feat: Upload in freigegebene Ordner + Benachrichtigung

Share-Links fuer Ordner erlauben jetzt auch Uploads:

Backend:
- POST /share/<token>/upload - Datei in freigegebenen Ordner hochladen
- Passwort-Schutz wird bei Upload ebenfalls geprueft
- share_info gibt jetzt upload_allowed zurueck (true bei Ordner-Shares)
- Email-Benachrichtigung an den Ersteller wenn jemand eine Datei
  hochlaedt (Dateiname, Groesse, IP-Adresse)

Frontend (ShareView):
- Ordner-Shares zeigen jetzt eine Upload-Zone (Drag & Drop + Button)
- Fortschrittsbalken beim Upload mit Datei-Zaehler
- Erfolgs-/Fehlermeldung nach Upload
- Passwortgeschuetzte Ordner-Shares: erst entsperren, dann uploaden

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

backend/app/api/files.py

@@ -490,6 +490,7 @@ def share_info(token):
         'size': f.size,
         'mime_type': f.mime_type,
         'has_password': bool(link.password_hash),
+        'upload_allowed': f.is_folder,
     }), 200
 
 
@@ -557,6 +558,67 @@ def share_download(token):
                      download_name=f.name)
 
 
+@api_bp.route('/share/<token>/upload', methods=['POST'])
+def share_upload(token):
+    """Upload a file via a share link (only if the shared item is a folder)."""
+    link = ShareLink.query.filter_by(token=token).first()
+    if not link:
+        return jsonify({'error': 'Link nicht gefunden'}), 404
+
+    if link.is_expired():
+        return jsonify({'error': 'Link abgelaufen'}), 410
+
+    # Check password if set
+    if link.password_hash:
+        password = request.form.get('password', '') or request.headers.get('X-Share-Password', '')
+        if not bcrypt.check_password_hash(link.password_hash, password):
+            return jsonify({'error': 'Passwort erforderlich'}), 401
+
+    f = db.session.get(File, link.file_id)
+    if not f.is_folder:
+        return jsonify({'error': 'Upload nur in freigegebene Ordner moeglich'}), 400
+
+    if 'file' not in request.files:
+        return jsonify({'error': 'Keine Datei gesendet'}), 400
+
+    uploaded = request.files['file']
+    if not uploaded.filename:
+        return jsonify({'error': 'Leerer Dateiname'}), 400
+
+    filename = uploaded.filename
+    mime = uploaded.content_type or mimetypes.guess_type(filename)[0] or 'application/octet-stream'
+
+    storage_name = str(uuid.uuid4())
+    user_dir = _user_upload_dir(f.owner_id)
+    storage_path = user_dir / storage_name
+    uploaded.save(str(storage_path))
+
+    size = os.path.getsize(str(storage_path))
+    checksum = _compute_checksum(str(storage_path))
+
+    file_obj = File(
+        owner_id=f.owner_id,
+        parent_id=f.id,
+        name=filename,
+        is_folder=False,
+        mime_type=mime,
+        size=size,
+        storage_path=storage_name,
+        checksum=checksum,
+    )
+    db.session.add(file_obj)
+    db.session.commit()
+
+    # Notify share link creator about the upload
+    try:
+        from app.services.system_mail import notify_share_link_upload
+        notify_share_link_upload(link, f.name, filename, size, request.remote_addr)
+    except Exception:
+        pass
+
+    return jsonify(file_obj.to_dict()), 201
+
+
 @api_bp.route('/share/<token>', methods=['DELETE'])
 @token_required
 def delete_share_link(token):

backend/app/services/system_mail.py

@@ -70,6 +70,35 @@ def notify_share_link_accessed(share_link, file_name, accessor_ip):
     send_system_email(creator.email, subject, body)
 
 
+def notify_share_link_upload(share_link, folder_name, filename, filesize, uploader_ip):
+    """Notify the share link creator that someone uploaded a file via their shared folder."""
+    from app.models.user import User
+
+    creator = User.query.get(share_link.created_by)
+    if not creator or not creator.email:
+        return
+
+    def _fmt_size(b):
+        for u in ['B', 'KB', 'MB', 'GB']:
+            if b < 1024:
+                return f'{b:.1f} {u}'
+            b /= 1024
+        return f'{b:.1f} TB'
+
+    subject = f'Mini-Cloud: Neue Datei in geteiltem Ordner "{folder_name}"'
+    body = (
+        f'Hallo {creator.username},\n\n'
+        f'Jemand hat eine Datei in deinen geteilten Ordner hochgeladen:\n\n'
+        f'  Ordner: {folder_name}\n'
+        f'  Datei: {filename}\n'
+        f'  Groesse: {_fmt_size(filesize)}\n'
+        f'  IP-Adresse: {uploader_ip}\n\n'
+        f'Melde dich in deiner Mini-Cloud an, um die Datei zu sehen.\n\n'
+        f'Deine Mini-Cloud'
+    )
+    send_system_email(creator.email, subject, body)
+
+
 def notify_file_shared_with_user(file_name, owner_username, target_user):
     """Notify a user that a file/folder was shared with them."""
     if not target_user.email: