Add admin pinning and user favorites with role management

app/admin/page.tsx

@@ -4,8 +4,9 @@ import { AdminUserManager } from "@/components/AdminUserManager";
 import { CreatePostForm } from "@/components/CreatePostForm";
 import { cookieName, isAdminSession, verifySession } from "@/lib/auth";
 import { getDb } from "@/lib/mongo";
-import { buildOwnedPostFilter, serializePost } from "@/lib/posts";
+import { buildOwnedPostFilter, buildPinnedSort, serializePost } from "@/lib/posts";
 import { findUserById, getEffectiveDailyPostLimit, getShanghaiDayRange } from "@/lib/users";
+import { Post } from "@/types/post";
 
 export const dynamic = "force-dynamic";
 
@@ -13,11 +14,17 @@ type ManagedUser = {
   id: string;
   username: string;
   displayName: string;
-  role: "admin" | "user";
+  role: "user" | "sponsor" | "admin";
   dailyPostLimit: number;
   postCount: number;
   todayPostCount: number;
-  posts: Array<{ slug: string; title: string; createdAt: string }>;
+  posts: Array<{ slug: string; title: string; createdAt: string; isPinned?: boolean }>;
+};
+
+const ROLE_LABELS: Record<ManagedUser["role"], string> = {
+  user: "普通",
+  sponsor: "赞助",
+  admin: "管理员"
 };
 
 async function fetchRecentPosts(session: Awaited<ReturnType<typeof verifySession>>) {
@@ -25,7 +32,7 @@ async function fetchRecentPosts(session: Awaited<ReturnType<typeof verifySession
   const posts = await db
     .collection("posts")
     .find(buildOwnedPostFilter(session), { projection: { markdown: 0 } })
-    .sort({ createdAt: -1 })
+    .sort(buildPinnedSort())
     .limit(20)
     .toArray();
 
@@ -38,6 +45,33 @@ async function fetchRecentPosts(session: Awaited<ReturnType<typeof verifySession
   }));
 }
 
+async function fetchFavoritePosts(session: Awaited<ReturnType<typeof verifySession>>): Promise<Post[]> {
+  if (!session?.uid) {
+    return [];
+  }
+
+  const db = await getDb();
+  const favorites = await db
+    .collection("favorites")
+    .find({ ownerId: session.uid }, { projection: { postSlug: 1, createdAt: 1 } })
+    .sort({ createdAt: -1 })
+    .limit(20)
+    .toArray();
+
+  const slugs = favorites.map((item: any) => item.postSlug).filter(Boolean);
+  if (slugs.length === 0) {
+    return [];
+  }
+
+  const posts = await db
+    .collection("posts")
+    .find({ slug: { $in: slugs } }, { projection: { markdown: 0 } })
+    .toArray();
+
+  const postMap = new Map(posts.map((post: any) => [post.slug, serializePost(post)]));
+  return slugs.map((slug) => postMap.get(slug)).filter(Boolean) as Post[];
+}
+
 async function fetchAvailableTags(session: Awaited<ReturnType<typeof verifySession>>) {
   const db = await getDb();
   const tags = await db
@@ -90,8 +124,20 @@ async function fetchManagedUsers(): Promise<ManagedUser[]> {
 
   const posts = await db
     .collection("posts")
-    .find({}, { projection: { slug: 1, title: 1, createdAt: 1, ownerId: 1, author: 1 } })
+    .find(
-    .sort({ createdAt: -1 })
+      {},
+      {
+        projection: {
+          slug: 1,
+          title: 1,
+          createdAt: 1,
+          ownerId: 1,
+          author: 1,
+          isPinned: 1
+        }
+      }
+    )
+    .sort(buildPinnedSort())
     .toArray();
 
   const authorToUserId = new Map<string, string>();
@@ -104,7 +150,10 @@ async function fetchManagedUsers(): Promise<ManagedUser[]> {
 
   const postCountMap = new Map<string, number>();
   const todayCountMap = new Map<string, number>();
-  const postsByOwner = new Map<string, Array<{ slug: string; title: string; createdAt: string }>>();
+  const postsByOwner = new Map<
+    string,
+    Array<{ slug: string; title: string; createdAt: string; isPinned?: boolean }>
+  >();
 
   posts.forEach((post: any) => {
     const resolvedOwnerId =
@@ -115,7 +164,8 @@ async function fetchManagedUsers(): Promise<ManagedUser[]> {
     list.push({
       slug: post.slug,
       title: post.title ?? "未命名",
-      createdAt: post.createdAt ?? new Date().toISOString()
+      createdAt: post.createdAt ?? new Date().toISOString(),
+      isPinned: Boolean(post.isPinned)
     });
     postsByOwner.set(resolvedOwnerId, list);
     postCountMap.set(resolvedOwnerId, (postCountMap.get(resolvedOwnerId) ?? 0) + 1);
@@ -134,7 +184,10 @@ async function fetchManagedUsers(): Promise<ManagedUser[]> {
         id,
         username: user.username ?? "",
         displayName: user.displayName ?? user.username ?? "",
-        role: user.role === "admin" ? "admin" : "user",
+        role:
+          user.role === "admin" || user.role === "sponsor" || user.role === "user"
+            ? user.role
+            : "user",
         dailyPostLimit: getEffectiveDailyPostLimit(user),
         postCount: postCountMap.get(id) ?? 0,
         todayPostCount: todayCountMap.get(id) ?? 0,
@@ -148,9 +201,11 @@ export default async function AdminPage() {
   const token = cookies().get(cookieName)?.value;
   const session = await verifySession(token);
   const adminView = isAdminSession(session);
+  const roleLabel = ROLE_LABELS[(session?.role as ManagedUser["role"]) || "user"];
 
