Full name on comments

Reviewed-on: #14

.gitignore

@@ -12,6 +12,7 @@ keys/
 node_modules/
 package-lock.json
 package.json
+AGENT*.md
 # Diagram cache directory
 media/diagram_cache/
 .env

Documentation/ArgoCD.md

@@ -0,0 +1,241 @@
+# ArgoCD Configuration Documentation
+
+## Overview
+This directory contains the ArgoCD application manifests for deploying the VorgabenUI application and its dependencies to Kubernetes.
+
+## Files
+
+### Application Manifests
+
+#### `001_pvc.yaml`
+- **Purpose**: PersistentVolumeClaim for Django application data
+- **Storage**: 2Gi storage with ReadWriteMany access mode
+- **Storage Class**: Uses NFS storage class for shared storage across multiple pods
+- **Namespace**: vorgabenui
+
+#### `deployment.yaml`
+- **Purpose**: Main application deployment configuration
+- **Contains**: Django application container, environment variables, resource limits
+- **Replicas**: Configurable replica count for high availability
+
+#### `ingress.yaml`
+- **Purpose**: External access configuration
+- **Host**: Configurable hostname for the application
+- **TLS**: SSL/TLS termination configuration
+- **Backend**: Routes traffic to the Django application service
+
+#### `nfs-pv.yaml`
+- **Purpose**: PersistentVolume definition for NFS storage
+- **Server**: 192.168.17.199
+- **Path**: /mnt/user/vorgabenui
+- **Access**: ReadWriteMany for multi-pod access
+- **Reclaim Policy**: Retain (data preserved after PVC deletion)
+
+#### `nfs-storageclass.yaml`
+- **Purpose**: StorageClass definition for NFS volumes
+- **Provisioner**: kubernetes.io/no-provisioner (static provisioning)
+- **Volume Expansion**: Enabled for growing storage capacity
+- **Binding Mode**: Immediate (binds PV to PVC as soon as possible)
+
+#### `diagrammer.yaml`
+- **Purpose**: Deployment configuration for the diagram generation service
+- **Function**: Handles diagram creation and caching for the application
+
+## NFS Storage Configuration
+
+### Prerequisites
+1. NFS server must be running at 192.168.17.199
+2. The directory `/mnt/user/vorgabenui` must exist and be exported
+3. Kubernetes nodes must have NFS client utilities installed
+4. For MicroK8s: `microk8s enable nfs`
+
+## MicroK8s Addons Required
+
+### Required Addons
+Enable the following MicroK8s addons before deployment:
+
+```bash
+# Enable storage and NFS support
+sudo microk8s enable storage
+sudo microk8s enable nfs
+
+# Enable ingress for external access
+sudo microk8s enable ingress
+
+# Enable DNS for service discovery
+sudo microk8s enable dns
+
+# Optional: Enable metrics for monitoring
+sudo microk8s enable metrics-server
+```
+
+### Addon Descriptions
+
+#### `storage`
+- **Purpose**: Provides default storage class for persistent volumes
+- **Required for**: Basic PVC functionality
+- **Note**: Works alongside our custom NFS storage class
+
+#### `nfs`
+- **Purpose**: Installs NFS client utilities on all MicroK8s nodes
+- **Required for**: Mounting NFS volumes in pods
+- **Components**: Installs `nfs-common` package with mount helpers
+
+#### `ingress`
+- **Purpose**: Provides Ingress controller for external HTTP/HTTPS access
+- **Required for**: `ingress.yaml` to function properly
+- **Implementation**: Uses NGINX Ingress Controller
+
+#### `dns`
+- **Purpose**: Provides DNS service for service discovery within cluster
+- **Required for**: Inter-service communication
+- **Note**: Usually enabled by default in MicroK8s
+
+#### `metrics-server` (Optional)
+- **Purpose**: Enables resource usage monitoring
+- **Required for**: `kubectl top` commands and HPA (Horizontal Pod Autoscaling)
+- **Recommended for**: Production monitoring
+
+### Addon Verification
+After enabling addons, verify they are running:
+
+```bash
+# Check addon status
+microk8s status
+
+# Check pods in kube-system namespace
+microk8s kubectl get pods -n kube-system
+
+# Check storage classes
+microk8s kubectl get storageclass
+
+# Check ingress controller
+microk8s kubectl get pods -n ingress
+```
+
+### Troubleshooting Addons
+
+#### NFS Addon Issues
+```bash
+# Check if NFS utilities are installed
+which mount.nfs
+
+# Manually install if addon fails
+sudo apt update && sudo apt install nfs-common
+
+# Restart MicroK8s after manual installation
+sudo microk8s restart
+```
+
+#### Ingress Issues
+```bash
+# Check ingress controller pods
+microk8s kubectl get pods -n ingress
+
+# Check ingress services
+microk8s kubectl get svc -n ingress
+
+# Test ingress connectivity
+curl -k https://your-domain.com
+```
+
+#### Storage Issues
+```bash
+# List available storage classes
+microk8s kubectl get storageclass
+
+# Check default storage class
+microk8s kubectl get storageclass -o yaml
+```
+
+### Storage Architecture
+- **Storage Class**: `nfs` - Static provisioning for NFS shares
+- **Persistent Volume**: Pre-provisioned PV pointing to NFS server
+- **Persistent Volume Claim**: Claims the NFS storage for application use
+- **Access Mode**: ReadWriteMany allows multiple pods to access the same data
+
+### NFS Server Setup
+On the NFS server (192.168.17.199), ensure the following:
+
+```bash
+# Create the shared directory
+sudo mkdir -p /mnt/user/vorgabenui
+sudo chmod 755 /mnt/user/vorgabenui
+
+# Add to /etc/exports
+echo "/mnt/user/vorgabenui *(rw,sync,no_subtree_check,no_root_squash)" | sudo tee -a /etc/exports
+
+# Export the directory
+sudo exportfs -a
+sudo systemctl restart nfs-kernel-server
+```
+
+## Deployment Order
+
+1. **StorageClass** (`nfs-storageclass.yaml`) - Defines NFS storage class
+2. **PersistentVolume** (`nfs-pv.yaml`) - Creates the NFS volume
+3. **PersistentVolumeClaim** (`001_pvc.yaml`) - Claims storage for application
+4. **Application Deployments** (`deployment.yaml`, `diagrammer.yaml`) - Deploy application services
+5. **Ingress** (`ingress.yaml`) - Configure external access
+
+## Configuration Notes
+
+### Namespace
+All resources are deployed to the `vorgabenui` namespace.
+
+### Storage Sizing
+- Current allocation: 2Gi
+- Volume expansion is enabled through the StorageClass
+- Monitor usage and adjust PVC size as needed
+
+### Access Control
+- NFS export uses `no_root_squash` for container root access
+- Ensure proper network security between Kubernetes nodes and NFS server
+- Consider implementing network policies for additional security
+
+## Troubleshooting
+
+### Common Issues
+
+#### Mount Failures
+- **Error**: "bad option; for several filesystems you might need a /sbin/mount.<type> helper program"
+- **Solution**: Install NFS client utilities or enable NFS addon in MicroK8s
+
+#### Permission Issues
+- **Error**: Permission denied when accessing mounted volume
+- **Solution**: Check NFS export permissions and ensure `no_root_squash` is set
+
+#### Network Connectivity
+- **Error**: Connection timeout to NFS server
+- **Solution**: Verify network connectivity and firewall rules between nodes and NFS server
+
+### Debug Commands
+```bash
+# Check PVC status
+kubectl get pvc -n vorgabenui
+
+# Check PV status
+kubectl get pv
+
+# Describe PVC for detailed information
+kubectl describe pvc django-data-pvc -n vorgabenui
+
+# Check pod mount status
+kubectl describe pod <pod-name> -n vorgabenui
+```
+
+## Maintenance
+
+### Backup Strategy
+- The NFS server should have regular backups of `/mnt/user/vorgabenui`
+- Consider snapshot capabilities if using enterprise NFS solutions
+
+### Monitoring
+- Monitor NFS server performance and connectivity
+- Track storage usage and plan capacity upgrades
+- Monitor pod restarts related to storage issues
+
+### Updates
+- When updating storage configuration, update PV first, then PVC
+- Test changes in non-production environment first
+- Ensure backward compatibility when modifying NFS exports

Documentation/modelle_dokumente.md

@@ -0,0 +1,92 @@
+# Modelle (App: dokumente)
+
+Kurzbeschreibungen der Modelle in dokumente/models.py. 
+
+## Dokumententyp
+- Zweck: Kategorisierung von Dokumenten (z. B. Richtlinie, Verfahren).
+- Wichtige Felder: `name` (CharField, PK), `verantwortliche_ve` (CharField).
+- Besonderheiten: `__str__()` gibt `name` zurück.
+- Meta: `verbose_name` und `verbose_name_plural` gesetzt.
+
+## Person
+- Zweck: Repräsentiert Personen (Autoren, Prüfer).
+- Wichtige Felder: `name` (CharField, PK), `funktion` (CharField).
+- Beziehungen: Many-to-many mit Dokument über `autoren` und `pruefende`.
+- Besonderheiten: `__str__()` gibt `name` zurück; `ordering = ['name']`.
+- Meta: `verbose_name_plural = "Personen"`.
+
+## Thema
+- Zweck: Thematische Einordnung von Vorgaben.
+- Wichtige Felder: `name` (CharField, PK), `erklaerung` (TextField, optional).
+- Besonderheiten: `__str__()` gibt `name` zurück.
+
+## Dokument
+- Zweck: Hauptobjekt; ein einzelnes Dokument mit Metadaten.
+- Wichtige Felder:
+  - `nummer` (CharField, PK)
+  - `dokumententyp` (FK → Dokumententyp, on_delete=PROTECT)
+  - `name` (CharField)
+  - `autoren`, `pruefende` (ManyToManyField → Person)
+  - `gueltigkeit_von`, `gueltigkeit_bis` (DateField, optional)
+  - `aktiv` (BooleanField)
+  - `signatur_cso`, `anhaenge` (Metadaten)
+- Besonderheiten: `__str__()` formatiert als "nummer – name".
+- Meta: `verbose_name` / `verbose_name_plural`.
+
+## Vorgabe
+- Zweck: Einzelne Vorgabe / Anforderung innerhalb eines Dokuments.
+- Wichtige Felder:
+  - `order` (IntegerField) — Sortierreihenfolge
+  - `nummer` (IntegerField) — Nummer innerhalb Thema/Dokument
+  - `dokument` (FK → Dokument, CASCADE, related_name='vorgaben')
+  - `thema` (FK → Thema, PROTECT)
+  - `titel` (CharField)
+  - `referenzen` (M2M → Referenz, optional)
+  - `stichworte` (M2M → Stichwort, optional)
+  - `relevanz` (M2M → Rolle, optional)
+  - `gueltigkeit_von`, `gueltigkeit_bis` (Datum/Felder)
+- Beziehungen: zu Dokument, Thema, Referenzen, Stichworte, Rollen.
+- Wichtige Methoden:
+  - `Vorgabennummer()` — generiert eine lesbare Kennung (z. B. "DOK. T. N").
+  - `get_status(check_date, verbose)` — liefert "future", "active" oder "expired" oder eine deutsche Statusbeschreibung, abhängig von Gültigkeitsdaten.
+  - `sanity_check_vorgaben()` (static) — findet Konflikte zwischen Vorgaben mit gleicher Nummer/Thema/Dokument, deren Zeiträume sich überschneiden.
+  - `clean()` — ruft `find_conflicts()` auf und wirft ValidationError bei Konflikten.
+  - `find_conflicts()` — prüft Konflikte mit bestehenden Vorgaben (ohne sich selbst).
+  - `_date_ranges_intersect(...)` (static) — prüft, ob sich zwei Datumsbereiche überschneiden (None = offen).
+- Besonderheiten: `__str__()` gibt "Vorgabennummer: titel" zurück.
+- Meta: `ordering = ['order']`, `verbose_name_plural = "Vorgaben"`.
+
+## VorgabeLangtext, VorgabeKurztext
+- Zweck: Textabschnitts-Modelle, erben von `Textabschnitt` (aus abschnitte.models).
+- Wichtige Felder: je ein FK `abschnitt` → Vorgabe.
+- Besonderheit: konkrete Untertypen für Lang- und Kurztexte; Meta-`verbose_name` gesetzt.
+
+## Geltungsbereich, Einleitung
+- Zweck: Dokumentbezogene Textabschnitte (erben von `Textabschnitt`).
+- Wichtige Felder: FK zum `Dokument` (`geltungsbereich` bzw. `einleitung`).
+- Meta: `verbose_name`/`verbose_name_plural` gesetzt.
+
+## Checklistenfrage
+- Zweck: Einzelne Frage für Checklisten zu einer Vorgabe.
+- Wichtige Felder: `vorgabe` (FK → Vorgabe, related_name="checklistenfragen"), `frage` (CharField).
+- Besonderheiten: `__str__()` gibt `frage` zurück.
+
+## VorgabenTable
+- Zweck: Proxy-Modell für Vorgabe zur Darstellung (Tabellenansicht).
+- Besonderheiten: kein eigenes Schema; nur Meta-Attribute (`proxy = True`, `verbose_name`).
+
+## Changelog
+- Zweck: Änderungsverzeichnis-Eintrag für ein Dokument.
+- Wichtige Felder:
+  - `dokument` (FK → Dokument, related_name='changelog')
+  - `autoren` (M2M → Person)
+  - `datum` (DateField)
+  - `aenderung` (TextField)
+- Besonderheiten: `__str__()` formatiert als "datum – dokumentnummer".
+- Meta: `verbose_name` / `verbose_name_plural`.
+
+Hinweise zur Pflege
+- Wichtige Relationen nutzen häufig on_delete=PROTECT, um versehentliche Löschungen zu vermeiden.
+- Viele Modelle haben CharField-Primärschlüssel (z. B. `nummer`, `name`).
+- Validierungslogik für zeitliche Konflikte ist in Vorgabe implementiert (clean / find_conflicts).
+- Textabschnitt-Modelle erben Verhalten aus `abschnitte.models.Textabschnitt` — dort sind Anzeige- und Inhaltsregeln definiert.

