fix: harden uploads downloads and deployment config

2026-03-08 19:40:22 +08:00
parent aa2e6bbe95
commit c23c4ac1e3
7 changed files with 133 additions and 46 deletions
--- a/backend/app/api/works.py
+++ b/backend/app/api/works.py
@@ -4,11 +4,13 @@ from sqlalchemy.orm import Session
 from sqlalchemy import desc
 from typing import List
 import os
+import mimetypes
 from app.core.database import get_db
 from app.models.work import Work
 from app.models.order import Order, OrderStatus
 from app.models.user import User
 from app.core.security import decode_access_token
+from app.core.config import settings
 from app.schemas.work import WorkResponse, WorkListResponse

 router = APIRouter(prefix="/works", tags=["作品"])
@@ -137,9 +139,10 @@ def download_work(
        )
    
    # 构建原图文件路径
-    # 假设原图存储在 uploads/original/ 目录下
-    file_path = work.original_image.lstrip('/')
-    full_path = os.path.join(os.getcwd(), file_path)
+    relative_path = work.original_image.lstrip("/")
+    if relative_path.startswith("uploads/"):
+        relative_path = relative_path[len("uploads/"):]
+    full_path = os.path.join(settings.UPLOAD_DIR, relative_path)
    
    # 检查文件是否存在
    if not os.path.exists(full_path):
@@ -150,8 +153,9 @@ def download_work(
    
    # 返回文件
    filename = os.path.basename(full_path)
+    media_type = mimetypes.guess_type(filename)[0] or "application/octet-stream"
    return FileResponse(
        path=full_path,
        filename=filename,
-        media_type='application/octet-stream'
+        media_type=media_type
    )