fix: patch P0 security vulnerabilities and critical UX issues across 6 modules

Security: Add admin/layout.tsx auth guard; Add requirePermission() to 12 admin pages

Dashboard: Fix StudentStatsGrid rendering; Fix teacher greeting; Add loading/error boundaries; Fix col-span; Add metadata

Announcements: Fix audience filtering; Add user detail page; Trigger notifications on publish; Pass classes data; Add loading.tsx

Messages: Implement soft delete; Add unread badge with polling; Add notification dropdown polling; Add keyword search; Add quiet hours DND

Management: Add loading/error for 9 admin routes; Fix admin-classes-view to use Select for school/grade

Profile/Settings: Add loading/error; Fix parent role routing; Create ParentSettingsView; Integrate AiProviderSettingsCard; Add Tab URL persistence; Add logout confirm; Add avatar; Fix Progress arbitrary class

Schema: Add senderDeletedAt/receiverDeletedAt to messages; Add quietHours to notificationPreferences; Add uniqueIndex import

Docs: Update architecture docs 004/005

src/app/(dashboard)/admin/announcements/[id]/page.tsx

@@ -2,6 +2,8 @@ import { notFound } from "next/navigation"
 import type { Metadata } from "next"
 import type { JSX } from "react"
 
+import { requirePermission } from "@/shared/lib/auth-guard"
+import { Permissions } from "@/shared/types/permissions"
 import { getAnnouncementById } from "@/modules/announcements/data-access"
 import { getGrades } from "@/modules/school/data-access"
 import { AnnouncementForm } from "@/modules/announcements/components/announcement-form"
@@ -18,6 +20,7 @@ export default async function EditAnnouncementPage({
 }: {
   params: Promise<{ id: string }>
 }): Promise<JSX.Element> {
+  await requirePermission(Permissions.ANNOUNCEMENT_MANAGE)
   const { id } = await params
 
   const [announcement, grades] = await Promise.all([

src/app/(dashboard)/admin/announcements/loading.tsx

@@ -0,0 +1,40 @@
+import { Card, CardContent, CardHeader } from "@/shared/components/ui/card"
+import { Skeleton } from "@/shared/components/ui/skeleton"
+
+export default function AdminAnnouncementsLoading() {
+  return (
+    <div className="flex h-full flex-col space-y-8 p-8">
+      <div className="flex items-center justify-between space-y-2">
+        <div className="space-y-2">
+          <Skeleton className="h-8 w-48" />
+          <Skeleton className="h-4 w-64" />
+        </div>
+        <Skeleton className="h-9 w-40" />
+      </div>
+
+      <div className="flex items-center gap-3">
+        <Skeleton className="h-9 w-[180px]" />
+      </div>
+
+      <div className="grid grid-cols-1 gap-4 md:grid-cols-2 lg:grid-cols-3">
+        {Array.from({ length: 6 }).map((_, i) => (
+          <Card key={i}>
+            <CardHeader className="flex flex-row items-start justify-between gap-2 space-y-0">
+              <Skeleton className="h-5 w-3/4" />
+              <Skeleton className="h-5 w-16" />
+            </CardHeader>
+            <CardContent className="space-y-2">
+              <Skeleton className="h-4 w-full" />
+              <Skeleton className="h-4 w-full" />
+              <Skeleton className="h-4 w-2/3" />
+              <div className="flex items-center gap-2 pt-2">
+                <Skeleton className="h-5 w-16" />
+                <Skeleton className="h-3 w-32" />
+              </div>
+            </CardContent>
+          </Card>
+        ))}
+      </div>
+    </div>
+  )
+}

src/app/(dashboard)/admin/announcements/page.tsx

@@ -1,8 +1,11 @@
 import type { Metadata } from "next"
 import type { JSX } from "react"
 
