Bump version to 1.17.8

- Feat: Verbrauchsauswertung – Ablesung korrigieren (Datum, Zählerstand,
  Korrekturnotiz) und löschen direkt aus der Tabelle (manage_kleingarten)
- Feat: Inventarverwaltung – Gegenstände erfassen, bearbeiten, löschen;
  Ausleihe und Rückgabe je Mitglied mit Notiz und Fälligkeitsdatum tracken;
  Export/Import integriert (InventoryRepository, Schema, Validator, DataTransfer)
- Feat: Jahresabrechnung Sperrstatus – Festschreiben/Freigeben mit
  serverseitiger Prüfung aller Schreibzugriffe auf Kosten und Preise

README.md

@@ -3,7 +3,7 @@ Contributors: ronnygrobel
 Tags: verein, mitgliederverwaltung, parzellen, zaehler, abrechnung
 Requires at least: 6.0
 Tested up to: 6.8
-Stable tag: 1.16.1
+Stable tag: 1.17.8
 Requires PHP: 7.2
 License: GPLv2 or later
 License URI: https://www.gnu.org/licenses/gpl-2.0.html
@@ -43,6 +43,44 @@ Ja, insbesondere fuer Kleingartenvereine und deren Verwaltungsprozesse.
 
 == Changelog ==
 
+= 1.17.8 =
+Feat: Verbrauchsauswertung – Ablesung korrigieren (Datum, Zählerstand, Korrekturnotiz) und löschen direkt aus der Tabelle.
+
+= 1.17.7 =
+Feat: Inventarverwaltung – Gegenstände (Werkzeug etc.) erfassen, bearbeiten, löschen. Ausleihe und Rückgabe je Mitglied mit Notiz und Fälligkeitsdatum tracken. Export/Import integriert.
+
+= 1.17.6 =
+Feat: Jahresabrechnung kann festgeschrieben (gesperrt) werden. Alle Schreibzugriffe auf Kosten, Preise und Parzellenzu­ordnungen prüfen den Sperrstatus serverseitig.
+
+= 1.17.5 =
+Fix: Spaltenbreiten in Abrechnungstabellen angepasst für bessere Lesbarkeit langer Texte.
+
+= 1.17.4 =
+Fix: Checkbox "Verpflichtende Position" bei Kostenposten wird jetzt korrekt gespeichert wenn sie deaktiviert ist.
+
+= 1.17.3 =
+Verbesserung: Kostenübersicht zeigt jetzt direkt pro Kostenposten den Status Verpflichtend oder Manuell in einer eigenen Spalte an.
+
+= 1.17.2 =
+Fix: Manuelle Kostenpositionen auf der Jahresabrechnung einer Parzelle werden nach dem Hinzufügen jetzt sofort korrekt berücksichtigt. Pflichtpositionen ohne Einschränkung werden in der Seitenleiste als automatisch aktiv dargestellt.
+
+= 1.17.1 =
+Feat: is_mandatory Flag für Kostenpositionstypen - Kostenposten können jetzt als "verpflichtend" oder "manuell/optional" gekennzeichnet werden. Checkbox in der Kostenposten-Bearbeitung.
+
+= 1.17.0 =
+Parzellenspezifische Kostenpositionenzuweisung: Kostenposten können jetzt einzelnen Parzellen zugeordnet werden (z.B. Versicherung nur für bestimmte Parzellen). Editor auf der Jahresabrechnung Parzelle Seite mit übersichtlicher Liste und Hinzufügen/Entfernen-Funktionen. Zuordnungen werden in einer separaten Tabelle gespeichert und sind vollständig in Export/Import integriert.
+
+= 1.16.3 =
+* Datensicherung erweitert: Export und Import umfassen jetzt zusätzlich die zugehörigen WordPress-Mitgliederkonten inklusive Metadaten.
+
+= 1.16.2 =
+* Neue Datensicherungsfunktion unter Einstellungen: Export und Import aller kgvvm-Tabellen als JSON.
+* Import mit Sicherheitsprüfung und vollständigem Überschreiben der vorhandenen Plugin-Daten.
+
+= 1.16.1 =
+* Wartungsrelease mit synchronisierter Versionsnummer in Plugin-Header, Konstante und Readme-Dateien.
+* Release-Tag 1.16.1 gesetzt.
+
 = 1.16.0 =
 * Neues Modul Arbeitsstunden im Adminbereich mit drei Bereichen: geleistete Arbeiten, Mitgliederuebersicht und Arbeitsarten.
 * Pflichtstunden je Mitglied pro Jahr konfigurierbar, inklusive variablem Preis je fehlender Stunde fuer den Aufschlag in der Jahresrechnung.

