From bdb91aabead452026d20e58db3dffcd8469240ea Mon Sep 17 00:00:00 2001 From: yuliang_guo Date: Sat, 31 Jan 2026 11:01:35 +0800 Subject: [PATCH] =?UTF-8?q?fix:=20SQL=E6=89=A7=E8=A1=8C=E5=99=A8=E4=BB=85?= =?UTF-8?q?=E5=85=81=E8=AE=B8=E7=AE=A1=E7=90=86=E5=91=98=E8=AE=BF=E9=97=AE?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit - 所有SQL执行器端点改用 require_admin 权限校验 - /sql/execute - 执行SQL - /sql/validate - 验证SQL - /sql/tables - 获取表列表 - /sql/table/{name}/schema - 获取表结构 --- backend/app/api/v1/sql_executor.py | 18 ++++++++++++------ 1 file changed, 12 insertions(+), 6 deletions(-) diff --git a/backend/app/api/v1/sql_executor.py b/backend/app/api/v1/sql_executor.py index c1231c7..69f6387 100644 --- a/backend/app/api/v1/sql_executor.py +++ b/backend/app/api/v1/sql_executor.py @@ -12,7 +12,7 @@ from sqlalchemy.ext.asyncio import AsyncSession from sqlalchemy.engine.result import Result import structlog -from app.core.deps import get_current_user, get_db +from app.core.deps import get_current_user, get_db, require_admin try: from app.core.simple_auth import get_current_user_simple except ImportError: @@ -57,7 +57,7 @@ def serialize_row(row: Any) -> Union[Dict[str, Any], Any]: @router.post("/execute", response_model=ResponseModel) async def execute_sql( request: Dict[str, Any], - current_user: User = Depends(get_current_user), + current_user: User = Depends(require_admin), db: AsyncSession = Depends(get_db) ) -> ResponseModel: """ @@ -74,7 +74,7 @@ async def execute_sql( - 写入操作:返回影响的行数 安全说明: - - 需要用户身份验证 + - 需要管理员权限 - 所有操作都会记录日志 - 建议在生产环境中限制可执行的 SQL 类型 """ @@ -196,11 +196,13 @@ async def execute_sql( @router.post("/validate", response_model=ResponseModel) async def validate_sql( request: Dict[str, Any], - current_user: User = Depends(get_current_user) + current_user: User = Depends(require_admin) ) -> ResponseModel: """ 验证 SQL 语句的语法(不执行) + 权限:需要管理员权限 + Args: request: 包含 sql 字段的请求 
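Review bot: The import line keeps `get_current_user` even though every `Depends(get_current_user)` in this file's hunks is replaced by `require_admin`, so it is presumably unused now; `from app.core.deps import get_db, require_admin` is enough unless a route outside this patch still uses it. The `try: from app.core.simple_auth import get_current_user_simple` fallback directly below is also left in place; if any route in this module still resolves its user through that simpler dependency, the admin gate added here does not cover it. I cannot see the rest of the module from this hunk, so please confirm no endpoint or default still depends on `get_current_user_simple`, and remove the import if nothing does.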
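Review bot: `execute_sql` still takes its body as `request: Dict[str, Any]`, so the `sql` field (and any other key the body reads) is not validated or documented at the boundary even though this is the highest-privilege input in the API. A small model such as `class ExecuteSqlRequest(BaseModel): sql: str` (FastAPI already depends on pydantic) would reject missing or non-string `sql` before the handler runs and make the contract visible in the OpenAPI schema. The function body is outside this hunk, so I am assuming the handler does `request.get("sql")` or similar; adjust if the body shape differs.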
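Review bot: The retained docstring line `- 建议在生产环境中限制可执行的 SQL 类型` shows that `execute_sql` still runs arbitrary SQL; switching to `require_admin` narrows who can reach the endpoint but not what a compromised or phished admin session can do (any write, DDL, or privilege change on the application database). At minimum I would make the restriction real rather than advisory: allow only `SELECT`/`EXPLAIN` statements by default, put writes behind an explicit server-side setting, and enforce a single statement plus a statement timeout. The docstring also claims `- 所有操作都会记录日志`; the log call is outside this hunk, so please confirm that entry includes `current_user.id` and the full SQL text, since that audit trail is now the main control on this endpoint. Once the allowlist exists, replace the advisory line with one stating the actual rule, e.g. `- 默认仅允许只读语句(SELECT/EXPLAIN),写操作需显式开启`.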
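Review bot: The new permission note in `validate_sql` is added as a standalone `权限:需要管理员权限` paragraph, whereas the same commit documents it for `execute_sql` as a bullet under `安全说明:`; pick one form for the module so readers can find the requirement in the same place in every endpoint docstring. Since `validate_sql` takes no `db` dependency, the validation presumably happens purely in-process on the submitted string; a one-line docstring note such as `仅做语法解析,不会连接数据库` would make that explicit. The handler body is outside this hunk, so I am inferring the parse-only behaviour from the missing `db` parameter.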
@@ -253,12 +255,14 @@ async def validate_sql( @router.get("/tables", response_model=ResponseModel) async def get_tables( - current_user: User = Depends(get_current_user), + current_user: User = Depends(require_admin), db: AsyncSession = Depends(get_db) ) -> ResponseModel: """ 获取数据库中的所有表 + 权限:需要管理员权限 + Returns: 数据库表列表 """ @@ -290,12 +294,14 @@ async def get_tables( @router.get("/table/{table_name}/schema", response_model=ResponseModel) async def get_table_schema( table_name: str, - current_user: User = Depends(get_current_user), + current_user: User = Depends(require_admin), db: AsyncSession = Depends(get_db) ) -> ResponseModel: """ 获取指定表的结构信息 + 权限:需要管理员权限 + Args: table_name: 表名
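Review bot: `get_table_schema` takes `table_name: str` straight from the URL path, and the only new control in this hunk is the admin dependency; how that name reaches the catalog query is decided in the body, which is outside the hunk. If it is formatted into the statement text (identifiers cannot be bound as ordinary parameters), an admin can still inject arbitrary SQL through the path, so the name should be checked against the names the table listing returns (the same source `get_tables` uses) and rejected with a 404 before any query is built. A short docstring line under `Args:` stating that `table_name` is validated against the catalog would record that contract once the check is in place.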