-  const [recentPosts, availableTags, publishQuota, managedUsers] = await Promise.all([
+  const [recentPosts, favoritePosts, availableTags, publishQuota, managedUsers] = await Promise.all([
     fetchRecentPosts(session),
+    fetchFavoritePosts(session),
     fetchAvailableTags(session),
     fetchPublishQuota(session),
     adminView ? fetchManagedUsers() : Promise.resolve([] as ManagedUser[])
@@ -159,11 +214,24 @@ export default async function AdminPage() {
   return (
     <div className="space-y-6">
       <section className="rounded-2xl bg-white/80 p-5 shadow-sm ring-1 ring-slate-100">
-        <div className="space-y-2">
+        <div className="flex flex-wrap items-center justify-between gap-3">
-          <h1 className="text-2xl font-semibold text-slate-900">内容后台</h1>
+          <div className="space-y-2">
-          <p className="text-sm text-slate-500">
+            <h1 className="text-2xl font-semibold text-slate-900">内容后台</h1>
-            登录用户只能发布和修改自己的内容；删除内容、删除用户和设置发布额度仅管理员可操作。
+            <p className="text-sm text-slate-500">
-          </p>
+              登录用户可以发布、编辑自己的内容和管理自己的收藏；管理员额外拥有置顶、删帖、删用户和调整用户等级/额度的全部权限。
+            </p>
+          </div>
+          <div className="flex items-center gap-3">
+            <span className="rounded-full bg-slate-100 px-3 py-1 text-sm text-slate-700 ring-1 ring-slate-200">
+              {session?.name || "未登录"} · {roleLabel}
+            </span>
+            <a
+              href="/stats"
+              className="rounded-full bg-brand-50 px-4 py-2 text-sm font-medium text-brand-700 ring-1 ring-brand-100 hover:bg-brand-100"
+            >
+              查看统计
+            </a>
+          </div>
         </div>
       </section>
 
@@ -173,7 +241,21 @@ export default async function AdminPage() {
         todayCount={publishQuota.todayCount}
       />
 
-      <AdminPostList initialPosts={recentPosts} canDelete={false} />
+      <AdminPostList
+        initialPosts={recentPosts}
+        title="我的内容"
+        description="你只能编辑自己的内容；管理员可在这里快速置顶或删除自己的内容。"
+        canDelete={adminView}
+        canPin={adminView}
+      />
+
+      <AdminPostList
+        initialPosts={favoritePosts}
+        title="我的收藏"
+        description="收藏仅自己可见，方便回看喜欢的内容。"
+        emptyText="你还没有收藏任何内容。"
+        showEdit={false}
+      />
 
       {adminView ? <AdminUserManager initialUsers={managedUsers} currentUserId={session?.uid || ""} /> : null}
     </div>

app/api/admin/users/[userId]/route.ts

@@ -24,26 +24,49 @@ export async function PATCH(req: NextRequest, { params }: { params: { userId: st
   }
 
   const body = await req.json().catch(() => ({}));
-  const schema = z.object({
+  const schema = z
-    dailyPostLimit: z.number().int().min(0).max(1000)
+    .object({
-  });
+      dailyPostLimit: z.number().int().min(0).max(1000).optional(),
+      role: z.enum(["user", "sponsor", "admin"]).optional()
+    })
+    .refine((value) => value.dailyPostLimit !== undefined || value.role !== undefined, {
+      message: "至少需要提交一个要修改的字段"
+    });
   const parsed = schema.safeParse(body);
   if (!parsed.success) {
     return NextResponse.json({ error: parsed.error.flatten() }, { status: 400 });
   }
 
+  if (session.uid === params.userId && parsed.data.role && parsed.data.role !== "admin") {
+    return NextResponse.json({ error: "不能把当前登录管理员降级" }, { status: 400 });
+  }
+
   const db = await getDb();
+  const setPayload: Record<string, unknown> = {};
+  if (parsed.data.dailyPostLimit !== undefined) {
+    setPayload.dailyPostLimit = parsed.data.dailyPostLimit;
+  }
+  if (parsed.data.role) {
+    setPayload.role = parsed.data.role;
+  }
+
   const result = await db.collection("users").updateOne(
     { _id: new ObjectId(params.userId) },
-    { $set: { dailyPostLimit: parsed.data.dailyPostLimit } }
+    { $set: setPayload }
   );
   if (result.matchedCount === 0) {
     return NextResponse.json({ error: "用户不存在" }, { status: 404 });
   }
 
+  const updatedUser = await db.collection("users").findOne(
+    { _id: new ObjectId(params.userId) },
+    { projection: { dailyPostLimit: 1, role: 1 } }
+  );
+
   return NextResponse.json({
     ok: true,
-    dailyPostLimit: parsed.data.dailyPostLimit ?? DEFAULT_DAILY_POST_LIMIT
+    dailyPostLimit: updatedUser?.dailyPostLimit ?? DEFAULT_DAILY_POST_LIMIT,
+    role: updatedUser?.role ?? "user"
   });
 }
 
@@ -65,7 +88,7 @@ export async function DELETE(req: NextRequest, { params }: { params: { userId: s
     return NextResponse.json({ error: "用户不存在" }, { status: 404 });
   }
 
-  await db.collection("posts").deleteMany({
+  const postFilter = {
     $or: [
       { ownerId: params.userId },
       {
@@ -79,6 +102,19 @@ export async function DELETE(req: NextRequest, { params }: { params: { userId: s
         ]
       }
     ]
+  };
+
+  const ownedPosts = await db
+    .collection("posts")
+    .find(postFilter, { projection: { slug: 1 } })
+    .toArray();
+
+  await db.collection("posts").deleteMany(postFilter);
+  await db.collection("favorites").deleteMany({
+    $or: [
+      { ownerId: params.userId },
+      { postSlug: { $in: ownedPosts.map((post: any) => post.slug).filter(Boolean) } }
+    ]
   });
   await db.collection("users").deleteOne({ _id: new ObjectId(params.userId) });
 

app/api/login/route.ts

@@ -1,6 +1,6 @@
 import { NextRequest, NextResponse } from "next/server";
 import { z } from "zod";
-import { signSession, cookieName, isAdminName } from "@/lib/auth";
+import { cookieName, isAdminName, resolveUserRole, signSession } from "@/lib/auth";
 import { getDb } from "@/lib/mongo";
 import { verifyPassword } from "@/lib/password";
 
