24024
af7c11d7f9
- 新增图像生成接口,支持试用、积分和自定义API Key模式 - 实现生成图片结果异步上传至MinIO存储,带重试机制 - 优化积分预扣除和异常退还逻辑,保障用户积分准确 - 添加获取生成历史记录接口,支持时间范围和分页 - 提供本地字典配置接口,支持模型、比例、提示模板和尺寸 - 实现图片批量上传接口,支持S3兼容对象存储 feat(admin): 增加管理员角色管理与权限分配接口 - 实现角色列表查询、角色创建、更新及删除功能 - 增加权限列表查询接口 - 实现用户角色分配接口,便于统一管理用户权限 - 增加系统字典增删查改接口,支持分类过滤和排序 - 权限控制全面覆盖管理接口,保证安全访问 feat(auth): 完善用户登录注册及权限相关接口与页面 - 实现手机号验证码发送及校验功能,保障注册安全 - 支持手机号注册、登录及退出接口,集成日志记录 - 增加修改密码功能,验证原密码后更新 - 提供动态导航菜单接口,基于权限展示不同菜单 - 实现管理界面路由及日志、角色、字典管理页面访问权限控制 - 添加系统日志查询接口,支持关键词和等级筛选 feat(app): 初始化Flask应用并配置蓝图与数据库 - 创建应用程序工厂,加载配置,初始化数据库和Redis客户端 - 注册认证、API及管理员蓝图,整合路由 - 根路由渲染主页模板 - 应用上下文中自动创建数据库表,保证运行环境准备完毕 feat(database): 提供数据库创建与迁移支持脚本 - 新增数据库创建脚本,支持自动检测是否已存在 - 添加数据库表初始化脚本,支持创建和删除所有表 - 实现RBAC权限初始化,包含基础权限和角色创建 - 新增字段手动修复脚本,添加用户API Key和积分字段 - 强制迁移脚本支持清理连接和修复表结构,初始化默认数据及角色分配 feat(config): 新增系统配置参数 - 配置数据库、Redis、Session和MinIO相关参数 - 添加AI接口地址及试用Key配置 - 集成阿里云短信服务配置及开发模式相关参数 feat(extensions): 初始化数据库、Redis和MinIO客户端 - 创建全局SQLAlchemy数据库实例和Redis客户端 - 配置基于boto3的MinIO兼容S3客户端 chore(logs): 添加示例系统日志文件 - 记录用户请求、验证码发送成功与失败的日志信息
397 lines
13 KiB
Python
397 lines
13 KiB
Python
from __future__ import annotations
|
|
|
|
import collections.abc as cabc
|
|
import string
|
|
import typing as t
|
|
|
|
try:
|
|
from ._speedups import _escape_inner
|
|
except ImportError:
|
|
from ._native import _escape_inner
|
|
|
|
if t.TYPE_CHECKING:
|
|
import typing_extensions as te
|
|
|
|
|
|
class _HasHTML(t.Protocol):
|
|
def __html__(self, /) -> str: ...
|
|
|
|
|
|
class _TPEscape(t.Protocol):
|
|
def __call__(self, s: t.Any, /) -> Markup: ...
|
|
|
|
|
|
def escape(s: t.Any, /) -> Markup:
|
|
"""Replace the characters ``&``, ``<``, ``>``, ``'``, and ``"`` in
|
|
the string with HTML-safe sequences. Use this if you need to display
|
|
text that might contain such characters in HTML.
|
|
|
|
If the object has an ``__html__`` method, it is called and the
|
|
return value is assumed to already be safe for HTML.
|
|
|
|
:param s: An object to be converted to a string and escaped.
|
|
:return: A :class:`Markup` string with the escaped text.
|
|
"""
|
|
# If the object is already a plain string, skip __html__ check and string
|
|
# conversion. This is the most common use case.
|
|
# Use type(s) instead of s.__class__ because a proxy object may be reporting
|
|
# the __class__ of the proxied value.
|
|
if type(s) is str:
|
|
return Markup(_escape_inner(s))
|
|
|
|
if hasattr(s, "__html__"):
|
|
return Markup(s.__html__())
|
|
|
|
return Markup(_escape_inner(str(s)))
|
|
|
|
|
|
def escape_silent(s: t.Any | None, /) -> Markup:
|
|
"""Like :func:`escape` but treats ``None`` as the empty string.
|
|
Useful with optional values, as otherwise you get the string
|
|
``'None'`` when the value is ``None``.
