fix: 申诉查看错误

app/routes.py

@@ -1,4 +1,4 @@
-from flask import Blueprint, render_template, request, flash,redirect, url_for
+from flask import abort, Blueprint, render_template, request, flash,redirect, url_for
 from sqlalchemy import or_
 from flask_login import login_required, current_user
 from app import db
@@ -144,12 +144,17 @@ def report_detail(report_id):
     )
 # === 独立的举报处理视图 (仅限 Admin) ===
 # 这个视图只处理动作，不渲染页面。它接收来自详情页按钮的 POST 请求。
-@main.route('/admin/report/<int:report_id>/process/<action>', methods=['POST'])
+@main.route('/admin/report/<int:report_id>/process', methods=['POST'])
 @login_required
-@admin_required # 严格限制为 admin
-def process_report(report_id, action):
+@admin_required
+def process_report(report_id):
     report = Report.query.get_or_404(report_id)
-    
+    action = request.form.get('action')
+
+    if action not in ['confirm', 'invalidate']:
+        flash('无效的操作。', 'danger')
+        return redirect(url_for('main.report_detail', report_id=report_id))
+
     if action == 'confirm':
         report.status = 'approved'
         # 检查是否已在黑名单中
@@ -276,10 +281,10 @@ def reject_user(user_id):
 def create_appeal(blacklist_id):
     blacklist_entry = Blacklist.query.get_or_404(blacklist_id)
     
-    # 安全检查：确保用户只能为自己的黑名单记录申诉
-    # 注意：请根据你的 User 模型修改 current_user.reported_uid
-    if not (hasattr(current_user, 'reported_uid') and current_user.reported_uid == blacklist_entry.uid) and not (current_user.email == blacklist_entry.email):
-        abort(403) # Forbidden
+    # 安全检查：确保用户只能为自己的黑名单记录申诉（邮箱匹配 或 UID+站点匹配）
+    if not (current_user.email == blacklist_entry.email or
+            (current_user.uid == blacklist_entry.uid and current_user.pt_site == blacklist_entry.pt_site)):
+        abort(403)
     # 检查是否已有进行中的申诉
     if blacklist_entry.appeals.filter(Appeal.status.in_(['awaiting_admin_reply', 'awaiting_user_reply'])).first():
         flash('您已有一个正在进行中的申诉，请勿重复提交。', 'warning')

app/templates/admin/report_detail.html

@@ -39,10 +39,14 @@
             <div class="card-header"><h5 class="mb-0">管理员操作</h5></div>
             <div class="card-body d-grid gap-2">
             {% if report.status == 'pending' or report.status == 'in_review' %}
-                <form action="{{ url_for('main.process_report', report_id=report.id, action='confirm') }}" method="POST" class="d-grid">
+                <form action="{{ url_for('main.process_report', report_id=report.id) }}" method="POST" class="d-grid">
+                    <input type="hidden" name="csrf_token" value="{{ csrf_token() }}">
+                    <input type="hidden" name="action" value="confirm">
                     <button type="submit" class="btn btn-success">确认违规 (加入黑名单)</button>
                 </form>
-                <form action="{{ url_for('main.process_report', report_id=report.id, action='invalidate') }}" method="POST" class="d-grid">
+                <form action="{{ url_for('main.process_report', report_id=report.id) }}" method="POST" class="d-grid">
+                    <input type="hidden" name="csrf_token" value="{{ csrf_token() }}">
+                    <input type="hidden" name="action" value="invalidate">
                     <button type="submit" class="btn btn-warning">举报无效</button>
                 </form>
             {% elif report.status == 'approved' %}

app/templates/appeal_detail.html

@@ -21,8 +21,12 @@
                 </p>
                 <hr>
                 <h6>针对黑名单记录</h6>
+                {% if appeal.blacklist_entry %}
                 <p class="mb-0"><strong>站点:</strong> {{ appeal.blacklist_entry.pt_site }}</p>
                 <p class="mb-0"><strong>UID:</strong> {{ appeal.blacklist_entry.uid }}</p>
+                {% else %}
+                <p class="mb-0 text-muted">黑名单记录已删除</p>
+                {% endif %}
             </div>
         </div>