fixing relative path loading

admin/application.php

@@ -31,21 +31,21 @@ $csrf = Csrf::token();
     <meta charset="utf-8">
     <meta name="viewport" content="width=device-width, initial-scale=1">
     <title>Antragsdetails</title>
-    <link rel="stylesheet" href="/assets/css/tokens.css">
-    <link rel="stylesheet" href="/assets/css/base.css">
+    <link rel="stylesheet" href="<?= htmlspecialchars(Bootstrap::url('assets/css/tokens.css')) ?>">
+    <link rel="stylesheet" href="<?= htmlspecialchars(Bootstrap::url('assets/css/base.css')) ?>">
 </head>
 <body class="admin-page">
 <header class="site-header">
     <div class="container header-inner">
-        <a class="brand" href="/admin/index.php">
-            <img class="brand-logo" src="/assets/images/feuerwehr-Logo-invers.webp" alt="Feuerwehr Logo">
+        <a class="brand" href="<?= htmlspecialchars(Bootstrap::url('admin/index.php')) ?>">
+            <img class="brand-logo" src="<?= htmlspecialchars(Bootstrap::url('assets/images/feuerwehr-Logo-invers.webp')) ?>" alt="Feuerwehr Logo">
             <div class="brand-title"><?= htmlspecialchars((string) ($app['project_name'] ?? 'Admin')) ?></div>
         </a>
     </div>
 </header>
 <main class="container">
     <section class="card">
-        <p><a href="/admin/index.php">Zur Übersicht</a></p>
+        <p><a href="<?= htmlspecialchars(Bootstrap::url('admin/index.php')) ?>">Zur Übersicht</a></p>
         <h1>Antragsdetails</h1>
         <p><strong>E-Mail:</strong> <?= htmlspecialchars((string) ($submission['email'] ?? '')) ?></p>
         <p><strong>Eingereicht:</strong> <?= htmlspecialchars((string) ($submission['submitted_at'] ?? '')) ?></p>
@@ -68,14 +68,14 @@ $csrf = Csrf::token();
         <?php if (empty($submission['uploads'])): ?>
             <p>Keine Uploads vorhanden.</p>
         <?php else: ?>
-            <p><a href="/admin/download-zip.php?id=<?= urlencode((string) ($submission['application_key'] ?? '')) ?>">Alle Uploads als ZIP herunterladen</a></p>
+            <p><a href="<?= htmlspecialchars(Bootstrap::url('admin/download-zip.php?id=' . urlencode((string) ($submission['application_key'] ?? '')))) ?>">Alle Uploads als ZIP herunterladen</a></p>
             <?php foreach ((array) $submission['uploads'] as $field => $files): ?>
                 <h3><?= htmlspecialchars((string) $field) ?></h3>
                 <ul>
                     <?php foreach ((array) $files as $idx => $file): ?>
                         <li>
                             <?= htmlspecialchars((string) ($file['original_filename'] ?? 'Datei')) ?>
-                            - <a href="/admin/download.php?id=<?= urlencode((string) ($submission['application_key'] ?? '')) ?>&field=<?= urlencode((string) $field) ?>&index=<?= urlencode((string) $idx) ?>">Download</a>
+                            - <a href="<?= htmlspecialchars(Bootstrap::url('admin/download.php?id=' . urlencode((string) ($submission['application_key'] ?? '')) . '&field=' . urlencode((string) $field) . '&index=' . urlencode((string) $idx))) ?>">Download</a>
                         </li>
                     <?php endforeach; ?>
                 </ul>
@@ -83,7 +83,7 @@ $csrf = Csrf::token();
         <?php endif; ?>
 
         <h2>Löschen</h2>
-        <form method="post" action="/admin/delete.php" onsubmit="return confirm('Antrag wirklich löschen?');">
+        <form method="post" action="<?= htmlspecialchars(Bootstrap::url('admin/delete.php')) ?>" onsubmit="return confirm('Antrag wirklich löschen?');">
             <input type="hidden" name="csrf" value="<?= htmlspecialchars($csrf) ?>">
             <input type="hidden" name="id" value="<?= htmlspecialchars((string) ($submission['application_key'] ?? '')) ?>">
             <button type="submit" class="btn">Antrag löschen</button>

admin/delete.php

@@ -46,5 +46,5 @@ $app = Bootstrap::config('app');
 $uploadDir = rtrim((string) $app['storage']['uploads'], '/') . '/' . (string) ($submission['application_key'] ?? '');
 FileSystem::removeTree($uploadDir);
 
