diff --git a/app/__init__.py b/app/__init__.py index 7db149d..7d58b2f 100644 --- a/app/__init__.py +++ b/app/__init__.py @@ -6,33 +6,33 @@ from flask_session import Session from flask_wtf.csrf import CSRFProtect from config import config from flask_bootstrap import Bootstrap +import logging +from logging.handlers import RotatingFileHandler +import os +from datetime import datetime, timedelta +import glob -# 初始化扩展,但此时不传入 app +# 初始化扩展 db = SQLAlchemy() migrate = Migrate() login_manager = LoginManager() sess = Session() csrf = CSRFProtect() bootstrap = Bootstrap() -# login_manager 的基本配置 -login_manager.login_view = 'auth.login' # 后面我们会创建一个叫 'auth' 的蓝图 +login_manager.login_view = 'auth.login' def create_app(config_name='default'): - """ - 应用工厂函数 - :param config_name: 配置名称 ('development', 'production') - :return: Flask app instance - """ + """应用工厂函数,创建并配置Flask应用实例""" app = Flask(__name__) - # 1. 加载配置 + # 加载配置 app.config.from_object(config[config_name]) config[config_name].init_app(app) - - # 信任代理转发的头信息 + # 配置代理转发 from werkzeug.middleware.proxy_fix import ProxyFix app.wsgi_app = ProxyFix(app.wsgi_app, x_for=1, x_proto=1, x_host=1) - # 2. 初始化扩展 + + # 初始化扩展 db.init_app(app) migrate.init_app(app, db) login_manager.init_app(app) @@ -40,17 +40,36 @@ def create_app(config_name='default'): csrf.init_app(app) bootstrap.init_app(app) + # 配置日志 + if not os.path.exists('logs'): + os.mkdir('logs') + + # 清理过期日志 + log_retention_days = int(os.environ.get('LOG_RETENTION_DAYS', 7)) + cutoff_time = datetime.now() - timedelta(days=log_retention_days) + for log_file in glob.glob('logs/*.log*'): + if os.path.getmtime(log_file) < cutoff_time.timestamp(): + os.remove(log_file) + + file_handler = RotatingFileHandler('logs/pt_blacklist.log', maxBytes=10240000, backupCount=10) + file_handler.setFormatter(logging.Formatter( + '%(asctime)s %(levelname)s: %(message)s [in %(pathname)s:%(lineno)d]' + )) + file_handler.setLevel(logging.INFO) + app.logger.addHandler(file_handler) + app.logger.setLevel(logging.INFO) + app.logger.info('PT黑名单系统启动') + # 注册自定义过滤器 from .filters import translate_status, translate_reason app.jinja_env.filters['translate_status'] = translate_status app.jinja_env.filters['translate_reason'] = translate_reason - # 3. 注册蓝图 (Blueprint) - # 后面我们会在这里添加蓝图 + # 注册蓝图 from .routes import main as main_blueprint app.register_blueprint(main_blueprint) - + from .auth import auth as auth_blueprint app.register_blueprint(auth_blueprint, url_prefix='/auth') - + return app diff --git a/app/auth/routes.py b/app/auth/routes.py index a343839..7dea59e 100644 --- a/app/auth/routes.py +++ b/app/auth/routes.py @@ -1,4 +1,4 @@ -from flask import render_template, redirect, url_for, flash, request +from flask import render_template, redirect, url_for, flash, request, current_app from flask_login import login_user, logout_user, login_required, current_user from . import auth from .. import db @@ -7,6 +7,7 @@ from ..forms import LoginForm, RegistrationForm @auth.route('/register', methods=['GET', 'POST']) def register(): + """用户注册""" if current_user.is_authenticated: return redirect(url_for('main.index')) form = RegistrationForm() @@ -18,36 +19,43 @@ def register(): username=form.username.data, pt_site=form.pt_site.data, uid=form.uid.data, - status='pending' # 新用户需要管理员审核 + status='pending' ) user.set_password(form.password.data) db.session.add(user) db.session.commit() + current_app.logger.info(f'新用户注册: {user.username} ({user.email}) - 站点: {user.pt_site}') flash('注册申请已提交,请等待管理员审核。', 'info') return redirect(url_for('auth.login')) return render_template('auth/register.html', form=form) @auth.route('/login', methods=['GET', 'POST']) def login(): + """用户登录""" if current_user.is_authenticated: return redirect(url_for('main.index')) form = LoginForm() if form.validate_on_submit(): user = User.query.filter_by(email=form.email.data).first() if user is None or not user.check_password(form.password.data): + current_app.logger.warning(f'登录失败: {form.email.data} - 无效的邮箱或密码') flash('无效的邮箱或密码。', 'danger') return redirect(url_for('auth.login')) - + if user.status != 'active': + current_app.logger.warning(f'登录失败: {user.username} - 账户状态: {user.status}') flash(f'您的账户当前状态为 "{user.status}",无法登录。