fix: 权限变更后不显示旧通知

- 新增 role_changed_at 字段，改权限时记录时间 - 通知查询用 MAX(注册时间, 权限变更时间) 过滤 - 确保新增权限的用户只看到变更之后的通知 Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-04-10 10:29:03 +00:00
parent 36bdec1d16
commit 4de1c41131
2 changed files with 11 additions and 5 deletions
--- a/backend/main.py
+++ b/backend/main.py
@@ -1029,7 +1029,7 @@ def update_user(user_id: int, body: UserUpdate, user=Depends(require_role("admin
        if body.role == "admin":
            conn.close()
            raise HTTPException(403, "不能将用户设为管理员")
-        conn.execute("UPDATE users SET role = ? WHERE id = ?", (body.role, user_id))
+        conn.execute("UPDATE users SET role = ?, role_changed_at = datetime('now') WHERE id = ?", (body.role, user_id))
    if body.display_name is not None:
        conn.execute("UPDATE users SET display_name = ? WHERE id = ?", (body.display_name, user_id))
    log_audit(conn, user["id"], "update_user", "user", user_id, None,
@@ -1493,15 +1493,19 @@ def get_notifications(user=Depends(get_current_user)):
    if not user["id"]:
        return []
    conn = get_db()
-    # Only show notifications created after user registration
-    user_created = conn.execute("SELECT created_at FROM users WHERE id = ?", (user["id"],)).fetchone()
-    created_at = user_created["created_at"] if user_created else "2000-01-01"
+    # Only show notifications after user registration or last role change (whichever is later)
+    user_row = conn.execute("SELECT created_at, role_changed_at FROM users WHERE id = ?", (user["id"],)).fetchone()
+    cutoff = "2000-01-01"
+    if user_row:
+        cutoff = user_row["created_at"] or cutoff
+        if user_row["role_changed_at"] and user_row["role_changed_at"] > cutoff:
+            cutoff = user_row["role_changed_at"]
    rows = conn.execute(
        "SELECT id, title, body, is_read, created_at FROM notifications "
        "WHERE (target_user_id = ? OR (target_user_id IS NULL AND (target_role = ? OR target_role = 'all'))) "
        "AND created_at >= ? "
        "ORDER BY is_read ASC, id DESC LIMIT 200",
-        (user["id"], user["role"], created_at)
+        (user["id"], user["role"], cutoff)
    ).fetchall()
    conn.close()
    return [dict(r) for r in rows]