refactor(grades,diagnostic): 成绩和学情诊断模块审计修复

P0-1: 10 个页面补充 requirePermission 权限校验 P0-2: diagnostic/data-access-reports.ts 移除直查 users 表，改用 getUserNamesByIds P0-3: 新增 grade/grades/diagnostic 三组 i18n 翻译文件（zh-CN/en） P0-4: 新增 /management/grade 重定向页面 P1-2: 抽取 toNumber/normalize/buildScopeClassFilter 到 lib/grade-utils.ts P1-3: 为 12 个 Action 新增 Zod safeParse 校验（schema.ts +12 查询 schema） P1-4: 修复 as 断言违规，改用类型守卫函数 P2-2: 移除 diagnostic 组件中 Tailwind 任意值同步更新架构图文档 004 和 005
2026-06-22 16:23:34 +08:00
parent 20691f53ce
commit 45ee1ae43c
29 changed files with 2276 additions and 186 deletions
--- a/src/app/(dashboard)/teacher/diagnostic/class/[classId]/page.tsx
+++ b/src/app/(dashboard)/teacher/diagnostic/class/[classId]/page.tsx
@@ -1,7 +1,8 @@
 import type { JSX } from "react"
 import { notFound } from "next/navigation"
 import { Stethoscope } from "lucide-react"
-import { getAuthContext } from "@/shared/lib/auth-guard"
+import { requirePermission } from "@/shared/lib/auth-guard"
+import { Permissions } from "@/shared/types/permissions"
 import { getClassMasterySummary } from "@/modules/diagnostic/data-access"
 import { ClassDiagnosticView } from "@/modules/diagnostic/components/class-diagnostic-view"

@@ -13,7 +14,7 @@ export default async function ClassDiagnosticPage({
  params: Promise<{ classId: string }>
 }): Promise<JSX.Element> {
  const { classId } = await params
-  const ctx = await getAuthContext()
+  const ctx = await requirePermission(Permissions.DIAGNOSTIC_READ)

  // DataScope 校验：教师只能查看所教班级，学生/家长不可访问
  if (ctx.dataScope.type === "class_taught" && !ctx.dataScope.classIds.includes(classId)) {
--- a/src/app/(dashboard)/teacher/diagnostic/page.tsx
+++ b/src/app/(dashboard)/teacher/diagnostic/page.tsx
@@ -1,5 +1,6 @@
 import type { JSX } from "react"
-import { getAuthContext } from "@/shared/lib/auth-guard"
+import { requirePermission } from "@/shared/lib/auth-guard"
+import { Permissions } from "@/shared/types/permissions"
 import { getParam, type SearchParams } from "@/shared/lib/search-params"
 import { getDiagnosticReports } from "@/modules/diagnostic/data-access-reports"
 import { ReportList } from "@/modules/diagnostic/components/report-list"
@@ -33,7 +34,7 @@ export default async function TeacherDiagnosticPage({
  searchParams: Promise<SearchParams>
 }): Promise<JSX.Element> {
  const sp = await searchParams
-  const ctx = await getAuthContext()
+  const ctx = await requirePermission(Permissions.DIAGNOSTIC_READ)

  const reportType = getParam(sp, "reportType")
  const status = getParam(sp, "status")
--- a/src/app/(dashboard)/teacher/diagnostic/student/[studentId]/page.tsx
+++ b/src/app/(dashboard)/teacher/diagnostic/student/[studentId]/page.tsx
@@ -1,7 +1,8 @@
 import type { JSX } from "react"
 import { notFound } from "next/navigation"
 import { Stethoscope } from "lucide-react"
-import { getAuthContext } from "@/shared/lib/auth-guard"
+import { requirePermission } from "@/shared/lib/auth-guard"
+import { Permissions } from "@/shared/types/permissions"
 import {
  getStudentMasterySummary,
  getKnowledgePointStats,
@@ -18,7 +19,7 @@ export default async function StudentDiagnosticPage({
  params: Promise<{ studentId: string }>
 }): Promise<JSX.Element> {
  const { studentId } = await params
-  const ctx = await getAuthContext()
+  const ctx = await requirePermission(Permissions.DIAGNOSTIC_READ)

  // DataScope 二次校验：学生只能看自己，家长只能看子女
  if (ctx.dataScope.type === "class_members" && ctx.userId !== studentId) {