feat: 增强公告管理功能，强制按当前用户归属筛选，添加权限检查以确保用户只能操作自己的公告

src/main/java/com/gameplatform/server/controller/admin/AnnouncementController.java

@@ -98,24 +98,30 @@ public class AnnouncementController {
             @Parameter(description = "页码", example = "1") @RequestParam(defaultValue = "1") int page,
             @Parameter(description = "每页大小", example = "20") @RequestParam(defaultValue = "20") int size,
             @Parameter(description = "按启用状态筛选，不传则获取全部") @RequestParam(required = false) Boolean enabled,
-            @Parameter(description = "按归属ID筛选") @RequestParam(required = false) Integer belongId) {
+            @Parameter(description = "按归属ID筛选") @RequestParam(required = false) Integer belongId,
+            Authentication authentication) {
         
+        // 强制按当前用户归属筛选，忽略外部传入的belongId
+        Claims claims = (Claims) (authentication != null ? authentication.getDetails() : null);
+        if (claims == null) {
+            return ResponseEntity.badRequest().build();
+        }
+        Long userId = claims.get("userId", Long.class);
+        if (userId == null) {
+            return ResponseEntity.badRequest().build();
+        }
+        Integer selfBelongId = userId.intValue();
+
         int offset = (page - 1) * size;
         List<Announcement> announcements;
         long total;
         
-        if (belongId != null && enabled != null) {
+        if (enabled != null) {
-            announcements = announcementService.getAnnouncementsByBelongIdAndEnabled(belongId, enabled, size, offset);
+            announcements = announcementService.getAnnouncementsByBelongIdAndEnabled(selfBelongId, enabled, size, offset);
-            total = announcementService.getAnnouncementCountByBelongIdAndEnabled(belongId, enabled);
+            total = announcementService.getAnnouncementCountByBelongIdAndEnabled(selfBelongId, enabled);
-        } else if (belongId != null) {
-            announcements = announcementService.getAnnouncementsByBelongId(belongId, size, offset);
-            total = announcementService.getAnnouncementCountByBelongId(belongId);
-        } else if (enabled != null) {
-            announcements = announcementService.getAnnouncementsByEnabled(enabled, size, offset);
-            total = announcementService.getAnnouncementCountByEnabled(enabled);
         } else {
-            announcements = announcementService.getAllAnnouncements(size, offset);
+            announcements = announcementService.getAnnouncementsByBelongId(selfBelongId, size, offset);
-            total = announcementService.getAnnouncementCount();
+            total = announcementService.getAnnouncementCountByBelongId(selfBelongId);
         }
         
         List<AnnouncementResponse> responses = announcements.stream()
@@ -134,9 +140,18 @@ public class AnnouncementController {
     @GetMapping("/{id}")
     @Operation(summary = "获取公告详情", description = "根据ID获取公告详细信息")
     public ResponseEntity<AnnouncementResponse> getAnnouncementById(
-            @Parameter(description = "公告ID", example = "1") @PathVariable Long id) {
+            @Parameter(description = "公告ID", example = "1") @PathVariable Long id,
+            Authentication authentication) {
+        Claims claims = (Claims) (authentication != null ? authentication.getDetails() : null);
+        if (claims == null) {
+            return ResponseEntity.notFound().build();
+        }
+        Long userId = claims.get("userId", Long.class);
+        if (userId == null) {
+            return ResponseEntity.notFound().build();
+        }
         Announcement announcement = announcementService.getAnnouncementById(id);
-        if (announcement == null) {
+        if (announcement == null || announcement.getBelongId() == null || !announcement.getBelongId().equals(userId.intValue())) {
             return ResponseEntity.notFound().build();
         }
         return ResponseEntity.ok(AnnouncementConverter.toResponse(announcement));
@@ -150,10 +165,21 @@ public class AnnouncementController {
             Authentication authentication) {
         
         // 检查公告是否存在
-        if (!announcementService.announcementExists(id)) {
+        Announcement existing = announcementService.getAnnouncementById(id);
+        if (existing == null) {
             return ResponseEntity.notFound().build();
         }
-        
+
+        // 所有操作仅限本人公告
+        Claims claims = (Claims) (authentication != null ? authentication.getDetails() : null);
+        if (claims == null) {
+            return ResponseEntity.notFound().build();
+        }
+        Long userId = claims.get("userId", Long.class);
+        if (userId == null || existing.getBelongId() == null || !existing.getBelongId().equals(userId.intValue())) {
+            return ResponseEntity.notFound().build();
+        }
+
         if (request.getTitle() != null && request.getTitle().trim().isEmpty()) {
             return ResponseEntity.badRequest().body(new Object() {
                 public final boolean success = false;
@@ -168,19 +194,10 @@ public class AnnouncementController {
             });
         }
         