@@ -19,6 +19,7 @@ export async function POST(req: NextRequest) {
   const { username, password } = parsed.data;
   const db = await getDb();
   const user = await db.collection("users").findOne({ usernameLower: username.toLowerCase() });
+
   if (
     !user ||
     typeof user.passwordSalt !== "string" ||
@@ -29,12 +30,8 @@ export async function POST(req: NextRequest) {
   }
 
   const name = user.displayName || user.username || username;
-  const role =
+  const storedRole = resolveUserRole(user.role);
-    user.role === "admin" || user.role === "user"
+  const role = storedRole || (isAdminName(user.username) || isAdminName(name) ? "admin" : "user");
-      ? user.role
-      : isAdminName(user.username) || isAdminName(name)
-        ? "admin"
-        : "user";
   const exp = Date.now() + 24 * 60 * 60 * 1000;
   const token = await signSession({
     role,
@@ -44,7 +41,8 @@ export async function POST(req: NextRequest) {
     name,
     username: user.username || username
   });
-  const res = NextResponse.json({ ok: true, name });
+
+  const res = NextResponse.json({ ok: true, name, role });
   res.cookies.set(cookieName, token, {
     httpOnly: true,
     sameSite: "lax",

app/api/posts/[slug]/favorite/route.ts

@@ -0,0 +1,60 @@
+import { NextRequest, NextResponse } from "next/server";
+import { cookieName, verifySession } from "@/lib/auth";
+import { getDb } from "@/lib/mongo";
+
+async function getSessionFromRequest(req: NextRequest) {
+  const token = req.cookies.get(cookieName)?.value;
+  return verifySession(token);
+}
+
+async function countFavorites(postSlug: string) {
+  const db = await getDb();
+  return db.collection("favorites").countDocuments({ postSlug });
+}
+
+export async function POST(req: NextRequest, { params }: { params: { slug: string } }) {
+  const session = await getSessionFromRequest(req);
+  if (!session?.uid) {
+    return NextResponse.json({ error: "请先登录后再收藏" }, { status: 401 });
+  }
+
+  const db = await getDb();
+  const post = await db.collection("posts").findOne({ slug: params.slug }, { projection: { _id: 1 } });
+  if (!post) {
+    return NextResponse.json({ error: "内容不存在" }, { status: 404 });
+  }
+
+  await db.collection("favorites").updateOne(
+    { ownerId: session.uid, postSlug: params.slug },
+    {
+      $setOnInsert: {
+        ownerId: session.uid,
+        postSlug: params.slug,
+        createdAt: new Date().toISOString()
+      }
+    },
+    { upsert: true }
+  );
+
+  return NextResponse.json({
+    ok: true,
+    isFavorited: true,
+    favoriteCount: await countFavorites(params.slug)
+  });
+}
+
+export async function DELETE(req: NextRequest, { params }: { params: { slug: string } }) {
+  const session = await getSessionFromRequest(req);
+  if (!session?.uid) {
+    return NextResponse.json({ error: "请先登录后再取消收藏" }, { status: 401 });
+  }
+
+  const db = await getDb();
+  await db.collection("favorites").deleteOne({ ownerId: session.uid, postSlug: params.slug });
+
+  return NextResponse.json({
+    ok: true,
+    isFavorited: false,
+    favoriteCount: await countFavorites(params.slug)
+  });
+}

app/api/posts/[slug]/pin/route.ts

@@ -0,0 +1,55 @@
+import { NextRequest, NextResponse } from "next/server";
+import { cookieName, verifySession } from "@/lib/auth";
+import { getDb } from "@/lib/mongo";
+import { canPinPost } from "@/lib/posts";
+
+async function getSessionFromRequest(req: NextRequest) {
+  const token = req.cookies.get(cookieName)?.value;
+  return verifySession(token);
+}
+
+async function getPost(slug: string) {
+  const db = await getDb();
+  const post = await db.collection("posts").findOne({ slug });
+  return { db, post };
+}
+
+export async function POST(req: NextRequest, { params }: { params: { slug: string } }) {
+  const session = await getSessionFromRequest(req);
+  const { db, post } = await getPost(params.slug);
+
+  if (!post) {
+    return NextResponse.json({ error: "内容不存在" }, { status: 404 });
+  }
+  if (!canPinPost(post, session)) {
+    return NextResponse.json({ error: "只有管理员可以置顶内容" }, { status: 403 });
+  }
+
+  const now = new Date().toISOString();
+  await db.collection("posts").updateOne(
+    { _id: post._id },
+    { $set: { isPinned: true, pinnedAt: now, updatedAt: now } }
+  );
+
+  return NextResponse.json({ ok: true, isPinned: true, pinnedAt: now });
+}
+
+export async function DELETE(req: NextRequest, { params }: { params: { slug: string } }) {
+  const session = await getSessionFromRequest(req);
+  const { db, post } = await getPost(params.slug);
+
+  if (!post) {
+    return NextResponse.json({ error: "内容不存在" }, { status: 404 });
+  }
+  if (!canPinPost(post, session)) {
+    return NextResponse.json({ error: "只有管理员可以取消置顶" }, { status: 403 });
+  }
+
+  const now = new Date().toISOString();
+  await db.collection("posts").updateOne(
+    { _id: post._id },
+    { $set: { isPinned: false, updatedAt: now }, $unset: { pinnedAt: "" } }
+  );
+
+  return NextResponse.json({ ok: true, isPinned: false });
+}

app/api/posts/[slug]/route.ts

@@ -84,5 +84,6 @@ export async function DELETE(req: NextRequest, { params }: { params: { slug: str
   }
 
   await db.collection("posts").deleteOne({ _id: existingPost._id });
+  await db.collection("favorites").deleteMany({ postSlug: params.slug });
   return NextResponse.json({ ok: true });
 }

app/api/posts/route.ts

@@ -3,6 +3,7 @@ import { z } from "zod";
 import { cookieName, verifySession } from "@/lib/auth";
 import { getDb } from "@/lib/mongo";
 import { DEFAULT_OPC_SIGNAL, OPC_SIGNAL_VALUES } from "@/lib/opc";
+import { buildPinnedSort, serializePost } from "@/lib/posts";
 import { generateSlug } from "@/lib/slug";
 import { findUserById, getEffectiveDailyPostLimit, getShanghaiDayRange } from "@/lib/users";
 
@@ -19,17 +20,11 @@ export async function GET() {
   const posts = await db
     .collection("posts")
     .find({}, { projection: { markdown: 0 } })
-    .sort({ createdAt: -1 })
+    .sort(buildPinnedSort())
     .limit(50)
     .toArray();
 
