fix(health): 修复审计发现的 10 个 CRITICAL 问题

权限与安全: - 为全部 51 个 handler 端点添加 require_permission 权限检查 - 修复 CAS 预约操作中 doctor_id 为 None 时使用 Uuid::nil() 的问题状态机修复: - 预约初始状态从 "scheduled" 改为 "pending"（匹配设计规格） - 排班状态从 "active" 改为 "enabled" - 咨询会话添加 waiting→active 自动触发（首条消息时） - 新增 create_session 端点和 DTO 数据完整性: - doctor_profile 表添加 name 列（entity + migration + service） - lab_report/health_trend 的 json 列改为 json_binary（支持 GIN 索引） - 添加关键索引：patient.id_number UNIQUE、patient_tag UNIQUE、 doctor_schedule 唯一排班槽位、health_trend、doctor_profile.name - 随访记录完成后自动检查 next_follow_up_date 创建后续任务事件总线: - 实现 10 种核心事件发布（patient/appointment/follow_up/consultation/lab_report） - 实现 workflow.task.completed 和 message.sent 事件订阅框架种子数据: - 实现 seed_tenant_health（8 个默认患者标签） - 实现 soft_delete_tenant_data（16 张表级联软删除）
2026-04-23 23:25:53 +08:00
parent d6678d001e
commit 2e9eb55f2c
18 changed files with 423 additions and 31 deletions
--- a/crates/erp-health/src/handler/appointment_handler.rs
+++ b/crates/erp-health/src/handler/appointment_handler.rs
@@ -5,6 +5,7 @@ use utoipa::IntoParams;
 use uuid::Uuid;

 use erp_core::error::AppError;
+use erp_core::rbac::require_permission;
 use erp_core::types::{ApiResponse, PaginatedResponse, TenantContext};

 use crate::dto::appointment_dto::*;
@@ -59,6 +60,7 @@ where
    HealthState: FromRef<S>,
    S: Clone + Send + Sync + 'static,
 {
+    require_permission(&ctx, "health.appointment.list")?;
    let page = params.page.unwrap_or(1);
    let page_size = params.page_size.unwrap_or(20);
    let result = appointment_service::list_appointments(
@@ -78,6 +80,7 @@ where
    HealthState: FromRef<S>,
    S: Clone + Send + Sync + 'static,
 {
+    require_permission(&ctx, "health.appointment.manage")?;
    let result = appointment_service::create_appointment(
        &state, ctx.tenant_id, Some(ctx.user_id), req,
    )
@@ -95,6 +98,7 @@ where
    HealthState: FromRef<S>,
    S: Clone + Send + Sync + 'static,
 {
+    require_permission(&ctx, "health.appointment.manage")?;
    let update_req = UpdateAppointmentStatusReq {
        status: req.status,
        cancel_reason: req.cancel_reason,
@@ -115,6 +119,7 @@ where
    HealthState: FromRef<S>,
    S: Clone + Send + Sync + 'static,
 {
+    require_permission(&ctx, "health.appointment.list")?;
    let page = params.page.unwrap_or(1);
    let page_size = params.page_size.unwrap_or(20);
    let result = appointment_service::list_schedules(
@@ -133,6 +138,7 @@ where
    HealthState: FromRef<S>,
    S: Clone + Send + Sync + 'static,
 {
+    require_permission(&ctx, "health.appointment.manage")?;
    let result = appointment_service::create_schedule(
        &state, ctx.tenant_id, Some(ctx.user_id), req,
    )
@@ -150,6 +156,7 @@ where
    HealthState: FromRef<S>,
    S: Clone + Send + Sync + 'static,
 {
+    require_permission(&ctx, "health.appointment.manage")?;
    let result = appointment_service::update_schedule(
        &state, ctx.tenant_id, id, Some(ctx.user_id), req.data, req.version,
    )
@@ -166,6 +173,7 @@ where
    HealthState: FromRef<S>,
    S: Clone + Send + Sync + 'static,
 {
+    require_permission(&ctx, "health.appointment.list")?;
    let result = appointment_service::calendar_view(
        &state, ctx.tenant_id, params.start_date, params.end_date, params.doctor_id,
    )