includes/DataTransfer.php

@@ -0,0 +1,415 @@
+<?php
+/**
+ * Export and import all kgvvm plugin data as JSON.
+ *
+ * @package KGV\VereinManager
+ */
+
+namespace KGV\VereinManager;
+
+if ( ! defined( 'ABSPATH' ) ) {
+	exit;
+}
+
+class DataTransfer {
+
+	/** @var \wpdb */
+	private $wpdb;
+
+	/**
+	 * Table keys in dependency order (parent before child).
+	 *
+	 * @var string[]
+	 */
+	private static $table_keys = array(
+		'sections',
+		'parcels',
+		'tenants',
+		'inventory_items',
+		'parcel_members',
+		'parcel_tenants',
+		'meters',
+		'meter_readings',
+		'chat_messages',
+		'cost_years',
+		'cost_rates',
+		'cost_entries',
+		'parcel_cost_assignments',
+		'work_jobs',
+		'work_year_config',
+		'work_logs',
+		'work_log_members',
+		'inventory_loans',
+	);
+
+	public function __construct( \wpdb $wpdb ) {
+		$this->wpdb = $wpdb;
+	}
+
+	// -------------------------------------------------------------------------
+	// Export
+	// -------------------------------------------------------------------------
+
+	/**
+	 * Build the export payload as an associative array.
+	 *
+	 * @return array
+	 */
+	public function build_export() {
+		$payload = array(
+			'plugin'    => 'kgv-verein-manager',
+			'version'   => KGVVM_VERSION,
+			'exported'  => gmdate( 'Y-m-d\TH:i:s\Z' ),
+			'members'   => array(),
+			'tables'    => array(),
+		);
+
+		$payload['members'] = $this->export_members();
+
+		foreach ( self::$table_keys as $key ) {
+			$table = Schema::table( $key );
+			if ( '' === $table ) {
+				continue;
+			}
+			// phpcs:ignore WordPress.DB.PreparedSQL.NotPrepared,WordPress.DB.DirectDatabaseQuery.DirectQuery,WordPress.DB.DirectDatabaseQuery.NoCaching
+			$rows = $this->wpdb->get_results( "SELECT * FROM {$table}", ARRAY_A );
+			$payload['tables'][ $key ] = is_array( $rows ) ? $rows : array();
+		}
+
+		return $payload;
+	}
+
+	/**
+	 * Export all member user accounts relevant to the plugin.
+	 *
+	 * @return array
+	 */
+	private function export_members() {
+		$ids = $this->collect_member_user_ids();
+
+		if ( empty( $ids ) ) {
+			return array(
+				'ids'      => array(),
+				'users'    => array(),
+				'usermeta' => array(),
+			);
+		}
+
+		$placeholders = implode( ', ', array_fill( 0, count( $ids ), '%d' ) );
+
+		$users_sql = "SELECT ID, user_login, user_pass, user_nicename, user_email, user_url, user_registered, user_activation_key, user_status, display_name
+			FROM {$this->wpdb->users}
+			WHERE ID IN ({$placeholders})
+			ORDER BY ID ASC";
+
+		$meta_sql = "SELECT user_id, meta_key, meta_value
+			FROM {$this->wpdb->usermeta}
+			WHERE user_id IN ({$placeholders})
+			ORDER BY user_id ASC, umeta_id ASC";
+
+		// phpcs:ignore WordPress.DB.PreparedSQL.NotPrepared
+		$users = $this->wpdb->get_results( $this->wpdb->prepare( $users_sql, $ids ), ARRAY_A );
+		// phpcs:ignore WordPress.DB.PreparedSQL.NotPrepared
+		$meta = $this->wpdb->get_results( $this->wpdb->prepare( $meta_sql, $ids ), ARRAY_A );
+
+		return array(
+			'ids'      => $ids,
+			'users'    => is_array( $users ) ? $users : array(),
+			'usermeta' => is_array( $meta ) ? $meta : array(),
+		);
+	}
+
+	/**
+	 * Collect all user IDs relevant for member data export.
+	 *
+	 * @return int[]
+	 */
+	private function collect_member_user_ids() {
+		$ids = array();
+
+		$member_query = new \WP_User_Query(
+			array(
+				'role'    => Roles::MEMBER_ROLE,
+				'fields'  => 'ID',
+				'number'  => 2000,
+				'orderby' => 'ID',
+				'order'   => 'ASC',
+			)
+		);
+		$ids = array_merge( $ids, (array) $member_query->get_results() );
+
+		$parcel_members_table = Schema::table( 'parcel_members' );
+		if ( '' !== $parcel_members_table ) {
+			// phpcs:ignore WordPress.DB.PreparedSQL.NotPrepared,WordPress.DB.DirectDatabaseQuery.DirectQuery
+			$ids = array_merge( $ids, (array) $this->wpdb->get_col( "SELECT DISTINCT user_id FROM {$parcel_members_table}" ) );
+		}
+
+		$work_log_members_table = Schema::table( 'work_log_members' );
+		if ( '' !== $work_log_members_table ) {
+			// phpcs:ignore WordPress.DB.PreparedSQL.NotPrepared,WordPress.DB.DirectDatabaseQuery.DirectQuery
+			$ids = array_merge( $ids, (array) $this->wpdb->get_col( "SELECT DISTINCT user_id FROM {$work_log_members_table}" ) );
+		}
+
+		$ids = array_values( array_unique( array_filter( array_map( 'absint', $ids ) ) ) );
+		sort( $ids, SORT_NUMERIC );
+
+		return $ids;
+	}
+
+	/**
+	 * Send the export as a JSON file download and exit.
+	 *
+	 * @return void
+	 */
+	public function send_download() {
+		$payload  = $this->build_export();
+		$json     = wp_json_encode( $payload, JSON_PRETTY_PRINT | JSON_UNESCAPED_UNICODE );
+		$filename = 'kgvvm-export-' . gmdate( 'Y-m-d' ) . '.json';
+
+		nocache_headers();
+		header( 'Content-Type: application/json; charset=utf-8' );
+		header( 'Content-Disposition: attachment; filename="' . $filename . '"' );
+		header( 'Content-Length: ' . strlen( $json ) );
+		echo $json; // phpcs:ignore WordPress.Security.EscapeOutput.OutputNotEscaped
+		exit;
+	}
+
+	// -------------------------------------------------------------------------
+	// Import
+	// -------------------------------------------------------------------------
+
+	/**
+	 * Validate and import data from a decoded JSON array.
+	 *
+	 * Returns an array with keys 'imported' (int[]), 'skipped' (string[]), 'errors' (string[]).
+	 *
+	 * @param array $payload Decoded JSON payload.
+	 * @return array
+	 */
+	public function import( array $payload ) {
+		$result = array(
+			'imported' => array(),
+			'skipped'  => array(),
+			'errors'   => array(),
+		);
+
+		if ( empty( $payload['plugin'] ) || 'kgv-verein-manager' !== $payload['plugin'] ) {
+			$result['errors'][] = __( 'Die Datei stammt nicht vom KGV Verein Manager Plugin.', KGVVM_TEXT_DOMAIN );
+			return $result;
+		}
+
+		if ( empty( $payload['tables'] ) || ! is_array( $payload['tables'] ) ) {
+			$result['errors'][] = __( 'Die Exportdatei enthält keine Tabellendaten.', KGVVM_TEXT_DOMAIN );
+			return $result;
+		}
+
+		// Wrap everything in a transaction so a partial failure can be rolled back.
+		$this->wpdb->query( 'SET FOREIGN_KEY_CHECKS = 0' ); // phpcs:ignore WordPress.DB.DirectDatabaseQuery.DirectQuery
+		$this->wpdb->query( 'START TRANSACTION' ); // phpcs:ignore WordPress.DB.DirectDatabaseQuery.DirectQuery
+
+		if ( ! empty( $payload['members'] ) && is_array( $payload['members'] ) ) {
+			$member_result = $this->import_members( $payload['members'] );
+			if ( ! empty( $member_result['errors'] ) ) {
+				$result['errors'] = array_merge( $result['errors'], $member_result['errors'] );
+				$this->wpdb->query( 'ROLLBACK' ); // phpcs:ignore WordPress.DB.DirectDatabaseQuery.DirectQuery
+				$this->wpdb->query( 'SET FOREIGN_KEY_CHECKS = 1' ); // phpcs:ignore WordPress.DB.DirectDatabaseQuery.DirectQuery
+				return $result;
+			}
+			$result['imported']['wp_members']     = isset( $member_result['users'] ) ? (int) $member_result['users'] : 0;
+			$result['imported']['wp_member_meta'] = isset( $member_result['meta'] ) ? (int) $member_result['meta'] : 0;
+		}
+
+		// Truncate in reverse dependency order.
+		foreach ( array_reverse( self::$table_keys ) as $key ) {
+			if ( ! isset( $payload['tables'][ $key ] ) ) {
+				continue;
+			}
+			$table = Schema::table( $key );
+			if ( '' === $table ) {
+				continue;
+			}
+			// phpcs:ignore WordPress.DB.PreparedSQL.NotPrepared,WordPress.DB.DirectDatabaseQuery.DirectQuery
+			$this->wpdb->query( "TRUNCATE TABLE {$table}" );
+		}
+
+		// Re-insert in dependency order.
+		foreach ( self::$table_keys as $key ) {
+			if ( ! isset( $payload['tables'][ $key ] ) ) {
+				$result['skipped'][] = $key;
+				continue;
+			}
+
+			$table = Schema::table( $key );
+			if ( '' === $table ) {
+				$result['skipped'][] = $key;
+				continue;
+			}
+
+			$rows  = (array) $payload['tables'][ $key ];
+			$count = 0;
+
+			foreach ( $rows as $row ) {
+				if ( ! is_array( $row ) || empty( $row ) ) {
+					continue;
+				}
+				// Sanitize keys – only allow simple column names.
+				$clean = array();
+				foreach ( $row as $col => $val ) {
+					$col_clean = preg_replace( '/[^a-zA-Z0-9_]/', '', (string) $col );
+					if ( '' !== $col_clean ) {
+						$clean[ $col_clean ] = $val;
+					}
+				}
+
+				$inserted = $this->wpdb->insert( $table, $clean ); // phpcs:ignore WordPress.DB.DirectDatabaseQuery.DirectQuery
+				if ( false !== $inserted ) {
+					$count++;
+				} else {
+					$result['errors'][] = sprintf(
+						/* translators: 1: table key 2: DB error */
+						__( 'Fehler beim Einfügen in %1$s: %2$s', KGVVM_TEXT_DOMAIN ),
+						$key,
+						(string) $this->wpdb->last_error
+					);
+				}
+			}
+
+			$result['imported'][ $key ] = $count;
+		}
+
+		if ( empty( $result['errors'] ) ) {
+			$this->wpdb->query( 'COMMIT' ); // phpcs:ignore WordPress.DB.DirectDatabaseQuery.DirectQuery
+		} else {
+			$this->wpdb->query( 'ROLLBACK' ); // phpcs:ignore WordPress.DB.DirectDatabaseQuery.DirectQuery
+		}
+
+		$this->wpdb->query( 'SET FOREIGN_KEY_CHECKS = 1' ); // phpcs:ignore WordPress.DB.DirectDatabaseQuery.DirectQuery
+
+		return $result;
+	}
+
+	/**
+	 * Import member user accounts and their usermeta.
+	 *
+	 * @param array $members Member payload from export.
+	 * @return array
+	 */
+	private function import_members( array $members ) {
+		$result = array(
+			'users'  => 0,
+			'meta'   => 0,
+			'errors' => array(),
+		);
+
+		$users = isset( $members['users'] ) && is_array( $members['users'] ) ? $members['users'] : array();
+		$meta  = isset( $members['usermeta'] ) && is_array( $members['usermeta'] ) ? $members['usermeta'] : array();
+
+		if ( empty( $users ) ) {
+			return $result;
+		}
+
+		$imported_user_ids = array();
+
+		foreach ( $users as $row ) {
+			if ( ! is_array( $row ) ) {
+				continue;
+			}
+
+			$user_id = isset( $row['ID'] ) ? absint( $row['ID'] ) : 0;
+			$login   = isset( $row['user_login'] ) ? sanitize_user( (string) $row['user_login'], true ) : '';
+			$email   = isset( $row['user_email'] ) ? sanitize_email( (string) $row['user_email'] ) : '';
+
+			if ( $user_id < 1 || '' === $login || '' === $email ) {
+				continue;
+			}
+
+			$data = array(
+				'user_login'          => $login,
+				'user_pass'           => isset( $row['user_pass'] ) ? (string) $row['user_pass'] : '',
+				'user_nicename'       => isset( $row['user_nicename'] ) ? sanitize_title( (string) $row['user_nicename'] ) : sanitize_title( $login ),
+				'user_email'          => $email,
+				'user_url'            => isset( $row['user_url'] ) ? esc_url_raw( (string) $row['user_url'] ) : '',
+				'user_registered'     => isset( $row['user_registered'] ) ? (string) $row['user_registered'] : current_time( 'mysql', true ),
+				'user_activation_key' => isset( $row['user_activation_key'] ) ? (string) $row['user_activation_key'] : '',
+				'user_status'         => isset( $row['user_status'] ) ? (int) $row['user_status'] : 0,
+				'display_name'        => isset( $row['display_name'] ) ? sanitize_text_field( (string) $row['display_name'] ) : $login,
+			);
+
+			$exists = (int) $this->wpdb->get_var( $this->wpdb->prepare( "SELECT COUNT(*) FROM {$this->wpdb->users} WHERE ID = %d", $user_id ) ); // phpcs:ignore WordPress.DB.PreparedSQL.NotPrepared
+
+			if ( $exists > 0 ) {
+				$updated = $this->wpdb->update( $this->wpdb->users, $data, array( 'ID' => $user_id ) );
+				if ( false === $updated ) {
+					$result['errors'][] = sprintf(
+						/* translators: %d: user id */
+						__( 'Mitglied mit ID %d konnte nicht aktualisiert werden.', KGVVM_TEXT_DOMAIN ),
+						$user_id
+					);
+					continue;
+				}
+			} else {
+				$insert_data       = $data;
+				$insert_data['ID'] = $user_id;
+				$inserted          = $this->wpdb->insert( $this->wpdb->users, $insert_data );
+				if ( false === $inserted ) {
+					$result['errors'][] = sprintf(
+						/* translators: 1: user id 2: DB error */
+						__( 'Mitglied mit ID %1$d konnte nicht angelegt werden: %2$s', KGVVM_TEXT_DOMAIN ),
+						$user_id,
+						(string) $this->wpdb->last_error
+					);
+					continue;
+				}
+			}
+
+			$imported_user_ids[] = $user_id;
+			$result['users']++;
+		}
+
+		$imported_user_ids = array_values( array_unique( array_filter( array_map( 'absint', $imported_user_ids ) ) ) );
+
+		if ( empty( $imported_user_ids ) || empty( $meta ) ) {
+			return $result;
+		}
+
+		$placeholders = implode( ', ', array_fill( 0, count( $imported_user_ids ), '%d' ) );
+		$delete_sql   = "DELETE FROM {$this->wpdb->usermeta} WHERE user_id IN ({$placeholders})";
+		// phpcs:ignore WordPress.DB.PreparedSQL.NotPrepared
+		$this->wpdb->query( $this->wpdb->prepare( $delete_sql, $imported_user_ids ) );
+
+		$allowed_ids = array_flip( $imported_user_ids );
+
+		foreach ( $meta as $row ) {
+			if ( ! is_array( $row ) ) {
+				continue;
+			}
+
+			$user_id = isset( $row['user_id'] ) ? absint( $row['user_id'] ) : 0;
+			if ( $user_id < 1 || ! isset( $allowed_ids[ $user_id ] ) ) {
+				continue;
+			}
+
+			$meta_key = isset( $row['meta_key'] ) ? (string) $row['meta_key'] : '';
+			if ( '' === $meta_key ) {
+				continue;
+			}
+
+			$meta_value = isset( $row['meta_value'] ) ? maybe_serialize( maybe_unserialize( $row['meta_value'] ) ) : '';
+
+			$inserted = $this->wpdb->insert(
+				$this->wpdb->usermeta,
+				array(
+					'user_id'    => $user_id,
+					'meta_key'   => $meta_key,
+					'meta_value' => $meta_value,
+				)
+			);
+
+			if ( false !== $inserted ) {
+				$result['meta']++;
+			}
+		}
+
+		return $result;
+	}
+}