+import { requirePermission } from "@/shared/lib/auth-guard"
+import { Permissions } from "@/shared/types/permissions"
 import { getAnnouncements } from "@/modules/announcements/data-access"
 import { getGrades } from "@/modules/school/data-access"
+import { getAdminClasses } from "@/modules/classes/data-access"
 import { AdminAnnouncementsView } from "@/modules/announcements/components/admin-announcements-view"
 import { getSearchParam, type SearchParams } from "@/shared/lib/utils"
 import type { AnnouncementStatus } from "@/modules/announcements/types"
@@ -22,19 +25,22 @@ export default async function AdminAnnouncementsPage({
 }: {
   searchParams: Promise<SearchParams>
 }): Promise<JSX.Element> {
+  await requirePermission(Permissions.ANNOUNCEMENT_MANAGE)
   const sp = await searchParams
   const statusParam = getSearchParam(sp, "status")
   const status = isValidStatus(statusParam) ? statusParam : undefined
 
-  const [announcements, grades] = await Promise.all([
+  const [announcements, grades, classes] = await Promise.all([
     getAnnouncements({ status }),
     getGrades(),
+    getAdminClasses(),
   ])
 
   return (
     <AdminAnnouncementsView
       announcements={announcements}
       grades={grades.map((g) => ({ id: g.id, name: g.name }))}
+      classes={classes.map((c) => ({ id: c.id, name: c.name }))}
       initialStatus={status}
     />
   )

src/app/(dashboard)/admin/layout.tsx

@@ -0,0 +1,10 @@
+import { getAuthContext } from "@/shared/lib/auth-guard"
+
+export default async function AdminLayout({
+  children,
+}: {
+  children: React.ReactNode
+}): Promise<React.ReactNode> {
+  await getAuthContext()
+  return <>{children}</>
+}

src/app/(dashboard)/admin/scheduling/auto/error.tsx

@@ -0,0 +1,22 @@
+"use client"
+
+import { AlertCircle } from "lucide-react"
+
+import { EmptyState } from "@/shared/components/ui/empty-state"
+
+export default function AdminSchedulingAutoError({ reset }: { error: Error & { digest?: string }; reset: () => void }) {
+  return (
+    <div className="flex h-full flex-col items-center justify-center space-y-4 p-8">
+      <EmptyState
+        icon={AlertCircle}
+        title="页面加载失败"
+        description="抱歉，页面加载时发生了意外错误。请稍后重试。"
+        action={{
+          label: "重试",
+          onClick: () => reset(),
+        }}
+        className="border-none shadow-none h-auto"
+      />
+    </div>
+  )
+}

src/app/(dashboard)/admin/scheduling/auto/loading.tsx

@@ -0,0 +1,24 @@
+import { Card, CardContent, CardHeader } from "@/shared/components/ui/card"
+import { Skeleton } from "@/shared/components/ui/skeleton"
+
+export default function AdminSchedulingAutoLoading() {
+  return (
+    <div className="flex h-full flex-col space-y-8 p-8">
+      <div className="space-y-2">
+        <Skeleton className="h-8 w-48" />
+        <Skeleton className="h-4 w-64" />
+      </div>
+
+      <Card>
+        <CardHeader>
+          <Skeleton className="h-5 w-32" />
+        </CardHeader>
+        <CardContent className="space-y-3">
+          {Array.from({ length: 6 }).map((_, i) => (
+            <Skeleton key={i} className="h-12 w-full" />
+          ))}
+        </CardContent>
+      </Card>
+    </div>
+  )
+}

src/app/(dashboard)/admin/scheduling/auto/page.tsx

@@ -3,6 +3,8 @@ import { CalendarClock, ClipboardList, Settings2 } from "lucide-react"
 import type { Metadata } from "next"
 import type { JSX } from "react"
 
+import { requirePermission } from "@/shared/lib/auth-guard"
+import { Permissions } from "@/shared/types/permissions"
 import { Button } from "@/shared/components/ui/button"
 import { EmptyState } from "@/shared/components/ui/empty-state"
 import { getAdminClassesForScheduling } from "@/modules/scheduling/data-access"
@@ -16,6 +18,7 @@ export const metadata: Metadata = {
 export const dynamic = "force-dynamic"
 
 export default async function AdminSchedulingAutoPage(): Promise<JSX.Element> {
+  await requirePermission(Permissions.SCHEDULE_AUTO)
   const classes = await getAdminClassesForScheduling()
   const classOptions = classes.map((c) => ({ id: c.id, name: c.name, grade: c.grade }))
 

