fix: patch P0 security vulnerabilities and critical UX issues across 6 modules

Security: Add admin/layout.tsx auth guard; Add requirePermission() to 12 admin pages Dashboard: Fix StudentStatsGrid rendering; Fix teacher greeting; Add loading/error boundaries; Fix col-span; Add metadata Announcements: Fix audience filtering; Add user detail page; Trigger notifications on publish; Pass classes data; Add loading.tsx Messages: Implement soft delete; Add unread badge with polling; Add notification dropdown polling; Add keyword search; Add quiet hours DND Management: Add loading/error for 9 admin routes; Fix admin-classes-view to use Select for school/grade Profile/Settings: Add loading/error; Fix parent role routing; Create ParentSettingsView; Integrate AiProviderSettingsCard; Add Tab URL persistence; Add logout confirm; Add avatar; Fix Progress arbitrary class Schema: Add senderDeletedAt/receiverDeletedAt to messages; Add quietHours to notificationPreferences; Add uniqueIndex import Docs: Update architecture docs 004/005
2026-06-22 13:57:31 +08:00
parent 5ff7ab9e72
commit a4d096a6fc
81 changed files with 2145 additions and 124 deletions
--- a/src/modules/announcements/data-access.ts
+++ b/src/modules/announcements/data-access.ts
@@ -1,7 +1,7 @@
 import "server-only"

 import { cache } from "react"
-import { and, desc, eq } from "drizzle-orm"
+import { and, desc, eq, or } from "drizzle-orm"

 import { db } from "@/shared/db"
 import { announcements, users } from "@/shared/db/schema"
@@ -61,6 +61,25 @@ export const getAnnouncements = cache(
      conditions.push(eq(announcements.type, params.type))
    }

+    // 受众过滤：当提供 audience 时，仅返回对该受众可见的公告
+    // (type = 'school') OR (type = 'grade' AND target_grade_id = audience.gradeId)
+    // OR (type = 'class' AND target_class_id = audience.classId)
+    if (params?.audience) {
+      const { gradeId, classId } = params.audience
+      const gradeClause = gradeId
+        ? and(eq(announcements.type, "grade"), eq(announcements.targetGradeId, gradeId))
+        : undefined
+      const classClause = classId
+        ? and(eq(announcements.type, "class"), eq(announcements.targetClassId, classId))
+        : undefined
+      const orClauses = [
+        eq(announcements.type, "school"),
+        gradeClause,
+        classClause,
+      ].filter((c): c is NonNullable<typeof c> => c !== undefined)
+      conditions.push(or(...orClauses))
+    }
+
    const rows = await db
      .select({
        id: announcements.id,