Shipping Address Module

Copyright notice: this is the blogger's original article and may not be reproduced without the blogger's permission. https://blog.csdn.net/xiao__jia__jia/article/details/82182319


Portal: shipping address API (wiki):
https://gitee.com/imooccode/happymmallwiki/wikis/%E9%97%A8%E6%88%B7_%E6%94%B6%E8%B4%A7%E5%9C%B0%E5%9D%80%E6%8E%A5%E5%8F%A3?sort_id=9916

Object binding in SpringMVC data binding

SpringMVC populates a Shipping object directly from the request parameters by matching parameter names to property names, so the controller only has to read the logged-in user from the session and hand both to the service:

    @RequestMapping("add.do")
    @ResponseBody
    public ServerResponse add(HttpSession session, Shipping shipping) {
        // The owner of the address is whoever is logged in, taken from the session.
        User user = (User) session.getAttribute(Const.CURRENT_USER);
        if (user == null) {
            return ServerResponse.createByErrorCodeMessage(ResponseCode.NEED_LOGIN.getCode(), ResponseCode.NEED_LOGIN.getDesc());
        }
        // The client-bound Shipping object is passed as-is; the service sets userId itself.
        return iShippingService.add(user.getId(), shipping);
    }

Because the object is filled from whatever the client sends, a request can also carry fields such as userId or id. The service must therefore overwrite userId with the session user's id rather than trust the bound value; otherwise a client could create addresses under another user's account.


MyBatis auto-generated primary keys: configuration and use

With useGeneratedKeys="true" and keyProperty="id" on the insert statement, MyBatis reads the key generated by the database (the AUTO_INCREMENT id of mmall_shipping) back into the id property of the Shipping object once the insert has run. Note that the statement still passes #{id} through: the key is only generated when id is null, and a Shipping object that already carries an id would insert that value instead.

<insert id="insert" parameterType="com.mmall.pojo.Shipping" useGeneratedKeys="true" keyProperty="id">
    insert into mmall_shipping (id, user_id, receiver_name, 
      receiver_phone, receiver_mobile, receiver_province, 
      receiver_city, receiver_district, receiver_address, 
      receiver_zip, create_time, update_time
      )
    values (#{id,jdbcType=INTEGER}, #{userId,jdbcType=INTEGER}, #{receiverName,jdbcType=VARCHAR}, 
      #{receiverPhone,jdbcType=VARCHAR}, #{receiverMobile,jdbcType=VARCHAR}, #{receiverProvince,jdbcType=VARCHAR}, 
      #{receiverCity,jdbcType=VARCHAR}, #{receiverDistrict,jdbcType=VARCHAR}, #{receiverAddress,jdbcType=VARCHAR}, 
      #{receiverZip,jdbcType=VARCHAR}, now(), now()
      )
  </insert>

Returning the id of the newly inserted row

    public ServerResponse add(Integer userId, Shipping shipping) {
        // Bind the address to the session user, overriding anything the client submitted.
        shipping.setUserId(userId);
        int rowCount = shippingMapper.insert(shipping);
        if (rowCount > 0) {
            // After the insert MyBatis has filled shipping.id with the generated key.
            Map result = Maps.newHashMap();
            result.put("shippingId", shipping.getId());
            return ServerResponse.createBySuccess("Address created", result);
        }
        return ServerResponse.createByErrorMessage("Failed to create address");
    }



Hardening against horizontal privilege escalation
Nothing ties shippingId to userId in the delete path, so a horizontal privilege escalation (an insecure direct object reference) is possible: once a user has passed the login check, the shippingId parameter is entirely under their control, and by submitting another user's shippingId they delete that user's address.
 

    // Vulnerable version: the delete is keyed on shippingId alone and never
    // checks that the row belongs to userId.
    public ServerResponse<String> del(Integer userId, Integer shippingId) {
        int resultCount = shippingMapper.deleteByPrimaryKey(shippingId);
        if (resultCount > 0) {
            return ServerResponse.createBySuccessMessage("Address deleted");
        }
        return ServerResponse.createByErrorMessage("Failed to delete address");
    }

    <delete id="deleteByPrimaryKey" parameterType="java.lang.Integer">
      delete from mmall_shipping
      where id = #{id,jdbcType=INTEGER}
    </delete>


It has to be changed so that the delete is scoped to the owner:

    <delete id="deleteByShippingIdUserId" parameterType="map">
      DELETE FROM mmall_shipping
      where id = #{shippingId}
      and user_id = #{userId}
    </delete>

The service passes both userId (from the session) and shippingId (from the request) in the parameter map and treats a row count of 0 as a failure; the caller cannot tell "no such address" from "not your address", which is the intended behaviour. The same user_id predicate belongs on every other statement keyed on shippingId, such as update and select-by-id, or the same flaw reappears there.
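As an added example (not the project's own Java/MyBatis code), the Python script below models the page's two delete statements and the generated-key retrieval on insert against an in-memory SQLite table named mmall_shipping. `add` plays the role of IShippingService.add with useGeneratedKeys/keyProperty, `delete_by_primary_key` reproduces the vulnerable deleteByPrimaryKey, and `delete_by_shipping_id_user_id` reproduces the fixed deleteByShippingIdUserId. The two users, their addresses, the reduced column set and the function names are constructed for this example.

```python
"""Added example, not the project's code: a Python/sqlite3 model of the two
MyBatis delete statements on the page plus generated-key retrieval on insert.
Table and column names follow mmall_shipping; the users and addresses are
constructed test data and the column set is reduced to what the demo needs."""
import sqlite3

# Constructed subset of the mmall_shipping table; AUTOINCREMENT plays the role
# of MySQL AUTO_INCREMENT so the database, not the client, assigns id.
SCHEMA = """
CREATE TABLE mmall_shipping (
    id               INTEGER PRIMARY KEY AUTOINCREMENT,
    user_id          INTEGER NOT NULL,
    receiver_name    TEXT,
    receiver_mobile  TEXT,
    receiver_address TEXT,
    create_time      TEXT DEFAULT CURRENT_TIMESTAMP,
    update_time      TEXT DEFAULT CURRENT_TIMESTAMP
)
"""


def open_db():
    conn = sqlite3.connect(":memory:")
    conn.execute(SCHEMA)
    return conn


def add(conn, user_id, shipping):
    """Counterpart of IShippingService.add: user_id comes from the session,
    never from the client-bound object, and the generated id is returned
    (the role MyBatis' useGeneratedKeys/keyProperty="id" plays)."""
    # Overwrite any user_id the client bound into the object (mass-assignment guard).
    row = dict(shipping, user_id=user_id)
    cur = conn.execute(
        "INSERT INTO mmall_shipping (user_id, receiver_name, receiver_mobile, receiver_address) "
        "VALUES (:user_id, :receiver_name, :receiver_mobile, :receiver_address)",
        row,
    )
    conn.commit()
    return cur.lastrowid


def delete_by_primary_key(conn, shipping_id):
    """Vulnerable deleteByPrimaryKey: keyed on id alone, owner never checked."""
    cur = conn.execute("DELETE FROM mmall_shipping WHERE id = ?", (shipping_id,))
    conn.commit()
    return cur.rowcount


def delete_by_shipping_id_user_id(conn, user_id, shipping_id):
    """Fixed deleteByShippingIdUserId: the row must belong to the caller.
    A rowcount of 0 covers both 'no such id' and 'not your row'."""
    cur = conn.execute(
        "DELETE FROM mmall_shipping WHERE id = ? AND user_id = ?",
        (shipping_id, user_id),
    )
    conn.commit()
    return cur.rowcount


def owner_of(conn, shipping_id):
    """Return the user_id that owns an address, or None if the row is gone."""
    row = conn.execute(
        "SELECT user_id FROM mmall_shipping WHERE id = ?", (shipping_id,)
    ).fetchone()
    return row[0] if row else None


def demo():
    """Replay the attack against both statements; returns the observations."""
    conn = open_db()
    alice, mallory = 1, 2          # constructed session user ids
    alice_form = {"receiver_name": "Alice", "receiver_mobile": "13800000001",
                  "receiver_address": "1 Example Road", "user_id": 999}
    mallory_form = {"receiver_name": "Mallory", "receiver_mobile": "13800000002",
                    "receiver_address": "2 Example Road"}

    results = {}
    alice_addr = add(conn, alice, alice_form)       # user_id 999 from the form is ignored
    mallory_addr = add(conn, mallory, mallory_form)
    results["generated_ids"] = (alice_addr, mallory_addr)
    results["alice_owner"] = owner_of(conn, alice_addr)

    # Mallory is logged in as user 2 but submits Alice's shippingId.
    results["vuln_deleted"] = delete_by_primary_key(conn, alice_addr)
    results["alice_row_after_vuln"] = owner_of(conn, alice_addr)

    # Recreate Alice's address and replay against the hardened statement.
    alice_addr = add(conn, alice, alice_form)
    results["fixed_deleted"] = delete_by_shipping_id_user_id(conn, mallory, alice_addr)
    results["alice_row_after_fix"] = owner_of(conn, alice_addr)
    # Alice deleting her own address still works.
    results["own_deleted"] = delete_by_shipping_id_user_id(conn, alice, alice_addr)
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Running `demo()` shows the vulnerable statement removing Alice's row when Mallory supplies its id (one row deleted), while the scoped statement deletes nothing for Mallory and still deletes the row for Alice herself. The service layer only sees the row count, which is exactly the signal it needs to return success or failure without leaking whether the id exists.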
