iven
|
dbb74b6545
|
fix(diary): 系统性修复 DTO 输入验证 — 42 项审计发现中输入验证类全部修复
DTO 字段级验证:
- version 字段全部添加 range(min=0) 防止负数
- 标签内容验证: 单个标签最长 30 字符,不允许空白
- 班级码正则: 仅允许字母数字,拒绝特殊字符
- 贴纸包 price 添加 range(min=0) 防止负价格
- thumbnail_url/image_url 添加 length(max=500) 限制
- 同步请求 data payload 限制 1MB/条
Handler validate() 调用补齐:
- delete_journal: DeleteJournalReq 添加 Validate derive + handler 调用
- bind_child / unbind_child / delete_child_data: 补齐 req.validate() 调用
- join_class: 添加 validate_code() 字母数字检查
- sync_journals: 添加 validate_changes_data() payload 大小检查
审计覆盖: 5a-C01/02/03 + 5a-H02/03/04 + B-03 + 7b-C02
|
2026-06-07 12:55:50 +08:00 |
|
iven
|
8300822232
|
fix(diary): JournalResp 补充 assigned_topic_id 字段
Main Merge / backend (push) Has been cancelled
Main Merge / frontend (push) Has been cancelled
- dto.rs: JournalResp 添加 assigned_topic_id: Option<Uuid>
- journal_service model_to_resp: 映射 model.assigned_topic_id
- parent_handler journal_model_to_resp: 同步映射
Flutter 端 JournalEntry 已有 assignedTopicId,无需修改
测试: 84/84 通过
|
2026-06-03 17:46:50 +08:00 |
|
iven
|
38592d61ce
|
refactor(diary): Phase 3 质量提升 — 201 状态码 + OpenAPI 文档 + DiaryEvent 类型安全
Main Merge / backend (push) Has been cancelled
Main Merge / frontend (push) Has been cancelled
前端:
- fix(app): Isar native 文件直接导入 isar_database_native.dart,消除 5 个条件导出类型错误
- chore(app): build_runner 重新生成 .g.dart 文件 (102 outputs)
- fix(app): 移除 secure_token_store_factory 未使用的 kIsWeb import
后端:
- refactor(diary): 所有创建端点 POST 返回 201 Created (9 handler, 11 端点)
- feat(diary): DiaryApiDoc OpenApi derive — 42 路径 + 32 Schema 汇总到 Swagger
- feat(diary): DiaryEvent 枚举添加 event_type/payload/to_domain_event 方法 + 4 测试
测试: 84/84 erp-diary 通过, 509/509 全仓库通过, Flutter analyze 0 error
|
2026-06-03 17:06:03 +08:00 |
|
iven
|
c4b2de8294
|
fix(diary): 家长绑定改为两步验证 — 孩子确认后才生效
- bind_child: 创建 pending 状态绑定(不再自动 verified)
- validate_child_user: 验证目标用户存在且有 student 角色
- confirm_binding: 孩子确认后状态变为 verified,家长获得访问权限
- reject_binding: 孩子拒绝绑定请求
- list_pending_for_child: 孩子查看待确认绑定列表
- 新增 3 个 API 端点: /parent/pending, /bindings/{id}/confirm, /bindings/{id}/reject
- 防止未授权绑定(任何人不验证即可绑定孩子的漏洞)
审计 ID: S-10
|
2026-06-03 10:03:50 +08:00 |
|
iven
|
b81a972245
|
fix(diary): 为所有 DTO 添加 Validate derive + handler 调用 validate()
Main Merge / backend (push) Has been cancelled
Main Merge / frontend (push) Has been cancelled
DTO 验证规则:
- CreateJournalReq: title 1-200, tags ≤20
- UpdateJournalReq: title 1-200, tags ≤20
- CreateClassReq: name 1-50, school_name ≤100
- JoinClassReq: class_code = 6位
- UpdateClassReq: name 1-50, school_name ≤100
- SyncReq: changes ≤100 条
- CreateTopicReq: title 1-200, description ≤2000
- UpdateTopicReq: title 1-200, description ≤2000
- CreateCommentReq: content 1-1000
- CreateStickerPackReq: name 1-50, description ≤500
- UpdateStickerPackReq: name 1-50, description ≤500
- CreateStickerReq: name 1-30, image_url 1-500
- BindChildReq/DeleteChildDataReq: Validate derive (Uuid 已由 serde 验证)
Handler 调用: validate() 放在 require_permission() 之前(先验证输入再检查权限)
审计 ID: 5a-C01, 5a-C02, 5a-C03
|
2026-06-03 01:14:23 +08:00 |
|
iven
|
749ef55b89
|
feat: Week 4 收尾 + 架构治理 — 搜索/家长中心/Feature Flag/Docker/环境配置
Main Merge / backend (push) Has been cancelled
Main Merge / frontend (push) Has been cancelled
架构治理:
- Feature Flag 落地: Cargo.toml [features] default=["diary"] + main.rs cfg 条件编译
- 环境配置统一: AppConfig 类 + --dart-define 注入 + SSE 端口 8080→3000 修复
搜索替代方案 (无 FTS):
- SearchBloc + 标签/心情筛选接入后端 API
- JournalRepository 扩展 mood/tag 筛选参数
- 搜索页 UI 接入实际数据(替换占位文本)
家长中心最小集 (PIPL 合规):
- 后端: parent_service (绑定/查看/导出/删除/解绑) + parent_handler (6 个 API 端点)
- 前端: ParentBloc + ParentPage 功能完整实现
- 绑定孩子、只读查看日记、导出数据、删除数据、解绑
Docker 部署:
- verify.sh 健康检查脚本 (Axum/PG/Redis/OpenAPI 四项检查)
测试修复:
- home_bloc_test / calendar_bloc_test 适配 JournalRepository 新参数
验证: flutter test 84/84 pass, cargo test 76/76 pass, cargo check pass
|
2026-06-01 23:53:34 +08:00 |
|