Test Suite-DE.md

@@ -15,7 +15,7 @@ Dieses Dokument bietet einen umfassenden Überblick über alle Tests im vgui-cic
 
 ## abschnitte App Tests
 
-Die abschnitte App enthält 32 Tests, die Modelle, Utility-Funktionen, Diagram-Caching und Management-Befehle abdecken.
+Die abschnitte App enthält 33 Tests, die Modelle, Utility-Funktionen, Diagram-Caching, Management-Befehle und Sicherheit abdecken.
 
 ### Modell-Tests
 
@@ -58,6 +58,7 @@ Die abschnitte App enthält 32 Tests, die Modelle, Utility-Funktionen, Diagram-C
 - **test_render_text_with_footnotes**: Verarbeitet Text, der Fußnoten enthält
 - **test_render_abschnitt_without_type**: Behandelt Textabschnitte ohne AbschnittTyp
 - **test_render_abschnitt_with_empty_content**: Behandelt Textabschnitte mit leerem Inhalt
+- **test_render_textabschnitte_xss_prevention**: Überprüft, dass bösartiger HTML-Code und Skript-Tags aus gerenderten Inhalten bereinigt werden, um XSS-Angriffe zu verhindern
 
 ### Diagram-Caching-Tests
 
@@ -86,7 +87,7 @@ Die abschnitte App enthält 32 Tests, die Modelle, Utility-Funktionen, Diagram-C
 
 ## dokumente App Tests
 
-Die dokumente App enthält 98 Tests und ist damit die umfassendste Test-Suite, die alle Modelle, Views, URLs und Geschäftslogik abdeckt.
+Die dokumente App enthält 121 Tests und ist damit die umfassendste Test-Suite, die alle Modelle, Views, URLs, Geschäftslogik und Kommentarfunktionalität mit XSS-Schutz abdeckt.
 
 ### Modell-Tests
 
@@ -130,6 +131,14 @@ Die dokumente App enthält 98 Tests und ist damit die umfassendste Test-Suite, d
 - **test_checklistenfrage_str**: Überprüft, dass die String-Repräsentation lange Fragen kürzt
 - **test_checklistenfrage_related_name**: Testet die umgekehrte Beziehung von Vorgabe
 
+#### VorgabeCommentModelTest
+- **test_comment_creation**: Testet die Erstellung von VorgabeComment mit Vorgabe, Benutzer und Text
+- **test_comment_str**: Überprüft, dass die String-Repräsentation Benutzername und Vorgabennummer enthält
+- **test_comment_related_name**: Testet die umgekehrte Beziehung von Vorgabe
+- **test_comment_ordering**: Testet, dass Kommentare nach created_at absteigend sortiert sind (neueste zuerst)
+- **test_comment_timestamps_auto_update**: Testet, dass sich updated_at ändert, wenn ein Kommentar geändert wird
+- **test_multiple_users_can_comment**: Testet, dass mehrere Benutzer zur selben Vorgabe kommentieren können
+
 ### Text-Abschnitt-Tests
 
 #### DokumentTextAbschnitteTest
@@ -216,6 +225,40 @@ Die dokumente App enthält 98 Tests und ist damit die umfassendste Test-Suite, d
 - **test_vorgabe_links**: Testet, dass Vorgaben zu korrekten Admin-Seiten verlinken
 - **test_back_link**: Testet, dass der Zurück-Link zur Standardübersicht existiert
 
+### Kommentar-Funktionalität Tests
+
+#### GetVorgabeCommentsViewTest
+- **test_get_comments_requires_login**: Testet, dass anonyme Benutzer keine Kommentare sehen können und weitergeleitet werden
+- **test_regular_user_sees_only_own_comments**: Testet, dass normale Benutzer nur ihre eigenen Kommentare sehen
+- **test_staff_user_sees_all_comments**: Testet, dass Staff-Benutzer alle Kommentare sehen können
+- **test_get_comments_returns_404_for_nonexistent_vorgabe**: Testet 404-Antwort für nicht existierende Vorgabe
+- **test_comments_are_html_escaped**: Testet HTML-Escaping zur Verhinderung von XSS-Angriffen (z.B. `<script>`-Tags)
+- **test_line_breaks_preserved**: Testet, dass Zeilenumbrüche in `<br>`-Tags umgewandelt werden
+- **test_security_headers_present**: Testet, dass Content-Security-Policy und X-Content-Type-Options Header gesetzt sind
+
+#### AddVorgabeCommentViewTest
+- **test_add_comment_requires_login**: Testet, dass anonyme Benutzer keine Kommentare hinzufügen können
+- **test_add_comment_requires_post**: Testet, dass nur POST-Methode erlaubt ist (405 für GET)
+- **test_add_comment_success**: Testet erfolgreiche Kommentarerstellung mit gültigen Daten
+- **test_add_empty_comment_fails**: Testet, dass leere Kommentare mit 400-Fehler abgelehnt werden
+- **test_add_whitespace_only_comment_fails**: Testet, dass Kommentare nur mit Leerzeichen abgelehnt werden
+- **test_add_too_long_comment_fails**: Testet, dass Kommentare über 2000 Zeichen abgelehnt werden
+- **test_add_comment_xss_script_tag_blocked**: Testet, dass Kommentare mit `<script>`-Tags blockiert werden
+- **test_add_comment_xss_javascript_protocol_blocked**: Testet, dass `javascript:`-Protokoll blockiert wird
+- **test_add_comment_xss_event_handlers_blocked**: Testet, dass Event-Handler (onload, onerror, onclick, onmouseover) blockiert werden
+- **test_add_comment_invalid_json_fails**: Testet, dass ungültige JSON-Payloads abgelehnt werden
+- **test_add_comment_nonexistent_vorgabe_fails**: Testet 404-Antwort für nicht existierende Vorgabe
+- **test_add_comment_security_headers**: Testet, dass Sicherheits-Header in Antworten vorhanden sind
+
+#### DeleteVorgabeCommentViewTest
+- **test_delete_comment_requires_login**: Testet, dass anonyme Benutzer keine Kommentare löschen können
+- **test_delete_comment_requires_post**: Testet, dass nur POST-Methode erlaubt ist (405 für GET)
+- **test_user_can_delete_own_comment**: Testet, dass Benutzer ihre eigenen Kommentare löschen können
+- **test_user_cannot_delete_other_users_comment**: Testet, dass Benutzer keine Kommentare anderer löschen können (403 Forbidden)
+- **test_staff_can_delete_any_comment**: Testet, dass Staff-Benutzer jeden Kommentar löschen können
+- **test_delete_nonexistent_comment_returns_404**: Testet 404-Antwort für nicht existierenden Kommentar
+- **test_delete_comment_security_headers**: Testet, dass Sicherheits-Header in Antworten vorhanden sind
+
 ---
 
 ## pages App Tests
@@ -332,9 +375,17 @@ Die stichworte App enthält 18 Tests, die Schlüsselwortmodelle und ihre Sortier
 
 ## Test-Statistiken
 
-- **Gesamt-Tests**: 206
-- **abschnitte**: 32 Tests
-- **dokumente**: 116 Tests (98 in tests.py + 9 in test_json.py + 9 JSON-Tests in Haupt-tests.py)
+- **Gesamt-Tests**: 230
+- **abschnitte**: 33 Tests (einschließlich XSS-Prävention)
+- **dokumente**: 121 Tests (einschließlich Kommentarfunktionalität mit XSS-Schutz)
+  - Modell-Tests: 44 Tests
+  - View-Tests: 7 Tests
+  - URL-Pattern-Tests: 4 Tests
+  - Sanity-Check-Tests: 16 Tests
+  - Management-Befehl-Tests: 2 Tests
+  - JSON-Export-Tests: 9 Tests
+  - Unvollständige-Vorgaben-Tests: 15 Tests
+  - Kommentar-Tests: 24 Tests (6 Modell + 18 View-Tests)
 - **pages**: 4 Tests
 - **referenzen**: 18 Tests
 - **rollen**: 18 Tests
@@ -348,6 +399,17 @@ Die stichworte App enthält 18 Tests, die Schlüsselwortmodelle und ihre Sortier
 4. **Utility-Funktionen**: Textverarbeitung, Caching, Formatierung
 5. **Management-Befehle**: CLI-Schnittstelle und Ausgabeverarbeitung
 6. **Integration**: App-übergreifende Funktionalität und Datenfluss
+7. **Sicherheit**: 
+   - XSS-Prävention durch HTML-Bereinigung beim Rendern von Inhalten
+   - XSS-Angriffsverhinderung im Kommentarsystem (Script-Tags, javascript:-Protokoll, Event-Handler)
+   - Eingabevalidierung und -bereinigung
+   - Autorisierungsprüfungen (Staff vs. normale Benutzer)
+   - Sicherheits-Header (Content-Security-Policy, X-Content-Type-Options)
+8. **Kommentar-Funktionalität**:
+   - CRUD-Operationen (Create, Read, Delete)
+   - Benutzerberechtigungen und -besitz
+   - HTML-Escaping und Erhalt von Zeilenumbrüchen
+   - Verhinderung mehrerer XSS-Angriffsvektoren
 
 ## Ausführen der Tests
 

Test suite.md

@@ -15,7 +15,7 @@ This document provides a comprehensive overview of all tests in the vgui-cicd Dj
 
 ## abschnitte App Tests
 
-The abschnitte app contains 32 tests covering models, utility functions, diagram caching, and management commands.
+The abschnitte app contains 33 tests covering models, utility functions, diagram caching, management commands, and security.
 
 ### Model Tests
 
@@ -58,6 +58,7 @@ The abschnitte app contains 32 tests covering models, utility functions, diagram
 - **test_render_text_with_footnotes**: Processes text containing footnotes
 - **test_render_abschnitt_without_type**: Handles Textabschnitte without AbschnittTyp
 - **test_render_abschnitt_with_empty_content**: Handles Textabschnitte with empty content
+- **test_render_textabschnitte_xss_prevention**: Verifies that malicious HTML and script tags are sanitized from rendered content to prevent XSS attacks
 
 ### Diagram Caching Tests
 
@@ -86,7 +87,7 @@ The abschnitte app contains 32 tests covering models, utility functions, diagram
 
 ## dokumente App Tests
 
-The dokumente app contains 98 tests, making it the most comprehensive test suite, covering all models, views, URLs, and business logic.
+The dokumente app contains 121 tests, making it the most comprehensive test suite, covering all models, views, URLs, business logic, and comment functionality with XSS protection.
 
 ### Model Tests
 
@@ -130,6 +131,14 @@ The dokumente app contains 98 tests, making it the most comprehensive test suite
 - **test_checklistenfrage_str**: Verifies string representation truncates long questions
 - **test_checklistenfrage_related_name**: Tests the reverse relationship from Vorgabe
 
+#### VorgabeCommentModelTest
+- **test_comment_creation**: Tests VorgabeComment creation with vorgabe, user, and text
+- **test_comment_str**: Verifies string representation includes username and Vorgabennummer
+- **test_comment_related_name**: Tests the reverse relationship from Vorgabe
+- **test_comment_ordering**: Tests comments are ordered by created_at descending (newest first)
+- **test_comment_timestamps_auto_update**: Tests that updated_at changes when comment is modified
+- **test_multiple_users_can_comment**: Tests multiple users can comment on same Vorgabe
+
 ### Text Abschnitt Tests
 
 #### DokumentTextAbschnitteTest
@@ -216,6 +225,40 @@ The dokumente app contains 98 tests, making it the most comprehensive test suite
 - **test_vorgabe_links**: Tests Vorgaben link to correct admin pages
 - **test_back_link**: Tests back link to standard list exists
 
+### Comment Functionality Tests
+
+#### GetVorgabeCommentsViewTest
+- **test_get_comments_requires_login**: Tests anonymous users cannot view comments and are redirected
+- **test_regular_user_sees_only_own_comments**: Tests regular users only see their own comments
+- **test_staff_user_sees_all_comments**: Tests staff users can see all comments
+- **test_get_comments_returns_404_for_nonexistent_vorgabe**: Tests 404 response for non-existent Vorgabe
+- **test_comments_are_html_escaped**: Tests HTML escaping prevents XSS attacks (e.g., `<script>` tags)
+- **test_line_breaks_preserved**: Tests line breaks are converted to `<br>` tags
+- **test_security_headers_present**: Tests Content-Security-Policy and X-Content-Type-Options headers are set
+
+#### AddVorgabeCommentViewTest
+- **test_add_comment_requires_login**: Tests anonymous users cannot add comments
+- **test_add_comment_requires_post**: Tests only POST method is allowed (405 for GET)
+- **test_add_comment_success**: Tests successful comment creation with valid data
+- **test_add_empty_comment_fails**: Tests empty comments are rejected with 400 error
+- **test_add_whitespace_only_comment_fails**: Tests whitespace-only comments are rejected
+- **test_add_too_long_comment_fails**: Tests comments exceeding 2000 characters are rejected
+- **test_add_comment_xss_script_tag_blocked**: Tests comments with `<script>` tags are blocked
+- **test_add_comment_xss_javascript_protocol_blocked**: Tests `javascript:` protocol is blocked
+- **test_add_comment_xss_event_handlers_blocked**: Tests event handlers (onload, onerror, onclick, onmouseover) are blocked
+- **test_add_comment_invalid_json_fails**: Tests invalid JSON payloads are rejected
+- **test_add_comment_nonexistent_vorgabe_fails**: Tests 404 response for non-existent Vorgabe
+- **test_add_comment_security_headers**: Tests security headers are present in responses
+
+#### DeleteVorgabeCommentViewTest
+- **test_delete_comment_requires_login**: Tests anonymous users cannot delete comments
+- **test_delete_comment_requires_post**: Tests only POST method is allowed (405 for GET)
+- **test_user_can_delete_own_comment**: Tests users can delete their own comments
+- **test_user_cannot_delete_other_users_comment**: Tests users cannot delete others' comments (403 Forbidden)
+- **test_staff_can_delete_any_comment**: Tests staff users can delete any comment
+- **test_delete_nonexistent_comment_returns_404**: Tests 404 response for non-existent comment
+- **test_delete_comment_security_headers**: Tests security headers are present in responses
+
 ---
 
