feat: fix the issue of jumping back to the login page after resetting password (#1288)

* fix: redirect to login page

* fix: front end router

* fix: front end router

* fix: signup page router

* fix: redirect to login page

.github/workflows/build.yml

@@ -125,26 +125,36 @@ jobs:
               
           fi
 
+      - name: Set up QEMU
+        uses: docker/setup-qemu-action@v2
+
+      - name: Set up buildx
+        id: buildx
+        uses: docker/setup-buildx-action@v2
+        with:
+          version: latest
+
       - name: Log in to Docker Hub
         uses: docker/login-action@v1
-        if: github.repository == 'casdoor/casdoor' && github.event_name == 'push' &&steps.should_push.outputs.push=='true'
+        if: github.repository == 'casdoor/casdoor' && github.event_name == 'push' && steps.should_push.outputs.push=='true'
         with:
           username: ${{ secrets.DOCKERHUB_USERNAME }}
           password: ${{ secrets.DOCKERHUB_PASSWORD }}
 
-
       - name: Push to Docker Hub
-        uses: docker/build-push-action@v2
+        uses: docker/build-push-action@v3
         if: github.repository == 'casdoor/casdoor' && github.event_name == 'push' && steps.should_push.outputs.push=='true'
         with:
           target: STANDARD
+          platforms: linux/amd64,linux/arm64
           push: true
           tags: casbin/casdoor:${{steps.get-current-tag.outputs.tag }},casbin/casdoor:latest
 
       - name: Push All In One Version to Docker Hub
-        uses: docker/build-push-action@v2
+        uses: docker/build-push-action@v3
         if: github.repository == 'casdoor/casdoor' && github.event_name == 'push' && steps.should_push.outputs.push=='true'
         with:
           target: ALLINONE
+          platforms: linux/amd64,linux/arm64
           push: true
           tags: casbin/casdoor-all-in-one:${{steps.get-current-tag.outputs.tag }},casbin/casdoor-all-in-one:latest

.gitignore

@@ -27,3 +27,6 @@ logs/
 files/
 lastupdate.tmp
 commentsRouter*.go
+
+# ignore build result
+casdoor

Dockerfile

@@ -2,7 +2,7 @@ FROM node:16.13.0 AS FRONT
 WORKDIR /web
 COPY ./web .
 RUN yarn config set registry https://registry.npmmirror.com
-RUN yarn install && yarn run build
+RUN yarn install --frozen-lockfile --network-timeout 1000000 && yarn run build
 
 
 FROM golang:1.17.5 AS BACK
@@ -13,16 +13,29 @@ RUN ./build.sh
 
 FROM alpine:latest AS STANDARD
 LABEL MAINTAINER="https://casdoor.org/"
+ARG USER=casdoor
+ARG TARGETOS
+ARG TARGETARCH
+ENV BUILDX_ARCH="${TARGETOS:-linux}_${TARGETARCH:-amd64}"
 
 RUN sed -i 's/https/http/' /etc/apk/repositories
+RUN apk add --update sudo
 RUN apk add curl
 RUN apk add ca-certificates && update-ca-certificates
 
+RUN adduser -D $USER -u 1000 \
+    && echo "$USER ALL=(ALL) NOPASSWD: ALL" > /etc/sudoers.d/$USER \
+    && chmod 0440 /etc/sudoers.d/$USER \
+    && mkdir logs \
+    && chown -R $USER:$USER logs
+
+USER 1000
 WORKDIR /
-COPY --from=BACK /go/src/casdoor/server ./server
-COPY --from=BACK /go/src/casdoor/swagger ./swagger
-COPY --from=BACK /go/src/casdoor/conf/app.conf ./conf/app.conf
-COPY --from=FRONT /web/build ./web/build
+COPY --from=BACK --chown=$USER:$USER /go/src/casdoor/server_${BUILDX_ARCH} ./server
+COPY --from=BACK --chown=$USER:$USER /go/src/casdoor/swagger ./swagger
+COPY --from=BACK --chown=$USER:$USER /go/src/casdoor/conf/app.conf ./conf/app.conf
+COPY --from=FRONT --chown=$USER:$USER /web/build ./web/build
+
 ENTRYPOINT ["/server"]
 
 
@@ -36,12 +49,15 @@ RUN apt update \
 
 FROM db AS ALLINONE
 LABEL MAINTAINER="https://casdoor.org/"
+ARG TARGETOS
+ARG TARGETARCH
+ENV BUILDX_ARCH="${TARGETOS:-linux}_${TARGETARCH:-amd64}"
 
 RUN apt update
 RUN apt install -y ca-certificates && update-ca-certificates
 
 WORKDIR /
-COPY --from=BACK /go/src/casdoor/server ./server
+COPY --from=BACK /go/src/casdoor/server_${BUILDX_ARCH} ./server
 COPY --from=BACK /go/src/casdoor/swagger ./swagger
 COPY --from=BACK /go/src/casdoor/docker-entrypoint.sh /docker-entrypoint.sh
 COPY --from=BACK /go/src/casdoor/conf/app.conf ./conf/app.conf

README.md

@@ -51,7 +51,7 @@
 ## Documentation
 
 - International: https://casdoor.org
-- Asian mirror: https://docs.casdoor.cn
+- Asian mirror: https://casdoor.cn
 
 ## Install
 
@@ -69,7 +69,7 @@ https://casdoor.org/docs/how-to-connect/overview
 
 ## Integrations
 
-https://casdoor.org/docs/integration/apisix
+https://casdoor.org/docs/category/integrations
 
 ## How to contact?
 

SECURITY.md

@@ -0,0 +1,9 @@
+# Security Policy
+
+## Reporting a Vulnerability
+
+We are grateful for security researchers and users reporting a vulnerability to us first. To ensure that your request is handled in a timely manner and we can keep users safe, please follow the below guidelines.
+
+- **Please do not report security vulnerabilities directly on GitHub.**
+
+- To report a vulnerability, please email [admin@casdoor.org](admin@casdoor.org).

authz/authz.go

@@ -15,12 +15,14 @@
 package authz
 
 import (
+	"fmt"
 	"strings"
 
 	"github.com/casbin/casbin/v2"
 	"github.com/casbin/casbin/v2/model"
 	xormadapter "github.com/casbin/xorm-adapter/v3"
 	"github.com/casdoor/casdoor/conf"
+	"github.com/casdoor/casdoor/object"
 	stringadapter "github.com/qiangmzsx/string-adapter/v2"
 )
 
@@ -138,6 +140,12 @@ func IsAllowed(subOwner string, subName string, method string, urlPath string, o
 		}
 	}
 
+	userId := fmt.Sprintf("%s/%s", subOwner, subName)
+	user := object.GetUser(userId)
+	if user != nil && user.IsAdmin && (subOwner == objOwner || (objOwner == "admin" && subOwner == objName)) {
+		return true
+	}
+
 	res, err := Enforcer.Enforce(subOwner, subName, method, urlPath, objOwner, objName)
 	if err != nil {
 		panic(err)

build.sh

@@ -8,4 +8,5 @@ else
     echo "Google is blocked, Go proxy is enabled: GOPROXY=https://goproxy.cn,direct"
     export GOPROXY="https://goproxy.cn,direct"
 fi
-CGO_ENABLED=0 GOOS=linux GOARCH=amd64 go build -ldflags="-w -s" -o server .
+CGO_ENABLED=0 GOOS=linux GOARCH=amd64 go build -ldflags="-w -s" -o server_linux_amd64 .
+CGO_ENABLED=0 GOOS=linux GOARCH=arm64 go build -ldflags="-w -s" -o server_linux_arm64 .

captcha/provider.go

@@ -14,6 +14,8 @@
 
 package captcha
 
+import "fmt"
+
 type CaptchaProvider interface {
 	VerifyCaptcha(token, clientSecret string) (bool, error)
 }
@@ -32,3 +34,12 @@ func GetCaptchaProvider(captchaType string) CaptchaProvider {
 	}
 	return nil
 }
+
+func VerifyCaptchaByCaptchaType(captchaType, token, clientSecret string) (bool, error) {
+	provider := GetCaptchaProvider(captchaType)
+	if provider == nil {
+		return false, fmt.Errorf("invalid captcha provider: %s", captchaType)
+	}
+
+	return provider.VerifyCaptcha(token, clientSecret)
+}

conf/app.conf

@@ -20,3 +20,4 @@ staticBaseUrl = "https://cdn.casbin.org"
 isDemoMode = false
 batchSize = 100
 ldapServerPort = 389
+languages = en,zh,es,fr,de,ja,ko,ru

controllers/account.go

@@ -64,6 +64,10 @@ type RequestForm struct {
 	RelayState   string `json:"relayState"`
 	SamlRequest  string `json:"samlRequest"`
 	SamlResponse string `json:"samlResponse"`
+
+	CaptchaType  string `json:"captchaType"`
+	CaptchaToken string `json:"captchaToken"`
+	ClientSecret string `json:"clientSecret"`
 }
 
 type Response struct {
@@ -98,7 +102,7 @@ type Captcha struct {
 // @router /signup [post]
 func (c *ApiController) Signup() {
 	if c.GetSessionUsername() != "" {
-		c.ResponseError("Please sign out first before signing up", c.GetSessionUsername())
+		c.ResponseError(c.T("SignUpErr.SignOutFirst"), c.GetSessionUsername())
 		return
 	}
 
@@ -111,21 +115,21 @@ func (c *ApiController) Signup() {
 
 	application := object.GetApplication(fmt.Sprintf("admin/%s", form.Application))
 	if !application.EnableSignUp {
-		c.ResponseError("The application does not allow to sign up new account")
+		c.ResponseError(c.T("SignUpErr.DoNotAllowSignUp"))
 		return
 	}
 
 	organization := object.GetOrganization(fmt.Sprintf("%s/%s", "admin", form.Organization))
-	msg := object.CheckUserSignup(application, organization, form.Username, form.Password, form.Name, form.FirstName, form.LastName, form.Email, form.Phone, form.Affiliation)
+	msg := object.CheckUserSignup(application, organization, form.Username, form.Password, form.Name, form.FirstName, form.LastName, form.Email, form.Phone, form.Affiliation, c.GetAcceptLanguage())
 	if msg != "" {
 		c.ResponseError(msg)
 		return
 	}
 
 	if application.IsSignupItemVisible("Email") && application.GetSignupItemRule("Email") != "No verification" && form.Email != "" {
-		checkResult := object.CheckVerificationCode(form.Email, form.EmailCode)
+		checkResult := object.CheckVerificationCode(form.Email, form.EmailCode, c.GetAcceptLanguage())
 		if len(checkResult) != 0 {
-			c.ResponseError(fmt.Sprintf("Email: %s", checkResult))
+			c.ResponseError(c.T("EmailErr.EmailCheckResult"), checkResult)
 			return
 		}
 	}
@@ -133,9 +137,9 @@ func (c *ApiController) Signup() {
 	var checkPhone string
 	if application.IsSignupItemVisible("Phone") && form.Phone != "" {
 		checkPhone = fmt.Sprintf("+%s%s", form.PhonePrefix, form.Phone)
-		checkResult := object.CheckVerificationCode(checkPhone, form.PhoneCode)
+		checkResult := object.CheckVerificationCode(checkPhone, form.PhoneCode, c.GetAcceptLanguage())
 		if len(checkResult) != 0 {
-			c.ResponseError(fmt.Sprintf("Phone: %s", checkResult))
+			c.ResponseError(c.T("PhoneErr.PhoneCheckResult"), checkResult)
 			return
 		}
 	}
@@ -159,7 +163,7 @@ func (c *ApiController) Signup() {
 
 	initScore, err := getInitScore()
 	if err != nil {
-		c.ResponseError(fmt.Errorf("get init score failed, error: %w", err).Error())
+		c.ResponseError(fmt.Errorf(c.T("InitErr.InitScoreFailed"), err).Error())
 		return
 	}
 
@@ -205,7 +209,7 @@ func (c *ApiController) Signup() {
 
 	affected := object.AddUser(user)
 	if !affected {
-		c.ResponseError(fmt.Sprintf("Failed to create user, user information is invalid: %s", util.StructToJson(user)))
+		c.ResponseError(c.T("UserErr.InvalidInformation"), util.StructToJson(user))
 		return
 	}
 
@@ -241,8 +245,7 @@ func (c *ApiController) Logout() {
 	util.LogInfo(c.Ctx, "API: [%s] logged out", user)
 
 	application := c.GetSessionApplication()
-	c.SetSessionUsername("")
-	c.SetSessionData(nil)
+	c.ClearUserSession()
 
 	if application == nil || application.Name == "app-built-in" || application.HomepageUrl == "" {
 		c.ResponseOk(user)
@@ -309,7 +312,7 @@ func (c *ApiController) GetCaptcha() {
 	applicationId := c.Input().Get("applicationId")
 	isCurrentProvider := c.Input().Get("isCurrentProvider")
 
-	captchaProvider, err := object.GetCaptchaProviderByApplication(applicationId, isCurrentProvider)
+	captchaProvider, err := object.GetCaptchaProviderByApplication(applicationId, isCurrentProvider, c.GetAcceptLanguage())
 	if err != nil {
 		c.ResponseError(err.Error())
 		return

controllers/application.go

@@ -86,7 +86,7 @@ func (c *ApiController) GetUserApplication() {
 	id := c.Input().Get("id")
 	user := object.GetUser(id)
 	if user == nil {
-		c.ResponseError(fmt.Sprintf("The user: %s doesn't exist", id))
+		c.ResponseError(fmt.Sprintf(c.T("UserErr.DoNotExist"), id))
 		return
 	}
 
@@ -107,7 +107,7 @@ func (c *ApiController) GetOrganizationApplications() {
 	organization := c.Input().Get("organization")
 
 	if organization == "" {
-		c.ResponseError("Parameter organization is missing")
+		c.ResponseError(c.T("ParameterErr.OrgMissingErr"))
 		return
 	}
 

controllers/auth.go

@@ -23,6 +23,8 @@ import (
 	"strings"
 	"time"
 
+	"github.com/casdoor/casdoor/captcha"
+
 	"github.com/casdoor/casdoor/conf"
 	"github.com/casdoor/casdoor/idp"
 	"github.com/casdoor/casdoor/object"
@@ -56,7 +58,7 @@ func (c *ApiController) HandleLoggedIn(application *object.Application, user *ob
 		return
 	}
 	if !allowed {
-		c.ResponseError("Unauthorized operation")
+		c.ResponseError(c.T("AuthErr.Unauthorized"))
 		return
 	}
 
