fix: patch P0 security vulnerabilities and critical UX issues across 6 modules

Security: Add admin/layout.tsx auth guard; Add requirePermission() to 12 admin pages Dashboard: Fix StudentStatsGrid rendering; Fix teacher greeting; Add loading/error boundaries; Fix col-span; Add metadata Announcements: Fix audience filtering; Add user detail page; Trigger notifications on publish; Pass classes data; Add loading.tsx Messages: Implement soft delete; Add unread badge with polling; Add notification dropdown polling; Add keyword search; Add quiet hours DND Management: Add loading/error for 9 admin routes; Fix admin-classes-view to use Select for school/grade Profile/Settings: Add loading/error; Fix parent role routing; Create ParentSettingsView; Integrate AiProviderSettingsCard; Add Tab URL persistence; Add logout confirm; Add avatar; Fix Progress arbitrary class Schema: Add senderDeletedAt/receiverDeletedAt to messages; Add quietHours to notificationPreferences; Add uniqueIndex import Docs: Update architecture docs 004/005
2026-06-22 13:57:31 +08:00
parent 5ff7ab9e72
commit a4d096a6fc
81 changed files with 2145 additions and 124 deletions
--- a/src/modules/messaging/actions.ts
+++ b/src/modules/messaging/actions.ts
@@ -18,11 +18,13 @@ import {
  markMessageAsRead,
  deleteMessage,
  getRecipients,
+  getUnreadMessageCount,
 } from "./data-access"
 import {
  getNotifications,
  markNotificationAsRead,
  markAllNotificationsAsRead,
+  getUnreadNotificationCount,
 } from "@/modules/notifications/data-access"
 import {
  getNotificationPreferences,
@@ -129,7 +131,7 @@ export async function deleteMessageAction(messageId: string): Promise<ActionStat
 }

 export async function getMessagesAction(
-  params: { type: MessageType; page?: number; pageSize?: number }
+  params: { type: MessageType; page?: number; pageSize?: number; keyword?: string }
 ): Promise<ActionState<{ items: Message[]; total: number; page: number; pageSize: number; totalPages: number }>> {
  try {
    const ctx = await requirePermission(Permissions.MESSAGE_READ)
@@ -179,6 +181,30 @@ export async function getRecipientsAction(): Promise<ActionState<RecipientOption
  }
 }

+export async function getUnreadMessageCountAction(): Promise<ActionState<number>> {
+  try {
+    const ctx = await requirePermission(Permissions.MESSAGE_READ)
+    const count = await getUnreadMessageCount(ctx.userId)
+    return { success: true, data: count }
+  } catch (e) {
+    if (e instanceof PermissionDeniedError) return { success: false, message: e.message }
+    if (e instanceof Error) return { success: false, message: e.message }
+    return { success: false, message: "Unexpected error" }
+  }
+}
+
+export async function getUnreadNotificationCountAction(): Promise<ActionState<number>> {
+  try {
+    const ctx = await requirePermission(Permissions.MESSAGE_READ)
+    const count = await getUnreadNotificationCount(ctx.userId)
+    return { success: true, data: count }
+  } catch (e) {
+    if (e instanceof PermissionDeniedError) return { success: false, message: e.message }
+    if (e instanceof Error) return { success: false, message: e.message }
+    return { success: false, message: "Unexpected error" }
+  }
+}
+
 export async function getNotificationsAction(
  params?: { page?: number; pageSize?: number; unreadOnly?: boolean }
 ): Promise<ActionState<{ items: Notification[]; total: number; page: number; pageSize: number; totalPages: number }>> {
@@ -242,6 +268,13 @@ export async function updateNotificationPreferencesAction(

    // 从 FormData 中解析布尔值（checkbox 提交 "on" 或不提交）
    const parseBool = (key: string): boolean => formData.get(key) === "on"
+    // 从 FormData 中解析时间字符串（"HH:mm"），空字符串转为 null
+    const parseTime = (key: string): string | null => {
+      const v = formData.get(key)
+      if (typeof v !== "string") return null
+      const trimmed = v.trim()
+      return trimmed.length > 0 ? trimmed : null
+    }

    const parsed = UpdateNotificationPreferencesSchema.safeParse({
      emailEnabled: parseBool("emailEnabled"),
@@ -252,6 +285,9 @@ export async function updateNotificationPreferencesAction(
      announcementNotifications: parseBool("announcementNotifications"),
      messageNotifications: parseBool("messageNotifications"),
      attendanceNotifications: parseBool("attendanceNotifications"),
+      quietHoursEnabled: parseBool("quietHoursEnabled"),
+      quietHoursStart: parseTime("quietHoursStart"),
+      quietHoursEnd: parseTime("quietHoursEnd"),
    })

    if (!parsed.success) {
--- a/src/modules/messaging/components/message-list.tsx
+++ b/src/modules/messaging/components/message-list.tsx
@@ -1,18 +1,20 @@
 "use client"

