fix: 修复权限提升漏洞和添加安全头

安全修复:
- 创建 UserSelfUpdate schema，禁止用户修改自己的 role 和 is_active
- /users/me 端点现在使用 UserSelfUpdate 而非 UserUpdate

安全增强:
- 添加 SecurityHeadersMiddleware 中间件
- X-Content-Type-Options: nosniff
- X-Frame-Options: DENY
- X-XSS-Protection: 1; mode=block
- Referrer-Policy: strict-origin-when-cross-origin
- Permissions-Policy: 禁用敏感功能
- Cache-Control: API响应不缓存

backend/app/schemas/user.py

@@ -38,7 +38,7 @@ class UserCreate(UserBase):
 
 
 class UserUpdate(BaseSchema):
-    """更新用户"""
+    """更新用户（管理员使用）"""
 
     email: Optional[EmailStr] = None
     phone: Optional[str] = Field(None, pattern=r"^1[3-9]\d{9}$")
@@ -52,6 +52,19 @@ class UserUpdate(BaseSchema):
     major: Optional[str] = Field(None, max_length=100)
 
 
+class UserSelfUpdate(BaseSchema):
+    """用户自己更新个人信息（不允许修改role和is_active）"""
+
+    email: Optional[EmailStr] = None
+    phone: Optional[str] = Field(None, pattern=r"^1[3-9]\d{9}$")
+    full_name: Optional[str] = Field(None, max_length=100)
+    avatar_url: Optional[str] = None
+    bio: Optional[str] = None
+    gender: Optional[str] = Field(None, pattern="^(male|female)$")
+    school: Optional[str] = Field(None, max_length=100)
+    major: Optional[str] = Field(None, max_length=100)
+
+
 class UserPasswordUpdate(BaseSchema):
     """更新密码"""