From d70b027f20d66d302c30c7371928e08f695b2c87 Mon Sep 17 00:00:00 2001 From: iven Date: Thu, 21 May 2026 22:38:29 +0800 Subject: [PATCH] =?UTF-8?q?fix(health):=20=E5=85=A8=20handler=20page=5Fsiz?= =?UTF-8?q?e=20=E4=B8=8A=E9=99=90=20100=20=E9=98=B2=E6=AD=A2=20DoS?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit 22 个 handler 文件统一添加 .min(100) 限制分页大小 --- crates/erp-health/src/handler/alert_handler.rs | 2 +- .../erp-health/src/handler/alert_rule_handler.rs | 2 +- .../src/handler/appointment_handler.rs | 4 ++-- .../src/handler/ble_gateway_handler.rs | 2 +- .../erp-health/src/handler/care_plan_handler.rs | 4 ++-- crates/erp-health/src/handler/consent_handler.rs | 2 +- .../src/handler/critical_alert_handler.rs | 2 +- crates/erp-health/src/handler/device_handler.rs | 2 +- .../src/handler/device_reading_handler.rs | 4 ++-- .../erp-health/src/handler/diagnosis_handler.rs | 2 +- crates/erp-health/src/handler/doctor_handler.rs | 2 +- .../erp-health/src/handler/follow_up_handler.rs | 4 ++-- .../src/handler/follow_up_template_handler.rs | 2 +- .../src/handler/medication_record_handler.rs | 2 +- .../src/handler/medication_reminder_handler.rs | 2 +- crates/erp-health/src/handler/patient_handler.rs | 2 +- crates/erp-health/src/handler/points_handler.rs | 16 ++++++++-------- crates/erp-health/src/handler/shift_handler.rs | 2 +- 18 files changed, 29 insertions(+), 29 deletions(-) diff --git a/crates/erp-health/src/handler/alert_handler.rs b/crates/erp-health/src/handler/alert_handler.rs index ea2d73c..73a8864 100644 --- a/crates/erp-health/src/handler/alert_handler.rs +++ b/crates/erp-health/src/handler/alert_handler.rs @@ -33,7 +33,7 @@ where { require_permission(&ctx, "health.alerts.list")?; let page = query.page.unwrap_or(1); - let page_size = query.page_size.unwrap_or(20); + let page_size = query.page_size.unwrap_or(20).min(100); let (items, total) = alert_service::list_alerts( &state, 
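Review bot: `.min(100)` bounds only the upper end of page_size, so `page_size=0` (and a negative value, if the field is signed) still reaches alert_service::list_alerts unchanged, and `page` keeps no lower bound at all, so `page=0` would make a `(page - 1) * page_size` offset underflow (a panic in debug, a wrap-around to a huge offset in release) if the service computes it on an unsigned type — that computation is not visible here. I would write `let page = query.page.unwrap_or(1).max(1);` and `let page_size = query.page_size.unwrap_or(20).clamp(1, 100);` instead. The same applies to every other hunk in this patch (alert_rule, appointment, ble_gateway, care_plan, consent, critical_alert, device, device_reading, diagnosis, doctor, follow_up, follow_up_template, medication_record, medication_reminder, patient, points and shift handlers), so a single shared helper that takes the two `Option` fields with the types the query structs use, returns the clamped pair and reads the limit from a named `MAX_PAGE_SIZE` constant would keep the bound from drifting between the 29 copies. Clamping silently changes what the client asked for; if that is the intended contract rather than a 400 for out-of-range values, a comment such as `// page_size is silently capped at 100, not rejected` at the helper (or at each site) would record it. The enclosing handler starts and ends outside the hunk.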
diff --git a/crates/erp-health/src/handler/alert_rule_handler.rs b/crates/erp-health/src/handler/alert_rule_handler.rs index 7c39661..adfa48b 100644 --- a/crates/erp-health/src/handler/alert_rule_handler.rs +++ b/crates/erp-health/src/handler/alert_rule_handler.rs @@ -36,7 +36,7 @@ where { require_permission(&ctx, "health.alert-rules.list")?; let page = query.page.unwrap_or(1); - let page_size = query.page_size.unwrap_or(20); + let page_size = query.page_size.unwrap_or(20).min(100); let (items, total) = alert_rule_service::list_rules( &state, diff --git a/crates/erp-health/src/handler/appointment_handler.rs b/crates/erp-health/src/handler/appointment_handler.rs index 050116f..e4680b9 100644 --- a/crates/erp-health/src/handler/appointment_handler.rs +++ b/crates/erp-health/src/handler/appointment_handler.rs @@ -62,7 +62,7 @@ where { require_permission(&ctx, "health.appointment.list")?; let page = params.page.unwrap_or(1); - let page_size = params.page_size.unwrap_or(20); + let page_size = params.page_size.unwrap_or(20).min(100); let result = appointment_service::list_appointments( &state, ctx.tenant_id, @@ -148,7 +148,7 @@ where { require_permission(&ctx, "health.appointment.list")?; let page = params.page.unwrap_or(1); - let page_size = params.page_size.unwrap_or(20); + let page_size = params.page_size.unwrap_or(20).min(100); let result = appointment_service::list_schedules( &state, ctx.tenant_id, diff --git a/crates/erp-health/src/handler/ble_gateway_handler.rs b/crates/erp-health/src/handler/ble_gateway_handler.rs index 68a6a09..c9929a7 100644 --- a/crates/erp-health/src/handler/ble_gateway_handler.rs +++ b/crates/erp-health/src/handler/ble_gateway_handler.rs 
@@ -138,7 +138,7 @@ where { require_permission(&ctx, "health.ble-gateways.list")?; let page = params.page.unwrap_or(1); - let page_size = params.page_size.unwrap_or(20); + let page_size = params.page_size.unwrap_or(20).min(100); let result = ble_gateway_service::list_bindings(&state, ctx.tenant_id, gateway_id, page, page_size) .await?; diff --git a/crates/erp-health/src/handler/care_plan_handler.rs b/crates/erp-health/src/handler/care_plan_handler.rs index 092b4f9..a68eeb0 100644 --- a/crates/erp-health/src/handler/care_plan_handler.rs +++ b/crates/erp-health/src/handler/care_plan_handler.rs @@ -118,7 +118,7 @@ where { require_permission(&ctx, "health.care-plan.list")?; let page = params.page.unwrap_or(1); - let page_size = params.page_size.unwrap_or(20); + let page_size = params.page_size.unwrap_or(20).min(100); let result = care_plan_service::list_care_plan_items(&state, ctx.tenant_id, plan_id, page, page_size) .await?; @@ -211,7 +211,7 @@ where { require_permission(&ctx, "health.care-plan.list")?; let page = params.page.unwrap_or(1); - let page_size = params.page_size.unwrap_or(20); + let page_size = params.page_size.unwrap_or(20).min(100); let result = care_plan_service::list_care_plan_outcomes(&state, ctx.tenant_id, plan_id, page, page_size) .await?; diff --git a/crates/erp-health/src/handler/consent_handler.rs b/crates/erp-health/src/handler/consent_handler.rs index 825b8e3..5de0675 100644 --- a/crates/erp-health/src/handler/consent_handler.rs +++ b/crates/erp-health/src/handler/consent_handler.rs @@ -35,7 +35,7 @@ where { require_permission(&ctx, "health.consent.list")?; let page = params.page.unwrap_or(1); - let page_size = params.page_size.unwrap_or(20); + let page_size = params.page_size.unwrap_or(20).min(100); let result = consent_service::list_consents(&state, ctx.tenant_id, patient_id, page, page_size).await?; Ok(Json(ApiResponse::ok(result))) 
diff --git a/crates/erp-health/src/handler/critical_alert_handler.rs b/crates/erp-health/src/handler/critical_alert_handler.rs index 935b82e..5dcbbfb 100644 --- a/crates/erp-health/src/handler/critical_alert_handler.rs +++ b/crates/erp-health/src/handler/critical_alert_handler.rs @@ -29,7 +29,7 @@ where { require_permission(&ctx, "health.critical-alerts.list")?; let page = query.page.unwrap_or(1); - let page_size = query.page_size.unwrap_or(20); + let page_size = query.page_size.unwrap_or(20).min(100); let (items, total) = critical_alert_service::list_pending_alerts(&state, ctx.tenant_id, page, page_size) diff --git a/crates/erp-health/src/handler/device_handler.rs b/crates/erp-health/src/handler/device_handler.rs index 0cb8095..448052f 100644 --- a/crates/erp-health/src/handler/device_handler.rs +++ b/crates/erp-health/src/handler/device_handler.rs @@ -48,7 +48,7 @@ where { require_permission(&ctx, "health.devices.list")?; let page = query.page.unwrap_or(1); - let page_size = query.page_size.unwrap_or(20); + let page_size = query.page_size.unwrap_or(20).min(100); let (items, total) = device_service::list_devices( &state, diff --git a/crates/erp-health/src/handler/device_reading_handler.rs b/crates/erp-health/src/handler/device_reading_handler.rs index 890ab65..c9019fa 100644 --- a/crates/erp-health/src/handler/device_reading_handler.rs +++ b/crates/erp-health/src/handler/device_reading_handler.rs @@ -76,7 +76,7 @@ where { require_permission(&ctx, "health.device-readings.list")?; let page = query.page.unwrap_or(1); - let page_size = query.page_size.unwrap_or(20); + let page_size = query.page_size.unwrap_or(20).min(100); let result = device_reading_service::query_device_readings( &state, ctx.tenant_id, 
@@ -109,7 +109,7 @@ where { require_permission(&ctx, "health.device-readings.list")?; let page = query.page.unwrap_or(1); - let page_size = query.page_size.unwrap_or(20); + let page_size = query.page_size.unwrap_or(20).min(100); let days = query.days.unwrap_or(7); let result = device_reading_service::query_hourly_readings( &state, diff --git a/crates/erp-health/src/handler/diagnosis_handler.rs b/crates/erp-health/src/handler/diagnosis_handler.rs index f46ee11..a33f95c 100644 --- a/crates/erp-health/src/handler/diagnosis_handler.rs +++ b/crates/erp-health/src/handler/diagnosis_handler.rs @@ -35,7 +35,7 @@ where { require_permission(&ctx, "health.health-data.list")?; let page = params.page.unwrap_or(1); - let page_size = params.page_size.unwrap_or(20); + let page_size = params.page_size.unwrap_or(20).min(100); let result = diagnosis_service::list_diagnoses(&state, ctx.tenant_id, patient_id, page, page_size) .await?; diff --git a/crates/erp-health/src/handler/doctor_handler.rs b/crates/erp-health/src/handler/doctor_handler.rs index 847faa0..865b724 100644 --- a/crates/erp-health/src/handler/doctor_handler.rs +++ b/crates/erp-health/src/handler/doctor_handler.rs @@ -40,7 +40,7 @@ where { require_permission(&ctx, "health.doctor.list")?; let page = params.page.unwrap_or(1); - let page_size = params.page_size.unwrap_or(20); + let page_size = params.page_size.unwrap_or(20).min(100); let result = doctor_service::list_doctors( &state, ctx.tenant_id, diff --git a/crates/erp-health/src/handler/follow_up_handler.rs b/crates/erp-health/src/handler/follow_up_handler.rs index f1c24f4..00f5ad5 100644 --- a/crates/erp-health/src/handler/follow_up_handler.rs +++ b/crates/erp-health/src/handler/follow_up_handler.rs 
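Review bot: `let days = query.days.unwrap_or(7);` sits two lines below the capped page_size in this hunk and is left unbounded, although it is the same kind of client-controlled value that decides how much data query_hourly_readings has to scan. If `days` sets the time window of that query (the name suggests so, but the service body is not visible), a very large value reproduces the oversized-query problem this commit closes for page_size, independent of pagination. I would write `let days = query.days.unwrap_or(7).clamp(1, MAX_DAYS);` with `MAX_DAYS` as a named constant whose value still has to be chosen, and note the reason next to it, e.g. `// bound the query window like page_size; unbounded days would let one request scan the whole table`. The enclosing handler starts and ends outside the hunk.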
@@ -119,7 +119,7 @@ where { require_permission(&ctx, "health.follow-up.list")?; let page = params.page.unwrap_or(1); - let page_size = params.page_size.unwrap_or(20); + let page_size = params.page_size.unwrap_or(20).min(100); let result = follow_up_service::list_tasks( &state, ctx.tenant_id, @@ -239,7 +239,7 @@ where { require_permission(&ctx, "health.follow-up.list")?; let page = params.page.unwrap_or(1); - let page_size = params.page_size.unwrap_or(20); + let page_size = params.page_size.unwrap_or(20).min(100); let result = follow_up_service::list_records( &state, ctx.tenant_id, diff --git a/crates/erp-health/src/handler/follow_up_template_handler.rs b/crates/erp-health/src/handler/follow_up_template_handler.rs index 48b4c1a..51a19cf 100644 --- a/crates/erp-health/src/handler/follow_up_template_handler.rs +++ b/crates/erp-health/src/handler/follow_up_template_handler.rs @@ -39,7 +39,7 @@ where { require_permission(&ctx, "health.follow-up-templates.list")?; let page = params.page.unwrap_or(1); - let page_size = params.page_size.unwrap_or(20); + let page_size = params.page_size.unwrap_or(20).min(100); let result = follow_up_template_service::list_templates( &state, ctx.tenant_id, diff --git a/crates/erp-health/src/handler/medication_record_handler.rs b/crates/erp-health/src/handler/medication_record_handler.rs index 919d68c..9dc91c7 100644 --- a/crates/erp-health/src/handler/medication_record_handler.rs +++ b/crates/erp-health/src/handler/medication_record_handler.rs @@ -29,7 +29,7 @@ where { require_permission(&ctx, "health.medication-records.list")?; let page = params.page.unwrap_or(1); - let page_size = params.page_size.unwrap_or(20); + let page_size = params.page_size.unwrap_or(20).min(100); let result = medication_record_service::list_medications( &state, ctx.tenant_id, diff --git a/crates/erp-health/src/handler/medication_reminder_handler.rs b/crates/erp-health/src/handler/medication_reminder_handler.rs index 510375c..1085aae 100644 
--- a/crates/erp-health/src/handler/medication_reminder_handler.rs +++ b/crates/erp-health/src/handler/medication_reminder_handler.rs @@ -28,7 +28,7 @@ where { require_permission(&ctx, "health.medication-reminders.list")?; let page = params.page.unwrap_or(1); - let page_size = params.page_size.unwrap_or(20); + let page_size = params.page_size.unwrap_or(20).min(100); let result = medication_reminder_service::list_reminders( &state, ctx.tenant_id, diff --git a/crates/erp-health/src/handler/patient_handler.rs b/crates/erp-health/src/handler/patient_handler.rs index 8c80beb..04a54cb 100644 --- a/crates/erp-health/src/handler/patient_handler.rs +++ b/crates/erp-health/src/handler/patient_handler.rs @@ -44,7 +44,7 @@ where { require_permission(&ctx, "health.patient.list")?; let page = params.page.unwrap_or(1); - let page_size = params.page_size.unwrap_or(20); + let page_size = params.page_size.unwrap_or(20).min(100); let result = patient_service::list_patients( &state, ctx.tenant_id, diff --git a/crates/erp-health/src/handler/points_handler.rs b/crates/erp-health/src/handler/points_handler.rs index 919d801..99d7221 100644 --- a/crates/erp-health/src/handler/points_handler.rs +++ b/crates/erp-health/src/handler/points_handler.rs @@ -91,7 +91,7 @@ where require_permission(&ctx, "health.points.list")?; let patient_id = resolve_patient_id(&state, ctx.tenant_id, ctx.user_id).await?; let page = params.page.unwrap_or(1); - let page_size = params.page_size.unwrap_or(20); + let page_size = params.page_size.unwrap_or(20).min(100); let result = points_service::list_transactions(&state, ctx.tenant_id, patient_id, page, page_size) .await?; @@ -110,7 +110,7 @@ where { require_permission(&ctx, "health.points.list")?; let p = page.page.unwrap_or(1); - let ps = page.page_size.unwrap_or(20); + let ps = page.page_size.unwrap_or(20).min(100); let result = points_service::list_products(&state, ctx.tenant_id, params.product_type, p, ps).await?; Ok(Json(ApiResponse::ok(result))) 
@@ -159,7 +159,7 @@ where require_permission(&ctx, "health.points.list")?; let patient_id = resolve_patient_id(&state, ctx.tenant_id, ctx.user_id).await?; let page = params.page.unwrap_or(1); - let page_size = params.page_size.unwrap_or(20); + let page_size = params.page_size.unwrap_or(20).min(100); let result = points_service::list_orders(&state, ctx.tenant_id, patient_id, page, page_size).await?; Ok(Json(ApiResponse::ok(result))) @@ -182,7 +182,7 @@ where // 患者端端点:验证当前用户有关联的患者档案 let _patient_id = resolve_patient_id(&state, ctx.tenant_id, ctx.user_id).await?; let page = params.page.unwrap_or(1); - let page_size = params.page_size.unwrap_or(20); + let page_size = params.page_size.unwrap_or(20).min(100); let result = points_service::list_offline_events(&state, ctx.tenant_id, page, page_size).await?; Ok(Json(ApiResponse::ok(result))) @@ -318,7 +318,7 @@ where { require_permission(&ctx, "health.points.list")?; let p = page.page.unwrap_or(1); - let ps = page.page_size.unwrap_or(20); + let ps = page.page_size.unwrap_or(20).min(100); let result = points_service::admin_list_products( &state, ctx.tenant_id, @@ -406,7 +406,7 @@ where { require_permission(&ctx, "health.points.list")?; let page = params.page.unwrap_or(1); - let page_size = params.page_size.unwrap_or(20); + let page_size = params.page_size.unwrap_or(20).min(100); // 管理端查看所有订单 — 不按 patient_id 过滤 let result = points_service::admin_list_orders(&state, ctx.tenant_id, page, page_size).await?; Ok(Json(ApiResponse::ok(result))) @@ -498,7 +498,7 @@ where { require_permission(&ctx, "health.points.list")?; let page = params.page.unwrap_or(1); - let page_size = params.page_size.unwrap_or(20); + let page_size = params.page_size.unwrap_or(20).min(100); let result = points_service::admin_list_offline_events( &state, ctx.tenant_id, 
@@ -579,7 +579,7 @@ where { require_permission(&ctx, "health.points.list")?; let page = params.page.unwrap_or(1); - let page_size = params.page_size.unwrap_or(20); + let page_size = params.page_size.unwrap_or(20).min(100); let result = points_service::list_transactions(&state, ctx.tenant_id, patient_id, page, page_size) .await?; diff --git a/crates/erp-health/src/handler/shift_handler.rs b/crates/erp-health/src/handler/shift_handler.rs index 0d7e63a..149ce21 100644 --- a/crates/erp-health/src/handler/shift_handler.rs +++ b/crates/erp-health/src/handler/shift_handler.rs @@ -118,7 +118,7 @@ where { require_permission(&ctx, "health.shifts.list")?; let page = params.page.unwrap_or(1); - let page_size = params.page_size.unwrap_or(20); + let page_size = params.page_size.unwrap_or(20).min(100); let result = shift_service::list_assignments(&state, ctx.tenant_id, shift_id, page, page_size).await?; Ok(Json(ApiResponse::ok(result)))