llvy.ltd/casdoor
1
0
Fork 0
mirror of https://github.com/casdoor/casdoor.git synced 2025-07-01 18:40:18 +08:00
Code Issues Packages Projects Releases Wiki Activity

feat: get-user API respects org's account item's view rules now (#3882)

Browse Source
This commit is contained in:
DacongDA
2025-06-16 20:09:21 +08:00
committed by GitHub
parent 12cc0f429e
commit 6dc7b4d533
3 changed files with 121 additions and 41 deletions
Download Patch File Download Diff File Expand all files Collapse all files

10
controllers/user.go
View File

@ -197,8 +197,8 @@ func (c *ApiController) GetUser() {
return
}
var organization *object.Organization
if user != nil {
var organization *object.Organization
organization, err = object.GetOrganizationByUser(user)
if err != nil {
c.ResponseError(err.Error())
@ -237,6 +237,14 @@ func (c *ApiController) GetUser() {
return
}
if organization != nil && user != nil {
user, err = object.GetFilteredUser(user, c.IsAdmin(), c.IsAdminOrSelf(user), organization.AccountItems)
if err != nil {
c.ResponseError(err.Error())
return
}
}
c.ResponseOk(user)
}

56
object/user.go
View File

@ -661,6 +661,62 @@ func GetMaskedUser(user *User, isAdminOrSelf bool, errs ...error) (*User, error)
return user, nil
}
func GetFilteredUser(user *User, isAdmin bool, isAdminOrSelf bool, accountItems []*AccountItem) (*User, error) {
if accountItems == nil || len(accountItems) == 0 {
return user, nil
}
userFieldMap := map[string]int{}
reflectedUserField := reflect.TypeOf(User{})
for i := 0; i < reflectedUserField.NumField(); i++ {
userFieldMap[strings.ToLower(reflectedUserField.Field(i).Name)] = i
}
reflectedUser := reflect.ValueOf(user).Elem()
for _, accountItem := range accountItems {
if accountItem.ViewRule == "Public" {
continue
} else if accountItem.ViewRule == "Self" && isAdminOrSelf {
continue
} else if accountItem.ViewRule == "Admin" && isAdmin {
continue
}
lowerCaseAccountItemName := strings.ToLower(accountItem.Name)
lowerCaseAccountItemName = strings.ReplaceAll(lowerCaseAccountItemName, " ", "")
switch accountItem.Name {
case "Multi-factor authentication":
lowerCaseAccountItemName = strings.ToLower("PreferredMfaType")
case "User type":
lowerCaseAccountItemName = "type"
case "Country/Region":
lowerCaseAccountItemName = "region"
case "ID card info":
{
infoKeys := []string{"idCardWithPerson", "idCardFront", "idCardWithPerson"}
for _, infoKey := range infoKeys {
if _, ok := user.Properties[infoKey]; ok {
user.Properties[infoKey] = ""
}
}
continue
}
}
fieldIdx, ok := userFieldMap[lowerCaseAccountItemName]
if !ok {
continue
}
reflectedUser.Field(fieldIdx).SetZero()
}
return user, nil
}
func GetMaskedUsers(users []*User, errs ...error) ([]*User, error) {
if len(errs) > 0 && errs[0] != nil {
return nil, errs[0]

96
object/user_util.go
View File

@ -263,6 +263,18 @@ func ClearUserOAuthProperties(user *User, providerType string) (bool, error) {
return affected != 0, nil
}
func userVisible(isAdmin bool, item *AccountItem) bool {
if item == nil {
return false
}
if item.ViewRule == "Admin" && !isAdmin {
return false
}
return true
}
func CheckPermissionForUpdateUser(oldUser, newUser *User, isAdmin bool, allowDisplayNameEmpty bool, lang string) (bool, string) {
organization, err := GetOrganizationByUser(oldUser)
if err != nil {
@ -273,7 +285,7 @@ func CheckPermissionForUpdateUser(oldUser, newUser *User, isAdmin bool, allowDis
if oldUser.Owner != newUser.Owner {
item := GetAccountItemByName("Organization", organization)
