update

backend/src/controllers/auth.controller.ts

@@ -93,7 +93,7 @@ class AuthController {
         try {
           await authentikService.verifyIdToken(tokens.id_token);
         } catch (error) {
-          logger.warn('ID token verification failed — continuing with userinfo', { error });
+          logger.error('ID token verification failed — continuing with userinfo (security event)', { error });
         }
       }
 
@@ -136,49 +136,10 @@ class AuthController {
           metadata:      { new_account: true },
         });
       } else {
-        // User exists, update last login
+        // User exists — check active status BEFORE any mutations
-        logger.info('Existing user logging in', {
-          userId: user.id,
-          email:  user.email,
-        });
-
-        await userService.updateLastLogin(user.id);
-        await userService.updateGroups(user.id, groups);
-        await memberService.ensureProfileExists(user.id);
-
-        const { given_name: updatedGivenName, family_name: updatedFamilyName } = extractNames(userInfo);
-
-        // Refresh profile fields from Authentik on every login
-        await userService.updateUser(user.id, {
-          name:               userInfo.name,
-          given_name:         updatedGivenName,
-          family_name:        updatedFamilyName,
-          preferred_username: userInfo.preferred_username,
-        });
-
-        // Audit: returning user login
-        auditService.logAudit({
-          user_id:       user.id,
-          user_email:    user.email,
-          action:        AuditAction.LOGIN,
-          resource_type: AuditResourceType.USER,
-          resource_id:   user.id,
-          old_value:     null,
-          new_value:     null,
-          ip_address:    ip,
-          user_agent:    userAgent,
-          metadata:      {},
-        });
-      }
-
-      // Extract normalised names once for use in the response
-      const { given_name: resolvedGivenName, family_name: resolvedFamilyName } = extractNames(userInfo);
-
-      // Check if user is active
         if (!user.is_active) {
           logger.warn('Inactive user attempted login', { userId: user.id });
 
-        // Audit the denied login attempt
           auditService.logAudit({
             user_id:       user.id,
             user_email:    user.email,
@@ -199,6 +160,45 @@ class AuthController {
           return;
         }
 
+        // User is active, proceed with login updates
+        logger.info('Existing user logging in', {
+          userId: user.id,
+          email:  user.email,
+        });
+
+        await userService.updateLastLogin(user.id);
+        await userService.updateGroups(user.id, groups);
+        await memberService.ensureProfileExists(user.id);
+
+        const { given_name: updatedGivenName, family_name: updatedFamilyName } = extractNames(userInfo);
+
+        // Refresh profile fields from Authentik on every login (including profile picture)
+        await userService.updateUser(user.id, {
+          name:                userInfo.name,
+          given_name:          updatedGivenName,
+          family_name:         updatedFamilyName,
+          preferred_username:  userInfo.preferred_username,
+          profile_picture_url: userInfo.picture || null,
+        });
+
+        // Audit: returning user login
+        auditService.logAudit({
+          user_id:       user.id,
+          user_email:    user.email,
+          action:        AuditAction.LOGIN,
+          resource_type: AuditResourceType.USER,
+          resource_id:   user.id,
+          old_value:     null,
+          new_value:     null,
+          ip_address:    ip,
+          user_agent:    userAgent,
+          metadata:      {},
+        });
+      }
+
+      // Extract normalised names once for use in the response
+      const { given_name: resolvedGivenName, family_name: resolvedFamilyName } = extractNames(userInfo);
+
       // Step 5: Generate internal JWT token
       const role = await getUserRole(user.id);
       const accessToken = tokenService.generateToken({

backend/src/controllers/equipment.controller.ts

@@ -252,21 +252,26 @@ class EquipmentController {
       // Determine which category to check permissions against
       const groups = getUserGroups(req);
       if (!groups.includes('dashboard_admin')) {
-        // If kategorie_id is being changed, check against the new category; otherwise fetch existing
+        // Always fetch existing equipment to check old category permission
-        let kategorieId = parsed.data.kategorie_id;
-        if (!kategorieId) {
         const existing = await equipmentService.getEquipmentById(id);
         if (!existing) {
           res.status(404).json({ success: false, message: 'Ausrüstung nicht gefunden' });
           return;
         }
-          kategorieId = existing.kategorie_id;
+        // Check permission against the OLD category (must be allowed to move FROM it)
-        }
+        const allowedOld = await checkCategoryPermission(existing.kategorie_id, groups);
-        const allowed = await checkCategoryPermission(kategorieId, groups);
+        if (!allowedOld) {
-        if (!allowed) {
           res.status(403).json({ success: false, message: 'Keine Berechtigung für diese Kategorie' });
           return;
         }
+        // If kategorie_id is being changed, also check permission against the NEW category
+        if (parsed.data.kategorie_id && parsed.data.kategorie_id !== existing.kategorie_id) {
+          const allowedNew = await checkCategoryPermission(parsed.data.kategorie_id, groups);
+          if (!allowedNew) {
+            res.status(403).json({ success: false, message: 'Keine Berechtigung für die Ziel-Kategorie' });
+            return;
+          }
+        }
       }
       const equipment = await equipmentService.updateEquipment(id, parsed.data, getUserId(req));
       if (!equipment) {

backend/src/controllers/events.controller.ts

@@ -161,7 +161,7 @@ class EventsController {
   // -------------------------------------------------------------------------
   getUpcoming = async (req: Request, res: Response): Promise<void> => {
     try {
-      const limit = Math.min(Number(req.query.limit ?? 10), 50);
+      const limit = Math.min(Number(req.query.limit) || 10, 50);
       const userGroups = getUserGroups(req);
       const data = await eventsService.getUpcomingEvents(limit, userGroups);
       res.json({ success: true, data });

backend/src/controllers/incident.controller.ts

@@ -2,7 +2,7 @@ import { Request, Response } from 'express';
 import incidentService from '../services/incident.service';
 import logger from '../utils/logger';
 import { AppError } from '../middleware/error.middleware';
-import { AppRole, hasPermission } from '../middleware/rbac.middleware';
+import { AppRole, hasPermission, resolveRequestRole } from '../middleware/rbac.middleware';
 import {
   CreateEinsatzSchema,
   UpdateEinsatzSchema,
@@ -75,16 +75,22 @@ class IncidentController {
   async getIncident(req: AuthenticatedRequest, res: Response): Promise<void> {
     try {
       const { id } = req.params as Record<string, string>;
+
+      // UUID validation
+      if (!/^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$/i.test(id)) {
+        res.status(400).json({ success: false, message: 'Ungültige Einsatz-ID' });
+        return;
+      }
+
       const incident = await incidentService.getIncidentById(id);
 
       if (!incident) {
         throw new AppError('Einsatz nicht gefunden', 404);
       }
 
-      // Role-based redaction: only Kommandant+ can see full bericht_text
+      // Role-based redaction: self-contained role resolution (no middleware dependency)
-      const canReadBerichtText =
+      const role = resolveRequestRole(req);
-        req.userRole !== undefined &&
+      const canReadBerichtText = hasPermission(role, 'incidents:read_bericht_text');
-        hasPermission(req.userRole, 'incidents:read_bericht_text');
 
       const responseData = {
         ...incident,

backend/src/controllers/member.controller.ts

@@ -60,8 +60,8 @@ class MemberController {
         search,
         status: normalizeArray(statusParam) as any,
         dienstgrad: normalizeArray(dienstgradParam) as any,
-        page: page ? parseInt(page, 10) : 1,
+        page: page ? parseInt(page, 10) || 1 : 1,
-        pageSize: pageSize ? Math.min(parseInt(pageSize, 10), 100) : 25,
+        pageSize: pageSize ? Math.min(parseInt(pageSize, 10) || 25, 100) : 25,
       });
 