includes/Repositories/CostRepository.php

@@ -93,11 +93,12 @@ class CostRepository extends AbstractRepository {
 			'distribution_type' => isset( $data['distribution_type'] ) ? $data['distribution_type'] : 'parcel',
 			'unit_amount'       => isset( $data['unit_amount'] ) ? (float) $data['unit_amount'] : 0,
 			'total_cost'        => (float) $data['total_cost'],
+			'is_mandatory'      => isset( $data['is_mandatory'] ) ? (int) (bool) $data['is_mandatory'] : 1,
 			'note'              => $data['note'],
 			'updated_at'        => $this->now(),
 		);
 
-		$formats = array( '%d', '%s', '%s', '%f', '%f', '%s', '%s' );
+		$formats = array( '%d', '%s', '%s', '%f', '%f', '%d', '%s', '%s' );
 
 		$this->ensure_year( $payload['entry_year'] );
 
@@ -107,7 +108,7 @@ class CostRepository extends AbstractRepository {
 		}
 
 		$payload['created_at'] = $this->now();
-		$this->wpdb->insert( $this->table, $payload, array( '%d', '%s', '%s', '%f', '%f', '%s', '%s', '%s' ) );
+		$this->wpdb->insert( $this->table, $payload, array( '%d', '%s', '%s', '%f', '%f', '%d', '%s', '%s', '%s' ) );
 
 		return $this->wpdb->insert_id;
 	}
@@ -221,6 +222,75 @@ class CostRepository extends AbstractRepository {
 		return $this->wpdb->get_row( $this->wpdb->prepare( "SELECT * FROM {$year_table} WHERE entry_year = %d", $year ) ); // phpcs:ignore WordPress.DB.PreparedSQL.NotPrepared
 	}
 
