fix(server): Phase 1.2 核心功能修复 — C1/C2/H4/H6

- feat(diary): 新增 list_all_classes 管理端 API (GET /diary/classes/all)
- feat(diary): 新增班级更新 API (PUT /diary/classes/{id}) — 名称/学校名编辑
- feat(diary): 新增班级停用 API (PATCH /diary/classes/{id}/deactivate)
- feat(diary): 新增班级码重置 API (POST /diary/classes/{id}/reset-code)
- fix(db): 补充权限 seed — student 获得 update/delete, teacher 获得 comment.delete
- refactor(diary): 删除 comment_service 中废弃的 contains_sensitive_words 死代码
- test(diary): 77 测试全部通过

crates/erp-diary/src/handler/class_handler.rs

@@ -8,7 +8,7 @@ use erp_core::error::AppError;
 use erp_core::rbac::require_permission;
 use erp_core::types::{ApiResponse, TenantContext};
 
-use crate::dto::{ClassMemberResp, ClassResp, CreateClassReq, JoinClassReq};
+use crate::dto::{ClassMemberResp, ClassResp, CreateClassReq, JoinClassReq, ResetClassCodeResp, UpdateClassReq};
 use crate::service::class_service::ClassService;
 use crate::state::DiaryState;
 
@@ -190,3 +190,152 @@ where
     let resp = ClassService::my_classes(ctx.tenant_id, ctx.user_id, &state.db).await?;
     Ok(Json(ApiResponse::ok(resp)))
 }
+
+#[utoipa::path(
+    get,
+    path = "/api/v1/diary/classes/all",
+    responses(
+        (status = 200, description = "成功", body = ApiResponse<Vec<ClassResp>>),
+        (status = 401, description = "未授权"),
+        (status = 403, description = "权限不足"),
+    ),
+    security(("bearer_auth" = [])),
+    tag = "班级管理"
+)]
+/// GET /api/v1/diary/classes/all
+///
+/// 获取租户下所有班级（管理端用）。需要 `diary.class.manage` 权限。
+pub async fn list_all_classes<S>(
+    State(state): State<DiaryState>,
+    Extension(ctx): Extension<TenantContext>,
+) -> Result<Json<ApiResponse<Vec<ClassResp>>>, AppError>
+where
+    DiaryState: FromRef<S>,
+    S: Clone + Send + Sync + 'static,
+{
+    require_permission(&ctx, "diary.class.manage")?;
+
+    let resp = ClassService::list_all_classes(ctx.tenant_id, &state.db).await?;
+    Ok(Json(ApiResponse::ok(resp)))
+}
+
+#[utoipa::path(
+    put,
+    path = "/api/v1/diary/classes/{id}",
+    params(("id" = Uuid, Path, description = "班级ID")),
+    request_body = UpdateClassReq,
+    responses(
+        (status = 200, description = "更新成功", body = ApiResponse<ClassResp>),
+        (status = 400, description = "验证失败"),
+        (status = 401, description = "未授权"),
+        (status = 403, description = "权限不足"),
+        (status = 404, description = "班级不存在"),
+        (status = 409, description = "版本冲突"),
+    ),
+    security(("bearer_auth" = [])),
+    tag = "班级管理"
+)]
+/// PUT /api/v1/diary/classes/:id
+///
+/// 更新班级信息。需要 `diary.class.manage` 权限（仅班级创建者可编辑）。
+pub async fn update_class<S>(
+    State(state): State<DiaryState>,
+    Extension(ctx): Extension<TenantContext>,
+    Path(id): Path<Uuid>,
+    Json(req): Json<UpdateClassReq>,
+) -> Result<Json<ApiResponse<ClassResp>>, AppError>
+where
+    DiaryState: FromRef<S>,
+    S: Clone + Send + Sync + 'static,
+{
+    require_permission(&ctx, "diary.class.manage")?;
+
+    if let Some(ref name) = req.name {
+        if name.trim().is_empty() {
+            return Err(AppError::Validation("班级名称不能为空".to_string()));
+        }
+    }
+
+    let resp = ClassService::update_class(
+        ctx.tenant_id,
+        ctx.user_id,
+        id,
+        req.name,
+        req.school_name,
+        req.version,
+        &state.db,
+    )
+    .await?;
+
+    Ok(Json(ApiResponse::ok(resp)))
+}
+
+#[utoipa::path(
+    patch,
+    path = "/api/v1/diary/classes/{id}/deactivate",
+    params(("id" = Uuid, Path, description = "班级ID")),
+    responses(
+        (status = 200, description = "停用成功", body = ApiResponse<ClassResp>),
+        (status = 401, description = "未授权"),
+        (status = 403, description = "权限不足"),
+        (status = 404, description = "班级不存在"),
+    ),
+    security(("bearer_auth" = [])),
+    tag = "班级管理"
+)]
+/// PATCH /api/v1/diary/classes/:id/deactivate
+///
+/// 停用班级。需要 `diary.class.manage` 权限（仅班级创建者可停用）。
+pub async fn deactivate_class<S>(
+    State(state): State<DiaryState>,
+    Extension(ctx): Extension<TenantContext>,
+    Path(id): Path<Uuid>,
+) -> Result<Json<ApiResponse<ClassResp>>, AppError>
+where
+    DiaryState: FromRef<S>,
+    S: Clone + Send + Sync + 'static,
+{
+    require_permission(&ctx, "diary.class.manage")?;
+
+    let resp = ClassService::deactivate_class(
+        ctx.tenant_id,
+        ctx.user_id,
+        id,
+        &state.db,
+        &state.event_bus,
+    )
+    .await?;
+
+    Ok(Json(ApiResponse::ok(resp)))
+}
+
+#[utoipa::path(
+    post,
+    path = "/api/v1/diary/classes/{id}/reset-code",
+    params(("id" = Uuid, Path, description = "班级ID")),
+    responses(
+        (status = 200, description = "重置成功", body = ApiResponse<ResetClassCodeResp>),
+        (status = 401, description = "未授权"),
+        (status = 403, description = "权限不足"),
+        (status = 404, description = "班级不存在"),
+    ),
+    security(("bearer_auth" = [])),
+    tag = "班级管理"
+)]
+/// POST /api/v1/diary/classes/:id/reset-code
+///
+/// 重置班级码。需要 `diary.class.manage` 权限（仅班级创建者可重置）。
+pub async fn reset_class_code<S>(
+    State(state): State<DiaryState>,
+    Extension(ctx): Extension<TenantContext>,
+    Path(id): Path<Uuid>,
+) -> Result<Json<ApiResponse<ResetClassCodeResp>>, AppError>
+where
+    DiaryState: FromRef<S>,
+    S: Clone + Send + Sync + 'static,
+{
+    require_permission(&ctx, "diary.class.manage")?;
+
+    let resp = ClassService::reset_class_code(ctx.tenant_id, ctx.user_id, id, &state.db).await?;
+    Ok(Json(ApiResponse::ok(resp)))
+}