CRITICAL BUG fixed:
- savePrompt() and activate/deactivate sent NO auth token
- Backend require_admin() therefore threw 401 Unauthorized
- Prompt editing did not work at all (even for admins)
Fix:
- Added X-Auth-Token header to both fetch() calls
- Token from localStorage as in other admin functions
Permission system CONFIRMED correct:
✅ Backend: only require_admin() may change prompts
✅ DB: ai_prompts has NO profile_id → universal
✅ Frontend: "Prompts" tab visible only for isAdmin
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
- Backend: POST /api/import/zip endpoint with validation and rollback
- CSV import with ON CONFLICT DO NOTHING for duplicate detection
- Photo import with existence check
- AI insights import
- Frontend: file upload UI in SettingsPage
- Import summary showing count per category
- Full transaction rollback on error
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
SettingsPage was still calling window.open() directly,
bypassing the auth-enabled fetch methods in api.js.
Changed buttons to use api.exportZip() and api.exportJson()
which properly include authentication headers.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Frontend was sending {email, pin} but backend expects {email, password}.
This caused 422 Unprocessable Entity errors.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>