feat(health): 为所有 DTO 添加 sanitize 防止存储型 XSS
覆盖 patient/health_data/appointment/follow_up/consultation/doctor 6 个 DTO 模块共 14 个请求结构体,在 handler 层统一调用 sanitize。
This commit is contained in:
iven
@@ -81,6 +81,8 @@ where
|
||||
S: Clone + Send + Sync + 'static,
|
||||
{
|
||||
require_permission(&ctx, "health.appointment.manage")?;
|
||||
let mut req = req;
|
||||
req.sanitize();
|
||||
let result = appointment_service::create_appointment(
|
||||
&state, ctx.tenant_id, Some(ctx.user_id), req,
|
||||
)
|
||||
@@ -113,10 +115,11 @@ where
|
||||
S: Clone + Send + Sync + 'static,
|
||||
{
|
||||
require_permission(&ctx, "health.appointment.manage")?;
|
||||
let update_req = UpdateAppointmentStatusReq {
|
||||
let mut update_req = UpdateAppointmentStatusReq {
|
||||
status: req.status,
|
||||
cancel_reason: req.cancel_reason,
|
||||
};
|
||||
update_req.sanitize();
|
||||
let result = appointment_service::update_appointment_status(
|
||||
&state, ctx.tenant_id, id, Some(ctx.user_id), update_req, req.version,
|
||||
)
|
||||
|
||||
@@ -131,13 +131,14 @@ where
|
||||
S: Clone + Send + Sync + 'static,
|
||||
{
|
||||
require_permission(&ctx, "health.consultation.manage")?;
|
||||
let msg_req = CreateMessageReq {
|
||||
let mut msg_req = CreateMessageReq {
|
||||
session_id: req.session_id,
|
||||
sender_id: ctx.user_id,
|
||||
sender_role: "doctor".to_string(),
|
||||
content_type: req.content_type,
|
||||
content: req.content,
|
||||
};
|
||||
msg_req.sanitize();
|
||||
let result = consultation_service::create_message(
|
||||
&state, ctx.tenant_id, Some(ctx.user_id), msg_req,
|
||||
)
|
||||
|
||||
@@ -62,6 +62,8 @@ where
|
||||
S: Clone + Send + Sync + 'static,
|
||||
{
|
||||
require_permission(&ctx, "health.doctor.manage")?;
|
||||
let mut req = req;
|
||||
req.sanitize();
|
||||
let result = doctor_service::create_doctor(
|
||||
&state, ctx.tenant_id, Some(ctx.user_id), req,
|
||||
)
|
||||
@@ -94,8 +96,10 @@ where
|
||||
S: Clone + Send + Sync + 'static,
|
||||
{
|
||||
require_permission(&ctx, "health.doctor.manage")?;
|
||||
let mut data = req.data;
|
||||
data.sanitize();
|
||||
let result = doctor_service::update_doctor(
|
||||
&state, ctx.tenant_id, id, Some(ctx.user_id), req.data, req.version,
|
||||
&state, ctx.tenant_id, id, Some(ctx.user_id), data, req.version,
|
||||
)
|
||||
.await?;
|
||||
Ok(Json(ApiResponse::ok(result)))
|
||||
|
||||
@@ -85,6 +85,8 @@ where
|
||||
S: Clone + Send + Sync + 'static,
|
||||
{
|
||||
require_permission(&ctx, "health.follow-up.manage")?;
|
||||
let mut req = req;
|
||||
req.sanitize();
|
||||
let result = follow_up_service::create_task(
|
||||
&state, ctx.tenant_id, Some(ctx.user_id), req,
|
||||
)
|
||||
@@ -103,8 +105,10 @@ where
|
||||
S: Clone + Send + Sync + 'static,
|
||||
{
|
||||
require_permission(&ctx, "health.follow-up.manage")?;
|
||||
let mut data = req.data;
|
||||
data.sanitize();
|
||||
let result = follow_up_service::update_task(
|
||||
&state, ctx.tenant_id, id, Some(ctx.user_id), req.data, req.version,
|
||||
&state, ctx.tenant_id, id, Some(ctx.user_id), data, req.version,
|
||||
)
|
||||
.await?;
|
||||
Ok(Json(ApiResponse::ok(result)))
|
||||
@@ -139,6 +143,8 @@ where
|
||||
if req.task_id != task_id {
|
||||
return Err(AppError::Validation("路径中的 task_id 与请求体不一致".to_string()));
|
||||
}
|
||||
let mut req = req;
|
||||
req.sanitize();
|
||||
let result = follow_up_service::create_record(
|
||||
&state, ctx.tenant_id, Some(ctx.user_id), req,
|
||||
)
|
||||
|
||||
@@ -80,6 +80,8 @@ where
|
||||
S: Clone + Send + Sync + 'static,
|
||||
{
|
||||
require_permission(&ctx, "health.health-data.manage")?;
|
||||
let mut req = req;
|
||||
req.sanitize();
|
||||
let result = health_data_service::create_vital_signs(
|
||||
&state, ctx.tenant_id, patient_id, Some(ctx.user_id), req,
|
||||
)
|
||||
@@ -98,8 +100,10 @@ where
|
||||
S: Clone + Send + Sync + 'static,
|
||||
{
|
||||