-header('Location: /admin/index.php');
+header('Location: ' . Bootstrap::url('admin/index.php'));
 exit;

admin/index.php

@@ -28,14 +28,14 @@ if ($query !== '') {
     <meta charset="utf-8">
     <meta name="viewport" content="width=device-width, initial-scale=1">
     <title>Admin Übersicht</title>
-    <link rel="stylesheet" href="/assets/css/tokens.css">
-    <link rel="stylesheet" href="/assets/css/base.css">
+    <link rel="stylesheet" href="<?= htmlspecialchars(Bootstrap::url('assets/css/tokens.css')) ?>">
+    <link rel="stylesheet" href="<?= htmlspecialchars(Bootstrap::url('assets/css/base.css')) ?>">
 </head>
 <body class="admin-page">
 <header class="site-header">
     <div class="container header-inner">
-        <a class="brand" href="/admin/index.php">
-            <img class="brand-logo" src="/assets/images/feuerwehr-Logo-invers.webp" alt="Feuerwehr Logo">
+        <a class="brand" href="<?= htmlspecialchars(Bootstrap::url('admin/index.php')) ?>">
+            <img class="brand-logo" src="<?= htmlspecialchars(Bootstrap::url('assets/images/feuerwehr-Logo-invers.webp')) ?>" alt="Feuerwehr Logo">
             <div class="brand-title"><?= htmlspecialchars((string) ($app['project_name'] ?? 'Admin')) ?></div>
         </a>
     </div>
@@ -43,7 +43,7 @@ if ($query !== '') {
 <main class="container">
     <section class="card">
         <h1>Abgeschlossene Anträge</h1>
-        <p><a href="/admin/login.php?logout=1">Abmelden</a></p>
+        <p><a href="<?= htmlspecialchars(Bootstrap::url('admin/login.php?logout=1')) ?>">Abmelden</a></p>
 
         <form method="get" class="field">
             <label for="q">Suche E-Mail</label>
@@ -67,7 +67,7 @@ if ($query !== '') {
                             <tr>
                                 <td data-label="E-Mail"><?= htmlspecialchars((string) ($item['email'] ?? '')) ?></td>
                                 <td data-label="Eingereicht"><?= htmlspecialchars((string) ($item['submitted_at'] ?? '')) ?></td>
-                                <td data-label="Aktion"><a href="/admin/application.php?id=<?= urlencode((string) ($item['application_key'] ?? '')) ?>">Details</a></td>
+                                <td data-label="Aktion"><a href="<?= htmlspecialchars(Bootstrap::url('admin/application.php?id=' . urlencode((string) ($item['application_key'] ?? '')))) ?>">Details</a></td>
                             </tr>
                         <?php endforeach; ?>
                     </tbody>

admin/login.php

@@ -14,12 +14,12 @@ $auth = new Auth();
 
 if (isset($_GET['logout']) && $_GET['logout'] === '1') {
     $auth->logout();
-    header('Location: /admin/login.php');
+    header('Location: ' . Bootstrap::url('admin/login.php'));
     exit;
 }
 
 if ($auth->isLoggedIn()) {
-    header('Location: /admin/index.php');
+    header('Location: ' . Bootstrap::url('admin/index.php'));
     exit;
 }
 