 ## pages App Tests
@@ -332,9 +375,17 @@ The stichworte app contains 18 tests covering keyword models and their ordering.
 
 ## Test Statistics
 
-- **Total Tests**: 206
-- **abschnitte**: 32 tests
-- **dokumente**: 116 tests (98 in tests.py + 9 in test_json.py + 9 JSON tests in main tests.py)
+- **Total Tests**: 230
+- **abschnitte**: 33 tests (including XSS prevention)
+- **dokumente**: 121 tests (including comment functionality with XSS protection)
+  - Model tests: 44 tests
+  - View tests: 7 tests
+  - URL pattern tests: 4 tests
+  - Sanity check tests: 16 tests
+  - Management command tests: 2 tests
+  - JSON export tests: 9 tests
+  - Incomplete Vorgaben tests: 15 tests
+  - Comment tests: 24 tests (6 model + 18 view tests)
 - **pages**: 4 tests
 - **referenzen**: 18 tests
 - **rollen**: 18 tests
@@ -348,6 +399,17 @@ The stichworte app contains 18 tests covering keyword models and their ordering.
 4. **Utility Functions**: Text processing, caching, formatting
 5. **Management Commands**: CLI interface and output handling
 6. **Integration**: Cross-app functionality and data flow
+7. **Security**: 
+   - XSS prevention through HTML sanitization in content rendering
+   - XSS attack prevention in comment system (script tags, javascript: protocol, event handlers)
+   - Input validation and sanitization
+   - Authorization checks (staff vs. regular users)
+   - Security headers (Content-Security-Policy, X-Content-Type-Options)
+8. **Comment Functionality**:
+   - CRUD operations (Create, Read, Delete)
+   - User permissions and ownership
+   - HTML escaping and line break preservation
+   - Multiple XSS attack vector prevention
 
 ## Running the Tests
 

VorgabenUI/settings.py

@@ -28,12 +28,6 @@ DEBUG = True
 
 ALLOWED_HOSTS = ["10.128.128.144","localhost","127.0.0.1","*"]
 
-TEMPLATES = [
-        {"BACKEND": "django.template.backends.django.DjangoTemplates",
-        "APP_DIRS": True,
-        }
-]
-
 # Application definition
 
 INSTALLED_APPS = [
@@ -152,6 +146,11 @@ DEFAULT_AUTO_FIELD = 'django.db.models.BigAutoField'
 DATA_UPLOAD_MAX_NUMBER_FIELDS=10250
 NESTED_ADMIN_LAZY_INLINES = True
 
+# Authentication settings
+LOGIN_URL = 'login'
+LOGIN_REDIRECT_URL = '/'
+LOGOUT_REDIRECT_URL = 'login'
+
 #LOGGING = {
 #    "version": 1,
 #    "handlers"  :{

VorgabenUI/urls.py

@@ -18,6 +18,7 @@ from django.contrib import admin
 from django.urls import include, path, re_path
 from django.conf import settings
 from django.conf.urls.static import static
+from django.contrib.auth import views as auth_views
 import dokumente.views
 import pages.views
 import referenzen.views
@@ -32,6 +33,11 @@ urlpatterns = [
     path('stichworte/', include("stichworte.urls")),
     path('referenzen/', referenzen.views.tree, name="referenz_tree"),
     path('referenzen/<str:refid>/', referenzen.views.detail, name="referenz_detail"),
+    # Authentication URLs
+    path('login/', auth_views.LoginView.as_view(template_name='registration/login.html'), name='login'),
+    path('logout/', auth_views.LogoutView.as_view(next_page='/'), name='logout'),
+    path('password_change/', auth_views.PasswordChangeView.as_view(template_name='registration/password_change.html', success_url='/'), name='password_change'),
+    path('password_change/done/', auth_views.PasswordChangeDoneView.as_view(template_name='registration/password_change_done.html'), name='password_change_done'),
 ]
 
 # Serve static files

abschnitte/tests.py

@@ -467,6 +467,32 @@ A -> B
         typ, html = result[0]
         self.assertEqual(typ, "text")
 
+    def test_render_textabschnitte_xss_prevention(self):
+        """Test that malicious HTML is sanitized in rendered content"""
+        from dokumente.models import VorgabeLangtext
+
+        # Create content with malicious HTML
+        malicious_abschnitt = VorgabeLangtext.objects.create(
+            abschnitt=self.vorgabe,
+            abschnitttyp=self.typ_text,
+            inhalt='<script>alert("xss")</script><img src=x onerror=alert(1)>Normal text',
+            order=1
+        )
+
+        result = render_textabschnitte(VorgabeLangtext.objects.filter(pk=malicious_abschnitt.pk))
+
+        self.assertEqual(len(result), 1)
+        typ, html = result[0]
+        self.assertEqual(typ, "text")
+
+        # Dangerous tags and attributes should be removed or sanitized
+        self.assertNotIn('<script>', html)  # Script tags should not be present unescaped
+        self.assertNotIn('onerror', html)   # Dangerous attributes removed
+        # Note: 'alert' may still be present in escaped script tags, which is safe
+
+        # Safe content should remain
+        self.assertIn('Normal text', html)
+
 
 class MdTableToHtmlTest(TestCase):
     """Test cases for md_table_to_html function"""

abschnitte/utils.py

@@ -4,12 +4,34 @@ import zlib
 import re
 from textwrap import dedent
 from django.conf import settings
+import bleach
 
 # Import the caching function
 from diagramm_proxy.diagram_cache import get_cached_diagram
 
 DIAGRAMMSERVER="/diagramm"
 
+# Allowed HTML tags for bleach sanitization
+ALLOWED_TAGS = [
+    'p', 'br', 'strong', 'em', 'u', 'h1', 'h2', 'h3', 'h4', 'h5', 'h6',
+    'ul', 'ol', 'li', 'blockquote', 'code', 'pre', 'hr',
+    'table', 'thead', 'tbody', 'tr', 'th', 'td',
+    'img', 'a', 'sup', 'sub', 'span', 'div'
+]
+
+ALLOWED_ATTRIBUTES = {
+    'img': ['src', 'alt', 'width', 'height'],
+    'a': ['href', 'title'],
+    'span': ['class'],
+    'div': ['class'],
+    'p': ['class'],
+    'table': ['class'],
+    'th': ['colspan', 'rowspan', 'class'],
+    'td': ['colspan', 'rowspan', 'class'],
+    'pre': ['class'],
+    'code': ['class'],
+}
+
 def render_textabschnitte(queryset):
     """
     Converts a queryset of Textabschnitt-like models into a list of (typ, html) tuples.
@@ -52,6 +74,8 @@ def render_textabschnitte(queryset):
             html += "</code></pre>"
         else:
             html = markdown(inhalt, extensions=['tables', 'attr_list','footnotes'])
+        # Sanitize HTML to prevent XSS
+        html = bleach.clean(html, tags=ALLOWED_TAGS, attributes=ALLOWED_ATTRIBUTES)
         output.append((typ, html))
     return output
 

argocd/001_pvc.yaml

@@ -5,7 +5,8 @@ metadata:
   namespace: vorgabenui
 spec:
   accessModes:
-    - ReadWriteOnce
+    - ReadWriteMany
+  storageClassName: nfs
   resources:
     requests:
       storage: 2Gi

argocd/deployment.yaml

@@ -18,14 +18,14 @@ spec:
         fsGroupChangePolicy: "OnRootMismatch"
       initContainers:
         - name: loader
-          image: git.baumann.gr/adebaumann/vui-data-loader:0.9
+          image: git.baumann.gr/adebaumann/vui-data-loader:0.10
           command: [ "sh","-c","cp -n preload/preload.sqlite3 /data/db.sqlite3; chown -R 999:999 /data; ls -la /data; sleep 10; exit 0" ]
           volumeMounts:
             - name: data
               mountPath: /data
       containers:
         - name: web
-          image: git.baumann.gr/adebaumann/vui:0.952-oblique
+          image: git.baumann.gr/adebaumann/vui:0.960
           imagePullPolicy: Always
           ports:
             - containerPort: 8000
@@ -63,6 +63,8 @@ spec:
   selector:
     app: django
   ports:
-    - port: 8000
+    - name: http
+      protocol: TCP
+      port: 8000
       targetPort: 8000
 

argocd/ingress.yaml

@@ -4,8 +4,9 @@ metadata:
   name: django
   namespace: vorgabenui
   annotations:
-    traefik.ingress.kubernetes.io/router.middlewares: "vorgabenui-vorgabenui-rewrite@kubernetescrd"
+    argocd.argoproj.io/ignore-healthcheck: "true"
 spec:
+  ingressClassName: traefik
   rules:
     - host: vorgabenportal.knowyoursecurity.com
       http:

argocd/nfs-pv.yaml

@@ -0,0 +1,15 @@
+apiVersion: v1
+kind: PersistentVolume
+metadata:
+  name: django-data-pv
+  namespace: vorgabenui
+spec:
+  capacity:
+    storage: 2Gi
+  accessModes:
+    - ReadWriteMany
+  persistentVolumeReclaimPolicy: Retain
+  storageClassName: nfs
+  nfs:
+    server: 192.168.17.199
+    path: /mnt/user/vorgabenui

argocd/nfs-storageclass.yaml

@@ -0,0 +1,8 @@
+apiVersion: storage.k8s.io/v1
+kind: StorageClass
+metadata:
+  name: nfs
+provisioner: kubernetes.io/no-provisioner
+allowVolumeExpansion: true
+reclaimPolicy: Retain
+volumeBindingMode: Immediate

argocd/traefik-middleware.yaml

@@ -1,9 +0,0 @@
-apiVersion: traefik.containo.us/v1alpha1
-kind: Middleware
-metadata:
-  name: vorgabenui-rewrite
-  namespace: vorgabenui
-spec:
-  stripPrefix:
-    prefixes:
-      - "/"

dokumente/admin.py

@@ -293,6 +293,6 @@ class VorgabeAdmin(NestedModelAdmin):
 
 admin.site.register(Checklistenfrage)
 admin.site.register(Dokumententyp)
-#admin.site.register(Person)
+admin.site.register(VorgabeComment)
 
 #admin.site.register(Changelog)

dokumente/migrations/0010_vorgabentable_alter_person_options_vorgabecomment.py

@@ -0,0 +1,49 @@
+# Generated by Django 5.2.5 on 2025-11-27 22:02
+
+import django.db.models.deletion
+from django.conf import settings
+from django.db import migrations, models
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ('dokumente', '0009_alter_vorgabe_options_vorgabe_order'),
+        migrations.swappable_dependency(settings.AUTH_USER_MODEL),
+    ]
+
+    operations = [
+        migrations.CreateModel(
+            name='VorgabenTable',
+            fields=[
+            ],
+            options={
+                'verbose_name': 'Vorgabe (Tabellenansicht)',
+                'verbose_name_plural': 'Vorgaben (Tabellenansicht)',
+                'proxy': True,
+                'indexes': [],
+                'constraints': [],
+            },
+            bases=('dokumente.vorgabe',),
+        ),
+        migrations.AlterModelOptions(
+            name='person',
+            options={'ordering': ['name'], 'verbose_name_plural': 'Personen'},
+        ),
+        migrations.CreateModel(
+            name='VorgabeComment',
+            fields=[
+                ('id', models.BigAutoField(auto_created=True, primary_key=True, serialize=False, verbose_name='ID')),
+                ('text', models.TextField()),
+                ('created_at', models.DateTimeField(auto_now_add=True)),
+                ('updated_at', models.DateTimeField(auto_now=True)),
+                ('user', models.ForeignKey(on_delete=django.db.models.deletion.CASCADE, to=settings.AUTH_USER_MODEL)),
+                ('vorgabe', models.ForeignKey(on_delete=django.db.models.deletion.CASCADE, related_name='comments', to='dokumente.vorgabe')),
+            ],
+            options={
+                'verbose_name': 'Vorgabe-Kommentar',
+                'verbose_name_plural': 'Vorgabe-Kommentare',
+                'ordering': ['-created_at'],
+            },
+        ),
+    ]

dokumente/models.py

@@ -1,5 +1,6 @@
 from django.db import models
 from mptt.models import MPTTModel, TreeForeignKey
+from django.contrib.auth.models import User
 from abschnitte.models import Textabschnitt
 from stichworte.models import Stichwort
 from referenzen.models import Referenz
@@ -261,3 +262,19 @@ class Changelog(models.Model):
     class Meta:
         verbose_name_plural="Changelog"
         verbose_name="Changelog-Eintrag"
+
+
+class VorgabeComment(models.Model):
+    vorgabe = models.ForeignKey(Vorgabe, on_delete=models.CASCADE, related_name='comments')
+    user = models.ForeignKey(User, on_delete=models.CASCADE)
+    text = models.TextField()
+    created_at = models.DateTimeField(auto_now_add=True)
+    updated_at = models.DateTimeField(auto_now=True)
+
+    class Meta:
+        verbose_name = "Vorgabe-Kommentar"
+        verbose_name_plural = "Vorgabe-Kommentare"
+        ordering = ['-created_at']
+
+    def __str__(self):
+        return f"Kommentar von {self.user.username} zu {self.vorgabe.Vorgabennummer()}"

dokumente/templates/standards/incomplete_vorgaben.html

@@ -105,13 +105,13 @@
 {% else %}
     <div class="alert alert-success" role="alert">
         <h4 class="alert-heading">
-            <i class="fas fa-check-circle"></i> Alle Vorgaben sind vollständig!
+            <span class="emoji-icon">✅</span> Alle Vorgaben sind vollständig!
         </h4>
         <p>Alle Vorgaben haben Referenzen, Stichworte, Text und Checklistenfragen.</p>
         <hr>
         <p class="mb-0">
             <a href="{% url 'standard_list' %}" class="btn btn-primary">
-                <i class="fas fa-list"></i> Zurück zur Übersicht
+                <span class="emoji-icon">📋</span> Zurück zur Übersicht
             </a>
         </p>
     </div>
@@ -119,7 +119,7 @@
 