       res.status(200).json({

backend/src/controllers/nextcloud.controller.ts

@@ -1,4 +1,5 @@
 import { Request, Response } from 'express';
+import path from 'path';
 import { z } from 'zod';
 import nextcloudService from '../services/nextcloud.service';
 import userService from '../services/user.service';
@@ -216,13 +217,20 @@ class NextcloudController {
         res.status(400).json({ success: false, message: 'Dateipfad fehlt' });
         return;
       }
+      // Path traversal protection
+      const normalized = path.normalize(filePath);
+      if (normalized.includes('..') || !normalized.startsWith('/')) {
+        res.status(400).json({ success: false, message: 'Ungültiger Dateipfad' });
+        return;
+      }
       const response = await nextcloudService.downloadFile(
         filePath,
         credentials.loginName,
         credentials.appPassword,
       );
       const contentType = response.headers['content-type'] ?? 'application/octet-stream';
-      const contentDisposition = response.headers['content-disposition'] ?? `attachment; filename="${req.params.fileId}"`;
+      const contentDisposition = response.headers['content-disposition']
+        ?? `attachment; filename="${String(req.params.fileId).replace(/["\r\n\\]/g, '_')}"`;
       res.setHeader('Content-Type', contentType);
       res.setHeader('Content-Disposition', contentDisposition);
       if (response.headers['content-length']) {

backend/src/controllers/settings.controller.ts

@@ -78,6 +78,17 @@ class SettingsController {
     try {
       const userId = (req as any).user.id;
       const preferences = req.body;
+
+      // Basic validation — reject excessively large or non-object payloads
+      if (typeof preferences !== 'object' || preferences === null || Array.isArray(preferences)) {
+        res.status(400).json({ success: false, message: 'Preferences must be a JSON object' });
+        return;
+      }
+      if (JSON.stringify(preferences).length > 10_000) {
+        res.status(400).json({ success: false, message: 'Preferences payload too large' });
+        return;
+      }
+
       await pool.query(
         'UPDATE users SET preferences = $1 WHERE id = $2',
         [JSON.stringify(preferences), userId]

backend/src/middleware/rbac.middleware.ts

@@ -69,7 +69,7 @@ const PERMISSION_ROLE_MIN: Record<string, AppRole> = {
 function roleFromGroups(groups: string[]): AppRole {
   if (groups.includes('dashboard_admin')) return 'admin';
   if (groups.includes('dashboard_kommando')) return 'kommandant';
-  if (groups.includes('dashboard_fahrmeister') || groups.includes('dashboard_zeugmeister')) return 'gruppenfuehrer';
+  if (groups.includes('dashboard_gruppenfuehrer') || groups.includes('dashboard_fahrmeister') || groups.includes('dashboard_zeugmeister')) return 'gruppenfuehrer';
   return 'mitglied';
 }
 
@@ -160,7 +160,19 @@ export function requirePermission(permission: string) {
   };
 }
 
-export { getUserRole, hasPermission };
+/**
+ * Resolve the effective AppRole for a request, combining DB role and group role.
+ * Self-contained — does not depend on requirePermission() middleware having run.
+ */
+export function resolveRequestRole(req: Request): AppRole {
+  const dbRole = (req.user as any)?.role
+    ? ((req.user as any).role as AppRole)
+    : 'mitglied';
+  const groupRole = roleFromGroups(req.user?.groups ?? []);
+  return ROLE_HIERARCHY.indexOf(groupRole) > ROLE_HIERARCHY.indexOf(dbRole) ? groupRole : dbRole;
+}
+
+export { getUserRole, hasPermission, roleFromGroups };
 
 /**
  * Middleware factory: requires the authenticated user to belong to at least

backend/src/routes/admin.routes.ts

@@ -167,8 +167,6 @@ router.get(
   }
 );
 
-export default router;
-
 // ---------------------------------------------------------------------------
 // FDISK Sync proxy — forwards to the fdisk-sync sidecar service
 // ---------------------------------------------------------------------------
@@ -214,3 +212,5 @@ router.post(
     }
   }
 );
+
+export default router;

backend/src/services/audit.service.ts

@@ -366,20 +366,22 @@ class AuditService {
     const escape = (v: unknown): string => {
       if (v === null || v === undefined) return '';
       const str = typeof v === 'object' ? JSON.stringify(v) : String(v);
-      // RFC 4180: wrap in quotes, double any internal quotes
+      let safe = str.replace(/"/g, '""');
-      return `"${str.replace(/"/g, '""')}"`;
+      // Prevent formula injection in spreadsheets
+      if (/^[=+@\-]/.test(safe)) safe = "'" + safe;
+      return `"${safe}"`;
     };
 
     const rows = entries.map((e) =>
       [
-        e.id,
+        escape(e.id),
-        e.created_at.toISOString(),
+        escape(e.created_at instanceof Date ? e.created_at.toISOString() : String(e.created_at)),
-        e.user_id    ?? '',
+        escape(e.user_id    ?? ''),
-        e.user_email ?? '',
+        escape(e.user_email ?? ''),
-        e.action,
+        escape(e.action),
-        e.resource_type,
+        escape(e.resource_type),
-        e.resource_id ?? '',
+        escape(e.resource_id ?? ''),
-        e.ip_address  ?? '',
+        escape(e.ip_address  ?? ''),
         escape(e.user_agent),
         escape(e.old_value),
         escape(e.new_value),

backend/src/services/booking.service.ts

@@ -314,17 +314,19 @@ class BookingService {
 
   /** Soft-cancels a booking by setting abgesagt=TRUE and recording the reason. */
   async cancel(id: string, abgesagt_grund: string): Promise<void> {
-    await pool.query(
+    const result = await pool.query(
       `UPDATE fahrzeug_buchungen
        SET abgesagt = TRUE, abgesagt_grund = $2, aktualisiert_am = NOW()
        WHERE id = $1`,
       [id, abgesagt_grund]
     );
+    if (result.rowCount === 0) throw new Error('Buchung nicht gefunden');
   }
 
   /** Permanently deletes a booking record. */
   async delete(id: string): Promise<void> {
-    await pool.query('DELETE FROM fahrzeug_buchungen WHERE id = $1', [id]);
+    const result = await pool.query('DELETE FROM fahrzeug_buchungen WHERE id = $1', [id]);
+    if (result.rowCount === 0) throw new Error('Buchung nicht gefunden');
   }
 
   /**
@@ -399,6 +401,22 @@ class BookingService {
     const { rows } = await pool.query(query, params);
     const now = toIcalDate(new Date());
 
+    // iCal escaping and folding helpers
+    const icalEscape = (val: string): string =>
+      val.replace(/\\/g, '\\\\').replace(/;/g, '\\;').replace(/,/g, '\\,').replace(/\n/g, '\\n');
+    const icalFold = (line: string): string => {
+      if (Buffer.byteLength(line, 'utf-8') <= 75) return line;
+      let folded = '';
+      let cur = '';
+      let bytes = 0;
+      for (const ch of line) {
+        const cb = Buffer.byteLength(ch, 'utf-8');
+        if (bytes + cb > 75) { folded += cur + '\r\n '; cur = ch; bytes = 1 + cb; }
+        else { cur += ch; bytes += cb; }
+      }
+      return folded + cur;
+    };
+
     const events = rows
       .map((row: any) => {
         const beschreibung = [row.buchungs_art, row.beschreibung]
@@ -410,8 +428,8 @@ class BookingService {
           `DTSTAMP:${now}\r\n` +
           `DTSTART:${toIcalDate(new Date(row.beginn))}\r\n` +
           `DTEND:${toIcalDate(new Date(row.ende))}\r\n` +
-          `SUMMARY:${row.titel} - ${row.fahrzeug_name}\r\n` +
+          icalFold(`SUMMARY:${icalEscape(row.titel)} - ${icalEscape(row.fahrzeug_name)}`) + '\r\n' +
-          `DESCRIPTION:${beschreibung}\r\n` +
+          icalFold(`DESCRIPTION:${icalEscape(beschreibung)}`) + '\r\n' +
           'END:VEVENT\r\n'
         );
       })

