From 95a4702e1e2df0cdcd55d032ebe7247ea8deac05 Mon Sep 17 00:00:00 2001
From: zhi
Date: Wed, 11 Mar 2026 10:49:03 +0000
Subject: [PATCH] fix: remove user_id query requirement from notifications count/read-all
---
 app/api/routers/misc.py | 14 ++++++++------
 1 file changed, 8 insertions(+), 6 deletions(-)
diff --git a/app/api/routers/misc.py b/app/api/routers/misc.py
index 482d797..20fe36a 100644
--- a/app/api/routers/misc.py
+++ b/app/api/routers/misc.py
@@ -193,11 +193,11 @@ def list_notifications(unread_only: bool = False, limit: int = 50, db: Session =
 @router.get("/notifications/count", tags=["Notifications"])
-def notification_count(user_id: int, db: Session = Depends(get_db)):
+def notification_count(db: Session = Depends(get_db), current_user: models.User = Depends(get_current_user_or_apikey)):
 count = db.query(NotificationModel).filter(
- NotificationModel.user_id == user_id, NotificationModel.is_read == False
+ NotificationModel.user_id == current_user.id, NotificationModel.is_read == False
 ).count()
- return {"user_id": user_id, "unread": count}
+ return {"user_id": current_user.id, "count": count, "unread": count}
 @router.post("/notifications/{notification_id}/read", tags=["Notifications"])
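Review bot: Nothing visible here states which user an API-key caller resolves to, yet `notification_count` (and `mark_all_read` in the next hunk) now act entirely on `current_user.id` from `get_current_user_or_apikey`. If that dependency can return a shared or service account (not visible in this patch), every holder of the key would read and clear the same notification set, so the contract is worth confirming and stating in a docstring such as `"""Return the unread notification count for the authenticated caller; a user_id query parameter is ignored."""`. Older clients that still send `?user_id=` will presumably have it dropped without an error because the parameter is no longer declared. A regression test asserting that a foreign `user_id` cannot change the result would pin this access-control fix.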
@@ -205,18 +205,20 @@ def mark_read(notification_id: int, db: Session = Depends(get_db), current_user:
 n = db.query(NotificationModel).filter(NotificationModel.id == notification_id).first()
 if not n:
 raise HTTPException(status_code=404, detail="Notification not found")
+ if n.user_id != current_user.id and not current_user.is_admin:
+ raise HTTPException(status_code=403, detail="Forbidden")
 n.is_read = True
 db.commit()
 return {"status": "read"}
 @router.post("/notifications/read-all", tags=["Notifications"])
-def mark_all_read(user_id: int, db: Session = Depends(get_db)):
+def mark_all_read(db: Session = Depends(get_db), current_user: models.User = Depends(get_current_user_or_apikey)):
 db.query(NotificationModel).filter(
- NotificationModel.user_id == user_id, NotificationModel.is_read == False
+ NotificationModel.user_id == current_user.id, NotificationModel.is_read == False
 ).update({"is_read": True})
 db.commit()
- return {"status": "all_read"}
+ return {"status": "all_read", "user_id": current_user.id}
 # ============ Work Logs ============
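Review bot: The new ownership check in `mark_read` answers 403 for a notification that exists but belongs to another user and 404 for one that does not exist, so the status code tells any authenticated caller which notification ids are in use. Returning the same response in both cases closes that, for example `raise HTTPException(status_code=404, detail="Notification not found")` on the ownership failure. Alternatively, add `NotificationModel.user_id == current_user.id` to the lookup filter for non-admin callers. `mark_read` starts outside this hunk (only its truncated signature shows in the hunk header), so the dependency that supplies `current_user` there is assumed to be the same one `mark_all_read` uses.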