src/app/(dashboard)/admin/scheduling/changes/error.tsx

@@ -0,0 +1,22 @@
+"use client"
+
+import { AlertCircle } from "lucide-react"
+
+import { EmptyState } from "@/shared/components/ui/empty-state"
+
+export default function AdminSchedulingChangesError({ reset }: { error: Error & { digest?: string }; reset: () => void }) {
+  return (
+    <div className="flex h-full flex-col items-center justify-center space-y-4 p-8">
+      <EmptyState
+        icon={AlertCircle}
+        title="页面加载失败"
+        description="抱歉，页面加载时发生了意外错误。请稍后重试。"
+        action={{
+          label: "重试",
+          onClick: () => reset(),
+        }}
+        className="border-none shadow-none h-auto"
+      />
+    </div>
+  )
+}

src/app/(dashboard)/admin/scheduling/changes/loading.tsx

@@ -0,0 +1,24 @@
+import { Card, CardContent, CardHeader } from "@/shared/components/ui/card"
+import { Skeleton } from "@/shared/components/ui/skeleton"
+
+export default function AdminSchedulingChangesLoading() {
+  return (
+    <div className="flex h-full flex-col space-y-8 p-8">
+      <div className="space-y-2">
+        <Skeleton className="h-8 w-48" />
+        <Skeleton className="h-4 w-64" />
+      </div>
+
+      <Card>
+        <CardHeader>
+          <Skeleton className="h-5 w-32" />
+        </CardHeader>
+        <CardContent className="space-y-3">
+          {Array.from({ length: 6 }).map((_, i) => (
+            <Skeleton key={i} className="h-12 w-full" />
+          ))}
+        </CardContent>
+      </Card>
+    </div>
+  )
+}

src/app/(dashboard)/admin/scheduling/rules/error.tsx

@@ -0,0 +1,22 @@
+"use client"
+
+import { AlertCircle } from "lucide-react"
+
+import { EmptyState } from "@/shared/components/ui/empty-state"
+
+export default function AdminSchedulingRulesError({ reset }: { error: Error & { digest?: string }; reset: () => void }) {
+  return (
+    <div className="flex h-full flex-col items-center justify-center space-y-4 p-8">
+      <EmptyState
+        icon={AlertCircle}
+        title="页面加载失败"
+        description="抱歉，页面加载时发生了意外错误。请稍后重试。"
+        action={{
+          label: "重试",
+          onClick: () => reset(),
+        }}
+        className="border-none shadow-none h-auto"
+      />
+    </div>
+  )
+}

src/app/(dashboard)/admin/scheduling/rules/loading.tsx

@@ -0,0 +1,24 @@
+import { Card, CardContent, CardHeader } from "@/shared/components/ui/card"
+import { Skeleton } from "@/shared/components/ui/skeleton"
+
+export default function AdminSchedulingRulesLoading() {
+  return (
+    <div className="flex h-full flex-col space-y-8 p-8">
+      <div className="space-y-2">
+        <Skeleton className="h-8 w-48" />
+        <Skeleton className="h-4 w-64" />
+      </div>
+
+      <Card>
+        <CardHeader>
+          <Skeleton className="h-5 w-32" />
+        </CardHeader>
+        <CardContent className="space-y-3">
+          {Array.from({ length: 6 }).map((_, i) => (
+            <Skeleton key={i} className="h-12 w-full" />
+          ))}
+        </CardContent>
+      </Card>
+    </div>
+  )
+}

src/app/(dashboard)/admin/scheduling/rules/page.tsx

@@ -2,6 +2,8 @@
 import type { Metadata } from "next"
 import type { JSX } from "react"
 
+import { requirePermission } from "@/shared/lib/auth-guard"
+import { Permissions } from "@/shared/types/permissions"
 import { EmptyState } from "@/shared/components/ui/empty-state"
 import {
   getAdminClassesForScheduling,
@@ -17,6 +19,7 @@ export const metadata: Metadata = {
 export const dynamic = "force-dynamic"
 
 export default async function AdminSchedulingRulesPage(): Promise<JSX.Element> {
+  await requirePermission(Permissions.SCHEDULE_ADJUST)
   const [classes, existingRules] = await Promise.all([
     getAdminClassesForScheduling(),
     getSchedulingRules(),

