git.az-it.net/az/morz-infoboard/server/backend/internal/store"
 )

@ -73,7 +74,11 @@ func HandleTenantDashboard(
 			return
 		}

-		assets, err := mediaStore.List(r.Context(), tenant.ID)
+		ownerUserID := ""
+		if u := reqcontext.UserFromContext(r.Context()); u != nil && u.Role == "restricted" {
+			ownerUserID = u.ID
+		}
+		assets, err := mediaStore.List(r.Context(), tenant.ID, ownerUserID)
 		if err != nil {
 			http.Error(w, "db error", http.StatusInternalServerError)
 			return
@ -148,6 +153,11 @@ func HandleTenantUpload(
 		assetType := strings.TrimSpace(r.FormValue("type"))
 		title := strings.TrimSpace(r.FormValue("title"))

+		createdByUserID := ""
+		if u := reqcontext.UserFromContext(r.Context()); u != nil {
+			createdByUserID = u.ID
+		}
+
 		switch assetType {
 		case "web":
 			url := strings.TrimSpace(r.FormValue("url"))
@ -158,7 +168,7 @@ func HandleTenantUpload(
 			if title == "" {
 				title = url
 			}
-			_, err = mediaStore.Create(r.Context(), tenant.ID, title, "web", "", url, "", 0)
+			_, err = mediaStore.Create(r.Context(), tenant.ID, title, "web", "", url, "", createdByUserID, 0)

 		case "image", "video", "pdf":
 			file, header, ferr := r.FormFile("file")
@ -182,7 +192,7 @@ func HandleTenantUpload(
 				http.Error(w, "Speicherfehler", http.StatusInternalServerError)
 				return
 			}
-			_, err = mediaStore.Create(r.Context(), tenant.ID, title, assetType, storagePath, "", mimeType, size)
+			_, err = mediaStore.Create(r.Context(), tenant.ID, title, assetType, storagePath, "", mimeType, createdByUserID, size)

 		default:
 			http.Error(w, "Unbekannter Typ", http.StatusBadRequest)
@ -224,6 +234,11 @@ func HandleTenantDeleteMedia(
 			http.Error(w, "Forbidden", http.StatusForbidden)
 			return
 		}
+		// K3: Restricted User darf nur eigene Medien löschen.
+		if u := reqcontext.UserFromContext(r.Context()); u != nil && u.Role == "restricted" && asset.CreatedByUserID != u.ID {
+			http.Error(w, "Forbidden", http.StatusForbidden)
+			return
+		}
 		if asset.StoragePath != "" {
 			os.Remove(filepath.Join(uploadDir, filepath.Base(asset.StoragePath))) //nolint:errcheck
 		}
--- a/server/backend/internal/store/store.go
+++ b/server/backend/internal/store/store.go
@ -50,16 +50,19 @@ type ScreenSchedule struct {
 }

 type MediaAsset struct {
-	ID          string    `json:"id"`
-	TenantID    string    `json:"tenant_id"`
-	Title       string    `json:"title"`
-	Type        string    `json:"type"` // image | video | pdf | web
-	StoragePath string    `json:"storage_path,omitempty"`
-	OriginalURL string    `json:"original_url,omitempty"`
-	MimeType    string    `json:"mime_type,omitempty"`
-	SizeBytes   int64     `json:"size_bytes,omitempty"`
-	Enabled     bool      `json:"enabled"`
-	CreatedAt   time.Time `json:"created_at"`
+	ID                string    `json:"id"`
+	TenantID          string    `json:"tenant_id"`
+	Title             string    `json:"title"`
+	Type              string    `json:"type"` // image | video | pdf | web
+	StoragePath       string    `json:"storage_path,omitempty"`
+	OriginalURL       string    `json:"original_url,omitempty"`
+	MimeType          string    `json:"mime_type,omitempty"`
+	SizeBytes         int64     `json:"size_bytes,omitempty"`
+	Enabled           bool      `json:"enabled"`
+	CreatedAt         time.Time `json:"created_at"`
+	CreatedByUserID   string    `json:"created_by_user_id,omitempty"`
+	OwnerIsRestricted bool      `json:"owner_is_restricted,omitempty"`
+	OwnerUsername     string    `json:"owner_username,omitempty"`
 }

 type Playlist struct {
@ -367,19 +370,31 @@ func (s *ScreenStore) GetDisplayState(ctx context.Context, screenID string) (str
 // MediaStore
 // ------------------------------------------------------------------

