

Structure新增校验userId和userId{}的值的类型;JSONObject内KEY_ID,KEY_USER_ID等的值可自定义
1 parent 588876c commit cbde4b4

2 files changed

+76
-42
lines changed


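--- a/APIJSON-Java-Server/APIJSON-Eclipse/APIJSONLibrary/src/main/java/zuo/biao/apijson/JSONObject.java
+++ b/APIJSON-Java-Server/APIJSON-Eclipse/APIJSONLibrary/src/main/java/zuo/biao/apijson/JSONObject.java
@@ -84,8 +84,10 @@ public static boolean isTableKey(String key) {
 //JSONObject内关键词 key <<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<
 
 
-public static final String KEY_ID = "id";
-public static final String KEY_ID_IN = KEY_ID + "{}";
+public static String KEY_ID = "id";
+public static String KEY_ID_IN = KEY_ID + "{}";
+public static String KEY_USER_ID = "userId";
+public static String KEY_USER_ID_IN = KEY_USER_ID + "{}";
 
 /**set "id":id in Table layer
 * @param id
@@ -94,13 +96,28 @@ public static boolean isTableKey(String key) {
 public JSONObject setId(Long id) {
 return puts(KEY_ID, id);
 }
-/**set id{}:[] in Table layer
+/**set "id{}":[] in Table layer
 * @param list
 * @return
 */
 public JSONObject setIdIn(List<Object> list) {
 return puts(KEY_ID_IN, list);
 }
+
+/**set "userId":userId in Table layer
+* @param id
+* @return
+*/
+public JSONObject setUserId(Long id) {
+return puts(KEY_USER_ID, id);
+}
+/**set "userId{}":[] in Table layer
+* @param list
+* @return
+*/
+public JSONObject setUserIdIn(List<Object> list) {
+return puts(KEY_USER_ID_IN, list);
+}
 
 
 //@key关键字都放这个类 <<<<<<<<<<<<<<<<<<<<<<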
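Review bot: Dropping `final` from `KEY_ID` and `KEY_USER_ID` turns the id-column names into mutable, unsynchronized static state, while `KEY_ID_IN` and `KEY_USER_ID_IN` are computed only once at class initialisation, so a later assignment to `KEY_ID` leaves `KEY_ID_IN` at `"id{}"`; the key that `setIdIn()` writes and the key that `Structure.verifyId` checks (it derives `idKey + "{}"` on its own) then no longer agree, and the validation that guards the `id{}` bypass would be applied to a key the request never carries. Since the commit message says the values are meant to be customizable, change the pair through one entry point, e.g. `public static void setKeyId(String keyId) { KEY_ID = keyId; KEY_ID_IN = keyId + "{}"; }` (and the same for userId), and document on the fields that they must be set once during startup before any request is parsed. The new `setUserId`/`setUserIdIn` Javadoc lists `@param id` and `@param list` without saying what they are; `@param id the userId value written under KEY_USER_ID` and `@param list the userId values written under KEY_USER_ID_IN` would do.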

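--- a/APIJSON-Java-Server/APIJSON-Eclipse/APIJSONLibrary/src/main/java/zuo/biao/apijson/server/Structure.java
+++ b/APIJSON-Java-Server/APIJSON-Eclipse/APIJSONLibrary/src/main/java/zuo/biao/apijson/server/Structure.java
@@ -15,7 +15,7 @@
 package zuo.biao.apijson.server;
 
 import static zuo.biao.apijson.JSONObject.KEY_ID;
-import static zuo.biao.apijson.JSONObject.KEY_ID_IN;
+import static zuo.biao.apijson.JSONObject.KEY_USER_ID;
 import static zuo.biao.apijson.server.Operation.ADD;
 import static zuo.biao.apijson.server.Operation.DISALLOW;
 import static zuo.biao.apijson.server.Operation.NECESSARY;
@@ -82,7 +82,6 @@ public static JSONObject parseRequest(@NotNull final RequestMethod method, final
 return null;
 }
 
-//TODO globleRole要不要改成@role? 只允许服务端Request表中加上可控的ADMIN角色
 if (RequestRole.get(request.getString(JSONRequest.KEY_ROLE)) == RequestRole.ADMIN) {
 throw new IllegalArgumentException("角色设置错误!不允许在写操作Request中传 " + name +
 ":{ " + JSONRequest.KEY_ROLE + ":admin } !");
@@ -105,43 +104,8 @@ public JSONObject onParseJSONObject(String key, JSONObject tobj, JSONObject robj
 }
 } else {
 if (RequestMethod.isQueryMethod(method) == false) {
-//单个修改或删除
-Object id = null;
-try {
-id = robj.getLong(KEY_ID); //如果必须传 id ,可在Request表中配置NECESSARY
-} catch (Exception e) {
-throw new IllegalArgumentException(method.name() + "请求," + name + "/" + key
-+ " 里面的 " + KEY_ID + ":value 中value的类型只能是 Long !");
-}
-
-JSONArray idIn = null;
-try {
-idIn = robj.getJSONArray(KEY_ID_IN); //如果必须传 id{} ,可在Request表中配置NECESSARY
-} catch (Exception e) {
-throw new IllegalArgumentException(method.name() + "请求," + name + "/" + key
-+ " 里面的 " + KEY_ID_IN + ":value 中value的类型只能是 [Long] !");
-}
-if (idIn == null) {
-//批量修改或删除
-if (id == null) {
-throw new IllegalArgumentException(method.name() + "请求," + name + "/" + key
-+ " 里面 " + KEY_ID + " 和 " + KEY_ID_IN + " 至少传其中一个!");
-}
-} else {
-if (idIn.size() > 10) { //不允许一次操作10条以上记录
-throw new IllegalArgumentException(method.name() + "请求," + name + "/" + key
-+ " 里面的 " + KEY_ID_IN + ":[] 中[]的长度不能超过10!");
-}
-//解决 id{}: ["1' OR 1='1'))--"] 绕过id{}限制
-for (int i = 0; i < idIn.size(); i++) {
-try {
-idIn.getLong(i);
-} catch (Exception e) {
-throw new IllegalArgumentException(method.name() + "请求," + name + "/" + key
-+ " 里面的 " + KEY_ID_IN + ":[] 中所有项的类型都只能是Long!");
-}
-}
-}
+verifyId(method.name(), name, key, robj, KEY_ID, true);
+verifyId(method.name(), name, key, robj, KEY_USER_ID, false);
 }
 }
 }
@@ -151,8 +115,61 @@ public JSONObject onParseJSONObject(String key, JSONObject tobj, JSONObject robj
 });
 
 }
+
+/**
+* @param method
+* @param name
+* @param key
+* @param robj
+* @param idKey
+* @param atLeastOne 至少有一个不为null
+*/
+private static void verifyId(@NotNull String method, @NotNull String name, @NotNull String key
+, @NotNull JSONObject robj, @NotNull String idKey, boolean atLeastOne) {
+//单个修改或删除
+Object id = null;
+try {
+id = robj.getLong(idKey); //如果必须传 id ,可在Request表中配置NECESSARY
+} catch (Exception e) {
+throw new IllegalArgumentException(method + "请求," + name + "/" + key
++ " 里面的 " + idKey + ":value 中value的类型只能是 Long !");
+}
+
+//批量修改或删除
+String idInKey = idKey + "{}";
+
+JSONArray idIn = null;
+try {
+idIn = robj.getJSONArray(idInKey); //如果必须传 id{} ,可在Request表中配置NECESSARY
+} catch (Exception e) {
+throw new IllegalArgumentException(method + "请求," + name + "/" + key
++ " 里面的 " + idInKey + ":value 中value的类型只能是 [Long] !");
+}
+if (idIn == null) {
+if (atLeastOne && id == null) {
+throw new IllegalArgumentException(method + "请求," + name + "/" + key
++ " 里面 " + idKey + " 和 " + idInKey + " 至少传其中一个!");
+}
+} else {
+if (idIn.size() > 10) { //不允许一次操作10条以上记录
+throw new IllegalArgumentException(method + "请求," + name + "/" + key
++ " 里面的 " + idInKey + ":[] 中[]的长度不能超过10!");
+}
+//解决 id{}: ["1' OR 1='1'))--"] 绕过id{}限制
+//new ArrayList<Long>(idIn) 不能检查类型,Java泛型擦除问题,居然能把 ["a"] 赋值进去还不报错
+for (int i = 0; i < idIn.size(); i++) {
+try {
+idIn.getLong(i);
+} catch (Exception e) {
+throw new IllegalArgumentException(method + "请求," + name + "/" + key
++ " 里面的 " + idInKey + ":[] 中所有项的类型都只能是Long!");
+}
+}
+}
+}
 
 
+
 /**校验并将response转换为指定的内容和结构
 * @param method
 * @param name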
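Review bot: All three `catch (Exception e)` blocks in the new `verifyId` (new-file lines 133, 144 and 163) discard the caught exception, so the `IllegalArgumentException` they throw carries neither the parse failure nor which value was rejected; pass it on as the cause, `throw new IllegalArgumentException(..., e);`, and consider narrowing the catch to the exception types `getLong`/`getJSONArray` actually throw rather than `Exception`. The type check at line 143 also inspects the value that `robj.getJSONArray(idInKey)` returns rather than the value stored under the key — if the underlying JSONObject parses a String value into an array on `getJSONArray` (the base class is not visible here, but fastjson does this), a string such as `"[1,2]"` would pass the per-item Long loop while whatever later reads `robj` still sees the raw string; an explicit `if (!(robj.get(idInKey) instanceof JSONArray))` rejection before the loop closes that gap. The Javadoc on `verifyId` lists the parameters without describing them; state that `idKey` is the single-id key, that `idKey + "{}"` is the derived batch key, that `atLeastOne` demands one of the two be present, and add `@throws IllegalArgumentException when a value has the wrong type, both keys are absent with atLeastOne, or the array holds more than 10 items`. The literal in `idIn.size() > 10` would read better as a named constant such as `MAX_BATCH_ID_COUNT`, and `Object id = null;` followed by the assignment in the try could simply be `Long id` declared where it is assigned.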
