From 4de1c41131642ef5732a51eca5c2eac6409212b4 Mon Sep 17 00:00:00 2001
From: Hera Zhao
Date: Fri, 10 Apr 2026 10:29:03 +0000
Subject: [PATCH] =?UTF-8?q?fix:=20=E6=9D=83=E9=99=90=E5=8F=98=E6=9B=B4?= =?UTF-8?q?=E5=90=8E=E4=B8=8D=E6=98=BE=E7=A4=BA=E6=97=A7=E9=80=9A=E7=9F=A5?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

- 新增 role_changed_at 字段,改权限时记录时间
- 通知查询用 MAX(注册时间, 权限变更时间) 过滤
- 确保新增权限的用户只看到变更之后的通知
Co-Authored-By: Claude Opus 4.6 (1M context)
---
 backend/database.py | 2 ++
 backend/main.py | 14 +++++++++-----
 2 files changed, 11 insertions(+), 5 deletions(-)
diff --git a/backend/database.py b/backend/database.py
index 56bf3bc..bda3ef6 100644
--- a/backend/database.py
+++ b/backend/database.py
@@ -163,6 +163,8 @@ def init_db():
 c.execute("ALTER TABLE users ADD COLUMN brand_bg TEXT")
 if "brand_align" not in user_cols:
 c.execute("ALTER TABLE users ADD COLUMN brand_align TEXT DEFAULT 'center'")
+ if "role_changed_at" not in user_cols:
+ c.execute("ALTER TABLE users ADD COLUMN role_changed_at TEXT")
 # Migration: add tags to user_diary
 diary_cols = [row[1] for row in c.execute("PRAGMA table_info(user_diary)").fetchall()]
diff --git a/backend/main.py b/backend/main.py
index 877d234..84b14f9 100644
--- a/backend/main.py
+++ b/backend/main.py
@@ -1029,7 +1029,7 @@ def update_user(user_id: int, body: UserUpdate, user=Depends(require_role("admin
 if body.role == "admin":
 conn.close()
 raise HTTPException(403, "不能将用户设为管理员")
- conn.execute("UPDATE users SET role = ? WHERE id = ?", (body.role, user_id))
+ conn.execute("UPDATE users SET role = ?, role_changed_at = datetime('now') WHERE id = ?", (body.role, user_id))
 if body.display_name is not None:
 conn.execute("UPDATE users SET display_name = ? WHERE id = ?", (body.display_name, user_id))
 log_audit(conn, user["id"], "update_user", "user", user_id, None,
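Review bot: The new `role_changed_at` column added in `init_db` (backend/database.py) is plain TEXT with no stated format, yet the notification query in backend/main.py compares it as a string with `users.created_at` and `notifications.created_at`. SQLite's `datetime('now')` writes UTC as `YYYY-MM-DD HH:MM:SS`; if either `created_at` column is written in another layout (for example ISO-8601 with a `T`), the lexical comparison orders them wrongly, which cannot be checked from this hunk. I would add a comment above the migration: `# role_changed_at: UTC 'YYYY-MM-DD HH:MM:SS' from datetime('now'); NULL = role never changed; compared as text with created_at`. init_db starts and ends outside the hunk.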
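Review bot: In the `update_user` hunk of backend/main.py, `role_changed_at` is bumped whenever the request carries a role, even when the submitted role equals the one the user already has, so a no-op save would move the notification cutoff forward and hide that user's older notifications. Unless an equality check exists above the hunk (update_user starts and ends outside it), the write should be limited to real changes, for example `"UPDATE users SET role = ?, role_changed_at = datetime('now') WHERE id = ? AND role IS NOT ?"` with `(body.role, user_id, body.role)`.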
@@ -1493,15 +1493,19 @@ def get_notifications(user=Depends(get_current_user)):
 if not user["id"]:
 return []
 conn = get_db()
- # Only show notifications created after user registration
- user_created = conn.execute("SELECT created_at FROM users WHERE id = ?", (user["id"],)).fetchone()
- created_at = user_created["created_at"] if user_created else "2000-01-01"
+ # Only show notifications after user registration or last role change (whichever is later)
+ user_row = conn.execute("SELECT created_at, role_changed_at FROM users WHERE id = ?", (user["id"],)).fetchone()
+ cutoff = "2000-01-01"
+ if user_row:
+ cutoff = user_row["created_at"] or cutoff
+ if user_row["role_changed_at"] and user_row["role_changed_at"] > cutoff:
+ cutoff = user_row["role_changed_at"]
 rows = conn.execute(
 "SELECT id, title, body, is_read, created_at FROM notifications "
 "WHERE (target_user_id = ? OR (target_user_id IS NULL AND (target_role = ? OR target_role = 'all'))) "
 "AND created_at >= ? "
 "ORDER BY is_read ASC, id DESC LIMIT 200",
- (user["id"], user["role"], created_at)
+ (user["id"], user["role"], cutoff)
 ).fetchall()
 conn.close()
 return [dict(r) for r in rows]
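Review bot: The single `AND created_at >= ?` in `get_notifications` now applies the role-change cutoff to the `target_user_id = ?` branch as well, so notifications addressed to the user personally, including unread ones, disappear as soon as an admin changes their role. Those rows do not depend on the role; only the `target_user_id IS NULL` branch needs the later cutoff, while the direct branch can keep the registration time. The query then takes two time parameters, as sketched below. The start of get_notifications lies outside the hunk.

```python
# … unchanged: user_row lookup and cutoff computation …
registered_at = (user_row["created_at"] if user_row else None) or "2000-01-01"
rows = conn.execute(
    "SELECT id, title, body, is_read, created_at FROM notifications "
    "WHERE created_at >= ? AND (target_user_id = ? OR (target_user_id IS NULL "
    "AND (target_role = ? OR target_role = 'all') AND created_at >= ?)) "
    "ORDER BY is_read ASC, id DESC LIMIT 200",
    (registered_at, user["id"], user["role"], cutoff)
).fetchall()
```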