Update dependencies to include TinyMCE and Quill, enhance Navigation component with a new Newsletter submenu, and implement role-based access control for CMS features. Refactor user role handling to support multiple roles and improve user management functionality across various API endpoints.

server/api/auth/login.post.js

@@ -1,4 +1,4 @@
-import { readUsers, writeUsers, verifyPassword, generateToken, createSession } from '../../utils/auth.js'
+import { readUsers, writeUsers, verifyPassword, generateToken, createSession, migrateUserRoles } from '../../utils/auth.js'
 
 export default defineEventHandler(async (event) => {
   try {
@@ -59,6 +59,10 @@ export default defineEventHandler(async (event) => {
       maxAge: 60 * 60 * 24 * 7 // 7 days
     })
 
+    // Migriere Rollen falls nötig
+    const migratedUser = migrateUserRoles({ ...user })
+    const roles = Array.isArray(migratedUser.roles) ? migratedUser.roles : (migratedUser.role ? [migratedUser.role] : ['mitglied'])
+    
     // Return user data (without password) and token for API usage
     return {
       success: true,
@@ -67,8 +71,10 @@ export default defineEventHandler(async (event) => {
         id: user.id,
         email: user.email,
         name: user.name,
-        role: user.role
-      }
+        roles: roles
+      },
+      // Rückwärtskompatibilität: erste Rolle als role
+      role: roles[0] || 'mitglied'
     }
   } catch (error) {
     console.error('Login-Fehler:', error)

server/api/auth/status.get.js

@@ -23,15 +23,19 @@ export default defineEventHandler(async (event) => {
       }
     }
 
+    const roles = Array.isArray(user.roles) ? user.roles : (user.role ? [user.role] : ['mitglied'])
+    
     return {
       isLoggedIn: true,
       user: {
         id: user.id,
         email: user.email,
         name: user.name,
-        role: user.role
+        roles: roles
       },
-      role: user.role
+      roles: roles,
+      // Rückwärtskompatibilität: erste Rolle als role
+      role: roles[0] || 'mitglied'
     }
   } catch (error) {
     console.error('Auth-Status-Fehler:', error)

server/api/cms/satzung-upload.post.js

@@ -3,7 +3,7 @@ import fs from 'fs/promises'
 import path from 'path'
 import { exec } from 'child_process'
 import { promisify } from 'util'
-import { getUserFromToken } from '../../utils/auth.js'
+import { getUserFromToken, hasAnyRole } from '../../utils/auth.js'
 
 const execAsync = promisify(exec)
 
@@ -62,7 +62,7 @@ export default defineEventHandler(async (event) => {
     })
   }
 
-  if (currentUser.role !== 'admin' && currentUser.role !== 'vorstand') {
+  if (!hasAnyRole(currentUser, 'admin', 'vorstand')) {
     throw createError({
       statusCode: 403,
       statusMessage: 'Keine Berechtigung'

server/api/cms/save-csv.post.js

@@ -1,6 +1,6 @@
 import fs from 'fs/promises'
 import path from 'path'
-import { getUserFromToken } from '../../utils/auth.js'
+import { getUserFromToken, hasAnyRole } from '../../utils/auth.js'
 
 export default defineEventHandler(async (event) => {
   try {
@@ -14,7 +14,7 @@ export default defineEventHandler(async (event) => {
       })
     }
 
-    if (currentUser.role !== 'admin' && currentUser.role !== 'vorstand') {
+    if (!hasAnyRole(currentUser, 'admin', 'vorstand')) {
       throw createError({
         statusCode: 403,
         statusMessage: 'Keine Berechtigung'

server/api/cms/upload-spielplan-pdf.post.js

@@ -1,7 +1,7 @@
 import multer from 'multer'
 import fs from 'fs/promises'
 import path from 'path'
-import { getUserFromToken } from '../../utils/auth.js'
+import { getUserFromToken, hasAnyRole } from '../../utils/auth.js'
 
 // Multer-Konfiguration für PDF-Uploads
 const storage = multer.diskStorage({
@@ -57,7 +57,7 @@ export default defineEventHandler(async (event) => {
       })
     }
 
-    if (currentUser.role !== 'admin' && currentUser.role !== 'vorstand') {
+    if (!hasAnyRole(currentUser, 'admin', 'vorstand')) {
       throw createError({
         statusCode: 403,
         statusMessage: 'Keine Berechtigung'

server/api/cms/users/approve.post.js

@@ -1,4 +1,4 @@
-import { getUserFromToken, readUsers, writeUsers } from '../../../utils/auth.js'
+import { getUserFromToken, readUsers, writeUsers, hasAnyRole, migrateUserRoles } from '../../../utils/auth.js'
 import nodemailer from 'nodemailer'
 
 export default defineEventHandler(async (event) => {
@@ -6,7 +6,7 @@ export default defineEventHandler(async (event) => {
     const token = getCookie(event, 'auth_token')
     const currentUser = await getUserFromToken(token)
 
-    if (!currentUser || (currentUser.role !== 'admin' && currentUser.role !== 'vorstand')) {
+    if (!currentUser || !hasAnyRole(currentUser, 'admin')) {
       throw createError({
         statusCode: 403,
         message: 'Zugriff verweigert'
@@ -14,7 +14,7 @@ export default defineEventHandler(async (event) => {
     }
 
     const body = await readBody(event)
-    const { userId, role } = body
+    const { userId, roles } = body
 
     const users = await readUsers()
     const user = users.find(u => u.id === userId)
@@ -26,9 +26,17 @@ export default defineEventHandler(async (event) => {
       })
     }
 
-    // Activate user and set role
+    // Migriere Benutzer falls nötig
+    migrateUserRoles(user)
+
+    // Activate user and set roles
     user.active = true
-    user.role = role || 'mitglied'
+    if (Array.isArray(roles) && roles.length > 0) {
+      user.roles = roles
+    } else {
+      // Fallback: einzelne Rolle als Array
+      user.roles = roles ? [roles] : ['mitglied']
+    }
     
     const updatedUsers = users.map(u => u.id === userId ? user : u)
     await writeUsers(updatedUsers)

server/api/cms/users/deactivate.post.js

@@ -1,11 +1,11 @@
-import { getUserFromToken, readUsers, writeUsers } from '../../../utils/auth.js'
+import { getUserFromToken, readUsers, writeUsers, hasAnyRole } from '../../../utils/auth.js'
 
 export default defineEventHandler(async (event) => {
   try {
     const token = getCookie(event, 'auth_token')
     const currentUser = await getUserFromToken(token)
 
-    if (!currentUser || (currentUser.role !== 'admin' && currentUser.role !== 'vorstand')) {
+    if (!currentUser || !hasAnyRole(currentUser, 'admin')) {
       throw createError({
         statusCode: 403,
         message: 'Zugriff verweigert'

server/api/cms/users/list.get.js

@@ -1,11 +1,11 @@
-import { getUserFromToken, readUsers } from '../../../utils/auth.js'
+import { getUserFromToken, readUsers, hasAnyRole, migrateUserRoles } from '../../../utils/auth.js'
 
 export default defineEventHandler(async (event) => {
   try {
     const token = getCookie(event, 'auth_token')
     const currentUser = await getUserFromToken(token)
 
-    if (!currentUser || (currentUser.role !== 'admin' && currentUser.role !== 'vorstand')) {
+    if (!currentUser || !hasAnyRole(currentUser, 'admin')) {
       throw createError({
         statusCode: 403,
         message: 'Zugriff verweigert'
@@ -15,16 +15,21 @@ export default defineEventHandler(async (event) => {
     const users = await readUsers()
     
     // Return users without passwords
-    const safeUsers = users.map(u => ({
-      id: u.id,
-      email: u.email,
-      name: u.name,
-      role: u.role,
-      phone: u.phone || '',
-      active: u.active,
-      created: u.created,
-      lastLogin: u.lastLogin
-    }))
+    const safeUsers = users.map(u => {
+      const migrated = migrateUserRoles({ ...u })
+      const roles = Array.isArray(migrated.roles) ? migrated.roles : (migrated.role ? [migrated.role] : ['mitglied'])
+      return {
+        id: u.id,
+        email: u.email,
+        name: u.name,
+        roles: roles,
+        role: roles[0] || 'mitglied', // Rückwärtskompatibilität
+        phone: u.phone || '',
+        active: u.active,
+        created: u.created,
+        lastLogin: u.lastLogin
+      }
+    })
 
     return {
       users: safeUsers

server/api/cms/users/reject.post.js

@@ -1,11 +1,11 @@
-import { getUserFromToken, readUsers, writeUsers } from '../../../utils/auth.js'
+import { getUserFromToken, readUsers, writeUsers, hasAnyRole } from '../../../utils/auth.js'
 
 export default defineEventHandler(async (event) => {
   try {
     const token = getCookie(event, 'auth_token')
     const currentUser = await getUserFromToken(token)
 
-    if (!currentUser || (currentUser.role !== 'admin' && currentUser.role !== 'vorstand')) {
+    if (!currentUser || !hasAnyRole(currentUser, 'admin')) {
       throw createError({
         statusCode: 403,
         message: 'Zugriff verweigert'

server/api/cms/users/update-role.post.js

@@ -1,11 +1,11 @@
-import { getUserFromToken, readUsers, writeUsers } from '../../../utils/auth.js'
+import { getUserFromToken, readUsers, writeUsers, hasAnyRole, migrateUserRoles } from '../../../utils/auth.js'
 
 export default defineEventHandler(async (event) => {
   try {
     const token = getCookie(event, 'auth_token')
     const currentUser = await getUserFromToken(token)
 
-    if (!currentUser || (currentUser.role !== 'admin' && currentUser.role !== 'vorstand')) {
+    if (!currentUser || !hasAnyRole(currentUser, 'admin')) {
       throw createError({
         statusCode: 403,
         message: 'Zugriff verweigert'
@@ -13,12 +13,15 @@ export default defineEventHandler(async (event) => {
     }
 
     const body = await readBody(event)
-    const { userId, role } = body
+    const { userId, roles } = body
 
-    if (!['mitglied', 'vorstand', 'admin'].includes(role)) {
+    const validRoles = ['mitglied', 'vorstand', 'admin', 'newsletter']
+    const rolesArray = Array.isArray(roles) ? roles : (roles ? [roles] : ['mitglied'])
+    
+    if (!rolesArray.every(r => validRoles.includes(r))) {
       throw createError({
         statusCode: 400,
-        message: 'Ungültige Rolle'
+        message: 'Ungültige Rolle(n)'
       })
     }
 
@@ -32,7 +35,11 @@ export default defineEventHandler(async (event) => {
       })
     }
 
-    user.role = role
+    // Migriere Benutzer falls nötig
+    migrateUserRoles(user)
+    
+    // Setze Rollen
+    user.roles = rolesArray
     const updatedUsers = users.map(u => u.id === userId ? user : u)
     await writeUsers(updatedUsers)
 

server/api/config.put.js

@@ -1,4 +1,4 @@
-import { verifyToken, getUserById } from '../utils/auth.js'
+import { verifyToken, getUserById, hasAnyRole } from '../utils/auth.js'
 import { promises as fs } from 'fs'
 import path from 'path'
 
@@ -33,7 +33,7 @@ export default defineEventHandler(async (event) => {
     const user = await getUserById(decoded.id)
 
     // Only admin and vorstand can edit config
-    if (!user || (user.role !== 'admin' && user.role !== 'vorstand')) {
+    if (!user || !hasAnyRole(user, 'admin', 'vorstand')) {
       throw createError({
         statusCode: 403,
         message: 'Keine Berechtigung zum Bearbeiten der Konfiguration.'

server/api/galerie/[id].delete.js

@@ -51,7 +51,7 @@ export default defineEventHandler(async (event) => {
     }
 
     const user = await getUserFromToken(token)
-    if (!user || (user.role !== 'admin' && user.role !== 'vorstand')) {
+    if (!user || !hasAnyRole(user, 'admin', 'vorstand')) {
       throw createError({
         statusCode: 403,
         statusMessage: 'Keine Berechtigung zum Löschen von Bildern'

server/api/galerie/upload.post.js

@@ -2,7 +2,7 @@ import multer from 'multer'
 import fs from 'fs/promises'
 import path from 'path'
 import sharp from 'sharp'
-import { getUserFromToken, verifyToken } from '../../utils/auth.js'
+import { getUserFromToken, verifyToken, hasAnyRole } from '../../utils/auth.js'
 import { randomUUID } from 'crypto'
 
 // Handle both dev and production paths
@@ -90,7 +90,7 @@ export default defineEventHandler(async (event) => {
     }
 
     const user = await getUserFromToken(token)
-    if (!user || (user.role !== 'admin' && user.role !== 'vorstand')) {
+    if (!user || !hasAnyRole(user, 'admin', 'vorstand')) {
       throw createError({
         statusCode: 403,
         statusMessage: 'Keine Berechtigung zum Hochladen von Bildern'

server/api/members.delete.js

@@ -1,4 +1,4 @@
-import { verifyToken, getUserById } from '../utils/auth.js'
+import { verifyToken, getUserById, hasAnyRole } from '../utils/auth.js'
 import { deleteMember } from '../utils/members.js'
 
 export default defineEventHandler(async (event) => {
@@ -24,7 +24,7 @@ export default defineEventHandler(async (event) => {
     const user = await getUserById(decoded.id)
 
