fix(health): 修复审计发现的 10 个 CRITICAL 问题

权限与安全: - 为全部 51 个 handler 端点添加 require_permission 权限检查 - 修复 CAS 预约操作中 doctor_id 为 None 时使用 Uuid::nil() 的问题状态机修复: - 预约初始状态从 "scheduled" 改为 "pending"（匹配设计规格） - 排班状态从 "active" 改为 "enabled" - 咨询会话添加 waiting→active 自动触发（首条消息时） - 新增 create_session 端点和 DTO 数据完整性: - doctor_profile 表添加 name 列（entity + migration + service） - lab_report/health_trend 的 json 列改为 json_binary（支持 GIN 索引） - 添加关键索引：patient.id_number UNIQUE、patient_tag UNIQUE、 doctor_schedule 唯一排班槽位、health_trend、doctor_profile.name - 随访记录完成后自动检查 next_follow_up_date 创建后续任务事件总线: - 实现 10 种核心事件发布（patient/appointment/follow_up/consultation/lab_report） - 实现 workflow.task.completed 和 message.sent 事件订阅框架种子数据: - 实现 seed_tenant_health（8 个默认患者标签） - 实现 soft_delete_tenant_data（16 张表级联软删除）
2026-04-23 23:25:53 +08:00
parent d6678d001e
commit 2e9eb55f2c
18 changed files with 423 additions and 31 deletions
--- a/crates/erp-health/src/handler/patient_handler.rs
+++ b/crates/erp-health/src/handler/patient_handler.rs
@@ -5,6 +5,7 @@ use utoipa::IntoParams;
 use uuid::Uuid;

 use erp_core::error::AppError;
+use erp_core::rbac::require_permission;
 use erp_core::types::{ApiResponse, PaginatedResponse, TenantContext};

 use crate::dto::patient_dto::{
@@ -38,6 +39,7 @@ where
    HealthState: FromRef<S>,
    S: Clone + Send + Sync + 'static,
 {
+    require_permission(&ctx, "health.patient.list")?;
    let page = params.page.unwrap_or(1);
    let page_size = params.page_size.unwrap_or(20);
    let result = patient_service::list_patients(
@@ -56,6 +58,7 @@ where
    HealthState: FromRef<S>,
    S: Clone + Send + Sync + 'static,
 {
+    require_permission(&ctx, "health.patient.manage")?;
    let result = patient_service::create_patient(
        &state, ctx.tenant_id, Some(ctx.user_id), req,
    )
@@ -72,6 +75,7 @@ where
    HealthState: FromRef<S>,
    S: Clone + Send + Sync + 'static,
 {
+    require_permission(&ctx, "health.patient.list")?;
    let result = patient_service::get_patient(&state, ctx.tenant_id, id).await?;
    Ok(Json(ApiResponse::ok(result)))
 }
@@ -86,6 +90,7 @@ where
    HealthState: FromRef<S>,
    S: Clone + Send + Sync + 'static,
 {
+    require_permission(&ctx, "health.patient.manage")?;
    let version = req.version;
    let update = UpdatePatientReq {
        name: req.name,
@@ -116,6 +121,7 @@ where
    HealthState: FromRef<S>,
    S: Clone + Send + Sync + 'static,
 {
+    require_permission(&ctx, "health.patient.manage")?;
    patient_service::delete_patient(&state, ctx.tenant_id, id, Some(ctx.user_id)).await?;
    Ok(Json(ApiResponse::ok(())))
 }
@@ -130,6 +136,7 @@ where
    HealthState: FromRef<S>,
    S: Clone + Send + Sync + 'static,
 {
+    require_permission(&ctx, "health.patient.manage")?;
    patient_service::manage_patient_tags(&state, ctx.tenant_id, id, req, Some(ctx.user_id)).await?;
    Ok(Json(ApiResponse::ok(())))
 }
@@ -143,6 +150,7 @@ where
    HealthState: FromRef<S>,
    S: Clone + Send + Sync + 'static,
 {
+    require_permission(&ctx, "health.patient.list")?;
    let result = patient_service::get_health_summary(&state, ctx.tenant_id, id).await?;
    Ok(Json(ApiResponse::ok(result)))
 }
@@ -156,6 +164,7 @@ where
    HealthState: FromRef<S>,
    S: Clone + Send + Sync + 'static,
 {
+    require_permission(&ctx, "health.patient.list")?;
    let result = patient_service::list_family_members(&state, ctx.tenant_id, id).await?;
    Ok(Json(ApiResponse::ok(result)))
 }
@@ -170,6 +179,7 @@ where
    HealthState: FromRef<S>,
    S: Clone + Send + Sync + 'static,
 {
+    require_permission(&ctx, "health.patient.manage")?;
    let result = patient_service::create_family_member(
        &state, ctx.tenant_id, id, Some(ctx.user_id), req,
    )
@@ -187,6 +197,7 @@ where
    HealthState: FromRef<S>,
    S: Clone + Send + Sync + 'static,
 {
+    require_permission(&ctx, "health.patient.manage")?;
    let version = req.version;
    let update = FamilyMemberReq {
        name: req.name,
@@ -211,6 +222,7 @@ where
    HealthState: FromRef<S>,
    S: Clone + Send + Sync + 'static,
 {
+    require_permission(&ctx, "health.patient.manage")?;
    patient_service::delete_family_member(
        &state, ctx.tenant_id, patient_id, member_id, Some(ctx.user_id),
    )
@@ -228,6 +240,7 @@ where
    HealthState: FromRef<S>,
    S: Clone + Send + Sync + 'static,
 {
+    require_permission(&ctx, "health.patient.manage")?;
    patient_service::assign_doctor(
        &state,
        ctx.tenant_id,
@@ -249,6 +262,7 @@ where
    HealthState: FromRef<S>,
    S: Clone + Send + Sync + 'static,
 {
+    require_permission(&ctx, "health.patient.manage")?;
    patient_service::remove_doctor(&state, ctx.tenant_id, patient_id, doctor_id).await?;
    Ok(Json(ApiResponse::ok(())))
 }