Server：解决远程函数对比版本错误；解决批量新增可能被绕过权限和参数校验；删除已被废弃的 Operation

TommyLemon · TommyLemon · commit 79f177868445 · 2020-03-02T00:41:18.000+08:00
diff --git a/APIJSON-Java-Server/APIJSONBoot/src/main/java/apijson/demo/server/DemoObjectParser.java b/APIJSON-Java-Server/APIJSONBoot/src/main/java/apijson/demo/server/DemoObjectParser.java
@@ -24,8 +24,8 @@
 import zuo.biao.apijson.RequestMethod;
 import zuo.biao.apijson.StringUtil;
 import zuo.biao.apijson.server.AbstractObjectParser;
+import zuo.biao.apijson.server.AbstractParser;
 import zuo.biao.apijson.server.Join;
-import zuo.biao.apijson.server.Parser;
 import zuo.biao.apijson.server.SQLConfig;
 
 
@@ -59,7 +59,7 @@ public DemoObjectParser setMethod(RequestMethod method) {
 	}
 
 	@Override
-	public DemoObjectParser setParser(Parser<?> parser) {
+	public DemoObjectParser setParser(AbstractParser<?> parser) {
 		super.setParser(parser);
 		return this;
 	}
diff --git a/APIJSON-Java-Server/APIJSONORM/src/main/java/zuo/biao/apijson/JSONRequest.java b/APIJSON-Java-Server/APIJSONORM/src/main/java/zuo/biao/apijson/JSONRequest.java
@@ -69,7 +69,7 @@ public JSONRequest setTag(String tag) {
 	 * @param version
 	 * @return
 	 */
-	public JSONRequest setVersion(String version) {
+	public JSONRequest setVersion(Integer version) {
 		return puts(KEY_VERSION, version);
 	}
 	/**set "format":format in outermost layer
diff --git a/APIJSON-Java-Server/APIJSONORM/src/main/java/zuo/biao/apijson/server/AbstractObjectParser.java b/APIJSON-Java-Server/APIJSONORM/src/main/java/zuo/biao/apijson/server/AbstractObjectParser.java
@@ -21,6 +21,7 @@
 import static zuo.biao.apijson.RequestMethod.PUT;
 import static zuo.biao.apijson.server.SQLConfig.TYPE_ITEM;
 
+import java.rmi.ServerException;
 import java.util.ArrayList;
 import java.util.Arrays;
 import java.util.HashMap;
@@ -36,6 +37,7 @@
 import com.alibaba.fastjson.JSONArray;
 import com.alibaba.fastjson.JSONObject;
 
+import zuo.biao.apijson.JSONResponse;
 import zuo.biao.apijson.Log;
 import zuo.biao.apijson.NotNull;
 import zuo.biao.apijson.RequestMethod;
@@ -52,8 +54,8 @@ public abstract class AbstractObjectParser implements ObjectParser {
 	private static final String TAG = "AbstractObjectParser";
 
 	@NotNull
-	protected Parser<?> parser;
-	public AbstractObjectParser setParser(Parser<?> parser) {
+	protected AbstractParser<?> parser;
+	public AbstractObjectParser setParser(AbstractParser<?> parser) {
 		this.parser = parser;
 		return this;
 	}
@@ -233,43 +235,53 @@ public AbstractObjectParser parse() throws Exception {
 					key = entry.getKey();
 