     // Only admin and vorstand can delete members
-    if (!user || (user.role !== 'admin' && user.role !== 'vorstand')) {
+    if (!user || !hasAnyRole(user, 'admin', 'vorstand')) {
       throw createError({
         statusCode: 403,
         message: 'Keine Berechtigung zum Löschen von Mitgliedern.'

server/api/members.get.js

@@ -1,6 +1,6 @@
 import { verifyToken } from '../utils/auth.js'
 import { readMembers } from '../utils/members.js'
-import { readUsers } from '../utils/auth.js'
+import { readUsers, migrateUserRoles } from '../utils/auth.js'
 
 export default defineEventHandler(async (event) => {
   try {
@@ -75,27 +75,33 @@ export default defineEventHandler(async (event) => {
 
       if (matchedManualIndex !== -1) {
         // Merge with existing manual member
+        const migratedUser = migrateUserRoles({ ...user })
+        const roles = Array.isArray(migratedUser.roles) ? migratedUser.roles : (migratedUser.role ? [migratedUser.role] : ['mitglied'])
         mergedMembers[matchedManualIndex] = {
           ...mergedMembers[matchedManualIndex],
           hasLogin: true,
           loginEmail: user.email,
-          loginRole: user.role,
+          loginRoles: roles,
+          loginRole: roles[0] || 'mitglied', // Rückwärtskompatibilität
           lastLogin: user.lastLogin
         }
       } else {
         // Add as new member (from login system)
+        const migratedUser = migrateUserRoles({ ...user })
+        const roles = Array.isArray(migratedUser.roles) ? migratedUser.roles : (migratedUser.role ? [migratedUser.role] : ['mitglied'])
         mergedMembers.push({
           id: user.id,
           name: user.name,
           email: user.email,
           phone: user.phone || '',
           address: '',
-          notes: `Rolle: ${user.role}`,
+          notes: `Rolle(n): ${roles.join(', ')}`,
           source: 'login',
           editable: false,
           hasLogin: true,
           loginEmail: user.email,
-          loginRole: user.role,
+          loginRoles: roles,
+          loginRole: roles[0] || 'mitglied', // Rückwärtskompatibilität
           lastLogin: user.lastLogin
         })
       }

server/api/members.post.js

@@ -1,4 +1,4 @@
-import { verifyToken, getUserById } from '../utils/auth.js'
+import { verifyToken, getUserById, hasAnyRole } from '../utils/auth.js'
 import { saveMember } from '../utils/members.js'
 
 export default defineEventHandler(async (event) => {
@@ -40,7 +40,7 @@ export default defineEventHandler(async (event) => {
     }
 
     // Only admin and vorstand can add/edit members
-    if (user.role !== 'admin' && user.role !== 'vorstand') {
+    if (!hasAnyRole(user, 'admin', 'vorstand')) {
       throw createError({
         statusCode: 403,
         message: 'Keine Berechtigung zum Hinzufügen/Bearbeiten von Mitgliedern. Erforderlich: admin oder vorstand Rolle.'
@@ -48,7 +48,7 @@ export default defineEventHandler(async (event) => {
     }
 
     const body = await readBody(event)
-    const { id, firstName, lastName, geburtsdatum, email, phone, address, notes } = body
+    const { id, firstName, lastName, geburtsdatum, email, phone, address, notes, isMannschaftsspieler } = body
 
     if (!firstName || !lastName) {
       throw createError({
@@ -73,7 +73,8 @@ export default defineEventHandler(async (event) => {
         email: email || '',
         phone: phone || '',
         address: address || '',
-        notes: notes || ''
+        notes: notes || '',
+        isMannschaftsspieler: isMannschaftsspieler === true || isMannschaftsspieler === 'true'
       })
 
       return {

server/api/members/bulk.post.js

@@ -1,4 +1,4 @@
-import { verifyToken, getUserById } from '../../utils/auth.js'
+import { verifyToken, getUserById, hasAnyRole } from '../../utils/auth.js'
 import { readMembers, writeMembers, normalizeDate } from '../../utils/members.js'
 import { randomUUID } from 'crypto'
 
@@ -59,7 +59,7 @@ export default defineEventHandler(async (event) => {
     }
 
     // Only admin and vorstand can add members in bulk
-    if (user.role !== 'admin' && user.role !== 'vorstand') {
+    if (!hasAnyRole(user, 'admin', 'vorstand')) {
       throw createError({
         statusCode: 403,
         message: 'Keine Berechtigung zum Bulk-Import von Mitgliedern. Erforderlich: admin oder vorstand Rolle.'

server/api/membership/download/[id].get.js

@@ -39,7 +39,8 @@ export default defineEventHandler(async (event) => {
     if (token) {
       // Authentifizierte Benutzer prüfen
       const user = await getUserFromToken(token)
-      if (user && ['admin', 'vorstand'].includes(user.role)) {
+      const roles = Array.isArray(user.roles) ? user.roles : (user.role ? [user.role] : [])
+      if (user && (roles.includes('admin') || roles.includes('vorstand'))) {
         // Admin/Vorstand kann alle Dateien herunterladen
         isAuthorized = true
       }

server/api/news.delete.js

@@ -1,4 +1,4 @@
-import { verifyToken, getUserById } from '../utils/auth.js'
+import { verifyToken, getUserById, hasAnyRole } from '../utils/auth.js'
 import { deleteNews } from '../utils/news.js'
 
 export default defineEventHandler(async (event) => {
@@ -24,7 +24,7 @@ export default defineEventHandler(async (event) => {
     const user = await getUserById(decoded.id)
 
     // Only admin and vorstand can delete news
-    if (!user || (user.role !== 'admin' && user.role !== 'vorstand')) {
+    if (!user || !hasAnyRole(user, 'admin', 'vorstand')) {
       throw createError({
         statusCode: 403,
         message: 'Keine Berechtigung zum Löschen von News.'

server/api/news.post.js

@@ -1,4 +1,4 @@
-import { verifyToken, getUserById } from '../utils/auth.js'
+import { verifyToken, getUserById, hasAnyRole } from '../utils/auth.js'
 import { saveNews } from '../utils/news.js'
 
 export default defineEventHandler(async (event) => {
@@ -24,7 +24,7 @@ export default defineEventHandler(async (event) => {
     const user = await getUserById(decoded.id)
 
     // Only admin and vorstand can create/edit news
-    if (!user || (user.role !== 'admin' && user.role !== 'vorstand')) {
+    if (!user || !hasAnyRole(user, 'admin', 'vorstand')) {
       throw createError({
         statusCode: 403,
         message: 'Keine Berechtigung zum Erstellen/Bearbeiten von News.'

server/api/newsletter/[id].delete.js

@@ -0,0 +1,89 @@
+import fs from 'fs/promises'
+import path from 'path'
+import { getUserFromToken, hasAnyRole } from '../../utils/auth.js'
+
+const getDataPath = (filename) => {
+  const cwd = process.cwd()
+  if (cwd.endsWith('.output')) {
+    return path.join(cwd, '../server/data', filename)
+  }
+  return path.join(cwd, 'server/data', filename)
+}
+
+const NEWSLETTERS_FILE = getDataPath('newsletters.json')
+
+async function readNewsletters() {
+  try {
+    const data = await fs.readFile(NEWSLETTERS_FILE, 'utf-8')
+    return JSON.parse(data)
+  } catch (error) {
+    if (error.code === 'ENOENT') {
+      return []
+    }
+    throw error
+  }
+}
+
+async function writeNewsletters(newsletters) {
+  await fs.writeFile(NEWSLETTERS_FILE, JSON.stringify(newsletters, null, 2), 'utf-8')
+}
+
+export default defineEventHandler(async (event) => {
+  try {
+    // Authentifizierung prüfen
+    const token = getCookie(event, 'auth_token') || getHeader(event, 'authorization')?.replace('Bearer ', '')
+    
+    if (!token) {
+      throw createError({
+        statusCode: 401,
+        statusMessage: 'Nicht authentifiziert'
+      })
+    }
+
+    const user = await getUserFromToken(token)
+    if (!user || !hasAnyRole(user, 'admin', 'vorstand', 'newsletter')) {
+      throw createError({
+        statusCode: 403,
+        statusMessage: 'Keine Berechtigung'
+      })
+    }
+
+    const newsletterId = getRouterParam(event, 'id')
+
+    const newsletters = await readNewsletters()
+    const newsletterIndex = newsletters.findIndex(n => n.id === newsletterId)
+
+    if (newsletterIndex === -1) {
+      throw createError({
+        statusCode: 404,
+        statusMessage: 'Newsletter nicht gefunden'
+      })
+    }
+
+    // Nur Entwürfe können gelöscht werden
+    if (newsletters[newsletterIndex].status === 'sent') {
+      throw createError({
+        statusCode: 400,
+        statusMessage: 'Versendete Newsletter können nicht gelöscht werden'
+      })
+    }
+
+    newsletters.splice(newsletterIndex, 1)
+    await writeNewsletters(newsletters)
+
+    return {
+      success: true,
+      message: 'Newsletter erfolgreich gelöscht'
+    }
+  } catch (error) {
+    console.error('Fehler beim Löschen des Newsletters:', error)
+    if (error.statusCode) {
+      throw error
+    }
+    throw createError({
+      statusCode: 500,
+      statusMessage: 'Fehler beim Löschen des Newsletters'
+    })
+  }
+})
+

server/api/newsletter/[id].put.js

@@ -0,0 +1,98 @@
+import fs from 'fs/promises'
+import path from 'path'
+import { getUserFromToken, hasAnyRole } from '../../utils/auth.js'
+
+const getDataPath = (filename) => {
+  const cwd = process.cwd()
+  if (cwd.endsWith('.output')) {
+    return path.join(cwd, '../server/data', filename)
+  }
+  return path.join(cwd, 'server/data', filename)
+}
+
+const NEWSLETTERS_FILE = getDataPath('newsletters.json')
+
+async function readNewsletters() {
+  try {
+    const data = await fs.readFile(NEWSLETTERS_FILE, 'utf-8')
+    return JSON.parse(data)
+  } catch (error) {
+    if (error.code === 'ENOENT') {
+      return []
+    }
+    throw error
+  }
+}
+
+async function writeNewsletters(newsletters) {
+  await fs.writeFile(NEWSLETTERS_FILE, JSON.stringify(newsletters, null, 2), 'utf-8')
+}
+
+export default defineEventHandler(async (event) => {
+  try {
+    // Authentifizierung prüfen
+    const token = getCookie(event, 'auth_token') || getHeader(event, 'authorization')?.replace('Bearer ', '')
+    
+    if (!token) {
+      throw createError({
+        statusCode: 401,
+        statusMessage: 'Nicht authentifiziert'
+      })
+    }
+
+    const user = await getUserFromToken(token)
+    if (!user || !hasAnyRole(user, 'admin', 'vorstand', 'newsletter')) {
+      throw createError({
+        statusCode: 403,
+        statusMessage: 'Keine Berechtigung'
+      })
+    }
+
+    const newsletterId = getRouterParam(event, 'id')
+    const body = await readBody(event)
+
+    const newsletters = await readNewsletters()
+    const newsletterIndex = newsletters.findIndex(n => n.id === newsletterId)
+
+    if (newsletterIndex === -1) {
+      throw createError({
+        statusCode: 404,
+        statusMessage: 'Newsletter nicht gefunden'
+      })
+    }
+
+    // Nur Entwürfe können bearbeitet werden
+    if (newsletters[newsletterIndex].status === 'sent') {
+      throw createError({
+        statusCode: 400,
+        statusMessage: 'Versendete Newsletter können nicht bearbeitet werden'
+      })
+    }
+
+    // Update Newsletter
+    newsletters[newsletterIndex] = {
+      ...newsletters[newsletterIndex],
+      ...body,
+      updatedAt: new Date().toISOString(),
+      updatedBy: user.id
+    }
+
+    await writeNewsletters(newsletters)
+
+    return {
+      success: true,
+      message: 'Newsletter erfolgreich aktualisiert',
+      newsletter: newsletters[newsletterIndex]
+    }
+  } catch (error) {
+    console.error('Fehler beim Aktualisieren des Newsletters:', error)
+    if (error.statusCode) {
+      throw error
+    }
+    throw createError({
+      statusCode: 500,
+      statusMessage: 'Fehler beim Aktualisieren des Newsletters'
+    })
+  }
+})
+