backend/src/services/bookstack.service.ts

@@ -158,6 +158,7 @@ async function searchPages(query: string): Promise<BookStackSearchResult[]> {
         headers: buildHeaders(),
       },
     );
+    const bookSlugMap = await getBookSlugMap();
     const results: BookStackSearchResult[] = (response.data?.data ?? [])
       .filter((item: any) => item.type === 'page')
       .map((item: any) => ({
@@ -166,7 +167,7 @@ async function searchPages(query: string): Promise<BookStackSearchResult[]> {
         slug: item.slug,
         book_id: item.book_id ?? 0,
         book_slug: item.book_slug ?? '',
-        url: `${bookstack.url}/books/${item.book_slug || item.book_id}/page/${item.slug}`,
+        url: `${bookstack.url}/books/${bookSlugMap.get(item.book_id) || item.book_slug || item.book_id}/page/${item.slug}`,
         preview_html: item.preview_html ?? { content: '' },
         tags: item.tags ?? [],
       }));

backend/src/services/events.service.ts

@@ -78,13 +78,23 @@ function formatIcalDate(date: Date): string {
 
 /** Fold long iCal lines at 75 octets (RFC 5545 §3.1) */
 function icalFold(line: string): string {
-  if (line.length <= 75) return line;
+  if (Buffer.byteLength(line, 'utf-8') <= 75) return line;
   let folded = '';
-  while (line.length > 75) {
+  let currentLine = '';
-    folded += line.slice(0, 75) + '\r\n ';
+  let currentBytes = 0;
-    line = line.slice(75);
+
+  for (const char of line) {
+    const charBytes = Buffer.byteLength(char, 'utf-8');
+    if (currentBytes + charBytes > 75) {
+      folded += currentLine + '\r\n ';
+      currentLine = char;
+      currentBytes = 1 + charBytes; // continuation line leading space = 1 byte
+    } else {
+      currentLine += char;
+      currentBytes += charBytes;
     }
-  folded += line;
+  }
+  folded += currentLine;
   return folded;
 }
 
@@ -241,7 +251,7 @@ class EventsService {
          v.alle_gruppen, v.zielgruppen, v.abgesagt, v.anmeldung_erforderlich
        FROM veranstaltungen v
        LEFT JOIN veranstaltung_kategorien k ON k.id = v.kategorie_id
-       WHERE (v.datum_von BETWEEN $1 AND $2 OR v.datum_bis BETWEEN $1 AND $2)
+       WHERE (v.datum_von BETWEEN $1 AND $2 OR v.datum_bis BETWEEN $1 AND $2 OR (v.datum_von <= $1 AND v.datum_bis >= $2))
          AND (
            v.alle_gruppen = TRUE
            OR v.zielgruppen && $3
@@ -388,6 +398,7 @@ class EventsService {
     const effectiveLimit = limitDate < maxDate ? limitDate : maxDate;
 
     let current = new Date(startDate);
+    const originalDay = startDate.getDate();
 
     while (dates.length < 100) {
       // Advance to next occurrence
@@ -400,10 +411,15 @@ class EventsService {
           current = new Date(current);
           current.setDate(current.getDate() + 14);
           break;
-        case 'monatlich_datum':
+        case 'monatlich_datum': {
           current = new Date(current);
-          current.setMonth(current.getMonth() + 1);
+          const targetMonth = current.getMonth() + 1;
+          current.setDate(1);
+          current.setMonth(targetMonth);
+          const lastDay = new Date(current.getFullYear(), current.getMonth() + 1, 0).getDate();
+          current.setDate(Math.min(originalDay, lastDay));
           break;
+        }
         case 'monatlich_erster_wochentag': {
           const targetWeekday = config.wochentag ?? 0; // 0=Mon
           current = new Date(current);

backend/src/services/serviceMonitor.service.ts

@@ -177,6 +177,23 @@ class ServiceMonitorService {
   }
 
   async getStatusSummary(): Promise<StatusSummary> {
+    // Read latest stored ping results instead of triggering a new ping cycle
+    try {
+      const { rows } = await pool.query(`
+        SELECT DISTINCT ON (service_id) service_id, status
+        FROM service_ping_history
+        ORDER BY service_id, checked_at DESC
+      `);
+      if (rows.length > 0) {
+        return {
+          up: rows.filter((r: any) => r.status === 'up').length,
+          total: rows.length,
+        };
+      }
+    } catch {
+      // Fall through to live ping if no history
+    }
+    // Fallback: no history yet — do a live ping
     const results = await this.pingAll();
     return {
       up: results.filter((r) => r.status === 'up').length,

backend/src/services/token.service.ts

@@ -16,6 +16,7 @@ class TokenService {
           authentikSub: payload.authentikSub,
           groups: payload.groups ?? [],
           role: payload.role,
+          type: 'access',
         },
         environment.jwt.secret,
         {
@@ -39,7 +40,11 @@ class TokenService {
       const decoded = jwt.verify(
         token,
         environment.jwt.secret
-      ) as JwtPayload;
+      ) as JwtPayload & { type?: string };
+
+      if (decoded.type && decoded.type !== 'access') {
+        throw new Error('Invalid token type');
+      }
 
       logger.debug('JWT token verified', { userId: decoded.userId });
       return decoded;
@@ -66,6 +71,7 @@ class TokenService {
         {
           userId: payload.userId,
           email: payload.email,
+          type: 'refresh',
         },
         environment.jwt.secret,
         {
@@ -89,7 +95,11 @@ class TokenService {
       const decoded = jwt.verify(
         token,
         environment.jwt.secret
-      ) as RefreshTokenPayload;
+      ) as RefreshTokenPayload & { type?: string };
+
+      if (decoded.type && decoded.type !== 'refresh') {
+        throw new Error('Invalid token type');
+      }
 
       logger.debug('Refresh token verified', { userId: decoded.userId });
       return decoded;

backend/src/services/training.service.ts

@@ -116,8 +116,7 @@ class TrainingService {
       FROM uebungen u
       LEFT JOIN uebung_teilnahmen t ON t.uebung_id = u.id
       ${userId ? `LEFT JOIN uebung_teilnahmen own_t ON own_t.uebung_id = u.id AND own_t.user_id = $3` : ''}
-      WHERE u.datum_von >= $1
+      WHERE (u.datum_von BETWEEN $1 AND $2 OR u.datum_bis BETWEEN $1 AND $2 OR (u.datum_von <= $1 AND u.datum_bis >= $2))
-        AND u.datum_von <= $2
       GROUP BY u.id ${userId ? `, own_t.status` : ''}
       ORDER BY u.datum_von ASC
     `;
@@ -510,16 +509,24 @@ function formatIcsDate(date: Date): string {
  * Continuation lines start with a single space.
  */
 function foldLine(line: string): string {
-  const MAX = 75;
+  if (Buffer.byteLength(line, 'utf-8') <= 75) return line;
-  if (line.length <= MAX) return line;
+  let folded = '';
+  let currentLine = '';
+  let currentBytes = 0;
 
-  let result = '';
+  for (const char of line) {
-  while (line.length > MAX) {
+    const charBytes = Buffer.byteLength(char, 'utf-8');
-    result += line.substring(0, MAX) + '\r\n ';
+    if (currentBytes + charBytes > 75) {
-    line = line.substring(MAX);
+      folded += currentLine + '\r\n ';
+      currentLine = char;
+      currentBytes = 1 + charBytes;
+    } else {
+      currentLine += char;
+      currentBytes += charBytes;
     }
-  result += line;
+  }
-  return result;
+  folded += currentLine;
+  return folded;
 }
 
 /**
@@ -592,7 +599,7 @@ export function generateICS(
     lines.push(foldLine(`SUMMARY:${escapeIcsText(summary)}`));
 
     if (descParts.length > 0) {
-      lines.push(foldLine(`DESCRIPTION:${escapeIcsText(descParts.join('\\n'))}`));
+      lines.push(foldLine(`DESCRIPTION:${escapeIcsText(descParts.join('\n'))}`));
     }
     if (event.ort) {
       lines.push(foldLine(`LOCATION:${escapeIcsText(event.ort)}`));

backend/src/services/vikunja.service.ts

@@ -93,7 +93,7 @@ async function getOverdueTasks(): Promise<VikunjaTask[]> {
   const tasks = await getMyTasks();
   const now = new Date();
   return tasks.filter((t) => {
-    if (!t.due_date) return false;
+    if (!t.due_date || t.due_date.startsWith('0001-')) return false;
     return new Date(t.due_date) < now;
   });
 }

frontend/src/components/admin/UserOverviewTab.tsx

@@ -18,6 +18,16 @@ import { useQuery } from '@tanstack/react-query';
 import { adminApi } from '../../services/admin';
 import type { UserOverview } from '../../types/admin.types';
 
