fix(kiosk): Chromium-Stop beschleunigen (90s → 10s)

Chromium reagiert im Kiosk-Modus nicht auf SIGTERM, sodass systemd
90 Sekunden auf den TimeoutStop wartete und dann SIGKILL senden musste.
ExecStop killt Chromium jetzt explizit per pkill, TimeoutStopSec=10.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

ansible/roles/signage_display/templates/morz-kiosk.service.j2

@@ -15,6 +15,8 @@ UtmpMode=user
 Environment=HOME=/home/{{ signage_user }}
 ExecStartPre=/bin/sleep 3
 ExecStart=/usr/bin/startx /usr/local/bin/morz-kiosk -- :0 vt1 -nocursor
+ExecStop=/usr/bin/pkill -u {{ signage_user }} chromium
+TimeoutStopSec=10
 Restart=on-failure
 RestartSec=10
 

server/backend/internal/httpapi/manage/override.go

@@ -112,7 +112,7 @@ func HandleSetScreenOverride(screens *store.ScreenStore, schedules *store.Screen
 			http.Error(w, "screen not found", http.StatusNotFound)
 			return
 		}
-		if !requireScreenAccess(w, r, screen) {
+		if !requireScreenAccess(w, r, screen, screens) {
 			return
 		}
 

server/backend/internal/httpapi/manage/schedule.go

@@ -18,7 +18,7 @@ func HandleUpdateSchedule(screens *store.ScreenStore, schedules *store.ScreenSch
 			http.Error(w, "screen not found", http.StatusNotFound)
 			return
 		}
-		if !requireScreenAccess(w, r, screen) {
+		if !requireScreenAccess(w, r, screen, screens) {
 			return
 		}
 

server/backend/internal/httpapi/manage/templates.go

@@ -1100,14 +1100,14 @@ const manageTmpl = `<!DOCTYPE html>
             <button id="toggle-restricted-btn" class="button is-small is-light"
               onclick="toggleRestrictedMedia(this)"
               style="font-size:.75rem">
-              Restricted-Medien anzeigen
+              Alles anzeigen
             </button>
             {{end}}
           </div>
           {{if .Assets}}
           <div class="lib-grid">
             {{range .Assets}}
-            <div class="lib-card" data-owner-restricted="{{.OwnerIsRestricted}}">
+            <div class="lib-card" data-owner-restricted="{{if eq $.UserRole "restricted"}}false{{else}}{{.OwnerIsRestricted}}{{end}}">
               <div class="lib-thumb">
                 {{if eq .Type "image"}}<img src="{{if .StoragePath}}/uploads/{{.StoragePath}}{{else}}{{.OriginalURL}}{{end}}" style="width:100%;height:80px;object-fit:cover" alt="" loading="lazy" onerror="this.style.display='none';this.parentElement.textContent='🖼'">
                 {{else if eq .Type "video"}}🎬
@@ -1414,6 +1414,18 @@ function startUpload() {
     setTimeout(function() { img.src = img.dataset.src + '?t=' + Date.now(); }, 4000);
   });
 })();
+
+function toggleRestrictedMedia(btn) {
+  var showing = btn.dataset.showing === '1';
+  showing = !showing;
+  btn.dataset.showing = showing ? '1' : '0';
+  document.querySelectorAll('.lib-card[data-owner-restricted="true"]').forEach(function(el) {
+    el.style.display = showing ? 'flex' : 'none';
+  });
+  btn.textContent = showing ? 'Einschränken' : 'Alles anzeigen';
+  btn.classList.toggle('is-info', showing);
+  btn.classList.toggle('is-light', !showing);
+}
 </script>
 </body>
 </html>`
@@ -1706,14 +1718,6 @@ function clearScreenOverride(slug) {
   }).catch(function(){});
 }
 
-function toggleRestrictedMedia(btn) {
-  var lib = document.querySelector('.lib-grid');
-  if (!lib) return;
-  var showing = lib.classList.toggle('show-restricted');
-  btn.textContent = showing ? 'Restricted-Medien ausblenden' : 'Restricted-Medien anzeigen';
-  btn.classList.toggle('is-info', showing);
-  btn.classList.toggle('is-light', !showing);
-}
 </script>
 </body>
 </html>`

server/backend/internal/httpapi/manage/ui.go

@@ -43,9 +43,10 @@ func renderTemplate(w http.ResponseWriter, t *template.Template, data any) {
 }
 