server/api/newsletter/[id]/send.post.js

@@ -0,0 +1,268 @@
+import fs from 'fs/promises'
+import path from 'path'
+import { getUserFromToken, hasAnyRole } from '../../../utils/auth.js'
+import { getRecipientsByGroup, getNewsletterSubscribers, generateUnsubscribeToken } from '../../../utils/newsletter.js'
+import nodemailer from 'nodemailer'
+
+const getDataPath = (filename) => {
+  const cwd = process.cwd()
+  if (cwd.endsWith('.output')) {
+    return path.join(cwd, '../server/data', filename)
+  }
+  return path.join(cwd, 'server/data', filename)
+}
+
+const NEWSLETTERS_FILE = getDataPath('newsletters.json')
+
+async function readNewsletters() {
+  try {
+    const data = await fs.readFile(NEWSLETTERS_FILE, 'utf-8')
+    return JSON.parse(data)
+  } catch (error) {
+    if (error.code === 'ENOENT') {
+      return []
+    }
+    throw error
+  }
+}
+
+async function writeNewsletters(newsletters) {
+  await fs.writeFile(NEWSLETTERS_FILE, JSON.stringify(newsletters, null, 2), 'utf-8')
+}
+
+// Lädt Config für Logo und Clubname
+async function loadConfig() {
+  try {
+    const configPath = getDataPath('config.json')
+    const data = await fs.readFile(configPath, 'utf-8')
+    return JSON.parse(data)
+  } catch {
+    return {
+      verein: { name: 'Harheimer Tischtennis-Club 1954 e.V.' }
+    }
+  }
+}
+
+// Erstellt Newsletter-HTML mit Header und Footer
+async function createNewsletterHTML(newsletter, unsubscribeToken = null) {
+  const config = await loadConfig()
+  const clubName = config.verein?.name || 'Harheimer Tischtennis-Club 1954 e.V.'
+  const baseUrl = process.env.NUXT_PUBLIC_BASE_URL || 'http://localhost:3100'
+  
+  let unsubscribeLink = ''
+  if (unsubscribeToken) {
+    const unsubscribeUrl = `${baseUrl}/newsletter/unsubscribe?token=${unsubscribeToken}`
+    unsubscribeLink = `
+      <div style="margin-top: 40px; padding-top: 20px; border-top: 1px solid #e5e7eb; text-align: center; color: #6b7280; font-size: 12px;">
+        <p>Sie erhalten diese E-Mail, weil Sie sich für unseren Newsletter angemeldet haben.</p>
+        <p style="margin-top: 10px;">
+          <a href="${unsubscribeUrl}" style="color: #dc2626; text-decoration: underline;">Newsletter abmelden</a>
+        </p>
+      </div>
+    `
+  }
+
+  return `
+    <!DOCTYPE html>
+    <html>
+    <head>
+      <meta charset="utf-8">
+      <meta name="viewport" content="width=device-width, initial-scale=1.0">
+    </head>
+    <body style="margin: 0; padding: 0; font-family: Arial, sans-serif; background-color: #f3f4f6;">
+      <table width="100%" cellpadding="0" cellspacing="0" style="background-color: #f3f4f6; padding: 20px 0;">
+        <tr>
+          <td align="center">
+            <table width="600" cellpadding="0" cellspacing="0" style="background-color: #ffffff; border-radius: 8px; overflow: hidden; box-shadow: 0 2px 4px rgba(0,0,0,0.1);">
+              <!-- Header -->
+              <tr>
+                <td style="background-color: #dc2626; padding: 30px; text-align: center;">
+                  <h1 style="margin: 0; color: #ffffff; font-size: 24px; font-weight: bold;">
+                    ${clubName}
+                  </h1>
+                </td>
+              </tr>
+              
+              <!-- Content -->
+              <tr>
+                <td style="padding: 30px;">
+                  <h2 style="margin: 0 0 20px 0; color: #111827; font-size: 20px;">
+                    ${newsletter.title}
+                  </h2>
+                  <div style="color: #374151; line-height: 1.6;">
+                    ${newsletter.content}
+                  </div>
+                  ${unsubscribeLink}
+                </td>
+              </tr>
+              
+              <!-- Footer -->
+              <tr>
+                <td style="background-color: #f9fafb; padding: 20px; text-align: center; color: #6b7280; font-size: 12px; border-top: 1px solid #e5e7eb;">
+                  <p style="margin: 0;">
+                    ${clubName}<br>
+                    <a href="${baseUrl}" style="color: #dc2626; text-decoration: none;">${baseUrl}</a>
+                  </p>
+                </td>
+              </tr>
+            </table>
+          </td>
+        </tr>
+      </table>
+    </body>
+    </html>
+  `
+}
+
+export default defineEventHandler(async (event) => {
+  try {
+    // Authentifizierung prüfen
+    const token = getCookie(event, 'auth_token') || getHeader(event, 'authorization')?.replace('Bearer ', '')
+    
+    if (!token) {
+      throw createError({
+        statusCode: 401,
+        statusMessage: 'Nicht authentifiziert'
+      })
+    }
+
+    const user = await getUserFromToken(token)
+    if (!user || !hasAnyRole(user, 'admin', 'vorstand', 'newsletter')) {
+      throw createError({
+        statusCode: 403,
+        statusMessage: 'Keine Berechtigung'
+      })
+    }
+
+    const newsletterId = getRouterParam(event, 'id')
+
+    const newsletters = await readNewsletters()
+    const newsletterIndex = newsletters.findIndex(n => n.id === newsletterId)
+
+    if (newsletterIndex === -1) {
+      throw createError({
+        statusCode: 404,
+        statusMessage: 'Newsletter nicht gefunden'
+      })
+    }
+
+    const newsletter = newsletters[newsletterIndex]
+
+    if (newsletter.status === 'sent') {
+      throw createError({
+        statusCode: 400,
+        statusMessage: 'Newsletter wurde bereits versendet'
+      })
+    }
+
+    // Prüfe ob Newsletter Inhalt hat
+    if (!newsletter.content || newsletter.content.trim() === '' || newsletter.content === '<p><br></p>') {
+      throw createError({
+        statusCode: 400,
+        statusMessage: 'Newsletter hat keinen Inhalt. Bitte fügen Sie Inhalte hinzu, bevor Sie den Newsletter versenden.'
+      })
+    }
+
+    // SMTP-Credentials prüfen
+    const smtpUser = process.env.SMTP_USER
+    const smtpPass = process.env.SMTP_PASS
+    
+    if (!smtpUser || !smtpPass) {
+      throw createError({
+        statusCode: 500,
+        statusMessage: 'SMTP-Credentials fehlen! Bitte setzen Sie SMTP_USER und SMTP_PASS in der .env Datei.'
+      })
+    }
+
+    const transporter = nodemailer.createTransport({
+      host: process.env.SMTP_HOST || 'smtp.gmail.com',
+      port: process.env.SMTP_PORT || 587,
+      secure: false,
+      auth: {
+        user: smtpUser,
+        pass: smtpPass
+      }
+    })
+
+    // Empfänger bestimmen
+    let recipients = []
+    
+    if (newsletter.type === 'subscription') {
+      // Abonnenten-Newsletter
+      recipients = await getNewsletterSubscribers(!newsletter.sendToExternal)
+    } else if (newsletter.type === 'group') {
+      // Gruppen-Newsletter
+      recipients = await getRecipientsByGroup(newsletter.targetGroup)
+    }
+
+    if (recipients.length === 0) {
+      throw createError({
+        statusCode: 400,
+        statusMessage: 'Keine Empfänger gefunden'
+      })
+    }
+
+    // Newsletter versenden
+    let sentCount = 0
+    let failedCount = 0
+    const failedEmails = []
+
+    for (const recipient of recipients) {
+      try {
+        // Abmelde-Token generieren (nur für Abonnenten-Newsletter)
+        let unsubscribeToken = null
+        if (newsletter.type === 'subscription') {
+          unsubscribeToken = await generateUnsubscribeToken(recipient.email)
+        }
+
+        const htmlContent = await createNewsletterHTML(newsletter, unsubscribeToken)
+
+        await transporter.sendMail({
+          from: process.env.SMTP_FROM || 'noreply@harheimertc.de',
+          to: recipient.email,
+          subject: newsletter.title,
+          html: htmlContent
+        })
+
+        sentCount++
+      } catch (error) {
+        console.error(`Fehler beim Senden an ${recipient.email}:`, error)
+        failedCount++
+        failedEmails.push(recipient.email)
+      }
+    }
+
+    // Newsletter als versendet markieren
+    newsletters[newsletterIndex].status = 'sent'
+    newsletters[newsletterIndex].sentAt = new Date().toISOString()
+    newsletters[newsletterIndex].sentTo = {
+      total: recipients.length,
+      sent: sentCount,
+      failed: failedCount,
+      failedEmails: failedEmails.length > 0 ? failedEmails : undefined
+    }
+
+    await writeNewsletters(newsletters)
+
+    return {
+      success: true,
+      message: `Newsletter erfolgreich versendet`,
+      stats: {
+        total: recipients.length,
+        sent: sentCount,
+        failed: failedCount,
+        failedEmails: failedEmails.length > 0 ? failedEmails : undefined
+      }
+    }
+  } catch (error) {
+    console.error('Fehler beim Versenden des Newsletters:', error)
+    if (error.statusCode) {
+      throw error
+    }
+    throw createError({
+      statusCode: 500,
+      statusMessage: error.message || 'Fehler beim Versenden des Newsletters'
+    })
+  }
+})
+

server/api/newsletter/check-subscription.get.js

@@ -0,0 +1,38 @@
+import { readSubscribers } from '../../utils/newsletter.js'
+
+export default defineEventHandler(async (event) => {
+  try {
+    const query = getQuery(event)
+    const { email, groupId } = query
+
+    if (!email || !groupId) {
+      throw createError({
+        statusCode: 400,
+        statusMessage: 'E-Mail und Gruppen-ID sind erforderlich'
+      })
+    }
+
+    const subscribers = await readSubscribers()
+    const emailLower = email.toLowerCase()
+    
+    const subscriber = subscribers.find(s => {
+      const sEmail = (s.email || '').toLowerCase()
+      return sEmail === emailLower && s.groupIds && s.groupIds.includes(groupId) && s.confirmed && !s.unsubscribedAt
+    })
+
+    return {
+      success: true,
+      subscribed: !!subscriber
+    }
+  } catch (error) {
+    console.error('Fehler beim Prüfen der Newsletter-Anmeldung:', error)
+    if (error.statusCode) {
+      throw error
+    }
+    throw createError({
+      statusCode: 500,
+      statusMessage: 'Fehler beim Prüfen der Newsletter-Anmeldung'
+    })
+  }
+})
+

server/api/newsletter/confirm.get.js

@@ -0,0 +1,62 @@
+import { readSubscribers, writeSubscribers } from '../../utils/newsletter.js'
+
+export default defineEventHandler(async (event) => {
+  try {
+    const query = getQuery(event)
+    const token = query.token
+
+    if (!token) {
+      throw createError({
+        statusCode: 400,
+        statusMessage: 'Bestätigungstoken fehlt'
+      })
+    }
+
+    const subscribers = await readSubscribers()
+    const subscriber = subscribers.find(s => s.confirmationToken === token)
+
+    if (!subscriber) {
+      throw createError({
+        statusCode: 404,
+        statusMessage: 'Ungültiger Bestätigungstoken'
+      })
+    }
+
+    if (subscriber.confirmed) {
+      // Bereits bestätigt
+      return {
+        success: true,
+        alreadyConfirmed: true,
+        message: 'Newsletter-Anmeldung wurde bereits bestätigt'
+      }
+    }
+
+    // Bestätigung durchführen
+    subscriber.confirmed = true
+    subscriber.confirmedAt = new Date().toISOString()
+    subscriber.confirmationToken = null
+    
+    // Stelle sicher, dass groupIds existiert (für Rückwärtskompatibilität)
+    if (!subscriber.groupIds) {
+      subscriber.groupIds = []
+    }
+
+    await writeSubscribers(subscribers)
+
+    return {
+      success: true,
+      alreadyConfirmed: false,
+      message: 'Newsletter-Anmeldung erfolgreich bestätigt'
+    }
+  } catch (error) {
+    console.error('Fehler bei Newsletter-Bestätigung:', error)
+    if (error.statusCode) {
+      throw error
+    }
+    throw createError({
+      statusCode: 500,
+      statusMessage: 'Fehler bei der Newsletter-Bestätigung'
+    })
+  }
+})
+

