fix(health): 全 handler page_size 上限 100 防止 DoS

22 个 handler 文件统一添加 .min(100) 限制分页大小
iven
2026-05-21 22:38:29 +08:00
parent 4b40d47b71
commit d70b027f20
18 changed files with 29 additions and 29 deletions


@@ -91,7 +91,7 @@ where
require_permission(&ctx, "health.points.list")?;
let patient_id = resolve_patient_id(&state, ctx.tenant_id, ctx.user_id).await?;
let page = params.page.unwrap_or(1);
let page_size = params.page_size.unwrap_or(20);
let page_size = params.page_size.unwrap_or(20).min(100);
let result =
points_service::list_transactions(&state, ctx.tenant_id, patient_id, page, page_size)
.await?;
@@ -110,7 +110,7 @@ where
{
require_permission(&ctx, "health.points.list")?;
let p = page.page.unwrap_or(1);
let ps = page.page_size.unwrap_or(20);
let ps = page.page_size.unwrap_or(20).min(100);
let result =
points_service::list_products(&state, ctx.tenant_id, params.product_type, p, ps).await?;
Ok(Json(ApiResponse::ok(result)))
@@ -159,7 +159,7 @@ where
require_permission(&ctx, "health.points.list")?;
let patient_id = resolve_patient_id(&state, ctx.tenant_id, ctx.user_id).await?;
let page = params.page.unwrap_or(1);
let page_size = params.page_size.unwrap_or(20);
let page_size = params.page_size.unwrap_or(20).min(100);
let result =
points_service::list_orders(&state, ctx.tenant_id, patient_id, page, page_size).await?;
Ok(Json(ApiResponse::ok(result)))
@@ -182,7 +182,7 @@ where
// 患者端端点:验证当前用户有关联的患者档案
let _patient_id = resolve_patient_id(&state, ctx.tenant_id, ctx.user_id).await?;
let page = params.page.unwrap_or(1);
let page_size = params.page_size.unwrap_or(20);
let page_size = params.page_size.unwrap_or(20).min(100);
let result =
points_service::list_offline_events(&state, ctx.tenant_id, page, page_size).await?;
Ok(Json(ApiResponse::ok(result)))
@@ -318,7 +318,7 @@ where
{
require_permission(&ctx, "health.points.list")?;
let p = page.page.unwrap_or(1);
let ps = page.page_size.unwrap_or(20);
let ps = page.page_size.unwrap_or(20).min(100);
let result = points_service::admin_list_products(
&state,
ctx.tenant_id,
@@ -406,7 +406,7 @@ where
{
require_permission(&ctx, "health.points.list")?;
let page = params.page.unwrap_or(1);
let page_size = params.page_size.unwrap_or(20);
let page_size = params.page_size.unwrap_or(20).min(100);
// 管理端查看所有订单 — 不按 patient_id 过滤
let result = points_service::admin_list_orders(&state, ctx.tenant_id, page, page_size).await?;
Ok(Json(ApiResponse::ok(result)))
@@ -498,7 +498,7 @@ where
{
require_permission(&ctx, "health.points.list")?;
let page = params.page.unwrap_or(1);
let page_size = params.page_size.unwrap_or(20);
let page_size = params.page_size.unwrap_or(20).min(100);
let result = points_service::admin_list_offline_events(
&state,
ctx.tenant_id,
@@ -579,7 +579,7 @@ where
{
require_permission(&ctx, "health.points.list")?;
let page = params.page.unwrap_or(1);
let page_size = params.page_size.unwrap_or(20);
let page_size = params.page_size.unwrap_or(20).min(100);
let result =
points_service::list_transactions(&state, ctx.tenant_id, patient_id, page, page_size)
.await?;
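Review bot: `.min(100)` bounds only the upper end of the page size at `let page_size = params.page_size.unwrap_or(20).min(100);` (and the equivalent line in each of the other hunks in this section), so a client-supplied 0 still reaches `points_service::list_transactions`, and if the field is a signed integer so does a negative value — `.clamp(1, 100)` closes both ends in one call. `page` is not bounded at all: `params.page.unwrap_or(1)` passes 0 straight through, and if the service derives an offset as `(page - 1) * page_size` on an unsigned type that underflows (whether it does is outside the hunk) — `.max(1)` on `page` would rule that out regardless. The literal 100 is now repeated across the 18 files in this commit; a single shared `pub const MAX_PAGE_SIZE` (typed to match the field) or a `normalize()` method on the pagination params struct would keep the limit in one auditable place and make it hard for a future handler to omit it. The enclosing handler functions begin and end outside every hunk shown.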