+function getRoleFromGroups(groups: string[] | null): string {
+  if (!groups) return 'Mitglied';
+  if (groups.includes('dashboard_admin')) return 'Admin';
+  if (groups.includes('dashboard_kommando')) return 'Kommandant';
+  if (groups.includes('dashboard_gruppenfuehrer')) return 'Gruppenführer';
+  if (groups.includes('dashboard_moderator')) return 'Moderator';
+  if (groups.includes('dashboard_atemschutz')) return 'Atemschutz';
+  return 'Mitglied';
+}
+
 type SortKey = 'name' | 'email' | 'role' | 'is_active' | 'last_login_at';
 type SortDir = 'asc' | 'desc';
 
@@ -145,9 +155,9 @@ function UserOverviewTab() {
                 <TableCell>{user.email}</TableCell>
                 <TableCell>
                   <Chip
-                    label={user.role}
+                    label={getRoleFromGroups(user.groups)}
                     size="small"
-                    color={user.role === 'admin' ? 'error' : 'default'}
+                    color={getRoleFromGroups(user.groups) === 'Admin' ? 'error' : 'default'}
                   />
                 </TableCell>
                 <TableCell>

frontend/src/components/chat/ChatMessageView.tsx

@@ -24,6 +24,8 @@ const ChatMessageView: React.FC = () => {
   const { chatPanelOpen } = useLayout();
   const queryClient = useQueryClient();
   const messagesEndRef = useRef<HTMLDivElement>(null);
+  const scrollContainerRef = useRef<HTMLDivElement>(null);
+  const isInitialLoadRef = useRef(true);
   const [input, setInput] = useState('');
   const [messages, setMessages] = useState<NextcloudMessage[]>([]);
   const [isLoading, setIsLoading] = useState(false);
@@ -63,6 +65,7 @@ const ChatMessageView: React.FC = () => {
       setIsLoading(true);
       setMessages([]);
       setReactionsMap(new Map());
+      isInitialLoadRef.current = true;
       lastMsgIdRef.current = 0;
 
       // Step 1: Initial fetch — Nextcloud returns newest-first, so reverse for chronological display
@@ -143,17 +146,31 @@ const ChatMessageView: React.FC = () => {
     },
   });
 
-  // Mark room as read while viewing messages
+  // Mark room as read when first opened
   useEffect(() => {
     if (selectedRoomToken && chatPanelOpen) {
       nextcloudApi.markAsRead(selectedRoomToken).then(() => {
         queryClient.invalidateQueries({ queryKey: ['nextcloud', 'rooms'] });
       }).catch(() => {});
     }
-  }, [selectedRoomToken, chatPanelOpen, queryClient, messages.length]);
+  }, [selectedRoomToken, chatPanelOpen, queryClient]);
 
+  // Smart scroll: instant on initial load, smooth only when user is near bottom
   useEffect(() => {
-    messagesEndRef.current?.scrollIntoView({ behavior: 'smooth' });
+    if (!messagesEndRef.current) return;
+    if (isInitialLoadRef.current) {
+      messagesEndRef.current.scrollIntoView();
+      if (messages.length > 0) isInitialLoadRef.current = false;
+      return;
+    }
+    const container = scrollContainerRef.current;
+    if (container) {
+      const { scrollHeight, scrollTop, clientHeight } = container;
+      const isNearBottom = scrollHeight - scrollTop - clientHeight < 150;
+      if (isNearBottom) {
+        messagesEndRef.current.scrollIntoView({ behavior: 'smooth' });
+      }
+    }
   }, [messages]);
 
   const handleSend = () => {
@@ -230,6 +247,7 @@ const ChatMessageView: React.FC = () => {
       </Box>
 
       <Box
+        ref={scrollContainerRef}
         sx={{
           flex: 1,
           overflow: 'auto',

frontend/src/components/chat/ChatPanel.tsx

@@ -30,6 +30,7 @@ const ChatPanelInner: React.FC = () => {
   const { chatPanelOpen, setChatPanelOpen } = useLayout();
   const { rooms, selectedRoomToken, selectRoom, connected } = useChat();
   const queryClient = useQueryClient();
+  const markedRoomsRef = React.useRef(new Set<string>());
   const { data: externalLinks } = useQuery({
     queryKey: ['external-links'],
     queryFn: () => configApi.getExternalLinks(),
@@ -46,11 +47,17 @@ const ChatPanelInner: React.FC = () => {
     }).catch(() => {});
   }, [chatPanelOpen, queryClient]);
 
-  // Mark unread rooms as read in Nextcloud whenever panel is open and rooms update
+  // Mark unread rooms as read in Nextcloud whenever panel is open
   React.useEffect(() => {
-    if (!chatPanelOpen) return;
+    if (!chatPanelOpen) {
-    const unread = rooms.filter((r) => r.unreadMessages > 0);
+      markedRoomsRef.current.clear();
+      return;
+    }
+    const unread = rooms.filter(
+      (r) => r.unreadMessages > 0 && !markedRoomsRef.current.has(r.token),
+    );
     if (unread.length === 0) return;
+    unread.forEach((r) => markedRoomsRef.current.add(r.token));
     Promise.allSettled(unread.map((r) => nextcloudApi.markAsRead(r.token))).then(() => {
       queryClient.invalidateQueries({ queryKey: ['nextcloud', 'rooms'] });
     });

frontend/src/components/chat/NewChatDialog.tsx

@@ -1,4 +1,4 @@
-import React, { useState } from 'react';
+import React, { useState, useEffect } from 'react';
 import Dialog from '@mui/material/Dialog';
 import DialogTitle from '@mui/material/DialogTitle';
 import DialogContent from '@mui/material/DialogContent';
@@ -25,6 +25,14 @@ const NewChatDialog: React.FC<NewChatDialogProps> = ({ open, onClose, onRoomCrea
   const [search, setSearch] = useState('');
   const [creating, setCreating] = useState(false);
 
+  // Reset state when dialog opens
+  useEffect(() => {
+    if (open) {
+      setSearch('');
+      setCreating(false);
+    }
+  }, [open]);
+
   const { data: users, isLoading } = useQuery({
     queryKey: ['nextcloud', 'users', search],
     queryFn: () => nextcloudApi.searchUsers(search),

frontend/src/components/dashboard/BookStackRecentWidget.tsx

@@ -76,7 +76,7 @@ const BookStackRecentWidget: React.FC = () => {
     retry: 1,
   });
 