if item == nil {
if !userVisible(isAdmin, item) {
newUser.Owner = oldUser.Owner
} else {
itemsChanged = append(itemsChanged, item)
@ -281,7 +293,7 @@ func CheckPermissionForUpdateUser(oldUser, newUser *User, isAdmin bool, allowDis
}
if oldUser.Name != newUser.Name {
item := GetAccountItemByName("Name", organization)
if item == nil {
if !userVisible(isAdmin, item) {
newUser.Name = oldUser.Name
} else {
itemsChanged = append(itemsChanged, item)
@ -289,7 +301,7 @@ func CheckPermissionForUpdateUser(oldUser, newUser *User, isAdmin bool, allowDis
}
if oldUser.Id != newUser.Id {
item := GetAccountItemByName("ID", organization)
if item == nil {
if !userVisible(isAdmin, item) {
newUser.Id = oldUser.Id
} else {
itemsChanged = append(itemsChanged, item)
@ -297,7 +309,7 @@ func CheckPermissionForUpdateUser(oldUser, newUser *User, isAdmin bool, allowDis
}
if oldUser.DisplayName != newUser.DisplayName {
item := GetAccountItemByName("Display name", organization)
if item == nil {
if !userVisible(isAdmin, item) {
newUser.DisplayName = oldUser.DisplayName
} else {
if !allowDisplayNameEmpty && newUser.DisplayName == "" {
@ -309,7 +321,7 @@ func CheckPermissionForUpdateUser(oldUser, newUser *User, isAdmin bool, allowDis
}
if oldUser.Avatar != newUser.Avatar {
item := GetAccountItemByName("Avatar", organization)
if item == nil {
if !userVisible(isAdmin, item) {
newUser.Avatar = oldUser.Avatar
} else {
itemsChanged = append(itemsChanged, item)
@ -317,7 +329,7 @@ func CheckPermissionForUpdateUser(oldUser, newUser *User, isAdmin bool, allowDis
}
if oldUser.Type != newUser.Type {
item := GetAccountItemByName("User type", organization)
if item == nil {
if !userVisible(isAdmin, item) {
newUser.Type = oldUser.Type
} else {
itemsChanged = append(itemsChanged, item)
@ -326,7 +338,7 @@ func CheckPermissionForUpdateUser(oldUser, newUser *User, isAdmin bool, allowDis
// The password is *** when not modified
if oldUser.Password != newUser.Password && newUser.Password != "***" {
item := GetAccountItemByName("Password", organization)
if item == nil {
if !userVisible(isAdmin, item) {
newUser.Password = oldUser.Password
} else {
itemsChanged = append(itemsChanged, item)
@ -334,7 +346,7 @@ func CheckPermissionForUpdateUser(oldUser, newUser *User, isAdmin bool, allowDis
}
if oldUser.Email != newUser.Email {
item := GetAccountItemByName("Email", organization)
if item == nil {
if !userVisible(isAdmin, item) {
newUser.Email = oldUser.Email
} else {
itemsChanged = append(itemsChanged, item)
@ -342,7 +354,7 @@ func CheckPermissionForUpdateUser(oldUser, newUser *User, isAdmin bool, allowDis
}
if oldUser.Phone != newUser.Phone {
item := GetAccountItemByName("Phone", organization)
if item == nil {
if !userVisible(isAdmin, item) {
newUser.Phone = oldUser.Phone
} else {
itemsChanged = append(itemsChanged, item)
@ -350,7 +362,7 @@ func CheckPermissionForUpdateUser(oldUser, newUser *User, isAdmin bool, allowDis
}
if oldUser.CountryCode != newUser.CountryCode {
item := GetAccountItemByName("Country code", organization)
if item == nil {
if !userVisible(isAdmin, item) {
newUser.CountryCode = oldUser.CountryCode
} else {
itemsChanged = append(itemsChanged, item)
@ -358,7 +370,7 @@ func CheckPermissionForUpdateUser(oldUser, newUser *User, isAdmin bool, allowDis
}
if oldUser.Region != newUser.Region {
item := GetAccountItemByName("Country/Region", organization)
if item == nil {
if !userVisible(isAdmin, item) {
