Features:
Add address
Delete address
Update address
Address list
Address pagination
Address details
Learning objectives:
Object binding in Spring MVC data binding
MyBatis auto-generated primary keys: configuration and usage
Reinforce how to prevent horizontal privilege escalation (IDOR) vulnerabilities
Table design:
Interface design:
1. Add address:
/shipping/add.do
Request parameters:
userId=1
receiverName=geely
receiverPhone=010
receiverMobile=18688888888
receiverProvince=北京
receiverCity=北京市
receiverAddress=中关村
receiverZip=100000
Response parameters:
The shippingId of the newly added address must be returned.
Returning the primary key id (shippingId) is handled by adding a generated-key return configuration to the insert statement, with the framework doing the work (the MyBatis auto-generated primary key feature from the learning objectives).
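As an added example (not the page's or the mmall project's own code), the following shows the two learning objectives together: a MyBatis annotation mapper whose insert hands the auto-generated key back through useGeneratedKeys/keyProperty, and a Spring MVC controller that binds the receiverName, receiverPhone, ... request parameters onto a Shipping object by name. The table name mmall_shipping, the column names, the session attribute name currentUser, the User class, the status codes and the use of Lombok @Data for the entity are all assumptions.

```java
import java.util.HashMap;
import java.util.Map;

import javax.servlet.http.HttpSession;

import lombok.Data;
import org.apache.ibatis.annotations.Insert;
import org.apache.ibatis.annotations.Mapper;
import org.apache.ibatis.annotations.Options;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.stereotype.Controller;
import org.springframework.stereotype.Service;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.ResponseBody;

// Assumed session user type; only the id is needed here.
@Data class User { private Integer id; }

// Entity populated by Spring MVC data binding. Property names match the request
// parameter names (receiverName, receiverPhone, ...), which is what lets Spring
// fill the object automatically. Lombok generates the getters/setters binding needs.
@Data class Shipping {
    private Integer id;
    private Integer userId;
    private String receiverName;
    private String receiverPhone;
    private String receiverMobile;
    private String receiverProvince;
    private String receiverCity;
    private String receiverAddress;
    private String receiverZip;
}

@Mapper
interface ShippingMapper {
    // useGeneratedKeys asks JDBC for the auto-increment key and keyProperty tells
    // MyBatis to write it back into shipping.id once the insert has run.
    @Insert("INSERT INTO mmall_shipping (user_id, receiver_name, receiver_phone, receiver_mobile, "
          + "receiver_province, receiver_city, receiver_address, receiver_zip, create_time, update_time) "
          + "VALUES (#{userId}, #{receiverName}, #{receiverPhone}, #{receiverMobile}, "
          + "#{receiverProvince}, #{receiverCity}, #{receiverAddress}, #{receiverZip}, now(), now())")
    @Options(useGeneratedKeys = true, keyProperty = "id")
    int insert(Shipping shipping);
}

@Service
class ShippingService {
    @Autowired private ShippingMapper shippingMapper;

    // Returns the new shippingId, or null when nothing was inserted.
    public Integer add(Integer userId, Shipping shipping) {
        shipping.setUserId(userId);            // ownership is set by the server, not the client
        int rowCount = shippingMapper.insert(shipping);
        return rowCount > 0 ? shipping.getId() : null;   // id was filled in by MyBatis
    }
}

@Controller
@RequestMapping("/shipping/")
class ShippingController {
    static final String CURRENT_USER = "currentUser";   // assumed session attribute name

    @Autowired private ShippingService shippingService;

    // Spring MVC binds receiverName=..., receiverPhone=... onto the Shipping parameter.
    // A userId=1 sent by the client also binds, but the service overwrites it with the
    // session user's id, so the client cannot create an address under someone else's account.
    @RequestMapping("add.do")
    @ResponseBody
    public Map<String, Object> add(HttpSession session, Shipping shipping) {
        Map<String, Object> response = new HashMap<>();
        User user = (User) session.getAttribute(CURRENT_USER);
        if (user == null) {
            response.put("status", 10);            // constructed "need login" code
            response.put("msg", "need login");
            return response;
        }
        Integer shippingId = shippingService.add(user.getId(), shipping);
        if (shippingId == null) {
            response.put("status", 1);
            response.put("msg", "add failed");
            return response;
        }
        Map<String, Object> data = new HashMap<>();
        data.put("shippingId", shippingId);        // the value the interface must return
        response.put("status", 0);
        response.put("data", data);
        return response;
    }
}
```

The XML mapper form of the same thing is `<insert id="insert" useGeneratedKeys="true" keyProperty="id">`; either way, after `insert()` returns the entity's `id` field holds the database-generated key.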
2. Delete address:
/shipping/del.do
Parameter: shippingId
Horizontal privilege escalation problem:
A horizontal delete across users is possible here. The interface verifies that the user is logged in, but once logged in a user can tamper with the request and pass another user's shippingId; because the delete does not re-check that the address belongs to the currently logged-in user, it ends up deleting other users' shipping addresses.
Solution strategy:
When deleting, verify userId and shippingId together; the userId used here must be the user taken from the session.
3. Update address:
/shipping/update.do
Parameters:
id=1 (primary key id in the shipping table)
receiverName=geely
receiverPhone=010
receiverMobile=18688888888
receiverProvince=北京
receiverCity=北京市
receiverAddress=中关村
receiverZip=100000
Tip: privilege escalation must be prevented here as well. userId is taken from the session, but it is not part of the update itself; it is used only as a WHERE condition.
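The solution strategy for delete and the update tip, as an added example that is not the page's or the project's code. It shows the vulnerable delete (keyed only on shippingId) next to the hardened delete and update, where the session user's id is an extra WHERE condition and never appears in SET. Table and column names, the trimmed Lombok @Data entities, the session attribute name currentUser and the status codes are assumptions.

```java
import java.util.HashMap;
import java.util.Map;

import javax.servlet.http.HttpSession;

import lombok.Data;
import org.apache.ibatis.annotations.Delete;
import org.apache.ibatis.annotations.Mapper;
import org.apache.ibatis.annotations.Param;
import org.apache.ibatis.annotations.Update;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.stereotype.Controller;
import org.springframework.stereotype.Service;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RequestParam;
import org.springframework.web.bind.annotation.ResponseBody;

@Data class User { private Integer id; }          // assumed session user type

@Data class Shipping {                             // fields trimmed to what the update needs
    private Integer id;
    private Integer userId;
    private String receiverName;
    private String receiverAddress;
}

@Mapper
interface ShippingMapper {
    // VULNERABLE (what the text warns about): the row is selected by shippingId alone,
    // so any logged-in user who supplies another user's shippingId deletes that address.
    @Delete("DELETE FROM mmall_shipping WHERE id = #{shippingId}")
    int deleteByPrimaryKey(@Param("shippingId") Integer shippingId);

    // FIXED: the row must also belong to the caller. A foreign shippingId matches
    // zero rows, so the statement is a no-op instead of a cross-user delete.
    @Delete("DELETE FROM mmall_shipping WHERE id = #{shippingId} AND user_id = #{userId}")
    int deleteByShippingIdUserId(@Param("userId") Integer userId,
                                 @Param("shippingId") Integer shippingId);

    // userId is only a WHERE condition, never in SET: sending a different userId
    // with the update can neither touch nor re-own another user's row.
    @Update("UPDATE mmall_shipping SET receiver_name = #{receiverName}, "
          + "receiver_address = #{receiverAddress}, update_time = now() "
          + "WHERE id = #{id} AND user_id = #{userId}")
    int updateByShipping(Shipping shipping);
}

@Service
class ShippingService {
    @Autowired private ShippingMapper shippingMapper;

    // rowCount == 0 covers both "no such address" and "not yours"; the caller gets the
    // same failure either way, so the API does not reveal whether the id exists.
    public boolean del(Integer userId, Integer shippingId) {
        return shippingMapper.deleteByShippingIdUserId(userId, shippingId) > 0;
    }

    public boolean update(Integer userId, Shipping shipping) {
        shipping.setUserId(userId);   // overwrite whatever userId the client may have sent
        return shippingMapper.updateByShipping(shipping) > 0;
    }
}

@Controller
@RequestMapping("/shipping/")
class ShippingController {
    @Autowired private ShippingService shippingService;

    @RequestMapping("del.do")
    @ResponseBody
    public Map<String, Object> del(HttpSession session, @RequestParam("shippingId") Integer shippingId) {
        User user = (User) session.getAttribute("currentUser");   // assumed attribute name
        if (user == null) return fail("need login");
        // the user id handed to the service is the session's, never a request parameter
        return shippingService.del(user.getId(), shippingId) ? ok() : fail("delete failed");
    }

    @RequestMapping("update.do")
    @ResponseBody
    public Map<String, Object> update(HttpSession session, Shipping shipping) {
        User user = (User) session.getAttribute("currentUser");
        if (user == null) return fail("need login");
        return shippingService.update(user.getId(), shipping) ? ok() : fail("update failed");
    }

    private static Map<String, Object> ok() { Map<String, Object> m = new HashMap<>(); m.put("status", 0); return m; }
    private static Map<String, Object> fail(String msg) { Map<String, Object> m = ok(); m.put("status", 1); m.put("msg", msg); return m; }
}
```

The service never calls `deleteByPrimaryKey`; it is kept only to show the difference. Checking the returned row count is what turns the joint WHERE into an actual access-control decision rather than a silent no-op.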
4. View the details of one address
/shipping/select.do
Parameter:
shippingId (primary key id in the shipping table)
Response:
{
    "id": 4,
    "userId": 13,
    "receiverName": "geely",
    "receiverPhone": "010",
    "receiverMobile": "18688888888",
    "receiverProvince": "北京",
    "receiverCity": "北京市",
    "receiverAddress": "中关村",
    "receiverZip": "100000",
    "createTime": 1485066385000,
    "updateTime": 1485066385000
}
Tip: watch for the privilege escalation problem here too; the query must include userId.
5. Address list
/shipping/list.do
Parameters:
pageNum (default 1), pageSize (default 10)
Returns:
All of the user's addresses wrapped in a list, with the pagination information packaged by PageHelper.
Tip: watch for the user privilege escalation problem; the query must include userId.
{
    "status": 0,
    "data": {
        "pageNum": 1,
        "pageSize": 10,
        "size": 2,
        "orderBy": null,
        "startRow": 1,
        "endRow": 2,
        "total": 2,
        "pages": 1,
        "list": [
            {
                "id": 4,
                "userId": 13,
                "receiverName": "geely",
                "receiverPhone": "010",
                "receiverMobile": "18688888888",
                "receiverProvince": "北京",
                "receiverCity": "北京市",
                "receiverAddress": "中关村",
                "receiverZip": "100000",
                "createTime": 1485066385000,
                "updateTime": 1485066385000
            },
            {
                "id": 5,
                "userId": 13,
                "receiverName": "AAA",
                "receiverPhone": "010",
                "receiverMobile": "18688888888",
                "receiverProvince": "北京",
                "receiverCity": "北京市",
                "receiverAddress": "中关村",
                "receiverZip": "100000",
                "createTime": 1485066392000,
                "updateTime": 1485075875000
            }
        ],
        "firstPage": 1,
        "prePage": 0,
        "nextPage": 0,
        "lastPage": 1,
        "isFirstPage": true,
        "isLastPage": true,
        "hasPreviousPage": false,
        "hasNextPage": false,
        "navigatePages": 8,
        "navigatepageNums": [ 1 ]
    }
}
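The detail and list interfaces (sections 4 and 5) as an added example, not code from the page or the project: both read paths are scoped to the session user's id, and the list is paginated with PageHelper so that the PageInfo envelope shown above (pageNum, pageSize, total, pages, hasNextPage, navigatePages ...) is what gets returned. Table and column names, the trimmed Lombok @Data entities, the session attribute name currentUser and the status codes are assumptions.

```java
import java.util.HashMap;
import java.util.List;
import java.util.Map;

import javax.servlet.http.HttpSession;

import com.github.pagehelper.PageHelper;
import com.github.pagehelper.PageInfo;
import lombok.Data;
import org.apache.ibatis.annotations.Mapper;
import org.apache.ibatis.annotations.Param;
import org.apache.ibatis.annotations.Select;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.stereotype.Controller;
import org.springframework.stereotype.Service;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RequestParam;
import org.springframework.web.bind.annotation.ResponseBody;

@Data class User { private Integer id; }          // assumed session user type

@Data class Shipping {                             // trimmed entity; the column aliases below map onto it
    private Integer id;
    private Integer userId;
    private String receiverName;
    private String receiverAddress;
}

@Mapper
interface ShippingMapper {
    String COLUMNS = "id, user_id AS userId, receiver_name AS receiverName, receiver_address AS receiverAddress";

    // Detail lookup is scoped to the owner: a foreign shippingId yields null
    // rather than another user's address.
    @Select("SELECT " + COLUMNS + " FROM mmall_shipping WHERE id = #{shippingId} AND user_id = #{userId}")
    Shipping selectByShippingIdUserId(@Param("userId") Integer userId,
                                      @Param("shippingId") Integer shippingId);

    // The list takes no user id from the client; it is always the session user's rows.
    @Select("SELECT " + COLUMNS + " FROM mmall_shipping WHERE user_id = #{userId}")
    List<Shipping> selectByUserId(@Param("userId") Integer userId);
}

@Service
class ShippingService {
    @Autowired private ShippingMapper shippingMapper;

    public Shipping select(Integer userId, Integer shippingId) {
        return shippingMapper.selectByShippingIdUserId(userId, shippingId);
    }

    // PageHelper.startPage() intercepts the very next mapper query (and only that one),
    // adding LIMIT/OFFSET plus a COUNT query; PageInfo then carries pageNum, pageSize,
    // total, pages, hasNextPage and the rest of the envelope shown in the response above.
    public PageInfo<Shipping> list(Integer userId, int pageNum, int pageSize) {
        PageHelper.startPage(pageNum, pageSize);
        List<Shipping> shippingList = shippingMapper.selectByUserId(userId);   // must directly follow startPage
        return new PageInfo<>(shippingList);
    }
}

@Controller
@RequestMapping("/shipping/")
class ShippingController {
    @Autowired private ShippingService shippingService;

    @RequestMapping("select.do")
    @ResponseBody
    public Map<String, Object> select(HttpSession session, @RequestParam("shippingId") Integer shippingId) {
        User user = (User) session.getAttribute("currentUser");   // assumed attribute name
        if (user == null) return fail("need login");
        Shipping shipping = shippingService.select(user.getId(), shippingId);
        return shipping == null ? fail("address not found") : ok(shipping);
    }

    @RequestMapping("list.do")
    @ResponseBody
    public Map<String, Object> list(HttpSession session,
                                    @RequestParam(value = "pageNum", defaultValue = "1") int pageNum,
                                    @RequestParam(value = "pageSize", defaultValue = "10") int pageSize) {
        User user = (User) session.getAttribute("currentUser");
        if (user == null) return fail("need login");
        return ok(shippingService.list(user.getId(), pageNum, pageSize));
    }

    private static Map<String, Object> ok(Object data) { Map<String, Object> m = new HashMap<>(); m.put("status", 0); m.put("data", data); return m; }
    private static Map<String, Object> fail(String msg) { Map<String, Object> m = new HashMap<>(); m.put("status", 1); m.put("msg", msg); return m; }
}
```

Because PageHelper only paginates the first statement executed after `startPage()`, no other mapper call may sit between the two lines in `list()`; otherwise the wrong query gets the LIMIT and the address query runs unpaginated.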