From 127f5c5926b68a38221a28cc145c30c343573ab8 Mon Sep 17 00:00:00 2001 From: Viajero-tect <2737079298@qq.com> Date: Thu, 13 Nov 2025 19:31:15 +0800 Subject: [PATCH] =?UTF-8?q?=E6=96=B0=E5=A2=9E=E2=80=9C=E6=95=B0=E6=8D=AE?= =?UTF-8?q?=E7=BC=96=E8=BE=91=E2=80=9D?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- db.sqlite3 | Bin 131072 -> 131072 bytes elastic/templates/elastic/manage.html | 10 +-- elastic/views.py | 103 ++++++++++++++++---------- 3 files changed, 70 insertions(+), 43 deletions(-) diff --git a/db.sqlite3 b/db.sqlite3 index a324e3a1eb5f992fb93e14b0a62f110976e0fd57..c570c39a3ba8db49d407b1e67d7042b5f2188a97 100644 GIT binary patch delta 535 zcmajcy-vbV7{>87#MrnHS2f1L5Et~E(=SR~YC#bw6sts7gnk_;P^c|XSOf-Vjk9_S z7!$&6ICCG)!fG_^&+z-d?`TAgM%2?TIe*@h$oWTQ_8Or!55 zU2SCIu$L~fe!N-;EC8#*nVjbo5%aQer2)DV#ZDQeBtuEDZH#fY$zXs0Vxtg75q|(- z9H2O2j|C`jG*1u_;(J9!+JJ?&UT00n00X)Aj3u}>9smt6)fO<9)SaU-Ty~A!^87#)K#daaCg+3~@nwPVMComvRXp)RtgTSt>2p0;d;RTDk}f&KhU+ zD_~6c9?pCZXJs`S_GkG0-*+;JOeT@XJ<@yHPm|vJ-Qp!4-4th@fKV$891xg2-3%I< zu5;ZW}*p$qanm`C~rlYvUygHC8Di0~hBmhW2 z?vUb>3`#{*zfsNfJZ@7Gc3pDXx|uEqs~zKq3#|}!B5xJ zUf<=urInSDRSM2^%To~3Fm$n<#ZI~0&!~RR!&(vQ*+Qx|lo&-GRH;9WEJIQ37C{hX zY)QnHvBk&E-9ro?ZHT0GW*Qye!nnsk*BLW*M;q6nsd)xKn1zGYW?j_wYP9Z2(b;@4 SCqJdrU#E*6YzXB4>gYGqW2)f* diff --git a/elastic/templates/elastic/manage.html b/elastic/templates/elastic/manage.html index 9a969a1..b8f4a89 100644 --- a/elastic/templates/elastic/manage.html +++ b/elastic/templates/elastic/manage.html @@ -36,8 +36,8 @@ {% for it in items %} - - {{ it._id }} + + {{ it.id }} {% if it.image %} @@ -49,8 +49,8 @@ {{ it.writer_id }} - - + + {% endfor %} @@ -173,4 +173,4 @@ function doDelete(id){ } - \ No newline at end of file + diff --git a/elastic/views.py b/elastic/views.py index 4dd13de..261b39c 100644 --- a/elastic/views.py +++ b/elastic/views.py 
@@ -10,6 +10,7 @@ from django.conf import settings from django.http import JsonResponse from django.shortcuts import render from django.views.decorators.http import require_http_methods +from django.views.decorators.csrf import ensure_csrf_cookie from django.views.decorators.csrf import csrf_exempt from .es_connect import ( create_index_with_mapping, @@ -95,8 +96,17 @@ def get_all_data(request): @require_http_methods(["DELETE"]) @csrf_exempt def delete_data(request, doc_id): - """删除数据""" + """删除数据(需登录;管理员或作者本人)""" + if not request.session.get("user_id"): + return JsonResponse({"status": "error", "message": "未登录"}, status=401) try: + existing = get_by_id(doc_id) + if not existing: + return JsonResponse({"status": "error", "message": "数据不存在"}, status=404) + is_admin = (request.session.get("permission", 1) == 0) + is_owner = str(existing.get("writer_id", "")) == str(request.session.get("user_id")) + if not (is_admin or is_owner): + return JsonResponse({"status": "error", "message": "无权限"}, status=403) success = delete_by_id(doc_id) if success: return JsonResponse({"status": "success", "message": "数据删除成功"}) 
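Review bot: delete_data keeps `@csrf_exempt` while the new checks authenticate purely through the session, so a cross-site request issued by a logged-in browser still passes the 401/403 gates and deletes the document; update_data in the next hunk has the same gap. Because this commit adds `@ensure_csrf_cookie` to manage_page, the page can now send the token in the `X-CSRFToken` header, which lets the CSRF middleware validate DELETE and PUT once the decorator is removed from both views. The admin test `request.session.get("permission", 1) == 0` is now repeated in three views; a small helper such as `def _is_admin(request): return request.session.get("permission", 1) == 0` keeps the rule in one place. delete_data's try block and its except clause continue past the hunk.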
@@ -109,10 +119,35 @@ def delete_data(request, doc_id): @require_http_methods(["PUT"]) @csrf_exempt def update_data(request, doc_id): - """更新数据""" + """更新数据(需登录;管理员或作者本人)""" + if not request.session.get("user_id"): + return JsonResponse({"status": "error", "message": "未登录"}, status=401) try: - data = json.loads(request.body.decode('utf-8')) - success = update_by_id(doc_id, data) + payload = json.loads(request.body.decode('utf-8')) + except Exception: + return JsonResponse({"status": "error", "message": "JSON无效"}, status=400) + try: + existing = get_by_id(doc_id) + if not existing: + return JsonResponse({"status": "error", "message": "数据不存在"}, status=404) + is_admin = (request.session.get("permission", 1) == 0) + is_owner = str(existing.get("writer_id", "")) == str(request.session.get("user_id")) + if not (is_admin or is_owner): + return JsonResponse({"status": "error", "message": "无权限"}, status=403) + + updated = {} + if "writer_id" in payload: + updated["writer_id"] = payload["writer_id"] + if "image" in payload: + updated["image"] = payload["image"] + if "data" in payload: + v = payload["data"] + if isinstance(v, dict): + updated["data"] = json.dumps(v, ensure_ascii=False) + else: + updated["data"] = str(v) + + success = update_by_id(doc_id, updated) if success: return JsonResponse({"status": "success", "message": "数据更新成功"}) else: 
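Review bot: A non-admin owner can reassign the document to any other account, because `writer_id` is copied from the payload into `updated` without a check on who may change it — the ownership test above only looks at the stored value. Restrict it to admins, e.g. `if is_admin and "writer_id" in payload:`, or leave the field out of the editable set. The `except Exception` around `json.loads` also lets non-object bodies through: a JSON number makes the `in` test raise TypeError inside the second try, presumably surfacing as a generic error from the except clause below the hunk, so narrowing to `except (ValueError, UnicodeDecodeError):` and adding `if not isinstance(payload, dict): return JsonResponse({"status": "error", "message": "JSON无效"}, status=400)` keeps the 400 path explicit. `image` is stored unvalidated as well; if manage.html renders it as a `src` attribute, constraining it to the expected path or URL form is worth considering. update_data's try block and its except clause run past the hunk.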
@@ -265,13 +300,15 @@ def ocr_and_extract_info(image_path: str): return parse_response(response_text) -# 上传页面 @require_http_methods(["GET"]) def upload_page(request): - # if not request.session.get("user_id"): - # from django.shortcuts import redirect - # return redirect("/accounts/login/") - return render(request, "elastic/upload.html") + session_user_id = request.session.get("user_id") + if session_user_id is None: + from django.shortcuts import redirect + return redirect("/accounts/login/") + user_id_qs = request.GET.get("user_id") + context = {"user_id": user_id_qs or session_user_id} + return render(request, "elastic/upload.html", context) # 上传并识别(不入库) 
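Review bot: The `user_id` query parameter overrides the session's user id in the template context (`user_id_qs or session_user_id`), so if upload.html feeds this value into the form's writer_id, a logged-in user can submit content attributed to another account just by adding the parameter. Unless there is a deliberate admin use for it, build the context from the session alone: `context = {"user_id": session_user_id}`. The function-scope `from django.shortcuts import redirect` is unnecessary now that the branch is live code; the module already imports `render` from django.shortcuts, so `redirect` belongs in that top-level import.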
@@ -341,36 +378,26 @@ def confirm(request): @require_http_methods(["GET"]) +@ensure_csrf_cookie def manage_page(request): - if not request.session.get("user_id"): + session_user_id = request.session.get("user_id") + if session_user_id is None: from django.shortcuts import redirect return redirect("/accounts/login/") - if request.session.get("permission", 1) != 0: - from django.http import HttpResponseForbidden - return HttpResponseForbidden("forbidden") - results = search_all() - return render(request, "elastic/manage.html", {"items": results}) - - -@require_http_methods(["GET"]) -def manage_page(request): - if not request.session.get("user_id"): - from django.shortcuts import redirect - return redirect("/accounts/login/") - if request.session.get("permission", 1) != 0: - from django.http import HttpResponseForbidden - return HttpResponseForbidden("forbidden") - results = search_all() - expanded = [] - for item in results: - try: - data_obj = json.loads(item.get("data", "{}")) if isinstance(item.get("data"), str) else {} - except Exception: - data_obj = {} - expanded.append({ - "_id": item.get("_id", ""), - "writer_id": item.get("writer_id", ""), - "image": item.get("image", ""), - "data": data_obj, + is_admin = (request.session.get("permission", 1) == 0) + raw_results = search_all() + if not is_admin: + uid = str(session_user_id) + raw_results = [r for r in raw_results if str(r.get("writer_id", "")) == uid] + # 规范化键,避免模板点号访问下划线前缀字段 + results = [] + for r in raw_results: + results.append({ + "id": r.get("_id", ""), + "writer_id": r.get("writer_id", ""), + "image": r.get("image", ""), + "data": r.get("data", ""), }) - return render(request, "elastic/manage.html", {"items": expanded}) + user_id_qs = request.GET.get("user_id") + context = {"items": results, "user_id": user_id_qs or session_user_id} + return render(request, "elastic/manage.html", context)
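Review bot: As in upload_page, `user_id_qs or session_user_id` lets a query-string `user_id` replace the session's id in the context; the item list itself is filtered on `session_user_id`, so the effect depends on what manage.html does with `user_id`, but passing `session_user_id` alone removes the ambiguity. The normalisation loop is a plain append loop; `results = [{"id": r.get("_id", ""), "writer_id": r.get("writer_id", ""), "image": r.get("image", ""), "data": r.get("data", "")} for r in raw_results]` reads more directly. The definition being removed parsed `data` into a dict before rendering, whereas the new code passes the stored string through unchanged, so the template should no longer index into `it.data`; worth confirming against manage.html.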