-  return NextResponse.json(
+  return NextResponse.json(posts.map((post) => serializePost(post)));
-    posts.map((post) => ({
-      ...post,
-      author: post.author ?? "匿名",
-      _id: post._id?.toString()
-    }))
-  );
 }
 
 export async function POST(req: NextRequest) {
@@ -85,7 +80,8 @@ export async function POST(req: NextRequest) {
     slug,
     createdAt: now,
     updatedAt: now,
-    views: 0
+    views: 0,
+    isPinned: false
   });
 
   return NextResponse.json({ ok: true, slug, todayCount: todayCount + 1, limit });

app/api/register/route.ts

@@ -1,6 +1,6 @@
 import { NextRequest, NextResponse } from "next/server";
 import { z } from "zod";
-import { signSession, cookieName, isAdminName } from "@/lib/auth";
+import { cookieName, signSession } from "@/lib/auth";
 import { DEFAULT_DAILY_POST_LIMIT } from "@/lib/users";
 import { getDb } from "@/lib/mongo";
 import { hashPassword } from "@/lib/password";
@@ -13,6 +13,7 @@ export async function POST(req: NextRequest) {
     displayName: z.string().trim().min(2).max(32).optional()
   });
   const parsed = schema.safeParse(body);
+
   if (!parsed.success) {
     return NextResponse.json({ error: "用户名或密码格式不正确" }, { status: 400 });
   }
@@ -20,7 +21,6 @@ export async function POST(req: NextRequest) {
   const { username, password, displayName } = parsed.data;
   const usernameLower = username.toLowerCase();
   const resolvedDisplayName = displayName || username;
-  const role = isAdminName(username) || isAdminName(resolvedDisplayName) ? "admin" : "user";
   const db = await getDb();
 
   const exists = await db.collection("users").findOne({ usernameLower });
@@ -34,7 +34,7 @@ export async function POST(req: NextRequest) {
     username,
     usernameLower,
     displayName: resolvedDisplayName,
-    role,
+    role: "user" as const,
     dailyPostLimit: DEFAULT_DAILY_POST_LIMIT,
     passwordHash: hash,
     passwordSalt: salt,
@@ -42,18 +42,17 @@ export async function POST(req: NextRequest) {
   };
 
   const result = await db.collection("users").insertOne(doc);
-
-  const name = doc.displayName;
   const exp = Date.now() + 24 * 60 * 60 * 1000;
   const token = await signSession({
-    role,
+    role: doc.role,
     iat: Date.now(),
     exp,
     uid: result.insertedId?.toString(),
-    name,
+    name: doc.displayName,
     username
   });
-  const res = NextResponse.json({ ok: true, name });
+
+  const res = NextResponse.json({ ok: true, name: doc.displayName, role: doc.role });
   res.cookies.set(cookieName, token, {
     httpOnly: true,
     sameSite: "lax",

app/layout.tsx

@@ -15,6 +15,8 @@ export default async function RootLayout({ children }: { children: ReactNode })
   const token = cookies().get(cookieName)?.value;
   const session = await verifySession(token);
   const userName = session?.name ?? "访客";
+  const roleLabel =
+    session?.role === "admin" ? "管理员" : session?.role === "sponsor" ? "赞助" : "普通";
 
   return (
     <html lang="zh-CN">
@@ -47,7 +49,7 @@ export default async function RootLayout({ children }: { children: ReactNode })
               {session ? (
                 <div className="flex items-center gap-2">
                   <span className="rounded-full bg-slate-100 px-3 py-1 text-xs font-medium text-slate-700">
-                    {userName}
+                    {userName} · {roleLabel}
                   </span>
                   <LogoutButton />
                 </div>

app/p/[slug]/page.tsx

@@ -1,8 +1,12 @@
+import { cookies } from "next/headers";
+import Link from "next/link";
 import { notFound } from "next/navigation";
+import { FavoriteButton } from "@/components/FavoriteButton";
 import { MarkdownViewer } from "@/components/MarkdownViewer";
 import { SharePanel } from "@/components/SharePanel";
+import { cookieName, verifySession } from "@/lib/auth";
 import { getDb } from "@/lib/mongo";
-import { serializePost } from "@/lib/posts";
+import { canEditPost, serializePost } from "@/lib/posts";
 import { normalizeImageUrl } from "@/lib/normalize";
 import { getSiteUrl } from "@/lib/site";
 
@@ -20,15 +24,23 @@ async function fetchPost(slug: string) {
   }
 
   db.collection("posts").updateOne({ _id: doc._id }, { $inc: { views: 1 } }).catch(() => {});
-  return serializePost({ ...doc, views: (doc.views ?? 0) + 1 });
+  const favoriteCount = await db.collection("favorites").countDocuments({ postSlug: slug });
+  return serializePost({ ...doc, views: (doc.views ?? 0) + 1, favoriteCount });
 }
 
 export default async function PostPage({ params }: Props) {
+  const token = cookies().get(cookieName)?.value;
+  const session = await verifySession(token);
   const post = await fetchPost(params.slug);
   if (!post) {
     notFound();
   }
 
+  const db = await getDb();
+  const isFavorited = session?.uid
+    ? Boolean(await db.collection("favorites").findOne({ ownerId: session.uid, postSlug: post.slug }))
+    : false;
+  const canEdit = canEditPost(post, session);
   const coverUrl = normalizeImageUrl(post.cover);
   const shareUrl = `${getSiteUrl()}/p/${post.slug}`;
 
@@ -36,8 +48,33 @@ export default async function PostPage({ params }: Props) {
     <article className="rounded-2xl bg-white/80 p-6 shadow-sm ring-1 ring-slate-100">
       <div className="mb-4">
         <div className="flex flex-wrap items-center justify-between gap-3">
-          <h1 className="text-2xl font-semibold text-slate-900">{post.title}</h1>
+          <div className="space-y-2">
-          <SharePanel url={shareUrl} />
+            <div className="flex flex-wrap items-center gap-2">
+              {post.isPinned ? (
+                <span className="rounded-full bg-amber-50 px-2 py-1 text-xs font-medium text-amber-700 ring-1 ring-amber-100">
+                  置顶
+                </span>
+              ) : null}
+              <h1 className="text-2xl font-semibold text-slate-900">{post.title}</h1>
+            </div>
+          </div>
+          <div className="flex flex-wrap items-center gap-2">
+            {canEdit ? (
+              <Link
+                href={`/admin/edit/${post.slug}`}
+                className="rounded-full bg-brand-50 px-3 py-2 text-sm font-medium text-brand-700 ring-1 ring-brand-100 hover:bg-brand-100"
+              >
+                编辑
+              </Link>
+            ) : null}
+            <FavoriteButton
+              slug={post.slug}
+              initialFavorited={isFavorited}
+              initialCount={post.favoriteCount ?? 0}
+              canFavorite={Boolean(session?.uid)}
+            />
+            <SharePanel url={shareUrl} />
+          </div>
         </div>
         <p className="mt-2 text-sm text-slate-500">
           {post.author || "匿名"} |{" "}
@@ -45,6 +82,10 @@ export default async function PostPage({ params }: Props) {
             hour12: false,
             timeZone: "Asia/Shanghai"
           })}
+          {" · "}
+          浏览 {post.views ?? 0}
+          {" · "}
+          收藏 {post.favoriteCount ?? 0}
         </p>
         {coverUrl ? (
           <img