src/app/(dashboard)/admin/school/academic-year/error.tsx

@@ -0,0 +1,22 @@
+"use client"
+
+import { AlertCircle } from "lucide-react"
+
+import { EmptyState } from "@/shared/components/ui/empty-state"
+
+export default function AdminAcademicYearError({ reset }: { error: Error & { digest?: string }; reset: () => void }) {
+  return (
+    <div className="flex h-full flex-col items-center justify-center space-y-4 p-8">
+      <EmptyState
+        icon={AlertCircle}
+        title="页面加载失败"
+        description="抱歉，页面加载时发生了意外错误。请稍后重试。"
+        action={{
+          label: "重试",
+          onClick: () => reset(),
+        }}
+        className="border-none shadow-none h-auto"
+      />
+    </div>
+  )
+}

src/app/(dashboard)/admin/school/academic-year/loading.tsx

@@ -0,0 +1,24 @@
+import { Card, CardContent, CardHeader } from "@/shared/components/ui/card"
+import { Skeleton } from "@/shared/components/ui/skeleton"
+
+export default function AdminAcademicYearLoading() {
+  return (
+    <div className="flex h-full flex-col space-y-8 p-8">
+      <div className="space-y-2">
+        <Skeleton className="h-8 w-48" />
+        <Skeleton className="h-4 w-64" />
+      </div>
+
+      <Card>
+        <CardHeader>
+          <Skeleton className="h-5 w-32" />
+        </CardHeader>
+        <CardContent className="space-y-3">
+          {Array.from({ length: 6 }).map((_, i) => (
+            <Skeleton key={i} className="h-12 w-full" />
+          ))}
+        </CardContent>
+      </Card>
+    </div>
+  )
+}

src/app/(dashboard)/admin/school/academic-year/page.tsx

@@ -1,6 +1,8 @@
 import type { Metadata } from "next"
 import type { JSX } from "react"
 
+import { requirePermission } from "@/shared/lib/auth-guard"
+import { Permissions } from "@/shared/types/permissions"
 import { AcademicYearClient } from "@/modules/school/components/academic-year-view"
 import { getAcademicYears } from "@/modules/school/data-access"
 
@@ -12,6 +14,7 @@ export const metadata: Metadata = {
 export const dynamic = "force-dynamic"
 
 export default async function AdminAcademicYearPage(): Promise<JSX.Element> {
+  await requirePermission(Permissions.SCHOOL_MANAGE)
   const years = await getAcademicYears()
   return (
     <div className="flex h-full flex-col space-y-8 p-8">

src/app/(dashboard)/admin/school/classes/error.tsx

@@ -0,0 +1,22 @@
+"use client"
+
+import { AlertCircle } from "lucide-react"
+
+import { EmptyState } from "@/shared/components/ui/empty-state"
+
+export default function AdminClassesError({ reset }: { error: Error & { digest?: string }; reset: () => void }) {
+  return (
+    <div className="flex h-full flex-col items-center justify-center space-y-4 p-8">
+      <EmptyState
+        icon={AlertCircle}
+        title="页面加载失败"
+        description="抱歉，页面加载时发生了意外错误。请稍后重试。"
+        action={{
+          label: "重试",
+          onClick: () => reset(),
+        }}
+        className="border-none shadow-none h-auto"
+      />
+    </div>
+  )
+}

src/app/(dashboard)/admin/school/classes/loading.tsx

@@ -0,0 +1,24 @@
+import { Card, CardContent, CardHeader } from "@/shared/components/ui/card"
+import { Skeleton } from "@/shared/components/ui/skeleton"
+
+export default function AdminClassesLoading() {
+  return (
+    <div className="flex h-full flex-col space-y-8 p-8">
+      <div className="space-y-2">
+        <Skeleton className="h-8 w-48" />
+        <Skeleton className="h-4 w-64" />
+      </div>
+
+      <Card>
+        <CardHeader>
+          <Skeleton className="h-5 w-32" />
+        </CardHeader>
+        <CardContent className="space-y-3">
+          {Array.from({ length: 6 }).map((_, i) => (
+            <Skeleton key={i} className="h-12 w-full" />
+          ))}
+        </CardContent>
+      </Card>
+    </div>
+  )
+}

src/app/(dashboard)/admin/school/classes/page.tsx

@@ -1,7 +1,10 @@
-import type { Metadata } from "next"
+import type { Metadata } from "next"
 import type { JSX } from "react"
 
