Commit e94c44f

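GETS/HEADS/PUT/DELETE: do not allow the front end to pass @combine
Tencent#493 GETS/HEADS/PUT/DELETE do not allow the front end to pass @combine. The check has currently been removed here and needs to be added back in AbstractVerifier, so that @combine can only be configured on the back end, which guarantees both functionality and security.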
1 parent 65c3053 commit e94c44f

1 file changed

Lines changed: 5 additions & 0 deletions

APIJSONORM/src/main/java/apijson/orm/AbstractParser.java

@@ -39,6 +39,7 @@
3939
import apijson.orm.exception.CommonException;
4040
import apijson.orm.exception.UnsupportedDataTypeException;
4141

42+
import static apijson.JSONObject.KEY_COMBINE;
4243
import static apijson.JSONObject.KEY_EXPLAIN;
4344
import static apijson.RequestMethod.CRUD;
4445
import static apijson.RequestMethod.GET;
@@ -2192,6 +2193,10 @@ private JSONObject batchVerify(RequestMethod method, String tag, int version, St
21922193
RequestMethod _method = null;
21932194
if (request.get(key) instanceof JSONObject) {
21942195
_method = RequestMethod.valueOf(request.getJSONObject(key).getString(apijson.JSONObject.KEY_METHOD).toUpperCase());
2196+
String combine = request.getJSONObject(key).getString(KEY_COMBINE);
2197+
if (combine != null && (_method == RequestMethod.DELETE || _method == RequestMethod.GETS || _method == RequestMethod.HEADS)) {
2198+
throw new IllegalArgumentException(key + ":{} 里的 @combine:value 不合法!DELETE,GETS,HEADS 请求不允许传 @combine:value !");
2199+
}
21952200
} else {
21962201
if (keyObjectAttributesMap.get(key) == null) {
21972202
if (method == RequestMethod.CRUD) {
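
Review bot: The condition on added line 2197 omits PUT, although the commit title says GETS/HEADS/PUT/DELETE must not accept @combine from the front end. `_method == RequestMethod.PUT` is missing from both the check and the exception message, so a PUT object carrying @combine still passes here. Either add PUT to the condition and the message, or correct the commit title if PUT is intentionally allowed. The check also sits only in the `request.get(key) instanceof JSONObject` branch; whether the `else` path needs the same rejection is not visible in this hunk and is worth confirming. The commit message expects this validation in AbstractVerifier, while the change lands in `batchVerify` of AbstractParser, so a short comment stating where the check is meant to live would help. Minor: `request.getJSONObject(key)` is now called twice in consecutive lines and could be held in a local, and `KEY_COMBINE` is statically imported while the line above still spells out `apijson.JSONObject.KEY_METHOD`.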