+	/**
+	 * Get lock state for one statement year.
+	 *
+	 * @param int $year Selected year.
+	 * @return array
+	 */
+	public function get_statement_lock_state( $year ) {
+		$details = $this->get_year_details( $year );
+
+		if ( ! $details ) {
+			return array(
+				'is_locked' => false,
+				'locked_at' => null,
+				'locked_by' => 0,
+			);
+		}
+
+		return array(
+			'is_locked' => ! empty( $details->statement_is_locked ) && 1 === (int) $details->statement_is_locked,
+			'locked_at' => isset( $details->statement_locked_at ) ? $details->statement_locked_at : null,
+			'locked_by' => isset( $details->statement_locked_by ) ? (int) $details->statement_locked_by : 0,
+		);
+	}
+
+	/**
+	 * Check whether statement data for one year is locked.
+	 *
+	 * @param int $year Selected year.
+	 * @return bool
+	 */
+	public function is_statement_locked( $year ) {
+		$state = $this->get_statement_lock_state( $year );
+
+		return ! empty( $state['is_locked'] );
+	}
+
+	/**
+	 * Lock or unlock a statement year.
+	 *
+	 * @param int  $year       Selected year.
+	 * @param bool $is_locked  Target lock state.
+	 * @param int  $locked_by  User ID that changes the state.
+	 * @return bool
+	 */
+	public function set_statement_lock( $year, $is_locked, $locked_by = 0 ) {
+		$year = absint( $year );
+
+		if ( $year < 1 || ! $this->ensure_year( $year ) ) {
+			return false;
+		}
+
+		$payload = array(
+			'statement_is_locked' => $is_locked ? 1 : 0,
+			'statement_locked_at' => $is_locked ? $this->now() : null,
+			'statement_locked_by' => $is_locked ? absint( $locked_by ) : 0,
+			'updated_at'          => $this->now(),
+		);
+
+		$result = $this->wpdb->update(
+			$this->year_table(),
+			$payload,
+			array( 'entry_year' => $year ),
+			array( '%d', '%s', '%d', '%s' ),
+			array( '%d' )
+		);
+
+		return false !== $result;
+	}
+
 	/**
 	 * Save section-specific yearly prices.
 	 *
@@ -310,4 +380,146 @@ class CostRepository extends AbstractRepository {
 
 		return (float) $total;
 	}
+
+	// -------------------------------------------------------------------------
+	// Parcel cost assignments
+	// -------------------------------------------------------------------------
+
+	/**
+	 * Get the parcel cost assignments table name.
+	 *
+	 * @return string
+	 */
+	private function assignment_table() {
+		return Schema::table( 'parcel_cost_assignments' );
+	}
+
+	/**
+	 * Get cost entry IDs assigned to a specific parcel.
+	 *
+	 * @param int $parcel_id Parcel ID.
+	 * @return int[]
+	 */
+	public function get_assigned_entry_ids( $parcel_id ) {
+		$parcel_id = absint( $parcel_id );
+		$table     = $this->assignment_table();
+
+		if ( $parcel_id < 1 || '' === $table ) {
+			return array();
+		}
+
+		$ids = $this->wpdb->get_col( $this->wpdb->prepare( "SELECT cost_entry_id FROM {$table} WHERE parcel_id = %d", $parcel_id ) ); // phpcs:ignore WordPress.DB.PreparedSQL.NotPrepared
+
+		return array_map( 'intval', (array) $ids );
+	}
+
+	/**
+	 * Get all cost entry IDs that have at least one parcel assignment.
+	 *
+	 * @param int $year Optional – filter by entry year (0 = all years).
+	 * @return int[]
+	 */
+	public function get_entry_ids_with_assignments( $year = 0 ) {
+		$table = $this->assignment_table();
+
+		if ( '' === $table ) {
+			return array();
+		}
+
+		$year = absint( $year );
+
+		if ( $year > 0 ) {
+			$ids = $this->wpdb->get_col( $this->wpdb->prepare( // phpcs:ignore WordPress.DB.PreparedSQL.NotPrepared
+				"SELECT DISTINCT a.cost_entry_id FROM {$table} a
+				 INNER JOIN {$this->table} e ON e.id = a.cost_entry_id
+				 WHERE e.entry_year = %d",
+				$year
+			) );
+		} else {
+			$ids = $this->wpdb->get_col( "SELECT DISTINCT cost_entry_id FROM {$table}" ); // phpcs:ignore WordPress.DB.PreparedSQL.NotPrepared,WordPress.DB.DirectDatabaseQuery.DirectQuery
+		}
+
+		return array_map( 'intval', (array) $ids );
+	}
+
+	/**
+	 * Assign a cost entry to a parcel.
+	 *
+	 * @param int $parcel_id     Parcel ID.
+	 * @param int $cost_entry_id Cost entry ID.
+	 * @return bool
+	 */
+	public function assign_to_parcel( $parcel_id, $cost_entry_id ) {
+		$parcel_id     = absint( $parcel_id );
+		$cost_entry_id = absint( $cost_entry_id );
+		$table         = $this->assignment_table();
+
+		if ( $parcel_id < 1 || $cost_entry_id < 1 || '' === $table ) {
+			return false;
+		}
+
+		$exists = (int) $this->wpdb->get_var( $this->wpdb->prepare( // phpcs:ignore WordPress.DB.PreparedSQL.NotPrepared
+			"SELECT COUNT(*) FROM {$table} WHERE parcel_id = %d AND cost_entry_id = %d",
+			$parcel_id,
+			$cost_entry_id
+		) );
+
+		if ( $exists > 0 ) {
+			return true;
+		}
+
+		$result = $this->wpdb->insert(
+			$table,
+			array(
+				'parcel_id'     => $parcel_id,
+				'cost_entry_id' => $cost_entry_id,
+				'created_at'    => $this->now(),
+			),
+			array( '%d', '%d', '%s' )
+		);
+
+		return false !== $result;
+	}
+
+	/**
+	 * Remove a cost entry assignment from a parcel.
+	 *
+	 * @param int $parcel_id     Parcel ID.
+	 * @param int $cost_entry_id Cost entry ID.
+	 * @return bool
+	 */
+	public function unassign_from_parcel( $parcel_id, $cost_entry_id ) {
+		$parcel_id     = absint( $parcel_id );
+		$cost_entry_id = absint( $cost_entry_id );
+		$table         = $this->assignment_table();
+
+		if ( $parcel_id < 1 || $cost_entry_id < 1 || '' === $table ) {
+			return false;
+		}
+
+		$result = $this->wpdb->delete(
+			$table,
+			array(
+				'parcel_id'     => $parcel_id,
+				'cost_entry_id' => $cost_entry_id,
+			),
+			array( '%d', '%d' )
+		);
+
+		return false !== $result;
+	}
+
+	/**
+	 * Remove all parcel assignments for a cost entry (e.g. when the entry is deleted).
+	 *
+	 * @param int $cost_entry_id Cost entry ID.
+	 * @return void
+	 */
+	public function delete_assignments_for_entry( $cost_entry_id ) {
+		$table = $this->assignment_table();
+
+		if ( '' !== $table && absint( $cost_entry_id ) > 0 ) {
+			$this->wpdb->delete( $table, array( 'cost_entry_id' => absint( $cost_entry_id ) ), array( '%d' ) );
+		}
+	}
 }