-  const configured = data?.configured ?? true;
+  const configured = data?.configured ?? false;
   const pages = (data?.data ?? []).slice(0, 5);
 
   if (!configured) {

frontend/src/components/dashboard/BookStackSearchWidget.tsx

@@ -69,6 +69,11 @@ const BookStackSearchWidget: React.FC = () => {
   const [searching, setSearching] = useState(false);
   const debounceRef = useRef<ReturnType<typeof setTimeout> | null>(null);
   const latestQueryRef = useRef<string>('');
+  const isMountedRef = useRef(true);
+
+  useEffect(() => {
+    return () => { isMountedRef.current = false; };
+  }, []);
 
   const { data, isLoading: configLoading } = useQuery({
     queryKey: ['bookstack-recent'],
@@ -96,15 +101,15 @@ const BookStackSearchWidget: React.FC = () => {
     debounceRef.current = setTimeout(async () => {
       try {
         const response = await bookstackApi.search(thisQuery);
-        if (latestQueryRef.current === thisQuery) {
+        if (isMountedRef.current && latestQueryRef.current === thisQuery) {
           setResults(response.data);
         }
       } catch {
-        if (latestQueryRef.current === thisQuery) {
+        if (isMountedRef.current && latestQueryRef.current === thisQuery) {
           setResults([]);
         }
       } finally {
-        if (latestQueryRef.current === thisQuery) {
+        if (isMountedRef.current && latestQueryRef.current === thisQuery) {
           setSearching(false);
         }
       }

frontend/src/components/dashboard/DashboardLayout.tsx

@@ -25,7 +25,7 @@ function DashboardLayoutInner({ children }: DashboardLayoutProps) {
   }
 
   const sidebarWidth = sidebarCollapsed ? DRAWER_WIDTH_COLLAPSED : DRAWER_WIDTH;
-  const chatWidth = chatPanelOpen ? 360 : 60;
+  const chatWidth = chatPanelOpen ? 360 : 64;
 
   return (
     <Box sx={{ display: 'flex', height: '100vh', overflow: 'hidden' }}>

frontend/src/components/dashboard/EventQuickAddWidget.tsx

@@ -128,13 +128,6 @@ const EventQuickAddWidget: React.FC = () => {
           <Typography variant="h6">Veranstaltung</Typography>
         </Box>
 
-        {false ? (
-          <Box>
-            <Skeleton variant="rectangular" height={40} sx={{ mb: 1.5, borderRadius: 1 }} />
-            <Skeleton variant="rectangular" height={40} sx={{ mb: 1.5, borderRadius: 1 }} />
-            <Skeleton variant="rectangular" height={40} sx={{ borderRadius: 1 }} />
-          </Box>
-        ) : (
         <Box component="form" onSubmit={handleSubmit} sx={{ display: 'flex', flexDirection: 'column', gap: 1.5 }}>
             <TextField
               fullWidth
@@ -207,7 +200,6 @@ const EventQuickAddWidget: React.FC = () => {
               {mutation.isPending ? 'Wird erstellt…' : 'Erstellen'}
             </Button>
           </Box>
-        )}
       </CardContent>
     </Card>
   );

frontend/src/components/dashboard/VehicleBookingQuickAddWidget.tsx

@@ -75,6 +75,7 @@ const VehicleBookingQuickAddWidget: React.FC = () => {
       setEnde(fresh.ende);
       setBeschreibung('');
       queryClient.invalidateQueries({ queryKey: ['bookings'] });
+      queryClient.invalidateQueries({ queryKey: ['upcoming-vehicle-bookings'] });
     },
     onError: () => {
       showError('Fahrzeugbuchung konnte nicht erstellt werden');

frontend/src/components/incidents/CreateEinsatzDialog.tsx

@@ -76,8 +76,13 @@ const CreateEinsatzDialog: React.FC<CreateEinsatzDialogProps> = ({
     try {
       // Convert local datetime string to UTC ISO string
       const isoLocal = fromGermanDateTime(form.alarm_time_local);
+      if (!isoLocal) {
+        setError('Ungültiges Datum/Uhrzeit-Format. Bitte TT.MM.JJJJ HH:MM verwenden.');
+        setLoading(false);
+        return;
+      }
       const payload: CreateEinsatzPayload = {
-        alarm_time: isoLocal ? new Date(isoLocal).toISOString() : new Date().toISOString(),
+        alarm_time: new Date(isoLocal).toISOString(),
         einsatz_art: form.einsatz_art,
         einsatz_stichwort: form.einsatz_stichwort || null,
         strasse: form.strasse || null,

frontend/src/components/shared/ErrorBoundary.tsx

@@ -91,7 +91,7 @@ class ErrorBoundary extends Component<Props, State> {
                 <Box
                   sx={{
                     width: '100%',
-                    bgcolor: 'grey.100',
+                    bgcolor: 'action.hover',
                     p: 2,
                     borderRadius: 1,
                     mb: 3,

frontend/src/components/shared/NotificationBell.tsx

@@ -26,9 +26,15 @@ import type { Notification, NotificationSchwere } from '../../types/notification
 
 const POLL_INTERVAL_MS = 15_000; // 15 seconds
 
+let sharedAudioCtx: AudioContext | null = null;
+
 function playNotificationSound() {
   try {
-    const ctx = new AudioContext();
+    if (!sharedAudioCtx || sharedAudioCtx.state === 'closed') {
+      sharedAudioCtx = new AudioContext();
+    }
+    const ctx = sharedAudioCtx;
+    if (ctx.state === 'suspended') ctx.resume();
     const oscillator = ctx.createOscillator();
     const gain = ctx.createGain();
     oscillator.connect(gain);
@@ -41,7 +47,6 @@ function playNotificationSound() {
     gain.gain.linearRampToValueAtTime(0, now + 0.15);
     oscillator.start(now);
     oscillator.stop(now + 0.15);
-    oscillator.onended = () => ctx.close();
   } catch {
     // Audio blocked before first user interaction — fail silently
   }
@@ -113,7 +118,9 @@ const NotificationBell: React.FC = () => {
         showNotificationToast(n.titel, severity);
       });
       // Also add all known IDs to avoid re-toasting on re-fetch
-      data.forEach((n) => knownIdsRef.current!.add(n.id));
+      // Prune to only current IDs to prevent unbounded growth
+      const currentIds = new Set(data.map((n) => n.id));
+      knownIdsRef.current = currentIds;
     } catch {
       // non-critical
     }

frontend/src/components/shared/ServiceModeGuard.tsx

@@ -11,13 +11,16 @@ export default function ServiceModeGuard({ children }: Props) {
   const { user } = useAuth();
   const isAdmin = user?.groups?.includes('dashboard_admin') ?? false;
 
-  const { data: serviceMode } = useQuery({
+  const { data: serviceMode, isLoading } = useQuery({
     queryKey: ['service-mode'],
     queryFn: configApi.getServiceMode,
     refetchInterval: 60_000,
     retry: false,
   });
 
+  // Don't render children until we know the service mode status
+  if (isLoading) return null;
+
   if (serviceMode?.active && !isAdmin) {
     return <ServiceModePage message={serviceMode.message} />;
   }

frontend/src/contexts/AuthContext.tsx

@@ -139,10 +139,13 @@ export const AuthProvider: React.FC<AuthProviderProps> = ({ children }) => {
       const user = await authService.getCurrentUser();
       setUser(user);
       setState((prev) => ({ ...prev, user }));
-    } catch (error) {
+    } catch (error: any) {
       console.error('Failed to refresh user data:', error);
+      // Only logout on explicit 401 — network errors / 5xx should not destroy the session
+      if (error?.response?.status === 401) {
         logout();
       }
+    }
   }, [logout]);
 
   const value: AuthContextType = {

frontend/src/contexts/ChatContext.tsx

@@ -56,19 +56,43 @@ export const ChatProvider: React.FC<ChatProviderProps> = ({ children }) => {
   const connected = data?.connected ?? false;
   const loginName = data?.loginName ?? null;
 