@@ -30,7 +30,7 @@ if ($_SERVER['REQUEST_METHOD'] === 'POST') {
     } else {
         $password = (string) ($_POST['password'] ?? '');
         if ($auth->login($password)) {
-            header('Location: /admin/index.php');
+            header('Location: ' . Bootstrap::url('admin/index.php'));
             exit;
         }
         $error = 'Login fehlgeschlagen.';
@@ -44,14 +44,14 @@ $csrf = Csrf::token();
     <meta charset="utf-8">
     <meta name="viewport" content="width=device-width, initial-scale=1">
     <title>Admin Login</title>
-    <link rel="stylesheet" href="/assets/css/tokens.css">
-    <link rel="stylesheet" href="/assets/css/base.css">
+    <link rel="stylesheet" href="<?= htmlspecialchars(Bootstrap::url('assets/css/tokens.css')) ?>">
+    <link rel="stylesheet" href="<?= htmlspecialchars(Bootstrap::url('assets/css/base.css')) ?>">
 </head>
 <body class="admin-page">
 <header class="site-header">
     <div class="container header-inner">
-        <a class="brand" href="/admin/login.php">
-            <img class="brand-logo" src="/assets/images/feuerwehr-Logo-invers.webp" alt="Feuerwehr Logo">
+        <a class="brand" href="<?= htmlspecialchars(Bootstrap::url('admin/login.php')) ?>">
+            <img class="brand-logo" src="<?= htmlspecialchars(Bootstrap::url('assets/images/feuerwehr-Logo-invers.webp')) ?>" alt="Feuerwehr Logo">
             <div class="brand-title"><?= htmlspecialchars((string) ($app['project_name'] ?? 'Admin')) ?></div>
         </a>
     </div>

assets/js/form.js

@@ -2,6 +2,7 @@
   const EMAIL_STORAGE_KEY = 'ff_member_form_email_v1';
   const DISCLAIMER_ACCEPTED_KEY = 'ff_member_form_disclaimer_accepted_v1';
   const boot = window.APP_BOOT || { steps: [], csrf: '', contactEmail: '' };
+  const baseUrl = String(boot.baseUrl || '').replace(/\/+$/, '');
 
   const state = {
     email: '',
@@ -33,6 +34,11 @@
   const submitBtn = document.getElementById('submitBtn');
   const stepElements = Array.from(document.querySelectorAll('.step'));
 
+  function appUrl(path) {
+    const normalizedPath = String(path || '').replace(/^\/+/, '');
+    return (baseUrl ? baseUrl + '/' : '/') + normalizedPath;
+  }
+
   function setFeedback(text, isError) {
     feedbackMessage.textContent = text || '';
     feedbackMessage.classList.toggle('error-text', Boolean(isError));
@@ -370,7 +376,7 @@
     fd.append('csrf', boot.csrf);
     fd.append('email', email);
     fd.append('website', '');
-    return postForm('/api/load-draft.php', fd);
+    return postForm(appUrl('api/load-draft.php'), fd);
   }
 
   async function resetSavedData(email) {
@@ -378,12 +384,12 @@
     fd.append('csrf', boot.csrf);
     fd.append('email', email);
     fd.append('website', '');
-    return postForm('/api/reset.php', fd);
+    return postForm(appUrl('api/reset.php'), fd);
   }
 
   async function saveDraft(includeFiles) {
     const payload = collectPayload(includeFiles);
-    const response = await postForm('/api/save-draft.php', payload);
+    const response = await postForm(appUrl('api/save-draft.php'), payload);
 
     if (response.upload_errors && Object.keys(response.upload_errors).length > 0) {
       showErrors(response.upload_errors);
@@ -415,7 +421,7 @@
 
   async function submitApplication() {
     const payload = collectPayload(true);
-    const response = await postForm('/api/submit.php', payload);
+    const response = await postForm(appUrl('api/submit.php'), payload);
     clearErrors();
     setDraftStatus('Abgeschlossen', false);
     setFeedback('Antrag erfolgreich abgeschlossen. Vielen Dank.', false);

index.php

@@ -25,6 +25,7 @@ if (is_string($disclaimerConfigRaw)) {
 $disclaimerTitle = (string) ($disclaimerConfig['title'] ?? 'Hinweis');
 $disclaimerText = (string) ($disclaimerConfig['text'] ?? '');
 $disclaimerAcceptLabel = (string) ($disclaimerConfig['accept_label'] ?? 'Hinweis gelesen, weiter');
+$baseUrl = Bootstrap::baseUrl();
 