 <div class="mt-3">
     <a href="{% url 'standard_list' %}" class="btn btn-secondary">
-        <i class="fas fa-arrow-left"></i> Zurück zur Übersicht
+        <span class="emoji-icon">←</span> Zurück zur Übersicht
     </a>
 </div>
 

dokumente/templates/standards/standard_detail.html

@@ -19,37 +19,13 @@
     <strong>Historische Version vom {{ standard.check_date }}</strong>
   </div>
   {% endif %}
-
-  <!-- Metadata -->
-  <div class="row mb-4">
-    <div class="col-md-12">
-      <dl class="row">
-        <dt class="col-sm-3">Autoren:</dt>
-        <dd class="col-sm-9">{{ standard.autoren.all|join:", " }}</dd>
-
-        <dt class="col-sm-3">Prüfende:</dt>
-        <dd class="col-sm-9">{{ standard.pruefende.all|join:", " }}</dd>
-
-        <dt class="col-sm-3">Gültigkeit:</dt>
-        <dd class="col-sm-9">{{ standard.gueltigkeit_von }} bis {{ standard.gueltigkeit_bis|default_if_none:"auf weiteres" }}</dd>
-      </dl>
-      <p>
-        <a href="{% url 'standard_json' standard.nummer %}"
-           class="btn btn-secondary icon icon--before icon--download"
-           download="{{ standard.nummer }}.json">
-          JSON herunterladen
-        </a>
-      </p>
-    </div>
-  </div>
-
   <!-- Einleitung -->
   {% if standard.einleitung_html %}
   <div class="row mb-4">
     <div class="col-md-12">
       <div class="card">
         <div class="card-header">
-          <h2 class="h4 mb-0">Einleitung</h2>
+          <h2>Einleitung</h2>
         </div>
         <div class="card-body">
           {% for typ, html in standard.einleitung_html %}
@@ -67,7 +43,7 @@
     <div class="col-md-12">
       <div class="card">
         <div class="card-header">
-          <h2 class="h4 mb-0">Geltungsbereich</h2>
+          <h2>Geltungsbereich</h2>
         </div>
         <div class="card-body">
           {% for typ, html in standard.geltungsbereich_html %}
@@ -97,7 +73,7 @@
       <a id="{{ vorgabe.Vorgabennummer }}"></a>
       <div class="card mb-4">
         <div class="card-header" style="display: flex; justify-content: space-between; align-items: center;">
-          <h3 class="h5 mb-0">
+          <h3>
             {{ vorgabe.Vorgabennummer }} – {{ vorgabe.titel }}
             {% if vorgabe.long_status != "active" and standard.history == True %}
             <span class="badge badge-danger">{{ vorgabe.long_status }}</span>
@@ -147,7 +123,7 @@
           {% endif %}
 
           <!-- Stichworte und Referenzen -->
-          <div class="mt-4 p-3" style="background-color: #f8f9fa; border-left: 3px solid #dee2e6;">
+          <div class="mt-4 p-3" style="background-color: #f8f9fa; border-left: 3px solid #dee2e6; padding-left: 0.5en;">
             <p class="mb-2">
               <strong>Stichworte:</strong>
               {% if vorgabe.stichworte.all %}
@@ -169,11 +145,255 @@
               {% endif %}
             </p>
           </div>
+
+          <!-- Comment Button -->
+          {% if user.is_authenticated %}
+          <div class="mt-3 text-right">
+            <button class="btn btn-sm btn-outline-primary comment-btn" 
+                    data-vorgabe-id="{{ vorgabe.id }}" 
+                    data-vorgabe-nummer="{{ vorgabe.Vorgabennummer }}">
+              <span class="emoji-icon">💬</span> Kommentare
+              {% if vorgabe.comment_count > 0 %}
+              <span class="comment-count">{{ vorgabe.comment_count }}</span>
+              {% endif %}
+            </button>
+          </div>
+          {% endif %}
         </div>
       </div>
     </div>
   </div>
   {% endif %}
   {% endfor %}
+  <!-- Metadata -->
+
+  <h2>Metadaten</h2>
+  <div class="row mb-4">
+    <div class="col-md-12">
+      <dl class="row">
+        <dt class="col-sm-3">Autoren:</dt>
+        <dd class="col-sm-9">{{ standard.autoren.all|join:", " }}</dd>
+
+        <dt class="col-sm-3">Prüfende:</dt>
+        <dd class="col-sm-9">{{ standard.pruefende.all|join:", " }}</dd>
+
+        <dt class="col-sm-3">Gültigkeit:</dt>
+        <dd class="col-sm-9">{{ standard.gueltigkeit_von }} bis {{ standard.gueltigkeit_bis|default_if_none:"auf weiteres" }}</dd>
+      </dl>
+      <p>
+        <a href="{% url 'standard_json' standard.nummer %}"
+           class="btn btn-secondary icon icon--before icon--download"
+           download="{{ standard.nummer }}.json">
+          JSON herunterladen
+        </a>
+      </p>
+    </div>
+  </div>
 </div>
+
+<!-- Comment Modal -->
+<div class="modal fade" id="commentModal" tabindex="-1" role="dialog" aria-labelledby="commentModalLabel" aria-hidden="true">
+  <div class="modal-dialog modal-lg" role="document">
+    <div class="modal-content">
+      <div class="modal-header">
+        <h5 class="modal-title" id="commentModalLabel">Kommentare für <span id="modalVorgabeNummer"></span></h5>
+        <button type="button" class="close" data-dismiss="modal" aria-label="Close">
+          <span aria-hidden="true">&times;</span>
+        </button>
+      </div>
+      <div class="modal-body">
+        <div id="commentsContainer">
+          <!-- Comments will be loaded here -->
+        </div>
+        
+        <!-- Add Comment Form -->
+        <div class="mt-4">
+          <h6>Neuen Kommentar hinzufügen:</h6>
+          <textarea id="newCommentText" class="form-control" rows="3" placeholder="Ihr Kommentar..."></textarea>
+          <button id="addCommentBtn" class="btn btn-primary btn-sm mt-2">Kommentar hinzufügen</button>
+        </div>
+      </div>
+    </div>
+  </div>
+</div>
+
+<!-- JavaScript for Comments -->
+<script>
+// Content Security Policy for comment system
+document.addEventListener('DOMContentLoaded', function() {
+  // Prevent inline script execution in dynamically loaded content
+  const commentsContainer = document.getElementById('commentsContainer');
+  if (commentsContainer) {
+    // Use DOMPurify-like approach - only allow safe HTML
+    const allowedTags = ['br', 'small', 'div', 'span', 'button'];
+    const allowedAttributes = ['class', 'data-comment-id', 'aria-hidden'];
+    
+    // Monitor for any script injection attempts
+    const observer = new MutationObserver(function(mutations) {
+      mutations.forEach(function(mutation) {
+        mutation.addedNodes.forEach(function(node) {
+          if (node.nodeType === 1) { // Element node
+            const tagName = node.tagName.toLowerCase();
+            if (tagName === 'script') {
+              console.warn('Script injection attempt blocked');
+              node.parentNode.removeChild(node);
+            }
+          }
+        });
+      });
+    });
+    
+    observer.observe(commentsContainer, {
+      childList: true,
+      subtree: true
+    });
+  }
+});
+document.addEventListener('DOMContentLoaded', function() {
+  let currentVorgabeId = null;
+  let currentVorgabeNummer = null;
+  
+  // Comment button click handler
+  document.querySelectorAll('.comment-btn').forEach(btn => {
+    btn.addEventListener('click', function() {
+      currentVorgabeId = this.dataset.vorgabeId;
+      currentVorgabeNummer = this.dataset.vorgabeNummer;
+      
+      document.getElementById('modalVorgabeNummer').textContent = currentVorgabeNummer;
+      document.getElementById('newCommentText').value = '';
+      
+      loadComments();
+      $('#commentModal').modal('show');
+    });
+  });
+  
+  // Load comments function
+  function loadComments() {
+    fetch(`/dokumente/comments/${currentVorgabeId}/`)
+      .then(response => response.json())
+      .then(data => {
+        renderComments(data.comments);
+      })
+      .catch(error => {
+        console.error('Error loading comments:', error);
+        document.getElementById('commentsContainer').innerHTML = 
+          '<div class="alert alert-danger">Fehler beim Laden der Kommentare</div>';
+      });
+  }
+  
+  // Render comments function
+  function renderComments(comments) {
+    const container = document.getElementById('commentsContainer');
+    
+    if (comments.length === 0) {
+      container.innerHTML = '<p class="text-muted">Noch keine Kommentare vorhanden.</p>';
+      return;
+    }
+    
+    let html = '';
+    comments.forEach(comment => {
+      const canDelete = comment.is_own || {% if user.is_authenticated %}'{{ user.is_staff|yesno:"true,false" }}'{% else %}'false'{% endif %} === 'true';
+      html += `
+        <div class="comment-item border-bottom pb-2 mb-2">
+          <div class="d-flex justify-content-between align-items-start">
+            <div class="flex-grow-1">
+              <strong>${comment.user}</strong>
+              <small class="text-muted">(${comment.created_at})</small>
+              ${comment.updated_at !== comment.created_at ? `<small class="text-muted">(bearbeitet: ${comment.updated_at})</small>` : ''}
+              <div class="mt-1">${comment.text}</div>
+            </div>
+            ${canDelete ? `
+              <button class="btn btn-sm btn-outline-danger ml-2 delete-comment-btn" data-comment-id="${comment.id}">
+<span aria-hidden="true">&times;</span>
+              </button>
+            ` : ''}
+          </div>
+        </div>
+      `;
+    });
+    
+    container.innerHTML = html;
+    
+    // Add delete handlers
+    document.querySelectorAll('.delete-comment-btn').forEach(btn => {
+      btn.addEventListener('click', function() {
+        if (confirm('Möchten Sie diesen Kommentar wirklich löschen?')) {
+          deleteComment(this.dataset.commentId);
+        }
+      });
+    });
+  }
+  
+  // Add comment function
+  document.getElementById('addCommentBtn').addEventListener('click', function() {
+    const text = document.getElementById('newCommentText').value.trim();
+    
+    if (!text) {
+      alert('Bitte geben Sie einen Kommentar ein.');
+      return;
+    }
+    
+    fetch(`/dokumente/comments/${currentVorgabeId}/add/`, {
+      method: 'POST',
+      headers: {
+        'Content-Type': 'application/json',
+        'X-CSRFToken': getCookie('csrftoken')
+      },
+      body: JSON.stringify({ text: text })
+    })
+    .then(response => response.json())
+    .then(data => {
+      if (data.success) {
+        document.getElementById('newCommentText').value = '';
+        loadComments();
+      } else {
+        alert('Fehler: ' + (data.error || 'Unbekannter Fehler'));
+      }
+    })
+    .catch(error => {
+      console.error('Error adding comment:', error);
+      alert('Fehler beim Hinzufügen des Kommentars');
+    });
+  });
+  
+  // Delete comment function
+  function deleteComment(commentId) {
+    fetch(`/dokumente/comments/delete/${commentId}/`, {
+      method: 'POST',
+      headers: {
+        'X-CSRFToken': getCookie('csrftoken')
+      }
+    })
+    .then(response => response.json())
+    .then(data => {
+      if (data.success) {
+        loadComments();
+      } else {
+        alert('Fehler: ' + (data.error || 'Unbekannter Fehler'));
+      }
+    })
+    .catch(error => {
+      console.error('Error deleting comment:', error);
+      alert('Fehler beim Löschen des Kommentars');
+    });
+  }
+  
+  // CSRF token helper
+  function getCookie(name) {
+    let cookieValue = null;
+    if (document.cookie && document.cookie !== '') {
+      const cookies = document.cookie.split(';');
+      for (let i = 0; i < cookies.length; i++) {
+        const cookie = cookies[i].trim();
+        if (cookie.substring(0, name.length + 1) === (name + '=')) {
+          cookieValue = decodeURIComponent(cookie.substring(name.length + 1));
+          break;
+        }
+      }
+    }
+    return cookieValue;
+  }
+});
+</script>
+
 {% endblock %}