app/page.tsx

@@ -1,6 +1,6 @@
 import { PostCard } from "@/components/PostCard";
 import { getDb } from "@/lib/mongo";
-import { serializePost } from "@/lib/posts";
+import { buildPinnedSort, serializePost } from "@/lib/posts";
 import { buildSearchFilter } from "@/lib/search";
 import { Post } from "@/types/post";
 
@@ -32,7 +32,7 @@ async function fetchPosts(params: {
   const docs = await db
     .collection("posts")
     .find(filter, { projection: { markdown: 0 } })
-    .sort({ createdAt: -1 })
+    .sort(buildPinnedSort())
     .skip((page - 1) * PAGE_SIZE)
     .limit(PAGE_SIZE)
     .toArray();
@@ -83,7 +83,7 @@ export default async function HomePage({
       <div className="rounded-2xl bg-gradient-to-r from-brand-500 to-brand-700 p-6 text-white shadow-lg">
         <h1 className="text-2xl font-semibold">OPC Feed</h1>
         <p className="mt-2 text-sm text-white/80">
-          未登录用户可以浏览全部内容；登录用户只能发布和修改自己的内容。
+          未登录用户可以浏览全部内容；登录用户可以发布并修改自己的内容；置顶内容会优先展示。
         </p>
         {tag ? (
           <div className="mt-3 inline-flex items-center gap-2 rounded-full bg-white/15 px-3 py-1 text-xs font-medium">

app/tags/[tag]/page.tsx

@@ -1,6 +1,6 @@
 import { PostCard } from "@/components/PostCard";
 import { getDb } from "@/lib/mongo";
-import { serializePost } from "@/lib/posts";
+import { buildPinnedSort, serializePost } from "@/lib/posts";
 import { buildSearchFilter } from "@/lib/search";
 import { Post } from "@/types/post";
 
@@ -27,7 +27,7 @@ async function fetchTagPosts(params: {
   const docs = await db
     .collection("posts")
     .find(filter, { projection: { markdown: 0 } })
-    .sort({ createdAt: -1 })
+    .sort(buildPinnedSort())
     .skip((page - 1) * PAGE_SIZE)
     .limit(PAGE_SIZE)
     .toArray();
@@ -64,7 +64,7 @@ export default async function TagDetailPage({
     <div className="space-y-6">
       <div className="rounded-2xl bg-white/80 p-6 shadow-sm ring-1 ring-slate-100">
         <h1 className="text-2xl font-semibold">标签 / {tag}</h1>
-        <p className="mt-2 text-sm text-slate-500">共 {total} 条内容</p>
+        <p className="mt-2 text-sm text-slate-500">共 {total} 条内容，置顶内容会优先显示。</p>
       </div>
 
       <form

components/AdminPostList.tsx

@@ -8,13 +8,24 @@ type AdminPost = Post & { createdAtText?: string };
 
 export function AdminPostList({
   initialPosts,
-  canDelete = false
+  title = "最近内容",
+  description,
+  emptyText = "暂无内容。",
+  canDelete = false,
+  canPin = false,
+  showEdit = true
 }: {
   initialPosts: AdminPost[];
+  title?: string;
+  description?: string;
+  emptyText?: string;
   canDelete?: boolean;
+  canPin?: boolean;
+  showEdit?: boolean;
 }) {
   const [posts, setPosts] = useState<AdminPost[]>(initialPosts);
   const [tagQuery, setTagQuery] = useState("");
+  const [busySlug, setBusySlug] = useState<string | null>(null);
 
   const visiblePosts = useMemo(() => {
     const query = tagQuery.trim().toLowerCase();
@@ -25,33 +36,74 @@ export function AdminPostList({
   async function handleDelete(slug: string) {
     if (!window.confirm("确定要删除这条内容吗？此操作不可恢复。")) return;
 
-    const res = await fetch(`/api/posts/${slug}`, { method: "DELETE" });
+    setBusySlug(slug);
-    if (!res.ok) {
+    try {
-      const data = await res.json().catch(() => ({}));
+      const res = await fetch(`/api/posts/${slug}`, { method: "DELETE" });
-      alert(data.error || "删除失败");
+      if (!res.ok) {
-      return;
+        const data = await res.json().catch(() => ({}));
-    }
+        alert(data.error || "删除失败");
+        return;
+      }
 
-    setPosts((prev) => prev.filter((post) => post.slug !== slug));
+      setPosts((prev) => prev.filter((post) => post.slug !== slug));
+    } finally {
+      setBusySlug(null);
+    }
+  }
+
+  async function handleTogglePin(post: AdminPost) {
+    setBusySlug(post.slug);
+    try {
+      const res = await fetch(`/api/posts/${post.slug}/pin`, {
+        method: post.isPinned ? "DELETE" : "POST"
+      });
+      const data = await res.json().catch(() => ({}));
+
+      if (!res.ok) {
+        alert(data.error || "置顶操作失败");
+        return;
+      }
+
+      setPosts((prev) =>
+        [...prev]
+          .map((item) =>
+            item.slug === post.slug
+              ? {
+                  ...item,
+                  isPinned: Boolean(data.isPinned),
+                  pinnedAt: data.pinnedAt
+                }
+              : item
+          )
+          .sort((a, b) => {
+            const pinnedDiff = Number(Boolean(b.isPinned)) - Number(Boolean(a.isPinned));
+            if (pinnedDiff !== 0) return pinnedDiff;
+            const pinTimeDiff = (b.pinnedAt || "").localeCompare(a.pinnedAt || "");
+            if (pinTimeDiff !== 0) return pinTimeDiff;
+            return b.createdAt.localeCompare(a.createdAt);
+          })
+      );
+    } finally {
+      setBusySlug(null);
+    }
   }
 
   if (posts.length === 0) {
     return (
       <div className="rounded-2xl bg-white/80 p-4 text-sm text-slate-500 shadow-sm ring-1 ring-slate-100">
-        暂无内容。
+        {emptyText}
       </div>
     );
   }
 