-func (s *MediaStore) List(ctx context.Context, tenantID string) ([]*MediaAsset, error) {
-	rows, err := s.pool.Query(ctx,
-		`select id, tenant_id, title, type, coalesce(storage_path,''),
-		        coalesce(original_url,''), coalesce(mime_type,''), coalesce(size_bytes,0),
-		        enabled, created_at
-		   from media_assets where tenant_id=$1 order by created_at desc`, tenantID)
+func (s *MediaStore) List(ctx context.Context, tenantID, ownerUserID string) ([]*MediaAsset, error) {
+	const base = `
+		SELECT m.id, m.tenant_id, m.title, m.type,
+		       coalesce(m.storage_path,''), coalesce(m.original_url,''),
+		       coalesce(m.mime_type,''), coalesce(m.size_bytes,0),
+		       m.enabled, m.created_at, coalesce(m.created_by_user_id,''),
+		       coalesce(u.role,''), coalesce(u.username,'')
+		  FROM media_assets m
+		  LEFT JOIN users u ON m.created_by_user_id = u.id
+		 WHERE m.tenant_id=$1`
+
+	var rows pgx.Rows
+	var err error
+	if ownerUserID != "" {
+		rows, err = s.pool.Query(ctx, base+` AND m.created_by_user_id=$2 ORDER BY m.created_at DESC`, tenantID, ownerUserID)
+	} else {
+		rows, err = s.pool.Query(ctx, base+` ORDER BY m.created_at DESC`, tenantID)
+	}
 	if err != nil {
 		return nil, err
 	}
 	defer rows.Close()
 	var out []*MediaAsset
 	for rows.Next() {
-		m, err := scanMedia(rows)
+		m, err := scanMediaFull(rows)
 		if err != nil {
 			return nil, err
 		}
@ -390,21 +405,21 @@ func (s *MediaStore) List(ctx context.Context, tenantID string) ([]*MediaAsset,

 func (s *MediaStore) Get(ctx context.Context, id string) (*MediaAsset, error) {
 	row := s.pool.QueryRow(ctx,
-		`select id, tenant_id, title, type, coalesce(storage_path,''),
+		`SELECT id, tenant_id, title, type, coalesce(storage_path,''),
 		        coalesce(original_url,''), coalesce(mime_type,''), coalesce(size_bytes,0),
-		        enabled, created_at
-		   from media_assets where id=$1`, id)
+		        enabled, created_at, coalesce(created_by_user_id,'')
+		   FROM media_assets WHERE id=$1`, id)
 	return scanMedia(row)
 }

-func (s *MediaStore) Create(ctx context.Context, tenantID, title, assetType, storagePath, originalURL, mimeType string, sizeBytes int64) (*MediaAsset, error) {
+func (s *MediaStore) Create(ctx context.Context, tenantID, title, assetType, storagePath, originalURL, mimeType, createdByUserID string, sizeBytes int64) (*MediaAsset, error) {
 	row := s.pool.QueryRow(ctx,
-		`insert into media_assets(tenant_id, title, type, storage_path, original_url, mime_type, size_bytes)
-		 values($1,$2,$3,nullif($4,''),nullif($5,''),nullif($6,''),nullif($7,0))
-		 returning id, tenant_id, title, type, coalesce(storage_path,''),
+		`INSERT INTO media_assets(tenant_id, title, type, storage_path, original_url, mime_type, size_bytes, created_by_user_id)
+		 VALUES($1,$2,$3,nullif($4,''),nullif($5,''),nullif($6,''),nullif($7,0),nullif($8,''))
+		 RETURNING id, tenant_id, title, type, coalesce(storage_path,''),
 		           coalesce(original_url,''), coalesce(mime_type,''), coalesce(size_bytes,0),
-		           enabled, created_at`,
-		tenantID, title, assetType, storagePath, originalURL, mimeType, sizeBytes)
+		           enabled, created_at, coalesce(created_by_user_id,'')`,
+		tenantID, title, assetType, storagePath, originalURL, mimeType, sizeBytes, createdByUserID)
 	return scanMedia(row)
 }