newUser.Region = oldUser.Region
} else {
itemsChanged = append(itemsChanged, item)
@ -366,7 +378,7 @@ func CheckPermissionForUpdateUser(oldUser, newUser *User, isAdmin bool, allowDis
}
if oldUser.Location != newUser.Location {
item := GetAccountItemByName("Location", organization)
if item == nil {
if !userVisible(isAdmin, item) {
newUser.Location = oldUser.Location
} else {
itemsChanged = append(itemsChanged, item)
@ -374,7 +386,7 @@ func CheckPermissionForUpdateUser(oldUser, newUser *User, isAdmin bool, allowDis
}
if oldUser.Affiliation != newUser.Affiliation {
item := GetAccountItemByName("Affiliation", organization)
if item == nil {
if !userVisible(isAdmin, item) {
newUser.Affiliation = oldUser.Affiliation
} else {
itemsChanged = append(itemsChanged, item)
@ -382,7 +394,7 @@ func CheckPermissionForUpdateUser(oldUser, newUser *User, isAdmin bool, allowDis
}
if oldUser.Title != newUser.Title {
item := GetAccountItemByName("Title", organization)
if item == nil {
if !userVisible(isAdmin, item) {
newUser.Title = oldUser.Title
} else {
itemsChanged = append(itemsChanged, item)
@ -390,7 +402,7 @@ func CheckPermissionForUpdateUser(oldUser, newUser *User, isAdmin bool, allowDis
}
if oldUser.Homepage != newUser.Homepage {
item := GetAccountItemByName("Homepage", organization)
if item == nil {
if !userVisible(isAdmin, item) {
newUser.Homepage = oldUser.Homepage
} else {
itemsChanged = append(itemsChanged, item)
@ -398,7 +410,7 @@ func CheckPermissionForUpdateUser(oldUser, newUser *User, isAdmin bool, allowDis
}
if oldUser.Bio != newUser.Bio {
item := GetAccountItemByName("Bio", organization)
if item == nil {
if !userVisible(isAdmin, item) {
newUser.Bio = oldUser.Bio
} else {
itemsChanged = append(itemsChanged, item)
@ -406,7 +418,7 @@ func CheckPermissionForUpdateUser(oldUser, newUser *User, isAdmin bool, allowDis
}
if oldUser.Tag != newUser.Tag {
item := GetAccountItemByName("Tag", organization)
if item == nil {
if !userVisible(isAdmin, item) {
newUser.Tag = oldUser.Tag
} else {
itemsChanged = append(itemsChanged, item)
@ -414,7 +426,7 @@ func CheckPermissionForUpdateUser(oldUser, newUser *User, isAdmin bool, allowDis
}
if oldUser.SignupApplication != newUser.SignupApplication {
item := GetAccountItemByName("Signup application", organization)
if item == nil {
if !userVisible(isAdmin, item) {
newUser.SignupApplication = oldUser.SignupApplication
} else {
itemsChanged = append(itemsChanged, item)
@ -423,7 +435,7 @@ func CheckPermissionForUpdateUser(oldUser, newUser *User, isAdmin bool, allowDis
if oldUser.Gender != newUser.Gender {
item := GetAccountItemByName("Gender", organization)
if item == nil {
if !userVisible(isAdmin, item) {
newUser.Gender = oldUser.Gender
} else {
itemsChanged = append(itemsChanged, item)
@ -432,7 +444,7 @@ func CheckPermissionForUpdateUser(oldUser, newUser *User, isAdmin bool, allowDis
if oldUser.Birthday != newUser.Birthday {
item := GetAccountItemByName("Birthday", organization)
if item == nil {
if !userVisible(isAdmin, item) {
newUser.Birthday = oldUser.Birthday
} else {
itemsChanged = append(itemsChanged, item)
@ -441,7 +453,7 @@ func CheckPermissionForUpdateUser(oldUser, newUser *User, isAdmin bool, allowDis
if oldUser.Education != newUser.Education {
item := GetAccountItemByName("Education", organization)
if item == nil {
if !userVisible(isAdmin, item) {
newUser.Education = oldUser.Education
} else {
itemsChanged = append(itemsChanged, item)