server/api/newsletter/create.post.js

@@ -0,0 +1,115 @@
+import fs from 'fs/promises'
+import path from 'path'
+import { getUserFromToken, hasAnyRole } from '../../utils/auth.js'
+import { randomUUID } from 'crypto'
+
+const getDataPath = (filename) => {
+  const cwd = process.cwd()
+  if (cwd.endsWith('.output')) {
+    return path.join(cwd, '../server/data', filename)
+  }
+  return path.join(cwd, 'server/data', filename)
+}
+
+const NEWSLETTERS_FILE = getDataPath('newsletters.json')
+
+async function readNewsletters() {
+  try {
+    const data = await fs.readFile(NEWSLETTERS_FILE, 'utf-8')
+    return JSON.parse(data)
+  } catch (error) {
+    if (error.code === 'ENOENT') {
+      return []
+    }
+    throw error
+  }
+}
+
+async function writeNewsletters(newsletters) {
+  await fs.writeFile(NEWSLETTERS_FILE, JSON.stringify(newsletters, null, 2), 'utf-8')
+}
+
+export default defineEventHandler(async (event) => {
+  try {
+    // Authentifizierung prüfen
+    const token = getCookie(event, 'auth_token') || getHeader(event, 'authorization')?.replace('Bearer ', '')
+    
+    if (!token) {
+      throw createError({
+        statusCode: 401,
+        statusMessage: 'Nicht authentifiziert'
+      })
+    }
+
+    const user = await getUserFromToken(token)
+    if (!user || !hasAnyRole(user, 'admin', 'vorstand', 'newsletter')) {
+      throw createError({
+        statusCode: 403,
+        statusMessage: 'Keine Berechtigung'
+      })
+    }
+
+    const body = await readBody(event)
+    const { title, content, type, targetGroup, sendToExternal } = body
+
+    if (!title || !type) {
+      throw createError({
+        statusCode: 400,
+        statusMessage: 'Titel und Typ sind erforderlich'
+      })
+    }
+
+    if (type === 'subscription' && sendToExternal === undefined) {
+      throw createError({
+        statusCode: 400,
+        statusMessage: 'sendToExternal ist für Abonnenten-Newsletter erforderlich'
+      })
+    }
+
+    if (type === 'group' && !targetGroup) {
+      throw createError({
+        statusCode: 400,
+        statusMessage: 'Zielgruppe ist für Gruppen-Newsletter erforderlich'
+      })
+    }
+
+    const newsletters = await readNewsletters()
+    
+    const newNewsletter = {
+      id: randomUUID(),
+      title,
+      content,
+      type, // 'subscription' oder 'group'
+      targetGroup: type === 'group' ? targetGroup : null, // 'alle', 'erwachsene', 'nachwuchs', 'mannschaftsspieler', 'vorstand'
+      sendToExternal: type === 'subscription' ? sendToExternal : false, // true = auch extern, false = nur intern
+      status: 'draft', // 'draft', 'sent'
+      createdAt: new Date().toISOString(),
+      createdBy: user.id,
+      sentAt: null,
+      sentTo: null
+    }
+
+    newsletters.push(newNewsletter)
+    await writeNewsletters(newsletters)
+
+    return {
+      success: true,
+      message: 'Newsletter erfolgreich erstellt',
+      newsletter: {
+        id: newNewsletter.id,
+        title: newNewsletter.title,
+        type: newNewsletter.type
+      }
+    }
+  } catch (error) {
+    console.error('Fehler beim Erstellen des Newsletters:', error)
+    if (error.statusCode) {
+      throw error
+    }
+    throw createError({
+      statusCode: 500,
+      statusMessage: 'Fehler beim Erstellen des Newsletters'
+    })
+  }
+})
+

server/api/newsletter/groups/[id]/posts/create.post.js

@@ -0,0 +1,401 @@
+import fs from 'fs/promises'
+import path from 'path'
+import { getUserFromToken, hasAnyRole } from '../../../../../utils/auth.js'
+import { randomUUID } from 'crypto'
+import { getRecipientsByGroup, getNewsletterSubscribers, generateUnsubscribeToken } from '../../../../../utils/newsletter.js'
+import { encryptObject, decryptObject } from '../../../../../utils/encryption.js'
+import nodemailer from 'nodemailer'
+
+const getDataPath = (filename) => {
+  const cwd = process.cwd()
+  if (cwd.endsWith('.output')) {
+    return path.join(cwd, '../server/data', filename)
+  }
+  return path.join(cwd, 'server/data', filename)
+}
+
+const NEWSLETTER_GROUPS_FILE = getDataPath('newsletter-groups.json')
+const NEWSLETTER_POSTS_FILE = getDataPath('newsletter-posts.json')
+
+async function readGroups() {
+  try {
+    const data = await fs.readFile(NEWSLETTER_GROUPS_FILE, 'utf-8')
+    return JSON.parse(data)
+  } catch (error) {
+    if (error.code === 'ENOENT') {
+      return []
+    }
+    throw error
+  }
+}
+
+async function writeGroups(groups) {
+  await fs.writeFile(NEWSLETTER_GROUPS_FILE, JSON.stringify(groups, null, 2), 'utf-8')
+}
+
+async function readPosts() {
+  try {
+    const data = await fs.readFile(NEWSLETTER_POSTS_FILE, 'utf-8')
+    return JSON.parse(data)
+  } catch (error) {
+    if (error.code === 'ENOENT') {
+      return []
+    }
+    throw error
+  }
+}
+
+async function writePosts(posts) {
+  await fs.writeFile(NEWSLETTER_POSTS_FILE, JSON.stringify(posts, null, 2), 'utf-8')
+}
+
+// Lädt Config für Logo und Clubname
+async function loadConfig() {
+  try {
+    const configPath = getDataPath('config.json')
+    const data = await fs.readFile(configPath, 'utf-8')
+    return JSON.parse(data)
+  } catch {
+    return {
+      verein: { name: 'Harheimer Tischtennis-Club 1954 e.V.' }
+    }
+  }
+}
+
+// Lädt Logo als Base64
+async function loadLogoAsBase64() {
+  try {
+    const logoPath = path.join(process.cwd(), 'public', 'images', 'logos', 'Harheimer TC.svg')
+    const logoData = await fs.readFile(logoPath, 'utf-8')
+    // SVG als Base64 kodieren
+    const base64Logo = Buffer.from(logoData).toString('base64')
+    return `data:image/svg+xml;base64,${base64Logo}`
+  } catch (error) {
+    console.error('Fehler beim Laden des Logos:', error)
+    return null
+  }
+}
+
+// Erstellt Newsletter-HTML mit Header und Footer
+async function createNewsletterHTML(post, group, unsubscribeToken = null, creatorName = null, creatorEmail = null) {
+  const config = await loadConfig()
+  const clubName = config.verein?.name || 'Harheimer Tischtennis-Club 1954 e.V.'
+  const baseUrl = process.env.NUXT_PUBLIC_BASE_URL || 'http://localhost:3100'
+  
+  // Logo als Base64 laden
+  const logoDataUri = await loadLogoAsBase64()
+  
+  let unsubscribeLink = ''
+  if (unsubscribeToken) {
+    const unsubscribeUrl = `${baseUrl}/newsletter/unsubscribe?token=${unsubscribeToken}`
+    unsubscribeLink = `
+      <div style="margin-top: 40px; padding-top: 20px; border-top: 1px solid #e5e7eb; text-align: center; color: #6b7280; font-size: 12px;">
+        <p>Sie erhalten diese E-Mail, weil Sie sich für unseren Newsletter angemeldet haben.</p>
+        <p style="margin-top: 10px;">
+          <a href="${unsubscribeUrl}" style="color: #dc2626; text-decoration: underline;">Newsletter abmelden</a>
+        </p>
+      </div>
+    `
+  }
+
+  return `
+    <!DOCTYPE html>
+    <html>
+    <head>
+      <meta charset="utf-8">
+      <meta name="viewport" content="width=device-width, initial-scale=1.0">
+    </head>
+    <body style="margin: 0; padding: 0; font-family: Arial, sans-serif; background-color: #f3f4f6;">
+      <table width="100%" cellpadding="0" cellspacing="0" style="background-color: #f3f4f6; padding: 20px 0;">
+        <tr>
+          <td align="center">
+            <table width="600" cellpadding="0" cellspacing="0" style="background-color: #ffffff; border-radius: 8px; overflow: hidden; box-shadow: 0 2px 4px rgba(0,0,0,0.1);">
+              <!-- Header -->
+              <tr>
+                <td style="background: linear-gradient(to right, #111827, #991b1b, #111827); padding: 30px;">
+                  <table width="100%" cellpadding="0" cellspacing="0">
+                    <tr>
+                      <td width="50" valign="middle" style="padding-right: 15px;">
+                        ${logoDataUri ? `<img src="${logoDataUri}" alt="Harheimer TC Logo" style="width: 50px; height: 50px; display: block;" />` : ''}
+                      </td>
+                      <td valign="middle">
+                        <h1 style="margin: 0; color: #ffffff; font-size: 24px; font-weight: bold; font-family: 'Montserrat', Arial, sans-serif;">
+                          Harheimer <span style="color: #fca5a5;">TC</span>
+                        </h1>
+                        <p style="margin: 5px 0 0 0; color: #e5e7eb; font-size: 14px;">
+                          ${clubName}
+                        </p>
+                      </td>
+                    </tr>
+                  </table>
+                </td>
+              </tr>
+              
+              <!-- Content -->
+              <tr>
+                <td style="padding: 30px;">
+                  <h2 style="margin: 0 0 20px 0; color: #111827; font-size: 20px;">
+                    ${post.title}
+                  </h2>
+                  <div style="color: #374151; line-height: 1.6;">
+                    ${post.content}
+                  </div>
+                  ${unsubscribeLink}
+                </td>
+              </tr>
+              
+              <!-- Footer -->
+              <tr>
+                <td style="background-color: #f9fafb; padding: 20px; text-align: center; color: #6b7280; font-size: 12px; border-top: 1px solid #e5e7eb;">
+                  <p style="margin: 0;">
+                    ${clubName}<br>
+                    <a href="${baseUrl}" style="color: #dc2626; text-decoration: none;">${baseUrl}</a>
+                  </p>
+                </td>
+              </tr>
+            </table>
+          </td>
+        </tr>
+      </table>
+    </body>
+    </html>
+  `
+}
+
+export default defineEventHandler(async (event) => {
+  try {
+    // Authentifizierung prüfen
+    const token = getCookie(event, 'auth_token') || getHeader(event, 'authorization')?.replace('Bearer ', '')
+    
+    if (!token) {
+      throw createError({
+        statusCode: 401,
+        statusMessage: 'Nicht authentifiziert'
+      })
+    }
+
+    const user = await getUserFromToken(token)
+    if (!user || !hasAnyRole(user, 'admin', 'vorstand', 'newsletter')) {
+      throw createError({
+        statusCode: 403,
+        statusMessage: 'Keine Berechtigung'
+      })
+    }
+
+    const groupId = getRouterParam(event, 'id')
+    const body = await readBody(event)
+    const { title, content } = body
+    
+    // Creator-Informationen für Absender
+    const creatorName = user.name || 'Harheimer TC'
+    const creatorEmail = user.email || process.env.SMTP_FROM || 'noreply@harheimertc.de'
+
+    if (!title || !content || (!content.trim() || content === '<p><br></p>')) {
+      throw createError({
+        statusCode: 400,
+        statusMessage: 'Titel und Inhalt sind erforderlich'
+      })
+    }
+
+    // Lade Gruppe
+    const groups = await readGroups()
+    const group = groups.find(g => g.id === groupId)
+
+    if (!group) {
+      throw createError({
+        statusCode: 404,
+        statusMessage: 'Newsletter-Gruppe nicht gefunden'
+      })
+    }
+
+    // SMTP-Credentials prüfen
+    const smtpUser = process.env.SMTP_USER
+    const smtpPass = process.env.SMTP_PASS
+    
+    if (!smtpUser || !smtpPass) {
+      throw createError({
+        statusCode: 500,
+        statusMessage: 'SMTP-Credentials fehlen! Bitte setzen Sie SMTP_USER und SMTP_PASS in der .env Datei.'
+      })
+    }
+
+    const transporter = nodemailer.createTransport({
+      host: process.env.SMTP_HOST || 'smtp.gmail.com',
+      port: process.env.SMTP_PORT || 587,
+      secure: false,
+      auth: {
+        user: smtpUser,
+        pass: smtpPass
+      }
+    })
+
+    // Empfänger bestimmen
+    let recipients = []
+    
+    if (group.type === 'subscription') {
+      // Abonnenten-Newsletter
+      recipients = await getNewsletterSubscribers(!group.sendToExternal, group.id)
+    } else if (group.type === 'group') {
+      // Gruppen-Newsletter
+      recipients = await getRecipientsByGroup(group.targetGroup)
+    }
+
+    // Wenn keine Empfänger gefunden, Post trotzdem erstellen (aber nicht versenden)
+    if (recipients.length === 0) {
+      // Post ohne Versand erstellen
+      const posts = await readPosts()
+      const newPost = {
+        id: randomUUID(),
+        groupId,
+        title,
+        content,
+        createdAt: new Date().toISOString(),
+        createdBy: user.id,
+        sentAt: null,
+        sentTo: {
+          total: 0,
+          sent: 0,
+          failed: 0,
+          recipients: []
+        }
+      }
+
+      posts.push(newPost)
+      await writePosts(posts)
+
+      // Post-Count in Gruppe erhöhen
+      group.postCount = (group.postCount || 0) + 1
+      await writeGroups(groups)
+
+      return {
+        success: true,
+        message: 'Post erfolgreich erstellt (keine Empfänger gefunden)',
+        post: {
+          id: newPost.id,
+          title: newPost.title,
+          groupId: newPost.groupId
+        },
+        stats: {
+          total: 0,
+          sent: 0,
+          failed: 0,
+          recipients: []
+        }
+      }
+    }
+
+    // Post erstellen
+    const posts = await readPosts()
+    const newPost = {
+      id: randomUUID(),
+      groupId,
+      title,
+      content,
+      createdAt: new Date().toISOString(),
+      createdBy: user.id,
+      sentAt: new Date().toISOString(),
+      sentTo: {
+        total: recipients.length,
+        sent: 0,
+        failed: 0,
+        failedEmails: []
+      }
+    }
+
+    // Newsletter versenden
+    let sentCount = 0
+    let failedCount = 0
+    const failedEmails = []
+    const errorDetails = []
+
+    console.log(`Versende Newsletter an ${recipients.length} Empfänger...`)
+    console.log('Empfänger:', recipients.map(r => r.email))
+
+    for (const recipient of recipients) {
+      try {
+        // Validiere E-Mail-Adresse
+        if (!recipient.email || !recipient.email.match(/^[^\s@]+@[^\s@]+\.[^\s@]+$/)) {
+          throw new Error(`Ungültige E-Mail-Adresse: ${recipient.email}`)
+        }
+
+        // Abmelde-Token generieren (nur für Abonnenten-Newsletter)
+        let unsubscribeToken = null
+        if (group.type === 'subscription') {
+          unsubscribeToken = await generateUnsubscribeToken(recipient.email)
+        }
+
+        const htmlContent = await createNewsletterHTML(newPost, group, unsubscribeToken, creatorName, creatorEmail)
+
+        const mailResult = await transporter.sendMail({
+          from: `"${creatorName}" <${creatorEmail}>`,
+          replyTo: creatorEmail,
+          to: recipient.email,
+          subject: title,
+          html: htmlContent
+        })
+
+        console.log(`✅ Erfolgreich versendet an ${recipient.email}:`, mailResult.messageId)
+        sentCount++
+      } catch (error) {
+        const errorMsg = error.message || error.toString()
+        console.error(`❌ Fehler beim Senden an ${recipient.email}:`, errorMsg)
+        failedCount++
+        failedEmails.push(recipient.email)
+        errorDetails.push({
+          email: recipient.email,
+          error: errorMsg
+        })
+      }
+    }
+
+    console.log(`Versand abgeschlossen: ${sentCount} erfolgreich, ${failedCount} fehlgeschlagen`)
+
+    // Post speichern mit Versand-Statistik und Empfängerliste
+    newPost.sentTo = {
+      total: recipients.length,
+      sent: sentCount,
+      failed: failedCount,
+      failedEmails: failedEmails.length > 0 ? failedEmails : undefined,
+      errorDetails: errorDetails.length > 0 ? errorDetails : undefined,
+      recipients: recipients.map(r => ({
+        email: r.email,
+        name: r.name || '',
+        sent: !failedEmails.includes(r.email)
+      }))
+    }
+
+    posts.push(newPost)
+    await writePosts(posts)
+
+    // Post-Count in Gruppe erhöhen
+    group.postCount = (group.postCount || 0) + 1
+    await writeGroups(groups)
+
+    return {
+      success: true,
+      message: `Post erfolgreich erstellt und versendet`,
+      post: {
+        id: newPost.id,
+        title: newPost.title,
+        groupId: newPost.groupId
+      },
+      stats: {
+        total: recipients.length,
+        sent: sentCount,
+        failed: failedCount,
+        failedEmails: failedEmails.length > 0 ? failedEmails : undefined,
+        errorDetails: errorDetails.length > 0 ? errorDetails : undefined
+      }
+    }
+  } catch (error) {
+    console.error('Fehler beim Erstellen und Versenden des Posts:', error)
+    if (error.statusCode) {
+      throw error
+    }
+    throw createError({
+      statusCode: 500,
+      statusMessage: error.message || 'Fehler beim Erstellen und Versenden des Posts'
+    })
+  }
+})
+