-  const summary = tagQuery
+  const summary = tagQuery ? `匹配 ${visiblePosts.length} / 共 ${posts.length} 条` : `共 ${posts.length} 条`;
-    ? `匹配 ${visiblePosts.length} / 共 ${posts.length} 条`
-    : `共 ${posts.length} 条`;
 
   return (
     <div className="space-y-3 rounded-2xl bg-white/80 p-4 shadow-sm ring-1 ring-slate-100">
       <div className="flex flex-wrap items-center justify-between gap-3">
         <div>
-          <h3 className="text-lg font-semibold">最近内容</h3>
+          <h3 className="text-lg font-semibold">{title}</h3>
+          {description ? <p className="mt-1 text-sm text-slate-500">{description}</p> : null}
           <p className="text-xs text-slate-400">{summary}</p>
         </div>
         <div className="flex items-center gap-2">
@@ -80,7 +132,12 @@ export function AdminPostList({
             className="flex flex-wrap items-center justify-between gap-3 rounded-xl border border-slate-100 bg-white/70 p-3"
           >
             <div>
-              <Link href={`/p/${post.slug}`} className="font-medium text-slate-900 hover:text-brand-600">
+              {post.isPinned ? (
+                <span className="mb-1 inline-flex rounded-full bg-amber-50 px-2 py-1 text-xs font-medium text-amber-700 ring-1 ring-amber-100">
+                  置顶
+                </span>
+              ) : null}
+              <Link href={`/p/${post.slug}`} className="block font-medium text-slate-900 hover:text-brand-600">
                 {post.title}
               </Link>
               <p className="text-xs text-slate-500">
@@ -103,17 +160,30 @@ export function AdminPostList({
               ) : null}
             </div>
             <div className="flex items-center gap-2">
-              <Link
+              {showEdit ? (
-                href={`/admin/edit/${post.slug}`}
+                <Link
-                className="rounded-full bg-brand-50 px-3 py-1 text-xs font-medium text-brand-700 ring-1 ring-brand-100 hover:bg-brand-100"
+                  href={`/admin/edit/${post.slug}`}
-              >
+                  className="rounded-full bg-brand-50 px-3 py-1 text-xs font-medium text-brand-700 ring-1 ring-brand-100 hover:bg-brand-100"
-                编辑
+                >
-              </Link>
+                  编辑
+                </Link>
+              ) : null}
+              {canPin ? (
+                <button
+                  type="button"
+                  disabled={busySlug === post.slug}
+                  onClick={() => handleTogglePin(post)}
+                  className="rounded-full bg-amber-50 px-3 py-1 text-xs font-medium text-amber-700 ring-1 ring-amber-100 hover:bg-amber-100 disabled:opacity-60"
+                >
+                  {post.isPinned ? "取消置顶" : "置顶"}
+                </button>
+              ) : null}
               {canDelete ? (
                 <button
                   type="button"
+                  disabled={busySlug === post.slug}
                   onClick={() => handleDelete(post.slug)}
-                  className="rounded-full bg-red-50 px-3 py-1 text-xs font-medium text-red-600 ring-1 ring-red-100 hover:bg-red-100"
+                  className="rounded-full bg-red-50 px-3 py-1 text-xs font-medium text-red-600 ring-1 ring-red-100 hover:bg-red-100 disabled:opacity-60"
                 >
                   删除
                 </button>

components/AdminUserManager.tsx

@@ -6,19 +6,26 @@ type ManagedPost = {
   slug: string;
   title: string;
   createdAt: string;
+  isPinned?: boolean;
 };
 
 type ManagedUser = {
   id: string;
   username: string;
   displayName: string;
-  role: "admin" | "user";
+  role: "user" | "sponsor" | "admin";
   dailyPostLimit: number;
   postCount: number;
   todayPostCount: number;
   posts: ManagedPost[];
 };
 
+const ROLE_OPTIONS: Array<{ value: ManagedUser["role"]; label: string }> = [
+  { value: "user", label: "普通" },
+  { value: "sponsor", label: "赞助" },
+  { value: "admin", label: "管理员" }
+];
+
 export function AdminUserManager({
   initialUsers,
   currentUserId
@@ -67,13 +74,46 @@ export function AdminUserManager({
     );
   }
 
-  async function handleSaveLimit(userId: string, dailyPostLimit: number) {
+  async function handleTogglePin(userId: string, slug: string, isPinned: boolean) {
+    const res = await fetch(`/api/posts/${slug}/pin`, {
+      method: isPinned ? "DELETE" : "POST"
+    });
+    const data = await res.json().catch(() => ({}));
+    if (!res.ok) {
+      alert(data.error || "置顶操作失败");
+      return;
+    }
+
+    setUsers((prev) =>
+      prev.map((user) =>
+        user.id !== userId
+          ? user
+          : {
+              ...user,
+              posts: [...user.posts]
+                .map((post) =>
+                  post.slug === slug ? { ...post, isPinned: Boolean(data.isPinned) } : post
+                )
+                .sort((a, b) => {
+                  const pinnedDiff = Number(Boolean(b.isPinned)) - Number(Boolean(a.isPinned));
+                  if (pinnedDiff !== 0) return pinnedDiff;
+                  return b.createdAt.localeCompare(a.createdAt);
+                })
+            }
+      )
+    );
+  }
+
+  async function handleSaveUser(
+    userId: string,
+    payload: { dailyPostLimit: number; role: ManagedUser["role"] }
+  ) {
     setSavingId(userId);
     try {
       const res = await fetch(`/api/admin/users/${userId}`, {
         method: "PATCH",
         headers: { "Content-Type": "application/json" },
-        body: JSON.stringify({ dailyPostLimit })
+        body: JSON.stringify(payload)
       });
       const data = await res.json().catch(() => ({}));
       if (!res.ok) {
@@ -83,7 +123,13 @@ export function AdminUserManager({
 