@@ -75,10 +77,10 @@ func (c *ApiController) HandleLoggedIn(application *object.Application, user *ob
 		codeChallenge := c.Input().Get("code_challenge")
 
 		if challengeMethod != "S256" && challengeMethod != "null" && challengeMethod != "" {
-			c.ResponseError("Challenge method should be S256")
+			c.ResponseError(c.T("AuthErr.ChallengeMethodErr"))
 			return
 		}
-		code := object.GetOAuthCode(userId, clientId, responseType, redirectUri, scope, state, nonce, codeChallenge, c.Ctx.Request.Host)
+		code := object.GetOAuthCode(userId, clientId, responseType, redirectUri, scope, state, nonce, codeChallenge, c.Ctx.Request.Host, c.GetAcceptLanguage())
 		resp = codeToResponse(code)
 
 		if application.EnableSigninSession || application.HasPromptPage() {
@@ -151,7 +153,7 @@ func (c *ApiController) GetApplicationLogin() {
 	scope := c.Input().Get("scope")
 	state := c.Input().Get("state")
 
-	msg, application := object.CheckOAuthLogin(clientId, responseType, redirectUri, scope, state)
+	msg, application := object.CheckOAuthLogin(clientId, responseType, redirectUri, scope, state, c.GetAcceptLanguage())
 	application = object.GetMaskedApplication(application, "")
 	if msg != "" {
 		c.ResponseError(msg, application)
@@ -196,7 +198,7 @@ func (c *ApiController) Login() {
 	if form.Username != "" {
 		if form.Type == ResponseTypeLogin {
 			if c.GetSessionUsername() != "" {
-				c.ResponseError("Please sign out first before signing in", c.GetSessionUsername())
+				c.ResponseError(c.T("LoginErr.SignOutFirst"), c.GetSessionUsername())
 				return
 			}
 		}
@@ -218,11 +220,11 @@ func (c *ApiController) Login() {
 				if user != nil && util.GetMaskedEmail(user.Email) == form.Username {
 					form.Username = user.Email
 				}
-				checkResult = object.CheckVerificationCode(form.Username, form.Code)
+				checkResult = object.CheckVerificationCode(form.Username, form.Code, c.GetAcceptLanguage())
 			} else {
 				verificationCodeType = "phone"
 				if len(form.PhonePrefix) == 0 {
-					responseText := fmt.Sprintf("%s%s", verificationCodeType, "No phone prefix")
+					responseText := fmt.Sprintf(c.T("PhoneErr.NoPrefix"), verificationCodeType)
 					c.ResponseError(responseText)
 					return
 				}
@@ -230,7 +232,7 @@ func (c *ApiController) Login() {
 					form.Username = user.Phone
 				}
 				checkPhone := fmt.Sprintf("+%s%s", form.PhonePrefix, form.Username)
-				checkResult = object.CheckVerificationCode(checkPhone, form.Code)
+				checkResult = object.CheckVerificationCode(checkPhone, form.Code, c.GetAcceptLanguage())
 			}
 			if len(checkResult) != 0 {
 				responseText := fmt.Sprintf("%s%s", verificationCodeType, checkResult)
@@ -247,12 +249,31 @@ func (c *ApiController) Login() {
 
 			user = object.GetUserByFields(form.Organization, form.Username)
 			if user == nil {
-				c.ResponseError(fmt.Sprintf("The user: %s/%s doesn't exist", form.Organization, form.Username))
+				c.ResponseError(fmt.Sprintf(c.T("LoginErr.UserDoNotExist"), form.Organization, form.Username))
 				return
 			}
 		} else {
+			application := object.GetApplication(fmt.Sprintf("admin/%s", form.Application))
+			if application == nil {
+				c.ResponseError(fmt.Sprintf("The application: %s does not exist", form.Application))
+				return
+			}
+
+			if object.CheckToEnableCaptcha(application) {
+				isHuman, err := captcha.VerifyCaptchaByCaptchaType(form.CaptchaType, form.CaptchaToken, form.ClientSecret)
+				if err != nil {
+					c.ResponseError(err.Error())
+					return
+				}
+
+				if !isHuman {
+					c.ResponseError("Turing test failed.")
+					return
+				}
+			}
+
 			password := form.Password
-			user, msg = object.CheckUserPassword(form.Organization, form.Username, password)
+			user, msg = object.CheckUserPassword(form.Organization, form.Username, password, c.GetAcceptLanguage())
 		}
 
 		if msg != "" {
@@ -260,7 +281,7 @@ func (c *ApiController) Login() {
 		} else {
 			application := object.GetApplication(fmt.Sprintf("admin/%s", form.Application))
 			if application == nil {
-				c.ResponseError(fmt.Sprintf("The application: %s does not exist", form.Application))
+				c.ResponseError(fmt.Sprintf(c.T("LoginErr.AppDoNotExist"), form.Application))
 				return
 			}
 
@@ -274,7 +295,7 @@ func (c *ApiController) Login() {
 	} else if form.Provider != "" {
 		application := object.GetApplication(fmt.Sprintf("admin/%s", form.Application))
 		if application == nil {
-			c.ResponseError(fmt.Sprintf("The application: %s does not exist", form.Application))
+			c.ResponseError(fmt.Sprintf(c.T("LoginErr.AppDoNotExist"), form.Application))
 			return
 		}
 
@@ -282,7 +303,7 @@ func (c *ApiController) Login() {
 		provider := object.GetProvider(fmt.Sprintf("admin/%s", form.Provider))
 		providerItem := application.GetProviderItem(provider.Name)
 		if !providerItem.IsProviderVisible() {
-			c.ResponseError(fmt.Sprintf("The provider: %s is not enabled for the application", provider.Name))
+			c.ResponseError(fmt.Sprintf(c.T("ProviderErr.ProviderNotEnabled"), provider.Name))
 			return
 		}
 
@@ -306,14 +327,14 @@ func (c *ApiController) Login() {
 
 			idProvider := idp.GetIdProvider(provider.Type, provider.SubType, clientId, clientSecret, provider.AppId, form.RedirectUri, provider.Domain, provider.CustomAuthUrl, provider.CustomTokenUrl, provider.CustomUserInfoUrl)
 			if idProvider == nil {
-				c.ResponseError(fmt.Sprintf("The provider type: %s is not supported", provider.Type))
+				c.ResponseError(fmt.Sprintf(c.T("ProviderErr.ProviderNotSupported"), provider.Type))
 				return
 			}
 
 			setHttpClient(idProvider, provider.Type)
 
 			if form.State != conf.GetConfigString("authState") && form.State != application.Name {
-				c.ResponseError(fmt.Sprintf("state expected: \"%s\", but got: \"%s\"", conf.GetConfigString("authState"), form.State))
+				c.ResponseError(fmt.Sprintf(c.T("AuthErr.AuthStateWrong"), conf.GetConfigString("authState"), form.State))
 				return
 			}
 
@@ -325,13 +346,13 @@ func (c *ApiController) Login() {
 			}
 
 			if !token.Valid() {
-				c.ResponseError("Invalid token")
+				c.ResponseError(c.T("TokenErr.InvalidToken"))
 				return
 			}
 
 			userInfo, err = idProvider.GetUserInfo(token)
 			if err != nil {
-				c.ResponseError(fmt.Sprintf("Failed to login in: %s", err.Error()))
+				c.ResponseError(fmt.Sprintf(c.T("LoginErr.LoginFail"), err.Error()))
 				return
 			}
 		}
@@ -348,7 +369,7 @@ func (c *ApiController) Login() {
 				// Sign in via OAuth (want to sign up but already have account)
 
 				if user.IsForbidden {
-					c.ResponseError("the user is forbidden to sign in, please contact the administrator")
+					c.ResponseError(c.T("LoginErr.UserIsForbidden"))
 				}
 
 				resp = c.HandleLoggedIn(application, user, &form)
@@ -360,12 +381,12 @@ func (c *ApiController) Login() {
 			} else if provider.Category == "OAuth" {
 				// Sign up via OAuth
 				if !application.EnableSignUp {
-					c.ResponseError(fmt.Sprintf("The account for provider: %s and username: %s (%s) does not exist and is not allowed to sign up as new account, please contact your IT support", provider.Type, userInfo.Username, userInfo.DisplayName))
+					c.ResponseError(fmt.Sprintf(c.T("LoginErr.AppNotEnableSignUp"), provider.Type, userInfo.Username, userInfo.DisplayName))
 					return
 				}
 
 				if !providerItem.CanSignUp {
-					c.ResponseError(fmt.Sprintf("The account for provider: %s and username: %s (%s) does not exist and is not allowed to sign up as new account via %s, please use another way to sign up", provider.Type, userInfo.Username, userInfo.DisplayName, provider.Type))
+					c.ResponseError(fmt.Sprintf(c.T("LoginErr.ProviderCanNotSignUp"), provider.Type, userInfo.Username, userInfo.DisplayName, provider.Type))
 					return
 				}
 
@@ -386,7 +407,7 @@ func (c *ApiController) Login() {
 				properties["no"] = strconv.Itoa(len(object.GetUsers(application.Organization)) + 2)
 				initScore, err := getInitScore()
 				if err != nil {
-					c.ResponseError(fmt.Errorf("get init score failed, error: %w", err).Error())
+					c.ResponseError(fmt.Errorf(c.T("InitErr.InitScoreFailed"), err).Error())
 					return
 				}
 
@@ -413,7 +434,7 @@ func (c *ApiController) Login() {
 
 				affected := object.AddUser(user)
 				if !affected {
-					c.ResponseError(fmt.Sprintf("Failed to create user, user information is invalid: %s", util.StructToJson(user)))
+					c.ResponseError(fmt.Sprintf(c.T("LoginErr.InvalidUserInformation"), util.StructToJson(user)))
 					return
 				}
 
@@ -438,13 +459,13 @@ func (c *ApiController) Login() {
 		} else { // form.Method != "signup"
 			userId := c.GetSessionUsername()
 			if userId == "" {
-				c.ResponseError("The account does not exist", userInfo)
+				c.ResponseError(c.T("LoginErr.AccountDoNotExist"), userInfo)
 				return
 			}
 
 			oldUser := object.GetUserByField(application.Organization, provider.Type, userInfo.Id)
 			if oldUser != nil {
-				c.ResponseError(fmt.Sprintf("The account for provider: %s and username: %s (%s) is already linked to another account: %s (%s)", provider.Type, userInfo.Username, userInfo.DisplayName, oldUser.Name, oldUser.DisplayName))
+				c.ResponseError(fmt.Sprintf(c.T("LoginErr.OldUser"), provider.Type, userInfo.Username, userInfo.DisplayName, oldUser.Name, oldUser.DisplayName))
 				return
 			}
 
@@ -465,7 +486,7 @@ func (c *ApiController) Login() {
 			// user already signed in to Casdoor, so let the user click the avatar button to do the quick sign-in
 			application := object.GetApplication(fmt.Sprintf("admin/%s", form.Application))
 			if application == nil {
-				c.ResponseError(fmt.Sprintf("The application: %s does not exist", form.Application))
+				c.ResponseError(fmt.Sprintf(c.T("LoginErr.AppDoNotExist"), form.Application))
 				return
 			}
 
@@ -477,7 +498,7 @@ func (c *ApiController) Login() {
 			record.User = user.Name
 			util.SafeGoroutine(func() { object.AddRecord(record) })
 		} else {
-			c.ResponseError(fmt.Sprintf("unknown authentication type (not password or provider), form = %s", util.StructToJson(form)))
+			c.ResponseError(fmt.Sprintf(c.T("LoginErr.UnknownAuthentication"), util.StructToJson(form)))
 			return
 		}
 	}
@@ -489,7 +510,7 @@ func (c *ApiController) Login() {
 func (c *ApiController) GetSamlLogin() {
 	providerId := c.Input().Get("id")
 	relayState := c.Input().Get("relayState")
-	authURL, method, err := object.GenerateSamlLoginUrl(providerId, relayState)
+	authURL, method, err := object.GenerateSamlLoginUrl(providerId, relayState, c.GetAcceptLanguage())
 	if err != nil {
 		c.ResponseError(err.Error())
 	}

controllers/base.go

@@ -63,8 +63,7 @@ func (c *ApiController) GetSessionUsername() string {
 	if sessionData != nil &&
 		sessionData.ExpireTime != 0 &&
 		sessionData.ExpireTime < time.Now().Unix() {
-		c.SetSessionUsername("")
-		c.SetSessionData(nil)
+		c.ClearUserSession()
 		return ""
 	}
 
@@ -85,13 +84,17 @@ func (c *ApiController) GetSessionApplication() *object.Application {
 	return application
 }
 
+func (c *ApiController) ClearUserSession() {
+	c.SetSessionUsername("")
+	c.SetSessionData(nil)
+}
+
 func (c *ApiController) GetSessionOidc() (string, string) {
 	sessionData := c.GetSessionData()
 	if sessionData != nil &&
 		sessionData.ExpireTime != 0 &&
 		sessionData.ExpireTime < time.Now().Unix() {
-		c.SetSessionUsername("")
-		c.SetSessionData(nil)
+		c.ClearUserSession()
 		return "", ""
 	}
 	scopeValue := c.GetSession("scope")

controllers/cas.go

@@ -210,7 +210,7 @@ func (c *RootController) SamlValidate() {
 	}
 
 	if !strings.HasPrefix(target, service) {
-		c.ResponseError(fmt.Sprintf("service %s and %s do not match", target, service))
+		c.ResponseError(fmt.Sprintf(c.T("CasErr.ServiceDoNotMatch"), target, service))
 		return
 	}
 

controllers/enforcer.go

@@ -23,7 +23,7 @@ import (
 func (c *ApiController) Enforce() {
 	userId := c.GetSessionUsername()
 	if userId == "" {
-		c.ResponseError("Please sign in first")
+		c.ResponseError(c.T("EnforcerErr.SignInFirst"))
 		return
 	}
 
@@ -41,7 +41,7 @@ func (c *ApiController) Enforce() {
 func (c *ApiController) BatchEnforce() {
 	userId := c.GetSessionUsername()
 	if userId == "" {
-		c.ResponseError("Please sign in first")
+		c.ResponseError(c.T("EnforcerErr.SignInFirst"))
 		return
 	}
 
@@ -59,7 +59,7 @@ func (c *ApiController) BatchEnforce() {
 func (c *ApiController) GetAllObjects() {
 	userId := c.GetSessionUsername()
 	if userId == "" {
-		c.ResponseError("Please sign in first")
+		c.ResponseError(c.T("EnforcerErr.SignInFirst"))
 		return
 	}
 
@@ -70,7 +70,7 @@ func (c *ApiController) GetAllObjects() {
 func (c *ApiController) GetAllActions() {
 	userId := c.GetSessionUsername()
 	if userId == "" {
-		c.ResponseError("Please sign in first")
+		c.ResponseError(c.T("EnforcerErr.SignInFirst"))
 		return
 	}
 
