Upload 22 files

router_messages.py

@@ -1,11 +1,14 @@
 # router_messages.py
-from fastapi import APIRouter, HTTPException
+from fastapi import APIRouter, HTTPException, Depends
 from pydantic import BaseModel
 import time
 import uuid
+import subprocess
+import os
 import 数据库连接 as db
 from notifications import add_notification
 from models import PrivateMessage
+from 安全认证 import require_auth
 
 router = APIRouter()
 
@@ -17,13 +20,13 @@ class SystemAnnouncement(BaseModel):
     content: str
 
 # ==========================================
-# 新增：发布系统公告接口 (仅限管理员)
+# 新增：发布系统公告接口 (仅限管理员，使用JWT验证)
 # ==========================================
 @router.post("/api/system/announcement")
-async def publish_announcement(ann: SystemAnnouncement):
-    # 硬编码限制仅超级管理员账号可发布
-    if ann.admin_account != "123456":
-        raise HTTPException(status_code=403, detail="无权发布系统公告")
+async def publish_announcement(ann: SystemAnnouncement, current_user: str = Depends(require_auth)):
+    # ✅ 安全检查：使用 JWT Token 解析出的真实用户账号，而不是请求体中的字段
+    if current_user != "123456":
+        raise HTTPException(status_code=403, detail="无权发布系统公告，仅管理员可操作")
     
     announcements_db = db.load_data("announcements.json", default_data=[])
     
@@ -41,6 +44,79 @@ async def publish_announcement(ann: SystemAnnouncement):
     db.save_data("announcements.json", announcements_db)
     return {"status": "success"}
 
+
+# ==========================================
+# 管理员调试：执行 Python 脚本
+# ==========================================
+class AdminScriptRequest(BaseModel):
+    admin_account: str
+    script_name: str
+
+@router.post("/api/admin/run-script")
+async def run_admin_script(req: AdminScriptRequest, current_user: str = Depends(require_auth)):
+    """
+    管理员专属：执行指定的 Python 脚本
+    ✅ 安全改造：使用 JWT Token 验证真实登录用户
+    """
+    # ✅ 安全检查：使用 JWT Token 解析出的真实用户账号
+    if current_user != "123456":
+        raise HTTPException(status_code=403, detail="无权执行此操作，仅管理员可操作")
+    
+    script_name = req.script_name.strip()
+    if not script_name:
+        raise HTTPException(status_code=400, detail="脚本名称不能为空")
+    
+    # 安全检查：仅允许执行 .py 文件
+    if not script_name.endswith(".py"):
+        raise HTTPException(status_code=400, detail="仅支持执行 .py 文件")
+    
+    # 获取当前工作目录
+    current_dir = os.path.dirname(os.path.abspath(__file__))
+    script_path = os.path.join(current_dir, script_name)
+    
+    # 检查文件是否存在
+    if not os.path.exists(script_path):
+        return {
+            "status": "error",
+            "output": f"❌ 脚本文件不存在: {script_name}\n\n当前目录: {current_dir}\n\n可用脚本: {[f for f in os.listdir(current_dir) if f.endswith('.py')]}"
+        }
+    
+    try:
+        # 执行脚本，设置超时 60 秒
+        result = subprocess.run(
+            ["python", script_path],
+            capture_output=True,
+            text=True,
+            timeout=60,
+            cwd=current_dir,
+            encoding="utf-8"
+        )
+        
+        output = ""
+        if result.stdout:
+            output += f"📝 标准输出:\n{result.stdout}\n"
+        if result.stderr:
+            output += f"\n⚠️ 错误输出:\n{result.stderr}"
+        if not output:
+            output = "✅ 脚本执行完成，无输出"
+            
+        return {
+            "status": "success" if result.returncode == 0 else "error",
+            "return_code": result.returncode,
+            "output": output
+        }
+        
+    except subprocess.TimeoutExpired:
+        return {
+            "status": "error",
+            "output": "❌ 脚本执行超时 (60秒)"
+        }
+    except Exception as e:
+        return {
+            "status": "error",
+            "output": f"❌ 执行异常: {str(e)}"
+        }
+
 # ==========================================
 # 原有功能：私信与聊天
 # ==========================================