
Commit 81deca2

Server:同步eclipse版至idea版
1 parent 7b32b5a commit 81deca2


3 files changed

+79
-54
lines changed


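--- a/APIJSON-Java-Server/APIJSON-Idea/src/main/java/zuo/biao/apijson/server/Parser.java
+++ b/APIJSON-Java-Server/APIJSON-Idea/src/main/java/zuo/biao/apijson/server/Parser.java
@@ -30,7 +30,6 @@
 import com.alibaba.fastjson.JSONObject;
 
 import apijson.demo.server.Verifier;
-import apijson.demo.server.model.BaseModel;
 import apijson.demo.server.model.User;
 import zuo.biao.apijson.JSON;
 import zuo.biao.apijson.JSONResponse;
@@ -177,7 +176,7 @@ public JSONObject parseResponse(JSONObject request) {
 if (session != null && requestObject.getIntValue(JSONRequest.KEY_VERSION) <= 0) {
 requestObject.put(JSONRequest.KEY_VERSION, session.getAttribute(JSONRequest.KEY_VERSION));
 }
-
+
 requestObject = getCorrectRequest(requestMethod, requestObject);
 }
 } catch (Exception e) {
@@ -628,8 +627,9 @@ public JSONObject parseResponse(JSONRequest request) throws Exception {
 private JSONArray getArray(String parentPath, String name, final JSONObject request) throws Exception {
 Log.i(TAG, "\n\n\n getArray parentPath = " + parentPath
 + "; name = " + name + "; request = " + JSON.toJSONString(request));
-if (RequestMethod.isGetMethod(requestMethod, true) == false) {
-throw new UnsupportedOperationException("key[]:{}只支持GET类方法!不允许传 " + name + ":{} !");
+//不能允许GETS,否则会被通过"[]":{"@role":"ADMIN"},"Table":{},"tag":"Table"绕过权限并能批量查询
+if (RequestMethod.isGetMethod(requestMethod, false) == false) {
+throw new UnsupportedOperationException("key[]:{}只支持GET方法!不允许传 " + name + ":{} !");
 }
 if (request == null || request.isEmpty()) {//jsonKey-jsonValue条件
 return null;
@@ -843,8 +843,25 @@ private Object getValueByPath(String valuePath) {
 }
 }
 
-Log.i(TAG, "getValueByPath return parent == null ? valuePath : parent.get(keys[keys.length - 1]); >> ");
-return parent == null ? valuePath : parent.get(keys[keys.length - 1]);
+if (parent != null) {
+Log.i(TAG, "getValueByPath >> get from queryResultMap >> return parent.get(keys[keys.length - 1]);");
+target = parent.get(keys[keys.length - 1]); //值为null应该报错NotExistExeption,一般都是id关联,不可为null,否则可能绕过安全机制
+if (target != null) {
+Log.i(TAG, "getValueByPath >> getValue >> return target = " + target);
+return target;
+}
+}
+
+
+//从requestObject中取值
+target = getValue(requestObject, StringUtil.splitPath(valuePath));
+if (target != null) {
+Log.i(TAG, "getValueByPath >> getValue >> return target = " + target);
+return target;
+}
+
+Log.i(TAG, "getValueByPath return valuePath;");
+return valuePath;
 }
 
 //依赖引用关系 >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>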
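Review bot: In getValueByPath the new fallback at line 857 resolves a reference from the client-supplied requestObject whenever queryResultMap has no match, and line 864 still returns the bare valuePath string when nothing resolves, even though the comment on line 848 says a null here should raise NotExistException because the reference is normally an id join. A reference the client can satisfy from its own request body, or that silently degrades to the literal path string, looks like exactly the bypass that comment warns about; presumably the intended behaviour is to fail closed. I would replace the final `return valuePath;` with a throw, e.g. `throw new IllegalArgumentException("getValueByPath: " + valuePath + " 没有对应的值!");` (or the NotExistException the comment names, if this project defines one), and add a comment stating why the requestObject fallback is acceptable if it is kept. getValueByPath starts before this hunk, so how target and keys are initialised is not visible here.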

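--- a/APIJSON-Java-Server/APIJSON-Idea/src/main/java/zuo/biao/apijson/server/Structure.java
+++ b/APIJSON-Java-Server/APIJSON-Idea/src/main/java/zuo/biao/apijson/server/Structure.java
@@ -70,7 +70,9 @@ private Structure() {}
 
 static final String requestString = "{\"Comment\":{\"DISALLOW\": \"id\", \"NECESSARY\": \"userId,momentId,content\"}, \"ADD\":{\"Comment:to\":{}}}";
 static final String responseString = "{\"User\":{\"REMOVE\": \"phone\", \"REPLACE\":{\"sex\":2}, \"ADD\":{\"name\":\"api\"}}, \"PUT\":{\"Comment:to\":{}}}";
-
+/**测试
+* @throws Exception
+*/
 public static void test() throws Exception {
 JSONObject request;
 try {
@@ -122,6 +124,10 @@ public static void test() throws Exception {
 }
 
 
+
+
+
+
 /**从request提取target指定的内容
 * @param method
 * @param name
@@ -154,35 +160,35 @@ public JSONObject onParseJSONObject(String key, JSONObject tobj, JSONObject robj
 // Log.i(TAG, "parseRequest.parse.onParseJSONObject key = " + key + "; robj = " + robj);
 if (robj == null) {
 if (tobj != null) {//不允许不传Target中指定的Table
-throw new IllegalArgumentException(method.name() + "请求,请设置 " + key + " !");
+throw new IllegalArgumentException(method.name() + "请求,请在 " + name + " 内传 " + key + ":{} !");
 }
 } else if (zuo.biao.apijson.JSONObject.isTableKey(key)) {
 if (method == RequestMethod.POST) {
 if (robj.containsKey(KEY_ID)) {
-throw new IllegalArgumentException("POST请求, " + key + " 不能设置 " + KEY_ID + " !");
+throw new IllegalArgumentException("POST请求," + name + "/" + key + " 不能传 " + KEY_ID + " !");
 }
 } else {
 if (RequestMethod.isQueryMethod(method) == false) {
 //单个修改或删除
 Object id = robj.get(KEY_ID); //如果必须传 id ,可在Request表中配置necessary
 if (id != null) {
 if (id instanceof Number == false) {
-throw new IllegalArgumentException(method.name() + "请求, " + key
+throw new IllegalArgumentException(method.name() + "请求," + name + "/" + key
 + " 里面的 " + KEY_ID_IN + ":value 中value的类型只能是Long!");
 }
 } else {
 //批量修改或删除
 Object arr = robj.get(KEY_ID_IN); //如果必须传 id{} ,可在Request表中配置necessary
 if (arr == null) {
-throw new IllegalArgumentException(method.name() + "请求, " + key
+throw new IllegalArgumentException(method.name() + "请求," + name + "/" + key
 + " 里面 " + KEY_ID + " 和 " + KEY_ID_IN + " 必须传其中一个!");
 }
 if (arr instanceof JSONArray == false) {
-throw new IllegalArgumentException(method.name() + "请求, " + key
+throw new IllegalArgumentException(method.name() + "请求," + name + "/" + key
 + " 里面的 " + KEY_ID_IN + ":value 中value的类型只能是 [Long] !");
 }
 if (((JSONArray)arr).size() > 10) { //不允许一次操作10条以上记录
-throw new IllegalArgumentException(method.name() + "请求, " + key
+throw new IllegalArgumentException(method.name() + "请求," + name + "/" + key
 + " 里面的 " + KEY_ID_IN + ":[] 中[]的长度不能超过10!");
 }
 }
@@ -259,8 +265,6 @@ public static JSONObject parse(String name, JSONObject target, JSONObject real
 //获取配置>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
 
 
-Set<String> tableKeySet = new HashSet<String>();
-
 
 
 //移除字段<<<<<<<<<<<<<<<<<<<
@@ -277,42 +281,17 @@ public static JSONObject parse(String name, JSONObject target, JSONObject real
 for (String s : necessaryList) {
 if (real.get(s) == null) {//可能传null进来,这里还会通过 real.containsKey(s) == false) {
 throw new IllegalArgumentException(name
-+ "不能缺少 " + s + " 等[" + necessary + "]内的任何字段!");
++ " 里面不能缺少 " + s + " 等[" + necessary + "]内的任何字段!");
 }
 }
 //判断必要字段是否都有>>>>>>>>>>>>>>>>>>>
 
 
-Set<String> rkset = real.keySet();
-
-//判断是否都有不允许的字段<<<<<<<<<<<<<<<<<<<
-List<String> disallowList = new ArrayList<String>();
-if ("!".equals(disallow)) {//所有非necessary,改成 !necessary 更好
-if (rkset != null) {
-for (String key : rkset) {//对@key放行,@role,@column,自定义@position等
-if (key != null && key.startsWith("@") == false && necessaryList.contains(key) == false) {
-disallowList.add(key);
-}
-}
-}
-} else {
-String[] disallows = StringUtil.split(disallow);
-if (disallows != null && disallows.length > 0) {
-disallowList.addAll(Arrays.asList(disallows));
-}
-}
-for (String s : disallowList) {
-if (real.containsKey(s)) {
-throw new IllegalArgumentException(name
-+ "不允许传 " + s + " 等" + StringUtil.getString(disallowList) + "内的任何字段!");
-}
-}
-//判断是否都有不允许的字段>>>>>>>>>>>>>>>>>>>
-
+Set<String> objKeySet = new HashSet<String>(); //不能用tableKeySet,仅判断 Table:{} 会导致 key:{ Table:{} } 绕过判断
 
+//解析内容<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<
 
 Set<Entry<String, Object>> set = new LinkedHashSet<>(target.entrySet());
-zuo.biao.apijson.server.Entry<String, String> pair;
 if (set.isEmpty() == false) {
 
 String key;
@@ -332,10 +311,7 @@ public static JSONObject parse(String name, JSONObject target, JSONObject real
 if (tvalue instanceof JSONObject) {//JSONObject,往下一级提取
 tvalue = callback.onParseJSONObject(key, (JSONObject) tvalue, (JSONObject) rvalue);
 
-pair = Pair.parseEntry(key, true);
-if (pair != null && zuo.biao.apijson.JSONObject.isTableKey(pair.getKey())) {
-tableKeySet.add(key);
-}
+objKeySet.add(key);
 } else if (tvalue instanceof JSONArray) {//JSONArray
 tvalue = callback.onParseJSONArray(key, (JSONArray) tvalue, (JSONArray) rvalue);
 } else {//其它Object
@@ -349,17 +325,49 @@ public static JSONObject parse(String name, JSONObject target, JSONObject real
 
 }
 
+//解析内容>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
+
 
 
-//不允许操作未指定Table<<<<<<<<<<<<<<<<<<<<<<<<<
+Set<String> rkset = real.keySet(); //解析内容并没有改变rkset
+
+//解析不允许的字段<<<<<<<<<<<<<<<<<<<
+List<String> disallowList = new ArrayList<String>();
+if ("!".equals(disallow)) {//所有非necessary,改成 !necessary 更好
+for (String key : rkset) {//对@key放行,@role,@column,自定义@position等
+if (key != null && key.startsWith("@") == false
+&& necessaryList.contains(key) == false && objKeySet.contains(key) == false) {
+disallowList.add(key);
+}
+}
+} else {
+String[] disallows = StringUtil.split(disallow);
+if (disallows != null && disallows.length > 0) {
+disallowList.addAll(Arrays.asList(disallows));
+}
+}
+//解析不允许的字段>>>>>>>>>>>>>>>>>>>
+
+
+//判断不允许传的key<<<<<<<<<<<<<<<<<<<<<<<<<
 for (String rk : rkset) {
-pair = Pair.parseEntry(rk, true);//非GET类操作不允许Table:alias别名
-if (pair != null && zuo.biao.apijson.JSONObject.isTableKey(pair.getKey())
-&& tableKeySet.contains(rk) == false) {
-throw new UnsupportedOperationException("不允许操作 " + rk + " !");
+if (disallowList.contains(rk)) { //不允许的字段
+throw new IllegalArgumentException(name
++ " 里面不允许传 " + rk + " 等" + StringUtil.getString(disallowList) + "内的任何字段!");
+}
+
+if (rk == null) { //无效的key
+real.remove(rk);
+continue;
+}
+
+//不在target内的 key:{}
+if (rk.startsWith("@") == false && objKeySet.contains(rk) == false && real.get(rk) instanceof JSONObject) {
+throw new UnsupportedOperationException(name + " 里面不允许传 " + rk + ":{} !");
 }
 }
-//不允许操作未指定Table>>>>>>>>>>>>>>>>>>>>>>>>>
+//判断不允许传的key>>>>>>>>>>>>>>>>>>>>>>>>>
+
 
 
 //校验与修改Request<<<<<<<<<<<<<<<<<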
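Review bot: The loop at new line 353 iterates `rkset`, which line 332 takes as the live `real.keySet()` view, and then calls `real.remove(rk)` at line 360 before continuing; removing through the map while iterating its key-set view makes the next `next()` throw ConcurrentModificationException for the usual HashMap/LinkedHashMap-backed JSONObject, so a request with a null key would crash instead of having the key dropped. Snapshot the keys before the loop, e.g. `Set<String> rkset = new LinkedHashSet<String>(real.keySet()); //解析内容并没有改变rkset`, so the removal is safe and the disallow list is still built from the same keys. Note also that the new check at line 365 rejects only an out-of-target `key:{}`; an out-of-target `key:[]` array value passes through, which may be deliberate given the Parser change that limits arrays to GET, but a one-line comment stating that assumption would make the intent clear. parse starts before this hunk, so the declarations of necessaryList and disallow are not visible here.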

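--- a/APIJSON-Java-Server/APIJSON-Idea/src/main/java/zuo/biao/apijson/server/sql/SQLConfig.java
+++ b/APIJSON-Java-Server/APIJSON-Idea/src/main/java/zuo/biao/apijson/server/sql/SQLConfig.java
@@ -1313,7 +1313,7 @@ else if (key.endsWith("-")) {//缩减,PUT查询时处理
 }
 
 if (verifyName && StringUtil.isName(key.startsWith("@") ? key.substring(1) : key) == false) {
-throw new IllegalArgumentException(TAG + "/" + method + " getRealKey: 字符 " + originKey + " 不合法!");
+throw new IllegalArgumentException(method + "请求,字符 " + originKey + " 不合法!");
 }
 
 if (saveLogic && last != null) {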