@@ -81,7 +81,7 @@ func (c *ApiController) GetAllActions() {
 func (c *ApiController) GetAllRoles() {
 	userId := c.GetSessionUsername()
 	if userId == "" {
-		c.ResponseError("Please sign in first")
+		c.ResponseError(c.T("EnforcerErr.SignInFirst"))
 		return
 	}
 

controllers/ldap.go

@@ -52,7 +52,7 @@ func (c *ApiController) GetLdapUser() {
 	ldapServer := LdapServer{}
 	err := json.Unmarshal(c.Ctx.Input.RequestBody, &ldapServer)
 	if err != nil || util.IsStrsEmpty(ldapServer.Host, ldapServer.Admin, ldapServer.Passwd, ldapServer.BaseDn) {
-		c.ResponseError("Missing parameter")
+		c.ResponseError(c.T("ParameterErr.Missing"))
 		return
 	}
 
@@ -120,7 +120,7 @@ func (c *ApiController) GetLdap() {
 	id := c.Input().Get("id")
 
 	if util.IsStrsEmpty(id) {
-		c.ResponseError("Missing parameter")
+		c.ResponseError(c.T("ParameterErr.Missing"))
 		return
 	}
 
@@ -136,17 +136,17 @@ func (c *ApiController) AddLdap() {
 	var ldap object.Ldap
 	err := json.Unmarshal(c.Ctx.Input.RequestBody, &ldap)
 	if err != nil {
-		c.ResponseError("Missing parameter")
+		c.ResponseError(c.T("ParameterErr.Missing"))
 		return
 	}
 
 	if util.IsStrsEmpty(ldap.Owner, ldap.ServerName, ldap.Host, ldap.Admin, ldap.Passwd, ldap.BaseDn) {
-		c.ResponseError("Missing parameter")
+		c.ResponseError(c.T("ParameterErr.Missing"))
 		return
 	}
 
 	if object.CheckLdapExist(&ldap) {
-		c.ResponseError("Ldap server exist")
+		c.ResponseError(c.T("LdapErr.ServerExisted"))
 		return
 	}
 
@@ -171,7 +171,7 @@ func (c *ApiController) UpdateLdap() {
 	var ldap object.Ldap
 	err := json.Unmarshal(c.Ctx.Input.RequestBody, &ldap)
 	if err != nil || util.IsStrsEmpty(ldap.Owner, ldap.ServerName, ldap.Host, ldap.Admin, ldap.Passwd, ldap.BaseDn) {
-		c.ResponseError("Missing parameter")
+		c.ResponseError(c.T("ParameterErr.Missing"))
 		return
 	}
 

controllers/ldapserver.go

@@ -49,7 +49,7 @@ func handleBind(w ldapserver.ResponseWriter, m *ldapserver.Message) {
 			return
 		}
 		bindpassword := string(r.AuthenticationSimple())
-		binduser, err := object.CheckUserPassword(bindorg, bindusername, bindpassword)
+		binduser, err := object.CheckUserPassword(bindorg, bindusername, bindpassword, "en")
 		if err != "" {
 			log.Printf("Bind failed User=%s, Pass=%#v, ErrMsg=%s", string(r.Name()), r.Authentication(), err)
 			res.SetResultCode(ldapserver.LDAPResultInvalidCredentials)

controllers/link.go

@@ -47,7 +47,7 @@ func (c *ApiController) Unlink() {
 
 	if user.Id != unlinkedUser.Id && !user.IsGlobalAdmin {
 		// if the user is not the same as the one we are unlinking, we need to make sure the user is the global admin.
-		c.ResponseError("You are not the global admin, you can't unlink other users")
+		c.ResponseError(c.T("AuthErr.CanNotUnlinkUsers"))
 		return
 	}
 
@@ -55,23 +55,23 @@ func (c *ApiController) Unlink() {
 		// if the user is unlinking themselves, should check the provider can be unlinked, if not, we should return an error.
 		application := object.GetApplicationByUser(user)
 		if application == nil {
-			c.ResponseError("You can't unlink yourself, you are not a member of any application")
+			c.ResponseError(c.T("AuthErr.CanNotLinkMySelf"))
 			return
 		}
 
 		if len(application.Providers) == 0 {
-			c.ResponseError("This application has no providers")
+			c.ResponseError(c.T("ApplicationErr.HasNoProviders"))
 			return
 		}
 
 		provider := application.GetProviderItemByType(providerType)
 		if provider == nil {
-			c.ResponseError("This application has no providers of type " + providerType)
+			c.ResponseError(c.T("ApplicationErr.HasNoProvidersOfType") + providerType)
 			return
 		}
 
 		if !provider.CanUnlink {
-			c.ResponseError("This provider can't be unlinked")
+			c.ResponseError(c.T("ProviderErr.CanNotBeUnlinked"))
 			return
 		}
 
@@ -84,7 +84,7 @@ func (c *ApiController) Unlink() {
 	value := object.GetUserField(&unlinkedUser, providerType)
 
 	if value == "" {
-		c.ResponseError("Please link first", value)
+		c.ResponseError(c.T("ProviderErr.LinkFirstErr"), value)
 		return
 	}
 

controllers/organization.go

@@ -133,11 +133,12 @@ func (c *ApiController) GetDefaultApplication() {
 	userId := c.GetSessionUsername()
 	id := c.Input().Get("id")
 
-	application := object.GetMaskedApplication(object.GetDefaultApplication(id), userId)
-	if application == nil {
-		c.ResponseError("Please set a default application for this organization")
+	application, err := object.GetDefaultApplication(id)
+	if err != nil {
+		c.ResponseError(err.Error())
 		return
 	}
 
-	c.ResponseOk(application)
+	maskedApplication := object.GetMaskedApplication(application, userId)
+	c.ResponseOk(maskedApplication)
 }

controllers/product.go

@@ -141,13 +141,13 @@ func (c *ApiController) BuyProduct() {
 
 	userId := c.GetSessionUsername()
 	if userId == "" {
-		c.ResponseError("Please login first")
+		c.ResponseError(c.T("LoginErr.LoginFirst"))
 		return
 	}
 
 	user := object.GetUser(userId)
 	if user == nil {
-		c.ResponseError(fmt.Sprintf("The user: %s doesn't exist", userId))
+		c.ResponseError(fmt.Sprintf(c.T("UserErr.DoNotExist"), userId))
 		return
 	}
 

controllers/provider.go

@@ -48,6 +48,30 @@ func (c *ApiController) GetProviders() {
 	}
 }
 
+// GetGlobalProviders
+// @Title GetGlobalProviders
+// @Tag Provider API
+// @Description get Global providers
+// @Success 200 {array} object.Provider The Response object
+// @router /get-global-providers [get]
+func (c *ApiController) GetGlobalProviders() {
+	limit := c.Input().Get("pageSize")
+	page := c.Input().Get("p")
+	field := c.Input().Get("field")
+	value := c.Input().Get("value")
+	sortField := c.Input().Get("sortField")
+	sortOrder := c.Input().Get("sortOrder")
+	if limit == "" || page == "" {
+		c.Data["json"] = object.GetMaskedProviders(object.GetGlobalProviders())
+		c.ServeJSON()
+	} else {
+		limit := util.ParseInt(limit)
+		paginator := pagination.SetPaginator(c.Ctx, limit, int64(object.GetGlobalProviderCount(field, value)))
+		providers := object.GetMaskedProviders(object.GetPaginationGlobalProviders(paginator.Offset(), limit, field, value, sortField, sortOrder))
+		c.ResponseOk(providers, paginator.Nums())
+	}
+}
+
 // GetProvider
 // @Title GetProvider
 // @Tag Provider API

controllers/resource.go

@@ -113,7 +113,7 @@ func (c *ApiController) DeleteResource() {
 		return
 	}
 
-	err = object.DeleteFile(provider, resource.Name)
+	err = object.DeleteFile(provider, resource.Name, c.GetAcceptLanguage())
 	if err != nil {
 		c.ResponseError(err.Error())
 		return
@@ -145,7 +145,7 @@ func (c *ApiController) UploadResource() {
 	defer file.Close()
 
 	if username == "" || fullFilePath == "" {
-		c.ResponseError(fmt.Sprintf("username or fullFilePath is empty: username = %s, fullFilePath = %s", username, fullFilePath))
+		c.ResponseError(fmt.Sprintf(c.T("ResourceErr.UsernameOrFilePathEmpty"), username, fullFilePath))
 		return
 	}
 
@@ -205,7 +205,7 @@ func (c *ApiController) UploadResource() {
 		if user == nil {
 			user = object.GetUserNoCheck(username)
 			if user == nil {
-				c.ResponseError("user is nil for tag: \"avatar\"")
+				c.ResponseError(c.T("ResourceErr.UserIsNil"))
 				return
 			}
 		}

controllers/saml.go

@@ -25,7 +25,7 @@ func (c *ApiController) GetSamlMeta() {
 	paramApp := c.Input().Get("application")
 	application := object.GetApplication(paramApp)
 	if application == nil {
-		c.ResponseError(fmt.Sprintf("err: application %s not found", paramApp))
+		c.ResponseError(fmt.Sprintf(c.T("ApplicationErr.AppNotFound"), paramApp))
 		return
 	}
 	metadata, _ := object.GetSamlMeta(application, host)

controllers/service.go

@@ -81,7 +81,7 @@ func (c *ApiController) SendEmail() {
 	}
 
 	if util.IsStrsEmpty(emailForm.Title, emailForm.Content, emailForm.Sender) {
-		c.ResponseError(fmt.Sprintf("Empty parameters for emailForm: %v", emailForm))
+		c.ResponseError(fmt.Sprintf(c.T("EmailErr.EmptyParam"), emailForm))
 		return
 	}
 
@@ -93,7 +93,7 @@ func (c *ApiController) SendEmail() {
 	}
 
 	if len(invalidReceivers) != 0 {
-		c.ResponseError(fmt.Sprintf("Invalid Email receivers: %s", invalidReceivers))
+		c.ResponseError(fmt.Sprintf(c.T("EmailErr.InvalidReceivers"), invalidReceivers))
 		return
 	}
 
@@ -141,7 +141,7 @@ func (c *ApiController) SendSms() {
 	}
 
 	if len(invalidReceivers) != 0 {
-		c.ResponseError(fmt.Sprintf("Invalid phone receivers: %s", invalidReceivers))
+		c.ResponseError(fmt.Sprintf(c.T("PhoneErr.InvalidReceivers"), invalidReceivers))
 		return
 	}
 

controllers/system_info.go

@@ -40,7 +40,7 @@ func (c *ApiController) GetSystemInfo() {
 
 	user := object.GetUser(id)
 	if user == nil || !user.IsGlobalAdmin {
-		c.ResponseError("You are not authorized to access this resource")
+		c.ResponseError(c.T("ResourceErr.NotAuthorized"))
 		return
 	}
 

controllers/token.go

@@ -150,12 +150,12 @@ func (c *ApiController) GetOAuthCode() {
 	codeChallenge := c.Input().Get("code_challenge")
 
 	if challengeMethod != "S256" && challengeMethod != "null" && challengeMethod != "" {
-		c.ResponseError("Challenge method should be S256")
+		c.ResponseError(c.T("AuthErr.ChallengeMethodErr"))
 		return
 	}
 	host := c.Ctx.Request.Host
 
-	c.Data["json"] = object.GetOAuthCode(userId, clientId, responseType, redirectUri, scope, state, nonce, codeChallenge, host)
+	c.Data["json"] = object.GetOAuthCode(userId, clientId, responseType, redirectUri, scope, state, nonce, codeChallenge, host, c.GetAcceptLanguage())
 	c.ServeJSON()
 }
 
@@ -204,7 +204,7 @@ func (c *ApiController) GetOAuthToken() {
 	}
 	host := c.Ctx.Request.Host
 
-	c.Data["json"] = object.GetOAuthToken(grantType, clientId, clientSecret, code, verifier, scope, username, password, host, tag, avatar)
+	c.Data["json"] = object.GetOAuthToken(grantType, clientId, clientSecret, code, verifier, scope, username, password, host, tag, avatar, c.GetAcceptLanguage())
 	c.SetTokenErrorHttpStatus()
 	c.ServeJSON()
 }
@@ -290,7 +290,7 @@ func (c *ApiController) IntrospectToken() {
 		clientId = c.Input().Get("client_id")
 		clientSecret = c.Input().Get("client_secret")
 		if clientId == "" || clientSecret == "" {
-			c.ResponseError("empty clientId or clientSecret")
+			c.ResponseError(c.T("TokenErr.EmptyClientID"))
 			c.Data["json"] = &object.TokenError{
 				Error: object.InvalidRequest,
 			}
@@ -301,7 +301,7 @@ func (c *ApiController) IntrospectToken() {
 	}
 	application := object.GetApplicationByClientId(clientId)
 	if application == nil || application.ClientSecret != clientSecret {
-		c.ResponseError("invalid application or wrong clientSecret")
+		c.ResponseError(c.T("TokenErr.InvalidAppOrWrongClientSecret"))
 		c.Data["json"] = &object.TokenError{
 			Error: object.InvalidClient,
 		}

controllers/user.go

@@ -100,7 +100,7 @@ func (c *ApiController) GetUser() {
 	organization := object.GetOrganization(fmt.Sprintf("%s/%s", "admin", owner))
 	if !organization.IsProfilePublic {
 		requestUserId := c.GetSessionUsername()
-		hasPermission, err := object.CheckUserPermission(requestUserId, id, owner, false)
+		hasPermission, err := object.CheckUserPermission(requestUserId, id, owner, false, c.GetAcceptLanguage())
 		if !hasPermission {
 			c.ResponseError(err.Error())
 			return
@@ -149,7 +149,7 @@ func (c *ApiController) UpdateUser() {
 	}
 
 	if user.DisplayName == "" {
-		c.ResponseError("Display name cannot be empty")
+		c.ResponseError(c.T("UserErr.DisplayNameCanNotBeEmpty"))
 		return
 	}
 
@@ -183,6 +183,12 @@ func (c *ApiController) AddUser() {
 		return
 	}
 
+	msg := object.CheckUsername(user.Name, c.GetAcceptLanguage())
+	if msg != "" {
+		c.ResponseError(msg)
+		return
+	}
+
 	c.Data["json"] = wrapActionResponse(object.AddUser(&user))
 	c.ServeJSON()
 }
@@ -224,7 +230,7 @@ func (c *ApiController) GetEmailAndPhone() {
 
 	user := object.GetUserByFields(form.Organization, form.Username)
 	if user == nil {
-		c.ResponseError(fmt.Sprintf("The user: %s/%s doesn't exist", form.Organization, form.Username))
+		c.ResponseError(fmt.Sprintf(c.T("UserErr.DoNotExistInOrg"), form.Organization, form.Username))
 		return
 	}
 