 /** @param array<string, mixed> $field */
 function renderField(array $field): void
@@ -90,14 +91,14 @@ function renderField(array $field): void
     <meta charset="utf-8">
     <meta name="viewport" content="width=device-width, initial-scale=1">
     <title><?= htmlspecialchars((string) $app['project_name']) ?></title>
-    <link rel="stylesheet" href="/assets/css/tokens.css">
-    <link rel="stylesheet" href="/assets/css/base.css">
+    <link rel="stylesheet" href="<?= htmlspecialchars(Bootstrap::url('assets/css/tokens.css')) ?>">
+    <link rel="stylesheet" href="<?= htmlspecialchars(Bootstrap::url('assets/css/base.css')) ?>">
 </head>
 <body>
 <header class="site-header">
     <div class="container header-inner">
-        <a class="brand" href="/">
-            <img class="brand-logo" src="/assets/images/feuerwehr-Logo-invers.webp" alt="Feuerwehr Logo">
+        <a class="brand" href="<?= htmlspecialchars(Bootstrap::url('index.php')) ?>">
+            <img class="brand-logo" src="<?= htmlspecialchars(Bootstrap::url('assets/images/feuerwehr-Logo-invers.webp')) ?>" alt="Feuerwehr Logo">
             <div>
                 <div class="brand-title"><?= htmlspecialchars((string) $app['project_name']) ?></div>
                 <div class="brand-subtitle">Feuerwehr Freising</div>
@@ -170,9 +171,10 @@ function renderField(array $field): void
 window.APP_BOOT = {
     steps: <?= json_encode($steps, JSON_UNESCAPED_UNICODE | JSON_UNESCAPED_SLASHES) ?>,
     csrf: <?= json_encode($csrf, JSON_UNESCAPED_UNICODE | JSON_UNESCAPED_SLASHES) ?>,
-    contactEmail: <?= json_encode((string) ($app['contact_email'] ?? ''), JSON_UNESCAPED_UNICODE | JSON_UNESCAPED_SLASHES) ?>
+    contactEmail: <?= json_encode((string) ($app['contact_email'] ?? ''), JSON_UNESCAPED_UNICODE | JSON_UNESCAPED_SLASHES) ?>,
+    baseUrl: <?= json_encode($baseUrl, JSON_UNESCAPED_UNICODE | JSON_UNESCAPED_SLASHES) ?>
 };
 </script>
-<script src="/assets/js/form.js"></script>
+<script src="<?= htmlspecialchars(Bootstrap::url('assets/js/form.js')) ?>"></script>
 </body>
 </html>