 // requireScreenAccess prüft, ob der eingeloggte User Zugriff auf den Screen hat.
-// Admins dürfen alles. Tenant-User dürfen nur Screens ihres eigenen Tenants bearbeiten.
+// Admins dürfen alles. screen_user dürfen Screens ihres Tenants. restricted User
+// benötigen zusätzlich einen Eintrag in user_screen_permissions.
 // Gibt true zurück wenn Zugriff erlaubt ist; schreibt 403 und gibt false zurück wenn nicht.
-func requireScreenAccess(w http.ResponseWriter, r *http.Request, screen *store.Screen) bool {
+func requireScreenAccess(w http.ResponseWriter, r *http.Request, screen *store.Screen, sc *store.ScreenStore) bool {
 	u := reqcontext.UserFromContext(r.Context())
 	if u == nil {
 		http.Error(w, "Forbidden", http.StatusForbidden)
@@ -54,19 +55,18 @@ func requireScreenAccess(w http.ResponseWriter, r *http.Request, screen *store.S
 	if u.Role == "admin" {
 		return true
 	}
-	// Tenant-User: Screen muss zum eigenen Tenant gehören.
-	// Wir vergleichen über TenantSlug→TenantID, aber der Screen hat TenantID.
-	// Da uns der Tenant-Slug des Users bekannt ist und wir keinen TenantStore
-	// hier haben, vergleichen wir TenantID des Screens mit dem user.TenantID-Feld.
-	// store.User hat TenantSlug aber nicht TenantID — deswegen muss der
-	// aufrufende Handler nach GetBySlug bereits die TenantID des Screens bekannt haben.
-	// Wir nutzen u.TenantSlug und vertrauen darauf dass der Screen bereits geladen ist.
-	// Den eigentlichen Vergleich machen wir via TenantID des Screens vs.
-	// dem TenantID-Feld im User (das über reqcontext gespeichert ist).
 	if u.TenantID != "" && u.TenantID != screen.TenantID {
 		http.Error(w, "Forbidden", http.StatusForbidden)
 		return false
 	}
+	// Restricted User: zusätzlich explizite Screen-Berechtigung prüfen.
+	if u.Role == "restricted" {
+		ok, err := sc.HasUserScreenAccess(r.Context(), u.ID, screen.ID)
+		if err != nil || !ok {
+			http.Error(w, "Forbidden", http.StatusForbidden)
+			return false
+		}
+	}
 	return true
 }
 
@@ -370,7 +370,7 @@ func HandleManageUI(
 		notifier.RequestScreenshot(screen.Slug)
 
 		// K2: Tenant-Isolation — nur eigener Tenant oder Admin.
-		if !requireScreenAccess(w, r, screen) {
+		if !requireScreenAccess(w, r, screen, screens) {
 			return
 		}
 
@@ -607,7 +607,7 @@ func HandleUploadMediaUI(media *store.MediaStore, screens *store.ScreenStore, up
 		}
 
 		// K2: Tenant-Isolation.
-		if !requireScreenAccess(w, r, screen) {
+		if !requireScreenAccess(w, r, screen, screens) {
 			return
 		}
 
@@ -694,7 +694,7 @@ func HandleAddItemUI(playlists *store.PlaylistStore, media *store.MediaStore, sc
 		}
 
 		// K2: Tenant-Isolation.
-		if !requireScreenAccess(w, r, screen) {
+		if !requireScreenAccess(w, r, screen, screens) {
 			return
 		}
 
@@ -760,7 +760,7 @@ func HandleDeleteItemUI(playlists *store.PlaylistStore, screens *store.ScreenSto
 			http.Error(w, "screen nicht gefunden", http.StatusNotFound)
 			return
 		}
-		if !requireScreenAccess(w, r, screen) {
+		if !requireScreenAccess(w, r, screen, screens) {
 			return
 		}
 
@@ -783,7 +783,7 @@ func HandleReorderUI(playlists *store.PlaylistStore, screens *store.ScreenStore,
 			return
 		}
 		// K2: Tenant-Isolation.
-		if !requireScreenAccess(w, r, screen) {
+		if !requireScreenAccess(w, r, screen, screens) {
 			return
 		}
 		playlist, err := playlists.GetByScreen(r.Context(), screen.ID)
@@ -822,7 +822,7 @@ func HandleUpdateItemUI(playlists *store.PlaylistStore, screens *store.ScreenSto
 			http.Error(w, "screen nicht gefunden", http.StatusNotFound)
 			return
 		}
-		if !requireScreenAccess(w, r, screen) {
+		if !requireScreenAccess(w, r, screen, screens) {
 			return
 		}
 
@@ -864,7 +864,7 @@ func HandleDeleteMediaUI(media *store.MediaStore, screens *store.ScreenStore, up
 			http.Error(w, "screen nicht gefunden", http.StatusNotFound)
 			return
 		}
-		if !requireScreenAccess(w, r, screen) {
+		if !requireScreenAccess(w, r, screen, screens) {
 			return
 		}
 

server/backend/internal/store/store.go

@@ -386,7 +386,7 @@ func (s *MediaStore) List(ctx context.Context, tenantID, ownerUserID string) ([]
 	if ownerUserID != "" {
 		rows, err = s.pool.Query(ctx, base+` AND m.created_by_user_id=$2 ORDER BY m.created_at DESC`, tenantID, ownerUserID)
 	} else {
-		rows, err = s.pool.Query(ctx, base+` ORDER BY m.created_at DESC`, tenantID)
+		rows, err = s.pool.Query(ctx, base+` ORDER BY u.username NULLS LAST, m.created_at DESC`, tenantID)
 	}
 	if err != nil {
 		return nil, err