fix: patch P0 security vulnerabilities and critical UX issues across 6 modules

Security: Add admin/layout.tsx auth guard; Add requirePermission() to 12 admin pages Dashboard: Fix StudentStatsGrid rendering; Fix teacher greeting; Add loading/error boundaries; Fix col-span; Add metadata Announcements: Fix audience filtering; Add user detail page; Trigger notifications on publish; Pass classes data; Add loading.tsx Messages: Implement soft delete; Add unread badge with polling; Add notification dropdown polling; Add keyword search; Add quiet hours DND Management: Add loading/error for 9 admin routes; Fix admin-classes-view to use Select for school/grade Profile/Settings: Add loading/error; Fix parent role routing; Create ParentSettingsView; Integrate AiProviderSettingsCard; Add Tab URL persistence; Add logout confirm; Add avatar; Fix Progress arbitrary class Schema: Add senderDeletedAt/receiverDeletedAt to messages; Add quietHours to notificationPreferences; Add uniqueIndex import Docs: Update architecture docs 004/005
2026-06-22 13:57:31 +08:00
parent 5ff7ab9e72
commit a4d096a6fc
81 changed files with 2145 additions and 124 deletions
--- a/src/app/(dashboard)/announcements/[id]/page.tsx
+++ b/src/app/(dashboard)/announcements/[id]/page.tsx
@@ -0,0 +1,36 @@
+import { notFound } from "next/navigation"
+import type { Metadata } from "next"
+import type { JSX } from "react"
+
+import { requirePermission } from "@/shared/lib/auth-guard"
+import { Permissions } from "@/shared/types/permissions"
+import { getAnnouncementById } from "@/modules/announcements/data-access"
+import { AnnouncementDetail } from "@/modules/announcements/components/announcement-detail"
+
+export const metadata: Metadata = {
+  title: "Announcement - Next_Edu",
+}
+
+export const dynamic = "force-dynamic"
+
+export default async function AnnouncementDetailPage({
+  params,
+}: {
+  params: Promise<{ id: string }>
+}): Promise<JSX.Element> {
+  const { id } = await params
+  await requirePermission(Permissions.ANNOUNCEMENT_READ)
+
+  const announcement = await getAnnouncementById(id)
+  if (!announcement) notFound()
+
+  return (
+    <div className="flex h-full flex-col space-y-8 p-8">
+      <AnnouncementDetail
+        announcement={announcement}
+        canManage={false}
+        backHref="/announcements"
+      />
+    </div>
+  )
+}
--- a/src/app/(dashboard)/announcements/loading.tsx
+++ b/src/app/(dashboard)/announcements/loading.tsx
@@ -0,0 +1,37 @@
+import { Card, CardContent, CardHeader } from "@/shared/components/ui/card"
+import { Skeleton } from "@/shared/components/ui/skeleton"
+
+export default function AnnouncementsLoading() {
+  return (
+    <div className="flex h-full flex-col space-y-8 p-8">
+      <div className="space-y-2">
+        <Skeleton className="h-8 w-48" />
+        <Skeleton className="h-4 w-64" />
+      </div>
+
+      <div className="flex items-center gap-3">
+        <Skeleton className="h-9 w-[180px]" />
+      </div>
+
+      <div className="grid grid-cols-1 gap-4 md:grid-cols-2 lg:grid-cols-3">
+        {Array.from({ length: 6 }).map((_, i) => (
+          <Card key={i}>
+            <CardHeader className="flex flex-row items-start justify-between gap-2 space-y-0">
+              <Skeleton className="h-5 w-3/4" />
+              <Skeleton className="h-5 w-16" />
+            </CardHeader>
+            <CardContent className="space-y-2">
+              <Skeleton className="h-4 w-full" />
+              <Skeleton className="h-4 w-full" />
+              <Skeleton className="h-4 w-2/3" />
+              <div className="flex items-center gap-2 pt-2">
+                <Skeleton className="h-5 w-16" />
+                <Skeleton className="h-3 w-32" />
+              </div>
+            </CardContent>
+          </Card>
+        ))}
+      </div>
+    </div>
+  )
+}
--- a/src/app/(dashboard)/announcements/page.tsx
+++ b/src/app/(dashboard)/announcements/page.tsx
@@ -1,17 +1,88 @@
+import type { Metadata } from "next"
+
 import { requirePermission } from "@/shared/lib/auth-guard"
 import { Permissions } from "@/shared/types/permissions"
 import { getAnnouncements } from "@/modules/announcements/data-access"
 import { AnnouncementList } from "@/modules/announcements/components/announcement-list"
+import {
+  getStudentActiveClassId,
+  getStudentActiveGradeId,
+  getClassGradeId,
+} from "@/modules/classes/data-access"