+  const prevUnreadRef = useRef<Map<string, number>>(new Map());
+  const isInitializedRef = useRef(false);
+
+  // Reset initialization flag when disconnected
+  useEffect(() => {
+    if (!isConnected) {
+      isInitializedRef.current = false;
+    }
+  }, [isConnected]);
+
   // Detect new unread messages while panel is closed and show toast
   useEffect(() => {
     if (!rooms.length) return;
     const prev = prevUnreadRef.current;
-    const isFirstLoad = prev.size === 0;
+
+    if (!isInitializedRef.current) {
+      // First load (or after reconnect) — initialize without toasting
+      for (const room of rooms) {
+        prev.set(room.token, room.unreadMessages);
+      }
+      isInitializedRef.current = true;
+      return;
+    }
 
     for (const room of rooms) {
       const prevCount = prev.get(room.token) ?? 0;
-      if (!isFirstLoad && !chatPanelOpen && room.unreadMessages > prevCount) {
+      if (!chatPanelOpen && room.unreadMessages > prevCount) {
         showNotificationToast(room.displayName, 'info');
       }
       prev.set(room.token, room.unreadMessages);
     }
+
+    // Prune entries for rooms no longer in the list
+    const currentTokens = new Set(rooms.map((r) => r.token));
+    for (const key of prev.keys()) {
+      if (!currentTokens.has(key)) prev.delete(key);
+    }
   }, [rooms, chatPanelOpen, showNotificationToast]);
 
   const selectRoom = useCallback((token: string | null) => {

frontend/src/contexts/NotificationContext.tsx

@@ -1,4 +1,4 @@
-import React, { createContext, useContext, useState, ReactNode, useCallback } from 'react';
+import React, { createContext, useContext, useState, useRef, ReactNode, useCallback } from 'react';
 import { Snackbar, Alert, AlertColor } from '@mui/material';
 
 interface Notification {
@@ -22,8 +22,8 @@ interface NotificationProviderProps {
 }
 
 export const NotificationProvider: React.FC<NotificationProviderProps> = ({ children }) => {
-  const [_notifications, setNotifications] = useState<Notification[]>([]);
   const [currentNotification, setCurrentNotification] = useState<Notification | null>(null);
+  const queueRef = useRef<Notification[]>([]);
 
   // Left-side toast queue for new backend notifications
   const [toastQueue, setToastQueue] = useState<Notification[]>([]);
@@ -32,13 +32,15 @@ export const NotificationProvider: React.FC<NotificationProviderProps> = ({ chil
     const id = Date.now();
     const notification: Notification = { id, message, severity };
 
-    setNotifications((prev) => [...prev, notification]);
+    // Use functional update to avoid stale closure over currentNotification
-
+    setCurrentNotification((prev) => {
-    // If no notification is currently displayed, show this one immediately
+      if (prev) {
-    if (!currentNotification) {
+        queueRef.current.push(notification);
-      setCurrentNotification(notification);
+        return prev;
       }
-  }, [currentNotification]);
+      return notification;
+    });
+  }, []);
 
   const showSuccess = useCallback((message: string) => {
     addNotification(message, 'success');
@@ -68,15 +70,12 @@ export const NotificationProvider: React.FC<NotificationProviderProps> = ({ chil
 
     setCurrentNotification(null);
 
-    // Show next notification after a short delay
+    // Show next queued notification after a short delay
     setTimeout(() => {
-      setNotifications((prev) => {
+      const next = queueRef.current.shift();
-        const remaining = prev.filter((n) => n.id !== currentNotification?.id);
+      if (next) {
-        if (remaining.length > 0) {
+        setCurrentNotification(next);
-          setCurrentNotification(remaining[0]);
       }
-        return remaining;
-      });
     }, 200);
   };
 

frontend/src/contexts/ThemeContext.tsx

@@ -1,4 +1,4 @@
-import React, { createContext, useContext, useState, useEffect, useMemo } from 'react';
+import React, { createContext, useContext, useState, useEffect, useMemo, useCallback } from 'react';
 import { ThemeProvider } from '@mui/material/styles';
 import { CssBaseline } from '@mui/material';
 import { lightTheme, darkTheme } from '../theme/theme';
@@ -50,10 +50,10 @@ export const ThemeModeProvider: React.FC<{ children: React.ReactNode }> = ({ chi
     return () => mq.removeEventListener('change', handler);
   }, []);
 
-  const setThemeMode = (mode: ThemeMode) => {
+  const setThemeMode = useCallback((mode: ThemeMode) => {
     setThemeModeState(mode);
     localStorage.setItem(STORAGE_KEY, mode);
-  };
+  }, []);
 
   const resolvedMode: 'light' | 'dark' =
     themeMode === 'system' ? systemPreference : themeMode;

frontend/src/pages/Atemschutz.tsx

@@ -41,6 +41,7 @@ import {
   Search,
 } from '@mui/icons-material';
 import DashboardLayout from '../components/dashboard/DashboardLayout';
+import ChatAwareFab from '../components/shared/ChatAwareFab';
 import { atemschutzApi } from '../services/atemschutz';
 import { membersService } from '../services/members';
 import { useNotification } from '../contexts/NotificationContext';
@@ -314,11 +315,11 @@ function Atemschutz() {
           lehrgang_datum: normalizeDate(form.lehrgang_datum || undefined),
           untersuchung_datum: normalizeDate(form.untersuchung_datum || undefined),
           untersuchung_gueltig_bis: normalizeDate(form.untersuchung_gueltig_bis || undefined),
-          untersuchung_ergebnis: (form.untersuchung_ergebnis as UntersuchungErgebnis) || undefined,
+          untersuchung_ergebnis: (form.untersuchung_ergebnis as UntersuchungErgebnis) || null,
           leistungstest_datum: normalizeDate(form.leistungstest_datum || undefined),
           leistungstest_gueltig_bis: normalizeDate(form.leistungstest_gueltig_bis || undefined),
           leistungstest_bestanden: form.leistungstest_bestanden,
-          bemerkung: form.bemerkung || undefined,
+          bemerkung: form.bemerkung || null,
         };
         await atemschutzApi.update(editingId, payload);
         notification.showSuccess('Atemschutzträger erfolgreich aktualisiert.');
@@ -594,14 +595,13 @@ function Atemschutz() {
 
         {/* FAB to create */}
         {canWrite && (
-        <Fab
+        <ChatAwareFab
           color="primary"
           aria-label="Atemschutzträger hinzufügen"
-          sx={{ position: 'fixed', bottom: 32, right: 32 }}
           onClick={handleOpenCreate}
         >
           <Add />
-        </Fab>
+        </ChatAwareFab>
         )}
 
         {/* ── Add / Edit Dialog ───────────────────────────────────────────── */}

frontend/src/pages/Ausruestung.tsx

@@ -45,6 +45,7 @@ import {
   EquipmentStats,
 } from '../types/equipment.types';
 import { usePermissions } from '../hooks/usePermissions';
+import ChatAwareFab from '../components/shared/ChatAwareFab';
 
 // ── Status chip config ────────────────────────────────────────────────────────
 
@@ -464,14 +465,13 @@ function Ausruestung() {
 
         {/* FAB for adding new equipment */}
         {canManageEquipment && (
-          <Fab
+          <ChatAwareFab
             color="primary"
             aria-label="Ausrüstung hinzufügen"
-            sx={{ position: 'fixed', bottom: 32, right: 32 }}
             onClick={() => navigate('/ausruestung/neu')}
           >
             <Add />
-          </Fab>
+          </ChatAwareFab>
         )}
       </Container>
     </DashboardLayout>

frontend/src/pages/AusruestungForm.tsx

@@ -85,27 +85,6 @@ function AusruestungForm() {
   const { canManageEquipment } = usePermissions();
   const isEditMode = Boolean(id);
 
-  // -- Permission guard: only authorized users may create or edit equipment ----
-  if (!canManageEquipment) {
-    return (
-      <DashboardLayout>
-        <Container maxWidth="lg">
-          <Box sx={{ textAlign: 'center', py: 8 }}>
-            <Typography variant="h5" gutterBottom>
-              Keine Berechtigung
-            </Typography>
-            <Typography variant="body1" color="text.secondary" sx={{ mb: 3 }}>
-              Sie haben nicht die erforderlichen Rechte, um Ausrüstung zu bearbeiten.
-            </Typography>
-            <Button variant="contained" onClick={() => navigate('/ausruestung')}>
-              Zurück zur Ausrüstungsübersicht
-            </Button>
-          </Box>
-        </Container>
-      </DashboardLayout>
-    );
-  }
-
   const [form, setForm]       = useState<FormState>(EMPTY_FORM);
   const [loading, setLoading] = useState(isEditMode);
   const [saving, setSaving]   = useState(false);
@@ -168,6 +147,27 @@ function AusruestungForm() {
     if (isEditMode) fetchEquipment();
   }, [isEditMode, fetchEquipment]);
 