includes/Repositories/InventoryRepository.php

@@ -0,0 +1,336 @@
+<?php
+/**
+ * Inventory repository.
+ *
+ * @package KGV\VereinManager
+ */
+
+namespace KGV\VereinManager\Repositories;
+
+use KGV\VereinManager\Schema;
+
+if ( ! defined( 'ABSPATH' ) ) {
+	exit;
+}
+
+class InventoryRepository extends AbstractRepository {
+
+	/**
+	 * Resolve main inventory table name.
+	 *
+	 * @return string
+	 */
+	protected function resolve_table() {
+		return Schema::table( 'inventory_items' );
+	}
+
+	/**
+	 * Resolve loan table name.
+	 *
+	 * @return string
+	 */
+	private function loans_table() {
+		return Schema::table( 'inventory_loans' );
+	}
+
+	/**
+	 * Search inventory items.
+	 *
+	 * @param array $args Query arguments.
+	 * @return array
+	 */
+	public function search_items( $args = array() ) {
+		$search  = isset( $args['s'] ) ? sanitize_text_field( wp_unslash( $args['s'] ) ) : '';
+		$status  = isset( $args['status'] ) ? sanitize_key( wp_unslash( $args['status'] ) ) : '';
+		$orderby = $this->sanitize_orderby( isset( $args['orderby'] ) ? sanitize_key( wp_unslash( $args['orderby'] ) ) : 'name', array( 'name', 'total_quantity', 'available_quantity', 'is_active', 'updated_at' ), 'name' );
+		$order   = $this->sanitize_order( isset( $args['order'] ) ? sanitize_key( wp_unslash( $args['order'] ) ) : 'ASC' );
+
+		$sql    = "SELECT * FROM {$this->table} WHERE 1=1";
+		$params = array();
+
+		if ( '' !== $search ) {
+			$like     = '%' . $this->wpdb->esc_like( $search ) . '%';
+			$sql     .= ' AND (name LIKE %s OR storage_location LIKE %s OR description LIKE %s)';
+			$params[] = $like;
+			$params[] = $like;
+			$params[] = $like;
+		}
+
+		if ( in_array( $status, array( 'active', 'inactive' ), true ) ) {
+			$sql     .= ' AND is_active = %d';
+			$params[] = 'active' === $status ? 1 : 0;
+		}
+
+		$sql .= " ORDER BY {$orderby} {$order}, id DESC";
+
+		if ( ! empty( $params ) ) {
+			return $this->wpdb->get_results( $this->wpdb->prepare( $sql, $params ) ); // phpcs:ignore WordPress.DB.PreparedSQL.NotPrepared
+		}
+
+		return $this->wpdb->get_results( $sql ); // phpcs:ignore WordPress.DB.PreparedSQL.NotPrepared,WordPress.DB.DirectDatabaseQuery.DirectQuery
+	}
+
+	/**
+	 * Save or update one inventory item.
+	 *
+	 * @param array $data Item payload.
+	 * @param int   $id   Optional item ID.
+	 * @return int|false
+	 */
+	public function save_item( $data, $id = 0 ) {
+		$payload = array(
+			'name'               => $data['name'],
+			'total_quantity'     => max( 0, (int) $data['total_quantity'] ),
+			'available_quantity' => max( 0, (int) $data['available_quantity'] ),
+			'storage_location'   => isset( $data['storage_location'] ) ? $data['storage_location'] : '',
+			'description'        => isset( $data['description'] ) ? $data['description'] : '',
+			'is_active'          => ! empty( $data['is_active'] ) ? 1 : 0,
+			'updated_at'         => $this->now(),
+		);
+
+		if ( $payload['available_quantity'] > $payload['total_quantity'] ) {
+			$payload['available_quantity'] = $payload['total_quantity'];
+		}
+
+		if ( $id > 0 ) {
+			$result = $this->wpdb->update(
+				$this->table,
+				$payload,
+				array( 'id' => absint( $id ) ),
+				array( '%s', '%d', '%d', '%s', '%s', '%d', '%s' ),
+				array( '%d' )
+			);
+
+			return false !== $result ? (int) $id : false;
+		}
+
+		$payload['created_at'] = $this->now();
+		$result                = $this->wpdb->insert( $this->table, $payload, array( '%s', '%d', '%d', '%s', '%s', '%d', '%s', '%s' ) );
+
+		return false !== $result ? (int) $this->wpdb->insert_id : false;
+	}
+
+	/**
+	 * Check whether one item has open loans.
+	 *
+	 * @param int $item_id Item ID.
+	 * @return bool
+	 */
+	public function has_open_loans( $item_id ) {
+		$item_id = absint( $item_id );
+		$table   = $this->loans_table();
+
+		if ( $item_id < 1 || '' === $table ) {
+			return false;
+		}
+
+		$count = (int) $this->wpdb->get_var( $this->wpdb->prepare( "SELECT COUNT(*) FROM {$table} WHERE item_id = %d AND status = %s", $item_id, 'open' ) ); // phpcs:ignore WordPress.DB.PreparedSQL.NotPrepared
+
+		return $count > 0;
+	}
+
+	/**
+	 * Get total currently borrowed quantity for one item.
+	 *
+	 * @param int $item_id Item ID.
+	 * @return int
+	 */
+	public function get_open_borrowed_quantity( $item_id ) {
+		$item_id = absint( $item_id );
+		$table   = $this->loans_table();
+
+		if ( $item_id < 1 || '' === $table ) {
+			return 0;
+		}
+
+		$sum = (int) $this->wpdb->get_var( $this->wpdb->prepare( "SELECT COALESCE(SUM(borrowed_quantity), 0) FROM {$table} WHERE item_id = %d AND status = %s", $item_id, 'open' ) ); // phpcs:ignore WordPress.DB.PreparedSQL.NotPrepared
+
+		return max( 0, $sum );
+	}
+
+	/**
+	 * Borrow an inventory item.
+	 *
+	 * @param int    $item_id   Item ID.
+	 * @param int    $user_id   Borrower user ID.
+	 * @param int    $quantity  Quantity.
+	 * @param string $due_date  Optional due date.
+	 * @param string $note      Optional note.
+	 * @return bool
+	 */
+	public function borrow_item( $item_id, $user_id, $quantity, $due_date = '', $note = '' ) {
+		$item_id  = absint( $item_id );
+		$user_id  = absint( $user_id );
+		$quantity = max( 0, (int) $quantity );
+		$loan_tab = $this->loans_table();
+
+		if ( $item_id < 1 || $user_id < 1 || $quantity < 1 || '' === $loan_tab ) {
+			return false;
+		}
+
+		$item = $this->find( $item_id );
+
+		if ( ! $item || (int) $item->available_quantity < $quantity ) {
+			return false;
+		}
+
+		$this->wpdb->query( 'START TRANSACTION' ); // phpcs:ignore WordPress.DB.DirectDatabaseQuery.DirectQuery
+
+		$inserted = $this->wpdb->insert(
+			$loan_tab,
+			array(
+				'item_id'           => $item_id,
+				'user_id'           => $user_id,
+				'borrowed_quantity' => $quantity,
+				'borrowed_at'       => $this->now(),
+				'due_date'          => '' !== $due_date ? $due_date : null,
+				'returned_at'       => null,
+				'note'              => $note,
+				'return_note'       => '',
+				'status'            => 'open',
+				'created_at'        => $this->now(),
+				'updated_at'        => $this->now(),
+			),
+			array( '%d', '%d', '%d', '%s', '%s', '%s', '%s', '%s', '%s', '%s', '%s' )
+		);
+
+		if ( false === $inserted ) {
+			$this->wpdb->query( 'ROLLBACK' ); // phpcs:ignore WordPress.DB.DirectDatabaseQuery.DirectQuery
+			return false;
+		}
+
+		$updated = $this->wpdb->update(
+			$this->table,
+			array(
+				'available_quantity' => max( 0, (int) $item->available_quantity - $quantity ),
+				'updated_at'         => $this->now(),
+			),
+			array( 'id' => $item_id ),
+			array( '%d', '%s' ),
+			array( '%d' )
+		);
+
+		if ( false === $updated ) {
+			$this->wpdb->query( 'ROLLBACK' ); // phpcs:ignore WordPress.DB.DirectDatabaseQuery.DirectQuery
+			return false;
+		}
+
+		$this->wpdb->query( 'COMMIT' ); // phpcs:ignore WordPress.DB.DirectDatabaseQuery.DirectQuery
+		return true;
+	}
+
+	/**
+	 * Return one open loan.
+	 *
+	 * @param int    $loan_id      Loan ID.
+	 * @param string $return_note  Optional return note.
+	 * @return bool
+	 */
+	public function return_loan( $loan_id, $return_note = '' ) {
+		$loan_id  = absint( $loan_id );
+		$loan_tab = $this->loans_table();
+
+		if ( $loan_id < 1 || '' === $loan_tab ) {
+			return false;
+		}
+
+		$loan = $this->wpdb->get_row( $this->wpdb->prepare( "SELECT * FROM {$loan_tab} WHERE id = %d", $loan_id ) ); // phpcs:ignore WordPress.DB.PreparedSQL.NotPrepared
+
+		if ( ! $loan || 'open' !== $loan->status ) {
+			return false;
+		}
+
+		$item = $this->find( (int) $loan->item_id );
+
+		if ( ! $item ) {
+			return false;
+		}
+
+		$this->wpdb->query( 'START TRANSACTION' ); // phpcs:ignore WordPress.DB.DirectDatabaseQuery.DirectQuery
+
+		$updated_loan = $this->wpdb->update(
+			$loan_tab,
+			array(
+				'status'      => 'returned',
+				'returned_at' => $this->now(),
+				'return_note' => $return_note,
+				'updated_at'  => $this->now(),
+			),
+			array( 'id' => $loan_id ),
+			array( '%s', '%s', '%s', '%s' ),
+			array( '%d' )
+		);
+
+		if ( false === $updated_loan ) {
+			$this->wpdb->query( 'ROLLBACK' ); // phpcs:ignore WordPress.DB.DirectDatabaseQuery.DirectQuery
+			return false;
+		}
+
+		$new_available = min( (int) $item->total_quantity, (int) $item->available_quantity + (int) $loan->borrowed_quantity );
+
+		$updated_item = $this->wpdb->update(
+			$this->table,
+			array(
+				'available_quantity' => $new_available,
+				'updated_at'         => $this->now(),
+			),
+			array( 'id' => (int) $loan->item_id ),
+			array( '%d', '%s' ),
+			array( '%d' )
+		);
+
+		if ( false === $updated_item ) {
+			$this->wpdb->query( 'ROLLBACK' ); // phpcs:ignore WordPress.DB.DirectDatabaseQuery.DirectQuery
+			return false;
+		}
+
+		$this->wpdb->query( 'COMMIT' ); // phpcs:ignore WordPress.DB.DirectDatabaseQuery.DirectQuery
+		return true;
+	}
+
+	/**
+	 * Get open loans with item and borrower information.
+	 *
+	 * @return array
+	 */
+	public function get_open_loans() {
+		$table = $this->loans_table();
+
+		if ( '' === $table ) {
+			return array();
+		}
+
+		$sql = "SELECT l.*, i.name AS item_name, u.display_name AS borrower_name
+			FROM {$table} l
+			LEFT JOIN {$this->table} i ON i.id = l.item_id
+			LEFT JOIN {$this->wpdb->users} u ON u.ID = l.user_id
+			WHERE l.status = %s
+			ORDER BY l.borrowed_at DESC, l.id DESC";
+
+		return $this->wpdb->get_results( $this->wpdb->prepare( $sql, 'open' ) ); // phpcs:ignore WordPress.DB.PreparedSQL.NotPrepared
+	}
+
+	/**
+	 * Get latest loan history entries.
+	 *
+	 * @param int $limit Number of rows.
+	 * @return array
+	 */
+	public function get_recent_loans( $limit = 20 ) {
+		$table = $this->loans_table();
+		$limit = max( 1, min( 200, (int) $limit ) );
+
+		if ( '' === $table ) {
+			return array();
+		}
+
+		$sql = "SELECT l.*, i.name AS item_name, u.display_name AS borrower_name
+			FROM {$table} l
+			LEFT JOIN {$this->table} i ON i.id = l.item_id
+			LEFT JOIN {$this->wpdb->users} u ON u.ID = l.user_id
+			ORDER BY l.borrowed_at DESC, l.id DESC
+			LIMIT %d";
+
+		return $this->wpdb->get_results( $this->wpdb->prepare( $sql, $limit ) ); // phpcs:ignore WordPress.DB.PreparedSQL.NotPrepared
+	}
+}

