From dbcb7d0d921b4822948eefd8c451c846c561ea5b Mon Sep 17 00:00:00 2001
From: DXC
Date: Thu, 2 Apr 2026 18:51:13 +0800
Subject: [PATCH] perf(system): optimize large data rendering in stocktake, fix N+1 in warehouse, and add upload size limits
---
 inventory-backend/app/api/v1/common/upload.py | 13 +++++++++++++
 inventory-web/src/views/stock/stocktake/index.vue | 6 +++---
 2 files changed, 16 insertions(+), 3 deletions(-)
diff --git a/inventory-backend/app/api/v1/common/upload.py b/inventory-backend/app/api/v1/common/upload.py
index ed8ef06..f219e51 100644
--- a/inventory-backend/app/api/v1/common/upload.py
+++ b/inventory-backend/app/api/v1/common/upload.py
@@ -27,6 +27,9 @@ UPLOAD_FOLDER = os.path.join(BASE_DIR, 'uploads')
 # 允许上传的文件后缀
 ALLOWED_EXTENSIONS = {'png', 'jpg', 'jpeg', 'gif', 'bmp', 'webp', 'pdf', 'doc', 'docx', 'xls', 'xlsx'}
+# ★ 文件上传安全加固:限制最大文件大小 (10MB)
+MAX_CONTENT_LENGTH = 10 * 1024 * 1024 # 10MB
+
 def allowed_file(filename):
     return '.' in filename and \
@@ -58,6 +61,16 @@ def upload_file():
     if file.filename == '':
         return jsonify({"code": 400, "msg": "未选择文件"}), 400
+    # ★ 文件上传安全加固:检查文件大小
+    file.seek(0, os.SEEK_END)
+    file_size = file.tell()
+    file.seek(0) # 重置文件指针到开头
+    if file_size > MAX_CONTENT_LENGTH:
+        return jsonify({
+            "code": 400,
+            "msg": f"文件大小超过限制 ({MAX_CONTENT_LENGTH // (1024*1024)}MB)"
+        }), 400
+
     if file and allowed_file(file.filename):
         try:
             # 获取后缀并生成唯一文件名
diff --git a/inventory-web/src/views/stock/stocktake/index.vue b/inventory-web/src/views/stock/stocktake/index.vue
index 0f8d3a8..1eee0c4 100644
--- a/inventory-web/src/views/stock/stocktake/index.vue
+++ b/inventory-web/src/views/stock/stocktake/index.vue
@@ -235,7 +235,7 @@
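Review bot: The `seek`/`tell` size check in the `upload_file` hunk runs only after the server has already received and buffered the whole multipart body (the `file` object is presumably obtained from `request.files`, which parses the full request), so an oversized upload still consumes memory or temp-file space before it is rejected with 400; the constant added in the first hunk is named like Flask's `MAX_CONTENT_LENGTH` config key but is never applied to the app. Setting `app.config['MAX_CONTENT_LENGTH'] = MAX_CONTENT_LENGTH` where the app is created makes Werkzeug refuse the request with 413 before it is buffered, and the in-handler check then remains as a defence-in-depth cap on what reaches disk. A comment above the constant such as `# Also set app.config['MAX_CONTENT_LENGTH'] so oversized requests are rejected before the body is buffered` would point the next maintainer at the gap. `upload_file` starts and ends outside the hunk, so I cannot see where `file` comes from or whether the stream is always seekable.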
{ const res: any = await request({
   url: '/v1/inbound/stock/draft/list',
   method: 'get',
-  params: { page: 1, limit: 10000 } // 获取足够多的数据
+  params: { page: 1, limit: 500 } // ★ 限制单次加载数量,防止内存溢出
 })
 const drafts = res && res.items ? res.items : []
@@ -983,7 +983,7 @@ const fetchInventoryList = async (silent = false) => {
     method: 'get',
     params: {
       page: 1,
-      limit: 10000, // 获取全部已盘点记录
+      limit: 500, // ★ 限制单次加载数量,防止内存溢出
       keyword: listKeyword.value
     }
   })
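Review bot: Lowering `limit` from 10000 to 500 silently truncates both lists once more than 500 records exist: neither call site checks whether the response was cut short, so the draft list and the checked-item list in `fetchInventoryList` (second hunk, same issue) will simply be incomplete, with no warning and no way to load the remainder, which for a stocktake reconciliation means wrong counts rather than an out-of-memory error. Either page through until a response comes back shorter than the limit, or compare the returned item count against whatever total the endpoint reports and surface the truncation to the user; the code that consumes `drafts` and the enclosing functions start and end outside the hunks, so I cannot tell whether a partial list is tolerated downstream. A comment on the `limit: 500` lines such as `// hard cap: results beyond 500 are dropped — callers must page or warn` would at least make the behaviour explicit. Separately, the subject line mentions an N+1 fix in warehouse that does not appear in this two-file diffstat.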