dokumente/tests.py

@@ -7,7 +7,7 @@ from io import StringIO
 from .models import (
     Dokumententyp, Person, Thema, Dokument, Vorgabe,
     VorgabeLangtext, VorgabeKurztext, Geltungsbereich,
-    Einleitung, Checklistenfrage, Changelog
+    Einleitung, Checklistenfrage, Changelog, VorgabeComment
 )
 from .utils import check_vorgabe_conflicts, date_ranges_intersect, format_conflict_report
 from abschnitte.models import AbschnittTyp
@@ -1506,3 +1506,669 @@ class StandardJSONViewTest(TestCase):
         # Check that JSON is properly indented (should be formatted)
         self.assertIn('\n', response.content.decode())
         self.assertIn('  ', response.content.decode())  # Check for indentation
+
+
+class VorgabeCommentModelTest(TestCase):
+    """Test cases for VorgabeComment model"""
+    
+    def setUp(self):
+        """Set up test data for comment tests"""
+        self.user = User.objects.create_user(
+            username='testuser',
+            password='testpass123'
+        )
+        
+        self.dokumententyp = Dokumententyp.objects.create(
+            name="Test Typ",
+            verantwortliche_ve="Test VE"
+        )
+        
+        self.thema = Thema.objects.create(
+            name="Test Thema"
+        )
+        
+        self.dokument = Dokument.objects.create(
+            nummer="COMM-001",
+            dokumententyp=self.dokumententyp,
+            name="Comment Test Document",
+            aktiv=True
+        )
+        
+        self.vorgabe = Vorgabe.objects.create(
+            order=1,
+            nummer=1,
+            dokument=self.dokument,
+            thema=self.thema,
+            titel="Test Vorgabe",
+            gueltigkeit_von=date.today()
+        )
+        
+        self.comment = VorgabeComment.objects.create(
+            vorgabe=self.vorgabe,
+            user=self.user,
+            text="Dies ist ein Testkommentar"
+        )
+    
+    def test_comment_creation(self):
+        """Test that VorgabeComment is created correctly"""
+        self.assertEqual(self.comment.vorgabe, self.vorgabe)
+        self.assertEqual(self.comment.user, self.user)
+        self.assertEqual(self.comment.text, "Dies ist ein Testkommentar")
+        self.assertIsNotNone(self.comment.created_at)
+        self.assertIsNotNone(self.comment.updated_at)
+    
+    def test_comment_str(self):
+        """Test string representation of VorgabeComment"""
+        expected = f"Kommentar von {self.user.username} zu {self.vorgabe.Vorgabennummer()}"
+        self.assertEqual(str(self.comment), expected)
+    
+    def test_comment_related_name(self):
+        """Test related name works correctly"""
+        self.assertIn(self.comment, self.vorgabe.comments.all())
+    
+    def test_comment_ordering(self):
+        """Test comments are ordered by created_at descending"""
+        comment2 = VorgabeComment.objects.create(
+            vorgabe=self.vorgabe,
+            user=self.user,
+            text="Zweiter Kommentar"
+        )
+        
+        comments = list(self.vorgabe.comments.all())
+        self.assertEqual(comments[0], comment2)  # Newest first
+        self.assertEqual(comments[1], self.comment)
+    
+    def test_comment_timestamps_auto_update(self):
+        """Test that updated_at changes when comment is modified"""
+        original_updated_at = self.comment.updated_at
+        
+        # Wait a tiny bit and update
+        import time
+        time.sleep(0.01)
+        
+        self.comment.text = "Updated text"
+        self.comment.save()
+        
+        self.assertNotEqual(self.comment.updated_at, original_updated_at)
+        self.assertEqual(self.comment.text, "Updated text")
+    
+    def test_multiple_users_can_comment(self):
+        """Test multiple users can comment on same Vorgabe"""
+        user2 = User.objects.create_user(
+            username='testuser2',
+            password='testpass123'
+        )
+        
+        comment2 = VorgabeComment.objects.create(
+            vorgabe=self.vorgabe,
+            user=user2,
+            text="Kommentar von anderem Benutzer"
+        )
+        
+        self.assertEqual(self.vorgabe.comments.count(), 2)
+        self.assertIn(self.comment, self.vorgabe.comments.all())
+        self.assertIn(comment2, self.vorgabe.comments.all())
+
+
+class GetVorgabeCommentsViewTest(TestCase):
+    """Test cases for get_vorgabe_comments view"""
+    
+    def setUp(self):
+        """Set up test data"""
+        self.client = Client()
+        
+        # Create users
+        self.regular_user = User.objects.create_user(
+            username='regularuser',
+            password='testpass123'
+        )
+        
+        self.staff_user = User.objects.create_user(
+            username='staffuser',
+            password='testpass123'
+        )
+        self.staff_user.is_staff = True
+        self.staff_user.save()
+        
+        self.other_user = User.objects.create_user(
+            username='otheruser',
+            password='testpass123'
+        )
+        
+        # Create test data
+        self.dokumententyp = Dokumententyp.objects.create(
+            name="Test Typ",
+            verantwortliche_ve="Test VE"
+        )
+        
+        self.thema = Thema.objects.create(name="Test Thema")
+        
+        self.dokument = Dokument.objects.create(
+            nummer="COMM-001",
+            dokumententyp=self.dokumententyp,
+            name="Comment Test",
+            aktiv=True
+        )
+        
+        self.vorgabe = Vorgabe.objects.create(
+            order=1,
+            nummer=1,
+            dokument=self.dokument,
+            thema=self.thema,
+            titel="Test Vorgabe",
+            gueltigkeit_von=date.today()
+        )
+        
+        # Create comments from different users
+        self.comment1 = VorgabeComment.objects.create(
+            vorgabe=self.vorgabe,
+            user=self.regular_user,
+            text="Kommentar von Regular User"
+        )
+        
+        self.comment2 = VorgabeComment.objects.create(
+            vorgabe=self.vorgabe,
+            user=self.other_user,
+            text="Kommentar von Other User"
+        )
+    
+    def test_get_comments_requires_login(self):
+        """Test that anonymous users cannot view comments"""
+        url = reverse('get_vorgabe_comments', kwargs={'vorgabe_id': self.vorgabe.id})
+        response = self.client.get(url)
+        
+        # Should redirect to login
+        self.assertEqual(response.status_code, 302)
+        self.assertIn('/login/', response.url)
+    
+    def test_regular_user_sees_only_own_comments(self):
+        """Test that regular users only see their own comments"""
+        self.client.login(username='regularuser', password='testpass123')
+        
+        url = reverse('get_vorgabe_comments', kwargs={'vorgabe_id': self.vorgabe.id})
+        response = self.client.get(url)
+        
+        self.assertEqual(response.status_code, 200)
+        self.assertEqual(response['Content-Type'], 'application/json')
+        
+        import json
+        data = json.loads(response.content)
+        
+        # Should only see their own comment
+        self.assertEqual(len(data['comments']), 1)
+        self.assertEqual(data['comments'][0]['text'], 'Kommentar von Regular User')
+        self.assertEqual(data['comments'][0]['user'], 'regularuser')
+        self.assertTrue(data['comments'][0]['is_own'])
+    
+    def test_staff_user_sees_all_comments(self):
+        """Test that staff users see all comments"""
+        self.client.login(username='staffuser', password='testpass123')
+        
+        url = reverse('get_vorgabe_comments', kwargs={'vorgabe_id': self.vorgabe.id})
+        response = self.client.get(url)
+        
+        self.assertEqual(response.status_code, 200)
+        
+        import json
+        data = json.loads(response.content)
+        
+        # Should see all comments
+        self.assertEqual(len(data['comments']), 2)
+        usernames = [c['user'] for c in data['comments']]
+        self.assertIn('regularuser', usernames)
+        self.assertIn('otheruser', usernames)
+    
+    def test_get_comments_returns_404_for_nonexistent_vorgabe(self):
+        """Test that requesting comments for non-existent Vorgabe returns 404"""
+        self.client.login(username='regularuser', password='testpass123')
+        
+        url = reverse('get_vorgabe_comments', kwargs={'vorgabe_id': 99999})
+        response = self.client.get(url)
+        
+        self.assertEqual(response.status_code, 404)
+    
+    def test_comments_are_html_escaped(self):
+        """Test that comments are properly HTML escaped"""
+        # Create comment with HTML
+        comment = VorgabeComment.objects.create(
+            vorgabe=self.vorgabe,
+            user=self.regular_user,
+            text="Test <script>alert('xss')</script> comment"
+        )
+        
+        self.client.login(username='regularuser', password='testpass123')
+        
+        url = reverse('get_vorgabe_comments', kwargs={'vorgabe_id': self.vorgabe.id})
+        response = self.client.get(url)
+        
+        import json
+        data = json.loads(response.content)
+        
+        # Find the comment with script tag
+        script_comment = [c for c in data['comments'] if 'script' in c['text'].lower()][0]
+        
+        # Should be escaped
+        self.assertIn('&lt;script&gt;', script_comment['text'])
+        self.assertNotIn('<script>', script_comment['text'])
+    
+    def test_line_breaks_preserved(self):
+        """Test that line breaks are converted to <br> tags"""
+        comment = VorgabeComment.objects.create(
+            vorgabe=self.vorgabe,
+            user=self.regular_user,
+            text="Line 1\nLine 2\nLine 3"
+        )
+        
+        self.client.login(username='regularuser', password='testpass123')
+        
+        url = reverse('get_vorgabe_comments', kwargs={'vorgabe_id': self.vorgabe.id})
+        response = self.client.get(url)
+        
+        import json
+        data = json.loads(response.content)
+        
+        # Find the multiline comment
+        multiline_comment = [c for c in data['comments'] if 'Line 1' in c['text']][0]
+        
+        # Should contain <br> tags
+        self.assertIn('<br>', multiline_comment['text'])
+        self.assertIn('Line 1<br>Line 2<br>Line 3', multiline_comment['text'])
+    
+    def test_security_headers_present(self):
+        """Test that security headers are present in response"""
+        self.client.login(username='regularuser', password='testpass123')
+        
+        url = reverse('get_vorgabe_comments', kwargs={'vorgabe_id': self.vorgabe.id})
+        response = self.client.get(url)
+        
+        self.assertIn('Content-Security-Policy', response)
+        self.assertIn('X-Content-Type-Options', response)
+        self.assertEqual(response['X-Content-Type-Options'], 'nosniff')
+
+
+class AddVorgabeCommentViewTest(TestCase):
+    """Test cases for add_vorgabe_comment view"""
+    
+    def setUp(self):
+        """Set up test data"""
+        self.client = Client()
+        
+        self.user = User.objects.create_user(
+            username='testuser',
+            password='testpass123'
+        )
+        
+        self.dokumententyp = Dokumententyp.objects.create(
+            name="Test Typ",
+            verantwortliche_ve="Test VE"
+        )
+        
+        self.thema = Thema.objects.create(name="Test Thema")
+        
+        self.dokument = Dokument.objects.create(
+            nummer="COMM-001",
+            dokumententyp=self.dokumententyp,
+            name="Comment Test",
+            aktiv=True
+        )
+        
+        self.vorgabe = Vorgabe.objects.create(
+            order=1,
+            nummer=1,
+            dokument=self.dokument,
+            thema=self.thema,
+            titel="Test Vorgabe",
+            gueltigkeit_von=date.today()
+        )
+    
+    def test_add_comment_requires_login(self):
+        """Test that anonymous users cannot add comments"""
+        url = reverse('add_vorgabe_comment', kwargs={'vorgabe_id': self.vorgabe.id})
+        response = self.client.post(url, 
+            data='{"text": "Test comment"}',
+            content_type='application/json'
+        )
+        
+        # Should redirect to login
+        self.assertEqual(response.status_code, 302)
+    
+    def test_add_comment_requires_post(self):
+        """Test that only POST method is allowed"""
+        self.client.login(username='testuser', password='testpass123')
+        
+        url = reverse('add_vorgabe_comment', kwargs={'vorgabe_id': self.vorgabe.id})
+        response = self.client.get(url)
+        
+        # Should return method not allowed
+        self.assertEqual(response.status_code, 405)
+    
+    def test_add_comment_success(self):
+        """Test successful comment addition"""
+        self.client.login(username='testuser', password='testpass123')
+        
+        url = reverse('add_vorgabe_comment', kwargs={'vorgabe_id': self.vorgabe.id})
+        response = self.client.post(url,
+            data='{"text": "Dies ist ein neuer Kommentar"}',
+            content_type='application/json'
+        )
+        
+        self.assertEqual(response.status_code, 200)
+        
+        import json
+        data = json.loads(response.content)
+        
+        self.assertTrue(data['success'])
+        self.assertEqual(data['comment']['text'], 'Dies ist ein neuer Kommentar')
+        self.assertEqual(data['comment']['user'], 'testuser')
+        self.assertTrue(data['comment']['is_own'])
+        
+        # Verify comment was created in database
+        self.assertEqual(VorgabeComment.objects.count(), 1)
+        comment = VorgabeComment.objects.first()
+        self.assertEqual(comment.text, 'Dies ist ein neuer Kommentar')
+        self.assertEqual(comment.user, self.user)
+    
+    def test_add_empty_comment_fails(self):
+        """Test that empty comments are rejected"""
+        self.client.login(username='testuser', password='testpass123')
+        
+        url = reverse('add_vorgabe_comment', kwargs={'vorgabe_id': self.vorgabe.id})
+        response = self.client.post(url,
+            data='{"text": ""}',
+            content_type='application/json'
+        )
+        
+        self.assertEqual(response.status_code, 400)
+        
+        import json
+        data = json.loads(response.content)
+        
+        self.assertIn('error', data)
+        self.assertIn('leer', data['error'].lower())
+        
+        # No comment should be created
+        self.assertEqual(VorgabeComment.objects.count(), 0)
+    
+    def test_add_whitespace_only_comment_fails(self):
+        """Test that whitespace-only comments are rejected"""
+        self.client.login(username='testuser', password='testpass123')
+        
+        url = reverse('add_vorgabe_comment', kwargs={'vorgabe_id': self.vorgabe.id})
+        response = self.client.post(url,
+            data='{"text": "   \\n\\t  "}',
+            content_type='application/json'
+        )
+        
+        self.assertEqual(response.status_code, 400)
+        self.assertEqual(VorgabeComment.objects.count(), 0)
+    
+    def test_add_too_long_comment_fails(self):
+        """Test that comments exceeding max length are rejected"""
+        self.client.login(username='testuser', password='testpass123')
+        
+        long_text = "a" * 2001  # Over the 2000 character limit
+        
+        url = reverse('add_vorgabe_comment', kwargs={'vorgabe_id': self.vorgabe.id})
+        response = self.client.post(url,
+            data=f'{{"text": "{long_text}"}}',
+            content_type='application/json'
+        )
+        
+        self.assertEqual(response.status_code, 400)
+        
+        import json
+        data = json.loads(response.content)
+        
+        self.assertIn('error', data)
+        self.assertIn('lang', data['error'].lower())
+        
+        # No comment should be created
+        self.assertEqual(VorgabeComment.objects.count(), 0)
+    
+    def test_add_comment_xss_script_tag_blocked(self):
+        """Test that comments with <script> tags are blocked"""
+        self.client.login(username='testuser', password='testpass123')
+        
+        url = reverse('add_vorgabe_comment', kwargs={'vorgabe_id': self.vorgabe.id})
+        response = self.client.post(url,
+            data='{"text": "Test <script>alert(\\"xss\\")</script> comment"}',
+            content_type='application/json'
+        )
+        
+        self.assertEqual(response.status_code, 400)
+        
+        import json
+        data = json.loads(response.content)
+        
+        self.assertIn('error', data)
+        self.assertIn('ungültige', data['error'].lower())
+        
+        # No comment should be created
+        self.assertEqual(VorgabeComment.objects.count(), 0)
+    
+    def test_add_comment_xss_javascript_protocol_blocked(self):
+        """Test that comments with javascript: protocol are blocked"""
+        self.client.login(username='testuser', password='testpass123')
+        
+        url = reverse('add_vorgabe_comment', kwargs={'vorgabe_id': self.vorgabe.id})
+        response = self.client.post(url,
+            data='{"text": "Click <a href=\\"javascript:alert(1)\\">here</a>"}',
+            content_type='application/json'
+        )
+        
+        self.assertEqual(response.status_code, 400)
+        self.assertEqual(VorgabeComment.objects.count(), 0)
+    
+    def test_add_comment_xss_event_handlers_blocked(self):
+        """Test that comments with event handlers are blocked"""
+        dangerous_inputs = [
+            'Test onload=alert(1) comment',
+            'Test onerror=alert(1) comment',
+            'Test onclick=alert(1) comment',
+            'Test onmouseover=alert(1) comment'
+        ]
+        
+        self.client.login(username='testuser', password='testpass123')
+        url = reverse('add_vorgabe_comment', kwargs={'vorgabe_id': self.vorgabe.id})
+        
+        for dangerous_input in dangerous_inputs:
+            response = self.client.post(url,
+                data=f'{{"text": "{dangerous_input}"}}',
+                content_type='application/json'
+            )
+            
+            self.assertEqual(response.status_code, 400)
+        
+        # No comments should be created
+        self.assertEqual(VorgabeComment.objects.count(), 0)
+    
+    def test_add_comment_invalid_json_fails(self):
+        """Test that invalid JSON is rejected"""
+        self.client.login(username='testuser', password='testpass123')
+        
+        url = reverse('add_vorgabe_comment', kwargs={'vorgabe_id': self.vorgabe.id})
+        response = self.client.post(url,
+            data='invalid json',
+            content_type='application/json'
+        )
+        
+        self.assertEqual(response.status_code, 400)
+        
+        import json
+        data = json.loads(response.content)
+        
+        self.assertIn('error', data)
+        self.assertIn('Ungültige', data['error'])
+    
+    def test_add_comment_nonexistent_vorgabe_fails(self):
+        """Test that adding comment to non-existent Vorgabe returns 404"""
+        self.client.login(username='testuser', password='testpass123')
+        
+        url = reverse('add_vorgabe_comment', kwargs={'vorgabe_id': 99999})
+        response = self.client.post(url,
+            data='{"text": "Test comment"}',
+            content_type='application/json'
+        )
+        
+        self.assertEqual(response.status_code, 404)
+    
+    def test_add_comment_security_headers(self):
+        """Test that security headers are present in response"""
+        self.client.login(username='testuser', password='testpass123')
+        
+        url = reverse('add_vorgabe_comment', kwargs={'vorgabe_id': self.vorgabe.id})
+        response = self.client.post(url,
+            data='{"text": "Test comment"}',
+            content_type='application/json'
+        )
+        
+        self.assertIn('Content-Security-Policy', response)
+        self.assertIn('X-Content-Type-Options', response)
+        self.assertEqual(response['X-Content-Type-Options'], 'nosniff')
+
+
+class DeleteVorgabeCommentViewTest(TestCase):
+    """Test cases for delete_vorgabe_comment view"""
+    
+    def setUp(self):
+        """Set up test data"""
+        self.client = Client()
+        
+        self.user = User.objects.create_user(
+            username='testuser',
+            password='testpass123'
+        )
+        
+        self.other_user = User.objects.create_user(
+            username='otheruser',
+            password='testpass123'
+        )
+        
+        self.staff_user = User.objects.create_user(
+            username='staffuser',
+            password='testpass123'
+        )
+        self.staff_user.is_staff = True
+        self.staff_user.save()
+        
+        self.dokumententyp = Dokumententyp.objects.create(
+            name="Test Typ",
+            verantwortliche_ve="Test VE"
+        )
+        
+        self.thema = Thema.objects.create(name="Test Thema")
+        
+        self.dokument = Dokument.objects.create(
+            nummer="COMM-001",
+            dokumententyp=self.dokumententyp,
+            name="Comment Test",
+            aktiv=True
+        )
+        
+        self.vorgabe = Vorgabe.objects.create(
+            order=1,
+            nummer=1,
+            dokument=self.dokument,
+            thema=self.thema,
+            titel="Test Vorgabe",
+            gueltigkeit_von=date.today()
+        )
+        
+        self.comment = VorgabeComment.objects.create(
+            vorgabe=self.vorgabe,
+            user=self.user,
+            text="Test comment to delete"
+        )
+    
+    def test_delete_comment_requires_login(self):
+        """Test that anonymous users cannot delete comments"""
+        url = reverse('delete_vorgabe_comment', kwargs={'comment_id': self.comment.id})
+        response = self.client.post(url)
+        
+        # Should redirect to login
+        self.assertEqual(response.status_code, 302)
+        
+        # Comment should still exist
+        self.assertTrue(VorgabeComment.objects.filter(id=self.comment.id).exists())
+    
+    def test_delete_comment_requires_post(self):
+        """Test that only POST method is allowed"""
+        self.client.login(username='testuser', password='testpass123')
+        
+        url = reverse('delete_vorgabe_comment', kwargs={'comment_id': self.comment.id})
+        response = self.client.get(url)
+        
+        # Should return method not allowed
+        self.assertEqual(response.status_code, 405)
+    
+    def test_user_can_delete_own_comment(self):
+        """Test that users can delete their own comments"""
+        self.client.login(username='testuser', password='testpass123')
+        
+        url = reverse('delete_vorgabe_comment', kwargs={'comment_id': self.comment.id})
+        response = self.client.post(url)
+        
+        self.assertEqual(response.status_code, 200)
+        
+        import json
+        data = json.loads(response.content)
+        
+        self.assertTrue(data['success'])
+        
+        # Comment should be deleted
+        self.assertFalse(VorgabeComment.objects.filter(id=self.comment.id).exists())
+    
+    def test_user_cannot_delete_other_users_comment(self):
+        """Test that users cannot delete other users' comments"""
+        self.client.login(username='otheruser', password='testpass123')
+        
+        url = reverse('delete_vorgabe_comment', kwargs={'comment_id': self.comment.id})
+        response = self.client.post(url)
+        
+        self.assertEqual(response.status_code, 403)
+        
+        import json
+        data = json.loads(response.content)
+        
+        self.assertIn('error', data)
+        self.assertIn('Berechtigung', data['error'])
+        
+        # Comment should still exist
+        self.assertTrue(VorgabeComment.objects.filter(id=self.comment.id).exists())
+    
+    def test_staff_can_delete_any_comment(self):
+        """Test that staff users can delete any comment"""
+        self.client.login(username='staffuser', password='testpass123')
+        
+        url = reverse('delete_vorgabe_comment', kwargs={'comment_id': self.comment.id})
+        response = self.client.post(url)
+        
+        self.assertEqual(response.status_code, 200)
+        
+        import json
+        data = json.loads(response.content)
+        
+        self.assertTrue(data['success'])
+        
+        # Comment should be deleted
+        self.assertFalse(VorgabeComment.objects.filter(id=self.comment.id).exists())
+    
+    def test_delete_nonexistent_comment_returns_404(self):
+        """Test that deleting non-existent comment returns 404"""
+        self.client.login(username='testuser', password='testpass123')
+        
+        url = reverse('delete_vorgabe_comment', kwargs={'comment_id': 99999})
+        response = self.client.post(url)
+        
+        self.assertEqual(response.status_code, 404)
+    
+    def test_delete_comment_security_headers(self):
+        """Test that security headers are present in response"""
+        self.client.login(username='testuser', password='testpass123')
+        
+        url = reverse('delete_vorgabe_comment', kwargs={'comment_id': self.comment.id})
+        response = self.client.post(url)
+        
+        self.assertIn('Content-Security-Policy', response)
+        self.assertIn('X-Content-Type-Options', response)
+        self.assertEqual(response['X-Content-Type-Options'], 'nosniff')

