fix: validate parameter and nil in func updateUser (#1714)

* fix: validate parameter and nil in func updateUser

* fix: delete blank line

controllers/user.go

@@ -138,10 +138,6 @@ func (c *ApiController) UpdateUser() {
 	id := c.Input().Get("id")
 	columnsStr := c.Input().Get("columns")
 
-	if id == "" {
-		id = c.GetSessionUsername()
-	}
-
 	var user object.User
 	err := json.Unmarshal(c.Ctx.Input.RequestBody, &user)
 	if err != nil {
@@ -149,10 +145,27 @@ func (c *ApiController) UpdateUser() {
 		return
 	}
 
-	if msg := object.CheckUpdateUser(object.GetUser(id), &user, c.GetAcceptLanguage()); msg != "" {
+	if id == "" {
+		id = c.GetSessionUsername()
+		if id == "" {
+			c.ResponseError(c.T("general:Missing parameter"))
+			return
+		}
+	}
+	oldUser := object.GetUser(id)
+	if oldUser == nil {
+		c.ResponseError(fmt.Sprintf(c.T("general:The user: %s doesn't exist"), id))
+		return
+	}
+
+	if msg := object.CheckUpdateUser(oldUser, &user, c.GetAcceptLanguage()); msg != "" {
 		c.ResponseError(msg)
 		return
 	}
+	if pass, err := checkPermissionForUpdateUser(oldUser, &user, c); !pass {
+		c.ResponseError(err)
+		return
+	}
 
 	columns := []string{}
 	if columnsStr != "" {
@@ -161,11 +174,6 @@ func (c *ApiController) UpdateUser() {
 
 	isGlobalAdmin := c.IsGlobalAdmin()
 
-	if pass, err := checkPermissionForUpdateUser(id, user, c); !pass {
-		c.ResponseError(err)
-		return
-	}
-
 	affected := object.UpdateUser(id, &user, columns, isGlobalAdmin)
 	if affected {
 		object.UpdateUserToOriginalDatabase(&user)

controllers/user_util.go

@@ -20,8 +20,7 @@ import (
 	"github.com/casdoor/casdoor/object"
 )
 
-func checkPermissionForUpdateUser(userId string, newUser object.User, c *ApiController) (bool, string) {
-	oldUser := object.GetUser(userId)
+func checkPermissionForUpdateUser(oldUser, newUser *object.User, c *ApiController) (bool, string) {
 	organization := object.GetOrganizationByUser(oldUser)
 	var itemsChanged []*object.AccountItem