       setUsers((prev) =>
         prev.map((user) =>
-          user.id === userId ? { ...user, dailyPostLimit: data.dailyPostLimit ?? dailyPostLimit } : user
+          user.id === userId
+            ? {
+                ...user,
+                dailyPostLimit: data.dailyPostLimit ?? payload.dailyPostLimit,
+                role: data.role ?? payload.role
+              }
+            : user
         )
       );
     } finally {
@@ -109,7 +155,9 @@ export function AdminUserManager({
       <div className="flex flex-wrap items-center justify-between gap-3">
         <div>
           <h3 className="text-lg font-semibold text-slate-900">用户管理</h3>
-          <p className="text-sm text-slate-500">按用户名搜索，删除指定内容、删除用户，并设置每日发布额度。</p>
+          <p className="text-sm text-slate-500">
+            可按用户名搜索，设置用户等级与每日发布额度，并删除用户或其指定内容。
+          </p>
         </div>
         <input
           value={query}
@@ -130,8 +178,9 @@ export function AdminUserManager({
               currentUserId={currentUserId}
               saving={savingId === user.id}
               onDeletePost={handleDeletePost}
+              onTogglePin={handleTogglePin}
               onDeleteUser={handleDeleteUser}
-              onSaveLimit={handleSaveLimit}
+              onSaveUser={handleSaveUser}
             />
           ))
         )}
@@ -151,17 +200,23 @@ function AdminUserCard({
   currentUserId,
   saving,
   onDeletePost,
+  onTogglePin,
   onDeleteUser,
-  onSaveLimit
+  onSaveUser
 }: {
   user: ManagedUser;
   currentUserId: string;
   saving: boolean;
   onDeletePost: (slug: string) => Promise<void>;
+  onTogglePin: (userId: string, slug: string, isPinned: boolean) => Promise<void>;
   onDeleteUser: (userId: string) => Promise<void>;
-  onSaveLimit: (userId: string, dailyPostLimit: number) => Promise<void>;
+  onSaveUser: (
+    userId: string,
+    payload: { dailyPostLimit: number; role: ManagedUser["role"] }
+  ) => Promise<void>;
 }) {
   const [limit, setLimit] = useState(user.dailyPostLimit);
+  const [role, setRole] = useState<ManagedUser["role"]>(user.role);
 
   return (
     <div className="rounded-2xl border border-slate-100 bg-white/70 p-4">
@@ -171,11 +226,23 @@ function AdminUserCard({
             {user.displayName} <span className="text-sm font-normal text-slate-500">(@{user.username})</span>
           </h4>
           <p className="mt-1 text-sm text-slate-500">
-            角色：{user.role === "admin" ? "管理员" : "用户"} | 总发布：{user.postCount} | 今日发布：{user.todayPostCount}
+            角色：{ROLE_OPTIONS.find((item) => item.value === user.role)?.label || "普通"} | 总发布：
+            {user.postCount} | 今日发布：{user.todayPostCount}
           </p>
         </div>
 
         <div className="flex flex-wrap items-center gap-2">
+          <select
+            value={role}
+            onChange={(e) => setRole(e.target.value as ManagedUser["role"])}
+            className="rounded-full border border-slate-200 bg-white px-3 py-2 text-sm shadow-inner focus:border-brand-500 focus:outline-none"
+          >
+            {ROLE_OPTIONS.map((option) => (
+              <option key={option.value} value={option.value}>
+                {option.label}
+              </option>
+            ))}
+          </select>
           <input
             type="number"
             min={0}
@@ -186,10 +253,10 @@ function AdminUserCard({
           <button
             type="button"
             disabled={saving}
-            onClick={() => onSaveLimit(user.id, limit)}
+            onClick={() => onSaveUser(user.id, { dailyPostLimit: limit, role })}
             className="rounded-full bg-brand-50 px-3 py-2 text-xs font-medium text-brand-700 ring-1 ring-brand-100 hover:bg-brand-100 disabled:opacity-60"
           >
-            保存额度
+            保存设置
           </button>
           {user.id !== currentUserId ? (
             <button
@@ -213,7 +280,12 @@ function AdminUserCard({
               className="flex flex-wrap items-center justify-between gap-3 rounded-xl border border-slate-100 bg-white px-3 py-2"
             >
               <div>
-                <a href={`/p/${post.slug}`} className="text-sm font-medium text-slate-900 hover:text-brand-600">
+                {post.isPinned ? (
+                  <span className="mb-1 inline-flex rounded-full bg-amber-50 px-2 py-1 text-xs font-medium text-amber-700 ring-1 ring-amber-100">
+                    置顶
+                  </span>
+                ) : null}
+                <a href={`/p/${post.slug}`} className="block text-sm font-medium text-slate-900 hover:text-brand-600">
                   {post.title}
                 </a>
                 <p className="text-xs text-slate-500">
@@ -223,13 +295,22 @@ function AdminUserCard({
                   })}
                 </p>
               </div>
-              <button
+              <div className="flex items-center gap-2">
-                type="button"
+                <button
-                onClick={() => onDeletePost(post.slug)}
+                  type="button"
-                className="rounded-full bg-red-50 px-3 py-1 text-xs font-medium text-red-600 ring-1 ring-red-100 hover:bg-red-100"
+                  onClick={() => onTogglePin(user.id, post.slug, Boolean(post.isPinned))}
-              >
+                  className="rounded-full bg-amber-50 px-3 py-1 text-xs font-medium text-amber-700 ring-1 ring-amber-100 hover:bg-amber-100"
-                删除内容
+                >
-              </button>
+                  {post.isPinned ? "取消置顶" : "置顶"}
+                </button>
+                <button
+                  type="button"
+                  onClick={() => onDeletePost(post.slug)}
+                  className="rounded-full bg-red-50 px-3 py-1 text-xs font-medium text-red-600 ring-1 ring-red-100 hover:bg-red-100"
+                >
+                  删除内容
+                </button>
+              </div>
             </div>
           ))
         )}

