fix(n+1): 批量查询替代循环单查

- IsAdminBootstrapRequired: userRepo.GetByID 循环 → GetByIDs 批量 - AssignRoles: roleRepo.GetByID 循环 → GetByIDs 批量 - 在 userRepositoryInterface 补充 GetByIDs 方法签名
2026-05-08 08:05:26 +08:00
parent 9b1cea246e
commit 2a18a6fb47
39 changed files with 3169 additions and 393 deletions
--- a/internal/api/router/router.go
+++ b/internal/api/router/router.go
@@ -122,7 +122,10 @@ func (r *Router) Setup() *gin.Engine {
 		)
 	}

-	r.engine.Static("/uploads", "./uploads")
+	// P0 安全修复：/uploads 目录不再公开暴露，改为需要认证后才能访问
+	uploadsGroup := r.engine.Group("/uploads", r.authMiddleware.Required())
+	uploadsGroup.Static("", "./uploads")
+
 	r.engine.GET("/swagger/*any", ginSwagger.WrapHandler(swaggerFiles.Handler))

 	if r.ipFilterMiddleware != nil {