|
|
|
|
>>> escape(None)
|
|
Markup('None')
|
|
>>> escape_silent(None)
|
|
Markup('')
|
|
"""
|
|
if s is None:
|
|
return Markup()
|
|
|
|
return escape(s)
|
|
|
|
|
|
def soft_str(s: t.Any, /) -> str:
|
|
"""Convert an object to a string if it isn't already. This preserves
|
|
a :class:`Markup` string rather than converting it back to a basic
|
|
string, so it will still be marked as safe and won't be escaped
|
|
again.
|
|
|
|
>>> value = escape("<User 1>")
|
|
>>> value
|
|
Markup('<User 1>')
|
|
>>> escape(str(value))
|
|
Markup('&lt;User 1&gt;')
|
|
>>> escape(soft_str(value))
|
|
Markup('<User 1>')
|
|
"""
|
|
if not isinstance(s, str):
|
|
return str(s)
|
|
|
|
return s
|
|
|
|
|
|
class Markup(str):
|
|
"""A string that is ready to be safely inserted into an HTML or XML
|
|
document, either because it was escaped or because it was marked
|
|
safe.
|
|
|
|
Passing an object to the constructor converts it to text and wraps
|
|
it to mark it safe without escaping. To escape the text, use the
|
|
:meth:`escape` class method instead.
|
|
|
|
>>> Markup("Hello, <em>World</em>!")
|
|
Markup('Hello, <em>World</em>!')
|
|
>>> Markup(42)
|
|
Markup('42')
|
|
>>> Markup.escape("Hello, <em>World</em>!")
|
|
Markup('Hello <em>World</em>!')
|
|
|
|
This implements the ``__html__()`` interface that some frameworks
|
|
use. Passing an object that implements ``__html__()`` will wrap the
|
|
output of that method, marking it safe.
|
|
|
|
>>> class Foo:
|
|
... def __html__(self):
|
|
... return '<a href="/foo">foo</a>'
|
|
...
|
|
>>> Markup(Foo())
|
|
Markup('<a href="/foo">foo</a>')
|
|
|
|
This is a subclass of :class:`str`. It has the same methods, but
|
|
escapes their arguments and returns a ``Markup`` instance.
|
|
|
|
>>> Markup("<em>%s</em>") % ("foo & bar",)
|
|
Markup('<em>foo & bar</em>')
|
|
>>> Markup("<em>Hello</em> ") + "<foo>"
|
|
Markup('<em>Hello</em> <foo>')
|
|
"""
|
|
|
|
__slots__ = ()
|
|
|
|
def __new__(
|
|
cls, object: t.Any = "", encoding: str | None = None, errors: str = "strict"
|
|
) -> te.Self:
|
|
if hasattr(object, "__html__"):
|
|
object = object.__html__()
|
|
|
|
if encoding is None:
|
|
return super().__new__(cls, object)
|
|
|
|
return super().__new__(cls, object, encoding, errors)
|
|
|
|
def __html__(self, /) -> te.Self:
|
|
return self
|
|
|
|
def __add__(self, value: str | _HasHTML, /) -> te.Self:
|
|
if isinstance(value, str) or hasattr(value, "__html__"):
|
|
return self.__class__(super().__add__(self.escape(value)))
|
|
|
|
return NotImplemented
|
|
|
|
def __radd__(self, value: str | _HasHTML, /) -> te.Self:
|
|
if isinstance(value, str) or hasattr(value, "__html__"):
|
|
return self.escape(value).__add__(self)
|
|
|
|
return NotImplemented
|
|
|
|
def __mul__(self, value: t.SupportsIndex, /) -> te.Self:
|
|
return self.__class__(super().__mul__(value))
|
|
|
|
def __rmul__(self, value: t.SupportsIndex, /) -> te.Self:
|
|
return self.__class__(super().__mul__(value))
|
|
|
|
def __mod__(self, value: t.Any, /) -> te.Self:
|
|
if isinstance(value, tuple):
|
|
# a tuple of arguments, each wrapped
|
|
value = tuple(_MarkupEscapeHelper(x, self.escape) for x in value)
|
|
elif hasattr(type(value), "__getitem__") and not isinstance(value, str):
|
|
# a mapping of arguments, wrapped
|
|
value = _MarkupEscapeHelper(value, self.escape)
|
|
else:
|
|
# a single argument, wrapped with the helper and a tuple
|
|
value = (_MarkupEscapeHelper(value, self.escape),)
|
|
|
|
return self.__class__(super().__mod__(value))
|
|
|
|
def __repr__(self, /) -> str:
|
|
return f"{self.__class__.__name__}({super().__repr__()})"
|
|
|
|
def join(self, iterable: cabc.Iterable[str | _HasHTML], /) -> te.Self:
|
|
return self.__class__(super().join(map(self.escape, iterable)))
|
|
|
|
def split( # type: ignore[override]
|
|
self, /, sep: str | None = None, maxsplit: t.SupportsIndex = -1
|
|
) -> list[te.Self]:
|
|
return [self.__class__(v) for v in super().split(sep, maxsplit)]
|
|
|
|
def rsplit( # type: ignore[override]
|
|
self, /, sep: str | None = None, maxsplit: t.SupportsIndex = -1
|
|
) -> list[te.Self]:
|
|
return [self.__class__(v) for v in super().rsplit(sep, maxsplit)]
|
|
|
|
def splitlines( # type: ignore[override]
|
|
self, /, keepends: bool = False
|
|
) -> list[te.Self]:
|
|
return [self.__class__(v) for v in super().splitlines(keepends)]
|
|
|
|
def unescape(self, /) -> str:
|
|
"""Convert escaped markup back into a text string. This replaces
|
|
HTML entities with the characters they represent.