components/FavoriteButton.tsx

@@ -0,0 +1,70 @@
+"use client";
+
+import Link from "next/link";
+import { useState } from "react";
+
+type FavoriteButtonProps = {
+  slug: string;
+  initialFavorited: boolean;
+  initialCount: number;
+  canFavorite: boolean;
+};
+
+export function FavoriteButton({
+  slug,
+  initialFavorited,
+  initialCount,
+  canFavorite
+}: FavoriteButtonProps) {
+  const [favorited, setFavorited] = useState(initialFavorited);
+  const [count, setCount] = useState(initialCount);
+  const [loading, setLoading] = useState(false);
+
+  async function handleToggle() {
+    if (loading) return;
+
+    setLoading(true);
+    try {
+      const res = await fetch(`/api/posts/${slug}/favorite`, {
+        method: favorited ? "DELETE" : "POST"
+      });
+      const data = await res.json().catch(() => ({}));
+
+      if (!res.ok) {
+        alert(data.error || "收藏操作失败");
+        return;
+      }
+
+      setFavorited(Boolean(data.isFavorited));
+      setCount(typeof data.favoriteCount === "number" ? data.favoriteCount : count);
+    } finally {
+      setLoading(false);
+    }
+  }
+
+  if (!canFavorite) {
+    return (
+      <Link
+        href={`/login?next=/p/${encodeURIComponent(slug)}`}
+        className="rounded-full bg-amber-50 px-3 py-2 text-sm font-medium text-amber-700 ring-1 ring-amber-100 hover:bg-amber-100"
+      >
+        登录后收藏
+      </Link>
+    );
+  }
+
+  return (
+    <button
+      type="button"
+      onClick={handleToggle}
+      disabled={loading}
+      className={`rounded-full px-3 py-2 text-sm font-medium ring-1 transition disabled:cursor-not-allowed disabled:opacity-60 ${
+        favorited
+          ? "bg-rose-50 text-rose-700 ring-rose-100 hover:bg-rose-100"
+          : "bg-slate-100 text-slate-700 ring-slate-200 hover:bg-slate-200"
+      }`}
+    >
+      {loading ? "处理中..." : `${favorited ? "已收藏" : "收藏"} · ${count}`}
+    </button>
+  );
+}

components/PostCard.tsx

@@ -14,6 +14,11 @@ export function PostCard({ post }: Props) {
     <article className="group rounded-2xl bg-white/80 p-4 shadow-sm ring-1 ring-slate-100 transition-[transform,box-shadow] duration-300 will-change-transform transform-gpu hover:shadow-lg hover:[transform:perspective(900px)_translateY(-4px)_rotateX(2deg)_rotateY(-2deg)]">
       <div className="flex items-start justify-between gap-3">
         <div className="space-y-1">
+          {post.isPinned ? (
+            <span className="inline-flex rounded-full bg-amber-50 px-2 py-1 text-xs font-medium text-amber-700 ring-1 ring-amber-100">
+              置顶
+            </span>
+          ) : null}
           <Link
             href={`/p/${post.slug}`}
             className="block text-lg font-semibold text-slate-900 transition group-hover:text-brand-600"

lib/auth.ts

@@ -6,6 +6,9 @@ const encoder = new TextEncoder();
 let cachedKey: CryptoKey | null = null;
 let cachedSecret: string | null = null;
 
+export const USER_ROLE_VALUES = ["user", "sponsor", "admin"] as const;
+export type UserRole = (typeof USER_ROLE_VALUES)[number];
+
 function getSecret() {
   const secret = process.env.SESSION_SECRET;
   if (!secret) {
@@ -15,7 +18,7 @@ function getSecret() {
 }
 
 export type SessionPayload = {
-  role: "admin" | "user";
+  role: UserRole;
   iat: number;
   exp?: number;
   uid?: string;
@@ -33,6 +36,10 @@ export function isAdminName(name?: string | null) {
   return Boolean(adminName && value && adminName === value);
 }
 
+export function resolveUserRole(value?: unknown): UserRole | null {
+  return USER_ROLE_VALUES.includes(value as UserRole) ? (value as UserRole) : null;
+}
+
 export function isAdminSession(session?: SessionPayload | null) {
   return session?.role === "admin";
 }
@@ -41,6 +48,7 @@ async function getHmacKey(secret: string) {
   if (cachedKey && cachedSecret === secret) {
     return cachedKey;
   }
+
   cachedSecret = secret;
   cachedKey = await crypto.subtle.importKey(
     "raw",
@@ -67,14 +75,17 @@ export async function signSession(payload: SessionPayload): Promise<string> {
 
 export async function verifySession(token?: string): Promise<SessionPayload | null> {
   if (!token) return null;
+
   const secret = getSecret();
   const [base, sig] = token.split(".");
   if (!base || !sig) return null;
+
   const check = await hmacSha256(base, secret);
   if (check !== sig) return null;
+
   try {
     const payload = JSON.parse(Buffer.from(base, "base64url").toString());
-    if (payload?.role !== "admin" && payload?.role !== "user") {
+    if (!resolveUserRole(payload?.role)) {
       return null;
     }
     if (typeof payload?.exp !== "number") {
@@ -83,6 +94,7 @@ export async function verifySession(token?: string): Promise<SessionPayload | nu
     if (Date.now() > payload.exp) {
       return null;
     }
+
     return payload;
   } catch {
     return null;

lib/posts.ts

@@ -78,6 +78,18 @@ export function canDeletePost(doc: any, session?: SessionPayload | null) {
   return Boolean(doc && isAdminSession(session));
 }
 
+export function canPinPost(doc: any, session?: SessionPayload | null) {
+  return Boolean(doc && isAdminSession(session));
+}
+
+export function buildPinnedSort() {
+  return {
+    isPinned: -1 as const,
+    pinnedAt: -1 as const,
+    createdAt: -1 as const
+  };
+}
+
 export function serializePost(doc: any): Post {
   return {
     _id: doc._id?.toString(),
@@ -91,6 +103,10 @@ export function serializePost(doc: any): Post {
     ownerId: doc.ownerId,
     createdAt: doc.createdAt ?? new Date().toISOString(),
     updatedAt: doc.updatedAt ?? doc.createdAt ?? new Date().toISOString(),
-    views: doc.views ?? 0
+    views: doc.views ?? 0,
+    isPinned: Boolean(doc.isPinned),
+    pinnedAt: doc.pinnedAt,
+    favoriteCount: typeof doc.favoriteCount === "number" ? doc.favoriteCount : undefined,
+    isFavorited: typeof doc.isFavorited === "boolean" ? doc.isFavorited : undefined
   };
 }

types/post.ts

@@ -11,4 +11,8 @@ export type Post = {
   createdAt: string;
   updatedAt: string;
   views?: number;
+  isPinned?: boolean;
+  pinnedAt?: string;
+  favoriteCount?: number;
+  isFavorited?: boolean;
 };