@@ -265,7 +271,7 @@ func (c *ApiController) SetPassword() {
 	requestUserId := c.GetSessionUsername()
 	userId := fmt.Sprintf("%s/%s", userOwner, userName)
 
-	hasPermission, err := object.CheckUserPermission(requestUserId, userId, userOwner, true)
+	hasPermission, err := object.CheckUserPermission(requestUserId, userId, userOwner, true, c.GetAcceptLanguage())
 	if !hasPermission {
 		c.ResponseError(err.Error())
 		return
@@ -274,7 +280,7 @@ func (c *ApiController) SetPassword() {
 	targetUser := object.GetUser(userId)
 
 	if oldPassword != "" {
-		msg := object.CheckPassword(targetUser, oldPassword)
+		msg := object.CheckPassword(targetUser, oldPassword, c.GetAcceptLanguage())
 		if msg != "" {
 			c.ResponseError(msg)
 			return
@@ -282,12 +288,12 @@ func (c *ApiController) SetPassword() {
 	}
 
 	if strings.Contains(newPassword, " ") {
-		c.ResponseError("New password cannot contain blank space.")
+		c.ResponseError(c.T("SetPasswordErr.CanNotContainBlank"))
 		return
 	}
 
 	if len(newPassword) <= 5 {
-		c.ResponseError("New password must have at least 6 characters")
+		c.ResponseError(c.T("SetPasswordErr.LessThanSixCharacters"))
 		return
 	}
 
@@ -309,7 +315,7 @@ func (c *ApiController) CheckUserPassword() {
 		return
 	}
 
-	_, msg := object.CheckUserPassword(user.Owner, user.Name, user.Password)
+	_, msg := object.CheckUserPassword(user.Owner, user.Name, user.Password, c.GetAcceptLanguage())
 	if msg == "" {
 		c.ResponseOk()
 	} else {

controllers/user_upload.go

@@ -61,6 +61,6 @@ func (c *ApiController) UploadUsers() {
 	if affected {
 		c.ResponseOk()
 	} else {
-		c.ResponseError("Failed to import users")
+		c.ResponseError(c.T("UserErr.FailToImportUsers"))
 	}
 }

controllers/util.go

@@ -19,6 +19,7 @@ import (
 	"strconv"
 
 	"github.com/casdoor/casdoor/conf"
+	"github.com/casdoor/casdoor/i18n"
 	"github.com/casdoor/casdoor/object"
 	"github.com/casdoor/casdoor/util"
 )
@@ -48,6 +49,19 @@ func (c *ApiController) ResponseError(error string, data ...interface{}) {
 	c.ResponseJsonData(resp, data...)
 }
 
+func (c *ApiController) T(error string) string {
+	return i18n.Translate(c.GetAcceptLanguage(), error)
+}
+
+// GetAcceptLanguage ...
+func (c *ApiController) GetAcceptLanguage() string {
+	lang := c.Ctx.Request.Header.Get("Accept-Language")
+	if lang == "" {
+		lang = "en"
+	}
+	return lang[0:2]
+}
+
 // SetTokenErrorHttpStatus ...
 func (c *ApiController) SetTokenErrorHttpStatus() {
 	_, ok := c.Data["json"].(*object.TokenError)
@@ -69,7 +83,7 @@ func (c *ApiController) SetTokenErrorHttpStatus() {
 func (c *ApiController) RequireSignedIn() (string, bool) {
 	userId := c.GetSessionUsername()
 	if userId == "" {
-		c.ResponseError("Please sign in first")
+		c.ResponseError(c.T("LoginErr.LoginFirst"), "Please login first")
 		return "", false
 	}
 	return userId, true
@@ -84,7 +98,8 @@ func (c *ApiController) RequireSignedInUser() (*object.User, bool) {
 
 	user := object.GetUser(userId)
 	if user == nil {
-		c.ResponseError(fmt.Sprintf("The user: %s doesn't exist", userId))
+		c.ClearUserSession()
+		c.ResponseError(fmt.Sprintf(c.T("UserErr.DoNotExist"), userId))
 		return nil, false
 	}
 	return user, true
@@ -112,7 +127,7 @@ func (c *ApiController) GetProviderFromContext(category string) (*object.Provide
 	if providerName != "" {
 		provider := object.GetProvider(util.GetId(providerName))
 		if provider == nil {
-			c.ResponseError(fmt.Sprintf("The provider: %s is not found", providerName))
+			c.ResponseError(c.T("ProviderErr.ProviderNotFound"), providerName)
 			return nil, nil, false
 		}
 		return provider, nil, true
@@ -125,13 +140,13 @@ func (c *ApiController) GetProviderFromContext(category string) (*object.Provide
 
 	application, user := object.GetApplicationByUserId(userId)
 	if application == nil {
-		c.ResponseError(fmt.Sprintf("No application is found for userId: \"%s\"", userId))
+		c.ResponseError(fmt.Sprintf(c.T("ApplicationErr.AppNotFoundForUserID"), userId))
 		return nil, nil, false
 	}
 
 	provider := application.GetProviderByCategory(category)
 	if provider == nil {
-		c.ResponseError(fmt.Sprintf("No provider for category: \"%s\" is found for application: %s", category, application.Name))
+		c.ResponseError(fmt.Sprintf(c.T("ProviderErr.ProviderNotFoundForCategory"), category, application.Name))
 		return nil, nil, false
 	}
 

controllers/verification.go

@@ -50,23 +50,23 @@ func (c *ApiController) SendVerificationCode() {
 	remoteAddr := util.GetIPFromRequest(c.Ctx.Request)
 
 	if destType == "" {
-		c.ResponseError("Missing parameter: type.")
+		c.ResponseError(c.T("ParameterErr.Missing") + ": type.")
 		return
 	}
 	if dest == "" {
-		c.ResponseError("Missing parameter: dest.")
+		c.ResponseError(c.T("ParameterErr.Missing") + ": dest.")
 		return
 	}
 	if applicationId == "" {
-		c.ResponseError("Missing parameter: applicationId.")
+		c.ResponseError(c.T("ParameterErr.Missing") + ": applicationId.")
 		return
 	}
 	if !strings.Contains(applicationId, "/") {
-		c.ResponseError("Wrong parameter: applicationId.")
+		c.ResponseError(c.T("ParameterErr.Wrong") + ": applicationId.")
 		return
 	}
 	if checkType == "" {
-		c.ResponseError("Missing parameter: checkType.")
+		c.ResponseError(c.T("ParameterErr.Missing") + ": checkType.")
 		return
 	}
 
@@ -74,7 +74,7 @@ func (c *ApiController) SendVerificationCode() {
 
 	if captchaProvider != nil {
 		if checkKey == "" {
-			c.ResponseError("Missing parameter: checkKey.")
+			c.ResponseError(c.T("ParameterErr.Missing") + ": checkKey.")
 			return
 		}
 		isHuman, err := captchaProvider.VerifyCaptcha(checkKey, checkId)
@@ -84,7 +84,7 @@ func (c *ApiController) SendVerificationCode() {
 		}
 
 		if !isHuman {
-			c.ResponseError("Turing test failed.")
+			c.ResponseError(c.T("AuthErr.NotHuman"))
 			return
 		}
 	}
@@ -94,7 +94,7 @@ func (c *ApiController) SendVerificationCode() {
 	organization := object.GetOrganization(fmt.Sprintf("%s/%s", application.Owner, application.Organization))
 
 	if checkUser == "true" && user == nil && object.GetUserByFields(organization.Name, dest) == nil {
-		c.ResponseError("Please login first")
+		c.ResponseError(c.T("LoginErr.LoginFirst"))
 		return
 	}
 
@@ -110,7 +110,7 @@ func (c *ApiController) SendVerificationCode() {
 			dest = user.Email
 		}
 		if !util.IsEmailValid(dest) {
-			c.ResponseError("Invalid Email address")
+			c.ResponseError(c.T("EmailErr.EmailInvalid"))
 			return
 		}
 
@@ -121,11 +121,11 @@ func (c *ApiController) SendVerificationCode() {
 			dest = user.Phone
 		}
 		if !util.IsPhoneCnValid(dest) {
-			c.ResponseError("Invalid phone number")
+			c.ResponseError(c.T("PhoneErr.NumberInvalid"))
 			return
 		}
 		if organization == nil {
-			c.ResponseError("The organization doesn't exist.")
+			c.ResponseError(c.T("OrgErr.DoNotExist"))
 			return
 		}
 
@@ -157,7 +157,7 @@ func (c *ApiController) ResetEmailOrPhone() {
 	dest := c.Ctx.Request.Form.Get("dest")
 	code := c.Ctx.Request.Form.Get("code")
 	if len(dest) == 0 || len(code) == 0 || len(destType) == 0 {
-		c.ResponseError("Missing parameter.")
+		c.ResponseError(c.T("ParameterErr.Missing"))
 		return
 	}
 
@@ -166,11 +166,11 @@ func (c *ApiController) ResetEmailOrPhone() {
 	if destType == "phone" {
 		phoneItem := object.GetAccountItemByName("Phone", org)
 		if phoneItem == nil {
-			c.ResponseError("Unable to get the phone modify rule.")
+			c.ResponseError(c.T("PhoneErr.UnableGetModifyRule"))
 			return
 		}
 
-		if pass, errMsg := object.CheckAccountItemModifyRule(phoneItem, user); !pass {
+		if pass, errMsg := object.CheckAccountItemModifyRule(phoneItem, user, c.GetAcceptLanguage()); !pass {
 			c.ResponseError(errMsg)
 			return
 		}
@@ -183,16 +183,16 @@ func (c *ApiController) ResetEmailOrPhone() {
 	} else if destType == "email" {
 		emailItem := object.GetAccountItemByName("Email", org)
 		if emailItem == nil {
-			c.ResponseError("Unable to get the email modify rule.")
+			c.ResponseError(c.T("EmailErr.UnableGetModifyRule"))
 			return
 		}
 
-		if pass, errMsg := object.CheckAccountItemModifyRule(emailItem, user); !pass {
+		if pass, errMsg := object.CheckAccountItemModifyRule(emailItem, user, c.GetAcceptLanguage()); !pass {
 			c.ResponseError(errMsg)
 			return
 		}
 	}
-	if ret := object.CheckVerificationCode(checkDest, code); len(ret) != 0 {
+	if ret := object.CheckVerificationCode(checkDest, code, c.GetAcceptLanguage()); len(ret) != 0 {
 		c.ResponseError(ret)
 		return
 	}
@@ -205,7 +205,7 @@ func (c *ApiController) ResetEmailOrPhone() {
 		user.Phone = dest
 		object.SetUserField(user, "phone", user.Phone)
 	default:
-		c.ResponseError("Unknown type.")
+		c.ResponseError(c.T("ParameterErr.UnknownType"))
 		return
 	}
 
@@ -224,17 +224,17 @@ func (c *ApiController) VerifyCaptcha() {
 	captchaToken := c.Ctx.Request.Form.Get("captchaToken")
 	clientSecret := c.Ctx.Request.Form.Get("clientSecret")
 	if captchaToken == "" {
-		c.ResponseError("Missing parameter: captchaToken.")
+		c.ResponseError(c.T("ParameterErr.Missing") + ": captchaToken.")
 		return
 	}
 	if clientSecret == "" {
-		c.ResponseError("Missing parameter: clientSecret.")
+		c.ResponseError(c.T("ParameterErr.Missing") + ": clientSecret.")
 		return
 	}
 
 	provider := captcha.GetCaptchaProvider(captchaType)
 	if provider == nil {
-		c.ResponseError("Invalid captcha provider.")
+		c.ResponseError(c.T("ProviderErr.InvalidProvider"))
 		return
 	}
 

controllers/webauthn.go

@@ -35,7 +35,7 @@ func (c *ApiController) WebAuthnSignupBegin() {
 	webauthnObj := object.GetWebAuthnObject(c.Ctx.Request.Host)
 	user := c.getCurrentUser()
 	if user == nil {
-		c.ResponseError("Please login first.")
+		c.ResponseError(c.T("LoginErr.LoginFirst"))
 		return
 	}
 
@@ -66,13 +66,13 @@ func (c *ApiController) WebAuthnSignupFinish() {
 	webauthnObj := object.GetWebAuthnObject(c.Ctx.Request.Host)
 	user := c.getCurrentUser()
 	if user == nil {
-		c.ResponseError("Please login first.")
+		c.ResponseError(c.T("LoginErr.LoginFirst"))
 		return
 	}
 	sessionObj := c.GetSession("registration")
 	sessionData, ok := sessionObj.(webauthn.SessionData)
 	if !ok {
-		c.ResponseError("Please call WebAuthnSignupBegin first")
+		c.ResponseError(c.T("AuthErr.CallWebAuthnSigninBegin"))
 		return
 	}
 	c.Ctx.Request.Body = io.NopCloser(bytes.NewBuffer(c.Ctx.Input.RequestBody))
@@ -101,7 +101,7 @@ func (c *ApiController) WebAuthnSigninBegin() {
 	userName := c.Input().Get("name")
 	user := object.GetUserByFields(userOwner, userName)
 	if user == nil {
-		c.ResponseError(fmt.Sprintf("The user: %s/%s doesn't exist", userOwner, userName))
+		c.ResponseError(fmt.Sprintf(c.T("UserErr.DoNotExistInOrg"), userOwner, userName))
 		return
 	}
 	options, sessionData, err := webauthnObj.BeginLogin(user)
@@ -127,7 +127,7 @@ func (c *ApiController) WebAuthnSigninFinish() {
 	sessionObj := c.GetSession("authentication")
 	sessionData, ok := sessionObj.(webauthn.SessionData)
 	if !ok {
-		c.ResponseError("Please call WebAuthnSigninBegin first")
+		c.ResponseError(c.T("AuthErr.CallWebAuthnSigninBegin"))
 		return
 	}
 	c.Ctx.Request.Body = io.NopCloser(bytes.NewBuffer(c.Ctx.Input.RequestBody))

