fix: harden uploads downloads and deployment config

2026-03-08 19:40:22 +08:00
parent aa2e6bbe95
commit c23c4ac1e3
7 changed files with 133 additions and 46 deletions
--- a/backend/app/api/upload.py
+++ b/backend/app/api/upload.py
@@ -1,13 +1,12 @@
-from fastapi import APIRouter, Depends, HTTPException, status, UploadFile, File, Form, Header
+from fastapi import APIRouter, Depends, HTTPException, status, UploadFile, File, Form, Header, Query
 from sqlalchemy.orm import Session
+from sqlalchemy import desc, or_
 from typing import Optional
 import os
 import uuid
 import shutil
 from datetime import datetime
 from PIL import Image
-import json
-
 from app.core.database import get_db
 from app.models.work import Work
 from app.models.user import User
@@ -51,6 +50,15 @@ def get_current_user(authorization: str = Header(None), db: Session = Depends(ge
    return user


+def _user_designer_aliases(user: User) -> list[str]:
+    aliases = []
+    for value in (getattr(user, "nickname", None), getattr(user, "phone", None)):
+        cleaned = str(value or "").strip()
+        if cleaned and cleaned not in aliases:
+            aliases.append(cleaned)
+    return aliases
+
+
 def generate_thumbnail(image_path: str, thumb_path: str, size=(400, 400)):
    """生成缩略图 - 修复透明 PNG 问题"""
    with Image.open(image_path) as img:
@@ -177,7 +185,7 @@ async def upload_work(
        
        # 解析标签 - 修复 Bug #3: tags 转字符串
        if tags:
-            tags_list = [tag.strip() for tag in tags.split(",")]
+            tags_list = [tag.strip() for tag in tags.split(",") if tag.strip()]
            tags_str = ",".join(tags_list)  # 转成逗号分隔的字符串
        else:
            tags_str = None
@@ -227,20 +235,22 @@ async def upload_work(

@router.get("/my", summary="我的上传")
 def get_my_uploads(
-    page: int = Form(1, ge=1),
-    page_size: int = Form(20, ge=1, le=100),
+    page: int = Query(1, ge=1),
+    page_size: int = Query(20, ge=1, le=100),
    current_user: User = Depends(get_current_user),
    db: Session = Depends(get_db)
 ):
    """获取当前用户的上传记录"""
-    from sqlalchemy import desc
-    
+    aliases = _user_designer_aliases(current_user)
    offset = (page - 1) * page_size
-    works = db.query(Work).filter(
-        Work.designer == current_user.phone
-    ).order_by(desc(Work.created_at)).offset(offset).limit(page_size).all()
-    
-    total = db.query(Work).filter(Work.designer == current_user.phone).count()
+    query = db.query(Work)
+    if aliases:
+        query = query.filter(or_(*[Work.designer == alias for alias in aliases]))
+    else:
+        query = query.filter(Work.id == -1)
+
+    works = query.order_by(desc(Work.created_at)).offset(offset).limit(page_size).all()
+    total = query.count()
    
    return {
        "total": total,