includes/Repositories/MeterReadingRepository.php

@@ -244,4 +244,25 @@ class MeterReadingRepository extends AbstractRepository {
 
 		return array_reverse( array_values( $monthly ) );
 	}
+
+	/**
+	 * Correct an existing reading (value, date, note).
+	 *
+	 * @param int   $id   Reading ID.
+	 * @param array $data Corrected data: reading_value, reading_date, note.
+	 * @return int|false
+	 */
+	public function update_reading( $id, $data ) {
+		return $this->wpdb->update(
+			$this->table,
+			array(
+				'reading_value' => (float) $data['reading_value'],
+				'reading_date'  => sanitize_text_field( $data['reading_date'] ),
+				'note'          => sanitize_textarea_field( $data['note'] ),
+			),
+			array( 'id' => absint( $id ) ),
+			array( '%f', '%s', '%s' ),
+			array( '%d' )
+		);
+	}
 }

includes/Schema.php

@@ -27,6 +27,8 @@ class Schema {
 			'parcels'        => $wpdb->prefix . 'kgvvm_parcels',
 			'meters'         => $wpdb->prefix . 'kgvvm_meters',
 			'tenants'        => $wpdb->prefix . 'kgvvm_tenants',
+			'inventory_items' => $wpdb->prefix . 'kgvvm_inventory_items',
+			'inventory_loans' => $wpdb->prefix . 'kgvvm_inventory_loans',
 			'parcel_members' => $wpdb->prefix . 'kgvvm_parcel_members',
 			'parcel_tenants' => $wpdb->prefix . 'kgvvm_parcel_tenants',
 			'chat_messages'  => $wpdb->prefix . 'kgvvm_chat_messages',
@@ -36,8 +38,9 @@ class Schema {
 			'cost_entries'      => $wpdb->prefix . 'kgvvm_cost_entries',
 			'work_jobs'         => $wpdb->prefix . 'kgvvm_work_jobs',
 			'work_year_config'  => $wpdb->prefix . 'kgvvm_work_year_config',
-			'work_logs'         => $wpdb->prefix . 'kgvvm_work_logs',
+'work_logs'              => $wpdb->prefix . 'kgvvm_work_logs',
-			'work_log_members'  => $wpdb->prefix . 'kgvvm_work_log_members',
+			'work_log_members'       => $wpdb->prefix . 'kgvvm_work_log_members',
+			'parcel_cost_assignments' => $wpdb->prefix . 'kgvvm_parcel_cost_assignments',
 		);
 
 		return isset( $map[ $key ] ) ? $map[ $key ] : '';
@@ -125,6 +128,42 @@ class Schema {
 			KEY is_active (is_active)
 		) {$charset_collate};";
 
