dd3ec070f7
### Security-Fixes (K1–K6, W1–W4, W7, N1, N5–N6, V1, V5–V7)
- K1: CSRF-Schutz via Double-Submit-Cookie (httpapi/csrf.go + csrf_helpers.go)
- K2: requireScreenAccess() in allen manage-Handlern (Tenant-Isolation)
- K3: Tenant-Check bei DELETE /api/v1/media/{id}
- K4: requirePlaylistAccess() + GetByItemID() für JSON-API Playlist-Routen
- K5: Admin-Passwort nur noch als [gesetzt] geloggt
- K6: POST /api/v1/screens/register mit Pre-Shared-Secret (MORZ_INFOBOARD_REGISTER_SECRET)
- W1: Race Condition bei order_index behoben (atomare Subquery in AddItem)
- W2: Graceful Shutdown mit 15s Timeout auf SIGTERM/SIGINT
- W3: http.MaxBytesReader (512 MB) in allen Upload-Handlern
- W4: err.Error() nicht mehr an den Client
- W7: Template-Execution via bytes.Buffer (kein partial write bei Fehler)
- N1: Rate-Limiting auf /login (5 Versuche/Minute pro IP, httpapi/ratelimit.go)
- N5: Directory-Listing auf /uploads/ deaktiviert (neuteredFileSystem)
- N6: Uploads nach Tenant getrennt (uploads/{tenantSlug}/)
- V1: Upload-Logik konsolidiert in internal/fileutil/fileutil.go
- V5: Cookie-Name als Konstante reqcontext.SessionCookieName
- V6: Strukturiertes Logging mit log/slog + JSON-Handler
- V7: DB-Pool wird im Graceful-Shutdown geschlossen
### Phase 6: Screenshot-Erzeugung
- player/agent/internal/screenshot/screenshot.go erstellt
- Integration in app.go mit MORZ_INFOBOARD_SCREENSHOT_EVERY Config
### UX: PDF.js Integration
- pdf.min.js + pdf.worker.min.js als lokale Assets eingebettet
- Automatisches Seitendurchblättern im Player
### Ansible: Neue Rollen
- signage_base, signage_server, signage_provision erstellt
- inventory.yml und site.yml erweitert
### Konzept-Docs
- GRUPPEN-KONZEPT.md, KAMPAGNEN-AKTIVIERUNG.md, MONITORING-KONZEPT.md
- PROVISION-KONZEPT.md, TEMPLATE-EDITOR.md, WATCHDOG-KONZEPT.md
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
57 lines
1.5 KiB
YAML
57 lines
1.5 KiB
YAML
---
|
|
- name: Ensure signage user exists
|
|
ansible.builtin.user:
|
|
name: "{{ signage_user }}"
|
|
create_home: true
|
|
state: present
|
|
become: true
|
|
|
|
- name: Ensure .ssh directory exists for signage user
|
|
ansible.builtin.file:
|
|
path: "/home/{{ signage_user }}/.ssh"
|
|
state: directory
|
|
owner: "{{ signage_user }}"
|
|
group: "{{ signage_user }}"
|
|
mode: "0700"
|
|
become: true
|
|
|
|
- name: Deploy SSH public key for signage user
|
|
ansible.builtin.authorized_key:
|
|
user: "{{ signage_user }}"
|
|
key: "{{ signage_ssh_public_key }}"
|
|
state: present
|
|
become: true
|
|
when: signage_ssh_public_key | length > 0
|
|
|
|
- name: Ensure config directory exists
|
|
ansible.builtin.file:
|
|
path: "{{ signage_config_dir }}"
|
|
state: directory
|
|
owner: root
|
|
group: root
|
|
mode: "0755"
|
|
become: true
|
|
|
|
- name: Deploy vars.yml template for player config
|
|
ansible.builtin.template:
|
|
src: vars.yml.j2
|
|
dest: "{{ signage_config_dir }}/vars.yml"
|
|
owner: root
|
|
group: "{{ signage_user }}"
|
|
mode: "0640"
|
|
become: true
|
|
|
|
- name: Register screen at server via API
|
|
ansible.builtin.uri:
|
|
url: "{{ signage_server_base_url }}/api/v1/screens/register"
|
|
method: POST
|
|
body_format: json
|
|
body:
|
|
slug: "{{ screen_id }}"
|
|
name: "{{ screen_name | default(screen_id) }}"
|
|
orientation: "{{ screen_orientation | default('landscape') }}"
|
|
headers:
|
|
Content-Type: application/json
|
|
status_code: [200, 201]
|
|
delegate_to: localhost
|
|
when: screen_id is defined
|