更新v1.4版本，修复了一些已知问题

2026-04-28 03:16:17 +08:00
parent 76088b0dd4
commit 3aac2395a0
26 changed files with 342 additions and 151 deletions
--- a/backend/middleware/auth_middleware.py
+++ b/backend/middleware/auth_middleware.py
@@ -92,7 +92,6 @@ class AuthMiddleware(BaseHTTPMiddleware):
                logger.warning(f"[Auth] {path} - Redis Token不匹配, user_id={user_id}, stored={'有' if stored_token else '无'}")
                return self._cors_response(request, 401, "令牌已失效，请重新登录")
            
-            # 将用户信息存储到request.state
            # 将用户信息存储到request.state
            request.state.user_id = payload.get("user_id")
            request.state.username = payload.get("username")
@@ -142,20 +141,3 @@ class AuthMiddleware(BaseHTTPMiddleware):
            },
            headers=headers
        )
-
-
-async def get_current_user(request: Request) -> Dict[str, Any]:
-    """获取当前登录用户信息"""
-    return {
-        "user_id": request.state.user_id,
-        "username": request.state.username,
-        "real_name": getattr(request.state, 'real_name', None) or request.state.username,
-        "user_type": request.state.user_type,
-        "student_id": request.state.student_id,
-        "role": request.state.role
-    }
-
-
-async def get_current_user_id(request: Request) -> int:
-    """获取当前用户ID"""
-    return request.state.user_id
--- a/backend/middleware/permission.py
+++ b/backend/middleware/permission.py
@@ -26,6 +26,7 @@ async def get_current_user(request: Request) -> Dict[str, Any]:
    return {
        "user_id": getattr(request.state, 'user_id', None),
        "username": getattr(request.state, 'username', None),
+        "real_name": getattr(request.state, 'real_name', None),
        "user_type": getattr(request.state, 'user_type', None),
        "student_id": getattr(request.state, 'student_id', None),
        "role": getattr(request.state, 'role', None)
@@ -124,19 +125,23 @@ class PermissionChecker:
    async def check_can_revoke(user_id: int, record_id: int) -> bool:
        """
        检查是否可以撤销扣分记录
-        班主任：可以撤销任何记录
-        班长：可以撤销任何记录
-        考勤委员：可以撤销自己的记录
-        其他：只能撤销自己的记录
+        班主任：可以撤销/反撤销任何记录
+        班长：可以撤销/反撤销任何记录
+        考勤委员：可以撤销自己创建的记录
+        其他角色：无撤销权限
        """
-        sql = "SELECT recorder_id FROM conduct_records WHERE record_id = %s"
-        record = await execute_one(sql, (record_id,))
+        record = await execute_one(
+            "SELECT record_id, recorder_id FROM conduct_records WHERE record_id = %s",
+            (record_id,)
+        )
        if not record:
            return False
        role = await PermissionChecker.get_user_role(user_id)
-        if role in ["班主任", "班长", "志愿委员"]:
+        if role in ["班主任", "班长"]:
            return True
-        return record["recorder_id"] == user_id
+        if role == "考勤委员" and record.get("recorder_id") == user_id:
+            return True
+        return False


 def require_auth(func: Callable):