server/api/newsletter/groups/[id]/posts/list.get.js

@@ -0,0 +1,113 @@
+import fs from 'fs/promises'
+import path from 'path'
+import { getUserFromToken, hasAnyRole } from '../../../../../utils/auth.js'
+import { encryptObject, decryptObject } from '../../../../../utils/encryption.js'
+
+const getDataPath = (filename) => {
+  const cwd = process.cwd()
+  if (cwd.endsWith('.output')) {
+    return path.join(cwd, '../server/data', filename)
+  }
+  return path.join(cwd, 'server/data', filename)
+}
+
+const NEWSLETTER_POSTS_FILE = getDataPath('newsletter-posts.json')
+
+function getEncryptionKey() {
+  return process.env.ENCRYPTION_KEY || 'local_development_encryption_key_change_in_production'
+}
+
+// Prüft ob Daten verschlüsselt sind
+function isEncrypted(data) {
+  try {
+    const parsed = JSON.parse(data.trim())
+    if (Array.isArray(parsed)) {
+      return false
+    }
+    if (typeof parsed === 'object' && parsed !== null && !parsed.encryptedData) {
+      return false
+    }
+    return false
+  } catch (e) {
+    return true
+  }
+}
+
+async function readPosts() {
+  try {
+    const data = await fs.readFile(NEWSLETTER_POSTS_FILE, 'utf-8')
+    const encrypted = isEncrypted(data)
+    
+    if (encrypted) {
+      const encryptionKey = getEncryptionKey()
+      try {
+        return decryptObject(data, encryptionKey)
+      } catch (decryptError) {
+        console.error('Fehler beim Entschlüsseln der Newsletter-Posts:', decryptError)
+        try {
+          const plainData = JSON.parse(data)
+          console.warn('Entschlüsselung fehlgeschlagen, versuche als unverschlüsseltes Format zu lesen')
+          return plainData
+        } catch (parseError) {
+          console.error('Konnte Newsletter-Posts weder entschlüsseln noch als JSON lesen')
+          return []
+        }
+      }
+    } else {
+      // Plain JSON - migriere zu verschlüsselter Speicherung
+      const posts = JSON.parse(data)
+      console.log('Migriere unverschlüsselte Newsletter-Posts zu verschlüsselter Speicherung...')
+      // Schreiben wird hier nicht gemacht, da wir nur lesen
+      return posts
+    }
+  } catch (error) {
+    if (error.code === 'ENOENT') {
+      return []
+    }
+    throw error
+  }
+}
+
+export default defineEventHandler(async (event) => {
+  try {
+    // Authentifizierung prüfen
+    const token = getCookie(event, 'auth_token') || getHeader(event, 'authorization')?.replace('Bearer ', '')
+    
+    if (!token) {
+      throw createError({
+        statusCode: 401,
+        statusMessage: 'Nicht authentifiziert'
+      })
+    }
+
+    const user = await getUserFromToken(token)
+    if (!user || !hasAnyRole(user, 'admin', 'vorstand', 'newsletter')) {
+      throw createError({
+        statusCode: 403,
+        statusMessage: 'Keine Berechtigung'
+      })
+    }
+
+    const groupId = getRouterParam(event, 'id')
+    const posts = await readPosts()
+    
+    // Filtere Posts nach Gruppe und sortiere nach Datum (neueste zuerst)
+    const groupPosts = posts
+      .filter(p => p.groupId === groupId)
+      .sort((a, b) => new Date(b.createdAt) - new Date(a.createdAt))
+
+    return {
+      success: true,
+      posts: groupPosts
+    }
+  } catch (error) {
+    console.error('Fehler beim Laden der Posts:', error)
+    if (error.statusCode) {
+      throw error
+    }
+    throw createError({
+      statusCode: 500,
+      statusMessage: 'Fehler beim Laden der Posts'
+    })
+  }
+})

server/api/newsletter/groups/[id]/subscribers/add.post.js

@@ -0,0 +1,254 @@
+import { getUserFromToken, hasAnyRole } from '../../../../../utils/auth.js'
+import { readSubscribers, writeSubscribers } from '../../../../../utils/newsletter.js'
+import { randomUUID } from 'crypto'
+import nodemailer from 'nodemailer'
+import crypto from 'crypto'
+import fs from 'fs/promises'
+import path from 'path'
+
+const getDataPath = (filename) => {
+  const cwd = process.cwd()
+  if (cwd.endsWith('.output')) {
+    return path.join(cwd, '../server/data', filename)
+  }
+  return path.join(cwd, 'server/data', filename)
+}
+
+const NEWSLETTER_GROUPS_FILE = getDataPath('newsletter-groups.json')
+
+async function readGroups() {
+  try {
+    const data = await fs.readFile(NEWSLETTER_GROUPS_FILE, 'utf-8')
+    return JSON.parse(data)
+  } catch (error) {
+    if (error.code === 'ENOENT') {
+      return []
+    }
+    throw error
+  }
+}
+
+export default defineEventHandler(async (event) => {
+  try {
+    // Authentifizierung prüfen
+    const token = getCookie(event, 'auth_token') || getHeader(event, 'authorization')?.replace('Bearer ', '')
+    
+    if (!token) {
+      throw createError({
+        statusCode: 401,
+        statusMessage: 'Nicht authentifiziert'
+      })
+    }
+
+    const user = await getUserFromToken(token)
+    if (!user || !hasAnyRole(user, 'admin', 'vorstand', 'newsletter')) {
+      throw createError({
+        statusCode: 403,
+        statusMessage: 'Keine Berechtigung'
+      })
+    }
+
+    const groupId = getRouterParam(event, 'id')
+    const body = await readBody(event)
+    const { email, name, customMessage } = body
+
+    if (!email || !email.match(/^[^\s@]+@[^\s@]+\.[^\s@]+$/)) {
+      throw createError({
+        statusCode: 400,
+        statusMessage: 'Ungültige E-Mail-Adresse'
+      })
+    }
+
+    // Prüfe ob Gruppe existiert und vom Typ 'subscription' ist
+    const groups = await readGroups()
+    const group = groups.find(g => g.id === groupId)
+    
+    if (!group) {
+      throw createError({
+        statusCode: 404,
+        statusMessage: 'Newsletter-Gruppe nicht gefunden'
+      })
+    }
+
+    if (group.type !== 'subscription') {
+      throw createError({
+        statusCode: 400,
+        statusMessage: 'Diese Funktion ist nur für Abonnenten-Newsletter verfügbar'
+      })
+    }
+
+    const subscribers = await readSubscribers()
+    const emailLower = email.toLowerCase()
+    
+    // Prüfe ob bereits für diese Gruppe angemeldet
+    const existing = subscribers.find(s => {
+      const sEmail = (s.email || '').toLowerCase()
+      return sEmail === emailLower && s.groupIds && s.groupIds.includes(groupId)
+    })
+    
+    if (existing) {
+      if (existing.confirmed) {
+        throw createError({
+          statusCode: 409,
+          statusMessage: 'Diese E-Mail-Adresse ist bereits für diesen Newsletter angemeldet'
+        })
+      } else {
+        // Bestätigungsmail erneut senden mit individueller Nachricht
+        await sendConfirmationEmail(existing.email, existing.name || name, existing.confirmationToken, group.name, customMessage, user.name)
+        return {
+          success: true,
+          message: 'Eine Bestätigungsmail wurde an die E-Mail-Adresse gesendet'
+        }
+      }
+    }
+
+    // Prüfe ob E-Mail bereits existiert (für andere Gruppe oder ohne Gruppe)
+    const existingEmail = subscribers.find(s => (s.email || '').toLowerCase() === emailLower)
+    
+    if (existingEmail) {
+      // Bestehender Subscriber - Gruppe hinzufügen
+      if (!existingEmail.groupIds) {
+        existingEmail.groupIds = []
+      }
+      
+      if (existingEmail.groupIds.includes(groupId)) {
+        // Bereits für diese Gruppe angemeldet
+        if (existingEmail.confirmed) {
+          throw createError({
+            statusCode: 409,
+            statusMessage: 'Diese E-Mail-Adresse ist bereits für diesen Newsletter angemeldet'
+          })
+        } else {
+          // Bestätigungsmail erneut senden mit individueller Nachricht
+          await sendConfirmationEmail(existingEmail.email, existingEmail.name || name, existingEmail.confirmationToken, group.name, customMessage, user.name)
+          return {
+            success: true,
+            message: 'Eine Bestätigungsmail wurde an die E-Mail-Adresse gesendet'
+          }
+        }
+      }
+      
+      // Gruppe hinzufügen
+      existingEmail.groupIds.push(groupId)
+      if (!existingEmail.confirmed) {
+        // Neuer Bestätigungstoken für alle Gruppen
+        existingEmail.confirmationToken = crypto.randomBytes(32).toString('hex')
+      }
+      existingEmail.name = name || existingEmail.name || ''
+      
+      await writeSubscribers(subscribers)
+      
+      if (existingEmail.confirmed) {
+        // Bereits bestätigt - sofort aktiviert
+        return {
+          success: true,
+          message: `Empfänger wurde erfolgreich für den Newsletter "${group.name}" hinzugefügt`
+        }
+      } else {
+        // Bestätigungsmail senden mit individueller Nachricht
+        await sendConfirmationEmail(existingEmail.email, existingEmail.name, existingEmail.confirmationToken, group.name, customMessage, user.name)
+        return {
+          success: true,
+          message: 'Eine Bestätigungsmail wurde an die E-Mail-Adresse gesendet'
+        }
+      }
+    }
+
+    // Neuer Abonnent
+    const confirmationToken = crypto.randomBytes(32).toString('hex')
+    const unsubscribeToken = crypto.randomBytes(32).toString('hex')
+    const newSubscriber = {
+      id: randomUUID(),
+      email: emailLower,
+      name: name || '',
+      groupIds: [groupId],
+      confirmed: false,
+      confirmationToken,
+      unsubscribeToken,
+      subscribedAt: new Date().toISOString(),
+      confirmedAt: null,
+      unsubscribedAt: null
+    }
+
+    subscribers.push(newSubscriber)
+    await writeSubscribers(subscribers)
+
+    // Bestätigungsmail senden mit individueller Nachricht
+    await sendConfirmationEmail(email, name, confirmationToken, group.name, customMessage, user.name)
+
+    return {
+      success: true,
+      message: 'Eine Bestätigungsmail wurde an die E-Mail-Adresse gesendet'
+    }
+  } catch (error) {
+    console.error('Fehler beim Hinzufügen des Empfängers:', error)
+    if (error.statusCode) {
+      throw error
+    }
+    throw createError({
+      statusCode: 500,
+      statusMessage: 'Fehler beim Hinzufügen des Empfängers'
+    })
+  }
+})
+
+async function sendConfirmationEmail(email, name, token, groupName, customMessage = null, inviterName = null) {
+  const smtpUser = process.env.SMTP_USER
+  const smtpPass = process.env.SMTP_PASS
+  
+  if (!smtpUser || !smtpPass) {
+    console.warn('SMTP-Credentials fehlen! Bestätigungsmail kann nicht gesendet werden.')
+    return
+  }
+
+  const baseUrl = process.env.NUXT_PUBLIC_BASE_URL || 'http://localhost:3100'
+  const confirmationUrl = `${baseUrl}/newsletter/confirm?token=${token}`
+
+  const transporter = nodemailer.createTransport({
+    host: process.env.SMTP_HOST || 'smtp.gmail.com',
+    port: process.env.SMTP_PORT || 587,
+    secure: false,
+    auth: {
+      user: smtpUser,
+      pass: smtpPass
+    }
+  })
+
+  // Individuelle Nachricht einbauen, falls vorhanden
+  const customMessageHtml = customMessage 
+    ? `<div style="background-color: #f3f4f6; padding: 15px; border-left: 4px solid #dc2626; margin: 20px 0;">
+         <p style="margin: 0; color: #374151; font-style: italic;">${customMessage.replace(/\n/g, '<br>')}</p>
+       </div>`
+    : ''
+
+  const inviterText = inviterName 
+    ? `<p style="margin-top: 20px; color: #666; font-size: 14px;">Sie wurden von ${inviterName} zum Newsletter eingeladen.</p>`
+    : ''
+
+  await transporter.sendMail({
+    from: process.env.SMTP_FROM || 'noreply@harheimertc.de',
+    to: email,
+    subject: `Newsletter-Anmeldung bestätigen - ${groupName} - Harheimer TC`,
+    html: `
+      <div style="font-family: Arial, sans-serif; max-width: 600px; margin: 0 auto;">
+        <h2 style="color: #dc2626;">Newsletter-Anmeldung bestätigen</h2>
+        <p>Hallo ${name || 'Liebe/r Abonnent/in'},</p>
+        ${inviterText}
+        <p>vielen Dank für Ihre Anmeldung zum Newsletter "${groupName}" des Harheimer TC!</p>
+        ${customMessageHtml}
+        <p>Bitte bestätigen Sie Ihre Anmeldung, indem Sie auf den folgenden Link klicken:</p>
+        <p style="margin: 30px 0;">
+          <a href="${confirmationUrl}" style="display: inline-block; padding: 12px 24px; background-color: #dc2626; color: white; text-decoration: none; border-radius: 5px;">
+            Newsletter-Anmeldung bestätigen
+          </a>
+        </p>
+        <p>Falls Sie sich nicht angemeldet haben, können Sie diese E-Mail ignorieren.</p>
+        <p style="margin-top: 30px; color: #666; font-size: 12px;">
+          Mit sportlichen Grüßen,<br>
+          Ihr Harheimer Tischtennis-Club 1954 e.V.
+        </p>
+      </div>
+    `
+  })
+}
+