+  // -- Permission guard: only authorized users may create or edit equipment ----
+  if (!canManageEquipment) {
+    return (
+      <DashboardLayout>
+        <Container maxWidth="lg">
+          <Box sx={{ textAlign: 'center', py: 8 }}>
+            <Typography variant="h5" gutterBottom>
+              Keine Berechtigung
+            </Typography>
+            <Typography variant="body1" color="text.secondary" sx={{ mb: 3 }}>
+              Sie haben nicht die erforderlichen Rechte, um Ausrüstung zu bearbeiten.
+            </Typography>
+            <Button variant="contained" onClick={() => navigate('/ausruestung')}>
+              Zurück zur Ausrüstungsübersicht
+            </Button>
+          </Box>
+        </Container>
+      </DashboardLayout>
+    );
+  }
+
   // -- Validation -------------------------------------------------------------
 
   const validate = (): boolean => {
@@ -213,19 +213,19 @@ function AusruestungForm() {
         const payload: UpdateAusruestungPayload = {
           bezeichnung:           form.bezeichnung.trim() || undefined,
           kategorie_id:          form.kategorie_id || undefined,
-          seriennummer:          form.seriennummer.trim() || undefined,
+          seriennummer:          form.seriennummer.trim() || null,
-          inventarnummer:        form.inventarnummer.trim() || undefined,
+          inventarnummer:        form.inventarnummer.trim() || null,
-          hersteller:            form.hersteller.trim() || undefined,
+          hersteller:            form.hersteller.trim() || null,
-          baujahr:               form.baujahr ? parseInt(form.baujahr, 10) : undefined,
+          baujahr:               form.baujahr ? parseInt(form.baujahr, 10) : null,
           status:                form.status,
-          status_bemerkung:      form.status_bemerkung.trim() || undefined,
+          status_bemerkung:      form.status_bemerkung.trim() || null,
           ist_wichtig:           form.ist_wichtig,
           fahrzeug_id:           form.fahrzeug_id || null,
           standort:              !form.fahrzeug_id ? (form.standort.trim() || 'Lager') : undefined,
-          pruef_intervall_monate: form.pruef_intervall_monate ? parseInt(form.pruef_intervall_monate, 10) : undefined,
+          pruef_intervall_monate: form.pruef_intervall_monate ? parseInt(form.pruef_intervall_monate, 10) : null,
-          letzte_pruefung_am:    form.letzte_pruefung_am ? fromGermanDate(form.letzte_pruefung_am) || undefined : undefined,
+          letzte_pruefung_am:    form.letzte_pruefung_am ? fromGermanDate(form.letzte_pruefung_am) || null : null,
-          naechste_pruefung_am:  form.naechste_pruefung_am ? fromGermanDate(form.naechste_pruefung_am) || undefined : undefined,
+          naechste_pruefung_am:  form.naechste_pruefung_am ? fromGermanDate(form.naechste_pruefung_am) || null : null,
-          bemerkung:             form.bemerkung.trim() || undefined,
+          bemerkung:             form.bemerkung.trim() || null,
         };
         await equipmentApi.update(id, payload);
         navigate(`/ausruestung/${id}`);

frontend/src/pages/Dashboard.tsx

@@ -70,6 +70,8 @@ function Dashboard() {
 
   return (
     <DashboardLayout>
+      {/* Vikunja — Overdue Notifier (invisible, polling component — outside grid) */}
+      <VikunjaOverdueNotifier />
       <Container maxWidth={false} disableGutters>
         <Box
           sx={{
@@ -97,9 +99,6 @@ function Dashboard() {
             </Box>
           )}
 
-          {/* Vikunja — Overdue Notifier (invisible, polling component) */}
-          <VikunjaOverdueNotifier />
-
           {/* Status Group */}
           <WidgetGroup title="Status" gridColumn="1 / -1">
             {widgetVisible('vehicles') && (

frontend/src/pages/Einsaetze.tsx

@@ -49,6 +49,7 @@ import {
   EINSATZ_STATUS_LABELS,
 } from '../services/incidents';
 import CreateEinsatzDialog from '../components/incidents/CreateEinsatzDialog';
+import { useAuth } from '../contexts/AuthContext';
 
 // ---------------------------------------------------------------------------
 // COLOUR MAP for Einsatzart chips
@@ -175,6 +176,10 @@ function StatsSummaryBar({ stats, loading }: StatsSummaryProps) {
 // ---------------------------------------------------------------------------
 function Einsaetze() {
   const navigate = useNavigate();
+  const { user } = useAuth();
+  const canWrite = user?.groups?.some((g: string) =>
+    ['dashboard_admin', 'dashboard_kommando', 'dashboard_gruppenfuehrer'].includes(g)
+  ) ?? false;
 
   // List state
   const [items, setItems] = useState<EinsatzListItem[]>([]);
@@ -220,7 +225,7 @@ function Einsaetze() {
           filters.dateTo = end.toISOString();
         }
       }
-      if (selectedArts.length === 1) filters.einsatzArt = selectedArts[0];
+      if (selectedArts.length >= 1) filters.einsatzArt = selectedArts[0];
 
       const result = await incidentsApi.getAll(filters as Parameters<typeof incidentsApi.getAll>[0]);
       setItems(result.items);
@@ -308,6 +313,7 @@ function Einsaetze() {
                 <Refresh />
               </IconButton>
             </Tooltip>
+            {canWrite && (
               <Button
                 variant="contained"
                 color="primary"
@@ -316,6 +322,7 @@ function Einsaetze() {
               >
                 Neuer Einsatz
               </Button>
+            )}
           </Stack>
         </Box>
 

frontend/src/pages/EinsatzDetail.tsx

@@ -43,6 +43,7 @@ import {
   EinsatzArt,
 } from '../services/incidents';
 import { useNotification } from '../contexts/NotificationContext';
+import { useAuth } from '../contexts/AuthContext';
 
 // ---------------------------------------------------------------------------
 // COLOUR MAPS
@@ -164,6 +165,10 @@ function EinsatzDetail() {
   const { id } = useParams<{ id: string }>();
   const navigate = useNavigate();
   const notification = useNotification();
+  const { user } = useAuth();
+  const canWrite = user?.groups?.some((g: string) =>
+    ['dashboard_admin', 'dashboard_kommando', 'dashboard_gruppenfuehrer'].includes(g)
+  ) ?? false;
 
   const [einsatz, setEinsatz] = useState<EinsatzDetailType | null>(null);
   const [loading, setLoading] = useState(true);
@@ -297,7 +302,7 @@ function EinsatzDetail() {
                 PDF Export
               </Button>
             </Tooltip>
-            {!editing ? (
+            {canWrite && !editing ? (
               <Button
                 variant="contained"
                 startIcon={<Edit />}
@@ -306,7 +311,7 @@ function EinsatzDetail() {
               >
                 Bearbeiten
               </Button>
-            ) : (
+            ) : canWrite && editing ? (
               <>
                 <Button
                   variant="outlined"
@@ -328,7 +333,7 @@ function EinsatzDetail() {
                   {saving ? 'Speichere...' : 'Speichern'}
                 </Button>
               </>
-            )}
+            ) : null}
           </Stack>
         </Box>
 

frontend/src/pages/FahrzeugBuchungen.tsx

@@ -43,6 +43,7 @@ import {
   Block,
 } from '@mui/icons-material';
 import DashboardLayout from '../components/dashboard/DashboardLayout';
+import ChatAwareFab from '../components/shared/ChatAwareFab';
 import { useAuth } from '../contexts/AuthContext';
 import { useNotification } from '../contexts/NotificationContext';
 import { bookingApi, fetchVehicles } from '../services/bookings';
@@ -593,14 +594,13 @@ function FahrzeugBuchungen() {
 
         {/* ── FAB ── */}
         {canCreate && (
-          <Fab
+          <ChatAwareFab
             color="primary"
             aria-label="Buchung erstellen"
-            sx={{ position: 'fixed', bottom: 32, right: 32 }}
             onClick={openCreateDialog}
           >
             <Add />
-          </Fab>
+          </ChatAwareFab>
         )}
 