-import { useMemo, useState } from "react"
+import { useEffect, useMemo, useState } from "react"
 import Link from "next/link"
-import { Mail, MailOpen, Plus, Send, Inbox } from "lucide-react"
+import { Mail, MailOpen, Plus, Send, Inbox, Search, Loader2 } from "lucide-react"

 import { Badge } from "@/shared/components/ui/badge"
 import { Button } from "@/shared/components/ui/button"
 import { Card, CardContent, CardHeader } from "@/shared/components/ui/card"
 import { EmptyState } from "@/shared/components/ui/empty-state"
+import { Input } from "@/shared/components/ui/input"
 import { Tabs, TabsList, TabsTrigger } from "@/shared/components/ui/tabs"
 import { cn, formatDate } from "@/shared/lib/utils"
 import { usePermission } from "@/shared/hooks/use-permission"
 import { Permissions } from "@/shared/types/permissions"

+import { getMessagesAction } from "../actions"
 import type { Message, MessageType } from "../types"

 type Tab = "inbox" | "sent"
@@ -27,13 +29,49 @@ export function MessageList({
  initialType?: MessageType
 }) {
  const [tab, setTab] = useState<Tab>(initialType === "sent" ? "sent" : "inbox")
+  const [keyword, setKeyword] = useState("")
+  const [searchResults, setSearchResults] = useState<{ kw: string; tab: Tab; items: Message[] } | null>(null)
  const { hasPermission } = usePermission()
  const canSend = hasPermission(Permissions.MESSAGE_SEND)

+  // 防抖搜索：keyword 或 tab 变化时调用 getMessagesAction
+  useEffect(() => {
+    const kw = keyword.trim()
+    if (kw.length === 0) {
+      return
+    }
+
+    let cancelled = false
+    const timer = setTimeout(async () => {
+      if (cancelled) return
+      const res = await getMessagesAction({ type: tab, keyword: kw })
+      if (cancelled) return
+      if (res.success && res.data) {
+        setSearchResults({ kw, tab, items: res.data.items })
+      }
+    }, 400)
+
+    return () => {
+      cancelled = true
+      clearTimeout(timer)
+    }
+  }, [keyword, tab])
+
+  // 当前搜索结果是否匹配最新的 keyword 和 tab
+  const currentResults = searchResults && searchResults.kw === keyword.trim() && searchResults.tab === tab
+    ? searchResults.items
+    : null
+
+  // 搜索中：keyword 非空且尚无匹配结果
+  const searching = keyword.trim().length > 0 && currentResults === null
+
+  // 当 keyword 为空时使用 prop messages，否则使用搜索结果
+  const displayMessages = currentResults ?? messages
+
  const filtered = useMemo(() => {
-    if (tab === "inbox") return messages.filter((m) => m.receiverId === currentUserId)
-    return messages.filter((m) => m.senderId === currentUserId)
-  }, [messages, tab, currentUserId])
+    if (tab === "inbox") return displayMessages.filter((m) => m.receiverId === currentUserId)
+    return displayMessages.filter((m) => m.senderId === currentUserId)
+  }, [displayMessages, tab, currentUserId])

  return (
    <div className="space-y-6">
@@ -60,6 +98,21 @@ export function MessageList({
        ) : null}
      </div>

