Server: 非开放请求不允许传远程函数；解决 Access 表里配置 name 和 alias 未成功实现表映射；完善远程函数调用在函数格式错误时的报错信息

TommyLemon · TommyLemon · commit a7988964060e · 2019-08-31T18:36:58.000+08:00
diff --git a/APIJSON-Java-Server/APIJSONBoot/src/main/java/apijson/demo/server/DemoSQLConfig.java b/APIJSON-Java-Server/APIJSONBoot/src/main/java/apijson/demo/server/DemoSQLConfig.java
@@ -21,8 +21,6 @@
 
 import com.alibaba.fastjson.JSONObject;
 
-import apijson.demo.server.model.Privacy;
-import apijson.demo.server.model.User;
 import zuo.biao.apijson.RequestMethod;
 import zuo.biao.apijson.server.AbstractSQLConfig;
 import zuo.biao.apijson.server.Join;
@@ -38,14 +36,15 @@ public class DemoSQLConfig extends AbstractSQLConfig {
 
 	public static final Callback SIMPLE_CALLBACK;
 
-	
+
 	static {
 		//TODO 默认模式名，改成你自己的
 		DEFAULT_SCHEMA = "sys";
-		
-		//表名映射，隐藏真实表名，对安全要求很高的表可以这么做
-		TABLE_KEY_MAP.put(User.class.getSimpleName(), "apijson_user");
-		TABLE_KEY_MAP.put(Privacy.class.getSimpleName(), "apijson_privacy");
+
+		//  由 DemoVerifier.init 方法读取数据库 Access 表来替代手动输入配置
+		//		//表名映射，隐藏真实表名，对安全要求很高的表可以这么做
+		//		TABLE_KEY_MAP.put(User.class.getSimpleName(), "apijson_user");
+		//		TABLE_KEY_MAP.put(Privacy.class.getSimpleName(), "apijson_privacy");
 
 		//主键名映射
 		SIMPLE_CALLBACK = new SimpleCallback() {
@@ -82,7 +81,7 @@ public String getUserIdKey(String database, String schema, String table) {
 	public String getDBVersion() {
 		return "5.7.22"; //"8.0.11"; //TODO 改成你自己的 MySQL 或 PostgreSQL 数据库版本号 //MYSQL 8 和 7 使用的 JDBC 配置不一样
 	}
-	
+
 	@Override
 	public String getDBUri() {
 		//TODO 改成你自己的，TiDB 默认端口为 4000
diff --git a/APIJSON-Java-Server/APIJSONBoot/src/main/java/apijson/demo/server/DemoVerifier.java b/APIJSON-Java-Server/APIJSONBoot/src/main/java/apijson/demo/server/DemoVerifier.java
@@ -146,6 +146,7 @@ public static JSONObject init(boolean shutdownWhenServerError) throws ServerExce
 				}
 			}
 
+			DemoSQLConfig.TABLE_KEY_MAP.put(alias, name);
 		}
 
 		Log.d(TAG, "init  for /> ACCESS_MAP.size() = " + ACCESS_MAP.size() + " >>>>>>>>>>>>>>>>>>>>>>>");
diff --git a/APIJSON-Java-Server/APIJSONORM/src/main/java/zuo/biao/apijson/server/AbstractParser.java b/APIJSON-Java-Server/APIJSONORM/src/main/java/zuo/biao/apijson/server/AbstractParser.java
@@ -591,7 +591,7 @@ public JSONObject parseCorrectRequest() throws Exception {
 
 		String tag = requestObject.getString(JSONRequest.KEY_TAG);
 		if (StringUtil.isNotEmpty(tag, true) == false) {
-			throw new IllegalArgumentException("请在最外层设置tag！一般是Table名，例如 \"tag\": \"User\" ");
+			throw new IllegalArgumentException("请在最外层设置 tag ！一般是 Table 名，例如 \"tag\": \"User\" ");
 		}
 		setTag(tag);
 
