fix(health): 修复审计发现的 10 个 CRITICAL 问题

权限与安全: - 为全部 51 个 handler 端点添加 require_permission 权限检查 - 修复 CAS 预约操作中 doctor_id 为 None 时使用 Uuid::nil() 的问题状态机修复: - 预约初始状态从 "scheduled" 改为 "pending"（匹配设计规格） - 排班状态从 "active" 改为 "enabled" - 咨询会话添加 waiting→active 自动触发（首条消息时） - 新增 create_session 端点和 DTO 数据完整性: - doctor_profile 表添加 name 列（entity + migration + service） - lab_report/health_trend 的 json 列改为 json_binary（支持 GIN 索引） - 添加关键索引：patient.id_number UNIQUE、patient_tag UNIQUE、 doctor_schedule 唯一排班槽位、health_trend、doctor_profile.name - 随访记录完成后自动检查 next_follow_up_date 创建后续任务事件总线: - 实现 10 种核心事件发布（patient/appointment/follow_up/consultation/lab_report） - 实现 workflow.task.completed 和 message.sent 事件订阅框架种子数据: - 实现 seed_tenant_health（8 个默认患者标签） - 实现 soft_delete_tenant_data（16 张表级联软删除）
2026-04-23 23:25:53 +08:00
parent d6678d001e
commit 2e9eb55f2c
18 changed files with 423 additions and 31 deletions
--- a/crates/erp-health/src/handler/health_data_handler.rs
+++ b/crates/erp-health/src/handler/health_data_handler.rs
@@ -5,6 +5,7 @@ use utoipa::IntoParams;
 use uuid::Uuid;

 use erp_core::error::AppError;
+use erp_core::rbac::require_permission;
 use erp_core::types::{ApiResponse, PaginatedResponse, TenantContext};

 use crate::dto::health_data_dto::*;
@@ -53,6 +54,7 @@ where
    HealthState: FromRef<S>,
    S: Clone + Send + Sync + 'static,
 {
+    require_permission(&ctx, "health.health-data.list")?;
    let page = params.page.unwrap_or(1);
    let page_size = params.page_size.unwrap_or(20);
    let result = health_data_service::list_vital_signs(
@@ -72,6 +74,7 @@ where
    HealthState: FromRef<S>,
    S: Clone + Send + Sync + 'static,
 {
+    require_permission(&ctx, "health.health-data.manage")?;
    let result = health_data_service::create_vital_signs(
        &state, ctx.tenant_id, patient_id, Some(ctx.user_id), req,
    )
@@ -89,6 +92,7 @@ where
    HealthState: FromRef<S>,
    S: Clone + Send + Sync + 'static,
 {
+    require_permission(&ctx, "health.health-data.manage")?;
    let result = health_data_service::update_vital_signs(
        &state, ctx.tenant_id, patient_id, vid, Some(ctx.user_id), req.data, req.version,
    )
@@ -105,6 +109,7 @@ where
    HealthState: FromRef<S>,
    S: Clone + Send + Sync + 'static,
 {
+    require_permission(&ctx, "health.health-data.manage")?;
    health_data_service::delete_vital_signs(&state, ctx.tenant_id, vid, Some(ctx.user_id)).await?;
    Ok(Json(ApiResponse::ok(())))
 }
@@ -123,6 +128,7 @@ where
    HealthState: FromRef<S>,
    S: Clone + Send + Sync + 'static,
 {
+    require_permission(&ctx, "health.health-data.list")?;
    let page = params.page.unwrap_or(1);
    let page_size = params.page_size.unwrap_or(20);
    let result = health_data_service::list_lab_reports(
@@ -142,6 +148,7 @@ where
    HealthState: FromRef<S>,
    S: Clone + Send + Sync + 'static,
 {
+    require_permission(&ctx, "health.health-data.manage")?;
    let result = health_data_service::create_lab_report(
        &state, ctx.tenant_id, patient_id, Some(ctx.user_id), req,
    )
@@ -159,6 +166,7 @@ where
    HealthState: FromRef<S>,
    S: Clone + Send + Sync + 'static,
 {
+    require_permission(&ctx, "health.health-data.manage")?;
    let result = health_data_service::update_lab_report(
        &state, ctx.tenant_id, rid, Some(ctx.user_id), req.data, req.version,
    )
@@ -175,6 +183,7 @@ where
    HealthState: FromRef<S>,
    S: Clone + Send + Sync + 'static,
 {
+    require_permission(&ctx, "health.health-data.manage")?;
    health_data_service::delete_lab_report(&state, ctx.tenant_id, rid, Some(ctx.user_id)).await?;
    Ok(Json(ApiResponse::ok(())))
 }
@@ -193,6 +202,7 @@ where
    HealthState: FromRef<S>,
    S: Clone + Send + Sync + 'static,
 {
+    require_permission(&ctx, "health.health-data.list")?;
    let page = params.page.unwrap_or(1);
    let page_size = params.page_size.unwrap_or(20);
    let result = health_data_service::list_health_records(
@@ -212,6 +222,7 @@ where
    HealthState: FromRef<S>,
    S: Clone + Send + Sync + 'static,
 {
+    require_permission(&ctx, "health.health-data.manage")?;
    let result = health_data_service::create_health_record(
        &state, ctx.tenant_id, patient_id, Some(ctx.user_id), req,
    )
@@ -229,6 +240,7 @@ where
    HealthState: FromRef<S>,
    S: Clone + Send + Sync + 'static,
 {
+    require_permission(&ctx, "health.health-data.manage")?;
    let result = health_data_service::update_health_record(
        &state, ctx.tenant_id, rid, Some(ctx.user_id), req.data, req.version,
    )
@@ -245,6 +257,7 @@ where
    HealthState: FromRef<S>,
    S: Clone + Send + Sync + 'static,
 {
+    require_permission(&ctx, "health.health-data.manage")?;
    health_data_service::delete_health_record(&state, ctx.tenant_id, rid, Some(ctx.user_id)).await?;
    Ok(Json(ApiResponse::ok(())))
 }
@@ -263,6 +276,7 @@ where
    HealthState: FromRef<S>,
    S: Clone + Send + Sync + 'static,
 {
+    require_permission(&ctx, "health.health-data.list")?;
    let page = params.page.unwrap_or(1);
    let page_size = params.page_size.unwrap_or(20);
    let result = health_data_service::list_trends(
@@ -282,6 +296,7 @@ where
    HealthState: FromRef<S>,
    S: Clone + Send + Sync + 'static,
 {
+    require_permission(&ctx, "health.health-data.manage")?;
    let result = health_data_service::generate_trend(
        &state, ctx.tenant_id, patient_id, Some(ctx.user_id), req.period_start, req.period_end,
    )
@@ -299,6 +314,7 @@ where
    HealthState: FromRef<S>,
    S: Clone + Send + Sync + 'static,
 {
+    require_permission(&ctx, "health.health-data.list")?;
    let result = health_data_service::get_indicator_timeseries(
        &state, ctx.tenant_id, patient_id, indicator, params.start_date, params.end_date,
    )