dokumente/urls.py

@@ -8,6 +8,9 @@ urlpatterns = [
     path('<str:nummer>/history/<str:check_date>/', views.standard_detail),
     path('<str:nummer>/history/', views.standard_detail, {"check_date":"today"}, name='standard_history'),
     path('<str:nummer>/checkliste/', views.standard_checkliste, name='standard_checkliste'),
-    path('<str:nummer>/json/', views.standard_json, name='standard_json')
+    path('<str:nummer>/json/', views.standard_json, name='standard_json'),
+    path('comments/<int:vorgabe_id>/', views.get_vorgabe_comments, name='get_vorgabe_comments'),
+    path('comments/<int:vorgabe_id>/add/', views.add_vorgabe_comment, name='add_vorgabe_comment'),
+    path('comments/delete/<int:comment_id>/', views.delete_vorgabe_comment, name='delete_vorgabe_comment'),
 ]
 

dokumente/views.py

@@ -2,8 +2,12 @@ from django.shortcuts import render, get_object_or_404
 from django.contrib.auth.decorators import login_required, user_passes_test
 from django.http import JsonResponse
 from django.core.serializers.json import DjangoJSONEncoder
+from django.views.decorators.http import require_POST
+from django.views.decorators.csrf import csrf_exempt
+from django.utils.html import escape, mark_safe
+from django.utils.safestring import SafeString
 import json
-from .models import Dokument, Vorgabe, VorgabeKurztext, VorgabeLangtext, Checklistenfrage
+from .models import Dokument, Vorgabe, VorgabeKurztext, VorgabeLangtext, Checklistenfrage, VorgabeComment
 from abschnitte.utils import render_textabschnitte
 
 from datetime import date
@@ -44,6 +48,15 @@ def standard_detail(request, nummer,check_date=""):
         for r in vorgabe.referenzen.all():
             referenz_items.append(r.Path())
         vorgabe.referenzpfade = referenz_items
+        
+        # Add comment count
+        if request.user.is_authenticated:
+            if request.user.is_staff:
+                vorgabe.comment_count = vorgabe.comments.count()
+            else:
+                vorgabe.comment_count = vorgabe.comments.filter(user=request.user).count()
+        else:
+            vorgabe.comment_count = 0
 
     return render(request, 'standards/standard_detail.html', {
         'standard': standard,
@@ -237,3 +250,119 @@ def standard_json(request, nummer):
 
     # Return JSON response
     return JsonResponse(doc_data, json_dumps_params={'indent': 2, 'ensure_ascii': False}, encoder=DjangoJSONEncoder)
+
+
+@login_required
+def get_vorgabe_comments(request, vorgabe_id):
+    """Get comments for a specific Vorgabe"""
+    vorgabe = get_object_or_404(Vorgabe, id=vorgabe_id)
+    
+    if request.user.is_staff:
+        # Staff can see all comments
+        comments = vorgabe.comments.all().select_related('user').order_by('created_at')
+    else:
+        # Regular users can only see their own comments
+        comments = vorgabe.comments.filter(user=request.user).select_related('user').order_by('created_at')
+    
+    comments_data = []
+    for comment in comments:
+        # Escape HTML but preserve line breaks
+        escaped_text = escape(comment.text).replace('\n', '<br>')
+        comments_data.append({
+            'id': comment.id,
+            'text': escaped_text,
+            'user': escape(comment.user.first_name+" "+comment.user.last_name),
+            'created_at': comment.created_at.strftime('%d.%m.%Y %H:%M'),
+            'updated_at': comment.updated_at.strftime('%d.%m.%Y %H:%M'),
+            'is_own': comment.user == request.user
+        })
+    
+    response = JsonResponse({'comments': comments_data})
+    response['Content-Security-Policy'] = "default-src 'self'"
+    response['X-Content-Type-Options'] = 'nosniff'
+    return response
+
+
+@require_POST
+@login_required
+def add_vorgabe_comment(request, vorgabe_id):
+    """Add a new comment to a Vorgabe"""
+    vorgabe = get_object_or_404(Vorgabe, id=vorgabe_id)
+    
+    try:
+        data = json.loads(request.body)
+        text = data.get('text', '').strip()
+        
+        # Validate input
+        if not text:
+            return JsonResponse({'error': 'Kommentar darf nicht leer sein'}, status=400)
+        
+        if len(text) > 2000:  # Reasonable length limit
+            return JsonResponse({'error': 'Kommentar ist zu lang (max 2000 Zeichen)'}, status=400)
+        
+        # Additional XSS prevention - check for dangerous patterns
+        dangerous_patterns = ['<script', 'javascript:', 'onload=', 'onerror=', 'onclick=', 'onmouseover=']
+        text_lower = text.lower()
+        for pattern in dangerous_patterns:
+            if pattern in text_lower:
+                return JsonResponse({'error': 'Kommentar enthält ungültige Zeichen'}, status=400)
+        
+        comment = VorgabeComment.objects.create(
+            vorgabe=vorgabe,
+            user=request.user,
+            text=text
+        )
+        
+        # Escape HTML but preserve line breaks
+        escaped_text = escape(comment.text).replace('\n', '<br>')
+        response = JsonResponse({
+            'success': True,
+            'comment': {
+                'id': comment.id,
+                'text': escaped_text,
+                'user': escape(comment.user.username),
+                'created_at': comment.created_at.strftime('%d.%m.%Y %H:%M'),
+                'updated_at': comment.updated_at.strftime('%d.%m.%Y %H:%M'),
+                'is_own': True
+            }
+        })
+        response['Content-Security-Policy'] = "default-src 'self'"
+        response['X-Content-Type-Options'] = 'nosniff'
+        return response
+        
+    except json.JSONDecodeError:
+        response = JsonResponse({'error': 'Ungültige Daten'}, status=400)
+        response['Content-Security-Policy'] = "default-src 'self'"
+        response['X-Content-Type-Options'] = 'nosniff'
+        return response
+    except Exception as e:
+        response = JsonResponse({'error': 'Serverfehler'}, status=500)
+        response['Content-Security-Policy'] = "default-src 'self'"
+        response['X-Content-Type-Options'] = 'nosniff'
+        return response
+
+
+@require_POST
+@login_required
+def delete_vorgabe_comment(request, comment_id):
+    """Delete a comment (only own comments or staff can delete)"""
+    comment = get_object_or_404(VorgabeComment, id=comment_id)
+    
+    # Check if user can delete this comment
+    if comment.user != request.user and not request.user.is_staff:
+        response = JsonResponse({'error': 'Keine Berechtigung zum Löschen dieses Kommentars'}, status=403)
+        response['Content-Security-Policy'] = "default-src 'self'"
+        response['X-Content-Type-Options'] = 'nosniff'
+        return response
+    
+    try:
+        comment.delete()
+        response = JsonResponse({'success': True})
+        response['Content-Security-Policy'] = "default-src 'self'"
+        response['X-Content-Type-Options'] = 'nosniff'
+        return response
+    except Exception as e:
+        response = JsonResponse({'error': 'Serverfehler'}, status=500)
+        response['Content-Security-Policy'] = "default-src 'self'"
+        response['X-Content-Type-Options'] = 'nosniff'
+        return response

k8s/nfs-pv.yaml

@@ -0,0 +1,15 @@
+apiVersion: v1
+kind: PersistentVolume
+metadata:
+  name: django-data-pv
+  namespace: vorgabenui
+spec:
+  capacity:
+    storage: 2Gi
+  accessModes:
+    - ReadWriteMany
+  persistentVolumeReclaimPolicy: Retain
+  storageClassName: nfs
+  nfs:
+    server: 192.168.17.199
+    path: /mnt/user/vorgabenui