 					try {
-						if (value instanceof JSONObject && key.startsWith("@") == false && key.endsWith("@") == false) {//JSONObject，往下一级提取
+						if (value instanceof JSONObject && key.startsWith("@") == false && key.endsWith("@") == false) { //JSONObject，往下一级提取
 							if (childMap != null) {//添加到childMap，最后再解析
 								childMap.put(key, (JSONObject)value);
 							}
-							else {//直接解析并替换原来的，[]:{} 内必须直接解析，否则会因为丢掉count等属性，并且total@:"/[]/total"必须在[]:{} 后！
+							else { //直接解析并替换原来的，[]:{} 内必须直接解析，否则会因为丢掉count等属性，并且total@:"/[]/total"必须在[]:{} 后！
 								response.put(key, onChildParse(index, key, (JSONObject)value));
 								index ++;
 							}
-						} else if (value instanceof JSONArray && method == POST &&
-										key.startsWith("@") == false && key.endsWith("@") == false) {//JSONArray，批量新增，往下一级提取
-							JSONArray valueArray = (JSONArray)value;
-
-							for (int i = 0; i < valueArray.size(); i++) {
-								if (childMap != null) {//添加到childMap，最后再解析
-									childMap.put(key, valueArray.getJSONObject(i));
-								}
-								else {//直接解析并替换原来的，[]:{} 内必须直接解析，否则会因为丢掉count等属性，并且total@:"/[]/total"必须在[]:{} 后！
-									JSONObject result = (JSONObject)onChildParse(index, key, valueArray.getJSONObject(i));
-									//合并结果
-									JSONObject before = (JSONObject)response.get(key);
-									if(result.get("code").equals(200)){
-										if(before!=null){
-											before.put("count",before.getInteger("count")+result.getInteger("count"));
-											response.put(key, before);
-										}else{
-											response.put(key, result);
-										}
-									} else {
-										//只要有一条失败，则抛出异常，全部失败
-										throw new RuntimeException(key + "," + valueArray.getJSONObject(i) +",新增失败!");
-									}
+						}
+						else if (method == PUT && value instanceof JSONArray
+								&& (whereList == null || whereList.contains(key) == false)) { //PUT JSONArray
+							onPUTArrayParse(key, (JSONArray) value);
+						}
+						else if (method == POST && value instanceof JSONArray && key.endsWith("[]") && JSONRequest.isTableKey(key.substring(0, key.length() - 2))) { //JSONArray，批量新增，往下一级提取
+							String childKey = key.substring(0, key.length() - 2);
+							JSONArray valueArray = (JSONArray) value;
+
+							int allCount = 0;
+							JSONArray ids = new JSONArray();
+							
+							int version = parser.getVersion();
+							int maxUpdateCount = parser.getMaxUpdateCount();
+
+							for (int i = 0; i < valueArray.size(); i++) { //只要有一条失败，则抛出异常，全部失败
+								//TODO 改成一条多 VALUES 的 SQL 性能更高，报错也更会更好处理，更人性化
+								JSONRequest req = new JSONRequest(childKey, valueArray.getJSONObject(i));
+
+								//parser.getMaxSQLCount() ? 可能恶意调用接口，把数据库拖死
+								JSONObject result = (JSONObject) onChildParse(0, "" + i, parser.parseCorrectRequest(method, childKey, version, "", req, maxUpdateCount, parser));
+								result = result.getJSONObject(childKey);
+//
+								boolean success = JSONResponse.isSuccess(result);
+								int count = result == null ? null : result.getIntValue(JSONResponse.KEY_COUNT);
+
+								if (success == false || count != 1) { //如果 code = 200 但 count != 1，不能算成功，掩盖了错误为不好排查问题
+									throw new ServerException("批量新增失败！" + key + "/" +  i + "：" + (success ? "成功但 count != 1 ！" : (result == null ? "null" : result.getString(JSONResponse.KEY_MSG))));
 								}
+								
+								allCount += count;
+								ids.add(result.get(JSONResponse.KEY_ID));
 							}
-							index ++;
-						} else if (method == PUT && value instanceof JSONArray
-								&& (whereList == null || whereList.contains(key) == false)) {//PUT JSONArray
-							onPUTArrayParse(key, (JSONArray) value);
+
+							JSONObject allResult = AbstractParser.newSuccessResult();
+							allResult.put(JSONResponse.KEY_ID_IN, ids);
+							allResult.put(JSONResponse.KEY_COUNT, allCount);
+
+							response.put(key, allResult); //不按原样返回，避免数据量过大
 						}
 						else {//JSONArray或其它Object，直接填充
 							if (onParse(key, value) == false) {
diff --git a/APIJSON-Java-Server/APIJSONORM/src/main/java/zuo/biao/apijson/server/AbstractParser.java b/APIJSON-Java-Server/APIJSONORM/src/main/java/zuo/biao/apijson/server/AbstractParser.java
@@ -120,7 +120,7 @@ public AbstractParser<T> setMethod(RequestMethod method) {
 		this.transactionIsolation = RequestMethod.isQueryMethod(method) ? Connection.TRANSACTION_NONE : Connection.TRANSACTION_REPEATABLE_READ;
 		return this;
 	}
-	
+
 	protected int version;
 	@Override
 	public int getVersion() {
@@ -131,7 +131,7 @@ public AbstractParser<T> setVersion(int version) {
 		this.version = version;
 		return this;
 	}
-	
+
 	protected String tag;
 	@Override
 	public String getTag() {
@@ -462,8 +462,40 @@ public static JSONObject parseRequest(String request) throws Exception {
 	}
 
