Spaces:

ZHIWEI666
/

ComfyUI-Ranking-API

Running

App Files Files Community

ZHIWEI666 commited on Apr 8

Commit

7afc96b

verified ·

1 Parent(s): 83b860f

提升帖子更新安全

Browse files

Files changed (2) hide show

router_comments.py +8 -4
router_posts.py +33 -23

router_comments.py CHANGED Viewed

@@ -82,14 +82,16 @@ async def soft_delete_comment(item_id: str, comment_id: str, account: str = Depe
     item_comments = comments_db.get(item_id, [])
     target_comment = None
-    def find_comment(comments_list):
         """查找目标评论"""
         nonlocal target_comment
         for c in comments_list:
             if c["id"] == comment_id:
                 target_comment = c
                 return True
-            if "replies" in c and find_comment(c["replies"]):
                 return True
         return False
@@ -129,13 +131,15 @@ async def soft_delete_comment(item_id: str, comment_id: str, account: str = Depe
         raise HTTPException(status_code=403, detail="无权删除此评论")
     # 执行软删除
-    def mark_deleted(comments_list):
         for c in comments_list:
             if c["id"] == comment_id:
                 c["isDeleted"] = True
                 c["content"] = ""
                 return True
-            if "replies" in c and mark_deleted(c["replies"]):
                 return True
         return False

     item_comments = comments_db.get(item_id, [])
     target_comment = None
+    def find_comment(comments_list, depth=0):
         """查找目标评论"""
+        if depth > 20:  # 防止极端嵌套导致栈溢出
+            return False
         nonlocal target_comment
         for c in comments_list:
             if c["id"] == comment_id:
                 target_comment = c
                 return True
+            if "replies" in c and find_comment(c["replies"], depth + 1):
                 return True
         return False
         raise HTTPException(status_code=403, detail="无权删除此评论")
     # 执行软删除
+    def mark_deleted(comments_list, depth=0):
+        if depth > 20:  # 防止极端嵌套导致栈溢出
+            return False
         for c in comments_list:
             if c["id"] == comment_id:
                 c["isDeleted"] = True
                 c["content"] = ""
                 return True
+            if "replies" in c and mark_deleted(c["replies"], depth + 1):
                 return True
         return False

router_posts.py CHANGED Viewed

@@ -180,32 +180,42 @@ async def create_post(post: PostCreate, current_user: str = Depends(require_auth
 @router.put("/api/posts/{post_id}")
 async def update_post(post_id: str, update_data: PostUpdate, current_user: str = Depends(require_auth)):
     """
-    更新帖子（仅作者可操作）
     """
-    posts_db = db.load_data("posts.json", default_data=[])
-    for post in posts_db:
-        if post["id"] == post_id:
-            if post.get("author") != current_user:
-                raise HTTPException(status_code=403, detail="无权修改他人帖子")
-            if update_data.title is not None:
-                post["title"] = update_data.title
-            if update_data.content is not None:
-                post["content"] = update_data.content
-            if update_data.cover_image is not None:
-                post["cover_image"] = update_data.cover_image
-            if update_data.images is not None:
-                post["images"] = update_data.images[:9]
-            if update_data.is_original is not None:
-                post["is_original"] = update_data.is_original  # 🎨 更新原创作品标记
-            db.save_data("posts.json", posts_db)
-            # 🗂️ 清除排序缓存
-            sort_cache.invalidate("posts:")
-            return {"status": "success"}
-    raise HTTPException(status_code=404, detail="帖子不存在")
 @router.delete("/api/posts/{post_id}")
 async def delete_post(post_id: str, current_user: str = Depends(require_auth)):

 @router.put("/api/posts/{post_id}")
 async def update_post(post_id: str, update_data: PostUpdate, current_user: str = Depends(require_auth)):
     """
+    更新帖子（仅作者可操作，原子操作，并发安全）
     """
+    result_holder = {}
+    def updater(data):
+        for post in data:
+            if post["id"] == post_id:
+                if post.get("author") != current_user:
+                    result_holder["error"] = "forbidden"
+                    return False
+                # 更新字段
+                if update_data.title is not None:
+                    post["title"] = update_data.title
+                if update_data.content is not None:
+                    post["content"] = update_data.content
+                if update_data.cover_image is not None:
+                    post["cover_image"] = update_data.cover_image
+                if update_data.images is not None:
+                    post["images"] = update_data.images[:9]
+                if update_data.is_original is not None:
+                    post["is_original"] = update_data.is_original  # 🎨 更新原创作品标记
+                result_holder["post"] = post
+                return True
+        result_holder["error"] = "not_found"
+        return False
+    db.atomic_update("posts.json", updater, default_data=[])
+    if result_holder.get("error") == "forbidden":
+        raise HTTPException(status_code=403, detail="无权修改他人帖子")
+    if result_holder.get("error") == "not_found":
+        raise HTTPException(status_code=404, detail="帖子不存在")
+    # 🗂️ 清除排序缓存
+    sort_cache.invalidate("posts:")
+    return {"status": "success"}
 @router.delete("/api/posts/{post_id}")
 async def delete_post(post_id: str, current_user: str = Depends(require_auth)):