server/api/newsletter/groups/[id]/subscribers/list.get.js

@@ -0,0 +1,115 @@
+import fs from 'fs/promises'
+import path from 'path'
+import { getUserFromToken, hasAnyRole } from '../../../../../utils/auth.js'
+import { readSubscribers } from '../../../../../utils/newsletter.js'
+
+const getDataPath = (filename) => {
+  const cwd = process.cwd()
+  if (cwd.endsWith('.output')) {
+    return path.join(cwd, '../server/data', filename)
+  }
+  return path.join(cwd, 'server/data', filename)
+}
+
+const NEWSLETTER_GROUPS_FILE = getDataPath('newsletter-groups.json')
+
+async function readGroups() {
+  try {
+    const data = await fs.readFile(NEWSLETTER_GROUPS_FILE, 'utf-8')
+    return JSON.parse(data)
+  } catch (error) {
+    if (error.code === 'ENOENT') {
+      return []
+    }
+    throw error
+  }
+}
+
+export default defineEventHandler(async (event) => {
+  try {
+    // Authentifizierung prüfen
+    const token = getCookie(event, 'auth_token') || getHeader(event, 'authorization')?.replace('Bearer ', '')
+    
+    if (!token) {
+      throw createError({
+        statusCode: 401,
+        statusMessage: 'Nicht authentifiziert'
+      })
+    }
+
+    const user = await getUserFromToken(token)
+    if (!user || !hasAnyRole(user, 'admin', 'vorstand', 'newsletter')) {
+      throw createError({
+        statusCode: 403,
+        statusMessage: 'Keine Berechtigung'
+      })
+    }
+
+    const groupId = getRouterParam(event, 'id')
+    
+    // Prüfe ob Gruppe existiert und vom Typ 'subscription' ist
+    const groups = await readGroups()
+    const group = groups.find(g => g.id === groupId)
+    
+    if (!group) {
+      throw createError({
+        statusCode: 404,
+        statusMessage: 'Newsletter-Gruppe nicht gefunden'
+      })
+    }
+
+    if (group.type !== 'subscription') {
+      throw createError({
+        statusCode: 400,
+        statusMessage: 'Diese Funktion ist nur für Abonnenten-Newsletter verfügbar'
+      })
+    }
+
+    // Lade alle Abonnenten
+    const subscribers = await readSubscribers()
+    
+    // Filtere Abonnenten für diese Gruppe
+    const groupSubscribers = subscribers
+      .filter(s => {
+        // Stelle sicher, dass groupIds existiert (für Rückwärtskompatibilität)
+        if (!s.groupIds || !Array.isArray(s.groupIds)) {
+          return false
+        }
+        return s.groupIds.includes(groupId)
+      })
+      .map(s => ({
+        id: s.id,
+        email: s.email,
+        name: s.name || '',
+        confirmed: s.confirmed || false,
+        subscribedAt: s.subscribedAt || null,
+        confirmedAt: s.confirmedAt || null,
+        unsubscribedAt: s.unsubscribedAt || null
+      }))
+      .sort((a, b) => {
+        // Sortiere nach bestätigt, dann nach Datum
+        if (a.confirmed !== b.confirmed) {
+          return a.confirmed ? -1 : 1
+        }
+        if (a.subscribedAt && b.subscribedAt) {
+          return new Date(b.subscribedAt) - new Date(a.subscribedAt)
+        }
+        return 0
+      })
+
+    return {
+      success: true,
+      subscribers: groupSubscribers
+    }
+  } catch (error) {
+    console.error('Fehler beim Laden der Abonnenten:', error)
+    if (error.statusCode) {
+      throw error
+    }
+    throw createError({
+      statusCode: 500,
+      statusMessage: 'Fehler beim Laden der Abonnenten'
+    })
+  }
+})
+

server/api/newsletter/groups/[id]/subscribers/remove.post.js

@@ -0,0 +1,84 @@
+import { getUserFromToken, hasAnyRole } from '../../../../../utils/auth.js'
+import { readSubscribers, writeSubscribers } from '../../../../../utils/newsletter.js'
+
+export default defineEventHandler(async (event) => {
+  try {
+    // Authentifizierung prüfen
+    const token = getCookie(event, 'auth_token') || getHeader(event, 'authorization')?.replace('Bearer ', '')
+    
+    if (!token) {
+      throw createError({
+        statusCode: 401,
+        statusMessage: 'Nicht authentifiziert'
+      })
+    }
+
+    const user = await getUserFromToken(token)
+    if (!user || !hasAnyRole(user, 'admin', 'vorstand', 'newsletter')) {
+      throw createError({
+        statusCode: 403,
+        statusMessage: 'Keine Berechtigung'
+      })
+    }
+
+    const groupId = getRouterParam(event, 'id')
+    const body = await readBody(event)
+    const { subscriberId } = body
+
+    if (!subscriberId) {
+      throw createError({
+        statusCode: 400,
+        statusMessage: 'Abonnenten-ID ist erforderlich'
+      })
+    }
+
+    const subscribers = await readSubscribers()
+    const subscriber = subscribers.find(s => s.id === subscriberId)
+
+    if (!subscriber) {
+      throw createError({
+        statusCode: 404,
+        statusMessage: 'Abonnent nicht gefunden'
+      })
+    }
+
+    // Stelle sicher, dass groupIds existiert
+    if (!subscriber.groupIds || !Array.isArray(subscriber.groupIds)) {
+      subscriber.groupIds = []
+    }
+
+    // Entferne Gruppe aus groupIds
+    const index = subscriber.groupIds.indexOf(groupId)
+    if (index === -1) {
+      throw createError({
+        statusCode: 400,
+        statusMessage: 'Abonnent ist nicht für diese Gruppe angemeldet'
+      })
+    }
+
+    subscriber.groupIds.splice(index, 1)
+
+    // Wenn keine Gruppen mehr vorhanden, als abgemeldet markieren
+    if (subscriber.groupIds.length === 0) {
+      subscriber.unsubscribedAt = new Date().toISOString()
+      subscriber.confirmed = false
+    }
+
+    await writeSubscribers(subscribers)
+
+    return {
+      success: true,
+      message: 'Abonnent erfolgreich entfernt'
+    }
+  } catch (error) {
+    console.error('Fehler beim Entfernen des Abonnenten:', error)
+    if (error.statusCode) {
+      throw error
+    }
+    throw createError({
+      statusCode: 500,
+      statusMessage: 'Fehler beim Entfernen des Abonnenten'
+    })
+  }
+})
+

server/api/newsletter/groups/create.post.js

@@ -0,0 +1,117 @@
+import fs from 'fs/promises'
+import path from 'path'
+import { getUserFromToken, hasAnyRole } from '../../../utils/auth.js'
+import { randomUUID } from 'crypto'
+
+const getDataPath = (filename) => {
+  const cwd = process.cwd()
+  if (cwd.endsWith('.output')) {
+    return path.join(cwd, '../server/data', filename)
+  }
+  return path.join(cwd, 'server/data', filename)
+}
+
+const NEWSLETTER_GROUPS_FILE = getDataPath('newsletter-groups.json')
+
+async function readGroups() {
+  try {
+    const data = await fs.readFile(NEWSLETTER_GROUPS_FILE, 'utf-8')
+    return JSON.parse(data)
+  } catch (error) {
+    if (error.code === 'ENOENT') {
+      return []
+    }
+    throw error
+  }
+}
+
+async function writeGroups(groups) {
+  await fs.writeFile(NEWSLETTER_GROUPS_FILE, JSON.stringify(groups, null, 2), 'utf-8')
+}
+
+export default defineEventHandler(async (event) => {
+  try {
+    // Authentifizierung prüfen
+    const token = getCookie(event, 'auth_token') || getHeader(event, 'authorization')?.replace('Bearer ', '')
+    
+    if (!token) {
+      throw createError({
+        statusCode: 401,
+        statusMessage: 'Nicht authentifiziert'
+      })
+    }
+
+    const user = await getUserFromToken(token)
+    if (!user || !hasAnyRole(user, 'admin', 'vorstand', 'newsletter')) {
+      throw createError({
+        statusCode: 403,
+        statusMessage: 'Keine Berechtigung'
+      })
+    }
+
+    const body = await readBody(event)
+    const { name, type, targetGroup, sendToExternal, description } = body
+
+    if (!name || !type) {
+      throw createError({
+        statusCode: 400,
+        statusMessage: 'Name und Typ sind erforderlich'
+      })
+    }
+
+    if (type === 'subscription' && sendToExternal === undefined) {
+      throw createError({
+        statusCode: 400,
+        statusMessage: 'sendToExternal ist für Abonnenten-Newsletter erforderlich'
+      })
+    }
+
+    if (type === 'group' && !targetGroup) {
+      throw createError({
+        statusCode: 400,
+        statusMessage: 'Zielgruppe ist für Gruppen-Newsletter erforderlich'
+      })
+    }
+
+    const groups = await readGroups()
+    
+    // Prüfe ob Name bereits existiert
+    if (groups.find(g => g.name.toLowerCase() === name.toLowerCase())) {
+      throw createError({
+        statusCode: 409,
+        statusMessage: 'Eine Newsletter-Gruppe mit diesem Namen existiert bereits'
+      })
+    }
+    
+    const newGroup = {
+      id: randomUUID(),
+      name,
+      description: description || '',
+      type, // 'subscription' oder 'group'
+      targetGroup: type === 'group' ? targetGroup : null,
+      sendToExternal: type === 'subscription' ? sendToExternal : false,
+      createdAt: new Date().toISOString(),
+      createdBy: user.id,
+      postCount: 0
+    }
+
+    groups.push(newGroup)
+    await writeGroups(groups)
+
+    return {
+      success: true,
+      message: 'Newsletter-Gruppe erfolgreich erstellt',
+      group: newGroup
+    }
+  } catch (error) {
+    console.error('Fehler beim Erstellen der Newsletter-Gruppe:', error)
+    if (error.statusCode) {
+      throw error
+    }
+    throw createError({
+      statusCode: 500,
+      statusMessage: 'Fehler beim Erstellen der Newsletter-Gruppe'
+    })
+  }
+})
+