+      {/* 搜索框 */}
+      <div className="relative">
+        <Search className="text-muted-foreground absolute left-3 top-1/2 size-4 -translate-y-1/2" />
+        <Input
+          type="search"
+          placeholder="Search messages by subject or content..."
+          value={keyword}
+          onChange={(e) => setKeyword(e.target.value)}
+          className="pl-9"
+        />
+        {searching ? (
+          <Loader2 className="text-muted-foreground absolute right-3 top-1/2 size-4 -translate-y-1/2 animate-spin" />
+        ) : null}
+      </div>
+
      {filtered.length === 0 ? (
        <EmptyState
          title={tab === "inbox" ? "Inbox is empty" : "No sent messages"}
--- a/src/modules/messaging/components/notification-dropdown.tsx
+++ b/src/modules/messaging/components/notification-dropdown.tsx
@@ -20,6 +20,7 @@ import { cn, formatDate } from "@/shared/lib/utils"

 import {
  getNotificationsAction,
+  getUnreadNotificationCountAction,
  markAllNotificationsAsReadAction,
  markNotificationAsReadAction,
 } from "../actions"
@@ -40,16 +41,35 @@ export function NotificationDropdown() {

  useEffect(() => {
    let active = true
-    void (async () => {
+
+    const fetchNotifications = async () => {
      const res = await getNotificationsAction({ pageSize: 10 })
      if (!active) return
      if (res.success && res.data) {
        setNotifications(res.data.items)
-        setUnreadCount(res.data.items.filter((n) => !n.isRead).length)
      }
-    })()
+    }
+
+    const fetchUnreadCount = async () => {
+      const res = await getUnreadNotificationCountAction()
+      if (!active) return
+      if (res.success && typeof res.data === "number") {
+        setUnreadCount(res.data)
+      }
+    }
+
+    void fetchNotifications()
+    void fetchUnreadCount()
+
+    // 每 30 秒轮询刷新通知和未读计数
+    const timer = setInterval(() => {
+      void fetchNotifications()
+      void fetchUnreadCount()
+    }, 30_000)
+
    return () => {
      active = false
+      clearInterval(timer)
    }
  }, [])

--- a/src/modules/messaging/components/unread-message-badge.tsx
+++ b/src/modules/messaging/components/unread-message-badge.tsx
@@ -0,0 +1,51 @@
+"use client"
+
+import { useEffect, useState } from "react"
+
+import { Badge } from "@/shared/components/ui/badge"
+
+import { getUnreadMessageCountAction } from "../actions"
+
+/**
+ * 未读消息计数徽章
+ *
+ * 在侧边栏 Messages 导航项旁显示未读私信数。
+ * 每 60 秒轮询一次以保持计数更新。
+ */
+export function UnreadMessageBadge() {
+  const [count, setCount] = useState(0)
+
+  useEffect(() => {
+    let active = true
+
+    const fetchCount = async () => {
+      const res = await getUnreadMessageCountAction()
+      if (!active) return
+      if (res.success && typeof res.data === "number") {
+        setCount(res.data)
+      }
+    }
+
+    void fetchCount()
+
+    const timer = setInterval(() => {
+      void fetchCount()
+    }, 60_000)
+
+    return () => {
+      active = false
+      clearInterval(timer)
+    }
+  }, [])
+
+  if (count <= 0) return null
+
+  return (
+    <Badge
+      variant="destructive"
+      className="ml-auto flex h-5 min-w-5 items-center justify-center px-1.5 text-[10px]"
+    >
+      {count > 99 ? "99+" : count}
+    </Badge>
+  )
+}
--- a/src/modules/messaging/data-access.ts
+++ b/src/modules/messaging/data-access.ts
@@ -16,7 +16,7 @@ import "server-only"

 import { cache } from "react"
 import { createId } from "@paralleldrive/cuid2"
-import { and, count, desc, eq, inArray, or, type SQL } from "drizzle-orm"
+import { and, count, desc, eq, inArray, isNull, like, or, type SQL } from "drizzle-orm"

 import { db } from "@/shared/db"
 import {
@@ -86,13 +86,28 @@ export const getMessages = cache(
    const offset = (page - 1) * pageSize

    const conds: SQL[] = []
-    if (params.type === "inbox") conds.push(eq(messages.receiverId, params.userId))
-    else if (params.type === "sent") conds.push(eq(messages.senderId, params.userId))
-    else {
-      const cond = or(eq(messages.receiverId, params.userId), eq(messages.senderId, params.userId))
+    if (params.type === "inbox") {
+      conds.push(eq(messages.receiverId, params.userId))
+      conds.push(isNull(messages.receiverDeletedAt))
+    } else if (params.type === "sent") {
+      conds.push(eq(messages.senderId, params.userId))
+      conds.push(isNull(messages.senderDeletedAt))
+    } else {
+      // all: 仅返回当前用户未删除的消息（发送方未删 或 接收方未删）
+      const cond = or(
+        and(eq(messages.receiverId, params.userId), isNull(messages.receiverDeletedAt)),
+        and(eq(messages.senderId, params.userId), isNull(messages.senderDeletedAt))
+      )
      if (cond) conds.push(cond)
    }