@ -450,7 +462,7 @@ func CheckPermissionForUpdateUser(oldUser, newUser *User, isAdmin bool, allowDis
if oldUser.IdCard != newUser.IdCard {
item := GetAccountItemByName("ID card", organization)
if item == nil {
if !userVisible(isAdmin, item) {
newUser.IdCard = oldUser.IdCard
} else {
itemsChanged = append(itemsChanged, item)
@ -459,7 +471,7 @@ func CheckPermissionForUpdateUser(oldUser, newUser *User, isAdmin bool, allowDis
if oldUser.IdCardType != newUser.IdCardType {
item := GetAccountItemByName("ID card type", organization)
if item == nil {
if !userVisible(isAdmin, item) {
newUser.IdCardType = oldUser.IdCardType
} else {
itemsChanged = append(itemsChanged, item)
@ -467,10 +479,13 @@ func CheckPermissionForUpdateUser(oldUser, newUser *User, isAdmin bool, allowDis
}
oldUserPropertiesJson, _ := json.Marshal(oldUser.Properties)
if newUser.Properties == nil {
newUser.Properties = make(map[string]string)
}
newUserPropertiesJson, _ := json.Marshal(newUser.Properties)
if string(oldUserPropertiesJson) != string(newUserPropertiesJson) {
item := GetAccountItemByName("Properties", organization)
if item == nil {
if !userVisible(isAdmin, item) {
newUser.Properties = oldUser.Properties
} else {
itemsChanged = append(itemsChanged, item)
@ -479,7 +494,7 @@ func CheckPermissionForUpdateUser(oldUser, newUser *User, isAdmin bool, allowDis
if oldUser.PreferredMfaType != newUser.PreferredMfaType {
item := GetAccountItemByName("Multi-factor authentication", organization)
if item == nil {
if !userVisible(isAdmin, item) {
newUser.PreferredMfaType = oldUser.PreferredMfaType
} else {
itemsChanged = append(itemsChanged, item)
@ -490,13 +505,14 @@ func CheckPermissionForUpdateUser(oldUser, newUser *User, isAdmin bool, allowDis
oldUser.Groups = []string{}
}
oldUserGroupsJson, _ := json.Marshal(oldUser.Groups)
if newUser.Groups == nil {
newUser.Groups = []string{}
}
newUserGroupsJson, _ := json.Marshal(newUser.Groups)
if string(oldUserGroupsJson) != string(newUserGroupsJson) {
item := GetAccountItemByName("Groups", organization)
if item == nil {
if !userVisible(isAdmin, item) {
newUser.Groups = oldUser.Groups
} else {
itemsChanged = append(itemsChanged, item)
@ -514,7 +530,7 @@ func CheckPermissionForUpdateUser(oldUser, newUser *User, isAdmin bool, allowDis
newUserAddressJson, _ := json.Marshal(newUser.Address)
if string(oldUserAddressJson) != string(newUserAddressJson) {
item := GetAccountItemByName("Address", organization)
if item == nil {
if !userVisible(isAdmin, item) {
newUser.Address = oldUser.Address
} else {
itemsChanged = append(itemsChanged, item)
@ -523,7 +539,7 @@ func CheckPermissionForUpdateUser(oldUser, newUser *User, isAdmin bool, allowDis
if newUser.FaceIds != nil {
item := GetAccountItemByName("Face ID", organization)
if item == nil {
if !userVisible(isAdmin, item) {
newUser.FaceIds = oldUser.FaceIds
} else {
itemsChanged = append(itemsChanged, item)
@ -532,7 +548,7 @@ func CheckPermissionForUpdateUser(oldUser, newUser *User, isAdmin bool, allowDis
if oldUser.IsAdmin != newUser.IsAdmin {
item := GetAccountItemByName("Is admin", organization)
if item == nil {
if !userVisible(isAdmin, item) {
newUser.IsAdmin = oldUser.IsAdmin
} else {
itemsChanged = append(itemsChanged, item)
@ -541,7 +557,7 @@ func CheckPermissionForUpdateUser(oldUser, newUser *User, isAdmin bool, allowDis
if oldUser.IsForbidden != newUser.IsForbidden {
item := GetAccountItemByName("Is forbidden", organization)
if item == nil {
if !userVisible(isAdmin, item) {
