fix: patch P0 security vulnerabilities and critical UX issues across 6 modules

Security: Add admin/layout.tsx auth guard; Add requirePermission() to 12 admin pages Dashboard: Fix StudentStatsGrid rendering; Fix teacher greeting; Add loading/error boundaries; Fix col-span; Add metadata Announcements: Fix audience filtering; Add user detail page; Trigger notifications on publish; Pass classes data; Add loading.tsx Messages: Implement soft delete; Add unread badge with polling; Add notification dropdown polling; Add keyword search; Add quiet hours DND Management: Add loading/error for 9 admin routes; Fix admin-classes-view to use Select for school/grade Profile/Settings: Add loading/error; Fix parent role routing; Create ParentSettingsView; Integrate AiProviderSettingsCard; Add Tab URL persistence; Add logout confirm; Add avatar; Fix Progress arbitrary class Schema: Add senderDeletedAt/receiverDeletedAt to messages; Add quietHours to notificationPreferences; Add uniqueIndex import Docs: Update architecture docs 004/005
2026-06-22 13:57:31 +08:00
parent 5ff7ab9e72
commit a4d096a6fc
81 changed files with 2145 additions and 124 deletions
--- a/src/app/(dashboard)/admin/announcements/[id]/page.tsx
+++ b/src/app/(dashboard)/admin/announcements/[id]/page.tsx
@@ -2,6 +2,8 @@ import { notFound } from "next/navigation"
 import type { Metadata } from "next"
 import type { JSX } from "react"

+import { requirePermission } from "@/shared/lib/auth-guard"
+import { Permissions } from "@/shared/types/permissions"
 import { getAnnouncementById } from "@/modules/announcements/data-access"
 import { getGrades } from "@/modules/school/data-access"
 import { AnnouncementForm } from "@/modules/announcements/components/announcement-form"
@@ -18,6 +20,7 @@ export default async function EditAnnouncementPage({
 }: {
  params: Promise<{ id: string }>
 }): Promise<JSX.Element> {
+  await requirePermission(Permissions.ANNOUNCEMENT_MANAGE)
  const { id } = await params

  const [announcement, grades] = await Promise.all([
--- a/src/app/(dashboard)/admin/announcements/loading.tsx
+++ b/src/app/(dashboard)/admin/announcements/loading.tsx
@@ -0,0 +1,40 @@
+import { Card, CardContent, CardHeader } from "@/shared/components/ui/card"
+import { Skeleton } from "@/shared/components/ui/skeleton"
+
+export default function AdminAnnouncementsLoading() {
+  return (
+    <div className="flex h-full flex-col space-y-8 p-8">
+      <div className="flex items-center justify-between space-y-2">
+        <div className="space-y-2">
+          <Skeleton className="h-8 w-48" />
+          <Skeleton className="h-4 w-64" />
+        </div>
+        <Skeleton className="h-9 w-40" />
+      </div>
+
+      <div className="flex items-center gap-3">
+        <Skeleton className="h-9 w-[180px]" />
+      </div>
+
+      <div className="grid grid-cols-1 gap-4 md:grid-cols-2 lg:grid-cols-3">
+        {Array.from({ length: 6 }).map((_, i) => (
+          <Card key={i}>
+            <CardHeader className="flex flex-row items-start justify-between gap-2 space-y-0">
+              <Skeleton className="h-5 w-3/4" />
+              <Skeleton className="h-5 w-16" />
+            </CardHeader>
+            <CardContent className="space-y-2">
+              <Skeleton className="h-4 w-full" />
+              <Skeleton className="h-4 w-full" />
+              <Skeleton className="h-4 w-2/3" />
+              <div className="flex items-center gap-2 pt-2">
+                <Skeleton className="h-5 w-16" />
+                <Skeleton className="h-3 w-32" />
+              </div>
+            </CardContent>
+          </Card>
+        ))}
+      </div>
+    </div>
+  )
+}
--- a/src/app/(dashboard)/admin/announcements/page.tsx
+++ b/src/app/(dashboard)/admin/announcements/page.tsx
@@ -1,8 +1,11 @@
 import type { Metadata } from "next"
 import type { JSX } from "react"

+import { requirePermission } from "@/shared/lib/auth-guard"
+import { Permissions } from "@/shared/types/permissions"
 import { getAnnouncements } from "@/modules/announcements/data-access"
 import { getGrades } from "@/modules/school/data-access"
+import { getAdminClasses } from "@/modules/classes/data-access"
 import { AdminAnnouncementsView } from "@/modules/announcements/components/admin-announcements-view"
 import { getSearchParam, type SearchParams } from "@/shared/lib/utils"
 import type { AnnouncementStatus } from "@/modules/announcements/types"
@@ -22,19 +25,22 @@ export default async function AdminAnnouncementsPage({
 }: {
  searchParams: Promise<SearchParams>
 }): Promise<JSX.Element> {
+  await requirePermission(Permissions.ANNOUNCEMENT_MANAGE)
  const sp = await searchParams
  const statusParam = getSearchParam(sp, "status")
  const status = isValidStatus(statusParam) ? statusParam : undefined

-  const [announcements, grades] = await Promise.all([
+  const [announcements, grades, classes] = await Promise.all([
    getAnnouncements({ status }),
    getGrades(),
+    getAdminClasses(),
  ])

  return (
    <AdminAnnouncementsView
      announcements={announcements}
      grades={grades.map((g) => ({ id: g.id, name: g.name }))}
+      classes={classes.map((c) => ({ id: c.id, name: c.name }))}
      initialStatus={status}
    />
  )