安全修复：加固CSRF与凭证保护并修复越权风险

db/users.py

@@ -25,6 +25,20 @@ _USER_LOOKUP_SQL = {
     "id": "SELECT * FROM users WHERE id = ?",
     "username": "SELECT * FROM users WHERE username = ?",
 }
+_USER_ADMIN_SAFE_COLUMNS = (
+    "id",
+    "username",
+    "email",
+    "email_verified",
+    "email_notify_enabled",
+    "kdocs_unit",
+    "kdocs_auto_upload",
+    "status",
+    "vip_expire_time",
+    "created_at",
+    "approved_at",
+)
+_USER_ADMIN_SAFE_COLUMNS_SQL = ", ".join(_USER_ADMIN_SAFE_COLUMNS)
 
 
 def _row_to_dict(row):
@@ -283,19 +297,63 @@ def get_user_by_username(username):
     return _get_user_by_field("username", username)
 
 
-def get_all_users():
-    """获取所有用户"""
+def _normalize_limit_offset(limit, offset, *, max_limit: int = 500):
+    normalized_limit = None
+    if limit is not None:
+        try:
+            normalized_limit = int(limit)
+        except (TypeError, ValueError):
+            normalized_limit = 50
+        normalized_limit = max(1, min(normalized_limit, max_limit))
+
+    try:
+        normalized_offset = int(offset or 0)
+    except (TypeError, ValueError):
+        normalized_offset = 0
+    normalized_offset = max(0, normalized_offset)
+
+    return normalized_limit, normalized_offset
+
+
+def get_users_count(*, status: str | None = None) -> int:
     with db_pool.get_db() as conn:
         cursor = conn.cursor()
-        cursor.execute("SELECT * FROM users ORDER BY created_at DESC")
+        if status:
+            cursor.execute("SELECT COUNT(*) AS count FROM users WHERE status = ?", (status,))
+        else:
+            cursor.execute("SELECT COUNT(*) AS count FROM users")
+        row = cursor.fetchone()
+        return int((row["count"] if row else 0) or 0)
+
+
+def get_all_users(*, limit=None, offset=0):
+    """获取所有用户"""
+    limit, offset = _normalize_limit_offset(limit, offset)
+    with db_pool.get_db() as conn:
+        cursor = conn.cursor()
+        sql = f"SELECT {_USER_ADMIN_SAFE_COLUMNS_SQL} FROM users ORDER BY created_at DESC"
+        params = []
+        if limit is not None:
+            sql += " LIMIT ? OFFSET ?"
+            params.extend([limit, offset])
+        cursor.execute(sql, params)
         return [dict(row) for row in cursor.fetchall()]
 
 
-def get_pending_users():
+def get_pending_users(*, limit=None, offset=0):
     """获取待审核用户"""
+    limit, offset = _normalize_limit_offset(limit, offset)
     with db_pool.get_db() as conn:
         cursor = conn.cursor()
-        cursor.execute("SELECT * FROM users WHERE status = 'pending' ORDER BY created_at DESC")
+        sql = (
+            f"SELECT {_USER_ADMIN_SAFE_COLUMNS_SQL} "
+            "FROM users WHERE status = 'pending' ORDER BY created_at DESC"
+        )
+        params = []
+        if limit is not None:
+            sql += " LIMIT ? OFFSET ?"
+            params.extend([limit, offset])
+        cursor.execute(sql, params)
         return [dict(row) for row in cursor.fetchall()]