Show access secret if isAdminOrSelf is true in get-user and get-account APIs

This commit is contained in:
Yang Luo
2023-07-19 19:14:53 +08:00
parent 5c441d195c
commit 38f031bc86
5 changed files with 26 additions and 7 deletions


@ -380,7 +380,8 @@ func (c *ApiController) GetAccount() {
return return
} }
u, err := object.GetMaskedUser(user) isAdminOrSelf := c.IsAdminOrSelf(user)
u, err := object.GetMaskedUser(user, isAdminOrSelf)
if err != nil { if err != nil {
c.ResponseError(err.Error()) c.ResponseError(err.Error())
return return


@ -55,6 +55,18 @@ func (c *ApiController) IsAdmin() bool {
return isGlobalAdmin || user.IsAdmin return isGlobalAdmin || user.IsAdmin
} }
func (c *ApiController) IsAdminOrSelf(user2 *object.User) bool {
isGlobalAdmin, user := c.isGlobalAdmin()
if isGlobalAdmin || (user != nil && user.IsAdmin) {
return true
}
if user.Owner == user2.Owner && user.Name == user2.Name {
return true
}
return false
}
func (c *ApiController) isGlobalAdmin() (bool, *object.User) { func (c *ApiController) isGlobalAdmin() (bool, *object.User) {
username := c.GetSessionUsername() username := c.GetSessionUsername()
if strings.HasPrefix(username, "app/") { if strings.HasPrefix(username, "app/") {
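Review bot: `IsAdminOrSelf` dereferences `user` on the self check even though the admin check directly above guarded it with `user != nil`, so any session for which `isGlobalAdmin()` yields a nil user (its return paths are outside this hunk) would panic at `user.Owner` instead of being denied, and `user2` is dereferenced unchecked as well. Add a guard before the self comparison: `if user == nil || user2 == nil { return false }`. Note also that the admin branch grants access for any `user.IsAdmin` without comparing it to `user2.Owner`, mirroring the existing `IsAdmin`, so an organization admin would be shown the access secrets of users in other organizations unless the calling endpoints already scope lookups by organization, which is not visible here.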


@ -208,7 +208,8 @@ func (c *ApiController) GetUser() {
return return
} }
maskedUser, err := object.GetMaskedUser(user) isAdminOrSelf := c.IsAdminOrSelf(user)
maskedUser, err := object.GetMaskedUser(user, isAdminOrSelf)
if err != nil { if err != nil {
c.ResponseError(err.Error()) c.ResponseError(err.Error())
return return


@ -161,7 +161,8 @@ func SendWebhooks(record *Record) error {
if matched { if matched {
if webhook.IsUserExtended { if webhook.IsUserExtended {
user, err := GetMaskedUser(getUser(record.Organization, record.User)) user, err := getUser(record.Organization, record.User)
user, err = GetMaskedUser(user, false, err)
if err != nil { if err != nil {
return err return err
} }


@ -418,7 +418,7 @@ func GetUserNoCheck(id string) (*User, error) {
return getUser(owner, name) return getUser(owner, name)
} }
func GetMaskedUser(user *User, errs ...error) (*User, error) { func GetMaskedUser(user *User, isAdminOrSelf bool, errs ...error) (*User, error) {
if len(errs) > 0 && errs[0] != nil { if len(errs) > 0 && errs[0] != nil {
return nil, errs[0] return nil, errs[0]
} }
@ -430,9 +430,13 @@ func GetMaskedUser(user *User, errs ...error) (*User, error) {
if user.Password != "" { if user.Password != "" {
user.Password = "***" user.Password = "***"
} }
if user.AccessSecret != "" {
user.AccessSecret = "***" if !isAdminOrSelf {
if user.AccessSecret != "" {
user.AccessSecret = "***"
}
} }
if user.ManagedAccounts != nil { if user.ManagedAccounts != nil {
for _, manageAccount := range user.ManagedAccounts { for _, manageAccount := range user.ManagedAccounts {
manageAccount.Password = "***" manageAccount.Password = "***"
@ -456,7 +460,7 @@ func GetMaskedUsers(users []*User, errs ...error) ([]*User, error) {
var err error var err error
for _, user := range users { for _, user := range users {
user, err = GetMaskedUser(user) user, err = GetMaskedUser(user, false)
if err != nil { if err != nil {
return nil, err return nil, err
} }
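Review bot: The new `isAdminOrSelf` parameter decides whether `AccessSecret` is returned in cleartext, but `GetMaskedUser` carries no doc comment stating that contract, and a bare bool at the call site does not convey that passing `true` is an authorization decision. I would add above the signature: `// GetMaskedUser replaces user's Password and the Password of each ManagedAccounts entry with "***" on the passed pointer. AccessSecret is masked unless isAdminOrSelf is true; pass true only after the requester has been authorized for this user (see ApiController.IsAdminOrSelf).` The `GetMaskedUsers` call at the end of the hunk keeps list responses masked with `false`, which is the right default; the rest of that function is outside the hunk.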