From e6d3dfaa989556f7c77407cab28c45622b0b0e10 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?=E8=90=9D=E5=8D=9C?=
Date: Fri, 13 Mar 2026 22:55:48 +0000
Subject: [PATCH] feat: plans export require download=1 safety valve
---
 app/Http/Controllers/Admin/PlanController.php | 5 +++
 resources/views/admin/plans/index.blade.php | 1 +
 ...AdminPlanExportDownloadSafetyValveTest.php | 33 +++++++++++++++++++
 tests/Feature/AdminPlanExportTest.php | 2 +-
 4 files changed, 40 insertions(+), 1 deletion(-)
 create mode 100644 tests/Feature/AdminPlanExportDownloadSafetyValveTest.php
diff --git a/app/Http/Controllers/Admin/PlanController.php b/app/Http/Controllers/Admin/PlanController.php
index d7b27c3..e753170 100644
--- a/app/Http/Controllers/Admin/PlanController.php
+++ b/app/Http/Controllers/Admin/PlanController.php
@@ -22,6 +22,11 @@ class PlanController extends Controller
 {
 $this->ensurePlatformAdmin($request);
+ // 安全阀:必须显式声明 download=1,避免浏览器预取/误触发导致频繁导出
+ if ((string) $request->query('download', '') !== '1') {
+ abort(400, 'download=1 required');
+ }
+
 $filters = [
 'status' => trim((string) $request->query('status', '')),
 'billing_cycle' => trim((string) $request->query('billing_cycle', '')),
diff --git a/resources/views/admin/plans/index.blade.php b/resources/views/admin/plans/index.blade.php
index 5ab8f15..caf5db9 100644
--- a/resources/views/admin/plans/index.blade.php
+++ b/resources/views/admin/plans/index.blade.php
@@ -45,6 +45,7 @@
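Review bot: In `PlanController.php`, the new guard `(string) $request->query('download', '')` casts whatever the query string supplies, and `query()` returns an array for `?download[]=1`; PHP then raises an "Array to string conversion" warning, which a default Laravel setup turns into an exception and a 500 rather than the intended 400. Comparing without the cast avoids that: `if ($request->query('download') !== '1') {`. The flag also only guards against accidental hits, since any link that already carries `download=1` is fetched as before, so if export frequency is the concern a `throttle` middleware on the route is what actually bounds it. The body of the export action continues outside the hunk, and the `status` / `billing_cycle` context lines use the same cast.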

工具

+
diff --git a/tests/Feature/AdminPlanExportDownloadSafetyValveTest.php b/tests/Feature/AdminPlanExportDownloadSafetyValveTest.php
new file mode 100644
index 0000000..cf2526b
--- /dev/null
+++ b/tests/Feature/AdminPlanExportDownloadSafetyValveTest.php
@@ -0,0 +1,33 @@
+seed();
+
+ $this->post('/admin/login', [
+ 'email' => 'platform.admin@demo.local',
+ 'password' => 'Platform@123456',
+ ])->assertRedirect('/admin');
+ }
+
+ public function test_export_should_require_download_flag(): void
+ {
+ $this->loginAsPlatformAdmin();
+
+ $this->get('/admin/plans/export')
+ ->assertStatus(400)
+ ->assertSee('download=1 required');
+
+ $this->get('/admin/plans/export?download=1')
+ ->assertOk();
+ }
+}
diff --git a/tests/Feature/AdminPlanExportTest.php b/tests/Feature/AdminPlanExportTest.php
index 54fe669..b1c7a42 100644
--- a/tests/Feature/AdminPlanExportTest.php
+++ b/tests/Feature/AdminPlanExportTest.php
@@ -36,7 +36,7 @@ class AdminPlanExportTest extends TestCase
 'description' => '用于导出断言',
 ]);
- $res = $this->get('/admin/plans/export');
+ $res = $this->get('/admin/plans/export?download=1');
 $res->assertOk();
 $res->assertHeader('content-type', 'text/csv; charset=UTF-8');
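Review bot: In `AdminPlanExportDownloadSafetyValveTest.php`, `test_export_should_require_download_flag` pins only the missing flag and the exact value `1`, so the rejection path for other values is untested; adding `$this->get('/admin/plans/export?download=0')->assertStatus(400);` and the same assertion for `?download[]=1` would cover a wrong value and the array form that the controller's `(string)` cast receives. A request made before `loginAsPlatformAdmin()` would also confirm that the admin check still runs ahead of the 400. The login helper relies on a seeded `platform.admin@demo.local` account with a fixed password, which presumably comes from the default seeder; worth confirming that seeder cannot run outside local and testing environments. The top of the file is not legible on this page, so the class header and imports were not reviewed.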