|
30 | 30 | import com.alibaba.fastjson.JSONObject; |
31 | 31 |
|
32 | 32 | import apijson.demo.server.Verifier; |
33 | | -import apijson.demo.server.model.BaseModel; |
34 | 33 | import apijson.demo.server.model.User; |
35 | 34 | import zuo.biao.apijson.JSON; |
36 | 35 | import zuo.biao.apijson.JSONResponse; |
@@ -177,7 +176,7 @@ public JSONObject parseResponse(JSONObject request) { |
177 | 176 | if (session != null && requestObject.getIntValue(JSONRequest.KEY_VERSION) <= 0) { |
178 | 177 | requestObject.put(JSONRequest.KEY_VERSION, session.getAttribute(JSONRequest.KEY_VERSION)); |
179 | 178 | } |
180 | | - |
| 179 | + |
181 | 180 | requestObject = getCorrectRequest(requestMethod, requestObject); |
182 | 181 | } |
183 | 182 | } catch (Exception e) { |
@@ -628,8 +627,9 @@ public JSONObject parseResponse(JSONRequest request) throws Exception { |
628 | 627 | private JSONArray getArray(String parentPath, String name, final JSONObject request) throws Exception { |
629 | 628 | Log.i(TAG, "\n\n\n getArray parentPath = " + parentPath |
630 | 629 | + "; name = " + name + "; request = " + JSON.toJSONString(request)); |
631 | | - if (RequestMethod.isGetMethod(requestMethod, true) == false) { |
632 | | - throw new UnsupportedOperationException("key[]:{}只支持GET类方法!不允许传 " + name + ":{} !"); |
| 630 | + //不能允许GETS,否则会被通过"[]":{"@role":"ADMIN"},"Table":{},"tag":"Table"绕过权限并能批量查询 |
| 631 | + if (RequestMethod.isGetMethod(requestMethod, false) == false) { |
| 632 | + throw new UnsupportedOperationException("key[]:{}只支持GET方法!不允许传 " + name + ":{} !"); |
633 | 633 | } |
634 | 634 | if (request == null || request.isEmpty()) {//jsonKey-jsonValue条件 |
635 | 635 | return null; |
|