
修复CoreApiController逻辑错误,增加参数字段校验

luoshi vor 4 Jahren
Ursprung
Commit
921d1c4776

+ 0 - 2
stmms-biz/src/main/java/cn/com/qmth/stmms/biz/exam/model/ExamStudent.java

@@ -29,8 +29,6 @@ public class ExamStudent implements Serializable {
 
     public static final String SPLIT = ";";
 
-    public static final int SECRET_NUMBER_LENGTH = 8;
-
     public static final int SECRET_NUMBER_START = 10000000;
 
     public static final int SECRET_NUMBER_END = 99999999;

+ 14 - 0
stmms-biz/src/main/java/cn/com/qmth/stmms/biz/exam/query/ExamStudentSearchQuery.java

@@ -12,6 +12,8 @@ public class ExamStudentSearchQuery extends BaseQuery<ExamStudent> {
 
     private Integer examId;
 
+    private Integer schoolId;
+
     private String campusName;
 
     private String name;
@@ -88,6 +90,10 @@ public class ExamStudentSearchQuery extends BaseQuery<ExamStudent> {
         setSort(new Sort(Direction.ASC, "examNumber"));
     }
 
+    public void orderByExamIdDesc() {
+        setSort(new Sort(Direction.DESC, "examId"));
+    }
+
     public Integer getExamId() {
         return examId;
     }
@@ -96,6 +102,14 @@ public class ExamStudentSearchQuery extends BaseQuery<ExamStudent> {
         this.examId = examId;
     }
 
+    public Integer getSchoolId() {
+        return schoolId;
+    }
+
+    public void setSchoolId(Integer schoolId) {
+        this.schoolId = schoolId;
+    }
+
     public String getName() {
         return name;
     }

+ 3 - 0
stmms-biz/src/main/java/cn/com/qmth/stmms/biz/exam/service/impl/ExamStudentServiceImpl.java

@@ -470,6 +470,9 @@ public class ExamStudentServiceImpl extends BaseQueryService<ExamStudent> implem
                 if (query.getExamId() > 0) {
                     predicates.add(cb.equal(root.get("examId"), query.getExamId()));
                 }
+                if (query.getSchoolId() != null) {
+                    predicates.add(cb.equal(root.get("schoolId"), query.getSchoolId()));
+                }
                 if (StringUtils.isNotBlank(query.getIds())) {
                     String[] ids = query.getIds().split(",");
                     List<String> list = new ArrayList<String>();

+ 25 - 0
stmms-web/src/main/java/cn/com/qmth/stmms/api/controller/BaseApiController.java

@@ -38,4 +38,29 @@ public class BaseApiController extends BaseController {
         obj.accumulate("success", success);
         return obj;
     }
+
+    protected String validate(String name, String value, boolean required, int maxLength) {
+        value = StringUtils.trimToNull(value);
+        if (required && value == null) {
+            throw ApiException.QUERY_PARAM_ERROR.replaceMessage(name + " is required");
+        }
+        if (value != null && maxLength > 0 && value.length() > maxLength) {
+            throw ApiException.QUERY_PARAM_ERROR.replaceMessage(name + " length exceed " + maxLength);
+        }
+        return value;
+    }
+
+    protected String validate(String value, boolean notBlank, int maxLength) {
+        if (value == null) {
+            return null;
+        }
+        value = value.trim();
+        if (notBlank && value.length() == 0) {
+            return null;
+        }
+        if (maxLength > 0 && value.length() > maxLength) {
+            return null;
+        }
+        return value;
+    }
 }
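Review bot: The two `validate` overloads carry different contracts under one name: the first throws `ApiException.QUERY_PARAM_ERROR` for a missing or over-long value, while the second silently returns `null` for an over-long value, so a caller that uses the lenient form to update an existing field drops the client's input with no error reported back. A Javadoc on each would make that explicit; for the second, something like `/** Lenient variant: trims the value and returns null (instead of throwing) when it is missing, blank with notBlank set, or longer than maxLength; callers treat null as "leave unchanged". */`. Consider also renaming the lenient overload (for example `validateOptional`) or rejecting over-length input there as well, so a silently discarded value cannot be mistaken for a successful update.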

+ 131 - 53
stmms-web/src/main/java/cn/com/qmth/stmms/api/controller/CoreController.java

@@ -6,7 +6,11 @@ import cn.com.qmth.stmms.biz.exam.model.ExamStudent;
 import cn.com.qmth.stmms.biz.exam.query.ExamStudentSearchQuery;
 import cn.com.qmth.stmms.biz.exam.service.ExamService;
 import cn.com.qmth.stmms.biz.exam.service.ExamStudentService;
+import cn.com.qmth.stmms.common.annotation.RoleRequire;
 import cn.com.qmth.stmms.common.domain.ApiUser;
+import cn.com.qmth.stmms.common.enums.ExamStatus;
+import cn.com.qmth.stmms.common.enums.ExamType;
+import cn.com.qmth.stmms.common.enums.Role;
 import cn.com.qmth.stmms.common.enums.SubjectiveStatus;
 import cn.com.qmth.stmms.common.utils.DateUtils;
 import cn.com.qmth.stmms.common.utils.RequestUtils;
@@ -25,9 +29,11 @@ import java.text.DecimalFormat;
 import java.util.Date;
 
 @Controller("coreApiController")
-@RequestMapping("/api/core")
+@RequestMapping("/api")
 public class CoreController extends BaseApiController {
 
+    private static final int MAX_QUERY_PAGE_SIZE = 500;
+
     @Autowired
     private ExamService examService;
 
@@ -36,77 +42,137 @@ public class CoreController extends BaseApiController {
 
     @RequestMapping(value = "/exam/save", method = RequestMethod.POST)
     @ResponseBody
-    public JSONObject save(HttpServletRequest request, @RequestParam(required = false) Integer id,
+    @RoleRequire({ Role.SCHOOL_ADMIN, Role.SCHOOL_DEV })
+    public JSONObject examSave(HttpServletRequest request, @RequestParam(required = false) Integer id,
             @RequestParam(required = false) String code, @RequestParam String name,
             @RequestParam(required = false) String examTime) {
-        JSONObject result = new JSONObject();
         ApiUser user = RequestUtils.getApiUser(request);
-        if (id == null && code == null) {
-            Exam exam = new Exam();
-            exam.setName(exam.getName());
-            exam.setExamTime(DateUtils.parseDate(examTime));
-            exam = examService.save(exam);
-            result.accumulate("id", exam.getId());
-            result.accumulate("updateTime", DateUtils.formatDateTime(exam.getUpdateTime()));
-            return result;
-        }
-        Exam exam = null;
+        JSONObject result = new JSONObject();
+        //输入字段预处理并初步校验
+        code = validate("code", code, false, 32);
+        name = validate("name", name, true, 32);
+        Date time = DateUtils.parseDate(examTime);
+        Exam current = null;
         if (id != null) {
-            exam = examService.findById(id);
+            //根据id查找考试并校验
+            current = examService.findById(id);
+            if (current == null) {
+                throw ApiException.QUERY_PARAM_ERROR.replaceMessage("id invalid");
+            }
         } else if (code != null) {
-            exam = examService.findBySchoolAndCode(user.getSchoolId(), code);
-        }
-        if (exam != null && exam.getSchoolId().equals(user.getSchoolId())) {
-            exam.setName(name);
-            exam.setExamTime(DateUtils.parseDate(examTime));
-            exam = examService.save(exam);
-            result.accumulate("id", exam.getId());
-            result.accumulate("updateTime", DateUtils.formatDateTime(exam.getUpdateTime()));
-            return result;
+            //根据code查找考试并校验
+            current = examService.findBySchoolAndCode(user.getSchoolId(), code);
         } else {
+            throw ApiException.QUERY_PARAM_ERROR.replaceMessage("id/code both unexists");
+        }
+        if (current == null) {
+            //新建考试并校验考试时间
+            if (time == null) {
+                throw ApiException.QUERY_PARAM_ERROR.replaceMessage("examTime invalid");
+            }
+            current = new Exam();
+            current.setCode(code);
+            current.setSchoolId(user.getSchoolId());
+            current.setType(ExamType.SCAN_IMAGE);
+            current.setStatus(ExamStatus.START);
+            current.setCreateTime(new Date());
+        } else if (!current.getSchoolId().equals(user.getSchoolId()) || current.getStatus() != ExamStatus.START) {
             throw ApiException.EXAM_NOT_ACCESSIBLED;
         }
+        current.setName(name);
+        if (time != null) {
+            current.setExamTime(time);
+        }
+        current = examService.save(current);
+        result.accumulate("id", current.getId());
+        result.accumulate("updateTime", DateUtils.formatDateTime(current.getUpdateTime()));
+        return result;
     }
 
     @RequestMapping(value = "/exam/student/save", method = RequestMethod.POST)
     @ResponseBody
-    public JSONObject studentSave(HttpServletRequest request, @RequestParam Integer examId,
+    @RoleRequire({ Role.SCHOOL_ADMIN, Role.SCHOOL_DEV })
+    public JSONObject examStudentSave(HttpServletRequest request, @RequestParam Integer examId,
             @RequestParam String examNumber, @RequestParam String studentCode, @RequestParam String name,
             @RequestParam String college, @RequestParam String className, @RequestParam String teacher,
             @RequestParam String subjectCode, @RequestParam String subjectName,
             @RequestParam(required = false) String packageCode, @RequestParam(required = false) String paperType,
             @RequestParam(required = false) String examSite, @RequestParam(required = false) String examRoom) {
+        ApiUser user = RequestUtils.getApiUser(request);
         Exam exam = examService.findById(examId);
-        if (exam == null) {
+        if (exam == null || !exam.getSchoolId().equals(user.getSchoolId()) || exam.getStatus() != ExamStatus.START) {
             throw ApiException.EXAM_NOT_ACCESSIBLED;
         }
+        examNumber = validate("examNumber", examNumber, true, 64);
         ExamStudent student = studentService.findByExamIdAndExamNumber(examId, examNumber);
         if (student == null) {
+            //新建考生
             student = new ExamStudent();
             student.setExamId(examId);
-            student.setExamNumber(examNumber);
-            student.setPackageCode(packageCode);
-
             student.setSchoolId(exam.getSchoolId());
+            student.setExamNumber(examNumber);
+            student.setPackageCode(validate("packageCode", packageCode, false, 64));
+            student.setStudentCode(validate("studentCode", studentCode, true, 64));
+            student.setName(validate("name", name, true, 32));
+            student.setSubjectCode(validate("subjectCode", subjectCode, true, 32));
+            student.setSubjectName(validate("subjectName", subjectName, true, 32));
+            student.setCollege(validate("college", college, true, 32));
+            student.setClassName(validate("className", className, true, 32));
+            student.setTeacher(validate("teacher", teacher, true, 32));
+            student.setPaperType(validate("paperType", paperType, false, 16));
+            student.setExamSite(validate("examSite", examSite, false, 32));
+            student.setExamRoom(validate("examRoom", examRoom, false, 32));
             student.setAbsent(false);
+            student.setManualAbsent(false);
             student.setUpload(false);
             student.setException(false);
+            student.setBreach(false);
             student.setSliceCount(0);
             student.setSheetCount(0);
             student.setObjectiveScore(0d);
             student.setSubjectiveScore(0d);
             student.setSubjectiveStatus(SubjectiveStatus.UNMARK);
+        } else {
+            //更新现有考生
+            name = validate(name, true, 32);
+            if (name != null) {
+                student.setName(name);
+            }
+            studentCode = validate(studentCode, true, 64);
+            if (studentCode != null) {
+                student.setStudentCode(studentCode);
+            }
+            subjectCode = validate(subjectCode, true, 32);
+            subjectName = validate(subjectName, true, 32);
+            if (subjectCode != null && subjectName != null) {
+                student.setSubjectCode(subjectCode);
+                student.setSubjectName(subjectName);
+            }
+            paperType = validate(paperType, true, 16);
+            if (paperType != null) {
+                student.setPaperType(paperType);
+            }
+            college = validate(college, true, 32);
+            if (college != null) {
+                student.setCollege(college);
+            }
+            className = validate(className, true, 32);
+            if (className != null) {
+                student.setClassName(className);
+            }
+            teacher = validate(teacher, true, 32);
+            if (teacher != null) {
+                student.setTeacher(teacher);
+            }
+            examSite = validate(examSite, false, 32);
+            if (examSite != null) {
+                student.setExamSite(examSite);
+            }
+            examRoom = validate(examRoom, false, 32);
+            if (examRoom != null) {
+                student.setExamRoom(examRoom);
+            }
         }
-        student.setStudentCode(studentCode);
-        student.setName(name);
-        student.setSubjectCode(subjectCode);
-        student.setSubjectName(subjectName);
-        student.setCollege(college);
-        student.setClassName(className);
-        student.setTeacher(teacher);
-        student.setPaperType(paperType);
-        student.setExamSite(examSite);
-        student.setExamRoom(examRoom);
         studentService.save(student);
         JSONObject result = new JSONObject();
         result.accumulate("updateTime", DateUtils.formatDateTime(new Date()));
@@ -115,20 +181,29 @@ public class CoreController extends BaseApiController {
 
     @RequestMapping(value = "/student/query", method = RequestMethod.POST)
     @ResponseBody
+    @RoleRequire({ Role.SCHOOL_ADMIN, Role.SCHOOL_DEV })
     public JSONArray studentQuery(HttpServletRequest request, @RequestParam String studentCode,
             @RequestParam(required = false) String subjectCode, @RequestParam(required = false) Date minExamTime) {
+        ApiUser user = RequestUtils.getApiUser(request);
         JSONArray array = new JSONArray();
+        studentCode = StringUtils.trimToNull(studentCode);
+        subjectCode = StringUtils.trimToNull(subjectCode);
+        if (studentCode == null) {
+            throw ApiException.QUERY_PARAM_ERROR.replaceMessage("studentCode invalid");
+        }
         ExamStudentSearchQuery query = new ExamStudentSearchQuery();
+        query.setSchoolId(user.getSchoolId());
         query.setStudentCode(studentCode);
         query.setSubjectCode(subjectCode);
+        query.orderByExamIdDesc();
         query = studentService.findByQuery(query);
         for (ExamStudent student : query.getResult()) {
             Exam exam = examService.findById(student.getExamId());
-            if (minExamTime != null && minExamTime.after(exam.getExamTime())) {
+            if (minExamTime != null && minExamTime.before(exam.getExamTime())) {
                 JSONObject obj = new JSONObject();
-                obj.accumulate("examId", student.getExamId());
-                obj.accumulate("examCode", StringUtils.trimToEmpty(exam.getCode()));
-                obj.accumulate("examTime", DateUtils.pastDays(exam.getExamTime()));
+                obj.accumulate("examId", exam.getId());
+                obj.accumulate("examCode", exam.getCode());
+                obj.accumulate("examTime", DateUtils.formatDateTime(exam.getExamTime()));
                 obj.accumulate("examNumber", student.getExamNumber());
                 obj.accumulate("name", student.getName());
                 obj.accumulate("subjectCode", student.getSubjectCode());
@@ -143,34 +218,38 @@ public class CoreController extends BaseApiController {
 
     @RequestMapping(value = "/exam/student/score", method = RequestMethod.POST)
     @ResponseBody
-    public JSONArray getScore(HttpServletRequest request, @RequestParam(required = false) Integer examId,
+    @RoleRequire({ Role.SCHOOL_ADMIN, Role.SCHOOL_DEV })
+    public JSONArray examStudentScore(HttpServletRequest request, @RequestParam(required = false) Integer examId,
             @RequestParam(required = false) String examCode, @RequestParam(required = false) String examNumber,
             @RequestParam(required = false) String studentCode, @RequestParam(required = false) String subjectCode,
             @RequestParam(required = false) String college, @RequestParam(required = false) String className,
             @RequestParam(required = false) String teacher,
             @RequestParam(required = false, defaultValue = "1") Integer pageNumber,
             @RequestParam(required = false, defaultValue = "100") Integer pageSize) {
+        ApiUser user = RequestUtils.getApiUser(request);
         if (examId == null && examCode == null) {
-            throw ApiException.EXAM_NOT_ACCESSIBLED;
+            throw ApiException.QUERY_PARAM_ERROR.replaceMessage("examId/examCode both unexists");
         }
         Exam exam = examService.findById(examId);
         if (exam == null) {
-            ApiUser user = RequestUtils.getApiUser(request);
             exam = examService.findBySchoolAndCode(user.getSchoolId(), examCode);
         }
-        if (exam == null) {
+        if (exam == null || !exam.getSchoolId().equals(user.getSchoolId())) {
             throw ApiException.EXAM_NOT_ACCESSIBLED;
         }
         JSONArray array = new JSONArray();
         ExamStudentSearchQuery query = new ExamStudentSearchQuery();
         query.setExamId(exam.getId());
-        query.setExamNumber(examNumber);
-        query.setStudentCode(studentCode);
-        query.setSubjectCode(subjectCode);
-        query.setCollege(college);
-        query.setClassName(className);
-        query.setTeacher(teacher);
+        query.setExamNumber(StringUtils.trimToNull(examNumber));
+        query.setStudentCode(StringUtils.trimToNull(studentCode));
+        query.setSubjectCode(StringUtils.trimToNull(subjectCode));
+        query.setCollege(StringUtils.trimToNull(college));
+        query.setClassName(StringUtils.trimToNull(className));
+        query.setTeacher(StringUtils.trimToNull(teacher));
+        query.setPageNumber(Math.max(1, pageNumber));
+        query.setPageSize(Math.min(MAX_QUERY_PAGE_SIZE, pageSize));
         query = studentService.findByQuery(query);
+        DecimalFormat df = new DecimalFormat("####.###");
         for (ExamStudent student : query.getResult()) {
             JSONObject obj = new JSONObject();
             obj.accumulate("examId", exam.getId());
@@ -182,7 +261,6 @@ public class CoreController extends BaseApiController {
             obj.accumulate("subjectName", student.getSubjectName());
             obj.accumulate("paperType", StringUtils.trimToEmpty(student.getPaperType()));
             obj.accumulate("status", getStatus(student));
-            DecimalFormat df = new DecimalFormat("####.###");
             obj.accumulate("totalScore", df.format(student.getTotalScore()));
             obj.accumulate("objectiveScore", df.format(student.getObjectiveScore()));
             obj.accumulate("subjectiveScore", df.format(student.getSubjectiveScore()));
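Review bot: In the `/student/query` hunk the filter `if (minExamTime != null && minExamTime.before(exam.getExamTime()))` skips every student when the optional `minExamTime` is omitted, so if the result object is only added inside that branch (the loop body runs past the hunk) the default call returns an empty array; `if (minExamTime == null || !minExamTime.after(exam.getExamTime())) {` keeps the intended lower bound and also includes exams at exactly that time. The `exam` returned by `examService.findById(student.getExamId())` is dereferenced without a null check, although the `examSave` hunk in this same file guards the same call against `null`; an `if (exam == null) { continue; }` before the date check avoids a NullPointerException on students whose exam no longer exists. In `examStudentScore`, `Math.min(MAX_QUERY_PAGE_SIZE, pageSize)` caps the page size but does not floor it, so a caller-supplied zero or negative `pageSize` reaches the query unless `BaseQuery` clamps it; `query.setPageSize(Math.max(1, Math.min(MAX_QUERY_PAGE_SIZE, pageSize)));` mirrors the `Math.max(1, pageNumber)` on the line above.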