+import { requirePermission } from "@/shared/lib/auth-guard"
+import { Permissions } from "@/shared/types/permissions"
 import { getAdminClasses, getTeacherOptions } from "@/modules/classes/data-access"
+import { getGrades, getSchools } from "@/modules/school/data-access"
 import { AdminClassesClient } from "@/modules/classes/components/admin-classes-view"
 
 export const metadata: Metadata = {
@@ -12,7 +15,13 @@ export const metadata: Metadata = {
 export const dynamic = "force-dynamic"
 
 export default async function AdminSchoolClassesPage(): Promise<JSX.Element> {
-  const [classes, teachers] = await Promise.all([getAdminClasses(), getTeacherOptions()])
+  await requirePermission(Permissions.SCHOOL_MANAGE)
+  const [classes, teachers, schools, grades] = await Promise.all([
+    getAdminClasses(),
+    getTeacherOptions(),
+    getSchools(),
+    getGrades(),
+  ])
 
   return (
     <div className="flex h-full flex-col space-y-8 p-8">
@@ -20,7 +29,7 @@ export default async function AdminSchoolClassesPage(): Promise<JSX.Element> {
         <h2 className="text-2xl font-bold tracking-tight">班级管理</h2>
         <p className="text-muted-foreground">管理班级并分配教师。</p>
       </div>
-      <AdminClassesClient classes={classes} teachers={teachers} />
+      <AdminClassesClient classes={classes} teachers={teachers} schools={schools} grades={grades} />
     </div>
   )
 }

src/app/(dashboard)/admin/school/departments/error.tsx

@@ -0,0 +1,22 @@
+"use client"
+
+import { AlertCircle } from "lucide-react"
+
+import { EmptyState } from "@/shared/components/ui/empty-state"
+
+export default function AdminDepartmentsError({ reset }: { error: Error & { digest?: string }; reset: () => void }) {
+  return (
+    <div className="flex h-full flex-col items-center justify-center space-y-4 p-8">
+      <EmptyState
+        icon={AlertCircle}
+        title="页面加载失败"
+        description="抱歉，页面加载时发生了意外错误。请稍后重试。"
+        action={{
+          label: "重试",
+          onClick: () => reset(),
+        }}
+        className="border-none shadow-none h-auto"
+      />
+    </div>
+  )
+}

src/app/(dashboard)/admin/school/departments/loading.tsx

@@ -0,0 +1,24 @@
+import { Card, CardContent, CardHeader } from "@/shared/components/ui/card"
+import { Skeleton } from "@/shared/components/ui/skeleton"
+
+export default function AdminDepartmentsLoading() {
+  return (
+    <div className="flex h-full flex-col space-y-8 p-8">
+      <div className="space-y-2">
+        <Skeleton className="h-8 w-48" />
+        <Skeleton className="h-4 w-64" />
+      </div>
+
+      <Card>
+        <CardHeader>
+          <Skeleton className="h-5 w-32" />
+        </CardHeader>
+        <CardContent className="space-y-3">
+          {Array.from({ length: 6 }).map((_, i) => (
+            <Skeleton key={i} className="h-12 w-full" />
+          ))}
+        </CardContent>
+      </Card>
+    </div>
+  )
+}

src/app/(dashboard)/admin/school/departments/page.tsx

@@ -1,6 +1,8 @@
 import type { Metadata } from "next"
 import type { JSX } from "react"
 
+import { requirePermission } from "@/shared/lib/auth-guard"
+import { Permissions } from "@/shared/types/permissions"
 import { DepartmentsClient } from "@/modules/school/components/departments-view"
 import { getDepartments } from "@/modules/school/data-access"
 