@@ -605,7 +605,7 @@ public JSONObject parseCorrectRequest() throws Exception {
 			error = e.getMessage();
 		}
 		if (object == null) {//empty表示随意操作  || object.isEmpty()) {
-			throw new UnsupportedOperationException("非开放请求必须是Request表中校验规则允许的操作！\n " + error);
+			throw new UnsupportedOperationException("非开放请求必须是后端 Request 表中校验规则允许的操作！\n " + error);
 		}
 
 		JSONObject target = null;
diff --git a/APIJSON-Java-Server/APIJSONORM/src/main/java/zuo/biao/apijson/server/AbstractSQLConfig.java b/APIJSON-Java-Server/APIJSONORM/src/main/java/zuo/biao/apijson/server/AbstractSQLConfig.java
@@ -2603,7 +2603,7 @@ else if (key.endsWith("}{")) {//被包含 EXISTS，或者说key对应值处于va
 		else if (key.endsWith("<>")) {//包含 json_contains，或者说value处于key对应值的范围内。查询时处理
 			key = key.substring(0, key.length() - 2);
 		} 
-		else if (key.endsWith("()")) {//方法，查询完后处理，先用一个Map<key,function>保存？
+		else if (key.endsWith("()")) {//方法，查询完后处理，先用一个Map<key,function>保存
 			key = key.substring(0, key.length() - 2);
 		} 
 		else if (key.endsWith("@")) {//引用，引用对象查询完后处理。fillTarget中暂时不用处理，因为非GET请求都是由给定的id确定，不需要引用
diff --git a/APIJSON-Java-Server/APIJSONORM/src/main/java/zuo/biao/apijson/server/RemoteFunction.java b/APIJSON-Java-Server/APIJSONORM/src/main/java/zuo/biao/apijson/server/RemoteFunction.java
@@ -125,7 +125,7 @@ public static FunctionBean parseFunction(@NotNull String function, @NotNull JSON
 
 		int start = function.indexOf("(");
 		int end = function.lastIndexOf(")");
-		String method = end != function.length() - 1 ? null : function.substring(0, start);
+		String method = (start <= 0 || end != function.length() - 1) ? null : function.substring(0, start);
 		if (StringUtil.isEmpty(method, true)) {
 			throw new IllegalArgumentException("字符 " + function + " 不合法！函数的名称 function 不能为空，"
 					+ "且必须为 function(key0,key1,...) 这种单函数格式！"
diff --git a/APIJSON-Java-Server/APIJSONORM/src/main/java/zuo/biao/apijson/server/Structure.java b/APIJSON-Java-Server/APIJSONORM/src/main/java/zuo/biao/apijson/server/Structure.java
@@ -351,9 +351,16 @@ public static JSONObject parse(String name, JSONObject target, JSONObject real
 				real.remove(rk);
 				continue;
 			}
+			
+			Object rv = real.get(rk);
+
+			//不允许传远程函数，只能后端配置
+			if (rk.endsWith("()") && rv instanceof String) {
+				throw new UnsupportedOperationException(rk + " 不合法！非开放请求不允许传远程函数 key():\"fun()\" ！");
+			}
 
 			//不在target内的 key:{}
-			if (rk.startsWith("@") == false && objKeySet.contains(rk) == false && real.get(rk) instanceof JSONObject) {
+			if (rk.startsWith("@") == false && objKeySet.contains(rk) == false && rv instanceof JSONObject) {
 				throw new UnsupportedOperationException(name + " 里面不允许传 " + rk + ":{} ！");
 			}
 		}