k8s/nfs-storageclass.yaml

@@ -0,0 +1,8 @@
+apiVersion: storage.k8s.io/v1
+kind: StorageClass
+metadata:
+  name: nfs
+provisioner: kubernetes.io/no-provisioner
+allowVolumeExpansion: true
+reclaimPolicy: Retain
+volumeBindingMode: Immediate

k8s/pvc.yaml

@@ -5,7 +5,8 @@ metadata:
   namespace: vorgabenui
 spec:
   accessModes:
-    - ReadWriteOnce
+    - ReadWriteMany
+  storageClassName: nfs
   resources:
     requests:
       storage: 2Gi

openspec/changes/archive/2025-11-24-add-login/tasks.md

@@ -0,0 +1,5 @@
+## 1. Add user login functionality
+- [x] add a login screen for users
+- [x] add an icon for logged in user on the top right corner of all page
+- [x] add a menu to log out and change password on the user icon
+- [x] all functions should go back to the main page, not the django admin page

openspec/project.md

@@ -0,0 +1,63 @@
+# Project Context
+
+## Purpose
+This is a Django-based document management system for regulatory documents (Dokumente) and their provisions (Vorgaben). It manages validity periods, conflicts between overlapping provisions, references, keywords, and roles. The system supports importing documents, checking for compliance, and maintaining changelogs.
+
+## Tech Stack
+- Python 3.x
+- Django 5.2.5
+- SQLite (development), PostgreSQL (production)
+- Django MPTT for tree structures
+- Django Nested Admin for inline editing
+- Kubernetes for deployment
+- ArgoCD for continuous deployment
+- Traefik for ingress
+- Gunicorn for WSGI server
+
+## Project Conventions
+
+### Code Style
+- Language: German for user-facing strings and model names, English for code comments and internal naming
+- Imports: Standard library first, then Django, then third-party, then local apps
+- Model naming: German nouns (Dokument, Vorgabe, Person)
+- Field naming: German for field names, English Django conventions
+- Class naming: PascalCase for models, snake_case for functions/variables
+- All models have __str__ methods returning meaningful German strings
+- Use verbose_name and verbose_name_plural in Meta classes (German)
+
+### Architecture Patterns
+- Django apps: abschnitte, dokumente, referenzen, rollen, stichworte, pages
+- MPTT for hierarchical text sections
+- Foreign keys with on_delete=models.PROTECT for important relationships
+- Many-to-many with descriptive related_name
+- Proxy models for different views (e.g., VorgabenTable)
+- Management commands for data operations
+
+### Testing Strategy
+- Django test framework
+- Test class names in English, methods in English
+- Comprehensive model tests
+- Test both success and error cases
+- Run with `python manage.py test`
+
+### Git Workflow
+- Standard Git workflow
+- Commits in English
+- Use Gitea workflows for CI/CD
+
+## Domain Context
+The system manages regulatory documents with numbered provisions that have validity dates. Provisions can conflict if they have overlapping date ranges for the same document, theme, and number. The system includes sanity checks for conflicts, diagram caching for visualization, and JSON export functionality.
+
+## Important Constraints
+- German language for all user interfaces and data
+- Strict validation of date ranges to prevent overlapping provisions
+- Documents have types, authors, reviewers, and validity periods
+- Provisions linked to themes, references, keywords, and relevant roles
+- Active/inactive status for documents
+
+## External Dependencies
+- Django ecosystem: MPTT, nested-admin, revproxy
+- Kubernetes cluster for deployment
+- ArgoCD for GitOps
+- Traefik for load balancing
+- External diagram services (diagramm_proxy)

pages/templates/base.html

@@ -41,6 +41,37 @@
            alt="Zur Startseite" />
       <h1>Vorgaben Informatiksicherheit BIT</h1>
     </a>
+    
+    <!-- User Menu -->
+    {% if user.is_authenticated %}
+    <div class="user-menu" style="position: absolute; top: 20px; right: 20px; z-index: 1000;">
+      <div class="dropdown">
+        <a href="#" class="dropdown-toggle" data-toggle="dropdown" style="text-decoration: none; color: #000; display: flex; align-items: center;">
+          <span style="font-size: 24px; margin-right: 8px;">👤</span>
+          <span class="hidden-xs" style="margin-left: 0;">{{ user.username }}</span>
+          <span class="caret" style="margin-left: 8px;"></span>
+        </a>
+        <ul class="dropdown-menu dropdown-menu-right" role="menu">
+          <li><a href="{% url 'password_change' %}">Passwort ändern</a></li>
+          <li class="divider"></li>
+          <li>
+            <form method="post" action="{% url 'logout' %}" style="display: inline;">
+              {% csrf_token %}
+              <button type="submit" style="background: none; border: none; color: inherit; padding: 3px 20px; width: 100%; text-align: left; cursor: pointer;">
+                Abmelden
+              </button>
+            </form>
+          </li>
+        </ul>
+      </div>
+    </div>
+    {% else %}
+    <div class="user-menu" style="position: absolute; top: 20px; right: 20px; z-index: 1000;">
+      <a href="{% url 'login' %}" class="btn btn-sm btn-primary" style="text-decoration: none;">
+        Anmelden
+      </a>
+    </div>
+    {% endif %}
   </header>
 
   <!-- Main Navigation -->
@@ -71,6 +102,7 @@
                   <li><a href="/dokumente">Standards</a></li>
                   {% if user.is_staff %}
                   <li><a href="/dokumente/unvollstaendig/">Unvollständig</a></li>
+                  <li><a href="/autorenumgebung/">Autorenumgebung</a></li>
                   {% endif %}
                   <li><a href="/referenzen">Referenzen</a></li>
                   <li><a href="/stichworte">Stichworte</a></li>
@@ -100,6 +132,9 @@
       <li class="dropdown {% if 'unvollstaendig' in request.path %}current{% endif %}">
         <a href="/dokumente/unvollstaendig/">Unvollständig</a>
       </li>
+      <li class="dropdown {% if 'autorenumgebung' in request.path %}current{% endif %}">
+        <a href="/autorenumgebung/">Autorenumgebung</a>
+      </li>
       {% endif %}
       <li class="dropdown {% if 'referenzen' in request.path %}current{% endif %}">
         <a href="/referenzen">Referenzen</a>
@@ -180,7 +215,7 @@
           </p>
         </div>
         <div class="col-sm-6 text-right">
-          <p class="text-muted">Version {{ version|default:"0.951" }}</p>
+          <p class="text-muted">Version {{ version|default:"0.960" }}</p>
         </div>
       </div>
     </div>

pages/templates/registration/login.html

@@ -0,0 +1,43 @@
+{% extends "base.html" %}
+{% load static %}
+
+{% block title %}Anmelden{% endblock %}
+
+{% block content %}
+<div class="row">
+  <div class="col-md-4 col-md-offset-4">
+    <div class="panel panel-default">
+      <div class="panel-heading">
+        <h3 class="panel-title">Anmelden</h3>
+      </div>
+      <div class="panel-body">
+        <form method="post">
+          {% csrf_token %}
+          
+          {% if form.errors %}
+            <div class="alert alert-danger">
+              <p>Ihr Benutzername und Passwort stimmen nicht überein. Bitte versuchen Sie es erneut.</p>
+            </div>
+          {% endif %}
+          
+          <div class="form-group">
+            <label for="id_username">Benutzername:</label>
+            <input type="text" name="username" class="form-control" id="id_username" required autofocus>
+          </div>
+          
+          <div class="form-group">
+            <label for="id_password">Passwort:</label>
+            <input type="password" name="password" class="form-control" id="id_password" required>
+          </div>
+          
+          <div class="form-group">
+            <button type="submit" class="btn btn-primary">Anmelden</button>
+          </div>
+          
+          <input type="hidden" name="next" value="{{ next }}">
+        </form>
+      </div>
+    </div>
+  </div>
+</div>
+{% endblock %}

pages/templates/registration/password_change.html

@@ -0,0 +1,56 @@
+{% extends "base.html" %}
+{% load static %}
+
+{% block title %}Passwort ändern{% endblock %}
+
+{% block content %}
+<div class="row">
+  <div class="col-md-6 col-md-offset-3">
+    <div class="panel panel-default">
+      <div class="panel-heading">
+        <h3 class="panel-title">Passwort ändern</h3>
+      </div>
+      <div class="panel-body">
+        <form method="post">
+          {% csrf_token %}
+          
+          {% if form.errors %}
+            <div class="alert alert-danger">
+              <p>Bitte korrigieren Sie die Fehler unten.</p>
+            </div>
+          {% endif %}
+          
+          <div class="form-group">
+            <label for="id_old_password">Aktuelles Passwort:</label>
+            <input type="password" name="old_password" class="form-control" id="id_old_password" required>
+            {% if form.old_password.errors %}
+              <div class="text-danger">{{ form.old_password.errors }}</div>
+            {% endif %}
+          </div>
+          
+          <div class="form-group">
+            <label for="id_new_password1">Neues Passwort:</label>
+            <input type="password" name="new_password1" class="form-control" id="id_new_password1" required>
+            {% if form.new_password1.errors %}
+              <div class="text-danger">{{ form.new_password1.errors }}</div>
+            {% endif %}
+          </div>
+          
+          <div class="form-group">
+            <label for="id_new_password2">Neues Passwort bestätigen:</label>
+            <input type="password" name="new_password2" class="form-control" id="id_new_password2" required>
+            {% if form.new_password2.errors %}
+              <div class="text-danger">{{ form.new_password2.errors }}</div>
+            {% endif %}
+          </div>
+          
+          <div class="form-group">
+            <button type="submit" class="btn btn-primary">Passwort ändern</button>
+            <a href="/" class="btn btn-default">Abbrechen</a>
+          </div>
+        </form>
+      </div>
+    </div>
+  </div>
+</div>
+{% endblock %}

pages/templates/registration/password_change_done.html

@@ -0,0 +1,24 @@
+{% extends "base.html" %}
+{% load static %}
+
+{% block title %}Passwort geändert{% endblock %}
+
+{% block content %}
+<div class="row">
+  <div class="col-md-6 col-md-offset-3">
+    <div class="panel panel-default">
+      <div class="panel-heading">
+        <h3 class="panel-title">Passwort erfolgreich geändert</h3>
+      </div>
+      <div class="panel-body">
+        <div class="alert alert-success">
+          <p>Ihr Passwort wurde erfolgreich geändert.</p>
+        </div>
+        <p>
+          <a href="/" class="btn btn-primary">Zurück zur Startseite</a>
+        </p>
+      </div>
+    </div>
+  </div>
+</div>
+{% endblock %}