@@ -12,6 +14,7 @@ export const metadata: Metadata = {
 export const dynamic = "force-dynamic"
 
 export default async function AdminDepartmentsPage(): Promise<JSX.Element> {
+  await requirePermission(Permissions.SCHOOL_MANAGE)
   const departments = await getDepartments()
   return (
     <div className="flex h-full flex-col space-y-8 p-8">

src/app/(dashboard)/admin/school/grades/error.tsx

@@ -0,0 +1,22 @@
+"use client"
+
+import { AlertCircle } from "lucide-react"
+
+import { EmptyState } from "@/shared/components/ui/empty-state"
+
+export default function AdminGradesError({ reset }: { error: Error & { digest?: string }; reset: () => void }) {
+  return (
+    <div className="flex h-full flex-col items-center justify-center space-y-4 p-8">
+      <EmptyState
+        icon={AlertCircle}
+        title="页面加载失败"
+        description="抱歉，页面加载时发生了意外错误。请稍后重试。"
+        action={{
+          label: "重试",
+          onClick: () => reset(),
+        }}
+        className="border-none shadow-none h-auto"
+      />
+    </div>
+  )
+}

src/app/(dashboard)/admin/school/grades/insights/page.tsx

@@ -3,6 +3,8 @@ import type { Metadata } from "next"
 import type { JSX } from "react"
 import { BarChart3 } from "lucide-react"
 
+import { requirePermission } from "@/shared/lib/auth-guard"
+import { Permissions } from "@/shared/types/permissions"
 import { getGrades } from "@/modules/school/data-access"
 import { getGradeHomeworkInsights } from "@/modules/classes/data-access"
 import { EmptyState } from "@/shared/components/ui/empty-state"
@@ -25,6 +27,7 @@ export default async function AdminGradeInsightsPage({
 }: {
   searchParams: Promise<SearchParams>
 }): Promise<JSX.Element> {
+  await requirePermission(Permissions.SCHOOL_MANAGE)
   const params = await searchParams
   const gradeId = getSearchParam(params, "gradeId")
   const selected = gradeId && gradeId !== "all" ? gradeId : ""

src/app/(dashboard)/admin/school/grades/loading.tsx

@@ -0,0 +1,24 @@
+import { Card, CardContent, CardHeader } from "@/shared/components/ui/card"
+import { Skeleton } from "@/shared/components/ui/skeleton"
+
+export default function AdminGradesLoading() {
+  return (
+    <div className="flex h-full flex-col space-y-8 p-8">
+      <div className="space-y-2">
+        <Skeleton className="h-8 w-48" />
+        <Skeleton className="h-4 w-64" />
+      </div>
+
+      <Card>
+        <CardHeader>
+          <Skeleton className="h-5 w-32" />
+        </CardHeader>
+        <CardContent className="space-y-3">
+          {Array.from({ length: 6 }).map((_, i) => (
+            <Skeleton key={i} className="h-12 w-full" />
+          ))}
+        </CardContent>
+      </Card>
+    </div>
+  )
+}

src/app/(dashboard)/admin/school/grades/page.tsx

@@ -1,6 +1,8 @@
 import type { Metadata } from "next"
 import type { JSX } from "react"
 
+import { requirePermission } from "@/shared/lib/auth-guard"
+import { Permissions } from "@/shared/types/permissions"
 import { GradesClient } from "@/modules/school/components/grades-view"
 import { getGrades, getSchools, getStaffOptions } from "@/modules/school/data-access"
 
@@ -12,6 +14,7 @@ export const metadata: Metadata = {
 export const dynamic = "force-dynamic"
 
 export default async function AdminGradesPage(): Promise<JSX.Element> {
+  await requirePermission(Permissions.SCHOOL_MANAGE)
   const [grades, schools, staff] = await Promise.all([getGrades(), getSchools(), getStaffOptions()])
 
   return (

src/app/(dashboard)/admin/school/schools/error.tsx

@@ -0,0 +1,22 @@
+"use client"
+
+import { AlertCircle } from "lucide-react"
+
+import { EmptyState } from "@/shared/components/ui/empty-state"
+
+export default function AdminSchoolsError({ reset }: { error: Error & { digest?: string }; reset: () => void }) {
+  return (
+    <div className="flex h-full flex-col items-center justify-center space-y-4 p-8">
+      <EmptyState
+        icon={AlertCircle}
+        title="页面加载失败"
+        description="抱歉，页面加载时发生了意外错误。请稍后重试。"
+        action={{
+          label: "重试",
+          onClick: () => reset(),
+        }}
+        className="border-none shadow-none h-auto"
+      />
+    </div>
+  )
+}

