feat: API-Endpoints für Phase 4 Block 1

- api/pages.php:
  - DELETE (oder POST ?delete=1) — Seite aus Bericht entfernen
    (source_path wird nur gelöscht wenn unter bericht/work/, damit
     Anhänge von Auftrag/Rechnung nicht mit rausfliegen)
  - POST {note, rotation} — Meta einer Seite updaten
  - POST ?action=signature&bericht_id=X + multipart file= — PNG
    Unterschrift als neue Seite am Bericht anhängen mit
    note='Unterschrift Kunde'
- api/pdf.php — liefert finales PDF oder on-the-fly Preview mit
  JWT-Auth (damit PWA das PDF direkt im <iframe> anzeigen kann)

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
[deploy]

api/pages.php

@@ -0,0 +1,94 @@
+<?php
+/* Page-Operationen für Bericht-Seiten (PWA).
+ *
+ * DELETE /api/pages.php?id=<page_id>    — Seite löschen
+ * POST   /api/pages.php?id=<page_id>    — Body { note: "..." }  — Notiz setzen
+ *                                         Body { rotation: 90 } — rotieren
+ * POST   /api/pages.php?action=signature&bericht_id=<id>
+ *        multipart: file=<PNG> — Unterschrift als neue Seite am Bericht anhängen
+ */
+require_once __DIR__.'/_inc.php';
+
+api_authenticate();
+global $db, $user;
+
+if (!$user->hasRight('bericht', 'write')) api_fail('Permission denied', 403);
+
+$method = $_SERVER['REQUEST_METHOD'];
+$action = $_GET['action'] ?? '';
+
+/* ---------- Unterschrift als neue Seite anhängen ---------- */
+if ($method === 'POST' && $action === 'signature') {
+    $bericht_id = (int) ($_GET['bericht_id'] ?? 0);
+    if (!$bericht_id) api_fail('bericht_id fehlt');
+    if (empty($_FILES['file']['tmp_name'])) api_fail('file fehlt');
+
+    $bericht = new Bericht($db);
+    if ($bericht->fetch($bericht_id) <= 0) api_fail('Bericht nicht gefunden', 404);
+
+    require_once DOL_DOCUMENT_ROOT.'/core/lib/files.lib.php';
+    $workdir = DOL_DATA_ROOT.'/bericht/work/'.$bericht_id;
+    if (!is_dir($workdir)) dol_mkdir($workdir);
+
+    $filename = 'signature_'.dol_print_date(dol_now(), '%Y%m%d_%H%M%S').'.png';
+    $target = $workdir.'/'.$filename;
+    if (!move_uploaded_file($_FILES['file']['tmp_name'], $target)) api_fail('Upload fehlgeschlagen', 500);
+    $relpath = str_replace(DOL_DATA_ROOT.'/', '', $target);
+
+    $resm = $db->query("SELECT COALESCE(MAX(page_order),0) AS m FROM ".$db->prefix()."bericht_page WHERE fk_bericht = ".$bericht_id);
+    $next = ($resm && ($o = $db->fetch_object($resm))) ? ((int) $o->m) + 1 : 1;
+
+    $page = new BerichtPage($db);
+    $page->fk_bericht  = $bericht_id;
+    $page->page_order  = $next;
+    $page->source_type = 'upload';
+    $page->source_path = $relpath;
+    $page->note        = 'Unterschrift Kunde';
+    if ($page->create() <= 0) api_fail('Page-Insert fehlgeschlagen', 500);
+
+    api_ok(array('page_id' => $page->id, 'filename' => $filename));
+}
+
+$page_id = (int) ($_GET['id'] ?? 0);
+if (!$page_id) api_fail('id fehlt');
+
+// Page laden + prüfen dass sie zum User-scope gehört (einfach: Admin oder Bericht-schreiben)
+$pres = $db->query("SELECT rowid, fk_bericht, source_path, source_type FROM ".$db->prefix()."bericht_page WHERE rowid = ".$page_id);
+if (!$pres || !($prow = $db->fetch_object($pres))) api_fail('Seite nicht gefunden', 404);
+
+/* ---------- DELETE page ---------- */
+if ($method === 'DELETE' || ($method === 'POST' && ($_GET['delete'] ?? '') === '1')) {
+    if (!$user->hasRight('bericht', 'delete')) api_fail('Permission denied', 403);
+
+    // Quell-Datei löschen nur wenn sie im bericht/work/ liegt (nicht bei Anhängen von Auftrag/Rechnung)
+    if ($prow->source_path && strpos($prow->source_path, 'bericht/work/') === 0) {
+        $full = bericht_resolve_data_path($prow->source_path);
+        if ($full && file_exists($full)) @unlink($full);
+    }
+    // Multi-Image-Slot-Einträge mit löschen
+    $db->query("DELETE FROM ".$db->prefix()."bericht_page_image WHERE fk_page = ".$page_id);
+    $db->query("DELETE FROM ".$db->prefix()."bericht_page WHERE rowid = ".$page_id);
+    api_ok();
+}
+
+/* ---------- UPDATE page (note, rotation) ---------- */
+if ($method === 'POST') {
+    $in = api_input();
+    $sets = array();
+    if (isset($in['note'])) {
+        $note = (string) $in['note'];
+        $sets[] = "note = ".($note !== '' ? "'".$db->escape($note)."'" : "NULL");
+    }
+    if (isset($in['rotation'])) {
+        $rot = (int) $in['rotation'];
+        $rot = (($rot % 360) + 360) % 360;
+        $sets[] = "rotation = ".$rot;
+    }
+    if (empty($sets)) api_fail('Nichts zu aktualisieren');
+
+    $sql = "UPDATE ".$db->prefix()."bericht_page SET ".implode(',', $sets)." WHERE rowid = ".$page_id;
+    if (!$db->query($sql)) api_fail($db->lasterror(), 500);
+    api_ok();
+}
+
+api_fail('Methode nicht unterstützt', 405);

