功能性及安全修复

2026-06-09 23:34:54 +08:00
parent 70e7ad8e5e
commit 5e0052564b
3 changed files with 12 additions and 5 deletions
--- a/backend/middleware/auth_middleware.py
+++ b/backend/middleware/auth_middleware.py
@@ -29,8 +29,6 @@ PUBLIC_PATHS = [
    r'^/$',
    r'^/health$',
    r'^/api/auth/login$',
-    r'^/api/auth/logout$',
-    r'^/api/config/deduction-rules$',
 ]
 def is_public_path(path: str) -> bool:
    """检查是否为公开路径"""
--- a/backend/routes/admin.py
+++ b/backend/routes/admin.py
@@ -125,7 +125,8 @@ async def add_student(request: Request, req: AddStudentRequest):
        name=req.name,
        parent_phone=req.parent_phone,
        operator_id=user["user_id"],
-        initial_points=60
+        initial_points=60,
+        dormitory_number=req.dormitory_number
    )
    if result["success"]:
        await LogService.write_operation_log(
--- a/backend/services/auth_service.py
+++ b/backend/services/auth_service.py
@@ -123,8 +123,16 @@ class AuthService:
        if not user:
            return {"success": False, "message": "用户不存在"}
        
-        # 验证原密码（强制改密时跳过）
-        if not force:
+        # 验证原密码
+        # force=True 仅在 need_change_password=1 时允许（首次登录强制改密）
+        # 其他情况必须验证旧密码
+        if force and user.get("need_change_password") == 1:
+            # 首次登录强制改密，跳过旧密码验证
+            pass
+        else:
+            # 正常改密，必须验证旧密码
+            if not old_password:
+                return {"success": False, "message": "请输入原密码"}
            is_valid, _ = security.verify_password_v2(old_password, user["password_hash"])
            if not is_valid:
                return {"success": False, "message": "原密码错误"}