go.mod

@@ -4,6 +4,7 @@ go 1.16
 
 require (
 	github.com/RobotsAndPencils/go-saml v0.0.0-20170520135329-fb13cb52a46b
+	github.com/Unknwon/goconfig v1.0.0
 	github.com/alexedwards/argon2id v0.0.0-20211130144151-3585854a6387
 	github.com/aws/aws-sdk-go v1.44.4
 	github.com/beego/beego v1.12.11
@@ -47,7 +48,7 @@ require (
 	golang.org/x/sys v0.0.0-20220520151302-bc2c85ada10a // indirect
 	gopkg.in/alexcesaro/quotedprintable.v3 v3.0.0-20150716171945-2caba252f4dc // indirect
 	gopkg.in/gomail.v2 v2.0.0-20160411212932-81ebce5c23df // indirect
-	gopkg.in/ini.v1 v1.62.0 // indirect
+	gopkg.in/ini.v1 v1.67.0
 	gopkg.in/square/go-jose.v2 v2.6.0
 	gopkg.in/yaml.v2 v2.3.0 // indirect
 	xorm.io/core v0.7.2

go.sum

@@ -61,6 +61,8 @@ github.com/Knetic/govaluate v3.0.1-0.20171022003610-9aa49832a739+incompatible/go
 github.com/PuerkitoBio/goquery v1.5.1/go.mod h1:GsLWisAFVj4WgDibEWF4pvYnkVQBpKBKeU+7zCJoLcc=
 github.com/RobotsAndPencils/go-saml v0.0.0-20170520135329-fb13cb52a46b h1:EgJ6N2S0h1WfFIjU5/VVHWbMSVYXAluop97Qxpr/lfQ=
 github.com/RobotsAndPencils/go-saml v0.0.0-20170520135329-fb13cb52a46b/go.mod h1:3SAoF0F5EbcOuBD5WT9nYkbIJieBS84cUQXADbXeBsU=
+github.com/Unknwon/goconfig v1.0.0 h1:9IAu/BYbSLQi8puFjUQApZTxIHqSwrj5d8vpP8vTq4A=
+github.com/Unknwon/goconfig v1.0.0/go.mod h1:wngxua9XCNjvHjDiTiV26DaKDT+0c63QR6H5hjVUUxw=
 github.com/alecthomas/template v0.0.0-20160405071501-a0175ee3bccc/go.mod h1:LOuyumcjzFXgccqObfd/Ljyb9UuFJ6TxHnclSeseNhc=
 github.com/alecthomas/template v0.0.0-20190718012654-fb15b899a751/go.mod h1:LOuyumcjzFXgccqObfd/Ljyb9UuFJ6TxHnclSeseNhc=
 github.com/alecthomas/units v0.0.0-20151022065526-2efee857e7cf/go.mod h1:ybxpYRFXyAe+OPACYpWeL0wqObRcbAqCMya13uyzqw0=
@@ -757,8 +759,8 @@ gopkg.in/fsnotify.v1 v1.4.7/go.mod h1:Tz8NjZHkW78fSQdbUxIjBTcgA1z1m8ZHf0WmKUhAMy
 gopkg.in/gomail.v2 v2.0.0-20160411212932-81ebce5c23df h1:n7WqCuqOuCbNr617RXOY0AWRXxgwEyPp2z+p0+hgMuE=
 gopkg.in/gomail.v2 v2.0.0-20160411212932-81ebce5c23df/go.mod h1:LRQQ+SO6ZHR7tOkpBDuZnXENFzX8qRjMDMyPD6BRkCw=
 gopkg.in/ini.v1 v1.42.0/go.mod h1:pNLf8WUiyNEtQjuu5G5vTm06TEv9tsIgeAvK8hOrP4k=
-gopkg.in/ini.v1 v1.62.0 h1:duBzk771uxoUuOlyRLkHsygud9+5lrlGjdFBb4mSKDU=
-gopkg.in/ini.v1 v1.62.0/go.mod h1:pNLf8WUiyNEtQjuu5G5vTm06TEv9tsIgeAvK8hOrP4k=
+gopkg.in/ini.v1 v1.67.0 h1:Dgnx+6+nfE+IfzjUEISNeydPJh9AXNNsWbGP9KzCsOA=
+gopkg.in/ini.v1 v1.67.0/go.mod h1:pNLf8WUiyNEtQjuu5G5vTm06TEv9tsIgeAvK8hOrP4k=
 gopkg.in/mgo.v2 v2.0.0-20190816093944-a6b53ec6cb22/go.mod h1:yeKp02qBN3iKW1OzL3MGk2IdtZzaj7SFntXj72NppTA=
 gopkg.in/square/go-jose.v2 v2.6.0 h1:NGk74WTnPKBNUhNzQX7PYcTLUjoq7mzKk2OKbvwk2iI=
 gopkg.in/square/go-jose.v2 v2.6.0/go.mod h1:M9dMgbHiYLoDGQrXy7OpJDJWiKiU//h+vD76mk0e1AI=

i18n/generate_backend.go

@@ -0,0 +1,122 @@
+// Copyright 2022 The Casdoor Authors. All Rights Reserved.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//      http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package i18n
+
+import (
+	"log"
+	"os"
+	"path/filepath"
+	"regexp"
+	"strings"
+
+	"github.com/Unknwon/goconfig"
+	"github.com/casdoor/casdoor/util"
+)
+
+var (
+	reI18nBackendObject    *regexp.Regexp
+	re18nBackendController *regexp.Regexp
+)
+
+func init() {
+	reI18nBackendObject, _ = regexp.Compile("i18n.Translate\\((.*?)\"\\)")
+	re18nBackendController, _ = regexp.Compile("c.T\\((.*?)\"\\)")
+}
+
+func GetAllI18nStrings(fileContent string, path string) []string {
+	res := []string{}
+	if strings.Contains(path, "object") {
+		matches := reI18nBackendObject.FindAllStringSubmatch(fileContent, -1)
+		if matches == nil {
+			return res
+		}
+		for _, match := range matches {
+			match := strings.Split(match[1], ",")
+			res = append(res, match[1][2:])
+		}
+	} else {
+		matches := re18nBackendController.FindAllStringSubmatch(fileContent, -1)
+		if matches == nil {
+			return res
+		}
+		for _, match := range matches {
+			res = append(res, match[1][1:])
+		}
+	}
+
+	return res
+}
+
+func getAllGoFilePaths() []string {
+	path := "../"
+
+	res := []string{}
+	err := filepath.Walk(path,
+		func(path string, info os.FileInfo, err error) error {
+			if err != nil {
+				return err
+			}
+
+			if !strings.HasSuffix(info.Name(), ".go") {
+				return nil
+			}
+
+			res = append(res, path)
+			// fmt.Println(path, info.Name())
+			return nil
+		})
+	if err != nil {
+		panic(err)
+	}
+
+	return res
+}
+
+func getErrName(paths []string) map[string]bool {
+	ErrName := make(map[string]bool)
+	for i := 0; i < len(paths); i++ {
+		content := util.ReadStringFromPath(paths[i])
+		words := GetAllI18nStrings(content, paths[i])
+		for i := 0; i < len(words); i++ {
+			ErrName[words[i]] = true
+		}
+	}
+	return ErrName
+}
+
+func writeToAllLanguageFiles(errName map[string]bool) {
+	languages := "en,zh,es,fr,de,ja,ko,ru"
+	languageArr := strings.Split(languages, ",")
+	var c [10]*goconfig.ConfigFile
+	for i := 0; i < len(languageArr); i++ {
+		var err error
+		c[i], err = goconfig.LoadConfigFile("../i18n/languages/" + "locale_" + languageArr[i] + ".ini")
+		if err != nil {
+			log.Println(err.Error())
+		}
+		for j := range errName {
+			parts := strings.Split(j, ".")
+			_, err := c[i].GetValue(parts[0], parts[1])
+			if err != nil {
+				c[i].SetValue(parts[0], parts[1], parts[1])
+			}
+		}
+		c[i].SetPrettyFormat(true)
+		err = goconfig.SaveConfigFile(c[i], "../i18n/languages/"+"locale_"+languageArr[i]+".ini")
+		if err != nil {
+			log.Println(err)
+		}
+	}
+}

i18n/generate_test.go

@@ -14,7 +14,10 @@
 
 package i18n
 
-import "testing"
+import (
+	"fmt"
+	"testing"
+)
 
 func applyToOtherLanguage(dataEn *I18nData, lang string) {
 	dataOther := readI18nFile(lang)
@@ -24,7 +27,7 @@ func applyToOtherLanguage(dataEn *I18nData, lang string) {
 	writeI18nFile(lang, dataEn)
 }
 
-func TestGenerateI18nStrings(t *testing.T) {
+func TestGenerateI18nStringsForFrontend(t *testing.T) {
 	dataEn := parseToData()
 	writeI18nFile("en", dataEn)
 
@@ -35,3 +38,17 @@ func TestGenerateI18nStrings(t *testing.T) {
 	applyToOtherLanguage(dataEn, "ru")
 	applyToOtherLanguage(dataEn, "zh")
 }
+
+func TestGenerateI18nStringsForBackend(t *testing.T) {
+	paths := getAllGoFilePaths()
+
+	errName := getErrName(paths)
+
+	writeToAllLanguageFiles(errName)
+
+	fmt.Println("Total Err Words:", len(errName))
+
+	for i := range errName {
+		fmt.Println(i)
+	}
+}

i18n/languages/locale_de.ini

@@ -0,0 +1,137 @@
+[ApplicationErr]
+AppNotFound = Application %s not found
+AppNotFoundForUserID = No application is found for userId: %s
+GrantTypeNotSupport = Grant_type: %s is not supported in this application
+HasNoProviders = This application has no providers
+HasNoProvidersOfType = This application has no providers of type
+InvalidID = Invalid application id
+
+[AuthErr]
+AuthStateWrong = State expected: %s, but got: %s
+ChallengeMethodErr = Challenge method should be S256
+CanNotUnlinkUsers = You are not the global admin, you can't unlink other users
+CanNotLinkMySelf = You can't unlink yourself, you are not a member of any application
+CallWebAuthnSigninBegin = Please call WebAuthnSigninBegin first
+NotHuman = Turing test failed.
+Unauthorized = Unauthorized operation
+WrongPasswordManyTimes = WrongPasswordManyTimes
+
+[CasErr]
+ServiceDoNotMatch = Service %s and %s do not match
+
+[EmailErr]
+ExistedErr = Email already exists
+EmptyErr = Email cannot be empty
+EmailInvalid = Email is invalid
+EmailCheckResult = Email: %s
+EmptyParam = Empty parameters for emailForm: %v
+InvalidReceivers = Invalid Email receivers: %s
+UnableGetModifyRule = Unable to get the email modify rule.
+
+[EnforcerErr]
+SignInFirst = Please sign in first
+
+[InitErr]
+InitScoreFailed = Get init score failed, error: %%w
+
+[LdapErr]
+MultipleAccounts = Multiple accounts with same uid, please check your ldap server
+PasswordWrong = Ldap user name or password incorrect
+ServerExisted = Ldap server exist
+
+[LoginErr]
+AppDoNotExist = The application: %s does not exist
+AppNotEnableSignUp = The account for provider: %s and username: %s (%s) does not exist and is not allowed to sign up as new account, please contact your IT support
+AccountDoNotExist = The account does not exist
+InvalidUserInformation = Failed to create user, user information is invalid: %s
+LoginFirst = Please login first
+LoginFail = Failed to login in: %s
+NoPermission = You don't have the permission to do this
+OldUser = The account for provider: %s and username: %s (%s) is already linked to another account: %s (%s)
+ProviderCanNotSignUp = The account for provider: %s and username: %s (%s) does not exist and is not allowed to sign up as new account via %%s, please use another way to sign up
+SessionOutdated = Session outdated, please login again
+SignOutFirst = Please sign out first before signing in
+UserDoNotExist = The user: %s/%s doesn't exist
+UserIsForbidden = The user is forbidden to sign in, please contact the administrator
+UnknownAuthentication = Unknown authentication type (not password or provider), form = %s
+UnsupportedPasswordType = unsupported password type: %s
+
+[OrgErr]
+DoNotExist = Organization does not exist
+Immutable = The %s is immutable.
+OnlyAdmin = Only admin can modify the %s.
+UnknownModifyRule = Unknown modify rule %s.
+
+[ParameterErr]
+OrgMissingErr = Parameter organization is missing
+Missing = Missing parameter
+UnknownType = Unknown type
+Wrong = Wrong parameter
+
+[PhoneErr]
+CodeNotSent = Code has not been sent yet!
+CodeTimeOut = You should verify your code in %d min!
+ExistedErr = Phone already exists
+EmptyErr = Phone cannot be empty
+InvalidReceivers = Invalid phone receivers: %s
+NumberInvalid = Phone number is invalid
+NoPrefix = %s No phone prefix
+PhoneCheckResult = Phone: %s
+UnableGetModifyRule = Unable to get the phone modify rule.
+
+[ProviderErr]
+CanNotBeUnlinked = This provider can't be unlinked
+CategoryNotSAML = provider %s's category is not SAML
+DoNotExist = the provider: %s does not exist
+InvalidProvider = Invalid captcha provider.
+LinkFirstErr = Please link first
+ProviderNotEnabled = The provider: %s is not enabled for the application
+ProviderNotSupported = The provider type: %s is not supported
+ProviderNotFound = The provider: %s is not found
+ProviderNotFoundForCategory = No provider for category: %s is found for application: %s
+
+[ResourceErr]
+NotAuthorized = You are not authorized to access this resource
+UserIsNil = User is nil for tag: /"avatar/"
+UsernameOrFilePathEmpty = Username or fullFilePath is empty: username = %s, fullFilePath = %s
+
+[SetPasswordErr]
+CanNotContainBlank = New password cannot contain blank space.
+LessThanSixCharacters = New password must have at least 6 characters
+
+[SignUpErr]
+DoNotAllowSignUp = The application does not allow to sign up new account
+SignOutFirst = Please sign out first before signing up
+
+[StorageErr]
+ObjectKeyNotAllowed = The objectKey: %s is not allowed
+
+[TokenErr]
+EmptyClientID = Empty clientId or clientSecret
+InvalidToken = Invalid token
+InvalidAppOrWrongClientSecret = Invalid application or wrong clientSecret
+InvalidClientId = Invalid client_id
+RedirectURIDoNotExist = Redirect URI: %s doesn't exist in the allowed Redirect URI list
+
+[UserErr]
+AffiliationBlankErr = Affiliation cannot be blank
+DisplayNameBlankErr = DisplayName cannot be blank
+DisplayNameInvalid = DisplayName is not valid real name
+DisplayNameCanNotBeEmpty = Display name cannot be empty
+DoNotExist = The user: %s doesn't exist
+DoNotExistInOrg = The user: %s/%s doesn't exist
+DoNotExistSignUp = the user does not exist, please sign up first
+FirstNameBlankErr = FirstName cannot be blank
+FailToImportUsers = Failed to import users
+LastNameBlankErr = LastName cannot be blank
+NameLessThanTwoCharacters = Username must have at least 2 characters
+NameStartWithADigitErr = Username cannot start with a digit
+NameIsEmailErr = Username cannot be an email address
+NameCantainWhitSpaceErr = Username cannot contain white spaces
+NameExistedErr = Username already exists
+NameEmptyErr = Empty username.
+NameTooLang = Username is too long (maximum is 39 characters).
+NameFormatErr = The username may only contain alphanumeric characters, underlines or hyphens, cannot have consecutive hyphens or underlines, and cannot begin or end with a hyphen or underline.
+PasswordLessThanSixCharacters = Password must have at least 6 characters
+InvalidInformation = Invalid information
+