+		$sql[] = "CREATE TABLE " . self::table( 'inventory_items' ) . " (
+			id BIGINT UNSIGNED NOT NULL AUTO_INCREMENT,
+			name VARCHAR(190) NOT NULL,
+			total_quantity INT UNSIGNED NOT NULL DEFAULT 0,
+			available_quantity INT UNSIGNED NOT NULL DEFAULT 0,
+			storage_location VARCHAR(190) NULL,
+			description TEXT NULL,
+			is_active TINYINT(1) NOT NULL DEFAULT 1,
+			created_at DATETIME NOT NULL,
+			updated_at DATETIME NOT NULL,
+			PRIMARY KEY  (id),
+			KEY name (name),
+			KEY is_active (is_active)
+		) {$charset_collate};";
+
+		$sql[] = "CREATE TABLE " . self::table( 'inventory_loans' ) . " (
+			id BIGINT UNSIGNED NOT NULL AUTO_INCREMENT,
+			item_id BIGINT UNSIGNED NOT NULL,
+			user_id BIGINT UNSIGNED NOT NULL,
+			borrowed_quantity INT UNSIGNED NOT NULL,
+			borrowed_at DATETIME NOT NULL,
+			due_date DATE NULL,
+			returned_at DATETIME NULL,
+			note TEXT NULL,
+			return_note TEXT NULL,
+			status VARCHAR(20) NOT NULL DEFAULT 'open',
+			created_at DATETIME NOT NULL,
+			updated_at DATETIME NOT NULL,
+			PRIMARY KEY  (id),
+			KEY item_id (item_id),
+			KEY user_id (user_id),
+			KEY status (status),
+			KEY borrowed_at (borrowed_at),
+			KEY due_date (due_date)
+		) {$charset_collate};";
+
 		$sql[] = "CREATE TABLE " . self::table( 'parcel_members' ) . " (
 			parcel_id BIGINT UNSIGNED NOT NULL,
 			user_id BIGINT UNSIGNED NOT NULL,
@@ -174,6 +213,9 @@ class Schema {
 			entry_year SMALLINT UNSIGNED NOT NULL,
 			power_price_per_kwh DECIMAL(12,4) NULL,
 			water_price_per_m3 DECIMAL(12,4) NULL,
+			statement_is_locked TINYINT(1) NOT NULL DEFAULT 0,
+			statement_locked_at DATETIME NULL,
+			statement_locked_by BIGINT UNSIGNED NOT NULL DEFAULT 0,
 			created_at DATETIME NOT NULL,
 			updated_at DATETIME NOT NULL,
 			PRIMARY KEY  (id),
@@ -200,6 +242,7 @@ class Schema {
 			distribution_type VARCHAR(20) NOT NULL DEFAULT 'parcel',
 			unit_amount DECIMAL(12,2) NULL,
 			total_cost DECIMAL(12,2) NOT NULL DEFAULT 0.00,
+			is_mandatory TINYINT(1) NOT NULL DEFAULT 1,
 			note TEXT NULL,
 			created_at DATETIME NOT NULL,
 			updated_at DATETIME NOT NULL,
@@ -254,6 +297,14 @@ class Schema {
 			KEY log_id (log_id)
 		) {$charset_collate};";
 
+		$sql[] = "CREATE TABLE " . self::table( 'parcel_cost_assignments' ) . " (
+			parcel_id BIGINT UNSIGNED NOT NULL,
+			cost_entry_id BIGINT UNSIGNED NOT NULL,
+			created_at DATETIME NOT NULL,
+			PRIMARY KEY  (parcel_id, cost_entry_id),
+			KEY cost_entry_id (cost_entry_id)
+		) {$charset_collate};";
+
 		foreach ( $sql as $statement ) {
 			dbDelta( $statement );
 		}
@@ -272,6 +323,8 @@ class Schema {
 			self::table( 'parcels' ),
 			self::table( 'meters' ),
 			self::table( 'tenants' ),
+			self::table( 'inventory_items' ),
+			self::table( 'inventory_loans' ),
 			self::table( 'parcel_members' ),
 			self::table( 'parcel_tenants' ),
 			self::table( 'chat_messages' ),
@@ -283,6 +336,7 @@ class Schema {
 			self::table( 'work_year_config' ),
 			self::table( 'work_logs' ),
 			self::table( 'work_log_members' ),
+			self::table( 'parcel_cost_assignments' ),
 		);
 
 		foreach ( $tables as $table ) {
@@ -301,10 +355,13 @@ class Schema {
 		global $wpdb;
 
 		$tables = array(
+			self::table( 'parcel_cost_assignments' ),
 			self::table( 'work_log_members' ),
 			self::table( 'work_logs' ),
 			self::table( 'work_year_config' ),
 			self::table( 'work_jobs' ),
+			self::table( 'inventory_loans' ),
+			self::table( 'inventory_items' ),
 			self::table( 'cost_entries' ),
 			self::table( 'cost_rates' ),
 			self::table( 'cost_years' ),

includes/Validator.php

@@ -259,6 +259,7 @@ class Validator {
 		$unit_amount       = isset( $data['unit_amount'] ) ? str_replace( ',', '.', wp_unslash( $data['unit_amount'] ) ) : '';
 		$entry_year        = $this->sanitize_cost_year( $data );
 		$distribution_type = sanitize_key( wp_unslash( isset( $data['distribution_type'] ) ? $data['distribution_type'] : 'parcel' ) );
+		$is_mandatory      = isset( $data['is_mandatory'] ) && '1' === (string) wp_unslash( $data['is_mandatory'] );
 
 		return array(
 			'entry_year'        => $entry_year,
@@ -266,6 +267,7 @@ class Validator {
 			'distribution_type' => $distribution_type,
 			'unit_amount'       => '' === trim( (string) $unit_amount ) ? '' : (float) $unit_amount,
 			'total_cost'        => 0.0,
+			'is_mandatory'      => $is_mandatory,
 			'note'              => sanitize_textarea_field( wp_unslash( isset( $data['note'] ) ? $data['note'] : '' ) ),
 		);
 	}
@@ -365,6 +367,91 @@ class Validator {
 		return $errors;
 	}
 