pages/test_auth.py

@@ -0,0 +1,266 @@
+from django.test import TestCase, Client
+from django.contrib.auth.models import User
+from django.urls import reverse
+from django.core.exceptions import ValidationError
+
+
+class AuthenticationTest(TestCase):
+    """Test login, logout, and password change functionality"""
+    
+    def setUp(self):
+        self.client = Client()
+        self.test_user = User.objects.create_user(
+            username='testuser',
+            password='testpass123',
+            email='test@example.com'
+        )
+        self.staff_user = User.objects.create_user(
+            username='staffuser',
+            password='staffpass123',
+            email='staff@example.com'
+        )
+        self.staff_user.is_staff = True
+        self.staff_user.save()
+    
+    def test_login_page_loads(self):
+        """Test that login page loads correctly"""
+        response = self.client.get(reverse('login'))
+        self.assertEqual(response.status_code, 200)
+        self.assertContains(response, 'Anmelden')
+        self.assertContains(response, 'Benutzername:')
+        self.assertContains(response, 'Passwort:')
+    
+    def test_login_valid_credentials(self):
+        """Test successful login with valid credentials"""
+        response = self.client.post(reverse('login'), {
+            'username': 'testuser',
+            'password': 'testpass123'
+        })
+        self.assertEqual(response.status_code, 302)  # Redirect after login
+        self.assertRedirects(response, '/')  # Should redirect to main page
+        
+        # Check user is logged in
+        response = self.client.get('/')
+        self.assertContains(response, 'testuser')  # Username should appear in header
+    
+    def test_login_invalid_credentials(self):
+        """Test login with invalid credentials shows error"""
+        response = self.client.post(reverse('login'), {
+            'username': 'testuser',
+            'password': 'wrongpassword'
+        })
+        self.assertEqual(response.status_code, 200)  # Stay on login page
+        self.assertContains(response, 'Ihr Benutzername und Passwort stimmen nicht überein')
+    
+    def test_login_empty_credentials(self):
+        """Test login with empty credentials"""
+        response = self.client.post(reverse('login'), {
+            'username': '',
+            'password': ''
+        })
+        self.assertEqual(response.status_code, 200)  # Stay on login page
+        # Django's form validation should handle this
+    
+    def test_logout_functionality(self):
+        """Test logout functionality"""
+        # First login
+        self.client.login(username='testuser', password='testpass123')
+        
+        # Verify user is logged in
+        response = self.client.get('/')
+        self.assertContains(response, 'testuser')
+        
+        # Logout using POST
+        response = self.client.post(reverse('logout'))
+        self.assertEqual(response.status_code, 302)  # Redirect after logout
+        self.assertRedirects(response, '/')  # Should redirect to main page
+        
+        # Verify user is logged out
+        response = self.client.get('/')
+        self.assertNotContains(response, 'testuser')
+        self.assertContains(response, 'Anmelden')  # Should show login link
+    
+    def test_logout_requires_post(self):
+        """Test that logout requires POST method"""
+        # Login first
+        self.client.login(username='testuser', password='testpass123')
+        
+        # Try GET logout (should fail with 405)
+        response = self.client.get(reverse('logout'))
+        self.assertEqual(response.status_code, 405)  # Method Not Allowed
+        
+        # User should still be logged in
+        response = self.client.get('/')
+        self.assertContains(response, 'testuser')
+    
+    def test_password_change_page_loads(self):
+        """Test that password change page loads for authenticated users"""
+        self.client.login(username='testuser', password='testpass123')
+        
+        response = self.client.get(reverse('password_change'))
+        self.assertEqual(response.status_code, 200)
+        self.assertContains(response, 'Passwort ändern')
+        self.assertContains(response, 'Aktuelles Passwort:')
+        self.assertContains(response, 'Neues Passwort:')
+        self.assertContains(response, 'Neues Passwort bestätigen:')
+    
+    def test_password_change_requires_authentication(self):
+        """Test that password change page requires authentication"""
+        response = self.client.get(reverse('password_change'))
+        self.assertEqual(response.status_code, 302)  # Redirect to login
+        
+        # Should redirect to login page
+        self.assertIn(reverse('login'), response.url)
+    
+    def test_password_change_valid(self):
+        """Test successful password change"""
+        self.client.login(username='testuser', password='testpass123')
+        
+        response = self.client.post(reverse('password_change'), {
+            'old_password': 'testpass123',
+            'new_password1': 'newpass456',
+            'new_password2': 'newpass456'
+        })
+        self.assertEqual(response.status_code, 302)  # Redirect after success
+        self.assertRedirects(response, '/')  # Should redirect to main page
+        
+        # Verify new password works
+        self.client.logout()
+        response = self.client.post(reverse('login'), {
+            'username': 'testuser',
+            'password': 'newpass456'
+        })
+        self.assertEqual(response.status_code, 302)  # Successful login
+    
+    def test_password_change_wrong_old_password(self):
+        """Test password change with wrong old password"""
+        self.client.login(username='testuser', password='testpass123')
+        
+        response = self.client.post(reverse('password_change'), {
+            'old_password': 'wrongpassword',
+            'new_password1': 'newpass456',
+            'new_password2': 'newpass456'
+        })
+        self.assertEqual(response.status_code, 200)  # Stay on form page
+        self.assertContains(response, 'Bitte korrigieren Sie die Fehler unten')
+    
+    def test_password_change_mismatched_new_passwords(self):
+        """Test password change with mismatched new passwords"""
+        self.client.login(username='testuser', password='testpass123')
+        
+        response = self.client.post(reverse('password_change'), {
+            'old_password': 'testpass123',
+            'new_password1': 'newpass456',
+            'new_password2': 'differentpass789'
+        })
+        self.assertEqual(response.status_code, 200)  # Stay on form page
+        self.assertContains(response, 'Bitte korrigieren Sie die Fehler unten')
+    
+    def test_password_change_same_as_old_password(self):
+        """Test password change with same password as old"""
+        self.client.login(username='testuser', password='testpass123')
+        
+        response = self.client.post(reverse('password_change'), {
+            'old_password': 'testpass123',
+            'new_password1': 'testpass123',
+            'new_password2': 'testpass123'
+        })
+        # Django's default validators don't prevent same password, so it should succeed
+        self.assertEqual(response.status_code, 302)  # Redirect after success
+        self.assertRedirects(response, '/')  # Should redirect to main page
+    
+    def test_password_change_cancel_button(self):
+        """Test password change cancel button"""
+        self.client.login(username='testuser', password='testpass123')
+        
+        response = self.client.get(reverse('password_change'))
+        self.assertEqual(response.status_code, 200)
+        self.assertContains(response, 'Abbrechen')
+        # The cancel button should link to main page
+        self.assertContains(response, 'href="/"')
+    
+    def test_user_menu_display_for_authenticated_user(self):
+        """Test that user menu displays correctly for authenticated users"""
+        self.client.login(username='testuser', password='testpass123')
+        
+        response = self.client.get('/')
+        self.assertEqual(response.status_code, 200)
+        self.assertContains(response, 'testuser')  # Username in menu
+        self.assertContains(response, 'Passwort ändern')  # Password change link
+        self.assertContains(response, 'Abmelden')  # Logout link
+        self.assertNotContains(response, 'Anmelden')  # Should not show login link
+    
+    def test_login_link_display_for_anonymous_user(self):
+        """Test that login link displays for anonymous users"""
+        response = self.client.get('/')
+        self.assertEqual(response.status_code, 200)
+        self.assertContains(response, 'Anmelden')  # Should show login link
+        self.assertNotContains(response, 'testuser')  # Should not show username
+        self.assertNotContains(response, 'Passwort ändern')  # Should not show password change
+        self.assertNotContains(response, 'Abmelden')  # Should not show logout
+    
+    def test_staff_user_menu(self):
+        """Test that staff users see appropriate menu"""
+        self.client.login(username='staffuser', password='staffpass123')
+        
+        response = self.client.get('/')
+        self.assertEqual(response.status_code, 200)
+        self.assertContains(response, 'staffuser')  # Username in menu
+        self.assertContains(response, 'Passwort ändern')  # Password change link
+        self.assertContains(response, 'Abmelden')  # Logout link
+    
+    def test_login_redirect_to_main_page(self):
+        """Test that successful login redirects to main page"""
+        response = self.client.post(reverse('login'), {
+            'username': 'testuser',
+            'password': 'testpass123'
+        }, follow=True)
+        self.assertEqual(response.status_code, 200)
+        # Should end up on main page
+        self.assertContains(response, 'Vorgaben Informatiksicherheit')
+    
+    def test_logout_redirect_to_main_page(self):
+        """Test that logout redirects to main page"""
+        self.client.login(username='testuser', password='testpass123')
+        
+        response = self.client.post(reverse('logout'), follow=True)
+        self.assertEqual(response.status_code, 200)
+        # Should end up on main page
+        self.assertContains(response, 'Vorgaben Informatiksicherheit')
+        # Should show login link for anonymous users
+        self.assertContains(response, 'Anmelden')
+    
+    def test_password_change_redirect_to_main_page(self):
+        """Test that successful password change redirects to main page"""
+        self.client.login(username='testuser', password='testpass123')
+        
+        response = self.client.post(reverse('password_change'), {
+            'old_password': 'testpass123',
+            'new_password1': 'newpass456',
+            'new_password2': 'newpass456'
+        }, follow=True)
+        self.assertEqual(response.status_code, 200)
+        # Should end up on main page
+        self.assertContains(response, 'Vorgaben Informatiksicherheit')
+    
+    def test_csrf_token_present_in_forms(self):
+        """Test that CSRF tokens are present in authentication forms"""
+        # Login form
+        response = self.client.get(reverse('login'))
+        self.assertContains(response, 'csrfmiddlewaretoken')
+        
+        # Password change form
+        self.client.login(username='testuser', password='testpass123')
+        response = self.client.get(reverse('password_change'))
+        self.assertContains(response, 'csrfmiddlewaretoken')
+    
+    def test_login_with_next_parameter(self):
+        """Test login with next parameter for redirect"""
+        response = self.client.post(reverse('login'), {
+            'username': 'testuser',
+            'password': 'testpass123',
+            'next': '/dokumente/'
+        })
+        self.assertEqual(response.status_code, 302)
+        # Should redirect to the specified next page
+        self.assertRedirects(response, '/dokumente/')

pages/tests.py

@@ -4,7 +4,6 @@ from django.utils import timezone
 from datetime import date, timedelta
 from dokumente.models import Dokument, Vorgabe, VorgabeKurztext, VorgabeLangtext, Geltungsbereich, Dokumententyp, Thema
 from stichworte.models import Stichwort
-from unittest.mock import patch
 import re
 
 
@@ -67,24 +66,24 @@ class SearchViewTest(TestCase):
         """Test POST request with valid search term"""
         response = self.client.post('/search/', {'q': 'Test'})
         self.assertEqual(response.status_code, 200)
-        self.assertContains(response, 'Suchresultate für Test')
+        self.assertContains(response, 'Suchergebnisse')
     
     def test_search_case_insensitive(self):
         """Test that search is case insensitive"""
         # Search for lowercase
         response = self.client.post('/search/', {'q': 'test'})
         self.assertEqual(response.status_code, 200)
-        self.assertContains(response, 'Suchresultate für test')
+        self.assertContains(response, 'Suchergebnisse für "test"')
         
         # Search for uppercase
         response = self.client.post('/search/', {'q': 'TEST'})
         self.assertEqual(response.status_code, 200)
-        self.assertContains(response, 'Suchresultate für TEST')
+        self.assertContains(response, 'Suchergebnisse für "TEST"')
         
         # Search for mixed case
         response = self.client.post('/search/', {'q': 'TeSt'})
         self.assertEqual(response.status_code, 200)
-        self.assertContains(response, 'Suchresultate für TeSt')
+        self.assertContains(response, 'Suchergebnisse für "TeSt"')
     
     def test_search_in_kurztext(self):
         """Test search in Kurztext content"""
@@ -114,7 +113,7 @@ class SearchViewTest(TestCase):
         """Test search with no results"""
         response = self.client.post('/search/', {'q': 'NichtVorhanden'})
         self.assertEqual(response.status_code, 200)
-        self.assertContains(response, 'Keine Resultate für "NichtVorhanden"')
+        self.assertContains(response, 'Keine Ergebnisse gefunden')
     
     def test_search_expired_vorgabe_not_included(self):
         """Test that expired Vorgaben are not included in results"""
@@ -160,8 +159,8 @@ class SearchViewTest(TestCase):
         """Test that HTML tags are stripped from search input"""
         response = self.client.post('/search/', {'q': '<script>alert("xss")</script>Test'})
         self.assertEqual(response.status_code, 200)
-        # Should search for "alert('xss')Test" after HTML tag removal
-        self.assertContains(response, 'Suchresultate für alert(&quot;xss&quot;)Test')
+        # Should search for "alert("xss")Test" after HTML tag removal
+        self.assertContains(response, 'Suchergebnisse für "alert')
     
     def test_search_invalid_characters_validation(self):
         """Test validation for invalid characters"""
@@ -206,7 +205,7 @@ class SearchViewTest(TestCase):
         self.assertEqual(response.status_code, 200)
         # The input should be preserved (escaped) in the form
         # Since HTML tags are stripped, we expect "Test" to be searched
-        self.assertContains(response, 'Suchresultate für Test')
+        self.assertContains(response, 'Suchergebnisse für "Test"')
     
     def test_search_xss_prevention_in_results(self):
         """Test that search terms are escaped in results to prevent XSS"""
@@ -218,15 +217,14 @@ class SearchViewTest(TestCase):
         self.assertEqual(response.status_code, 200)
         # The script tag should be escaped in the output
         # Note: This depends on how the template renders the content
-        self.assertContains(response, 'Suchresultate für term')
+        self.assertContains(response, 'Suchergebnisse für "term"')
     
-    @patch('pages.views.pprint.pp')
-    def test_search_result_logging(self, mock_pprint):
-        """Test that search results are logged for debugging"""
+    def test_search_result_structure(self):
+        """Test that search results have expected structure"""
         response = self.client.post('/search/', {'q': 'Test'})
         self.assertEqual(response.status_code, 200)
-        # Verify that pprint.pp was called with the result
-        mock_pprint.assert_called_once()
+        # Verify the results page is rendered with correct structure
+        self.assertContains(response, 'Suchergebnisse für "Test"')
     
     def test_search_multiple_documents(self):
         """Test search across multiple documents"""

referenzen/migrations/0003_alter_referenzerklaerung_options.py

@@ -0,0 +1,17 @@
+# Generated by Django 5.2.5 on 2025-11-27 22:02
+
+from django.db import migrations
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ('referenzen', '0002_alter_referenz_table_alter_referenzerklaerung_table'),
+    ]
+
+    operations = [
+        migrations.AlterModelOptions(
+            name='referenzerklaerung',
+            options={'verbose_name': 'Erklärung', 'verbose_name_plural': 'Erklärungen'},
+        ),
+    ]

requirements.txt

@@ -32,3 +32,4 @@ six==1.17.0
 sqlparse==0.5.3
 urllib3==2.5.0
 wcwidth==0.2.13
+bleach==6.1.0

static/custom/css/admin_extras.css

@@ -11,4 +11,93 @@
     margin-bottom: 1em;
     border: 1px solid #ccc;
     padding: 0;
-  }
+  }
+
+/* Comment System Styles */
+.comment-btn {
+  position: relative;
+}
+
+.comment-btn .comment-count {
+  position: absolute;
+  top: -8px;
+  right: -8px;
+  background-color: #dc3545;
+  color: white;
+  border-radius: 50%;
+  width: 20px;
+  height: 20px;
+  font-size: 11px;
+  display: flex;
+  align-items: center;
+  justify-content: center;
+  font-weight: bold;
+}
+
+.comment-item {
+  max-width: 100%;
+  word-wrap: break-word;
+  overflow-wrap: break-word;
+}
+
+.comment-item .text-muted {
+  font-size: 0.85em;
+}
+
+#commentModal .modal-body {
+  max-height: 60vh;
+  overflow-y: auto;
+}
+
+#commentsContainer {
+  min-height: 100px;
+}
+
+.delete-comment-btn {
+  opacity: 0.7;
+  transition: opacity 0.2s;
+}
+
+.delete-comment-btn:hover {
+  opacity: 1;
+}
+
+.delete-comment-btn {
+  font-size: 18px;
+  font-weight: bold;
+  line-height: 1;
+  color: #721c24;
+  border: 1px solid #f5c6cb;
+  border-radius: 4px;
+  width: 28px;
+  height: 28px;
+  display: flex;
+  align-items: center;
+  justify-content: center;
+  padding: 0;
+}
+
+.delete-comment-btn:hover {
+  opacity: 1;
+  background-color: #f8d7da;
+  border-color: #f5c6cb;
+}
+
+/* Icon styling for emoji replacements */
+.emoji-icon {
+  font-size: 1.1em;
+  margin-right: 0.3em;
+  vertical-align: middle;
+}
+
+/* Responsive adjustments */
+@media (max-width: 768px) {
+  .comment-item .d-flex {
+    flex-direction: column;
+  }
+  
+  .delete-comment-btn {
+    margin-left: 0 !important;
+    margin-top: 0.5rem;
+  }
+}

stichworte/migrations/0003_alter_stichworterklaerung_options.py

@@ -0,0 +1,17 @@
+# Generated by Django 5.2.5 on 2025-11-27 22:02
+
+from django.db import migrations
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ('stichworte', '0002_stichworterklaerung_order'),
+    ]
+
+    operations = [
+        migrations.AlterModelOptions(
+            name='stichworterklaerung',
+            options={'verbose_name': 'Erklärung', 'verbose_name_plural': 'Erklärungen'},
+        ),
+    ]