|
|
|
|
>>> Markup("Main » <em>About</em>").unescape()
|
|
'Main » <em>About</em>'
|
|
"""
|
|
from html import unescape
|
|
|
|
return unescape(str(self))
|
|
|
|
def striptags(self, /) -> str:
|
|
""":meth:`unescape` the markup, remove tags, and normalize
|
|
whitespace to single spaces.
|
|
|
|
>>> Markup("Main »\t<em>About</em>").striptags()
|
|
'Main » About'
|
|
"""
|
|
value = str(self)
|
|
|
|
# Look for comments then tags separately. Otherwise, a comment that
|
|
# contains a tag would end early, leaving some of the comment behind.
|
|
|
|
# keep finding comment start marks
|
|
while (start := value.find("<!--")) != -1:
|
|
# find a comment end mark beyond the start, otherwise stop
|
|
if (end := value.find("-->", start)) == -1:
|
|
break
|
|
|
|
value = f"{value[:start]}{value[end + 3 :]}"
|
|
|
|
# remove tags using the same method
|
|
while (start := value.find("<")) != -1:
|
|
if (end := value.find(">", start)) == -1:
|
|
break
|
|
|
|
value = f"{value[:start]}{value[end + 1 :]}"
|
|
|
|
# collapse spaces
|
|
value = " ".join(value.split())
|
|
return self.__class__(value).unescape()
|
|
|
|
@classmethod
|
|
def escape(cls, s: t.Any, /) -> te.Self:
|
|
"""Escape a string. Calls :func:`escape` and ensures that for
|
|
subclasses the correct type is returned.
|
|
"""
|
|
rv = escape(s)
|
|
|
|
if rv.__class__ is not cls:
|
|
return cls(rv)
|
|
|
|
return rv # type: ignore[return-value]
|
|
|
|
def __getitem__(self, key: t.SupportsIndex | slice, /) -> te.Self:
|
|
return self.__class__(super().__getitem__(key))
|
|
|
|
def capitalize(self, /) -> te.Self:
|
|
return self.__class__(super().capitalize())
|
|
|
|
def title(self, /) -> te.Self:
|
|
return self.__class__(super().title())
|
|
|
|
def lower(self, /) -> te.Self:
|
|
return self.__class__(super().lower())
|
|
|
|
def upper(self, /) -> te.Self:
|
|
return self.__class__(super().upper())
|
|
|
|
def replace(self, old: str, new: str, count: t.SupportsIndex = -1, /) -> te.Self:
|
|
return self.__class__(super().replace(old, self.escape(new), count))
|
|
|
|
def ljust(self, width: t.SupportsIndex, fillchar: str = " ", /) -> te.Self:
|
|
return self.__class__(super().ljust(width, self.escape(fillchar)))
|
|
|
|
def rjust(self, width: t.SupportsIndex, fillchar: str = " ", /) -> te.Self:
|
|
return self.__class__(super().rjust(width, self.escape(fillchar)))
|
|
|
|
def lstrip(self, chars: str | None = None, /) -> te.Self:
|
|
return self.__class__(super().lstrip(chars))
|
|
|
|
def rstrip(self, chars: str | None = None, /) -> te.Self:
|
|
return self.__class__(super().rstrip(chars))
|
|
|
|
def center(self, width: t.SupportsIndex, fillchar: str = " ", /) -> te.Self:
|
|
return self.__class__(super().center(width, self.escape(fillchar)))
|
|
|
|
def strip(self, chars: str | None = None, /) -> te.Self:
|
|
return self.__class__(super().strip(chars))
|
|
|
|
def translate(
|
|
self,
|
|
table: cabc.Mapping[int, str | int | None], # type: ignore[override]
|
|
/,
|
|
) -> str:
|
|
return self.__class__(super().translate(table))
|
|
|
|
def expandtabs(self, /, tabsize: t.SupportsIndex = 8) -> te.Self:
|
|
return self.__class__(super().expandtabs(tabsize))
|
|
|
|
def swapcase(self, /) -> te.Self:
|
|
return self.__class__(super().swapcase())
|
|
|
|
def zfill(self, width: t.SupportsIndex, /) -> te.Self:
|
|