i18n/languages/locale_en.ini

@@ -0,0 +1,137 @@
+[ApplicationErr]
+AppNotFound = Application %s not found
+AppNotFoundForUserID = No application is found for userId: %s
+GrantTypeNotSupport = Grant_type: %s is not supported in this application
+HasNoProviders = This application has no providers
+HasNoProvidersOfType = This application has no providers of type
+InvalidID = Invalid application id
+
+[AuthErr]
+AuthStateWrong = State expected: %s, but got: %s
+ChallengeMethodErr = Challenge method should be S256
+CanNotUnlinkUsers = You are not the global admin, you can't unlink other users
+CanNotLinkMySelf = You can't unlink yourself, you are not a member of any application
+CallWebAuthnSigninBegin = Please call WebAuthnSigninBegin first
+NotHuman = Turing test failed.
+WrongPasswordManyTimes = You have entered the wrong password too many times, please wait for %d minutes %d seconds and try again
+Unauthorized = Unauthorized operation
+
+[CasErr]
+ServiceDoNotMatch = Service %s and %s do not match
+
+[EmailErr]
+ExistedErr = Email already exists
+EmptyErr = Email cannot be empty
+EmailInvalid = Email is invalid
+EmailCheckResult = Email: %s
+EmptyParam = Empty parameters for emailForm: %v
+InvalidReceivers = Invalid Email receivers: %s
+UnableGetModifyRule = Unable to get the email modify rule.
+
+[EnforcerErr]
+SignInFirst = Please sign in first
+
+[InitErr]
+InitScoreFailed = Get init score failed, error: %%w
+
+[LdapErr]
+MultipleAccounts = Multiple accounts with same uid, please check your ldap server
+PasswordWrong = Ldap user name or password incorrect
+ServerExisted = Ldap server exist
+
+[LoginErr]
+AppDoNotExist = The application: %s does not exist
+AppNotEnableSignUp = The account for provider: %s and username: %s (%s) does not exist and is not allowed to sign up as new account, please contact your IT support
+AccountDoNotExist = The account does not exist
+InvalidUserInformation = Failed to create user, user information is invalid: %s
+LoginFirst = Please login first
+LoginFail = Failed to login in: %s
+NoPermission = You don't have the permission to do this
+OldUser = The account for provider: %s and username: %s (%s) is already linked to another account: %s (%s)
+ProviderCanNotSignUp = The account for provider: %s and username: %s (%s) does not exist and is not allowed to sign up as new account via %%s, please use another way to sign up
+SessionOutdated = Session outdated, please login again
+SignOutFirst = Please sign out first before signing in
+UserDoNotExist = The user: %s/%s doesn't exist
+UserIsForbidden = The user is forbidden to sign in, please contact the administrator
+UnknownAuthentication = Unknown authentication type (not password or provider), form = %s
+UnsupportedPasswordType = unsupported password type: %s
+
+[OrgErr]
+DoNotExist = Organization does not exist
+Immutable = The %s is immutable.
+OnlyAdmin = Only admin can modify the %s.
+UnknownModifyRule = Unknown modify rule %s.
+
+[ParameterErr]
+OrgMissingErr = Parameter organization is missing
+Missing = Missing parameter
+UnknownType = Unknown type
+Wrong = Wrong parameter
+
+[PhoneErr]
+CodeNotSent = Code has not been sent yet!
+CodeTimeOut = You should verify your code in %d min!
+ExistedErr = Phone already exists
+EmptyErr = Phone cannot be empty
+InvalidReceivers = Invalid phone receivers: %s
+NumberInvalid = Phone number is invalid
+NoPrefix = %s No phone prefix
+PhoneCheckResult = Phone: %s
+UnableGetModifyRule = Unable to get the phone modify rule.
+
+[ProviderErr]
+CanNotBeUnlinked = This provider can't be unlinked
+CategoryNotSAML = provider %s's category is not SAML
+DoNotExist = the provider: %s does not exist
+InvalidProvider = Invalid captcha provider.
+LinkFirstErr = Please link first
+ProviderNotEnabled = The provider: %s is not enabled for the application
+ProviderNotSupported = The provider type: %s is not supported
+ProviderNotFound = The provider: %s is not found
+ProviderNotFoundForCategory = No provider for category: %s is found for application: %s
+
+[ResourceErr]
+NotAuthorized = You are not authorized to access this resource
+UserIsNil = User is nil for tag: /"avatar/"
+UsernameOrFilePathEmpty = Username or fullFilePath is empty: username = %s, fullFilePath = %s
+
+[SetPasswordErr]
+CanNotContainBlank = New password cannot contain blank space.
+LessThanSixCharacters = New password must have at least 6 characters
+
+[SignUpErr]
+DoNotAllowSignUp = The application does not allow to sign up new account
+SignOutFirst = Please sign out first before signing up
+
+[StorageErr]
+ObjectKeyNotAllowed = The objectKey: %s is not allowed
+
+[TokenErr]
+EmptyClientID = Empty clientId or clientSecret
+InvalidToken = Invalid token
+InvalidAppOrWrongClientSecret = Invalid application or wrong clientSecret
+InvalidClientId = Invalid client_id
+RedirectURIDoNotExist = Redirect URI: %s doesn't exist in the allowed Redirect URI list
+
+[UserErr]
+AffiliationBlankErr = Affiliation cannot be blank
+DisplayNameBlankErr = DisplayName cannot be blank
+DisplayNameInvalid = DisplayName is not valid real name
+DisplayNameCanNotBeEmpty = Display name cannot be empty
+DoNotExist = The user: %s doesn't exist
+DoNotExistInOrg = The user: %s/%s doesn't exist
+DoNotExistSignUp = the user does not exist, please sign up first
+FirstNameBlankErr = FirstName cannot be blank
+FailToImportUsers = Failed to import users
+LastNameBlankErr = LastName cannot be blank
+NameLessThanTwoCharacters = Username must have at least 2 characters
+NameStartWithADigitErr = Username cannot start with a digit
+NameIsEmailErr = Username cannot be an email address
+NameCantainWhitSpaceErr = Username cannot contain white spaces
+NameExistedErr = Username already exists
+NameEmptyErr = Empty username.
+NameTooLang = Username is too long (maximum is 39 characters).
+NameFormatErr = The username may only contain alphanumeric characters, underlines or hyphens, cannot have consecutive hyphens or underlines, and cannot begin or end with a hyphen or underline.
+PasswordLessThanSixCharacters = Password must have at least 6 characters
+InvalidInformation = Invalid information
+

i18n/languages/locale_es.ini

@@ -0,0 +1,137 @@
+[ApplicationErr]
+AppNotFound = Application %s not found
+AppNotFoundForUserID = No application is found for userId: %s
+GrantTypeNotSupport = Grant_type: %s is not supported in this application
+HasNoProviders = This application has no providers
+HasNoProvidersOfType = This application has no providers of type
+InvalidID = Invalid application id
+
+[AuthErr]
+AuthStateWrong = State expected: %s, but got: %s
+ChallengeMethodErr = Challenge method should be S256
+CanNotUnlinkUsers = You are not the global admin, you can't unlink other users
+CanNotLinkMySelf = You can't unlink yourself, you are not a member of any application
+CallWebAuthnSigninBegin = Please call WebAuthnSigninBegin first
+NotHuman = Turing test failed.
+Unauthorized = Unauthorized operation
+WrongPasswordManyTimes = WrongPasswordManyTimes
+
+[CasErr]
+ServiceDoNotMatch = Service %s and %s do not match
+
+[EmailErr]
+ExistedErr = Email already exists
+EmptyErr = Email cannot be empty
+EmailInvalid = Email is invalid
+EmailCheckResult = Email: %s
+EmptyParam = Empty parameters for emailForm: %v
+InvalidReceivers = Invalid Email receivers: %s
+UnableGetModifyRule = Unable to get the email modify rule.
+
+[EnforcerErr]
+SignInFirst = Please sign in first
+
+[InitErr]
+InitScoreFailed = Get init score failed, error: %%w
+
+[LdapErr]
+MultipleAccounts = Multiple accounts with same uid, please check your ldap server
+PasswordWrong = Ldap user name or password incorrect
+ServerExisted = Ldap server exist
+
+[LoginErr]
+AppDoNotExist = The application: %s does not exist
+AppNotEnableSignUp = The account for provider: %s and username: %s (%s) does not exist and is not allowed to sign up as new account, please contact your IT support
+AccountDoNotExist = The account does not exist
+InvalidUserInformation = Failed to create user, user information is invalid: %s
+LoginFirst = Please login first
+LoginFail = Failed to login in: %s
+NoPermission = You don't have the permission to do this
+OldUser = The account for provider: %s and username: %s (%s) is already linked to another account: %s (%s)
+ProviderCanNotSignUp = The account for provider: %s and username: %s (%s) does not exist and is not allowed to sign up as new account via %%s, please use another way to sign up
+SessionOutdated = Session outdated, please login again
+SignOutFirst = Please sign out first before signing in
+UserDoNotExist = The user: %s/%s doesn't exist
+UserIsForbidden = The user is forbidden to sign in, please contact the administrator
+UnknownAuthentication = Unknown authentication type (not password or provider), form = %s
+UnsupportedPasswordType = unsupported password type: %s
+
+[OrgErr]
+DoNotExist = Organization does not exist
+Immutable = The %s is immutable.
+OnlyAdmin = Only admin can modify the %s.
+UnknownModifyRule = Unknown modify rule %s.
+
+[ParameterErr]
+OrgMissingErr = Parameter organization is missing
+Missing = Missing parameter
+UnknownType = Unknown type
+Wrong = Wrong parameter
+
+[PhoneErr]
+CodeNotSent = Code has not been sent yet!
+CodeTimeOut = You should verify your code in %d min!
+ExistedErr = Phone already exists
+EmptyErr = Phone cannot be empty
+InvalidReceivers = Invalid phone receivers: %s
+NumberInvalid = Phone number is invalid
+NoPrefix = %s No phone prefix
+PhoneCheckResult = Phone: %s
+UnableGetModifyRule = Unable to get the phone modify rule.
+
+[ProviderErr]
+CanNotBeUnlinked = This provider can't be unlinked
+CategoryNotSAML = provider %s's category is not SAML
+DoNotExist = the provider: %s does not exist
+InvalidProvider = Invalid captcha provider.
+LinkFirstErr = Please link first
+ProviderNotEnabled = The provider: %s is not enabled for the application
+ProviderNotSupported = The provider type: %s is not supported
+ProviderNotFound = The provider: %s is not found
+ProviderNotFoundForCategory = No provider for category: %s is found for application: %s
+
+[ResourceErr]
+NotAuthorized = You are not authorized to access this resource
+UserIsNil = User is nil for tag: /"avatar/"
+UsernameOrFilePathEmpty = Username or fullFilePath is empty: username = %s, fullFilePath = %s
+
+[SetPasswordErr]
+CanNotContainBlank = New password cannot contain blank space.
+LessThanSixCharacters = New password must have at least 6 characters
+
+[SignUpErr]
+DoNotAllowSignUp = The application does not allow to sign up new account
+SignOutFirst = Please sign out first before signing up
+
+[StorageErr]
+ObjectKeyNotAllowed = The objectKey: %s is not allowed
+
+[TokenErr]
+EmptyClientID = Empty clientId or clientSecret
+InvalidToken = Invalid token
+InvalidAppOrWrongClientSecret = Invalid application or wrong clientSecret
+InvalidClientId = Invalid client_id
+RedirectURIDoNotExist = Redirect URI: %s doesn't exist in the allowed Redirect URI list
+
+[UserErr]
+AffiliationBlankErr = Affiliation cannot be blank
+DisplayNameBlankErr = DisplayName cannot be blank
+DisplayNameInvalid = DisplayName is not valid real name
+DisplayNameCanNotBeEmpty = Display name cannot be empty
+DoNotExist = The user: %s doesn't exist
+DoNotExistInOrg = The user: %s/%s doesn't exist
+DoNotExistSignUp = the user does not exist, please sign up first
+FirstNameBlankErr = FirstName cannot be blank
+FailToImportUsers = Failed to import users
+LastNameBlankErr = LastName cannot be blank
+NameLessThanTwoCharacters = Username must have at least 2 characters
+NameStartWithADigitErr = Username cannot start with a digit
+NameIsEmailErr = Username cannot be an email address
+NameCantainWhitSpaceErr = Username cannot contain white spaces
+NameExistedErr = Username already exists
+NameEmptyErr = Empty username.
+NameTooLang = Username is too long (maximum is 39 characters).
+NameFormatErr = The username may only contain alphanumeric characters, underlines or hyphens, cannot have consecutive hyphens or underlines, and cannot begin or end with a hyphen or underline.
+PasswordLessThanSixCharacters = Password must have at least 6 characters
+InvalidInformation = Invalid information
+