api/pdf.php

@@ -0,0 +1,119 @@
+<?php
+/* GET /api/pdf.php?id=<bericht_id>&jwt=<token>
+ *   Liefert das finale PDF eines Berichts zur Anzeige/Download.
+ *   Wenn noch kein final_pdf_path existiert oder die Datei fehlt,
+ *   wird direkt eine temporäre Vorschau generiert (wie preview_pdf.php).
+ */
+if (!defined('NOLOGIN'))     define('NOLOGIN', '1');
+if (!defined('NOCSRFCHECK')) define('NOCSRFCHECK', '1');
+if (!defined('NOTOKENRENEWAL')) define('NOTOKENRENEWAL', '1');
+if (!defined('NOREQUIREMENU'))  define('NOREQUIREMENU', '1');
+if (!defined('NOREQUIREHTML'))  define('NOREQUIREHTML', '1');
+if (!defined('NOREQUIREAJAX'))  define('NOREQUIREAJAX', '1');
+
+$res = 0;
+if (!$res && !empty($_SERVER["CONTEXT_DOCUMENT_ROOT"])) $res = @include $_SERVER["CONTEXT_DOCUMENT_ROOT"]."/main.inc.php";
+$tmp = empty($_SERVER['SCRIPT_FILENAME']) ? '' : $_SERVER['SCRIPT_FILENAME']; $tmp2 = realpath(__FILE__); $i = strlen($tmp) - 1; $j = strlen($tmp2) - 1;
+while ($i > 0 && $j > 0 && isset($tmp[$i]) && isset($tmp2[$j]) && $tmp[$i] == $tmp2[$j]) { $i--; $j--; }
+if (!$res && $i > 0 && file_exists(substr($tmp, 0, ($i + 1))."/main.inc.php")) $res = @include substr($tmp, 0, ($i + 1))."/main.inc.php";
+if (!$res && $i > 0 && file_exists(dirname(substr($tmp, 0, ($i + 1)))."/main.inc.php")) $res = @include dirname(substr($tmp, 0, ($i + 1)))."/main.inc.php";
+if (!$res && file_exists("../../main.inc.php")) $res = @include "../../main.inc.php";
+if (!$res && file_exists("../../../main.inc.php")) $res = @include "../../../main.inc.php";
+if (!$res) die("Include of main fails");
+
+require_once __DIR__.'/_jwt.php';
+require_once __DIR__.'/../class/bericht.class.php';
+require_once __DIR__.'/../lib/bericht.lib.php';
+
+// JWT robust lesen
+$token_str = '';
+$hdr = $_SERVER['HTTP_AUTHORIZATION'] ?? ($_SERVER['REDIRECT_HTTP_AUTHORIZATION'] ?? '');
+if (!$hdr && function_exists('apache_request_headers')) {
+    foreach (apache_request_headers() as $k => $v) {
+        if (strcasecmp($k, 'Authorization') === 0) { $hdr = $v; break; }
+    }
+}
+if ($hdr && stripos($hdr, 'bearer ') === 0) $token_str = trim(substr($hdr, 7));
+if (!$token_str && !empty($_GET['jwt'])) $token_str = (string) $_GET['jwt'];
+
+$payload = $token_str ? bericht_jwt_decode($token_str) : null;
+if (!$payload || empty($payload['sub'])) {
+    http_response_code(401);
+    header('Content-Type: text/plain');
+    echo 'Token ungültig';
+    exit;
+}
+
+require_once DOL_DOCUMENT_ROOT.'/user/class/user.class.php';
+$u = new User($db);