 	@Override
-	public JSONObject parseCorrectRequest(JSONObject target) throws Exception {
-		return Structure.parseRequest(requestMethod, "", target, requestObject, getMaxUpdateCount(), this);
+	public JSONObject parseCorrectRequest(RequestMethod method, String tag, int version, String name, @NotNull JSONObject request
+			, int maxUpdateCount, SQLCreator creator) throws Exception {
+		
+		if (RequestMethod.isPublicMethod(method)) {
+			return request;//需要指定JSON结构的get请求可以改为post请求。一般只有对安全性要求高的才会指定，而这种情况用明文的GET方式几乎肯定不安全
+		}
+
+		if (StringUtil.isEmpty(tag, true)) {
+			throw new IllegalArgumentException("请在最外层设置 tag ！一般是 Table 名，例如 \"tag\": \"User\" ");
+		}
+
+		//获取指定的JSON结构 <<<<<<<<<<<<
+		JSONObject object = null;
+		String error = "";
+		try {
+			object = getStructure("Request", JSONRequest.KEY_TAG, tag, version);
+		} catch (Exception e) {
+			error = e.getMessage();
+		}
+		if (object == null) {//empty表示随意操作  || object.isEmpty()) {
+			throw new UnsupportedOperationException("非开放请求必须是后端 Request 表中校验规则允许的操作！\n " + error);
+		}
+
+		JSONObject target = null;
+		if (zuo.biao.apijson.JSONObject.isTableKey(tag) && object.containsKey(tag) == false) {//tag是table名
+			target = new JSONObject(true);
+			target.put(tag, object);
+		} else {
+			target = object;
+		}
+		//获取指定的JSON结构 >>>>>>>>>>>>>>
+
+		//JSONObject clone 浅拷贝没用，Structure.parse 会导致 structure 里面被清空，第二次从缓存里取到的就是 {}
+		return Structure.parseRequest(method, name, target, request, maxUpdateCount, creator);
 	}
 
 
@@ -585,41 +617,11 @@ else if (e instanceof NullPointerException) {
 	 */
 	@Override
 	public JSONObject parseCorrectRequest() throws Exception {
-		if (RequestMethod.isPublicMethod(requestMethod)) {
-			return requestObject;//需要指定JSON结构的get请求可以改为post请求。一般只有对安全性要求高的才会指定，而这种情况用明文的GET方式几乎肯定不安全
-		}
-
-		String tag = requestObject.getString(JSONRequest.KEY_TAG);
-		if (StringUtil.isNotEmpty(tag, true) == false) {
-			throw new IllegalArgumentException("请在最外层设置 tag ！一般是 Table 名，例如 \"tag\": \"User\" ");
-		}
-		setTag(tag);
-
-		int version = requestObject.getIntValue(JSONRequest.KEY_VERSION);
-
-		JSONObject object = null;
-		String error = "";
-		try {
-			object = getStructure("Request", JSONRequest.KEY_TAG, tag, version);
-		} catch (Exception e) {
-			error = e.getMessage();
-		}
-		if (object == null) {//empty表示随意操作  || object.isEmpty()) {
-			throw new UnsupportedOperationException("非开放请求必须是后端 Request 表中校验规则允许的操作！\n " + error);
-		}
-
-		JSONObject target = null;
-		if (zuo.biao.apijson.JSONObject.isTableKey(tag) && object.containsKey(tag) == false) {//tag是table名
-			target = new JSONObject(true);
-			target.put(tag, object);
-		} else {
-			target = object;
-		}
-		//获取指定的JSON结构 >>>>>>>>>>>>>>
-
+		setTag(requestObject.getString(JSONRequest.KEY_TAG));
+		setVersion(requestObject.getIntValue(JSONRequest.KEY_VERSION));
 		requestObject.remove(JSONRequest.KEY_TAG);
 		requestObject.remove(JSONRequest.KEY_VERSION);
-		return parseCorrectRequest((JSONObject) target.clone());
+		return parseCorrectRequest(requestMethod, tag, version, "", requestObject, getMaxUpdateCount(), this);
 	}
 
