Upload 2 files

router_comments.py

@@ -1,10 +1,11 @@
 # router_comments.py
-from fastapi import APIRouter, HTTPException
+from fastapi import APIRouter, HTTPException, Depends
 import time
 import uuid
 import 数据库连接 as db
 from notifications import add_notification
 from models import InteractionToggle, CommentCreate
+from 安全认证 import require_auth, is_admin
 
 router = APIRouter()
 
@@ -67,17 +68,72 @@ async def post_comment(comment: CommentCreate):
     return {"status": "success", "data": new_comment}
 
 @router.delete("/api/comments/{item_id}/{comment_id}")
-async def soft_delete_comment(item_id: str, comment_id: str, author: str):
+async def soft_delete_comment(item_id: str, comment_id: str, account: str = Depends(require_auth)):
+    """
+    软删除评论
+    权限规则：评论作者可删除自己的评论，帖子/内容作者可删除其帖子下的评论，管理员可删除任何评论
+    """
     comments_db = db.load_data("comments.json", default_data={})
+    items_db = db.load_data("items.json", default_data=[])
+    posts_db = db.load_data("posts.json", default_data=[])
+    users_db = db.load_data("users.json", default_data={})
+    
     item_comments = comments_db.get(item_id, [])
-    def find_and_delete(comments_list):
+    target_comment = None
+    
+    def find_comment(comments_list):
+        """查找目标评论"""
+        nonlocal target_comment
         for c in comments_list:
             if c["id"] == comment_id:
-                if c["author"] != author: raise HTTPException(status_code=403, detail="无权删除他人的评论")
-                c["isDeleted"] = True; c["content"] = ""; return True
-            if "replies" in c and find_and_delete(c["replies"]): return True
+                target_comment = c
+                return True
+            if "replies" in c and find_comment(c["replies"]):
+                return True
         return False
-    if find_and_delete(item_comments):
-        db.save_data("comments.json", comments_db)
-        return {"status": "success"}
-    raise HTTPException(status_code=404, detail="找不到该评论")
+    
+    if not find_comment(item_comments):
+        raise HTTPException(status_code=404, detail="找不到该评论")
+    
+    # 权限检查
+    is_comment_author = target_comment["author"] == account
+    is_admin_user = is_admin(account)
+    
+    # 检查是否为内容作者（帖子作者或资源作者）
+    is_content_author = False
+    # 检查是否为帖子作者
+    for post in posts_db:
+        if post["id"] == item_id and post.get("author") == account:
+            is_content_author = True
+            break
+    # 检查是否为资源作者
+    if not is_content_author:
+        for item in items_db:
+            if item["id"] == item_id and item.get("author") == account:
+                is_content_author = True
+                break
+    # 检查是否为个人主页留言板作者
+    if not is_content_author:
+        if item_id in users_db and item_id == account:
+            is_content_author = True
+    
+    # 权限判断：评论作者、内容作者或管理员可删除
+    if not (is_comment_author or is_content_author or is_admin_user):
+        raise HTTPException(status_code=403, detail="无权删除此评论")
+    
+    # 执行软删除
+    def mark_deleted(comments_list):
+        for c in comments_list:
+            if c["id"] == comment_id:
+                c["isDeleted"] = True
+                c["content"] = ""
+                return True
+            if "replies" in c and mark_deleted(c["replies"]):
+                return True
+        return False
+    
+    mark_deleted(item_comments)
+    comments_db[item_id] = item_comments
+    db.save_data("comments.json", comments_db)
+    
+    return {"status": "success"}

router_items.py

@@ -9,7 +9,8 @@ import urllib.error
 import json
 import 数据库连接 as db
 from models import ItemCreate, ItemUpdate
-from 安全认证 import require_auth
+from 安全认证 import require_auth, check_ownership
+from 数据库连接 import invalidate_cache
 
 router = APIRouter()
 
@@ -284,4 +285,35 @@ async def check_github_updates():
 async def get_item_version(item_id: str):
     """获取单个资源的最新版本号"""
     versions_db = db.load_data("versions.json", default_data={})
-    return {"status": "success", "version": versions_db.get(item_id, "")}
+    return {"status": "success", "version": versions_db.get(item_id, "")}
+
+@router.delete("/api/items/{item_id}")
+async def delete_item(item_id: str, current_user: str = Depends(require_auth)):
+    """
+    删除内容（仅作者或管理员可操作）
+    """
+    items_db = db.load_data("items.json", default_data=[])
+    comments_db = db.load_data("comments.json", default_data={})
+    
+    for i, item in enumerate(items_db):
+        if item["id"] == item_id:
+            # 🔒 权限检查：仅作者或管理员可删除
+            if not check_ownership(item, current_user, owner_field="author", allow_admin=True):
+                raise HTTPException(status_code=403, detail="无权删除他人发布的内容")
+            
+            # 1. 从 items.json 中删除该条目
+            items_db.pop(i)
+            db.save_data("items.json", items_db)
+            
+            # 2. 清理关联评论：从 comments.json 中删除该内容的所有评论
+            if item_id in comments_db:
+                del comments_db[item_id]
+                db.save_data("comments.json", comments_db)
+            
+            # 3. 清理缓存：使 items.json 和 comments.json 的缓存失效
+            invalidate_cache("items.json")
+            invalidate_cache("comments.json")
+            
+            return {"status": "success", "message": "内容已删除"}
+    
+    raise HTTPException(status_code=404, detail="找不到该内容记录")