+	/**
+	 * Sanitize one inventory item payload.
+	 *
+	 * @param array $data Raw request data.
+	 * @return array
+	 */
+	public function sanitize_inventory_item( $data ) {
+		return array(
+			'name'               => sanitize_text_field( wp_unslash( isset( $data['name'] ) ? $data['name'] : '' ) ),
+			'total_quantity'     => absint( isset( $data['total_quantity'] ) ? $data['total_quantity'] : 0 ),
+			'available_quantity' => absint( isset( $data['available_quantity'] ) ? $data['available_quantity'] : 0 ),
+			'storage_location'   => sanitize_text_field( wp_unslash( isset( $data['storage_location'] ) ? $data['storage_location'] : '' ) ),
+			'description'        => sanitize_textarea_field( wp_unslash( isset( $data['description'] ) ? $data['description'] : '' ) ),
+			'is_active'          => ! empty( $data['is_active'] ) ? 1 : 0,
+		);
+	}
+
+	/**
+	 * Validate one inventory item payload.
+	 *
+	 * @param array $data Sanitized data.
+	 * @return \WP_Error
+	 */
+	public function validate_inventory_item( $data ) {
+		$errors = new \WP_Error();
+
+		if ( '' === $data['name'] ) {
+			$errors->add( 'inventory_name_required', __( 'Bitte einen Namen für den Inventargegenstand eingeben.', KGVVM_TEXT_DOMAIN ) );
+		}
+
+		if ( (int) $data['total_quantity'] < 0 ) {
+			$errors->add( 'inventory_total_invalid', __( 'Die Gesamtmenge muss 0 oder größer sein.', KGVVM_TEXT_DOMAIN ) );
+		}
+
+		if ( (int) $data['available_quantity'] < 0 ) {
+			$errors->add( 'inventory_available_invalid', __( 'Die verfügbare Menge muss 0 oder größer sein.', KGVVM_TEXT_DOMAIN ) );
+		}
+
+		if ( (int) $data['available_quantity'] > (int) $data['total_quantity'] ) {
+			$errors->add( 'inventory_available_too_high', __( 'Die verfügbare Menge darf nicht größer als die Gesamtmenge sein.', KGVVM_TEXT_DOMAIN ) );
+		}
+
+		return $errors;
+	}
+
+	/**
+	 * Sanitize one inventory borrow request.
+	 *
+	 * @param array $data Raw request data.
+	 * @return array
+	 */
+	public function sanitize_inventory_loan( $data ) {
+		return array(
+			'item_id'  => absint( isset( $data['item_id'] ) ? $data['item_id'] : 0 ),
+			'user_id'  => absint( isset( $data['user_id'] ) ? $data['user_id'] : 0 ),
+			'quantity' => absint( isset( $data['quantity'] ) ? $data['quantity'] : 0 ),
+			'due_date' => $this->normalize_date( isset( $data['due_date'] ) ? $data['due_date'] : '' ),
+			'note'     => sanitize_textarea_field( wp_unslash( isset( $data['note'] ) ? $data['note'] : '' ) ),
+		);
+	}
+
+	/**
+	 * Validate one inventory borrow request.
+	 *
+	 * @param array $data Sanitized data.
+	 * @return \WP_Error
+	 */
+	public function validate_inventory_loan( $data ) {
+		$errors = new \WP_Error();
+
+		if ( (int) $data['item_id'] < 1 ) {
+			$errors->add( 'inventory_item_required', __( 'Bitte einen Inventargegenstand auswählen.', KGVVM_TEXT_DOMAIN ) );
+		}
+
+		if ( (int) $data['user_id'] < 1 ) {
+			$errors->add( 'inventory_user_required', __( 'Bitte ein Mitglied auswählen.', KGVVM_TEXT_DOMAIN ) );
+		}
+
+		if ( (int) $data['quantity'] < 1 ) {
+			$errors->add( 'inventory_quantity_required', __( 'Bitte eine gültige Ausleihmenge eingeben.', KGVVM_TEXT_DOMAIN ) );
+		}
+
+		return $errors;
+	}
+
 	/**
 	 * Normalize optional date fields to Y-m-d.
 	 *

kgv-verein-manager.php

@@ -4,7 +4,7 @@
  * Plugin Name: KGV Vereinsverwaltung
  * Plugin URI: https://apex-project.de/
  * Description: Verwaltung von Sparten, Parzellen, Mitgliedern, Pächtern sowie Wasser- und Stromzählern für Kleingartenvereine.
- * Version: 1.16.1
+ * Version: 1.17.7
  * Author: Ronny Grobel
  * Author URI: https://apex-project.de/
  * License: GPL v2 or later
@@ -31,7 +31,7 @@ if ( ! defined( 'ABSPATH' ) ) {
 	exit;
 }
 
-define( 'KGVVM_VERSION', '1.16.1' );
+define( 'KGVVM_VERSION', '1.17.8' );
 define( 'KGVVM_PLUGIN_FILE', __FILE__ );
 define( 'KGVVM_PLUGIN_DIR', plugin_dir_path( __FILE__ ) );
 define( 'KGVVM_PLUGIN_URL', plugin_dir_url( __FILE__ ) );
@@ -45,8 +45,9 @@ register_activation_hook( __FILE__, array( '\\KGV\\VereinManager\\Activator', 'a
 register_deactivation_hook( __FILE__, array( '\\KGV\\VereinManager\\Deactivator', 'deactivate' ) );
 
 add_action(
-	'plugins_loaded',
+	'init',
 	function() {
 		\KGV\VereinManager\Plugin::instance()->run();
-	}
+	},
+	1
 );

readme.txt

@@ -3,7 +3,7 @@ Contributors: ronnygrobel
 Tags: verein, mitgliederverwaltung, parzellen, zaehler, abrechnung
 Requires at least: 6.0
 Tested up to: 6.8
-Stable tag: 1.16.1
+Stable tag: 1.17.8
 Requires PHP: 7.2
 License: GPLv2 or later
 License URI: https://www.gnu.org/licenses/gpl-2.0.html
@@ -41,6 +41,44 @@ Ja, insbesondere fuer Kleingartenvereine und deren Verwaltungsprozesse.
 
 == Changelog ==
 
+= 1.17.8 =
+Feat: Verbrauchsauswertung – Ablesung korrigieren (Datum, Zählerstand, Korrekturnotiz) und löschen direkt aus der Tabelle.
+
+= 1.17.7 =
+Feat: Inventarverwaltung – Gegenstände (Werkzeug etc.) erfassen, bearbeiten, löschen. Ausleihe und Rückgabe je Mitglied mit Notiz und Fälligkeitsdatum tracken. Export/Import integriert.
+
+= 1.17.6 =
+Feat: Jahresabrechnung kann festgeschrieben (gesperrt) werden. Alle Schreibzugriffe auf Kosten, Preise und Parzellenzuordnungen prüfen den Sperrstatus serverseitig.
+
+= 1.17.5 =
+Fix: Spaltenbreiten in Abrechnungstabellen angepasst für bessere Lesbarkeit langer Texte.
+
+= 1.17.4 =
+Fix: Checkbox "Verpflichtende Position" bei Kostenposten wird jetzt korrekt gespeichert wenn sie deaktiviert ist.
+
+= 1.17.3 =
+Verbesserung: Kostenübersicht zeigt jetzt direkt pro Kostenposten den Status Verpflichtend oder Manuell in einer eigenen Spalte an.
+
+= 1.17.2 =
+Fix: Manuelle Kostenpositionen auf der Jahresabrechnung einer Parzelle werden nach dem Hinzufügen jetzt sofort korrekt berücksichtigt. Pflichtpositionen ohne Einschränkung werden in der Seitenleiste als automatisch aktiv dargestellt.
+
+= 1.17.1 =
+Feat: is_mandatory Flag für Kostenpositionstypen - Kostenposten können jetzt als "verpflichtend" oder "manuell/optional" gekennzeichnet werden. Checkbox in der Kostenposten-Bearbeitung.
+
+= 1.17.0 =
+Parzellenspezifische Kostenpositionenzuweisung: Kostenposten können jetzt einzelnen Parzellen zugeordnet werden (z.B. Versicherung nur für bestimmte Parzellen). Editor auf der Jahresabrechnung Parzelle Seite mit übersichtlicher Liste und Hinzufügen/Entfernen-Funktionen. Zuordnungen werden in einer separaten Tabelle gespeichert und sind vollständig in Export/Import integriert.
+
+= 1.16.3 =
+* Datensicherung erweitert: Export und Import umfassen jetzt zusätzlich die zugehörigen WordPress-Mitgliederkonten inklusive Metadaten.
+
+= 1.16.2 =
+* Neue Datensicherungsfunktion unter Einstellungen: Export und Import aller kgvvm-Tabellen als JSON.
+* Import mit Sicherheitsprüfung und vollständigem Überschreiben der vorhandenen Plugin-Daten.
+
+= 1.16.1 =
+* Wartungsrelease mit synchronisierter Versionsnummer in Plugin-Header, Konstante und Readme-Dateien.
+* Release-Tag 1.16.1 gesetzt.
+
 = 1.16.0 =
 * Neues Modul Arbeitsstunden im Adminbereich mit drei Bereichen: geleistete Arbeiten, Mitgliederuebersicht und Arbeitsarten.
 * Pflichtstunden je Mitglied pro Jahr konfigurierbar, inklusive variablem Preis je fehlender Stunde fuer den Aufschlag in der Jahresrechnung.