请联系管理员。', 'warning') return redirect(url_for('auth.login')) login_user(user, remember=form.remember_me.data) + current_app.logger.info(f'用户登录: {user.username} ({user.email})') return redirect(url_for('main.index')) return render_template('auth/login.html', form=form) @auth.route('/logout') @login_required def logout(): + """用户登出""" + current_app.logger.info(f'用户登出: {current_user.username}') logout_user() flash('您已成功登出。') return redirect(url_for('main.index')) diff --git a/app/decorators.py b/app/decorators.py index 0c4367e..ef7b174 100644 --- a/app/decorators.py +++ b/app/decorators.py @@ -1,27 +1,26 @@ +"""权限装饰器""" from functools import wraps from flask import abort from flask_login import current_user def admin_required(f): + """仅管理员可访问""" @wraps(f) def decorated_function(*args, **kwargs): if not current_user.is_authenticated or current_user.role != 'admin': - abort(403) # HTTP 403 Forbidden error + abort(403) return f(*args, **kwargs) return decorated_function -# === 修正后的通用权限装饰器 === def permission_required(*roles): + """指定角色可访问""" def decorator(f): @wraps(f) def decorated_function(*args, **kwargs): if not current_user.is_authenticated: - abort(401) # Unauthorized + abort(401) if current_user.role not in roles: - abort(403) # Forbidden + abort(403) return f(*args, **kwargs) - - # 正确的返回:返回包含了权限检查逻辑的包装函数 - return decorated_function # <--- 已修正 - + return decorated_function return decorator diff --git a/app/filters.py b/app/filters.py index 5662940..9386e8f 100644 --- a/app/filters.py +++ b/app/filters.py @@ -1,24 +1,16 @@ -# app/filters.py -# 状态翻译过滤器 +"""Jinja2模板过滤器""" STATUS_TRANSLATIONS = { - # 举报状态 'pending': '待审核', 'in_review': '审核中', 'approved': '已批准', 'rejected': '已驳回', 'revoked': '已撤销', 'overturned': '已推翻', - - # 申诉状态 'awaiting_admin_reply': '等待管理员回复', 'awaiting_user_reply': '等待用户回复', - - # 用户状态 'active': '正常', 'disabled': '已禁用', - - # 黑名单状态 'expired': '已过期' } @@ -39,9 +31,9 @@ REASON_TRANSLATIONS = { } def translate_status(status): - """将英文状态翻译为中文""" + """状态翻译过滤器""" return STATUS_TRANSLATIONS.get(status, status) def translate_reason(reason): - """将英文违规原因翻译为中文""" + """违规原因翻译过滤器""" return REASON_TRANSLATIONS.get(reason, reason) diff --git a/app/models.py b/app/models.py index eb8c4d6..f07557f 100644 --- a/app/models.py +++ b/app/models.py @@ -4,6 +4,7 @@ from werkzeug.security import generate_password_hash, check_password_hash from app import db, login_manager class PartnerSite(db.Model): + """合作PT站点模型""" __tablename__ = 'partner_sites' id = db.Column(db.Integer, primary_key=True) name = db.Column(db.String(100), unique=True, nullable=False, index=True) @@ -14,20 +15,23 @@ class PartnerSite(db.Model): def __repr__(self): return f'' + class User(UserMixin, db.Model): + """用户模型""" __tablename__ = 'users' id = db.Column(db.Integer, primary_key=True) username = db.Column(db.String(64), unique=True, index=True, nullable=False) email = db.Column(db.String(120), unique=True, index=True, nullable=False) password_hash = db.Column(db.String(256)) - role = db.Column(db.String(16), default='user', index=True) # 'user', 'admin', 'trust_user' - status = db.Column(db.String(16), default='pending', index=True) # 'pending', 'active', 'disabled' + role = db.Column(db.String(16), default='user', index=True) + status = db.Column(db.String(16), default='pending', index=True) created_at = db.Column(db.DateTime, default=datetime.utcnow) updated_at = db.Column(db.DateTime, default=datetime.utcnow, onupdate=datetime.utcnow) - pt_site = db.Column(db.String(100)) # 注册时填写的站点 - uid = db.Column(db.String(50)) # 注册时填写的 UID + pt_site = db.Column(db.String(100)) + uid = db.Column(db.String(50)) reports = db.relationship('Report', backref='reporter', lazy='dynamic') comments = db.relationship('Comment', back_populates='author', lazy='dynamic') + def set_password(self, password): self.password_hash = generate_password_hash(password) @@ -42,6 +46,7 @@ def load_user(user_id): return User.query.get(int(user_id)) class Report(db.Model): + """举报模型""" __tablename__ = 'reports' __table_args__ = ( db.Index('idx_report_status_created', 'status', 'created_at'), @@ -52,9 +57,9 @@ class Report(db.Model): reported_pt_site = db.Column(db.String(100), nullable=False) reported_username = db.Column(db.String(50)) reported_email = db.Column(db.String(120), index=True, nullable=False) - reason_category = db.Column(db.String(16), nullable=False) # 'cheating', 'trading', 'spam', 'abusive', 'radio', 'other' + reason_category = db.Column(db.String(16), nullable=False) description = db.Column(db.Text, nullable=False) - status = db.Column(db.String(16), index=True, default='pending') # 'pending', 'approved', 'rejected', 'revoked', 'overturned' + status = db.Column(db.String(16), index=True, default='pending') created_at = db.Column(db.DateTime, index=True, default=datetime.utcnow) updated_at = db.Column(db.DateTime, default=datetime.utcnow, onupdate=datetime.utcnow) comments = db.relationship('Comment', backref='report', lazy='dynamic', cascade='all, delete-orphan') @@ -65,11 +70,12 @@ class Report(db.Model): return f'' class Evidence(db.Model): + """证据模型""" __tablename__ = 'evidences' id = db.Column(db.Integer, primary_key=True) report_id = db.Column(db.Integer, db.ForeignKey('reports.id', ondelete='CASCADE'), nullable=False) - file_url = db.Column(db.String(1024), nullable=False) # 存储OSS或本地路径 - file_type = db.Column(db.String(16)) # 'image', 'zip', 'text', 'image_url' + file_url = db.Column(db.String(1024), nullable=False) + file_type = db.Column(db.String(16)) created_at = db.Column(db.DateTime, default=datetime.utcnow) updated_at = db.Column(db.DateTime, default=datetime.utcnow, onupdate=datetime.utcnow) @@ -77,6 +83,7 @@ class Evidence(db.Model): return f'' class Blacklist(db.Model): + """黑名单模型""" __tablename__ = 'blacklist' __table_args__ = ( db.Index('idx_blacklist_email_status', 'normalized_email', 'status'), @@ -86,18 +93,20 @@ class Blacklist(db.Model): id = db.Column(db.Integer, primary_key=True) username = db.Column(db.String(64), index=True) email = db.Column(db.String(120), index=True) - normalized_email = db.Column(db.String(120), index=True) # 归一化后的邮箱 + normalized_email = db.Column(db.String(120), index=True) pt_site = db.Column(db.String(100), index=True) uid = db.Column(db.String(50)) - report_id = db.Column(db.Integer, db.ForeignKey('reports.id'), unique=True) # 确保一个举报只对应一个黑名单条目 - status = db.Column(db.String(16), default='active', index=True) # 'active', 'revoked', 'expired' + report_id = db.Column(db.Integer, db.ForeignKey('reports.id'), unique=True) + status = db.Column(db.String(16), default='active', index=True) created_at = db.Column(db.DateTime, index=True, default=datetime.utcnow) updated_at = db.Column(db.DateTime, default=datetime.utcnow, onupdate=datetime.utcnow) appeals = db.relationship('Appeal', backref='blacklist_entry', lazy='dynamic') def __repr__(self): return f'' + class Comment(db.Model): + """评论模型""" __tablename__ = 'comments' id = db.Column(db.Integer, primary_key=True) body = db.Column(db.Text) @@ -105,26 +114,30 @@ class Comment(db.Model): author_id = db.Column(db.Integer, db.ForeignKey('users.id', ondelete='CASCADE')) report_id = db.Column(db.Integer, db.ForeignKey('reports.id', ondelete='CASCADE')) author = db.relationship('User', back_populates='comments') + class Appeal(db.Model): + """申诉模型""" __tablename__ = 'appeals' id = db.Column(db.Integer, primary_key=True) - reason = db.Column(db.Text, nullable=False) # 用户最初的申诉理由 - status = db.Column(db.String(32), nullable=False, default='awaiting_admin_reply', index=True) # 'awaiting_admin_reply', 'awaiting_user_reply', 'approved', 'rejected' + reason = db.Column(db.Text, nullable=False) + status = db.Column(db.String(32), nullable=False, default='awaiting_admin_reply', index=True) created_at = db.Column(db.DateTime, index=True, default=datetime.utcnow) updated_at = db.Column(db.DateTime, default=datetime.utcnow, onupdate=datetime.utcnow) - appealer_id = db.Column(db.Integer, db.ForeignKey('users.id', ondelete='CASCADE')) # 申诉人 - blacklist_entry_id = db.Column(db.Integer, db.ForeignKey('blacklist.id', ondelete='SET NULL')) # 关联的黑名单条目 + appealer_id = db.Column(db.Integer, db.ForeignKey('users.id', ondelete='CASCADE')) + blacklist_entry_id = db.Column(db.Integer, db.ForeignKey('blacklist.id', ondelete='SET NULL')) messages = db.relationship('AppealMessage', backref='appeal', lazy='dynamic', cascade='all, delete-orphan') appealer = db.relationship('User', backref='appeals') def __repr__(self): return f'' + class AppealMessage(db.Model): + """申诉消息模型""" __tablename__ = 'appeal_messages' id = db.Column(db.Integer, primary_key=True) body = db.Column(db.Text, nullable=False) created_at = db.Column(db.DateTime, index=True, default=datetime.utcnow) - author_id = db.Column(db.Integer, db.ForeignKey('users.id', ondelete='CASCADE')) # 消息发送者 + author_id = db.Column(db.Integer, db.ForeignKey('users.id', ondelete='CASCADE')) appeal_id = db.Column(db.Integer, db.ForeignKey('appeals.id', ondelete='CASCADE')) author = db.relationship('User', backref='appeal_messages') diff --git a/app/routes.py b/app/routes.py index 4b7a1fa..81d0b5b 100644 --- a/app/routes.py +++ b/app/routes.py @@ -1,8 +1,8 @@ -from flask import abort, Blueprint, render_template, request, flash,redirect, url_for +from flask import abort, Blueprint, render_template, request, flash, redirect, url_for, current_app from sqlalchemy import or_ from flask_login import login_required, current_user from app import db -from app.forms import SearchForm, ReportForm, ReportForm, UpdateUserForm, CommentForm, RevokeForm, AppealForm, AppealMessageForm, PartnerSiteForm +from app.forms import SearchForm, ReportForm, UpdateUserForm, CommentForm, RevokeForm, AppealForm, AppealMessageForm, PartnerSiteForm from app.models import Blacklist, Report, Evidence, User, Comment, AppealMessage, Appeal, PartnerSite from app.decorators import admin_required, permission_required from app.services.email_normalizer import normalize_email @@ -11,54 +11,54 @@ main = Blueprint('main', __name__) @main.route('/', methods=['GET', 'POST']) def index(): + """首页 - 黑名单查询""" form = SearchForm() search_result = None searched = False if form.validate_on_submit(): - # 在处理表单之前,检查用户是否已登录 if not current_user.is_authenticated: flash('请登录后才能使用查询功能。', 'warning') - # 重定向到登录页面,或者直接返回首页 return redirect(url_for('main.index')) - - # 如果用户已登录,则执行以下查询逻辑 + searched = True search_term = form.search_term.data normalized_email = normalize_email(search_term) - + search_result = Blacklist.query.join(Report).filter( or_( Blacklist.normalized_email == normalized_email, Blacklist.username == search_term ), Blacklist.status == 'active', - Report.status == 'approved' + Report.status == 'approved' ).first() - + if search_result: + current_app.logger.info(f'黑名单查询命中: {search_term} by {current_user.username}') flash(f'警告: 查询到与 "{search_term}" 相关的公开不良记录。详情如下。', 'warning') else: + current_app.logger.info(f'黑名单查询未命中: {search_term} by {current_user.username}') flash(f'未查询到与 "{search_term}" 相关的公开不良记录。', 'info') - + return render_template('index.html', form=form, search_result=search_result, searched=searched, Appeal=Appeal) @main.route('/report/new', methods=['GET', 'POST']) @login_required def create_report(): + """创建新举报""" form = ReportForm() active_sites = PartnerSite.query.filter_by(is_active=True).order_by(PartnerSite.name).all() form.reported_pt_site.choices = [(site.name, site.name) for site in active_sites] if form.validate_on_submit(): - # 检查是否已有针对该邮箱的活跃举报 existing_report = Report.query.filter_by( reported_email=form.reported_email.data, status='pending' ).first() if existing_report: + current_app.logger.warning(f'重复举报: {form.reported_email.data} by {current_user.username}') flash(f'该邮箱已有待审核的举报 (#{existing_report.id}),请勿重复提交。', 'warning') return render_template('create_report.html', form=form) - # 1. 创建 Report 对象 new_report = Report( reporter_id=current_user.id, reported_pt_site=form.reported_pt_site.data, @@ -69,59 +69,53 @@ def create_report(): status='pending' ) db.session.add(new_report) - - # 2. 