@ -419,13 +434,29 @@ func scanMedia(row interface {
 	var m MediaAsset
 	err := row.Scan(&m.ID, &m.TenantID, &m.Title, &m.Type,
 		&m.StoragePath, &m.OriginalURL, &m.MimeType, &m.SizeBytes,
-		&m.Enabled, &m.CreatedAt)
+		&m.Enabled, &m.CreatedAt, &m.CreatedByUserID)
 	if err != nil {
 		return nil, fmt.Errorf("scan media: %w", err)
 	}
 	return &m, nil
 }

+func scanMediaFull(row interface {
+	Scan(dest ...any) error
+}) (*MediaAsset, error) {
+	var m MediaAsset
+	var ownerRole string
+	err := row.Scan(&m.ID, &m.TenantID, &m.Title, &m.Type,
+		&m.StoragePath, &m.OriginalURL, &m.MimeType, &m.SizeBytes,
+		&m.Enabled, &m.CreatedAt, &m.CreatedByUserID,
+		&ownerRole, &m.OwnerUsername)
+	if err != nil {
+		return nil, fmt.Errorf("scan media full: %w", err)
+	}
+	m.OwnerIsRestricted = ownerRole == "restricted"
+	return &m, nil
+}
+
 // ------------------------------------------------------------------
 // PlaylistStore
 // ------------------------------------------------------------------
Author	SHA1	Message	Date
Jesko Anschütz	cc9ca2cd81	fix: nil-pointer in DeleteMediaUI, restricted delete-check in tenant handler, SCHEMA fix - HandleDeleteMediaUI: check err after media.Get before using asset (prevents nil-pointer panic) - HandleTenantDeleteMedia: add restricted-user ownership check (K3) - HandleTenantDashboard: filter media list by ownerUserID for restricted users - SCHEMA.md: correct created_by_user_id to 'text null ... on delete set null' Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>	2026-03-28 09:18:12 +01:00
Jesko Anschütz	e884acf41d	docs: media_assets.created_by_user_id + Berechtigungslogik dokumentiert - SCHEMA.md: Index idx_media_assets_created_by_user_id hinzugefügt - API-ENDPOINTS.md: GET/POST Media-Endpoints erweitert um owner_is_restricted und owner_username - API-ENDPOINTS.md: DELETE Media-Endpoint mit Berechtigungslogik dokumentiert * admin_user: immer erlaubt * screen_user: erlaubt wenn asset.tenant_id == user.tenant_id * restricted: erlaubt nur wenn asset.created_by_user_id == user.id Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>	2026-03-28 09:14:35 +01:00
Jesko Anschütz	8bcb59468a	feat(ui): Restricted-Medien Toggle + Besitzer-Badge + Kein-Besitzer-Badge Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>	2026-03-28 09:13:07 +01:00
Jesko Anschütz	bfef6e25f5	feat(tenant): List/Create mit owner-Feld aktualisiert	2026-03-28 09:11:16 +01:00
Jesko Anschütz	7b0b132169	feat(ui): manage-Handler — restricted-aware List/Create/Delete	2026-03-28 09:09:59 +01:00
Jesko Anschütz	865c5e7ca8	feat(manage): canDeleteMedia + role-aware handlers für restricted users Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>	2026-03-28 09:07:13 +01:00
Jesko Anschütz	52f503d462	feat(store): MediaAsset-Ownership — List/Create/Get mit created_by_user_id Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>	2026-03-28 09:03:44 +01:00
Jesko Anschütz	c40c846436	feat(db): created_by_user_id zu media_assets hinzufügen	2026-03-28 09:01:00 +01:00
Jesko Anschütz	e6ad773e74	docs: Implementierungsplan user-spezifische Medien	2026-03-28 08:55:36 +01:00
Jesko Anschütz	922cb905b3	docs: spec — Besitzername bei Restricted-Medien anzeigen	2026-03-28 08:47:17 +01:00
Jesko Anschütz	0feb3073af	docs: spec erweitern — Toggle für Restricted-Medien (Admin + screen_user)	2026-03-28 08:45:07 +01:00
Jesko Anschütz	6d74a4aa30	docs: spec user-spezifische Medien für Restricted Users	2026-03-28 08:41:48 +01:00