fix: SQL执行器仅允许管理员访问

- 所有SQL执行器端点改用 require_admin 权限校验
- /sql/execute - 执行SQL
- /sql/validate - 验证SQL
- /sql/tables - 获取表列表
- /sql/table/{name}/schema - 获取表结构
This commit is contained in:
yuliang_guo
2026-01-31 11:01:35 +08:00
parent 79b55cfd12
commit bdb91aabea


@@ -12,7 +12,7 @@ from sqlalchemy.ext.asyncio import AsyncSession
from sqlalchemy.engine.result import Result
import structlog
from app.core.deps import get_current_user, get_db
from app.core.deps import get_current_user, get_db, require_admin
try:
from app.core.simple_auth import get_current_user_simple
except ImportError:
@@ -57,7 +57,7 @@ def serialize_row(row: Any) -> Union[Dict[str, Any], Any]:
@router.post("/execute", response_model=ResponseModel)
async def execute_sql(
request: Dict[str, Any],
current_user: User = Depends(get_current_user),
current_user: User = Depends(require_admin),
db: AsyncSession = Depends(get_db)
) -> ResponseModel:
"""
@@ -74,7 +74,7 @@ async def execute_sql(
- 写入操作:返回影响的行数
安全说明:
- 需要用户身份验证
- 需要管理员权限
- 所有操作都会记录日志
- 建议在生产环境中限制可执行的 SQL 类型
"""
@@ -196,11 +196,13 @@ async def execute_sql(
@router.post("/validate", response_model=ResponseModel)
async def validate_sql(
request: Dict[str, Any],
current_user: User = Depends(get_current_user)
current_user: User = Depends(require_admin)
) -> ResponseModel:
"""
验证 SQL 语句的语法(不执行)
权限:需要管理员权限
Args:
request: 包含 sql 字段的请求
@@ -253,12 +255,14 @@ async def validate_sql(
@router.get("/tables", response_model=ResponseModel)
async def get_tables(
current_user: User = Depends(get_current_user),
current_user: User = Depends(require_admin),
db: AsyncSession = Depends(get_db)
) -> ResponseModel:
"""
获取数据库中的所有表
权限:需要管理员权限
Returns:
数据库表列表
"""
@@ -290,12 +294,14 @@ async def get_tables(
@router.get("/table/{table_name}/schema", response_model=ResponseModel)
async def get_table_schema(
table_name: str,
current_user: User = Depends(get_current_user),
current_user: User = Depends(require_admin),
db: AsyncSession = Depends(get_db)
) -> ResponseModel:
"""
获取指定表的结构信息
权限:需要管理员权限
Args:
table_name: 表名