scripts/wsl-dev-server-setup.sh

@@ -0,0 +1,93 @@
+#!/usr/bin/env bash
+# WSL dev server setup: remove Caddy, install Apache+PHP, configure for feuerwehr project.
+# Run with: bash scripts/wsl-dev-server-setup.sh
+# You will be prompted for sudo when needed.
+
+set -e
+
+PROJECT_NAME="feuerwehr-freising-antragsformular"
+REPO_ROOT="/home/user/${PROJECT_NAME}"
+WWW_ROOT="/var/www"
+VHOST_NAME="feuerwehr-dev"
+SERVER_NAME="feuerwehr.local"
+
+echo "=== 1. Remove Caddy ==="
+if systemctl is-active --quiet caddy 2>/dev/null; then
+  sudo systemctl stop caddy
+  echo "Stopped caddy."
+fi
+if systemctl is-enabled --quiet caddy 2>/dev/null; then
+  sudo systemctl disable caddy
+  echo "Disabled caddy."
+fi
+if command -v caddy &>/dev/null; then
+  sudo apt-get remove -y caddy || true
+  echo "Removed caddy package."
+fi
+if [ -d /etc/caddy ]; then
+  sudo rm -rf /etc/caddy
+  echo "Removed /etc/caddy."
+fi
+if [ -d /var/lib/caddy ]; then
+  sudo rm -rf /var/lib/caddy
+  echo "Removed /var/lib/caddy."
+fi
+echo "Caddy removal done."
+
+echo ""
+echo "=== 2. Install Apache and PHP ==="
+sudo apt-get update -qq
+sudo apt-get install -y apache2 libapache2-mod-php php php-cli php-json php-mbstring php-xml
+sudo a2enmod rewrite
+echo "Apache and PHP installed; mod_rewrite enabled."
+
+echo ""
+echo "=== 3. Document root and symlink ==="
+sudo mkdir -p "$WWW_ROOT"
+if [ ! -L "${WWW_ROOT}/${PROJECT_NAME}" ]; then
+  sudo ln -s "$REPO_ROOT" "${WWW_ROOT}/${PROJECT_NAME}"
+  echo "Symlink ${WWW_ROOT}/${PROJECT_NAME} -> ${REPO_ROOT} created."
+else
+  echo "Symlink ${WWW_ROOT}/${PROJECT_NAME} already exists."
+fi
+# Ensure www-data can read project and write storage
+sudo chmod -R o+rX "$REPO_ROOT"
+sudo chmod -R o+w "$REPO_ROOT/storage" 2>/dev/null || true
+echo "Permissions set for www-data."
+
+echo ""
+echo "=== 4. Apache vhost ==="
+VHOST_FILE="/etc/apache2/sites-available/${VHOST_NAME}.conf"
+sudo tee "$VHOST_FILE" << EOF
+<VirtualHost *:80>
+    ServerName ${SERVER_NAME}
+    DocumentRoot ${WWW_ROOT}/${PROJECT_NAME}
+    <Directory ${WWW_ROOT}/${PROJECT_NAME}>
+        AllowOverride All
+        Require all granted
+    </Directory>
+</VirtualHost>
+EOF
+echo "Vhost written to $VHOST_FILE."
+sudo a2ensite "${VHOST_NAME}.conf"
+# Disable default site if it would take port 80
+sudo a2dissite 000-default.conf 2>/dev/null || true
+sudo systemctl reload apache2
+echo "Site enabled and Apache reloaded."
+
+echo ""
+echo "=== Hosts entry ==="
+echo "Add this line to your hosts file so ${SERVER_NAME} resolves:"
+echo "  127.0.0.1 ${SERVER_NAME}"
+echo ""
+echo "  Windows (run as Admin): notepad C:\\Windows\\System32\\drivers\\etc\\hosts"
+echo "  WSL: sudo sed -i '/${SERVER_NAME}/d' /etc/hosts; echo '127.0.0.1 ${SERVER_NAME}' | sudo tee -a /etc/hosts"
+if ! grep -q "${SERVER_NAME}" /etc/hosts 2>/dev/null; then
+  echo "127.0.0.1 ${SERVER_NAME}" | sudo tee -a /etc/hosts
+  echo "Added ${SERVER_NAME} to /etc/hosts (WSL)."
+fi
+
+echo ""
+echo "=== Done ==="
+echo "Open http://${SERVER_NAME} in your browser to view the app."
+echo "To add more projects: symlink under ${WWW_ROOT}/ and add a new site in /etc/apache2/sites-available/."

src/Admin/Auth.php

@@ -64,7 +64,7 @@ final class Auth
         }
 
         if (!$this->isLoggedIn()) {
-            header('Location: /admin/login.php');
+            header('Location: ' . Bootstrap::url('admin/login.php'));
             exit;
         }
     }

src/App/Bootstrap.php

@@ -50,6 +50,30 @@ final class Bootstrap
         return is_array($value) ? $value : [];
     }
 
+    public static function baseUrl(): string
+    {
+        $app = self::config('app');
+        $configured = trim((string) ($app['base_url'] ?? '/'));
+
+        if ($configured === '' || $configured === '/') {
+            return '';
+        }
+
+        return '/' . trim($configured, '/');
+    }
+
+    public static function url(string $path = ''): string
+    {
+        $base = self::baseUrl();
+        $normalizedPath = ltrim($path, '/');
+
+        if ($normalizedPath === '') {
+            return $base !== '' ? ($base . '/') : '/';
+        }
+
+        return ($base !== '' ? $base : '') . '/' . $normalizedPath;
+    }
+
     /** @param array<string, mixed> $payload */
     public static function jsonResponse(array $payload, int $statusCode = 200): void
     {

storage/drafts/171850f6f2db42389515be04a34547b94c2ea40623447597f8115bb8a9c35e23.json

