fix: patch P0 security vulnerabilities and critical UX issues across 6 modules

Security: Add admin/layout.tsx auth guard; Add requirePermission() to 12 admin pages Dashboard: Fix StudentStatsGrid rendering; Fix teacher greeting; Add loading/error boundaries; Fix col-span; Add metadata Announcements: Fix audience filtering; Add user detail page; Trigger notifications on publish; Pass classes data; Add loading.tsx Messages: Implement soft delete; Add unread badge with polling; Add notification dropdown polling; Add keyword search; Add quiet hours DND Management: Add loading/error for 9 admin routes; Fix admin-classes-view to use Select for school/grade Profile/Settings: Add loading/error; Fix parent role routing; Create ParentSettingsView; Integrate AiProviderSettingsCard; Add Tab URL persistence; Add logout confirm; Add avatar; Fix Progress arbitrary class Schema: Add senderDeletedAt/receiverDeletedAt to messages; Add quietHours to notificationPreferences; Add uniqueIndex import Docs: Update architecture docs 004/005
2026-06-22 13:57:31 +08:00
parent 5ff7ab9e72
commit a4d096a6fc
81 changed files with 2145 additions and 124 deletions
--- a/src/modules/messaging/data-access.ts
+++ b/src/modules/messaging/data-access.ts
@@ -16,7 +16,7 @@ import "server-only"

 import { cache } from "react"
 import { createId } from "@paralleldrive/cuid2"
-import { and, count, desc, eq, inArray, or, type SQL } from "drizzle-orm"
+import { and, count, desc, eq, inArray, isNull, like, or, type SQL } from "drizzle-orm"

 import { db } from "@/shared/db"
 import {
@@ -86,13 +86,28 @@ export const getMessages = cache(
    const offset = (page - 1) * pageSize

    const conds: SQL[] = []
-    if (params.type === "inbox") conds.push(eq(messages.receiverId, params.userId))
-    else if (params.type === "sent") conds.push(eq(messages.senderId, params.userId))
-    else {
-      const cond = or(eq(messages.receiverId, params.userId), eq(messages.senderId, params.userId))
+    if (params.type === "inbox") {
+      conds.push(eq(messages.receiverId, params.userId))
+      conds.push(isNull(messages.receiverDeletedAt))
+    } else if (params.type === "sent") {
+      conds.push(eq(messages.senderId, params.userId))
+      conds.push(isNull(messages.senderDeletedAt))
+    } else {
+      // all: 仅返回当前用户未删除的消息（发送方未删 或 接收方未删）
+      const cond = or(
+        and(eq(messages.receiverId, params.userId), isNull(messages.receiverDeletedAt)),
+        and(eq(messages.senderId, params.userId), isNull(messages.senderDeletedAt))
+      )
      if (cond) conds.push(cond)
    }

+    // 关键词搜索（匹配 subject 或 content）
+    if (params.keyword && params.keyword.trim().length > 0) {
+      const kw = `%${params.keyword.trim()}%`
+      const kwCond = or(like(messages.subject, kw), like(messages.content, kw))
+      if (kwCond) conds.push(kwCond)
+    }
+
    const where = and(...conds)
    const [rows, [totalRow]] = await Promise.all([
      db.select().from(messages).where(where).orderBy(desc(messages.createdAt)).limit(pageSize).offset(offset),
@@ -111,7 +126,15 @@ export const getMessageById = cache(
    const [row] = await db
      .select()
      .from(messages)
-      .where(and(eq(messages.id, id), or(eq(messages.senderId, userId), eq(messages.receiverId, userId))))
+      .where(
+        and(
+          eq(messages.id, id),
+          or(
+            and(eq(messages.senderId, userId), isNull(messages.senderDeletedAt)),
+            and(eq(messages.receiverId, userId), isNull(messages.receiverDeletedAt))
+          )
+        )
+      )
      .limit(1)
    if (!row) return null
    const nameMap = await resolveUserNames([row.senderId, row.receiverId])
@@ -155,16 +178,23 @@ export async function markMessageAsRead(id: string, userId: string): Promise<voi
 }

 export async function deleteMessage(id: string, userId: string): Promise<void> {
+  const now = new Date()
+  // 软删除：发送方删除设置 senderDeletedAt，接收方删除设置 receiverDeletedAt，互不影响
  await db
-    .delete(messages)
-    .where(and(eq(messages.id, id), or(eq(messages.senderId, userId), eq(messages.receiverId, userId))))
+    .update(messages)
+    .set({ senderDeletedAt: now })
+    .where(and(eq(messages.id, id), eq(messages.senderId, userId)))
+  await db
+    .update(messages)
+    .set({ receiverDeletedAt: now })
+    .where(and(eq(messages.id, id), eq(messages.receiverId, userId)))
 }

 export const getUnreadMessageCount = cache(async (userId: string): Promise<number> => {
  const [row] = await db
    .select({ value: count() })
    .from(messages)
-    .where(and(eq(messages.receiverId, userId), eq(messages.isRead, false)))
+    .where(and(eq(messages.receiverId, userId), eq(messages.isRead, false), isNull(messages.receiverDeletedAt)))
  return Number(row?.value ?? 0)
 })