处理证据链接 + urls_text = form.evidences.data - # 按行分割,并移除空白行和首尾空格 evidence_urls = [url.strip() for url in urls_text.strip().splitlines() if url.strip()] if not evidence_urls: flash('必须提供至少一个有效的证据链接。', 'danger') return render_template('create_report.html', form=form) - # 对每个 URL 进行简单的验证和保存 + valid_extensions = ('.png', '.jpg', '.jpeg', '.gif', '.bmp', '.webp') for url in evidence_urls: if url.lower().startswith(('http://', 'https://')) and url.lower().endswith(valid_extensions): evidence = Evidence( - file_url=url, - file_type='image_url', # 标记类型为图片链接 + file_url=url, + file_type='image_url', report=new_report ) db.session.add(evidence) else: - # 如果有任何一个链接格式不正确,则回滚并提示用户 db.session.rollback() + current_app.logger.error(f'无效证据链接: {url[:50]} by {current_user.username}') flash(f'链接 "{url[:50]}..." 格式不正确或不是支持的图片格式。请提供以 http/https 开头,以 .png, .jpg 等结尾的图片链接。', 'danger') return render_template('create_report.html', form=form) - - # 3. 提交到数据库 + db.session.commit() + current_app.logger.info(f'新举报提交: #{new_report.id} - {form.reported_email.data} by {current_user.username}') flash('举报提交成功,请等待管理员审核。', 'success') return redirect(url_for('main.index')) - + return render_template('create_report.html', form=form) @main.route('/admin/reports') @login_required @permission_required('admin', 'trust_user') def report_list(): - # 获取页码,默认为第一页 + """举报列表(管理员/信任用户)""" page = request.args.get('page', 1, type=int) - # 查询举报,按创建时间倒序排列,并进行分页 - # 每页显示 20 条记录 query = Report.query if current_user.role == 'trust_user': query = query.filter_by(status='pending') reports_pagination = query.order_by(Report.created_at.desc()).paginate( page=page, per_page=20, error_out=False ) - return render_template( - 'admin/report_list.html', - reports=reports_pagination - ) + return render_template('admin/report_list.html', reports=reports_pagination) @main.route('/report/', methods=['GET', 'POST']) @login_required -@permission_required('admin', 'trust_user') # 允许 admin 和 trust_user 访问 +@permission_required('admin', 'trust_user') def report_detail(report_id): + """举报详情""" report = Report.query.get_or_404(report_id) if current_user.role == 'trust_user' and report.status != 'pending': flash('您无权查看已处理的举报。', 'warning') @@ -139,12 +133,11 @@ def report_detail(report_id): ) db.session.add(comment) db.session.commit() + current_app.logger.info(f'举报评论: #{report.id} by {current_user.username}') flash('你的审核建议已成功提交。', 'success') return redirect(url_for('main.report_detail', report_id=report.id)) - - comments = report.comments.order_by(Comment.created_at.desc()).all() - # 查找针对同一邮箱的其他举报 + comments = report.comments.order_by(Comment.created_at.desc()).all() related_reports = Report.query.filter( Report.reported_email == report.reported_email, Report.id != report.id @@ -158,12 +151,11 @@ def report_detail(report_id): comments=comments, related_reports=related_reports ) -# === 独立的举报处理视图 (仅限 Admin) === -# 这个视图只处理动作,不渲染页面。它接收来自详情页按钮的 POST 请求。 @main.route('/admin/report//process', methods=['POST']) @login_required @admin_required def process_report(report_id): + """处理举报(批准/驳回)""" report = Report.query.get_or_404(report_id) action = request.form.get('action') @@ -173,10 +165,8 @@ def process_report(report_id): if action == 'confirm': report.status = 'approved' - # 检查是否已在黑名单中 existing_blacklist = Blacklist.query.filter_by(report_id=report.id).first() if not existing_blacklist: - # 创建新的黑名单记录 new_blacklist_entry = Blacklist( email=report.reported_email, normalized_email=normalize_email(report.reported_email), @@ -187,7 +177,6 @@ def process_report(report_id): ) db.session.add(new_blacklist_entry) - # 自动处理同一邮箱的其他待审核举报 other_pending = Report.query.filter( Report.reported_email == report.reported_email, Report.id != report.id, @@ -203,7 +192,9 @@ def process_report(report_id): ) db.session.add(comment) + current_app.logger.info(f'举报批准: #{report.id} - {report.reported_email} by {current_user.username}') if other_pending: + current_app.logger.info(f'自动批准关联举报: {len(other_pending)}个') flash(f'举报已批准,并已将相关信息添加到黑名单。同时自动处理了 {len(other_pending)} 个相关举报。', 'success') else: flash('举报已批准,并已将相关信息添加到黑名单。', 'success') @@ -211,8 +202,8 @@ def process_report(report_id): flash('举报状态已更新为"批准"。该举报已在黑名单中,无需重复添加。', 'info') elif action == 'invalidate': report.status = 'rejected' - flash('举报状态已更新为“无效”。', 'success') - + current_app.logger.info(f'举报驳回: #{report.id} by {current_user.username}') + flash('举报状态已更新为"无效"。', 'success') else: flash('无效的操作。', 'danger') db.session.commit() @@ -221,44 +212,36 @@ def process_report(report_id): @login_required @admin_required def revoke_report(report_id): + """撤销已批准的举报""" report = Report.query.get_or_404(report_id) - # 只有已批准的举报才能被撤销 if report.status != 'approved': flash('错误:只有已批准的举报才能被撤销。', 'danger') return redirect(url_for('main.report_detail', report_id=report.id)) form = RevokeForm() if form.validate_on_submit(): - # 1. 