iven/hms
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

fix(health+server+mp): 审计 P0 批次修复 — 积分冲突/文章草稿泄露/商城空白/模板ID配置化
Some checks failed
CI / rust-check (push) Has been cancelled
Details
CI / rust-test (push) Has been cancelled
Details
CI / frontend-build (push) Has been cancelled
Details
CI / security-audit (push) Has been cancelled
Details

Browse Source 
P0-1: 微信模板 ID 从硬编码空字符串改为环境变量注入
  - wechat-templates.ts 读取 process.env.TARO_APP_WX_TEMPLATE_*
  - defineConstants 新增 5 个模板 ID 编译时注入

P0-2: 积分商城 Tab 空白降级
  - mall/index.tsx 在 currentPatient 为 null 时先调用 loadPatients()
  - 仍无档案才显示空状态引导,而非直接阻断

P0-3: 消除 erp-points 重复路由冲突
  - 从 erp-server 移除 erp-points 模块注册和路由 merge
  - 积分功能统一由 erp-health /health/points/* 提供
  - erp-points crate 保留但不参与编译

P0-4: 文章列表按角色过滤防止草稿泄露
  - list_articles handler: 非管理权限强制 status=published
  - get_article service: 新增 is_admin 参数控制状态过滤
This commit is contained in:
iven
2026-04-29 15:11:05 +08:00
parent facc8b0d24
commit dffa2dd47d
9 changed files with 46 additions and 39 deletions
Download Patch File Download Diff File Expand all files Collapse all files

13
crates/erp-health/src/handler/article_handler.rs
View File

@@ -2,7 +2,7 @@ use axum::Extension;
use axum::extract::{FromRef, Json, Path, Query, State};
use erp_core::error::AppError;
use erp_core::rbac::require_permission;
use erp_core::rbac::{require_any_permission, require_permission};
use erp_core::types::{ApiResponse, PaginatedResponse, TenantContext};
use crate::dto::article_dto::{ArticleListItem, ArticleListParams, ArticleResp, CreateArticleReq, ReviewArticleReq, UpdateArticleReq};
@@ -21,9 +21,15 @@ where
require_permission(&ctx, "health.articles.list")?;
let page = params.page.unwrap_or(1);
let page_size = params.page_size.unwrap_or(20);
// 非管理权限用户只能查看已发布文章,防止草稿泄露
let status = if require_any_permission(&ctx, &["health.articles.manage", "health.articles.review"]).is_ok() {
params.status
} else {
Some("published".to_string())
};
let result = article_service::list_articles(
&state, ctx.tenant_id, page, page_size,
params.category, params.status, params.category_id, params.tag_id, params.keyword,
params.category, status, params.category_id, params.tag_id, params.keyword,
)
.await?;
Ok(Json(ApiResponse::ok(result)))
@@ -39,7 +45,8 @@ where
S: Clone + Send + Sync + 'static,
{
require_permission(&ctx, "health.articles.list")?;
let result = article_service::get_article(&state, ctx.tenant_id, id).await?;
let is_admin = require_any_permission(&ctx, &["health.articles.manage", "health.articles.review"]).is_ok();
let result = article_service::get_article(&state, ctx.tenant_id, id, is_admin).await?;
Ok(Json(ApiResponse::ok(result)))
}