功能性及安全修复
@@ -29,8 +29,6 @@ PUBLIC_PATHS = [
|
|||||||
r'^/$',
|
r'^/$',
|
||||||
r'^/health$',
|
r'^/health$',
|
||||||
r'^/api/auth/login$',
|
r'^/api/auth/login$',
|
||||||
r'^/api/auth/logout$',
|
|
||||||
r'^/api/config/deduction-rules$',
|
|
||||||
]
|
]
|
||||||
def is_public_path(path: str) -> bool:
|
def is_public_path(path: str) -> bool:
|
||||||
"""检查是否为公开路径"""
|
"""检查是否为公开路径"""
|
||||||
|
|||||||
@@ -125,7 +125,8 @@ async def add_student(request: Request, req: AddStudentRequest):
|
|||||||
name=req.name,
|
name=req.name,
|
||||||
parent_phone=req.parent_phone,
|
parent_phone=req.parent_phone,
|
||||||
operator_id=user["user_id"],
|
operator_id=user["user_id"],
|
||||||
initial_points=60
|
initial_points=60,
|
||||||
|
dormitory_number=req.dormitory_number
|
||||||
)
|
)
|
||||||
if result["success"]:
|
if result["success"]:
|
||||||
await LogService.write_operation_log(
|
await LogService.write_operation_log(
|
||||||
|
|||||||
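Review bot: `initial_points=60` in this service call is a bare magic number sitting next to the newly added `dormitory_number=req.dormitory_number`; name it as a module-level constant, e.g. `DEFAULT_INITIAL_POINTS = 60`, and pass `initial_points=DEFAULT_INITIAL_POINTS,` so the policy value is documented where it is defined rather than at the call site. Whether `req.dormitory_number` is validated (type, length, optional or required) is decided by `AddStudentRequest`, which is outside this hunk; if the field is optional, the service receives `None` here and must accept it, which is worth a one-line comment at the call. The service call and the body of `add_student` start and end outside the hunk.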
@@ -123,8 +123,16 @@ class AuthService:
|
|||||||
if not user:
|
if not user:
|
||||||
return {"success": False, "message": "用户不存在"}
|
return {"success": False, "message": "用户不存在"}
|
||||||
|
|
||||||
# 验证原密码(强制改密时跳过)
|
# 验证原密码
|
||||||
if not force:
|
# force=True 仅在 need_change_password=1 时允许(首次登录强制改密)
|
||||||
|
# 其他情况必须验证旧密码
|
||||||
|
if force and user.get("need_change_password") == 1:
|
||||||
|
# 首次登录强制改密,跳过旧密码验证
|
||||||
|
pass
|
||||||
|
else:
|
||||||
|
# 正常改密,必须验证旧密码
|
||||||
|
if not old_password:
|
||||||
|
return {"success": False, "message": "请输入原密码"}
|
||||||
is_valid, _ = security.verify_password_v2(old_password, user["password_hash"])
|
is_valid, _ = security.verify_password_v2(old_password, user["password_hash"])
|
||||||
if not is_valid:
|
if not is_valid:
|
||||||
return {"success": False, "message": "原密码错误"}
|
return {"success": False, "message": "原密码错误"}
|
||||||
|
|||||||
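Review bot: The `if force and user.get("need_change_password") == 1: pass / else:` shape puts the interesting branch in a no-op and pushes the old-password verification one level deeper; a single guard reads more directly, `skip_old_password = force and user.get("need_change_password") == 1` followed by `if not skip_old_password:` with the three verification statements under it. The gate itself fails closed: any value other than the integer `1` (a bool or string, if that is how the column is typed — not visible here) falls through to requiring the old password, so a type mismatch costs functionality, not security. The hunk does not show `need_change_password` being reset after a forced change is stored; if that happens later in the method, a comment on the skip branch pointing to it would make the one-shot nature of the bypass explicit. The method body continues outside the hunk.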