从黑名单中移除 blacklist_entry = Blacklist.query.filter_by(report_id=report.id).first() if blacklist_entry: db.session.delete(blacklist_entry) - - # 2. 更新举报状态 + report.status = 'revoked' - - # 3. 将撤销理由记录为一条特殊的评论(审计日志) revocation_comment = Comment( body=f"[系统操作:撤销批准]\n理由:{form.reason.data}", report=report, author=current_user._get_current_object() ) db.session.add(revocation_comment) - db.session.commit() + current_app.logger.warning(f'举报撤销: #{report.id} by {current_user.username} - 理由: {form.reason.data[:50]}') flash('举报已成功撤销,并已从黑名单中移除。', 'success') else: - # 如果表单验证失败(例如理由为空),显示错误信息 flash('撤销失败:' + ' '.join(form.reason.errors), 'danger') return redirect(url_for('main.report_detail', report_id=report.id)) @main.route('/admin/users') @login_required @admin_required def manage_users(): - # 查询所有非待审核的用户 + """用户管理""" users = User.query.filter(User.status != 'pending').order_by(User.created_at.desc()).all() - - # 为每个用户创建一个预填充了当前数据的表单实例 - # 这样在模板中可以直接渲染,并且下拉框会默认选中用户的当前角色/状态 forms = {} for user in users: forms[user.id] = UpdateUserForm(obj=user) @@ -267,13 +250,13 @@ def manage_users(): @login_required @admin_required def update_user(user_id): + """更新用户角色和状态""" if user_id == 1: flash('错误:禁止修改初始管理员账户的角色和状态。', 'danger') return redirect(url_for('main.manage_users')) user = User.query.get_or_404(user_id) - form = UpdateUserForm() # 创建一个空的表单来接收 POST 数据 + form = UpdateUserForm() if form.validate_on_submit(): - # 安全检查:防止管理员误操作禁用或降级自己 if user == current_user: if form.role.data != 'admin' or form.status.data != 'active': flash('警告:您不能禁用或降级自己的管理员账户。', 'danger') @@ -281,9 +264,9 @@ def update_user(user_id): user.role = form.role.data user.status = form.status.data db.session.commit() + current_app.logger.info(f'用户更新: {user.username} - 角色:{user.role} 状态:{user.status} by {current_user.username}') flash(f'用户 {user.username} 的信息已成功更新。', 'success') else: - # 如果表单验证失败,也给出提示 flash('更新失败,请检查提交的数据。', 'danger') return redirect(url_for('main.manage_users')) @@ -291,37 +274,47 @@ def update_user(user_id): @login_required @admin_required def pending_users(): + """待审核用户列表""" users_to_review = User.query.filter_by(status='pending').order_by(User.created_at.asc()).all() return render_template('admin/pending_users.html', users=users_to_review) + @main.route('/admin/user//approve', methods=['POST']) @login_required @admin_required def approve_user(user_id): + """批准用户注册""" user = User.query.get_or_404(user_id) user.status = 'active' db.session.commit() + current_app.logger.info(f'用户注册批准: {user.username} ({user.email}) by {current_user.username}') flash(f'用户 {user.username} 的注册申请已被批准。', 'success') return redirect(url_for('main.pending_users')) + @main.route('/admin/user//reject', methods=['POST']) @login_required @admin_required def reject_user(user_id): + """拒绝用户注册""" user = User.query.get_or_404(user_id) + username = user.username + email = user.email db.session.delete(user) db.session.commit() - flash(f'用户 {user.username} 的注册申请已被拒绝并删除。', 'success') + current_app.logger.info(f'用户注册拒绝: {username} ({email}) by {current_user.username}') + flash(f'用户 {username} 的注册申请已被拒绝并删除。', 'success') return redirect(url_for('main.pending_users')) @main.route('/appeal/create/', methods=['GET', 'POST']) @login_required def create_appeal(blacklist_id): + """创建申诉""" blacklist_entry = Blacklist.query.get_or_404(blacklist_id) - - # 安全检查:确保用户只能为自己的黑名单记录申诉(邮箱匹配 或 UID+站点匹配) + if not (current_user.email == blacklist_entry.email or (current_user.uid == blacklist_entry.uid and current_user.pt_site == blacklist_entry.pt_site)): + current_app.logger.warning(f'非法申诉尝试: 用户{current_user.username} 尝试申诉黑名单#{blacklist_id}') abort(403) - # 检查是否已有进行中的申诉 + if blacklist_entry.appeals.filter(Appeal.status.in_(['awaiting_admin_reply', 'awaiting_user_reply'])).first(): flash('您已有一个正在进行中的申诉,请勿重复提交。', 'warning') return redirect(url_for('main.index')) @@ -334,19 +327,18 @@ def create_appeal(blacklist_id): ) db.session.add(appeal) db.session.commit() + current_app.logger.info(f'新申诉提交: #{appeal.id} - 黑名单#{blacklist_id} by {current_user.username}') flash('您的申诉已成功提交,请等待管理员审核。', 'success') - # 提交成功后,跳转到申诉详情页 return redirect(url_for('main.appeal_detail', appeal_id=appeal.id)) - - # 如果是 GET 请求,或表单验证失败,则渲染创建页面 + return render_template('create_appeal.html', form=form, entry=blacklist_entry) @main.route('/appeal/', methods=['GET', 'POST']) @login_required def appeal_detail(appeal_id): + """申诉详情和对话""" appeal = Appeal.query.get_or_404(appeal_id) - - # 权限检查:只有申诉人或管理员可以查看 - if appeal.appealer_id != current_user.id and not current_user.role=='admin': # 假设你有 MANAGE_REPORTS 权限 + + if appeal.appealer_id != current_user.id and not current_user.role=='admin': abort(403) form = AppealMessageForm() if form.validate_on_submit(): @@ -358,7 +350,6 @@ def appeal_detail(appeal_id): author_id=current_user.id, appeal_id=appeal.id ) - # 更新申诉状态 if current_user.role=='admin': appeal.status = 'awaiting_user_reply' else: @@ -366,16 +357,17 @@ def appeal_detail(appeal_id): db.session.add(msg) db.session.commit() + current_app.logger.info(f'申诉消息: #{appeal.id} by {current_user.username}') flash('消息已发送。', 'success') return redirect(url_for('main.appeal_detail', appeal_id=appeal.id)) messages = appeal.messages.order_by(AppealMessage.created_at.asc()).all() return render_template('appeal_detail.html', appeal=appeal, messages=messages, form=form) @main.route('/admin/appeals') @login_required -@permission_required('admin') # 或者你的管理权限 +@permission_required('admin') def appeal_list(): + """申诉列表(管理员)""" page = request.args.get('page', 1, type=int) - # 优先显示待处理的 appeals_pagination = Appeal.query.order_by( db.case( (Appeal.status == 'awaiting_admin_reply', 0), @@ -384,48 +376,48 @@ def appeal_list(): ), Appeal.updated_at.desc() ).paginate(page=page, per_page=20, error_out=False) - + return render_template('admin/appeal_list.html', appeals=appeals_pagination) + @main.route('/appeal//decide', methods=['POST']) @login_required -@permission_required('admin') # 必须是管理员 +@permission_required('admin') def decide_appeal(appeal_id): + """处理申诉(批准/驳回)""" appeal = Appeal.query.get_or_404(appeal_id) if appeal.status in ['approved', 'rejected']: flash('该申诉已处理,无法重复操作。', 'warning') return redirect(url_for('main.appeal_detail', appeal_id=appeal.id)) action = request.form.get('action') if action == 'approve': - # 批准申诉:删除黑名单记录,更新申诉状态 blacklist_entry = appeal.blacklist_entry - blacklist_entry.status = 'revoked' # 将黑名单条目状态改为"已撤销" - appeal.status = 'approved' # 同时更新申诉本身的状态 + blacklist_entry.status = 'revoked' + appeal.status = 'approved' if blacklist_entry.report: - # 使用 'overturned' (已推翻) 可能比 'revoked' 更能描述 Report 的状态 - blacklist_entry.report.status = 'overturned' + blacklist_entry.report.status = 'overturned' db.session.add(blacklist_entry.report) db.session.add(blacklist_entry) db.session.add(appeal) db.session.commit() - - # --- 修改结束 --- + current_app.logger.info(f'申诉批准: #{appeal.id} by {current_user.username}') flash(f'申诉 #{appeal.id} 已被批准,对应的黑名单条目已撤销。', 'success') - + elif action == 'reject': - # 驳回申诉:仅更新申诉状态 appeal.status = 'rejected' db.session.add(appeal) + db.session.commit() + current_app.logger.info(f'申诉驳回: #{appeal.id} by {current_user.username}') flash(f'已驳回申诉 #{appeal.id}。', 'info') else: flash('无效操作。', 'danger') return redirect(url_for('main.appeal_list')) - db.session.commit() return redirect(url_for('main.appeal_list')) @main.route('/my/reports') @login_required def my_reports(): + """我的举报列表""" page = request.args.get('page', 1, type=int) reports_pagination = Report.query.filter_by(reporter_id=current_user.id).order_by( Report.created_at.desc() @@ -435,6 +427,7 @@ def my_reports(): @main.route('/my/appeals') @login_required def my_appeals(): + """我的申诉列表""" page = request.args.get('page', 1, type=int) appeals_pagination = Appeal.query.filter_by(appealer_id=current_user.id).order_by( Appeal.created_at.desc() @@ -445,9 +438,9 @@ def my_appeals(): @login_required @admin_required def manage_sites(): + """站点管理""" form = PartnerSiteForm() if form.validate_on_submit(): - # ... (添加站点的逻辑保持不变) existing_site = PartnerSite.query.filter_by(name=form.name.data).first() if existing_site: flash('该站点名称已存在。', 'danger') @@ -455,32 +448,39 @@ def manage_sites(): new_site = PartnerSite(name=form.name.data, url=form.url.data) db.session.add(new_site) db.session.commit() + current_app.logger.info(f'新站点添加: {form.name.data} by {current_user.username}') flash(f'合作站点 "{form.name.data}" 已成功添加。', 'success') return redirect(url_for('main.manage_sites')) - + sites = PartnerSite.query.order_by(PartnerSite.name.asc()).all() return render_template('admin/manage_sites.html', sites=sites, form=form) -# 添加用于删除和切换状态的路由 + @main.route('/admin/site//delete', methods=['POST']) @login_required @admin_required def delete_site(site_id): + """删除站点""" site = PartnerSite.query.get_or_404(site_id) user_count = User.query.filter_by(pt_site=site.name).count() if user_count > 0: flash(f'无法删除站点 "{site.name}",因为已有 {user_count} 名用户关联到该站点。请先将其禁用。', 'danger') else: + site_name = site.name db.session.delete(site) db.session.commit() - flash(f'站点 "{site.name}" 已被删除。', 'success') + current_app.logger.info(f'站点删除: {site_name} by {current_user.username}') + flash(f'站点 "{site_name}" 已被删除。', 'success') return redirect(url_for('main.manage_sites')) + @main.route('/admin/site//toggle_active', methods=['POST']) @login_required @admin_required def toggle_site_active(site_id): + """切换站点启用状态""" site = PartnerSite.query.get_or_404(site_id) site.is_active = not site.is_active db.session.commit() status = "启用" if site.is_active else "禁用" + current_app.logger.info(f'站点状态切换: {site.name} - {status} by {current_user.username}') flash(f'站点 "{site.name}" 已被{status}。', 'success') return redirect(url_for('main.manage_sites')) \ No newline at end of file diff --git a/config.py b/config.py index bf98951..0552c26 100644 --- a/config.py +++ b/config.py @@ -1,22 +1,18 @@ +"""应用配置""" import os from dotenv import load_dotenv import redis -# 加载 .env 文件中的环境变量 basedir = os.path.abspath(os.path.dirname(__file__)) load_dotenv(os.path.join(basedir, '.env')) class Config: - """基础配置类""" + """基础配置""" SECRET_KEY = os.environ.get('SECRET_KEY') or 'a-hard-to-guess-string' SQLALCHEMY_TRACK_MODIFICATIONS = False - - # CSRF 配置 WTF_CSRF_ENABLED = True WTF_CSRF_TIME_LIMIT = None WTF_CSRF_CHECK_DEFAULT = False - - # Session 配置 SESSION_TYPE = 'redis' SESSION_PERMANENT = False SESSION_USE_SIGNER = True @@ -29,7 +25,6 @@ class Config: class DevelopmentConfig(Config): """开发环境配置""" DEBUG = True - # 数据库 URI DB_USER = os.environ.get('DB_USER') DB_PASSWORD = os.environ.get('DB_PASSWORD') DB_HOST = os.environ.get('DB_HOST') @@ -39,15 +34,12 @@ class DevelopmentConfig(Config): class ProductionConfig(Config): """生产环境配置""" DEBUG = False - # 数据库 URI DB_USER = os.environ.get('DB_USER') DB_PASSWORD = os.environ.get('DB_PASSWORD') DB_HOST = os.environ.get('DB_HOST') DB_NAME = os.environ.get('DB_NAME') SQLALCHEMY_DATABASE_URI = f'mysql+pymysql://{DB_USER}:{DB_PASSWORD}@{DB_HOST}/{DB_NAME}' - -# 方便地通过字典来选择配置 config = { 'development': DevelopmentConfig, 'production': ProductionConfig, diff --git a/run.py b/run.py index 980b6fa..463708b 100644 --- a/run.py +++ b/run.py @@ -1,3 +1,4 @@ +"""应用启动入口""" import os import click from app import create_app, db @@ -13,23 +14,23 @@ def make_shell_context(): @click.argument("username") @click.argument("email") @click.argument("password") -@click.option("--admin", is_flag=True, help="Flag to create an admin user.") +@click.option("--admin", is_flag=True, help="创建管理员用户") def create_user(username, email, password, admin): - """Creates a new user.""" + """创建新用户""" if User.query.filter_by(email=email).first(): - print(f"Error: Email {email} already exists.") + print(f"错误: 邮箱 {email} 已存在") return if User.query.filter_by(username=username).first(): - print(f"Error: Username {username} already exists.") + print(f"错误: 用户名 {username} 已存在") return - + user = User(username=username, email=email, status='active') user.set_password(password) if admin: user.role = 'admin' - + db.session.add(user) db.session.commit() - print(f"User {username} created successfully.") + print(f"用户 {username} 创建成功") if admin: - print("Role: Admin") + print("角色: 管理员")