return self.__class__(super().zfill(width))
|
|
|
|
def casefold(self, /) -> te.Self:
|
|
return self.__class__(super().casefold())
|
|
|
|
def removeprefix(self, prefix: str, /) -> te.Self:
|
|
return self.__class__(super().removeprefix(prefix))
|
|
|
|
def removesuffix(self, suffix: str) -> te.Self:
|
|
return self.__class__(super().removesuffix(suffix))
|
|
|
|
def partition(self, sep: str, /) -> tuple[te.Self, te.Self, te.Self]:
|
|
left, sep, right = super().partition(sep)
|
|
cls = self.__class__
|
|
return cls(left), cls(sep), cls(right)
|
|
|
|
def rpartition(self, sep: str, /) -> tuple[te.Self, te.Self, te.Self]:
|
|
left, sep, right = super().rpartition(sep)
|
|
cls = self.__class__
|
|
return cls(left), cls(sep), cls(right)
|
|
|
|
def format(self, *args: t.Any, **kwargs: t.Any) -> te.Self:
|
|
formatter = EscapeFormatter(self.escape)
|
|
return self.__class__(formatter.vformat(self, args, kwargs))
|
|
|
|
def format_map(
|
|
self,
|
|
mapping: cabc.Mapping[str, t.Any], # type: ignore[override]
|
|
/,
|
|
) -> te.Self:
|
|
formatter = EscapeFormatter(self.escape)
|
|
return self.__class__(formatter.vformat(self, (), mapping))
|
|
|
|
def __html_format__(self, format_spec: str, /) -> te.Self:
|
|
if format_spec:
|
|
raise ValueError("Unsupported format specification for Markup.")
|
|
|
|
return self
|
|
|
|
|
|
class EscapeFormatter(string.Formatter):
|
|
__slots__ = ("escape",)
|
|
|
|
def __init__(self, escape: _TPEscape) -> None:
|
|
self.escape: _TPEscape = escape
|
|
super().__init__()
|
|
|
|
def format_field(self, value: t.Any, format_spec: str) -> str:
|
|
if hasattr(value, "__html_format__"):
|
|
rv = value.__html_format__(format_spec)
|
|
elif hasattr(value, "__html__"):
|
|
if format_spec:
|
|
raise ValueError(
|
|
f"Format specifier {format_spec} given, but {type(value)} does not"
|
|
" define __html_format__. A class that defines __html__ must define"
|
|
" __html_format__ to work with format specifiers."
|
|
)
|
|
rv = value.__html__()
|
|
else:
|
|
# We need to make sure the format spec is str here as
|
|
# otherwise the wrong callback methods are invoked.
|
|
rv = super().format_field(value, str(format_spec))
|
|
return str(self.escape(rv))
|
|
|
|
|
|
class _MarkupEscapeHelper:
|
|
"""Helper for :meth:`Markup.__mod__`."""
|
|
|
|
__slots__ = ("obj", "escape")
|
|
|
|
def __init__(self, obj: t.Any, escape: _TPEscape) -> None:
|
|
self.obj: t.Any = obj
|
|
self.escape: _TPEscape = escape
|
|
|
|
def __getitem__(self, key: t.Any, /) -> te.Self:
|
|
return self.__class__(self.obj[key], self.escape)
|
|
|
|
def __str__(self, /) -> str:
|
|
return str(self.escape(self.obj))
|
|
|
|
def __repr__(self, /) -> str:
|
|
return str(self.escape(repr(self.obj)))
|
|
|
|
def __int__(self, /) -> int:
|
|
return int(self.obj)
|
|
|
|
def __float__(self, /) -> float:
|
|
return float(self.obj)
|
|
|
|
|
|
def __getattr__(name: str) -> t.Any:
|
|
if name == "__version__":
|
|
import importlib.metadata
|
|
import warnings
|
|
|
|
warnings.warn(
|
|
"The '__version__' attribute is deprecated and will be removed in"
|
|
" MarkupSafe 3.1. Use feature detection, or"
|
|
' `importlib.metadata.version("markupsafe")`, instead.',
|
|
DeprecationWarning,
|
|
stacklevel=2,
|
|
)
|
|
return importlib.metadata.version("markupsafe")
|
|
|
|
raise AttributeError(name)
|