安全修复：加固CSRF与凭证保护并修复越权风险

routes/admin_api/users_api.py

@@ -13,20 +13,52 @@ from services.state import safe_clear_user_logs, safe_remove_user_accounts
 # ==================== 用户管理/统计（管理员） ====================
 
 
+def _parse_optional_pagination(default_limit: int = 50, max_limit: int = 500) -> tuple[int | None, int]:
+    limit_raw = request.args.get("limit")
+    offset_raw = request.args.get("offset")
+    if (limit_raw is None) and (offset_raw is None):
+        return None, 0
+
+    try:
+        limit = int(limit_raw if limit_raw is not None else default_limit)
+    except (TypeError, ValueError):
+        limit = default_limit
+    limit = max(1, min(limit, max_limit))
+
+    try:
+        offset = int(offset_raw if offset_raw is not None else 0)
+    except (TypeError, ValueError):
+        offset = 0
+    offset = max(0, offset)
+    return limit, offset
+
+
 @admin_api_bp.route("/users", methods=["GET"])
 @admin_required
 def get_all_users():
     """获取所有用户"""
-    users = database.get_all_users()
-    return jsonify(users)
+    limit, offset = _parse_optional_pagination()
+    if limit is None:
+        users = database.get_all_users()
+        return jsonify(users)
+
+    users = database.get_all_users(limit=limit, offset=offset)
+    total = database.get_users_count()
+    return jsonify({"items": users, "total": total, "limit": limit, "offset": offset})
 
 
 @admin_api_bp.route("/users/pending", methods=["GET"])
 @admin_required
 def get_pending_users():
     """获取待审核用户"""
-    users = database.get_pending_users()
-    return jsonify(users)
+    limit, offset = _parse_optional_pagination(default_limit=30, max_limit=200)
+    if limit is None:
+        users = database.get_pending_users()
+        return jsonify(users)
+
+    users = database.get_pending_users(limit=limit, offset=offset)
+    total = database.get_users_count(status="pending")
+    return jsonify({"items": users, "total": total, "limit": limit, "offset": offset})
 
 
 @admin_api_bp.route("/users/<int:user_id>/approve", methods=["POST"])