From e94c44fb14e3098cef80eac420cca336808095c4 Mon Sep 17 00:00:00 2001
From: cloudAndMonkey
Date: Mon, 9 Jan 2023 10:10:07 +0800
Subject: [PATCH 1/2] =?UTF-8?q?GETS/HEADS/PUT/DELETE=20=E4=B8=8D=E5=85=81?=
 =?UTF-8?q?=E8=AE=B8=E5=89=8D=E7=AB=AF=E4=BC=A0=20@combine?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

https://github.com/Tencent/APIJSON/pull/493
GETS/HEADS/PUT/DELETE 不允许前端传 @combine,目前在这里去掉了校验,需要在 AbstractVerifier 补上,这样就只能通过后端配置 @combine 了,既保证了功能,又保证了安全
---
 APIJSONORM/src/main/java/apijson/orm/AbstractParser.java | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/APIJSONORM/src/main/java/apijson/orm/AbstractParser.java b/APIJSONORM/src/main/java/apijson/orm/AbstractParser.java
index 2d89677a..f12f4c5e 100755
--- a/APIJSONORM/src/main/java/apijson/orm/AbstractParser.java
+++ b/APIJSONORM/src/main/java/apijson/orm/AbstractParser.java
@@ -39,6 +39,7 @@ import apijson.orm.exception.CommonException;
 import apijson.orm.exception.UnsupportedDataTypeException;
+import static apijson.JSONObject.KEY_COMBINE;
 import static apijson.JSONObject.KEY_EXPLAIN;
 import static apijson.RequestMethod.CRUD;
 import static apijson.RequestMethod.GET;
@@ -2192,6 +2193,10 @@ private JSONObject batchVerify(RequestMethod method, String tag, int version, St
 RequestMethod _method = null;
 if (request.get(key) instanceof JSONObject) {
 _method = RequestMethod.valueOf(request.getJSONObject(key).getString(apijson.JSONObject.KEY_METHOD).toUpperCase());
+ String combine = request.getJSONObject(key).getString(KEY_COMBINE);
+ if (combine != null && (_method == RequestMethod.DELETE || _method == RequestMethod.GETS || _method == RequestMethod.HEADS)) {
+ throw new IllegalArgumentException(key + ":{} 里的 @combine:value 不合法!DELETE,GETS,HEADS 请求不允许传 @combine:value !");
+ }
 } else {
 if (keyObjectAttributesMap.get(key) == null) {
 if (method == RequestMethod.CRUD) {

From 8bf7195b90bf968bb3eba6497fa6a6f6de58ba93 Mon Sep 17 00:00:00 2001
From: cloudAndMonkey
Date: Mon, 9 Jan 2023 14:58:30 +0800
Subject: [PATCH 2/2] =?UTF-8?q?=E6=9B=B4=E6=AD=A3=EF=BC=8C=E5=BC=80?=
 =?UTF-8?q?=E6=94=BE=E8=AF=B7=E6=B1=82=20GET=E3=80=81HEAD=20=E6=89=8D?=
 =?UTF-8?q?=E5=85=81=E8=AE=B8=E4=BC=A0=20@combine:value?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 APIJSONORM/src/main/java/apijson/orm/AbstractParser.java | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/APIJSONORM/src/main/java/apijson/orm/AbstractParser.java b/APIJSONORM/src/main/java/apijson/orm/AbstractParser.java
index f12f4c5e..b4499ee2 100755
--- a/APIJSONORM/src/main/java/apijson/orm/AbstractParser.java
+++ b/APIJSONORM/src/main/java/apijson/orm/AbstractParser.java
@@ -2194,8 +2194,8 @@ private JSONObject batchVerify(RequestMethod method, String tag, int version, St
 if (request.get(key) instanceof JSONObject) {
 _method = RequestMethod.valueOf(request.getJSONObject(key).getString(apijson.JSONObject.KEY_METHOD).toUpperCase());
 String combine = request.getJSONObject(key).getString(KEY_COMBINE);
- if (combine != null && (_method == RequestMethod.DELETE || _method == RequestMethod.GETS || _method == RequestMethod.HEADS)) {
- throw new IllegalArgumentException(key + ":{} 里的 @combine:value 不合法!DELETE,GETS,HEADS 请求不允许传 @combine:value !");
+ if (combine != null && RequestMethod.isPublicMethod(_method) == false) {
+ throw new IllegalArgumentException(key + ":{} 里的 @combine:value 不合法!开放请求 GET、HEAD 才允许传 @combine:value !");
 }
 } else {
 if (keyObjectAttributesMap.get(key) == null) {
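Review bot: The guard on the `if (combine != null && ...)` line only inspects the `@combine` key of the object stored directly under `key`, so a `@combine` that sits in an object nested inside it, or in a value that is not a JSONObject and therefore takes the `else` branch, is not rejected by this hunk; the first patch's description says that check still has to be added in AbstractVerifier, so until it lands the restriction is partial and a comment should say so, e.g. `// only this object's own @combine is rejected here; nested objects and non-JSONObject values rely on the AbstractVerifier check`. The same limitation applies to the first patch's version of this hunk. As a point of style, `RequestMethod.isPublicMethod(_method) == false` reads more idiomatically as `!RequestMethod.isPublicMethod(_method)`. batchVerify begins and ends outside the hunk.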