代码审查

2025-06-06 12:09:50 +08:00 · 2025-06-06 12:09:50 +08:00 · 53d1725cd1
parent 805880300d
commit 53d1725cd1
2 changed files with 17 additions and 6 deletions
--- a/app/account_service.py
+++ b/app/account_service.py
@ -103,13 +103,18 @@ def login():


@accountService.route("/logout", methods=['GET', 'POST'])
+# def logout():
+#     '''
+#     登出
+#     :return: 重定位到主界面
+#     '''
+#     # 将session标记为登出状态
+#     session['logged_in'] = False
+#     return redirect(url_for('mainpage'))
+
+# 使用session.clear()替代部分字段删除.确保完全退出
 def logout():
-    '''
-    登出
-    :return: 重定位到主界面
-    '''
-    # 将session标记为登出状态
-    session['logged_in'] = False
+    session.clear()  # 彻底清除会话
    return redirect(url_for('mainpage'))


--- a/app/admin_service.py
+++ b/app/admin_service.py
@ -105,6 +105,12 @@ def article():

    return render_template("admin_manage_article.html", **context)

+#引入 flask_wtf.csrf.CSRFProtect 防止跨站请求伪造。
+# @adminService.route("/admin/user", methods=["POST"])
+# def update_user():
+#     # 添加CSRF保护（需配合Flask-WTF或Flask-SeaSurf）
+#     if not validate_csrf(request.form.get("csrf_token")):
+#         return "Invalid CSRF token", 403

@adminService.route("/admin/user", methods=["GET", "POST"])
 def user():