@@ -0,0 +1,38 @@
+{
+    "email": "inbox+1@medowar.de",
+    "application_key": "171850f6f2db42389515be04a34547b94c2ea40623447597f8115bb8a9c35e23",
+    "status": "draft",
+    "created_at": "2026-03-01T13:27:26+01:00",
+    "updated_at": "2026-03-01T13:31:28+01:00",
+    "expires_at": "2026-03-15T13:31:28+01:00",
+    "step": 3,
+    "form_data": {
+        "vorname": "",
+        "nachname": "",
+        "geburtsdatum": "",
+        "strasse": "",
+        "plz": "",
+        "ort": "",
+        "telefon": "",
+        "mitgliedsart": "",
+        "abteilung": "",
+        "ist_minderjaehrig": "",
+        "qualifikation_vorhanden": "",
+        "bemerkung": "",
+        "einwilligung_datenschutz": "1",
+        "einwilligung_ordnung": "1"
+    },
+    "uploads": {
+        "portraitfoto": [
+            {
+                "original_filename": "Medowar-logo.png",
+                "stored_dir": "171850f6f2db42389515be04a34547b94c2ea40623447597f8115bb8a9c35e23/portraitfoto/aec38684",
+                "stored_filename": "Medowar-logo.png",
+                "relative_path": "171850f6f2db42389515be04a34547b94c2ea40623447597f8115bb8a9c35e23/portraitfoto/aec38684/Medowar-logo.png",
+                "mime": "image/png",
+                "size": 101500,
+                "uploaded_at": "2026-03-01T13:29:22+01:00"
+            }
+        ]
+    }
+}

storage/rate_limit/10cde6e8c9d5a51a7afaf5763f648baf27610db5f198f1d9b289d30001e786bf.json

@@ -0,0 +1 @@
+[1772368191]

storage/rate_limit/3e75457ec3cf41f69e89ecfa6c2e742d72641697215fc22beb2cd42b45d7f11d.json

@@ -0,0 +1 @@
+[1772367699,1772367970]

storage/rate_limit/617de944e41ca7e8d68b17ab1d0261750d33b91f040a4f8030f6de1a24e72e69.json

@@ -0,0 +1 @@
+[1772368030,1772368030]

storage/rate_limit/74f39ed2a43bfebe59773e4d61c0a1608138c777769ada7adc937e364403f8d6.json

@@ -0,0 +1 @@
+[1772367999,1772368014]

storage/rate_limit/82a3ab8d9cae4b620abd6f88592b28068a20a4b201a3ba7f689df0419e1c43b6.json

@@ -0,0 +1 @@
+[1772368046,1772368061,1772368076,1772368092,1772368107,1772368122,1772368136,1772368136,1772368146,1772368150,1772368162,1772368165,1772368182,1772368183,1772368196,1772368213,1772368224,1772368226,1772368243,1772368258,1772368273,1772368288]

storage/rate_limit/9318aa04f60f69fc1a9c9de3ab00bbfe94579cac4a55a1fc683c31eb174c12d7.json

@@ -0,0 +1 @@
+[1772368016]

storage/rate_limit/b0fed1f6ec5edf838e5145f5335fffefdc0fdb436ced58d01fe2ac705f8b9007.json

@@ -0,0 +1 @@
+[1772367982,1772367982]

storage/rate_limit/b4c1180c18bed33aa365dd621eea52fddf34b767e76607fc90a419190e450ce3.json

@@ -0,0 +1 @@
+[1772367633,1772367697,1772367776]

storage/rate_limit/de95c8223d4d24b050ef53eabf0cf6d0a49a8ea3b9c7745c09aa776fa76de7ff.json

@@ -0,0 +1 @@
+[1772367666,1772367681,1772367791,1772367806,1772367821,1772367836,1772367851,1772367866,1772367881,1772367896,1772367911,1772367926,1772367941,1772367956]