Original file line number	Diff line number	Diff line change
`@@ -146,6 +146,7 @@ public static JSONObject init(boolean shutdownWhenServerError) throws ServerExce`
`146`	`146`	`}`
`147`	`147`	`}`
`148`	`148`
	`149`	`+ DemoSQLConfig.TABLE_KEY_MAP.put(alias, name);`
`149`	`150`	`}`
`150`	`151`
`151`	`152`	`Log.d(TAG, "init for /> ACCESS_MAP.size() = " + ACCESS_MAP.size() + " >>>>>>>>>>>>>>>>>>>>>>>");`
Original file line number	Diff line number	Diff line change
`@@ -591,7 +591,7 @@ public JSONObject parseCorrectRequest() throws Exception {`
`591`	`591`
`592`	`592`	`String tag = requestObject.getString(JSONRequest.KEY_TAG);`
`593`	`593`	`if (StringUtil.isNotEmpty(tag, true) == false) {`
`594`		`- throw new IllegalArgumentException("请在最外层设置tag！一般是Table名，例如 \"tag\": \"User\" ");`
	`594`	`+ throw new IllegalArgumentException("请在最外层设置 tag ！一般是 Table 名，例如 \"tag\": \"User\" ");`
`595`	`595`	`}`
`596`	`596`	`setTag(tag);`
`597`	`597`
`@@ -605,7 +605,7 @@ public JSONObject parseCorrectRequest() throws Exception {`
`605`	`605`	`error = e.getMessage();`
`606`	`606`	`}`
`607`	`607`	`if (object == null) {//empty表示随意操作 \|\| object.isEmpty()) {`
`608`		`- throw new UnsupportedOperationException("非开放请求必须是Request表中校验规则允许的操作！\n " + error);`
	`608`	`+ throw new UnsupportedOperationException("非开放请求必须是后端 Request 表中校验规则允许的操作！\n " + error);`
`609`	`609`	`}`
`610`	`610`
`611`	`611`	`JSONObject target = null;`
Original file line number	Diff line number	Diff line change
`@@ -2603,7 +2603,7 @@ else if (key.endsWith("}{")) {//被包含 EXISTS，或者说key对应值处于va`
`2603`	`2603`	`else if (key.endsWith("<>")) {//包含 json_contains，或者说value处于key对应值的范围内。查询时处理`
`2604`	`2604`	`key = key.substring(0, key.length() - 2);`
`2605`	`2605`	`}`
`2606`		`- else if (key.endsWith("()")) {//方法，查询完后处理，先用一个Map<key,function>保存？`
	`2606`	`+ else if (key.endsWith("()")) {//方法，查询完后处理，先用一个Map<key,function>保存`
`2607`	`2607`	`key = key.substring(0, key.length() - 2);`
`2608`	`2608`	`}`
`2609`	`2609`	`else if (key.endsWith("@")) {//引用，引用对象查询完后处理。fillTarget中暂时不用处理，因为非GET请求都是由给定的id确定，不需要引用`
Original file line number	Diff line number	Diff line change
`@@ -351,9 +351,16 @@ public static JSONObject parse(String name, JSONObject target, JSONObject real`
`351`	`351`	`real.remove(rk);`
`352`	`352`	`continue;`
`353`	`353`	`}`
	`354`	`+`
	`355`	`+ Object rv = real.get(rk);`
	`356`	`+`
	`357`	`+ //不允许传远程函数，只能后端配置`
	`358`	`+ if (rk.endsWith("()") && rv instanceof String) {`
	`359`	`+ throw new UnsupportedOperationException(rk + " 不合法！非开放请求不允许传远程函数 key():\"fun()\" ！");`
	`360`	`+ }`
`354`	`361`
`355`	`362`	`//不在target内的 key:{}`
`356`		`- if (rk.startsWith("@") == false && objKeySet.contains(rk) == false && real.get(rk) instanceof JSONObject) {`
	`363`	`+ if (rk.startsWith("@") == false && objKeySet.contains(rk) == false && rv instanceof JSONObject) {`
`357`	`364`	`throw new UnsupportedOperationException(name + " 里面不允许传 " + rk + ":{} ！");`
`358`	`365`	`}`
`359`	`366`	`}`