         {/* ── Booking detail popover ── */}

frontend/src/pages/FahrzeugForm.tsx

@@ -80,27 +80,6 @@ function FahrzeugForm() {
   const { isAdmin } = usePermissions();
   const isEditMode = Boolean(id);
 
-  // ── Permission guard: only admins may create or edit vehicles ──────────────
-  if (!isAdmin) {
-    return (
-      <DashboardLayout>
-        <Container maxWidth="lg">
-          <Box sx={{ textAlign: 'center', py: 8 }}>
-            <Typography variant="h5" gutterBottom>
-              Keine Berechtigung
-            </Typography>
-            <Typography variant="body1" color="text.secondary" sx={{ mb: 3 }}>
-              Sie haben nicht die erforderlichen Rechte, um Fahrzeuge zu bearbeiten.
-            </Typography>
-            <Button variant="contained" onClick={() => navigate('/fahrzeuge')}>
-              Zurück zur Fahrzeugübersicht
-            </Button>
-          </Box>
-        </Container>
-      </DashboardLayout>
-    );
-  }
-
   const [form, setForm]       = useState<FormState>(EMPTY_FORM);
   const [loading, setLoading] = useState(isEditMode);
   const [saving, setSaving]   = useState(false);
@@ -141,6 +120,27 @@ function FahrzeugForm() {
     if (isEditMode) fetchVehicle();
   }, [isEditMode, fetchVehicle]);
 
+  // ── Permission guard: only admins may create or edit vehicles ──────────────
+  if (!isAdmin) {
+    return (
+      <DashboardLayout>
+        <Container maxWidth="lg">
+          <Box sx={{ textAlign: 'center', py: 8 }}>
+            <Typography variant="h5" gutterBottom>
+              Keine Berechtigung
+            </Typography>
+            <Typography variant="body1" color="text.secondary" sx={{ mb: 3 }}>
+              Sie haben nicht die erforderlichen Rechte, um Fahrzeuge zu bearbeiten.
+            </Typography>
+            <Button variant="contained" onClick={() => navigate('/fahrzeuge')}>
+              Zurück zur Fahrzeugübersicht
+            </Button>
+          </Box>
+        </Container>
+      </DashboardLayout>
+    );
+  }
+
   const validate = (): boolean => {
     const errors: Partial<Record<keyof FormState, string>> = {};
     if (!form.bezeichnung.trim()) {
@@ -160,19 +160,19 @@ function FahrzeugForm() {
       if (isEditMode && id) {
         const payload: UpdateFahrzeugPayload = {
           bezeichnung:            form.bezeichnung.trim() || undefined,
-          kurzname:               form.kurzname.trim() || undefined,
+          kurzname:               form.kurzname.trim() || null,
-          amtliches_kennzeichen:  form.amtliches_kennzeichen.trim() || undefined,
+          amtliches_kennzeichen:  form.amtliches_kennzeichen.trim() || null,
-          fahrgestellnummer:      form.fahrgestellnummer.trim() || undefined,
+          fahrgestellnummer:      form.fahrgestellnummer.trim() || null,
-          baujahr:                form.baujahr ? Number(form.baujahr) : undefined,
+          baujahr:                form.baujahr ? Number(form.baujahr) : null,
-          hersteller:             form.hersteller.trim() || undefined,
+          hersteller:             form.hersteller.trim() || null,
-          typ_schluessel:         form.typ_schluessel.trim() || undefined,
+          typ_schluessel:         form.typ_schluessel.trim() || null,
-          besatzung_soll:         form.besatzung_soll.trim() || undefined,
+          besatzung_soll:         form.besatzung_soll.trim() || null,
           status:                 form.status,
-          status_bemerkung:       form.status_bemerkung.trim() || undefined,
+          status_bemerkung:       form.status_bemerkung.trim() || null,
           standort:               form.standort.trim() || 'Feuerwehrhaus',
-          bild_url:               form.bild_url.trim() || undefined,
+          bild_url:               form.bild_url.trim() || null,
-          paragraph57a_faellig_am: form.paragraph57a_faellig_am || undefined,
+          paragraph57a_faellig_am: form.paragraph57a_faellig_am || null,
-          naechste_wartung_am:    form.naechste_wartung_am || undefined,
+          naechste_wartung_am:    form.naechste_wartung_am || null,
         };
         await vehiclesApi.update(id, payload);
         navigate(`/fahrzeuge/${id}`);

frontend/src/pages/Mitglieder.tsx

@@ -135,8 +135,13 @@ function Mitglieder() {
     fetchMembers();
   }, [fetchMembers, debouncedSearch]);
 
-  // Also fetch when page/filters change
+  // Also fetch when page/filters change (skip initial mount to avoid double-fetch)
+  const isInitialMount = useRef(true);
   useEffect(() => {
+    if (isInitialMount.current) {
+      isInitialMount.current = false;
+      return;
+    }
     fetchMembers();
     // eslint-disable-next-line react-hooks/exhaustive-deps
   }, [page, selectedStatus, selectedDienstgrad]);

frontend/src/pages/Settings.tsx

@@ -130,8 +130,8 @@ function Settings() {
           const result = await nextcloudApi.poll(pollToken, pollEndpoint);
           if (result.completed) {
             stopPolling();
-            queryClient.invalidateQueries({ queryKey: ['nextcloud-talk'] });
+            queryClient.invalidateQueries({ queryKey: ['nextcloud', 'connection'] });
-            queryClient.invalidateQueries({ queryKey: ['nextcloud-talk-rooms'] });
+            queryClient.invalidateQueries({ queryKey: ['nextcloud', 'rooms'] });
           }
         } catch {
           // Polling error — keep trying until timeout

frontend/src/pages/Veranstaltungen.tsx

@@ -1101,7 +1101,8 @@ export default function Veranstaltungen() {
   };
 
   const handleToday = () => {
-    setViewMonth({ year: today.getFullYear(), month: today.getMonth() });
+    const now = new Date();
+    setViewMonth({ year: now.getFullYear(), month: now.getMonth() });
   };
 
   // ---------------------------------------------------------------------------

frontend/src/pages/admin/AuditLog.tsx

@@ -457,30 +457,29 @@ const AuditLog: React.FC = () => {
     setLoading(true);
     setError(null);
     try {
-      const params: Record<string, string> = {
+      const params = new URLSearchParams();
-        page:     String(pagination.page + 1),  // convert 0-based to 1-based
+      params.set('page', String(pagination.page + 1));
-        pageSize: String(pagination.pageSize),
+      params.set('pageSize', String(pagination.pageSize));
-      };
 
       if (f.dateFrom) {
         const iso = fromGermanDate(f.dateFrom);
-        if (iso) params.dateFrom = new Date(iso).toISOString();
+        if (iso) params.set('dateFrom', new Date(iso).toISOString());
       }
       if (f.dateTo) {
         const iso = fromGermanDate(f.dateTo);
-        if (iso) params.dateTo = new Date(iso + 'T23:59:59').toISOString();
+        if (iso) params.set('dateTo', new Date(iso + 'T23:59:59').toISOString());
       }
       if (f.action && f.action.length > 0) {
-        params.action = f.action.join(',');
+        f.action.forEach((a) => params.append('action', a));
       }
       if (f.resourceType && f.resourceType.length > 0) {
-        params.resourceType = f.resourceType.join(',');
+        f.resourceType.forEach((rt) => params.append('resourceType', rt));
       }
-      if (f.userId) params.userId = f.userId;
+      if (f.userId) params.set('userId', f.userId);
 
-      const queryString = new URLSearchParams(params).toString();
+      const queryString = params.toString();
       const response = await api.get<{ success: boolean; data: AuditLogPage }>(
-        `/admin/audit-log?${queryString}`
+        `/api/admin/audit-log?${queryString}`
       );
 
       setRows(response.data.data.entries);
@@ -538,7 +537,7 @@ const AuditLog: React.FC = () => {
 
       const queryString = new URLSearchParams(params).toString();
       const response = await api.get<Blob>(
-        `/admin/audit-log/export?${queryString}`,
+        `/api/admin/audit-log/export?${queryString}`,
         { responseType: 'blob' }
       );