server/api/newsletter/groups/list.get.js

@@ -0,0 +1,64 @@
+import fs from 'fs/promises'
+import path from 'path'
+import { getUserFromToken, hasAnyRole } from '../../../utils/auth.js'
+
+const getDataPath = (filename) => {
+  const cwd = process.cwd()
+  if (cwd.endsWith('.output')) {
+    return path.join(cwd, '../server/data', filename)
+  }
+  return path.join(cwd, 'server/data', filename)
+}
+
+const NEWSLETTER_GROUPS_FILE = getDataPath('newsletter-groups.json')
+
+async function readGroups() {
+  try {
+    const data = await fs.readFile(NEWSLETTER_GROUPS_FILE, 'utf-8')
+    return JSON.parse(data)
+  } catch (error) {
+    if (error.code === 'ENOENT') {
+      return []
+    }
+    throw error
+  }
+}
+
+export default defineEventHandler(async (event) => {
+  try {
+    // Authentifizierung prüfen
+    const token = getCookie(event, 'auth_token') || getHeader(event, 'authorization')?.replace('Bearer ', '')
+    
+    if (!token) {
+      throw createError({
+        statusCode: 401,
+        statusMessage: 'Nicht authentifiziert'
+      })
+    }
+
+    const user = await getUserFromToken(token)
+    if (!user || !hasAnyRole(user, 'admin', 'vorstand', 'newsletter')) {
+      throw createError({
+        statusCode: 403,
+        statusMessage: 'Keine Berechtigung'
+      })
+    }
+
+    const groups = await readGroups()
+    
+    return {
+      success: true,
+      groups
+    }
+  } catch (error) {
+    console.error('Fehler beim Laden der Newsletter-Gruppen:', error)
+    if (error.statusCode) {
+      throw error
+    }
+    throw createError({
+      statusCode: 500,
+      statusMessage: 'Fehler beim Laden der Newsletter-Gruppen'
+    })
+  }
+})
+

server/api/newsletter/groups/public-list.get.js

@@ -0,0 +1,73 @@
+import fs from 'fs/promises'
+import path from 'path'
+import { getUserFromToken } from '../../../utils/auth.js'
+
+const getDataPath = (filename) => {
+  const cwd = process.cwd()
+  if (cwd.endsWith('.output')) {
+    return path.join(cwd, '../server/data', filename)
+  }
+  return path.join(cwd, 'server/data', filename)
+}
+
+const NEWSLETTER_GROUPS_FILE = getDataPath('newsletter-groups.json')
+
+async function readGroups() {
+  try {
+    const data = await fs.readFile(NEWSLETTER_GROUPS_FILE, 'utf-8')
+    return JSON.parse(data)
+  } catch (error) {
+    if (error.code === 'ENOENT') {
+      return []
+    }
+    throw error
+  }
+}
+
+export default defineEventHandler(async (event) => {
+  try {
+    // Prüfe ob Benutzer eingeloggt ist
+    let isLoggedIn = false
+    try {
+      const token = getCookie(event, 'auth_token') || getHeader(event, 'authorization')?.replace('Bearer ', '')
+      if (token) {
+        const user = await getUserFromToken(token)
+        if (user && user.active) {
+          isLoggedIn = true
+        }
+      }
+    } catch (e) {
+      // Nicht eingeloggt - kein Problem
+    }
+
+    const groups = await readGroups()
+    
+    // Filtere Newsletter-Gruppen basierend auf Login-Status
+    let publicGroups
+    if (isLoggedIn) {
+      // Eingeloggte Benutzer sehen alle Abonnenten-Newsletter (intern und extern)
+      publicGroups = groups.filter(g => g.type === 'subscription')
+    } else {
+      // Nicht eingeloggte Benutzer sehen nur externe Newsletter
+      publicGroups = groups.filter(g => 
+        g.type === 'subscription' && g.sendToExternal === true
+      )
+    }
+    
+    return {
+      success: true,
+      groups: publicGroups.map(g => ({
+        id: g.id,
+        name: g.name,
+        description: g.description || ''
+      }))
+    }
+  } catch (error) {
+    console.error('Fehler beim Laden der öffentlichen Newsletter-Gruppen:', error)
+    throw createError({
+      statusCode: 500,
+      statusMessage: 'Fehler beim Laden der Newsletter-Gruppen'
+    })
+  }
+})
+

server/api/newsletter/list.get.js

@@ -0,0 +1,67 @@
+import fs from 'fs/promises'
+import path from 'path'
+import { getUserFromToken, hasAnyRole } from '../../utils/auth.js'
+
+const getDataPath = (filename) => {
+  const cwd = process.cwd()
+  if (cwd.endsWith('.output')) {
+    return path.join(cwd, '../server/data', filename)
+  }
+  return path.join(cwd, 'server/data', filename)
+}
+
+const NEWSLETTERS_FILE = getDataPath('newsletters.json')
+
+async function readNewsletters() {
+  try {
+    const data = await fs.readFile(NEWSLETTERS_FILE, 'utf-8')
+    return JSON.parse(data)
+  } catch (error) {
+    if (error.code === 'ENOENT') {
+      return []
+    }
+    throw error
+  }
+}
+
+export default defineEventHandler(async (event) => {
+  try {
+    // Authentifizierung prüfen
+    const token = getCookie(event, 'auth_token') || getHeader(event, 'authorization')?.replace('Bearer ', '')
+    
+    if (!token) {
+      throw createError({
+        statusCode: 401,
+        statusMessage: 'Nicht authentifiziert'
+      })
+    }
+
+    const user = await getUserFromToken(token)
+    if (!user || !hasAnyRole(user, 'admin', 'vorstand', 'newsletter')) {
+      throw createError({
+        statusCode: 403,
+        statusMessage: 'Keine Berechtigung'
+      })
+    }
+
+    const newsletters = await readNewsletters()
+    
+    // Sortiere nach Erstellungsdatum (neueste zuerst)
+    newsletters.sort((a, b) => new Date(b.createdAt) - new Date(a.createdAt))
+
+    return {
+      success: true,
+      newsletters
+    }
+  } catch (error) {
+    console.error('Fehler beim Laden der Newsletter:', error)
+    if (error.statusCode) {
+      throw error
+    }
+    throw createError({
+      statusCode: 500,
+      statusMessage: 'Fehler beim Laden der Newsletter'
+    })
+  }
+})
+

server/api/newsletter/subscribe.post.js

@@ -0,0 +1,228 @@
+import { readSubscribers, writeSubscribers } from '../../utils/newsletter.js'
+import { randomUUID } from 'crypto'
+import nodemailer from 'nodemailer'
+import crypto from 'crypto'
+import fs from 'fs/promises'
+import path from 'path'
+
+const getDataPath = (filename) => {
+  const cwd = process.cwd()
+  if (cwd.endsWith('.output')) {
+    return path.join(cwd, '../server/data', filename)
+  }
+  return path.join(cwd, 'server/data', filename)
+}
+
+const NEWSLETTER_GROUPS_FILE = getDataPath('newsletter-groups.json')
+
+async function readGroups() {
+  try {
+    const data = await fs.readFile(NEWSLETTER_GROUPS_FILE, 'utf-8')
+    return JSON.parse(data)
+  } catch (error) {
+    if (error.code === 'ENOENT') {
+      return []
+    }
+    throw error
+  }
+}
+
+export default defineEventHandler(async (event) => {
+  try {
+    const body = await readBody(event)
+    const { email, name, groupId } = body
+
+    if (!email || !email.match(/^[^\s@]+@[^\s@]+\.[^\s@]+$/)) {
+      throw createError({
+        statusCode: 400,
+        statusMessage: 'Ungültige E-Mail-Adresse'
+      })
+    }
+
+    if (!groupId) {
+      throw createError({
+        statusCode: 400,
+        statusMessage: 'Newsletter-Gruppe muss ausgewählt werden'
+      })
+    }
+
+    // Prüfe ob Gruppe existiert und für externe Abonnements verfügbar ist
+    const groups = await readGroups()
+    const group = groups.find(g => g.id === groupId)
+    
+    if (!group) {
+      throw createError({
+        statusCode: 404,
+        statusMessage: 'Newsletter-Gruppe nicht gefunden'
+      })
+    }
+
+    if (group.type !== 'subscription' || group.sendToExternal !== true) {
+      throw createError({
+        statusCode: 403,
+        statusMessage: 'Diese Newsletter-Gruppe ist nicht für externe Abonnements verfügbar'
+      })
+    }
+
+    const subscribers = await readSubscribers()
+    const emailLower = email.toLowerCase()
+    
+    // Prüfe ob bereits für diese Gruppe angemeldet
+    const existing = subscribers.find(s => {
+      const sEmail = (s.email || '').toLowerCase()
+      return sEmail === emailLower && s.groupIds && s.groupIds.includes(groupId)
+    })
+    
+    if (existing) {
+      if (existing.confirmed) {
+        throw createError({
+          statusCode: 409,
+          statusMessage: 'Sie sind bereits für diesen Newsletter angemeldet'
+        })
+      } else {
+        // Bestätigungsmail erneut senden
+        await sendConfirmationEmail(existing.email, existing.name || name, existing.confirmationToken, group.name)
+        return {
+          success: true,
+          message: 'Eine Bestätigungsmail wurde an Ihre E-Mail-Adresse gesendet'
+        }
+      }
+    }
+
+    // Prüfe ob E-Mail bereits existiert (für andere Gruppe oder ohne Gruppe)
+    const existingEmail = subscribers.find(s => (s.email || '').toLowerCase() === emailLower)
+    
+    if (existingEmail) {
+      // Bestehender Subscriber - Gruppe hinzufügen
+      if (!existingEmail.groupIds) {
+        existingEmail.groupIds = []
+      }
+      
+      if (existingEmail.groupIds.includes(groupId)) {
+        // Bereits für diese Gruppe angemeldet
+        if (existingEmail.confirmed) {
+          throw createError({
+            statusCode: 409,
+            statusMessage: 'Sie sind bereits für diesen Newsletter angemeldet'
+          })
+        } else {
+          // Bestätigungsmail erneut senden
+          await sendConfirmationEmail(existingEmail.email, existingEmail.name || name, existingEmail.confirmationToken, group.name)
+          return {
+            success: true,
+            message: 'Eine Bestätigungsmail wurde an Ihre E-Mail-Adresse gesendet'
+          }
+        }
+      }
+      
+      // Gruppe hinzufügen
+      existingEmail.groupIds.push(groupId)
+      if (!existingEmail.confirmed) {
+        // Neuer Bestätigungstoken für alle Gruppen
+        existingEmail.confirmationToken = crypto.randomBytes(32).toString('hex')
+      }
+      existingEmail.name = name || existingEmail.name || ''
+      
+      await writeSubscribers(subscribers)
+      
+      if (existingEmail.confirmed) {
+        // Bereits bestätigt - sofort aktiviert
+        return {
+          success: true,
+          message: `Sie wurden erfolgreich für den Newsletter "${group.name}" angemeldet`
+        }
+      } else {
+        // Bestätigungsmail senden
+        await sendConfirmationEmail(existingEmail.email, existingEmail.name, existingEmail.confirmationToken, group.name)
+        return {
+          success: true,
+          message: 'Eine Bestätigungsmail wurde an Ihre E-Mail-Adresse gesendet. Bitte bestätigen Sie Ihre Anmeldung.'
+        }
+      }
+    }
+
+    // Neuer Abonnent
+    const confirmationToken = crypto.randomBytes(32).toString('hex')
+    const unsubscribeToken = crypto.randomBytes(32).toString('hex')
+    const newSubscriber = {
+      id: randomUUID(),
+      email: emailLower,
+      name: name || '',
+      groupIds: [groupId],
+      confirmed: false,
+      confirmationToken,
+      unsubscribeToken,
+      subscribedAt: new Date().toISOString(),
+      confirmedAt: null,
+      unsubscribedAt: null
+    }
+
+    subscribers.push(newSubscriber)
+    await writeSubscribers(subscribers)
+
+    // Bestätigungsmail senden
+    await sendConfirmationEmail(email, name, confirmationToken, group.name)
+
+    return {
+      success: true,
+      message: 'Eine Bestätigungsmail wurde an Ihre E-Mail-Adresse gesendet. Bitte bestätigen Sie Ihre Anmeldung.'
+    }
+  } catch (error) {
+    console.error('Fehler bei Newsletter-Anmeldung:', error)
+    if (error.statusCode) {
+      throw error
+    }
+    throw createError({
+      statusCode: 500,
+      statusMessage: 'Fehler bei der Newsletter-Anmeldung'
+    })
+  }
+})
+
+async function sendConfirmationEmail(email, name, token, groupName) {
+  const smtpUser = process.env.SMTP_USER
+  const smtpPass = process.env.SMTP_PASS
+  
+  if (!smtpUser || !smtpPass) {
+    console.warn('SMTP-Credentials fehlen! Bestätigungsmail kann nicht gesendet werden.')
+    return
+  }
+
+  const baseUrl = process.env.NUXT_PUBLIC_BASE_URL || 'http://localhost:3100'
+  const confirmationUrl = `${baseUrl}/newsletter/confirm?token=${token}`
+
+  const transporter = nodemailer.createTransport({
+    host: process.env.SMTP_HOST || 'smtp.gmail.com',
+    port: process.env.SMTP_PORT || 587,
+    secure: false,
+    auth: {
+      user: smtpUser,
+      pass: smtpPass
+    }
+  })
+
+  await transporter.sendMail({
+    from: process.env.SMTP_FROM || 'noreply@harheimertc.de',
+    to: email,
+    subject: `Newsletter-Anmeldung bestätigen - ${groupName} - Harheimer TC`,
+    html: `
+      <div style="font-family: Arial, sans-serif; max-width: 600px; margin: 0 auto;">
+        <h2 style="color: #dc2626;">Newsletter-Anmeldung bestätigen</h2>
+        <p>Hallo ${name || 'Liebe/r Abonnent/in'},</p>
+        <p>vielen Dank für Ihre Anmeldung zum Newsletter "${groupName}" des Harheimer TC!</p>
+        <p>Bitte bestätigen Sie Ihre Anmeldung, indem Sie auf den folgenden Link klicken:</p>
+        <p style="margin: 30px 0;">
+          <a href="${confirmationUrl}" style="display: inline-block; padding: 12px 24px; background-color: #dc2626; color: white; text-decoration: none; border-radius: 5px;">
+            Newsletter-Anmeldung bestätigen
+          </a>
+        </p>
+        <p>Falls Sie sich nicht angemeldet haben, können Sie diese E-Mail ignorieren.</p>
+        <p style="margin-top: 30px; color: #666; font-size: 12px;">
+          Mit sportlichen Grüßen,<br>
+          Ihr Harheimer Tischtennis-Club 1954 e.V.
+        </p>
+      </div>
+    `
+  })
+}
+