 
diff --git a/APIJSON-Java-Server/APIJSONORM/src/main/java/zuo/biao/apijson/server/Operation.java b/APIJSON-Java-Server/APIJSONORM/src/main/java/zuo/biao/apijson/server/Operation.java
@@ -48,14 +48,10 @@ public enum Operation {
 	 * 添加，当要被添加的对象不存在时
 	 */
 	INSERT,
-	@Deprecated
-	ADD, //用 INSERT 替代，和 RequestMethod.UPDATE 保持长度接近，最快在 4.0.0 移除，请尽快修改 Request 表 structure 字段对应值里的 PUT
 	/**
 	 * 强行放入，不存在时就添加，存在时就修改
 	 */
 	UPDATE,
-	@Deprecated
-	PUT, //用 UPDATE 替代，容易和 RequestMethod.PUT 混淆，最快在 4.0.0 移除，请尽快修改 Request 表 structure 字段对应值里的 PUT
 	/**
 	 * 替换，当要被替换的对象存在时
 	 */
diff --git a/APIJSON-Java-Server/APIJSONORM/src/main/java/zuo/biao/apijson/server/Parser.java b/APIJSON-Java-Server/APIJSONORM/src/main/java/zuo/biao/apijson/server/Parser.java
@@ -90,8 +90,9 @@ public interface Parser<T> {
 
 	JSONObject parseCorrectRequest() throws Exception;
 	
-	JSONObject parseCorrectRequest(JSONObject target) throws Exception;
-
+	JSONObject parseCorrectRequest(RequestMethod method, String tag, int version, String name, JSONObject request,
+			int maxUpdateCount, SQLCreator creator) throws Exception;
+	
 	JSONObject parseCorrectResponse(String table, JSONObject response) throws Exception;
 
 	JSONObject getStructure(String table, String key, String value, int version) throws Exception;
@@ -153,4 +154,5 @@ public interface Parser<T> {
 	void rollback(Savepoint savepoint) throws SQLException;
 	void commit() throws SQLException;
 	void close();
+
 }
diff --git a/APIJSON-Java-Server/APIJSONORM/src/main/java/zuo/biao/apijson/server/RemoteFunction.java b/APIJSON-Java-Server/APIJSONORM/src/main/java/zuo/biao/apijson/server/RemoteFunction.java
@@ -77,7 +77,7 @@ public static Object invoke(@NotNull RemoteFunction fun, @NotNull JSONObject req
 		}
 		
 		int v = row.getIntValue("version");
-		if (v < fun.getVersion()) {
+		if (fun.getVersion() < v) {
 			throw new UnsupportedOperationException("不允许 version = " + fun.getVersion() + " 的请求调用远程函数 " + fb.getMethod() + " ! 必须满足 version >= " + v + " !");
 		}
 		String t = row.getString("tag");
diff --git a/APIJSON-Java-Server/APIJSONORM/src/main/java/zuo/biao/apijson/server/Structure.java b/APIJSON-Java-Server/APIJSONORM/src/main/java/zuo/biao/apijson/server/Structure.java
@@ -16,11 +16,9 @@
 
 import static zuo.biao.apijson.JSONObject.KEY_ID;
 import static zuo.biao.apijson.JSONObject.KEY_USER_ID;
-import static zuo.biao.apijson.server.Operation.ADD;
 import static zuo.biao.apijson.server.Operation.DISALLOW;
 import static zuo.biao.apijson.server.Operation.INSERT;
 import static zuo.biao.apijson.server.Operation.NECESSARY;
-import static zuo.biao.apijson.server.Operation.PUT;
 import static zuo.biao.apijson.server.Operation.REMOVE;
 import static zuo.biao.apijson.server.Operation.REPLACE;
 import static zuo.biao.apijson.server.Operation.TYPE;
@@ -230,30 +228,24 @@ public static JSONObject parse(String name, JSONObject target, JSONObject real
 		JSONObject type = target.getJSONObject(TYPE.name());
 		JSONObject verify = target.getJSONObject(VERIFY.name());
 		JSONObject insert = target.getJSONObject(INSERT.name());
-		JSONObject add = target.getJSONObject(ADD.name());
 		JSONObject update = target.getJSONObject(UPDATE.name());
-		JSONObject put = target.getJSONObject(PUT.name());
 		JSONObject replace = target.getJSONObject(REPLACE.name());
 