require_permission(&ctx, "health.health-data.manage")?;
|
||||
let mut data = req.data;
|
||||
data.sanitize();
|
||||
let result = health_data_service::update_vital_signs(
|
||||
&state, ctx.tenant_id, patient_id, vid, Some(ctx.user_id), req.data, req.version,
|
||||
&state, ctx.tenant_id, patient_id, vid, Some(ctx.user_id), data, req.version,
|
||||
)
|
||||
.await?;
|
||||
Ok(Json(ApiResponse::ok(result)))
|
||||
@@ -155,6 +159,8 @@ where
|
||||
S: Clone + Send + Sync + 'static,
|
||||
{
|
||||
require_permission(&ctx, "health.health-data.manage")?;
|
||||
let mut req = req;
|
||||
req.sanitize();
|
||||
let result = health_data_service::create_lab_report(
|
||||
&state, ctx.tenant_id, patient_id, Some(ctx.user_id), req,
|
||||
)
|
||||
@@ -173,8 +179,10 @@ where
|
||||
S: Clone + Send + Sync + 'static,
|
||||
{
|
||||
require_permission(&ctx, "health.health-data.manage")?;
|
||||
let mut data = req.data;
|
||||
data.sanitize();
|
||||
let result = health_data_service::update_lab_report(
|
||||
&state, ctx.tenant_id, _patient_id, rid, Some(ctx.user_id), req.data, req.version,
|
||||
&state, ctx.tenant_id, _patient_id, rid, Some(ctx.user_id), data, req.version,
|
||||
)
|
||||
.await?;
|
||||
Ok(Json(ApiResponse::ok(result)))
|
||||
@@ -230,6 +238,8 @@ where
|
||||
S: Clone + Send + Sync + 'static,
|
||||
{
|
||||
require_permission(&ctx, "health.health-data.manage")?;
|
||||
let mut req = req;
|
||||
req.sanitize();
|
||||
let result = health_data_service::create_health_record(
|
||||
&state, ctx.tenant_id, patient_id, Some(ctx.user_id), req,
|
||||
)
|
||||
@@ -248,8 +258,10 @@ where
|
||||
S: Clone + Send + Sync + 'static,
|
||||
{
|
||||
require_permission(&ctx, "health.health-data.manage")?;
|
||||
let mut data = req.data;
|
||||
data.sanitize();
|
||||
let result = health_data_service::update_health_record(
|
||||
&state, ctx.tenant_id, patient_id, rid, Some(ctx.user_id), req.data, req.version,
|
||||
&state, ctx.tenant_id, patient_id, rid, Some(ctx.user_id), data, req.version,
|
||||
)
|
||||
.await?;
|
||||
Ok(Json(ApiResponse::ok(result)))
|
||||
|
||||
@@ -64,6 +64,8 @@ where
|
||||
S: Clone + Send + Sync + 'static,
|
||||
{
|
||||
require_permission(&ctx, "health.patient.manage")?;
|
||||
let mut req = req;
|
||||
req.sanitize();
|
||||
let result = patient_service::create_patient(
|
||||
&state, ctx.tenant_id, Some(ctx.user_id), req,
|
||||
)
|
||||
@@ -97,7 +99,7 @@ where
|
||||
{
|
||||
require_permission(&ctx, "health.patient.manage")?;
|
||||
let version = req.version;
|
||||
let update = UpdatePatientReq {
|
||||
let mut update = UpdatePatientReq {
|
||||
name: req.name,
|
||||
gender: req.gender,
|
||||
birth_date: req.birth_date,
|
||||
@@ -112,6 +114,7 @@ where
|
||||
status: req.status,
|
||||
verification_status: req.verification_status,
|
||||
};
|
||||
update.sanitize();
|
||||
let result = patient_service::update_patient(
|
||||
&state, ctx.tenant_id, id, Some(ctx.user_id), update, version,
|
||||
)
|
||||
@@ -188,6 +191,8 @@ where
|
||||
S: Clone + Send + Sync + 'static,
|
||||
{
|
||||
require_permission(&ctx, "health.patient.manage")?;
|
||||
let mut req = req;
|
||||
req.sanitize();
|
||||
let result = patient_service::create_family_member(
|
||||
&state, ctx.tenant_id, id, Some(ctx.user_id), req,
|
||||
)
|
||||
@@ -207,13 +212,14 @@ where
|
||||
{
|
||||
require_permission(&ctx, "health.patient.manage")?;
|
||||
let version = req.version;
|
||||
let update = FamilyMemberReq {
|
||||
let mut update = FamilyMemberReq {
|
||||
name: req.name,
|
||||
relationship: req.relationship,
|
||||
phone: req.phone,
|
||||
birth_date: req.birth_date,
|
||||
notes: req.notes,
|
||||
};
|
||||
update.sanitize();
|
||||
let result = patient_service::update_family_member(
|
||||
&state, ctx.tenant_id, _patient_id, member_id, Some(ctx.user_id), update, version,
|
||||
)
|
||||
|
||||
Reference in New Issue
Block a user