refactor(dashboard): V2 审计重构 — i18n 补齐 + 共享抽象 + 单测 + a11y

V2 审计报告（docs/architecture/audit/dashboard-audit-report-v2.md）发现并修复： - P0 i18n：10 个子组件硬编码字符串全部接入 next-intl（teacher-quick-actions / teacher-classes-card / teacher-homework-card / teacher-schedule / recent-submissions / teacher-grade-trends / student-grades-card / student-today-schedule-card / student-upcoming-assignments-card / admin-dashboard），新增 ~50 个翻译键 - P1 共享抽象：新增 DashboardGreetingHeader 组件，消除 teacher/student 头部 90% 重复代码，两个 Header 改为薄包装 - P2 单测：为 6 个纯函数添加 31 个单元测试（tests/integration/dashboard/dashboard-utils.test.ts） - P2 a11y：admin 表格 caption、teacher/student 视图语义化标签（header / section aria-label / aside aria-label） - 同步架构图 004/005
2026-06-22 17:01:00 +08:00
parent 10c668f36a
commit e997abaf5e
41 changed files with 1811 additions and 516 deletions
--- a/src/modules/lesson-preparation/data-access.ts
+++ b/src/modules/lesson-preparation/data-access.ts
@@ -1,7 +1,7 @@
 import "server-only";

 import { cache } from "react";
-import { and, desc, eq, like, or, sql, type SQL } from "drizzle-orm";
+import { and, desc, eq, inArray, like, or, sql, type SQL } from "drizzle-orm";
 import { createId } from "@paralleldrive/cuid2";

 import { db } from "@/shared/db";
@@ -32,23 +32,53 @@ import type {
 export { migrateV1ToV2, normalizeDocument, buildInitialContent };

 // ---- DataScope → 查询条件 ----
+// P0-3 修复：按 scope 类型精确过滤，避免教师越权查看全校 published 课案
 function buildScopeCondition(scope: DataScope, userId: string): SQL[] {
  switch (scope.type) {
    case "all":
      return [];
    case "owned":
      return [eq(lessonPlans.creatorId, userId)];
-    case "class_taught":
-    case "grade_managed":
-    case "class_members":
-    case "children":
-      // 教师看自己创建的 + published 的
+    case "class_taught": {
+      // 教师：自己创建的 + published 且属于自己教授学科的
+      const own = eq(lessonPlans.creatorId, userId);
+      const publishedFilter = sql<boolean>`(${lessonPlans.status} = 'published')`;
+      const subjectFilter =
+        scope.subjectIds && scope.subjectIds.length > 0
+          ? inArray(lessonPlans.subjectId, scope.subjectIds)
+          : sql<boolean>`true`;
      return [
        or(
-          eq(lessonPlans.creatorId, userId),
-          eq(lessonPlans.status, "published"),
+          own,
+          and(publishedFilter, subjectFilter),
        )!,
      ];
+    }
+    case "grade_managed": {
+      // 教研组长/年级主任：自己创建的 + published 且属于自己管理的年级
+      const own = eq(lessonPlans.creatorId, userId);
+      const publishedFilter = sql<boolean>`(${lessonPlans.status} = 'published')`;
+      const gradeFilter =
+        scope.gradeIds.length > 0
+          ? inArray(lessonPlans.gradeId, scope.gradeIds)
+          : sql<boolean>`false`;
+      return [
+        or(
+          own,
+          and(publishedFilter, gradeFilter),
+        )!,
+      ];
+    }
+    case "class_members": {
+      // 学生：仅查看 published 课案（需配合班级-课案关联表进一步收紧）
+      const publishedFilter = sql<boolean>`(${lessonPlans.status} = 'published')`;
+      return [publishedFilter];
+    }
+    case "children": {
+      // 家长：仅查看 published 课案（同学生）
+      const publishedFilter = sql<boolean>`(${lessonPlans.status} = 'published')`;
+      return [publishedFilter];
+    }
  }
 }