 		String unique = StringUtil.getNoBlankString(target.getString(UNIQUE.name()));
 		String remove = StringUtil.getNoBlankString(target.getString(REMOVE.name()));
 		String necessary = StringUtil.getNoBlankString(target.getString(NECESSARY.name()));
 		String disallow = StringUtil.getNoBlankString(target.getString(DISALLOW.name()));
 
-		//不还原，传进来的target不应该是原来的
 		target.remove(TYPE.name());
 		target.remove(VERIFY.name());
 		target.remove(INSERT.name());
-		target.remove(ADD.name());
 		target.remove(UPDATE.name());
-		target.remove(PUT.name());
 		target.remove(REPLACE.name());
 
 		target.remove(UNIQUE.name());
 		target.remove(REMOVE.name());
 		target.remove(NECESSARY.name());
 		target.remove(DISALLOW.name());
-		//获取配置>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
 
 
 
@@ -373,9 +365,7 @@ public static JSONObject parse(String name, JSONObject target, JSONObject real
 		real = operate(TYPE, type, real, creator);
 		real = operate(VERIFY, verify, real, creator);
 		real = operate(INSERT, insert, real, creator);
-		real = operate(ADD, add, real, creator);
 		real = operate(UPDATE, update, real, creator);
-		real = operate(PUT, put, real, creator);
 		real = operate(REPLACE, replace, real, creator);
 		//校验与修改Request>>>>>>>>>>>>>>>>>
 
@@ -390,6 +380,20 @@ public static JSONObject parse(String name, JSONObject target, JSONObject real
 		}
 		//校验重复>>>>>>>>>>>>>>>>>>>
 
+		
+		//还原 <<<<<<<<<<
+		target.put(TYPE.name(), type);
+		target.put(VERIFY.name(), verify);
+		target.put(INSERT.name(), insert);
+		target.put(UPDATE.name(), update);
+		target.put(REPLACE.name(), replace);
+
+		target.put(UNIQUE.name(), unique);
+		target.put(REMOVE.name(), remove);
+		target.put(NECESSARY.name(), necessary);
+		target.put(DISALLOW.name(), disallow);
+		//还原 >>>>>>>>>>
+		
 		Log.i(TAG, "parse  return real = " + JSON.toJSONString(real));
 		return real;
 	}
@@ -433,9 +437,6 @@ else if (opt == VERIFY) {
 			else if (opt == UPDATE) {
 				real.put(tk, tv);
 			}
-			else if (opt == PUT) {
-				real.put(tk, tv);
-			}
 			else {
 				if (real.containsKey(tk)) {
 					if (opt == REPLACE) {
@@ -446,9 +447,6 @@ else if (opt == PUT) {
 					if (opt == INSERT) {
 						real.put(tk, tv);
 					}
-					if (opt == ADD) {
-						real.put(tk, tv);
-					}
 				}
 			}
 		}

Original file line number	Diff line number	Diff line change
`@@ -69,7 +69,7 @@ public JSONRequest setTag(String tag) {`
`69`	`69`	`* @param version`
`70`	`70`	`* @return`
`71`	`71`	`*/`
`72`		`- public JSONRequest setVersion(String version) {`
	`72`	`+ public JSONRequest setVersion(Integer version) {`
`73`	`73`	`return puts(KEY_VERSION, version);`
`74`	`74`	`}`
`75`	`75`	`/**set "format":format in outermost layer`
Original file line number	Diff line number	Diff line change
`@@ -77,7 +77,7 @@ public static Object invoke(@NotNull RemoteFunction fun, @NotNull JSONObject req`
`77`	`77`	`}`
`78`	`78`
`79`	`79`	`int v = row.getIntValue("version");`
`80`		`- if (v < fun.getVersion()) {`
	`80`	`+ if (fun.getVersion() < v) {`
`81`	`81`	`throw new UnsupportedOperationException("不允许 version = " + fun.getVersion() + " 的请求调用远程函数 " + fb.getMethod() + " ! 必须满足 version >= " + v + " !");`
`82`	`82`	`}`
`83`	`83`	`String t = row.getString("tag");`