src/app/(dashboard)/admin/school/schools/loading.tsx

@@ -0,0 +1,24 @@
+import { Card, CardContent, CardHeader } from "@/shared/components/ui/card"
+import { Skeleton } from "@/shared/components/ui/skeleton"
+
+export default function AdminSchoolsLoading() {
+  return (
+    <div className="flex h-full flex-col space-y-8 p-8">
+      <div className="space-y-2">
+        <Skeleton className="h-8 w-48" />
+        <Skeleton className="h-4 w-64" />
+      </div>
+
+      <Card>
+        <CardHeader>
+          <Skeleton className="h-5 w-32" />
+        </CardHeader>
+        <CardContent className="space-y-3">
+          {Array.from({ length: 6 }).map((_, i) => (
+            <Skeleton key={i} className="h-12 w-full" />
+          ))}
+        </CardContent>
+      </Card>
+    </div>
+  )
+}

src/app/(dashboard)/admin/school/schools/page.tsx

@@ -1,6 +1,8 @@
 import type { Metadata } from "next"
 import type { JSX } from "react"
 
+import { requirePermission } from "@/shared/lib/auth-guard"
+import { Permissions } from "@/shared/types/permissions"
 import { SchoolsClient } from "@/modules/school/components/schools-view"
 import { getSchools } from "@/modules/school/data-access"
 
@@ -12,6 +14,7 @@ export const metadata: Metadata = {
 export const dynamic = "force-dynamic"
 
 export default async function AdminSchoolsPage(): Promise<JSX.Element> {
+  await requirePermission(Permissions.SCHOOL_MANAGE)
   const schools = await getSchools()
   return (
     <div className="flex h-full flex-col space-y-8 p-8">

src/app/(dashboard)/admin/users/import/error.tsx

@@ -0,0 +1,22 @@
+"use client"
+
+import { AlertCircle } from "lucide-react"
+
+import { EmptyState } from "@/shared/components/ui/empty-state"
+
+export default function AdminUsersImportError({ reset }: { error: Error & { digest?: string }; reset: () => void }) {
+  return (
+    <div className="flex h-full flex-col items-center justify-center space-y-4 p-8">
+      <EmptyState
+        icon={AlertCircle}
+        title="页面加载失败"
+        description="抱歉，页面加载时发生了意外错误。请稍后重试。"
+        action={{
+          label: "重试",
+          onClick: () => reset(),
+        }}
+        className="border-none shadow-none h-auto"
+      />
+    </div>
+  )
+}

src/app/(dashboard)/admin/users/import/loading.tsx

@@ -0,0 +1,24 @@
+import { Card, CardContent, CardHeader } from "@/shared/components/ui/card"
+import { Skeleton } from "@/shared/components/ui/skeleton"
+
+export default function AdminUsersImportLoading() {
+  return (
+    <div className="flex h-full flex-col space-y-8 p-8">
+      <div className="space-y-2">
+        <Skeleton className="h-8 w-48" />
+        <Skeleton className="h-4 w-64" />
+      </div>
+
+      <Card>
+        <CardHeader>
+          <Skeleton className="h-5 w-32" />
+        </CardHeader>
+        <CardContent className="space-y-3">
+          {Array.from({ length: 6 }).map((_, i) => (
+            <Skeleton key={i} className="h-12 w-full" />
+          ))}
+        </CardContent>
+      </Card>
+    </div>
+  )
+}

src/app/(dashboard)/admin/users/import/page.tsx

@@ -3,6 +3,8 @@ import type { JSX } from "react"
 import Link from "next/link"
 import { ArrowLeft, Users, FileSpreadsheet, Info } from "lucide-react"
 
+import { requirePermission } from "@/shared/lib/auth-guard"
+import { Permissions } from "@/shared/types/permissions"
 import { Button } from "@/shared/components/ui/button"
 import { Card, CardContent, CardDescription, CardHeader, CardTitle } from "@/shared/components/ui/card"
 import {
@@ -22,7 +24,8 @@ export const metadata: Metadata = {
 
 export const dynamic = "force-dynamic"
 
-export default function UserImportPage(): JSX.Element {
+export default async function UserImportPage(): Promise<JSX.Element> {
+  await requirePermission(Permissions.USER_MANAGE)
   return (
     <div className="h-full flex-1 flex-col space-y-6 p-8 md:flex">
       <div className="flex items-center justify-between space-y-2">