fix(health): 患者摘要列表按 user_id 过滤

小程序 loadPatients() 现在只获取当前登录用户关联的患者，
不再返回整个租户的所有患者。修复 wx_7141 上传数据写到
错误 patient 记录下的问题。

- PatientListParams 增加 user_id 可选参数
- list_summaries 增加 user_id 过滤条件
- 小程序 getPatientSummaries 传入 userId
- auth store loadPatients 传入当前 user.id

apps/miniprogram/src/services/auth.ts

@@ -68,7 +68,9 @@ export interface PatientSummary {
 }
 
 /** 获取患者摘要列表（字段最小化，替代 getPatients） */
-export async function getPatientSummaries() {
+export async function getPatientSummaries(userId?: string) {
-  const res = await api.get<PaginatedData<PatientSummary>>('/health/patients/summary');
+  const params: Record<string, string> = {};
+  if (userId) params.user_id = userId;
+  const res = await api.get<PaginatedData<PatientSummary>>('/health/patients/summary', { params });
   return Array.isArray(res?.data) ? res.data : (Array.isArray(res) ? res : []);
 }

apps/miniprogram/src/stores/auth.ts

@@ -249,7 +249,8 @@ export const useAuthStore = create<AuthState>((set, get) => ({
 
   loadPatients: async () => {
     try {
-      const summaries = await authApi.getPatientSummaries();
+      const userId = get().user?.id;
+      const summaries = await authApi.getPatientSummaries(userId);
       const patients: authApi.PatientInfo[] = summaries.map((p) => ({
         id: p.id,
         name: p.name,

crates/erp-health/src/handler/patient_handler.rs

@@ -24,6 +24,9 @@ pub struct PatientListParams {
     pub page_size: Option<u64>,
     pub search: Option<String>,
     pub tag_id: Option<Uuid>,
+    /// Optional user_id filter — only return patients linked to this user.
+    /// Used by the mini-program to fetch only the logged-in user's own patients.
+    pub user_id: Option<Uuid>,
 }
 
 /// 分配医生请求
@@ -70,7 +73,9 @@ where
     require_permission(&ctx, "health.patient.list")?;
     let page = params.page.unwrap_or(1);
     let page_size = params.page_size.unwrap_or(20).min(100);
-    let result = patient_service::list_summaries(&state, ctx.tenant_id, page, page_size).await?;
+    let result =
+        patient_service::list_summaries(&state, ctx.tenant_id, page, page_size, params.user_id)
+            .await?;
     Ok(Json(ApiResponse::ok(result)))
 }
 

crates/erp-health/src/service/patient_service/crud.rs

@@ -552,19 +552,27 @@ pub async fn bind_by_phone(
 }
 
 /// 患者摘要列表 — 仅返回非敏感字段，供小程序切换/列表使用
+///
+/// When `user_id` is provided, only patients linked to that user are returned.
+/// This allows the mini-program to fetch only the logged-in user's own patients.
 pub async fn list_summaries(
     state: &HealthState,
     tenant_id: Uuid,
     page: u64,
     page_size: u64,
+    user_id: Option<Uuid>,
 ) -> HealthResult<PaginatedResponse<PatientSummary>> {
     let limit = page_size.min(100);
     let offset = page.saturating_sub(1) * limit;
 
-    let query = patient::Entity::find()
+    let mut query = patient::Entity::find()
         .filter(patient::Column::TenantId.eq(tenant_id))
         .filter(patient::Column::DeletedAt.is_null());
 
+    if let Some(uid) = user_id {
+        query = query.filter(patient::Column::UserId.eq(uid));
+    }
+
     let total = query.clone().count(&state.db).await?;
 
     let models = query