
Commit b3c5814

committed
Server:@ROLE:OWNER请求的userId和登录userId不符时抛异常
1 parent 54ef707 commit b3c5814


2 files changed

+17
-12
lines changed


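--- a/APIJSON-Java-Server/APIJSON-Eclipse/src/main/java/apijson/demo/server/Verifier.java
+++ b/APIJSON-Java-Server/APIJSON-Eclipse/src/main/java/apijson/demo/server/Verifier.java
@@ -126,7 +126,10 @@ public static boolean verify(SQLConfig config, User visitor) throws Exception {
 return true;
 }
 RequestRole role = config.getRole();
-
+if (role == null) {
+role = RequestRole.UNKNOWN;
+}
+
 long userId = visitor == null ? 0 : visitor.getId();
 //TODO 暂时去掉,方便测试
 if (role != RequestRole.UNKNOWN) {//未登录的角色
@@ -143,9 +146,7 @@ public static boolean verify(SQLConfig config, User visitor) throws Exception {
 String userIdkey = Controller.USER_.equals(config.getTable()) || Controller.PRIVACY_.equals(config.getTable())
 ? Controller.ID : Controller.USER_ID;
 
-if (role == null) {
-role = RequestRole.UNKNOWN;
-}
+Number requestId;
 switch (role) {
 case LOGIN://verifyRole通过就行
 break;
@@ -160,7 +161,7 @@ public static boolean verify(SQLConfig config, User visitor) throws Exception {
 }
 
 //key!{}:[] 或 其它没有明确id的条件 等 可以和key{}:list组合。类型错误就报错
-Number requestId = (Number) config.getWhere(userIdkey, true);//JSON里数值不能保证是Long,可能是Integer
+requestId = (Number) config.getWhere(userIdkey, true);//JSON里数值不能保证是Long,可能是Integer
 JSONArray requestIdArray = (JSONArray) config.getWhere(userIdkey + "{}", true);//不能是 &{}, |{} 不要传,直接{}
 if (requestId != null) {
 if (requestIdArray == null) {
@@ -181,16 +182,18 @@ public static boolean verify(SQLConfig config, User visitor) throws Exception {
 throw new UnsupportedDataTypeException(table + ".id类型错误,id类型必须是Long!");
 }
 if (list.contains(new Long("" + id)) == false) {//Integer等转为Long才能正确判断。强转崩溃
-if (method == null) {
-method = GET;
-}
 throw new IllegalAccessException(userIdkey + " = " + id + " 的 " + table
 + " 不允许 " + role.name() + " 用户的 " + method.name() + " 请求!");
 }
 }
 }
 break;
 case OWNER:
+requestId = (Number) config.getWhere(userIdkey, true);//JSON里数值不能保证是Long,可能是Integer
+if (requestId != null && requestId.longValue() != userId) {
+throw new IllegalAccessException(userIdkey + " = " + requestId + " 的 " + table
++ " 不允许 " + role.name() + " 用户的 " + method.name() + " 请求!");
+}
 config.addWhere(userIdkey, userId);
 break;
 case ADMIN://这里不好做,在特定接口内部判断? TODO /get/admin + 固定秘钥 Parser#noVerify,之后全局跳过验证
@@ -253,9 +256,9 @@ public static void verifyLogin(Long userId) throws Exception {
 throw new NotLoggedInException("未登录,请登录后再操作!");
 }
 }
-
-
-
+
+
+
 /**验证是否重复
 * @param table
 * @param key
@@ -296,7 +299,7 @@ public static void verifyRepeat(String table, String key, Object value, long exc
 throw new ConflictException(key + ": " + value + " 已经存在,不能重复!");
 }
 }
-
+
 
 /**获取来访用户的id
 * @author Lemon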
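Review bot: The new `case OWNER` branch (hunk at old line 193) rejects a mismatching scalar `userIdkey` value but never reads the `userIdkey + "{}"` list form that the other branch inspects, so a request carrying only the list form passes this check; whether that is safe depends on `config.addWhere(userIdkey, userId)` being combined with the caller's conditions by AND, which is not visible here, and deserves either an explicit rejection of the list for OWNER or a comment such as `// only the scalar key is checked here; the {} list form relies on addWhere below restricting to the visitor`. The line `requestId = (Number) config.getWhere(userIdkey, true);` with its identical trailing comment now appears in two cases (hunks at old lines 163 and 193) although `Number requestId;` is declared right before the switch; if `getWhere` has no side effects, `Number requestId = (Number) config.getWhere(userIdkey, true);` at the declaration would remove both duplicates. Removing the `if (method == null) { method = GET; }` guard leaves both `method.name()` calls depending on `method` being non-null, which holds only if that local is assigned from the now-`@NotNull` `SQLConfig.getMethod()` — its assignment is outside the hunk, as is the start and end of verify()'s body.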

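--- a/APIJSON-Java-Server/APIJSON-Eclipse/src/main/java/zuo/biao/apijson/server/sql/SQLConfig.java
+++ b/APIJSON-Java-Server/APIJSON-Eclipse/src/main/java/zuo/biao/apijson/server/sql/SQLConfig.java
@@ -160,6 +160,7 @@ public SQLConfig(RequestMethod method, int count, int page) {
 setPage(page);
 }
 
+@NotNull
 public RequestMethod getMethod() {
 if (method == null) {
 method = GET;
@@ -182,6 +183,7 @@ public SQLConfig setId(long id) {
 }
 
 public RequestRole getRole() {
+//不能 @NotNull , Parser#getSQLObject 内当getRole() == null时填充默认值
 return role;
 }
 public SQLConfig setRole(String roleName) {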
