iven/hms
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

fix(health): 三次审计批次A修复 — 7个CRITICAL问题
Some checks failed
CI / rust-check (push) Has been cancelled
Details
CI / rust-test (push) Has been cancelled
Details
CI / frontend-build (push) Has been cancelled
Details
CI / security-audit (push) Has been cancelled
Details

Browse Source 
- C-1: create_record handler 添加 Path(task_id) 提取,校验路径与body一致
- C-2: appointment CAS+INSERT 包裹在数据库事务中,防止幽灵占位
- C-3: appointment 取消释放名额添加 current_appointments > 0 下限保护
- C-4: create_lab_report 添加 patient_id 存在校验
- C-5: create_health_record 添加 patient_id 校验 + record_type 默认值 "routine"→"checkup"
- C-6: health_data update 操作添加 patient_id 归属校验(vital_signs/lab_report/health_record)
- C-7: follow_up_type 校验值改为设计规格定义的 phone/face_to_face/online
- 修复 article_service.rs 编译错误(未使用import + 缺少QuerySelect + 错误变体)
This commit is contained in:
iven
2026-04-24 00:46:11 +08:00
parent affb3a5578
commit ee9a5c4da1
6 changed files with 151 additions and 13 deletions
Download Patch File Download Diff File Expand all files Collapse all files

4
crates/erp-health/src/handler/follow_up_handler.rs
View File

@@ -108,6 +108,7 @@ where
pub async fn create_record<S>(
State(state): State<HealthState>,
Extension(ctx): Extension<TenantContext>,
Path(task_id): Path<Uuid>,
Json(req): Json<CreateFollowUpRecordReq>,
) -> Result<Json<ApiResponse<FollowUpRecordResp>>, AppError>
where
@@ -115,6 +116,9 @@ where
S: Clone + Send + Sync + 'static,
{
require_permission(&ctx, "health.follow-up.manage")?;
if req.task_id != task_id {
return Err(AppError::Validation("路径中的 task_id 与请求体不一致".to_string()));
}
let result = follow_up_service::create_record(
&state, ctx.tenant_id, Some(ctx.user_id), req,
)

6
crates/erp-health/src/handler/health_data_handler.rs
View File

@@ -168,7 +168,7 @@ where
{
require_permission(&ctx, "health.health-data.manage")?;
let result = health_data_service::update_lab_report(
&state, ctx.tenant_id, rid, Some(ctx.user_id), req.data, req.version,
&state, ctx.tenant_id, _patient_id, rid, Some(ctx.user_id), req.data, req.version,
)
.await?;
Ok(Json(ApiResponse::ok(result)))
@@ -233,7 +233,7 @@ where
pub async fn update_health_record<S>(
State(state): State<HealthState>,
Extension(ctx): Extension<TenantContext>,
Path((_patient_id, rid)): Path<(Uuid, Uuid)>,
Path((patient_id, rid)): Path<(Uuid, Uuid)>,
Json(req): Json<UpdateHealthRecordWithVersion>,
) -> Result<Json<ApiResponse<HealthRecordResp>>, AppError>
where
@@ -242,7 +242,7 @@ where
{
require_permission(&ctx, "health.health-data.manage")?;
let result = health_data_service::update_health_record(
&state, ctx.tenant_id, rid, Some(ctx.user_id), req.data, req.version,
&state, ctx.tenant_id, patient_id, rid, Some(ctx.user_id), req.data, req.version,
)
.await?;
Ok(Json(ApiResponse::ok(result)))