-        // 从JWT token中获取当前用户ID
-        if (authentication != null) {
-            Claims claims = (Claims) authentication.getDetails();
-            if (claims != null) {
-                Long userId = claims.get("userId", Long.class);
-                if (userId != null) {
-                    request.setBelongId(userId.intValue());
-                }
-            }
-        }
-        
         Announcement announcement = AnnouncementConverter.toEntity(request);
         announcement.setId(id);
+        // 禁止通过更新接口修改belongId
+        announcement.setBelongId(null);
         boolean success = announcementService.updateAnnouncement(announcement);
         final boolean finalSuccess = success;
         
@@ -193,10 +210,19 @@ public class AnnouncementController {
     @DeleteMapping("/{id}")
     @Operation(summary = "删除公告", description = "删除指定ID的公告")
     public ResponseEntity<Object> deleteAnnouncement(
-            @Parameter(description = "公告ID", example = "1") @PathVariable Long id) {
+            @Parameter(description = "公告ID", example = "1") @PathVariable Long id,
+            Authentication authentication) {
         
-        // 检查公告是否存在
+        Announcement existing = announcementService.getAnnouncementById(id);
-        if (!announcementService.announcementExists(id)) {
+        if (existing == null) {
+            return ResponseEntity.notFound().build();
+        }
+        Claims claims = (Claims) (authentication != null ? authentication.getDetails() : null);
+        if (claims == null) {
+            return ResponseEntity.notFound().build();
+        }
+        Long userId = claims.get("userId", Long.class);
+        if (userId == null || existing.getBelongId() == null || !existing.getBelongId().equals(userId.intValue())) {
             return ResponseEntity.notFound().build();
         }
         
@@ -213,10 +239,19 @@ public class AnnouncementController {
     @Operation(summary = "更新公告启用状态", description = "启用或禁用指定公告")
     public ResponseEntity<Object> updateAnnouncementEnabled(
             @Parameter(description = "公告ID", example = "1") @PathVariable Long id,
-            @Parameter(description = "启用状态", example = "true") @RequestParam Boolean enabled) {
+            @Parameter(description = "启用状态", example = "true") @RequestParam Boolean enabled,
+            Authentication authentication) {
         
-        // 检查公告是否存在
+        Announcement existing = announcementService.getAnnouncementById(id);
-        if (!announcementService.announcementExists(id)) {
+        if (existing == null) {
+            return ResponseEntity.notFound().build();
+        }
+        Claims claims = (Claims) (authentication != null ? authentication.getDetails() : null);
+        if (claims == null) {
+            return ResponseEntity.notFound().build();
+        }
+        Long userId = claims.get("userId", Long.class);
+        if (userId == null || existing.getBelongId() == null || !existing.getBelongId().equals(userId.intValue())) {
             return ResponseEntity.notFound().build();
         }
         
@@ -235,13 +270,18 @@ public class AnnouncementController {
     @GetMapping("/enabled")
     @Operation(summary = "获取启用的公告", description = "获取所有启用状态的公告，用于前端显示")
     public ResponseEntity<List<AnnouncementResponse>> getEnabledAnnouncements(
-            @Parameter(description = "按归属ID筛选") @RequestParam(required = false) Integer belongId) {
+            @Parameter(description = "按归属ID筛选") @RequestParam(required = false) Integer belongId,
-        List<Announcement> announcements;
+            Authentication authentication) {
-        if (belongId != null) {
+        Claims claims = (Claims) (authentication != null ? authentication.getDetails() : null);
-            announcements = announcementService.getEnabledAnnouncementsByBelongId(belongId);
+        if (claims == null) {
-        } else {
+            return ResponseEntity.ok(List.of());
-            announcements = announcementService.getEnabledAnnouncements();
         }
+        Long userId = claims.get("userId", Long.class);
+        if (userId == null) {
+            return ResponseEntity.ok(List.of());
+        }
+        Integer selfBelongId = userId.intValue();
+        List<Announcement> announcements = announcementService.getEnabledAnnouncementsByBelongId(selfBelongId);
         List<AnnouncementResponse> responses = announcements.stream()
                 .map(AnnouncementConverter::toResponse)
                 .toList();