i18n/languages/locale_fr.ini

@@ -0,0 +1,137 @@
+[ApplicationErr]
+AppNotFound = Application %s not found
+AppNotFoundForUserID = No application is found for userId: %s
+GrantTypeNotSupport = Grant_type: %s is not supported in this application
+HasNoProviders = This application has no providers
+HasNoProvidersOfType = This application has no providers of type
+InvalidID = Invalid application id
+
+[AuthErr]
+AuthStateWrong = State expected: %s, but got: %s
+ChallengeMethodErr = Challenge method should be S256
+CanNotUnlinkUsers = You are not the global admin, you can't unlink other users
+CanNotLinkMySelf = You can't unlink yourself, you are not a member of any application
+CallWebAuthnSigninBegin = Please call WebAuthnSigninBegin first
+NotHuman = Turing test failed.
+Unauthorized = Unauthorized operation
+WrongPasswordManyTimes = WrongPasswordManyTimes
+
+[CasErr]
+ServiceDoNotMatch = Service %s and %s do not match
+
+[EmailErr]
+ExistedErr = Email already exists
+EmptyErr = Email cannot be empty
+EmailInvalid = Email is invalid
+EmailCheckResult = Email: %s
+EmptyParam = Empty parameters for emailForm: %v
+InvalidReceivers = Invalid Email receivers: %s
+UnableGetModifyRule = Unable to get the email modify rule.
+
+[EnforcerErr]
+SignInFirst = Please sign in first
+
+[InitErr]
+InitScoreFailed = Get init score failed, error: %%w
+
+[LdapErr]
+MultipleAccounts = Multiple accounts with same uid, please check your ldap server
+PasswordWrong = Ldap user name or password incorrect
+ServerExisted = Ldap server exist
+
+[LoginErr]
+AppDoNotExist = The application: %s does not exist
+AppNotEnableSignUp = The account for provider: %s and username: %s (%s) does not exist and is not allowed to sign up as new account, please contact your IT support
+AccountDoNotExist = The account does not exist
+InvalidUserInformation = Failed to create user, user information is invalid: %s
+LoginFirst = Please login first
+LoginFail = Failed to login in: %s
+NoPermission = You don't have the permission to do this
+OldUser = The account for provider: %s and username: %s (%s) is already linked to another account: %s (%s)
+ProviderCanNotSignUp = The account for provider: %s and username: %s (%s) does not exist and is not allowed to sign up as new account via %%s, please use another way to sign up
+SessionOutdated = Session outdated, please login again
+SignOutFirst = Please sign out first before signing in
+UserDoNotExist = The user: %s/%s doesn't exist
+UserIsForbidden = The user is forbidden to sign in, please contact the administrator
+UnknownAuthentication = Unknown authentication type (not password or provider), form = %s
+UnsupportedPasswordType = unsupported password type: %s
+
+[OrgErr]
+DoNotExist = Organization does not exist
+Immutable = The %s is immutable.
+OnlyAdmin = Only admin can modify the %s.
+UnknownModifyRule = Unknown modify rule %s.
+
+[ParameterErr]
+OrgMissingErr = Parameter organization is missing
+Missing = Missing parameter
+UnknownType = Unknown type
+Wrong = Wrong parameter
+
+[PhoneErr]
+CodeNotSent = Code has not been sent yet!
+CodeTimeOut = You should verify your code in %d min!
+ExistedErr = Phone already exists
+EmptyErr = Phone cannot be empty
+InvalidReceivers = Invalid phone receivers: %s
+NumberInvalid = Phone number is invalid
+NoPrefix = %s No phone prefix
+PhoneCheckResult = Phone: %s
+UnableGetModifyRule = Unable to get the phone modify rule.
+
+[ProviderErr]
+CanNotBeUnlinked = This provider can't be unlinked
+CategoryNotSAML = provider %s's category is not SAML
+DoNotExist = the provider: %s does not exist
+InvalidProvider = Invalid captcha provider.
+LinkFirstErr = Please link first
+ProviderNotEnabled = The provider: %s is not enabled for the application
+ProviderNotSupported = The provider type: %s is not supported
+ProviderNotFound = The provider: %s is not found
+ProviderNotFoundForCategory = No provider for category: %s is found for application: %s
+
+[ResourceErr]
+NotAuthorized = You are not authorized to access this resource
+UserIsNil = User is nil for tag: /"avatar/"
+UsernameOrFilePathEmpty = Username or fullFilePath is empty: username = %s, fullFilePath = %s
+
+[SetPasswordErr]
+CanNotContainBlank = New password cannot contain blank space.
+LessThanSixCharacters = New password must have at least 6 characters
+
+[SignUpErr]
+DoNotAllowSignUp = The application does not allow to sign up new account
+SignOutFirst = Please sign out first before signing up
+
+[StorageErr]
+ObjectKeyNotAllowed = The objectKey: %s is not allowed
+
+[TokenErr]
+EmptyClientID = Empty clientId or clientSecret
+InvalidToken = Invalid token
+InvalidAppOrWrongClientSecret = Invalid application or wrong clientSecret
+InvalidClientId = Invalid client_id
+RedirectURIDoNotExist = Redirect URI: %s doesn't exist in the allowed Redirect URI list
+
+[UserErr]
+AffiliationBlankErr = Affiliation cannot be blank
+DisplayNameBlankErr = DisplayName cannot be blank
+DisplayNameInvalid = DisplayName is not valid real name
+DisplayNameCanNotBeEmpty = Display name cannot be empty
+DoNotExist = The user: %s doesn't exist
+DoNotExistInOrg = The user: %s/%s doesn't exist
+DoNotExistSignUp = the user does not exist, please sign up first
+FirstNameBlankErr = FirstName cannot be blank
+FailToImportUsers = Failed to import users
+LastNameBlankErr = LastName cannot be blank
+NameLessThanTwoCharacters = Username must have at least 2 characters
+NameStartWithADigitErr = Username cannot start with a digit
+NameIsEmailErr = Username cannot be an email address
+NameCantainWhitSpaceErr = Username cannot contain white spaces
+NameExistedErr = Username already exists
+NameEmptyErr = Empty username.
+NameTooLang = Username is too long (maximum is 39 characters).
+NameFormatErr = The username may only contain alphanumeric characters, underlines or hyphens, cannot have consecutive hyphens or underlines, and cannot begin or end with a hyphen or underline.
+PasswordLessThanSixCharacters = Password must have at least 6 characters
+InvalidInformation = Invalid information
+

i18n/languages/locale_ja.ini

@@ -0,0 +1,137 @@
+[ApplicationErr]
+AppNotFound = Application %s not found
+AppNotFoundForUserID = No application is found for userId: %s
+GrantTypeNotSupport = Grant_type: %s is not supported in this application
+HasNoProviders = This application has no providers
+HasNoProvidersOfType = This application has no providers of type
+InvalidID = Invalid application id
+
+[AuthErr]
+AuthStateWrong = State expected: %s, but got: %s
+ChallengeMethodErr = Challenge method should be S256
+CanNotUnlinkUsers = You are not the global admin, you can't unlink other users
+CanNotLinkMySelf = You can't unlink yourself, you are not a member of any application
+CallWebAuthnSigninBegin = Please call WebAuthnSigninBegin first
+NotHuman = Turing test failed.
+Unauthorized = Unauthorized operation
+WrongPasswordManyTimes = WrongPasswordManyTimes
+
+[CasErr]
+ServiceDoNotMatch = Service %s and %s do not match
+
+[EmailErr]
+ExistedErr = Email already exists
+EmptyErr = Email cannot be empty
+EmailInvalid = Email is invalid
+EmailCheckResult = Email: %s
+EmptyParam = Empty parameters for emailForm: %v
+InvalidReceivers = Invalid Email receivers: %s
+UnableGetModifyRule = Unable to get the email modify rule.
+
+[EnforcerErr]
+SignInFirst = Please sign in first
+
+[InitErr]
+InitScoreFailed = Get init score failed, error: %%w
+
+[LdapErr]
+MultipleAccounts = Multiple accounts with same uid, please check your ldap server
+PasswordWrong = Ldap user name or password incorrect
+ServerExisted = Ldap server exist
+
+[LoginErr]
+AppDoNotExist = The application: %s does not exist
+AppNotEnableSignUp = The account for provider: %s and username: %s (%s) does not exist and is not allowed to sign up as new account, please contact your IT support
+AccountDoNotExist = The account does not exist
+InvalidUserInformation = Failed to create user, user information is invalid: %s
+LoginFirst = Please login first
+LoginFail = Failed to login in: %s
+NoPermission = You don't have the permission to do this
+OldUser = The account for provider: %s and username: %s (%s) is already linked to another account: %s (%s)
+ProviderCanNotSignUp = The account for provider: %s and username: %s (%s) does not exist and is not allowed to sign up as new account via %%s, please use another way to sign up
+SessionOutdated = Session outdated, please login again
+SignOutFirst = Please sign out first before signing in
+UserDoNotExist = The user: %s/%s doesn't exist
+UserIsForbidden = The user is forbidden to sign in, please contact the administrator
+UnknownAuthentication = Unknown authentication type (not password or provider), form = %s
+UnsupportedPasswordType = unsupported password type: %s
+
+[OrgErr]
+DoNotExist = Organization does not exist
+Immutable = The %s is immutable.
+OnlyAdmin = Only admin can modify the %s.
+UnknownModifyRule = Unknown modify rule %s.
+
+[ParameterErr]
+OrgMissingErr = Parameter organization is missing
+Missing = Missing parameter
+UnknownType = Unknown type
+Wrong = Wrong parameter
+
+[PhoneErr]
+CodeNotSent = Code has not been sent yet!
+CodeTimeOut = You should verify your code in %d min!
+ExistedErr = Phone already exists
+EmptyErr = Phone cannot be empty
+InvalidReceivers = Invalid phone receivers: %s
+NumberInvalid = Phone number is invalid
+NoPrefix = %s No phone prefix
+PhoneCheckResult = Phone: %s
+UnableGetModifyRule = Unable to get the phone modify rule.
+
+[ProviderErr]
+CanNotBeUnlinked = This provider can't be unlinked
+CategoryNotSAML = provider %s's category is not SAML
+DoNotExist = the provider: %s does not exist
+InvalidProvider = Invalid captcha provider.
+LinkFirstErr = Please link first
+ProviderNotEnabled = The provider: %s is not enabled for the application
+ProviderNotSupported = The provider type: %s is not supported
+ProviderNotFound = The provider: %s is not found
+ProviderNotFoundForCategory = No provider for category: %s is found for application: %s
+
+[ResourceErr]
+NotAuthorized = You are not authorized to access this resource
+UserIsNil = User is nil for tag: /"avatar/"
+UsernameOrFilePathEmpty = Username or fullFilePath is empty: username = %s, fullFilePath = %s
+
+[SetPasswordErr]
+CanNotContainBlank = New password cannot contain blank space.
+LessThanSixCharacters = New password must have at least 6 characters
+
+[SignUpErr]
+DoNotAllowSignUp = The application does not allow to sign up new account
+SignOutFirst = Please sign out first before signing up
+
+[StorageErr]
+ObjectKeyNotAllowed = The objectKey: %s is not allowed
+
+[TokenErr]
+EmptyClientID = Empty clientId or clientSecret
+InvalidToken = Invalid token
+InvalidAppOrWrongClientSecret = Invalid application or wrong clientSecret
+InvalidClientId = Invalid client_id
+RedirectURIDoNotExist = Redirect URI: %s doesn't exist in the allowed Redirect URI list
+
+[UserErr]
+AffiliationBlankErr = Affiliation cannot be blank
+DisplayNameBlankErr = DisplayName cannot be blank
+DisplayNameInvalid = DisplayName is not valid real name
+DisplayNameCanNotBeEmpty = Display name cannot be empty
+DoNotExist = The user: %s doesn't exist
+DoNotExistInOrg = The user: %s/%s doesn't exist
+DoNotExistSignUp = the user does not exist, please sign up first
+FirstNameBlankErr = FirstName cannot be blank
+FailToImportUsers = Failed to import users
+LastNameBlankErr = LastName cannot be blank
+NameLessThanTwoCharacters = Username must have at least 2 characters
+NameStartWithADigitErr = Username cannot start with a digit
+NameIsEmailErr = Username cannot be an email address
+NameCantainWhitSpaceErr = Username cannot contain white spaces
+NameExistedErr = Username already exists
+NameEmptyErr = Empty username.
+NameTooLang = Username is too long (maximum is 39 characters).
+NameFormatErr = The username may only contain alphanumeric characters, underlines or hyphens, cannot have consecutive hyphens or underlines, and cannot begin or end with a hyphen or underline.
+PasswordLessThanSixCharacters = Password must have at least 6 characters
+InvalidInformation = Invalid information
+

i18n/languages/locale_ko.ini

@@ -0,0 +1,137 @@
+[ApplicationErr]
+AppNotFound = Application %s not found
+AppNotFoundForUserID = No application is found for userId: %s
+GrantTypeNotSupport = Grant_type: %s is not supported in this application
+HasNoProviders = This application has no providers
+HasNoProvidersOfType = This application has no providers of type
+InvalidID = Invalid application id
+
+[AuthErr]
+AuthStateWrong = State expected: %s, but got: %s
+ChallengeMethodErr = Challenge method should be S256
+CanNotUnlinkUsers = You are not the global admin, you can't unlink other users
+CanNotLinkMySelf = You can't unlink yourself, you are not a member of any application
+CallWebAuthnSigninBegin = Please call WebAuthnSigninBegin first
+NotHuman = Turing test failed.
+Unauthorized = Unauthorized operation
+WrongPasswordManyTimes = WrongPasswordManyTimes
+
+[CasErr]
+ServiceDoNotMatch = Service %s and %s do not match
+
+[EmailErr]
+ExistedErr = Email already exists
+EmptyErr = Email cannot be empty
+EmailInvalid = Email is invalid
+EmailCheckResult = Email: %s
+EmptyParam = Empty parameters for emailForm: %v
+InvalidReceivers = Invalid Email receivers: %s
+UnableGetModifyRule = Unable to get the email modify rule.
+
+[EnforcerErr]
+SignInFirst = Please sign in first
+
+[InitErr]
+InitScoreFailed = Get init score failed, error: %%w
+
+[LdapErr]
+MultipleAccounts = Multiple accounts with same uid, please check your ldap server
+PasswordWrong = Ldap user name or password incorrect
+ServerExisted = Ldap server exist
+
+[LoginErr]
+AppDoNotExist = The application: %s does not exist
+AppNotEnableSignUp = The account for provider: %s and username: %s (%s) does not exist and is not allowed to sign up as new account, please contact your IT support
+AccountDoNotExist = The account does not exist
+InvalidUserInformation = Failed to create user, user information is invalid: %s
+LoginFirst = Please login first
+LoginFail = Failed to login in: %s
+NoPermission = You don't have the permission to do this
+OldUser = The account for provider: %s and username: %s (%s) is already linked to another account: %s (%s)
+ProviderCanNotSignUp = The account for provider: %s and username: %s (%s) does not exist and is not allowed to sign up as new account via %%s, please use another way to sign up
+SessionOutdated = Session outdated, please login again
+SignOutFirst = Please sign out first before signing in
+UserDoNotExist = The user: %s/%s doesn't exist
+UserIsForbidden = The user is forbidden to sign in, please contact the administrator
+UnknownAuthentication = Unknown authentication type (not password or provider), form = %s
+UnsupportedPasswordType = unsupported password type: %s
+
+[OrgErr]
+DoNotExist = Organization does not exist
+Immutable = The %s is immutable.
+OnlyAdmin = Only admin can modify the %s.
+UnknownModifyRule = Unknown modify rule %s.
+
+[ParameterErr]
+OrgMissingErr = Parameter organization is missing
+Missing = Missing parameter
+UnknownType = Unknown type
+Wrong = Wrong parameter
+
+[PhoneErr]
+CodeNotSent = Code has not been sent yet!
+CodeTimeOut = You should verify your code in %d min!
+ExistedErr = Phone already exists
+EmptyErr = Phone cannot be empty
+InvalidReceivers = Invalid phone receivers: %s
+NumberInvalid = Phone number is invalid
+NoPrefix = %s No phone prefix
+PhoneCheckResult = Phone: %s
+UnableGetModifyRule = Unable to get the phone modify rule.
+
+[ProviderErr]
+CanNotBeUnlinked = This provider can't be unlinked
+CategoryNotSAML = provider %s's category is not SAML
+DoNotExist = the provider: %s does not exist
+InvalidProvider = Invalid captcha provider.
+LinkFirstErr = Please link first
+ProviderNotEnabled = The provider: %s is not enabled for the application
+ProviderNotSupported = The provider type: %s is not supported
+ProviderNotFound = The provider: %s is not found
+ProviderNotFoundForCategory = No provider for category: %s is found for application: %s
+
+[ResourceErr]
+NotAuthorized = You are not authorized to access this resource
+UserIsNil = User is nil for tag: /"avatar/"
+UsernameOrFilePathEmpty = Username or fullFilePath is empty: username = %s, fullFilePath = %s
+
+[SetPasswordErr]
+CanNotContainBlank = New password cannot contain blank space.
+LessThanSixCharacters = New password must have at least 6 characters
+
+[SignUpErr]
+DoNotAllowSignUp = The application does not allow to sign up new account
+SignOutFirst = Please sign out first before signing up
+
+[StorageErr]
+ObjectKeyNotAllowed = The objectKey: %s is not allowed
+
+[TokenErr]
+EmptyClientID = Empty clientId or clientSecret
+InvalidToken = Invalid token
+InvalidAppOrWrongClientSecret = Invalid application or wrong clientSecret
+InvalidClientId = Invalid client_id
+RedirectURIDoNotExist = Redirect URI: %s doesn't exist in the allowed Redirect URI list
+
+[UserErr]
+AffiliationBlankErr = Affiliation cannot be blank
+DisplayNameBlankErr = DisplayName cannot be blank
+DisplayNameInvalid = DisplayName is not valid real name
+DisplayNameCanNotBeEmpty = Display name cannot be empty
+DoNotExist = The user: %s doesn't exist
+DoNotExistInOrg = The user: %s/%s doesn't exist
+DoNotExistSignUp = the user does not exist, please sign up first
+FirstNameBlankErr = FirstName cannot be blank
+FailToImportUsers = Failed to import users
+LastNameBlankErr = LastName cannot be blank
+NameLessThanTwoCharacters = Username must have at least 2 characters
+NameStartWithADigitErr = Username cannot start with a digit
+NameIsEmailErr = Username cannot be an email address
+NameCantainWhitSpaceErr = Username cannot contain white spaces
+NameExistedErr = Username already exists
+NameEmptyErr = Empty username.
+NameTooLang = Username is too long (maximum is 39 characters).
+NameFormatErr = The username may only contain alphanumeric characters, underlines or hyphens, cannot have consecutive hyphens or underlines, and cannot begin or end with a hyphen or underline.
+PasswordLessThanSixCharacters = Password must have at least 6 characters
+InvalidInformation = Invalid information
+