server/api/newsletter/unsubscribe-by-email.post.js

@@ -0,0 +1,121 @@
+import { readSubscribers, writeSubscribers } from '../../utils/newsletter.js'
+import fs from 'fs/promises'
+import path from 'path'
+
+const getDataPath = (filename) => {
+  const cwd = process.cwd()
+  if (cwd.endsWith('.output')) {
+    return path.join(cwd, '../server/data', filename)
+  }
+  return path.join(cwd, 'server/data', filename)
+}
+
+const NEWSLETTER_GROUPS_FILE = getDataPath('newsletter-groups.json')
+
+async function readGroups() {
+  try {
+    const data = await fs.readFile(NEWSLETTER_GROUPS_FILE, 'utf-8')
+    return JSON.parse(data)
+  } catch (error) {
+    if (error.code === 'ENOENT') {
+      return []
+    }
+    throw error
+  }
+}
+
+export default defineEventHandler(async (event) => {
+  try {
+    const body = await readBody(event)
+    const { email, groupId } = body
+
+    if (!email || !email.match(/^[^\s@]+@[^\s@]+\.[^\s@]+$/)) {
+      throw createError({
+        statusCode: 400,
+        statusMessage: 'Ungültige E-Mail-Adresse'
+      })
+    }
+
+    if (!groupId) {
+      throw createError({
+        statusCode: 400,
+        statusMessage: 'Newsletter-Gruppe muss angegeben werden'
+      })
+    }
+
+    // Prüfe ob Gruppe existiert
+    const groups = await readGroups()
+    const group = groups.find(g => g.id === groupId)
+    
+    if (!group) {
+      throw createError({
+        statusCode: 404,
+        statusMessage: 'Newsletter-Gruppe nicht gefunden'
+      })
+    }
+
+    if (group.type !== 'subscription') {
+      throw createError({
+        statusCode: 400,
+        statusMessage: 'Diese Funktion ist nur für Abonnenten-Newsletter verfügbar'
+      })
+    }
+
+    const subscribers = await readSubscribers()
+    const emailLower = email.toLowerCase()
+    
+    const subscriber = subscribers.find(s => {
+      const sEmail = (s.email || '').toLowerCase()
+      return sEmail === emailLower
+    })
+
+    if (!subscriber) {
+      // Nicht gefunden - aber trotzdem Erfolg zurückgeben (keine Information preisgeben)
+      return {
+        success: true,
+        message: 'Sie wurden erfolgreich vom Newsletter abgemeldet'
+      }
+    }
+
+    // Stelle sicher, dass groupIds existiert
+    if (!subscriber.groupIds || !Array.isArray(subscriber.groupIds)) {
+      subscriber.groupIds = []
+    }
+
+    // Prüfe ob für diese Gruppe angemeldet
+    if (!subscriber.groupIds.includes(groupId)) {
+      // Nicht für diese Gruppe angemeldet - aber trotzdem Erfolg zurückgeben
+      return {
+        success: true,
+        message: 'Sie wurden erfolgreich vom Newsletter abgemeldet'
+      }
+    }
+
+    // Entferne Gruppe aus groupIds
+    const index = subscriber.groupIds.indexOf(groupId)
+    subscriber.groupIds.splice(index, 1)
+
+    // Wenn keine Gruppen mehr vorhanden, als abgemeldet markieren
+    if (subscriber.groupIds.length === 0) {
+      subscriber.unsubscribedAt = new Date().toISOString()
+      subscriber.confirmed = false
+    }
+
+    await writeSubscribers(subscribers)
+
+    return {
+      success: true,
+      message: 'Sie wurden erfolgreich vom Newsletter abgemeldet'
+    }
+  } catch (error) {
+    console.error('Fehler bei Newsletter-Abmeldung:', error)
+    if (error.statusCode) {
+      throw error
+    }
+    throw createError({
+      statusCode: 500,
+      statusMessage: 'Fehler bei der Newsletter-Abmeldung'
+    })
+  }
+})
+

server/api/newsletter/unsubscribe.get.js

@@ -0,0 +1,56 @@
+import { readSubscribers, writeSubscribers } from '../../utils/newsletter.js'
+
+export default defineEventHandler(async (event) => {
+  try {
+    const query = getQuery(event)
+    const token = query.token
+
+    if (!token) {
+      throw createError({
+        statusCode: 400,
+        statusMessage: 'Abmeldetoken fehlt'
+      })
+    }
+
+    const subscribers = await readSubscribers()
+    const subscriber = subscribers.find(s => s.unsubscribeToken === token)
+
+    if (!subscriber) {
+      throw createError({
+        statusCode: 404,
+        statusMessage: 'Ungültiger Abmeldetoken'
+      })
+    }
+
+    if (subscriber.unsubscribedAt) {
+      // Bereits abgemeldet
+      return sendRedirect(event, '/newsletter/unsubscribed?already=true')
+    }
+
+    // Abmeldung durchführen
+    subscriber.unsubscribedAt = new Date().toISOString()
+    subscriber.confirmed = false
+    
+    // Stelle sicher, dass groupIds existiert (für Rückwärtskompatibilität)
+    if (!subscriber.groupIds) {
+      subscriber.groupIds = []
+    }
+    // Leere groupIds, um von allen Gruppen abzumelden
+    subscriber.groupIds = []
+
+    await writeSubscribers(subscribers)
+
+    // Weiterleitung zur Abmelde-Bestätigungsseite
+    return sendRedirect(event, '/newsletter/unsubscribed')
+  } catch (error) {
+    console.error('Fehler bei Newsletter-Abmeldung:', error)
+    if (error.statusCode) {
+      throw error
+    }
+    throw createError({
+      statusCode: 500,
+      statusMessage: 'Fehler bei der Newsletter-Abmeldung'
+    })
+  }
+})
+

server/api/personen/upload.post.js

@@ -2,7 +2,7 @@ import multer from 'multer'
 import fs from 'fs/promises'
 import path from 'path'
 import sharp from 'sharp'
-import { getUserFromToken, verifyToken } from '../../utils/auth.js'
+import { getUserFromToken, verifyToken, hasAnyRole } from '../../utils/auth.js'
 import { randomUUID } from 'crypto'
 
 // Handle both dev and production paths
@@ -69,7 +69,7 @@ export default defineEventHandler(async (event) => {
     }
 
     const user = await getUserFromToken(token)
-    if (!user || (user.role !== 'admin' && user.role !== 'vorstand')) {
+    if (!user || !hasAnyRole(user, 'admin', 'vorstand')) {
       throw createError({
         statusCode: 403,
         statusMessage: 'Keine Berechtigung zum Hochladen von Bildern'

server/api/profile.get.js

@@ -1,4 +1,4 @@
-import { verifyToken, getUserById } from '../utils/auth.js'
+import { verifyToken, getUserById, migrateUserRoles } from '../utils/auth.js'
 
 export default defineEventHandler(async (event) => {
   try {
@@ -29,6 +29,9 @@ export default defineEventHandler(async (event) => {
       })
     }
 
+    const migratedUser = migrateUserRoles({ ...user })
+    const roles = Array.isArray(migratedUser.roles) ? migratedUser.roles : (migratedUser.role ? [migratedUser.role] : ['mitglied'])
+
     // Return user data (without password)
     return {
       success: true,
@@ -37,7 +40,8 @@ export default defineEventHandler(async (event) => {
         email: user.email,
         name: user.name,
         phone: user.phone || '',
-        role: user.role
+        roles: roles,
+        role: roles[0] || 'mitglied' // Rückwärtskompatibilität
       }
     }
   } catch (error) {

server/api/profile.put.js

@@ -1,4 +1,4 @@
-import { verifyToken, getUserById, readUsers, writeUsers, verifyPassword, hashPassword } from '../utils/auth.js'
+import { verifyToken, getUserById, readUsers, writeUsers, verifyPassword, hashPassword, migrateUserRoles } from '../utils/auth.js'
 
 export default defineEventHandler(async (event) => {
   try {
@@ -80,6 +80,9 @@ export default defineEventHandler(async (event) => {
 
     await writeUsers(users)
 
+    const migratedUser = migrateUserRoles({ ...user })
+    const roles = Array.isArray(migratedUser.roles) ? migratedUser.roles : (migratedUser.role ? [migratedUser.role] : ['mitglied'])
+
     return {
       success: true,
       message: 'Profil erfolgreich aktualisiert.',
@@ -88,7 +91,8 @@ export default defineEventHandler(async (event) => {
         email: user.email,
         name: user.name,
         phone: user.phone,
-        role: user.role
+        roles: roles,
+        role: roles[0] || 'mitglied' // Rückwärtskompatibilität
       }
     }
   } catch (error) {

server/api/termine-manage.delete.js

@@ -1,4 +1,4 @@
-import { verifyToken, getUserById } from '../utils/auth.js'
+import { verifyToken, getUserById, hasAnyRole } from '../utils/auth.js'
 import { deleteTermin } from '../utils/termine.js'
 
 export default defineEventHandler(async (event) => {
@@ -24,7 +24,7 @@ export default defineEventHandler(async (event) => {
     const user = await getUserById(decoded.id)
 
     // Only admin and vorstand can delete termine
-    if (!user || (user.role !== 'admin' && user.role !== 'vorstand')) {
+    if (!user || !hasAnyRole(user, 'admin', 'vorstand')) {
       throw createError({
         statusCode: 403,
         message: 'Keine Berechtigung zum Löschen von Terminen.'

server/api/termine-manage.get.js

@@ -1,4 +1,4 @@
-import { verifyToken, getUserById } from '../utils/auth.js'
+import { verifyToken, getUserById, hasAnyRole } from '../utils/auth.js'
 import { readTermine } from '../utils/termine.js'
 
 export default defineEventHandler(async (event) => {
@@ -24,7 +24,7 @@ export default defineEventHandler(async (event) => {
     const user = await getUserById(decoded.id)
 
     // Only admin and vorstand can manage termine
-    if (!user || (user.role !== 'admin' && user.role !== 'vorstand')) {
+    if (!user || !hasAnyRole(user, 'admin', 'vorstand')) {
       throw createError({
         statusCode: 403,
         message: 'Keine Berechtigung zum Verwalten von Terminen.'

server/api/termine-manage.post.js

@@ -1,4 +1,4 @@
-import { verifyToken, getUserById } from '../utils/auth.js'
+import { verifyToken, getUserById, hasAnyRole } from '../utils/auth.js'
 import { saveTermin } from '../utils/termine.js'
 
 export default defineEventHandler(async (event) => {
@@ -24,7 +24,7 @@ export default defineEventHandler(async (event) => {
     const user = await getUserById(decoded.id)
 
     // Only admin and vorstand can create termine
-    if (!user || (user.role !== 'admin' && user.role !== 'vorstand')) {
+    if (!user || !hasAnyRole(user, 'admin', 'vorstand')) {
       throw createError({
         statusCode: 403,
         message: 'Keine Berechtigung zum Erstellen von Terminen.'