From 7c79cd305a8fe938703fa398c7f7387053748164 Mon Sep 17 00:00:00 2001
From: wasrusgen
Date: Tue, 2 Jun 2026 07:05:04 +0300
Subject: [PATCH] =?UTF-8?q?security(crm):=20=D0=B7=D0=B0=D0=BA=D1=80=D1=8B?=
 =?UTF-8?q?=D1=82=D1=8C=20=D0=BE=D0=BF=D0=B5=D1=80=D0=B0=D1=82=D0=BE=D1=80?=
 =?UTF-8?q?=D1=81=D0=BA=D0=B8=D0=B5=20=D1=80=D0=BE=D1=83=D1=82=D1=8B=20+?=
 =?UTF-8?q?=20=D0=B0=D0=B2=D1=82=D0=BE-=D1=82=D0=BE=D0=BA=D0=B5=D0=BD=20?=
 =?UTF-8?q?=D0=BD=D0=B0=20=D0=B2=D1=81=D0=B5=20=D0=B2=D1=8B=D0=B7=D0=BE?=
 =?UTF-8?q?=D0=B2=D1=8B=20CRM?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

- gate /api/project/crm|tasks|approve|delete под is_operator() (только crm.html их зовёт)
- crm.html: обёртка window.fetch — X-Operator-Token на все /api/ вызовы оператора
---
 backend/elena_app.py | 8 ++++++++
 docs/crm.html | 8 ++++++++
 2 files changed, 16 insertions(+)

diff --git a/backend/elena_app.py b/backend/elena_app.py
index 11c98ec..ee9295a 100644
--- a/backend/elena_app.py
+++ b/backend/elena_app.py
@@ -994,6 +994,8 @@ def build_spec_client():
 @app.route("/api/project/crm", methods=["POST"])
 def update_crm():
+    if not is_operator():
+        return jsonify({"error": "unauthorized"}), 401
     data = request.get_json(force=True) or {}
     proj = get_project(data.get("token"))
     if not proj:
@@ -1409,6 +1411,8 @@ def payment_webhook():
 @app.route("/api/project/delete", methods=["POST"])
 def delete_project():
+    if not is_operator():
+        return jsonify({"error": "unauthorized"}), 401
     data = request.get_json(force=True) or {}
     proj = get_project(data.get("token"))
     if not proj:
@@ -1429,6 +1433,8 @@ def delete_project():
 @app.route("/api/project/tasks", methods=["POST"])
 def update_tasks():
+    if not is_operator():
+        return jsonify({"error": "unauthorized"}), 401
     data = request.get_json(force=True) or {}
     proj = get_project(data.get("token"))
     if not proj:
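Review bot: The operator gate is two hand-pasted lines under each `def` — here in update_crm, and identically in delete_project, update_tasks and approve_stage in the three following hunks — so nothing structural ensures the next /api/project route added to this file gets it; an `operator_required` decorator applied beneath each `@app.route` makes the gate declarative and auditable with a single grep. Placing the check before `request.get_json(force=True)` is the right order, since an unauthenticated caller then never reaches the JSON parser or `get_project`. `is_operator()` is defined outside every hunk; if it compares the X-Operator-Token header against the configured value with a plain `==`, `hmac.compare_digest` is the usual replacement for a timing-leaking comparison — confirm against its definition. Each handler's body continues past the end of its hunk.

```python
def operator_required(view):
    """Return 401 unless is_operator() accepts the request; otherwise run the view."""
    @functools.wraps(view)  # keeps the endpoint name, so Flask sees no duplicate; needs `import functools` at the top of the file
    def wrapped(*args, **kwargs):
        if not is_operator():
            return jsonify({"error": "unauthorized"}), 401
        return view(*args, **kwargs)
    return wrapped


@app.route("/api/project/crm", methods=["POST"])
@operator_required
def update_crm():
    # … unchanged: get_json, get_project lookup, rest of the handler …
```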
@@ -1439,6 +1445,8 @@ def update_tasks():
 @app.route("/api/project/approve", methods=["POST"])
 def approve_stage():
+    if not is_operator():
+        return jsonify({"error": "unauthorized"}), 401
     data = request.get_json(force=True) or {}
     proj = get_project(data.get("token"))
     if not proj:
diff --git a/docs/crm.html b/docs/crm.html
index d9f0f6e..7520165 100644
--- a/docs/crm.html
+++ b/docs/crm.html
@@ -215,6 +215,14 @@ function chips(cur,opts,fn){return opts.map(([k,n])=>`