+if ($u->fetch((int) $payload['sub']) <= 0 || empty($u->statut)) {
+    http_response_code(401);
+    exit;
+}
+$u->loadRights();
+if (!$u->hasRight('bericht', 'read')) {
+    http_response_code(403);
+    exit;
+}
+$user = $u;
+
+$id = (int) ($_GET['id'] ?? 0);
+if (!$id) { http_response_code(400); exit; }
+
+$bericht = new Bericht($db);
+if ($bericht->fetch($id) <= 0) { http_response_code(404); exit; }
+
+// Fertiges PDF ausliefern wenn vorhanden
+if ($bericht->final_pdf_path) {
+    $full = bericht_resolve_data_path($bericht->final_pdf_path);
+    if ($full && file_exists($full)) {
+        header('Content-Type: application/pdf');
+        header('Content-Length: '.filesize($full));
+        header('Cache-Control: private, max-age=60');
+        readfile($full);
+        exit;
+    }
+}
+
+// Sonst: on-the-fly Vorschau (wie preview_pdf.php)
+$parent = bericht_fetch_parent($db, $bericht->element_type, $bericht->fk_element);
+if (!$parent) { http_response_code(404); exit; }
+$pages = BerichtPage::fetchAllForBericht($db, $bericht->id);
+if (empty($pages)) { http_response_code(400); exit; }
+
+$tcpdf_loaded = false;
+foreach (array(
+    DOL_DOCUMENT_ROOT.'/includes/tecnickcom/tcpdf/tcpdf.php',
+    DOL_DOCUMENT_ROOT.'/includes/tcpdf/tcpdf.php',
+) as $p) { if (file_exists($p)) { require_once $p; $tcpdf_loaded = true; break; } }
+if (!$tcpdf_loaded) { http_response_code(500); exit; }
+
+$fpdi_loaded = false;
+foreach (array(
+    DOL_DOCUMENT_ROOT.'/includes/setasign/vendor/setasign/fpdi/src/Tcpdf/Fpdi.php',
+    DOL_DOCUMENT_ROOT.'/includes/fpdi/src/Tcpdf/Fpdi.php',
+) as $p) { if (file_exists($p)) { require_once $p; $fpdi_loaded = true; break; } }
+
+$ori = in_array($bericht->page_orientation, array('P','L'), true) ? $bericht->page_orientation : 'P';
+$fmt = in_array($bericht->page_format, array('A4','A3','A5','Letter'), true) ? $bericht->page_format : 'A4';
+
+$pdf = $fpdi_loaded
+    ? new \setasign\Fpdi\Tcpdf\Fpdi($ori, 'mm', $fmt, true, 'UTF-8', false)
+    : new TCPDF($ori, 'mm', $fmt, true, 'UTF-8', false);
+
+$pdf->SetCreator('Dolibarr Bericht (PWA Vorschau)');
+$pdf->SetAuthor($user->getFullName($langs ?? null));
+$pdf->SetTitle($bericht->titel ?: $bericht->ref);
+$pdf->SetMargins(10, 10, 10);
+$pdf->SetAutoPageBreak(true, 10);
+$pdf->setPrintHeader(false);
+$pdf->setPrintFooter(false);
+
+foreach ($pages as $page) {
+    bericht_render_page_to_pdf($pdf, $page, $ori, $fmt, $fpdi_loaded);
+}
+
+header('Content-Type: application/pdf');
+header('Cache-Control: no-store');
+$pdf->Output('bericht_'.$bericht->ref.'.pdf', 'I');
+exit;