diff --git a/.cospec/plan/changes/fix-admin-multi-issues/task.md b/.cospec/plan/changes/fix-admin-multi-issues/task.md
index 3b9bd42..a641094 100644
--- a/.cospec/plan/changes/fix-admin-multi-issues/task.md
+++ b/.cospec/plan/changes/fix-admin-multi-issues/task.md
@@ -346,3 +346,14 @@
     【修改方式】
        - auth_service.py: login 方法返回字典添加 `"student_id": user["student_id"]`
        - auth.py: 登录路由 success_response data 字典添加 `"student_id": result.get("student_id")`
+
+- [x] 12.12 批量修复6个管理端/学生端Bug
+    【目标对象】`backend/models/user.py`、`backend/routes/admin.py`、`frontend/assets/js/admin.js`、`backend/services/conduct_service.py`、`backend/models/conduct.py`、`frontend/admin/history.php`
+    【修改目的】用户报告6个运行时Bug：1) 修改密码失败；2) 管理端学生列表422；3) 添加管理员404；4) admin.js报错null；5) 历史记录500；6) history.php学生列表不完整
+    【修改方式】
+       - user.py: get_by_user_id SQL 添加 password_hash 字段（修改密码时验证旧密码需要此字段）
+       - admin.py: page_size 上限 le=100→le=1000；路由 /admin/add→/add, /admin/list→/list（避免双重/api/admin前缀）
+       - admin.js: showAddAdminModal 中 addAdminForm.reset() 改为 ?.reset()
+       - conduct_service.py: get_history 方法开头添加空字符串→None转换
+       - conduct.py: get_all_records 方法开头添加空字符串→None转换
+       - history.php: loadStudentsForSelect 传 {page_size: 1000}
diff --git a/backend/models/conduct.py b/backend/models/conduct.py
index a1e96d4..dd7042d 100644
--- a/backend/models/conduct.py
+++ b/backend/models/conduct.py
@@ -84,6 +84,12 @@ class ConductModel:
         end_date: str = None
     ) -> List[Dict[str, Any]]:
         """获取所有记录（班主任/班长专用）"""
+        # 空字符串转为None
+        if start_date == "":
+            start_date = None
+        if end_date == "":
+            end_date = None
+        
         sql = """
             SELECT cr.*, s.name as student_name, s.student_no, u.real_name as recorder_name
             FROM conduct_records cr
diff --git a/backend/models/user.py b/backend/models/user.py
index 2b7b3ce..6aa03a8 100644
--- a/backend/models/user.py
+++ b/backend/models/user.py
@@ -34,9 +34,9 @@ class UserModel:
     async def get_by_user_id(user_id: int) -> dict:
         """根据用户ID获取用户"""
         sql = """
-            SELECT user_id, username, real_name, user_type, student_id, 
+            SELECT user_id, username, password_hash, real_name, user_type, student_id,
                    need_change_password, status
-            FROM users 
+            FROM users
             WHERE user_id = %s
         """
         return await execute_one(sql, (user_id,))
diff --git a/backend/routes/admin.py b/backend/routes/admin.py
index 9e5a291..da8effb 100644
--- a/backend/routes/admin.py
+++ b/backend/routes/admin.py
@@ -42,7 +42,7 @@ logger = get_logger(__name__)
 async def get_students(
     request: Request,
     page: int = Query(1, ge=1),
-    page_size: int = Query(20, ge=1, le=100),
+    page_size: int = Query(20, ge=1, le=1000),
     search: Optional[str] = None
 ):
     """获取所有学生列表（单班级）"""
@@ -328,7 +328,7 @@ async def get_attendance_records(
 
 # ========== 管理员管理 ==========
 
-@router.post("/admin/add")
+@router.post("/add")
 async def add_admin(request: Request, req: AddAdminRequest):
     """添加管理员（班主任）"""
     user = await get_current_user(request)
@@ -357,7 +357,7 @@ async def add_admin(request: Request, req: AddAdminRequest):
         return error_response(message=result["message"])
 
 
-@router.get("/admin/list")
+@router.get("/list")
 async def get_admins(request: Request):
     """获取管理员列表（班主任）"""
     user = await get_current_user(request)
diff --git a/backend/services/conduct_service.py b/backend/services/conduct_service.py
index 43c0eb3..cb19e30 100644
--- a/backend/services/conduct_service.py
+++ b/backend/services/conduct_service.py
@@ -138,6 +138,12 @@ class ConductService:
         end_date: Optional[str] = None
     ) -> Dict[str, Any]:
         """获取历史记录"""
+        # 空字符串转为None
+        if start_date == "":
+            start_date = None
+        if end_date == "":
+            end_date = None
+        
         role = await PermissionChecker.get_user_role(user_id)
         offset = (page - 1) * page_size
         
diff --git a/frontend/admin/history.php b/frontend/admin/history.php
index 50a9848..043efae 100644
--- a/frontend/admin/history.php
+++ b/frontend/admin/history.php
@@ -70,7 +70,7 @@ var currentHistoryPage = 1;
 var totalHistoryPages = 1;
 
 async function loadStudentsForSelect() {
-    const res = await apiGet('/api/admin/students');
+    const res = await apiGet('/api/admin/students', {page_size: 1000});
     if (res && res.success) {
         let html = '<option value="">全部</option>';
         res.data.students.forEach(s => {
diff --git a/frontend/assets/js/admin.js b/frontend/assets/js/admin.js
index 86873ca..0c15697 100644
--- a/frontend/assets/js/admin.js
+++ b/frontend/assets/js/admin.js
@@ -174,7 +174,7 @@ async function submitAddStudent() {
 // 显示添加管理员模态框
 function showAddAdminModal() {
     document.getElementById('addAdminModal').style.display = 'flex';
-    document.getElementById('addAdminForm').reset();
+    document.getElementById('addAdminForm')?.reset();
 }
 
 // 提交添加管理员