修复考勤管理bug并加强了信息保护

backend/middleware/auth_middleware.py

@@ -92,15 +92,16 @@ class AuthMiddleware(BaseHTTPMiddleware):
                 logger.warning(f"[Auth] {path} - Redis Token不匹配, user_id={user_id}, stored={'有' if stored_token else '无'}")
                 return self._cors_response(request, 401, "令牌已失效，请重新登录")
             
+            # 将用户信息存储到request.state
             # 将用户信息存储到request.state
             request.state.user_id = payload.get("user_id")
             request.state.username = payload.get("username")
+            request.state.real_name = payload.get("real_name") or payload.get("username")
             request.state.user_type = payload.get("user_type")
             request.state.student_id = payload.get("student_id")
             request.state.role = payload.get("role")
-            
-            # 刷新Token过期时间
-            await RedisClient.expire(f"user_token:{user_id}", settings.JWT_EXPIRE_MINUTES * 60)
+            # 刷新Token过期时间（空闲超时：10分钟无操作则需重新登录）
+            await RedisClient.expire(f"user_token:{user_id}", settings.JWT_IDLE_TIMEOUT_MINUTES * 60)
             
             logger.debug(f"[Auth] {path} - 认证成功, user_id={user_id}, username={payload.get('username')}")
             
@@ -148,6 +149,7 @@ async def get_current_user(request: Request) -> Dict[str, Any]:
     return {
         "user_id": request.state.user_id,
         "username": request.state.username,
+        "real_name": getattr(request.state, 'real_name', None) or request.state.username,
         "user_type": request.state.user_type,
         "student_id": request.state.student_id,
         "role": request.state.role

backend/middleware/permission.py

@@ -126,6 +126,7 @@ class PermissionChecker:
         检查是否可以撤销扣分记录
         班主任：可以撤销任何记录
         班长：可以撤销任何记录
+        考勤委员：可以撤销自己的记录
         其他：只能撤销自己的记录
         """
         sql = "SELECT recorder_id FROM conduct_records WHERE record_id = %s"