+    // 关键词搜索（匹配 subject 或 content）
+    if (params.keyword && params.keyword.trim().length > 0) {
+      const kw = `%${params.keyword.trim()}%`
+      const kwCond = or(like(messages.subject, kw), like(messages.content, kw))
+      if (kwCond) conds.push(kwCond)
+    }
+
    const where = and(...conds)
    const [rows, [totalRow]] = await Promise.all([
      db.select().from(messages).where(where).orderBy(desc(messages.createdAt)).limit(pageSize).offset(offset),
@@ -111,7 +126,15 @@ export const getMessageById = cache(
    const [row] = await db
      .select()
      .from(messages)
-      .where(and(eq(messages.id, id), or(eq(messages.senderId, userId), eq(messages.receiverId, userId))))
+      .where(
+        and(
+          eq(messages.id, id),
+          or(
+            and(eq(messages.senderId, userId), isNull(messages.senderDeletedAt)),
+            and(eq(messages.receiverId, userId), isNull(messages.receiverDeletedAt))
+          )
+        )
+      )
      .limit(1)
    if (!row) return null
    const nameMap = await resolveUserNames([row.senderId, row.receiverId])
@@ -155,16 +178,23 @@ export async function markMessageAsRead(id: string, userId: string): Promise<voi
 }

 export async function deleteMessage(id: string, userId: string): Promise<void> {
+  const now = new Date()
+  // 软删除：发送方删除设置 senderDeletedAt，接收方删除设置 receiverDeletedAt，互不影响
  await db
-    .delete(messages)
-    .where(and(eq(messages.id, id), or(eq(messages.senderId, userId), eq(messages.receiverId, userId))))
+    .update(messages)
+    .set({ senderDeletedAt: now })
+    .where(and(eq(messages.id, id), eq(messages.senderId, userId)))
+  await db
+    .update(messages)
+    .set({ receiverDeletedAt: now })
+    .where(and(eq(messages.id, id), eq(messages.receiverId, userId)))
 }

 export const getUnreadMessageCount = cache(async (userId: string): Promise<number> => {
  const [row] = await db
    .select({ value: count() })
    .from(messages)
-    .where(and(eq(messages.receiverId, userId), eq(messages.isRead, false)))
+    .where(and(eq(messages.receiverId, userId), eq(messages.isRead, false), isNull(messages.receiverDeletedAt)))
  return Number(row?.value ?? 0)
 })

--- a/src/modules/messaging/schema.ts
+++ b/src/modules/messaging/schema.ts
@@ -24,7 +24,7 @@ export const MessageIdSchema = z.object({

 export type MessageIdInput = z.infer<typeof MessageIdSchema>

-/** 校验通知偏好更新表单（8 个布尔字段，来自 checkbox FormData） */
+/** 校验通知偏好更新表单（8 个布尔字段 + 免打扰时段，来自 checkbox/FormData） */
 export const UpdateNotificationPreferencesSchema = z.object({
  emailEnabled: z.boolean(),
  smsEnabled: z.boolean(),
@@ -34,6 +34,9 @@ export const UpdateNotificationPreferencesSchema = z.object({
  announcementNotifications: z.boolean(),
  messageNotifications: z.boolean(),
  attendanceNotifications: z.boolean(),
+  quietHoursEnabled: z.boolean(),
+  quietHoursStart: z.string().trim().regex(/^([01]\d|2[0-3]):[0-5]\d$/, "Invalid time format").nullable().optional(),
+  quietHoursEnd: z.string().trim().regex(/^([01]\d|2[0-3]):[0-5]\d$/, "Invalid time format").nullable().optional(),
 })

 export type UpdateNotificationPreferencesFormInput = z.infer<
--- a/src/modules/messaging/types.ts
+++ b/src/modules/messaging/types.ts
@@ -33,6 +33,7 @@ export interface GetMessagesParams {
  type: MessageType
  page?: number
  pageSize?: number
+  keyword?: string
 }

 export interface CreateMessageInput {