fix: implement strict regex validation (no pure numbers, no special chars) on both frontend user creation form and backend auth service

inventory-backend/app/services/auth_service.py

@@ -205,6 +205,16 @@ class AuthService:
         if not cn_name or not pinyin_base:
             raise Exception("姓名和账号不能为空")
 
+        # 后端兜底正则校验：允许中英数，禁止纯数字，无特殊字符
+        import re
+        name_pattern = re.compile(r'^(?!\d+$)[a-zA-Z0-9\u4e00-\u9fa5]+$')
+
+        if not name_pattern.match(cn_name):
+            raise Exception("姓名格式错误：仅支持中英文和数字，不能为纯数字，且不支持特殊字符")
+
+        if not name_pattern.match(pinyin_base):
+            raise Exception("账号格式错误：仅支持中英文和数字，不能为纯数字，且不支持特殊字符")
+
         role_raw = data.get('role')
         role = role_raw.upper() if role_raw else None
 
@@ -220,7 +230,7 @@ class AuthService:
         if operator_role_upper == UserRole.SUPERVISOR and role == UserRole.SUPER_ADMIN:
             raise Exception("权限不足：主管无法创建超级管理员")
 
-        email = data.get('email', '')
+        email = data.get('email', '') or None  # 空字符串转 None，避免 unique 冲突
         if email and SysUser.query.filter_by(email=email).first():
             raise Exception("邮箱已被使用")