 export const dynamic = "force-dynamic"

-export const metadata = {
+export const metadata: Metadata = {
  title: "Announcements",
 }

+/**
+ * 根据当前用户身份解析受众信息（gradeId / classId）。
+ * - admin：返回 null（管理端可见所有公告）
+ * - student / teacher：使用首个 classId 并查询其 gradeId
+ * - grade_head / teaching_head：使用首个 gradeId
+ * - parent：使用首个孩子的活跃班级信息
+ * - 其他：返回 null（仅显示 school 类型公告由 audience.gradeId/classId 均缺失时的兜底处理）
+ */
+async function resolveAudience(ctx: {
+  userId: string
+  dataScope:
+    | { type: "all" }
+    | { type: "owned"; userId: string }
+    | { type: "class_members"; classIds: string[] }
+    | { type: "grade_managed"; gradeIds: string[] }
+    | { type: "class_taught"; classIds: string[]; subjectIds?: string[] }
+    | { type: "children"; childrenIds: string[] }
+}): Promise<{ gradeId?: string; classId?: string } | null> {
+  const { dataScope } = ctx
+
+  if (dataScope.type === "all") return null
+
+  if (dataScope.type === "grade_managed") {
+    const gradeId = dataScope.gradeIds[0]
+    return gradeId ? { gradeId } : null
+  }
+
+  if (dataScope.type === "class_members" || dataScope.type === "class_taught") {
+    const classId = dataScope.classIds[0]
+    if (!classId) return null
+    const gradeId = await getClassGradeId(classId)
+    return { classId, gradeId: gradeId ?? undefined }
+  }
+
+  if (dataScope.type === "children") {
+    const childId = dataScope.childrenIds[0]
+    if (!childId) return null
+    const [classId, gradeId] = await Promise.all([
+      getStudentActiveClassId(childId),
+      getStudentActiveGradeId(childId),
+    ])
+    return {
+      classId: classId ?? undefined,
+      gradeId: gradeId ?? undefined,
+    }
+  }
+
+  // owned / 其他：尝试用当前 userId 查询（兼容 student 角色直接访问）
+  const [classId, gradeId] = await Promise.all([
+    getStudentActiveClassId(ctx.userId),
+    getStudentActiveGradeId(ctx.userId),
+  ])
+  if (!classId && !gradeId) return null
+  return {
+    classId: classId ?? undefined,
+    gradeId: gradeId ?? undefined,
+  }
+}
+
 export default async function AnnouncementsPage() {
-  await requirePermission(Permissions.ANNOUNCEMENT_READ)
-  const announcements = await getAnnouncements({ status: "published" })
+  const ctx = await requirePermission(Permissions.ANNOUNCEMENT_READ)
+  const audience = await resolveAudience(ctx)
+
+  const announcements = await getAnnouncements({
+    status: "published",
+    audience: audience ?? undefined,
+  })

  return (
    <div className="flex h-full flex-col space-y-8 p-8">
@@ -21,7 +92,10 @@ export default async function AnnouncementsPage() {
          Stay up to date with the latest school announcements.
        </p>
      </div>
-      <AnnouncementList announcements={announcements} />
+      <AnnouncementList
+        announcements={announcements}
+        detailHrefBuilder={(id) => `/announcements/${id}`}
+      />
    </div>
  )
 }