newUser.IsForbidden = oldUser.IsForbidden
} else {
itemsChanged = append(itemsChanged, item)
@ -549,7 +565,7 @@ func CheckPermissionForUpdateUser(oldUser, newUser *User, isAdmin bool, allowDis
}
if oldUser.IsDeleted != newUser.IsDeleted {
item := GetAccountItemByName("Is deleted", organization)
if item == nil {
if !userVisible(isAdmin, item) {
newUser.IsDeleted = oldUser.IsDeleted
} else {
itemsChanged = append(itemsChanged, item)
@ -557,7 +573,7 @@ func CheckPermissionForUpdateUser(oldUser, newUser *User, isAdmin bool, allowDis
}
if oldUser.NeedUpdatePassword != newUser.NeedUpdatePassword {
item := GetAccountItemByName("Need update password", organization)
if item == nil {
if !userVisible(isAdmin, item) {
newUser.NeedUpdatePassword = oldUser.NeedUpdatePassword
} else {
itemsChanged = append(itemsChanged, item)
@ -565,7 +581,7 @@ func CheckPermissionForUpdateUser(oldUser, newUser *User, isAdmin bool, allowDis
}
if oldUser.IpWhitelist != newUser.IpWhitelist {
item := GetAccountItemByName("IP whitelist", organization)
if item == nil {
if !userVisible(isAdmin, item) {
newUser.IpWhitelist = oldUser.IpWhitelist
} else {
itemsChanged = append(itemsChanged, item)
@ -574,7 +590,7 @@ func CheckPermissionForUpdateUser(oldUser, newUser *User, isAdmin bool, allowDis
if oldUser.Balance != newUser.Balance {
item := GetAccountItemByName("Balance", organization)
if item == nil {
if !userVisible(isAdmin, item) {
newUser.Balance = oldUser.Balance
} else {
itemsChanged = append(itemsChanged, item)
@ -583,7 +599,7 @@ func CheckPermissionForUpdateUser(oldUser, newUser *User, isAdmin bool, allowDis
if oldUser.Score != newUser.Score {
item := GetAccountItemByName("Score", organization)
if item == nil {
if !userVisible(isAdmin, item) {
newUser.Score = oldUser.Score
} else {
itemsChanged = append(itemsChanged, item)
@ -592,7 +608,7 @@ func CheckPermissionForUpdateUser(oldUser, newUser *User, isAdmin bool, allowDis
if oldUser.Karma != newUser.Karma {
item := GetAccountItemByName("Karma", organization)
if item == nil {
if !userVisible(isAdmin, item) {
newUser.Karma = oldUser.Karma
} else {
itemsChanged = append(itemsChanged, item)
@ -601,7 +617,7 @@ func CheckPermissionForUpdateUser(oldUser, newUser *User, isAdmin bool, allowDis
if oldUser.Language != newUser.Language {
item := GetAccountItemByName("Language", organization)
if item == nil {
if !userVisible(isAdmin, item) {
newUser.Language = oldUser.Language
} else {
itemsChanged = append(itemsChanged, item)
@ -610,7 +626,7 @@ func CheckPermissionForUpdateUser(oldUser, newUser *User, isAdmin bool, allowDis
if oldUser.Ranking != newUser.Ranking {
item := GetAccountItemByName("Ranking", organization)
if item == nil {
if !userVisible(isAdmin, item) {
newUser.Ranking = oldUser.Ranking
} else {
itemsChanged = append(itemsChanged, item)
@ -619,7 +635,7 @@ func CheckPermissionForUpdateUser(oldUser, newUser *User, isAdmin bool, allowDis
if oldUser.Currency != newUser.Currency {
item := GetAccountItemByName("Currency", organization)
if item == nil {
if !userVisible(isAdmin, item) {
newUser.Currency = oldUser.Currency
} else {
itemsChanged = append(itemsChanged, item)
@ -628,7 +644,7 @@ func CheckPermissionForUpdateUser(oldUser, newUser *User, isAdmin bool, allowDis
if oldUser.Hash != newUser.Hash {
item := GetAccountItemByName("Hash", organization)
if item == nil {
if !userVisible(isAdmin, item) {
newUser.Hash = oldUser.Hash
} else {
itemsChanged = append(itemsChanged, item)