i18n/languages/locale_ru.ini

@@ -0,0 +1,137 @@
+[ApplicationErr]
+AppNotFound = Application %s not found
+AppNotFoundForUserID = No application is found for userId: %s
+GrantTypeNotSupport = Grant_type: %s is not supported in this application
+HasNoProviders = This application has no providers
+HasNoProvidersOfType = This application has no providers of type
+InvalidID = Invalid application id
+
+[AuthErr]
+AuthStateWrong = State expected: %s, but got: %s
+ChallengeMethodErr = Challenge method should be S256
+CanNotUnlinkUsers = You are not the global admin, you can't unlink other users
+CanNotLinkMySelf = You can't unlink yourself, you are not a member of any application
+CallWebAuthnSigninBegin = Please call WebAuthnSigninBegin first
+NotHuman = Turing test failed.
+Unauthorized = Unauthorized operation
+WrongPasswordManyTimes = WrongPasswordManyTimes
+
+[CasErr]
+ServiceDoNotMatch = Service %s and %s do not match
+
+[EmailErr]
+ExistedErr = Email already exists
+EmptyErr = Email cannot be empty
+EmailInvalid = Email is invalid
+EmailCheckResult = Email: %s
+EmptyParam = Empty parameters for emailForm: %v
+InvalidReceivers = Invalid Email receivers: %s
+UnableGetModifyRule = Unable to get the email modify rule.
+
+[EnforcerErr]
+SignInFirst = Please sign in first
+
+[InitErr]
+InitScoreFailed = Get init score failed, error: %%w
+
+[LdapErr]
+MultipleAccounts = Multiple accounts with same uid, please check your ldap server
+PasswordWrong = Ldap user name or password incorrect
+ServerExisted = Ldap server exist
+
+[LoginErr]
+AppDoNotExist = The application: %s does not exist
+AppNotEnableSignUp = The account for provider: %s and username: %s (%s) does not exist and is not allowed to sign up as new account, please contact your IT support
+AccountDoNotExist = The account does not exist
+InvalidUserInformation = Failed to create user, user information is invalid: %s
+LoginFirst = Please login first
+LoginFail = Failed to login in: %s
+NoPermission = You don't have the permission to do this
+OldUser = The account for provider: %s and username: %s (%s) is already linked to another account: %s (%s)
+ProviderCanNotSignUp = The account for provider: %s and username: %s (%s) does not exist and is not allowed to sign up as new account via %%s, please use another way to sign up
+SessionOutdated = Session outdated, please login again
+SignOutFirst = Please sign out first before signing in
+UserDoNotExist = The user: %s/%s doesn't exist
+UserIsForbidden = The user is forbidden to sign in, please contact the administrator
+UnknownAuthentication = Unknown authentication type (not password or provider), form = %s
+UnsupportedPasswordType = unsupported password type: %s
+
+[OrgErr]
+DoNotExist = Organization does not exist
+Immutable = The %s is immutable.
+OnlyAdmin = Only admin can modify the %s.
+UnknownModifyRule = Unknown modify rule %s.
+
+[ParameterErr]
+OrgMissingErr = Parameter organization is missing
+Missing = Missing parameter
+UnknownType = Unknown type
+Wrong = Wrong parameter
+
+[PhoneErr]
+CodeNotSent = Code has not been sent yet!
+CodeTimeOut = You should verify your code in %d min!
+ExistedErr = Phone already exists
+EmptyErr = Phone cannot be empty
+InvalidReceivers = Invalid phone receivers: %s
+NumberInvalid = Phone number is invalid
+NoPrefix = %s No phone prefix
+PhoneCheckResult = Phone: %s
+UnableGetModifyRule = Unable to get the phone modify rule.
+
+[ProviderErr]
+CanNotBeUnlinked = This provider can't be unlinked
+CategoryNotSAML = provider %s's category is not SAML
+DoNotExist = the provider: %s does not exist
+InvalidProvider = Invalid captcha provider.
+LinkFirstErr = Please link first
+ProviderNotEnabled = The provider: %s is not enabled for the application
+ProviderNotSupported = The provider type: %s is not supported
+ProviderNotFound = The provider: %s is not found
+ProviderNotFoundForCategory = No provider for category: %s is found for application: %s
+
+[ResourceErr]
+NotAuthorized = You are not authorized to access this resource
+UserIsNil = User is nil for tag: /"avatar/"
+UsernameOrFilePathEmpty = Username or fullFilePath is empty: username = %s, fullFilePath = %s
+
+[SetPasswordErr]
+CanNotContainBlank = New password cannot contain blank space.
+LessThanSixCharacters = New password must have at least 6 characters
+
+[SignUpErr]
+DoNotAllowSignUp = The application does not allow to sign up new account
+SignOutFirst = Please sign out first before signing up
+
+[StorageErr]
+ObjectKeyNotAllowed = The objectKey: %s is not allowed
+
+[TokenErr]
+EmptyClientID = Empty clientId or clientSecret
+InvalidToken = Invalid token
+InvalidAppOrWrongClientSecret = Invalid application or wrong clientSecret
+InvalidClientId = Invalid client_id
+RedirectURIDoNotExist = Redirect URI: %s doesn't exist in the allowed Redirect URI list
+
+[UserErr]
+AffiliationBlankErr = Affiliation cannot be blank
+DisplayNameBlankErr = DisplayName cannot be blank
+DisplayNameInvalid = DisplayName is not valid real name
+DisplayNameCanNotBeEmpty = Display name cannot be empty
+DoNotExist = The user: %s doesn't exist
+DoNotExistInOrg = The user: %s/%s doesn't exist
+DoNotExistSignUp = the user does not exist, please sign up first
+FirstNameBlankErr = FirstName cannot be blank
+FailToImportUsers = Failed to import users
+LastNameBlankErr = LastName cannot be blank
+NameLessThanTwoCharacters = Username must have at least 2 characters
+NameStartWithADigitErr = Username cannot start with a digit
+NameIsEmailErr = Username cannot be an email address
+NameCantainWhitSpaceErr = Username cannot contain white spaces
+NameExistedErr = Username already exists
+NameEmptyErr = Empty username.
+NameTooLang = Username is too long (maximum is 39 characters).
+NameFormatErr = The username may only contain alphanumeric characters, underlines or hyphens, cannot have consecutive hyphens or underlines, and cannot begin or end with a hyphen or underline.
+PasswordLessThanSixCharacters = Password must have at least 6 characters
+InvalidInformation = Invalid information
+

i18n/languages/locale_zh.ini

@@ -0,0 +1,137 @@
+[ApplicationErr]
+AppNotFound = 应用 %%s 未找到
+AppNotFoundForUserID = 找不到该用户的应用程序 %s
+GrantTypeNotSupport = 此应用中不支持此授权类型
+HasNoProviders = 该应用无提供商
+HasNoProvidersOfType = 应用没有该类型的提供商
+InvalidID = 无效的Application ID
+
+[AuthErr]
+AuthStateWrong = 期望状态位: %s, 实际状态为: %s
+ChallengeMethodErr = Challenge 方法应该为 S256
+CanNotUnlinkUsers = 您不是全局管理员，无法取消链接其他用户
+CanNotLinkMySelf = 您无法取消链接，您不是任何应用程序的成员
+CallWebAuthnSigninBegin = 请先调用WebAuthnSigninBegin
+NotHuman = 真人验证失败
+Unauthorized = 未授权的操作
+WrongPasswordManyTimes = 输入密码错误次数已达上限，请在 %d 分 %d 秒后重试
+
+[CasErr]
+ServiceDoNotMatch = 服务 %s 与 %s 不匹配
+
+[EmailErr]
+ExistedErr = 该邮箱已存在
+EmptyErr = 邮箱不可为空
+EmailInvalid = 无效邮箱
+EmailCheckResult = Email: %s
+EmptyParam = 邮件参数为空: %v
+InvalidReceivers = 无效的邮箱接收者: %%s
+UnableGetModifyRule = 无法得到Email修改规则
+
+[EnforcerErr]
+SignInFirst = 请先登录
+
+[InitErr]
+InitScoreFailed = 初始化分数失败: %w
+
+[LdapErr]
+MultipleAccounts = 多个帐户具有相同的uid，请检查您的 ldap 服务器
+PasswordWrong = Ldap密码错误
+ServerExisted = Ldap服务器已存在
+
+[LoginErr]
+AppDoNotExist = 应用不存在: %s
+AppNotEnableSignUp = 提供商账户: %s 与用户名: %s (%s) 不存在且 不允许注册新账户, 请联系IT支持
+AccountDoNotExist = 账户不存在
+InvalidUserInformation = 创建用户失败，用户信息无效: %%s
+LoginFirst = 请先登录
+LoginFail = 无法登录: %s
+NoPermission = 您没有权限执行此操作
+OldUser = 提供商账户: %s 与用户名: %s (%s) 已经与其他账户绑定: %s (%s)
+ProviderCanNotSignUp = 提供商账户: %s 与用户名: %s (%s) 不存在且 不允许通过 %s 注册新账户, 请使用其他方式注册
+SignOutFirst = 请在登录前登出
+SessionOutdated = Session已过期，请重新登陆
+UserDoNotExist = 用户不存在: %s/%s
+UserIsForbidden = 该用户被禁止登陆，请联系管理员
+UnknownAuthentication = 未知的认证类型 (非密码或提供商认证), form = %s
+UnsupportedPasswordType = 不支持此密码类型
+
+[OrgErr]
+DoNotExist = 组织不存在
+Immutable = %s是不可变的
+OnlyAdmin = 只有管理员用户有此权限
+UnknownModifyRule = 未知的修改规则
+
+[ParameterErr]
+Missing = 参数丢失
+OrgMissingErr = Organization参数丢失
+UnknownType = 未知类型
+Wrong = 参数错误
+
+[PhoneErr]
+CodeNotSent = 验证码还未发送
+CodeTimeOut = 验证码过期
+ExistedErr = 该电话已存在
+EmptyErr = 电话不可为空
+InvalidReceivers = 无效的电话接收者: %s
+NumberInvalid = 无效电话
+PhoneCheckResult = 电话: %s
+UnableGetModifyRule = 无法得到电话修改规则
+NoPrefix = %s 无此电话前缀
+
+[ProviderErr]
+CanNotBeUnlinked = 该提供商不可被链接
+InvalidProvider = 无效的验证码提供商
+LinkFirstErr = 请先绑定
+ProviderNotEnabled = 提供商: %s 未被启用
+ProviderNotSupported = 不支持该类型的提供商: %s
+ProviderNotFound = 该提供商未找到: %s
+ProviderNotFoundForCategory = 该类型的提供商: %s 在应用中未找到: %s
+DoNotExist = 提供商: %s 不存在
+CategoryNotSAML = 提供商 %s类型不是SAML
+
+[ResourceErr]
+NotAuthorized = 您无权获取此资源
+UserIsNil = 用户头像标签为空
+UsernameOrFilePathEmpty = username或FilePath为空: username = %s, fullFilePath = %s
+
+[SetPasswordErr]
+CanNotContainBlank = 新密码不可以包含空客
+LessThanSixCharacters = 新密码至少为6位
+
+[SignUpErr]
+DoNotAllowSignUp = 该应用不允许注册新账户
+SignOutFirst = 请在登陆前登出
+
+[TokenErr]
+EmptyClientID = clientId或clientSecret为空
+InvalidAppOrWrongClientSecret = 无效应用或错误的clientSecret
+InvalidToken = 无效token
+InvalidClientId = 无效的ClientId
+RedirectURIDoNotExist = 重定向 URI：%s 在可列表中未找到
+
+[UserErr]
+AffiliationBlankErr = 联系方式不可为空
+DisplayNameBlankErr = 展示名称不可为空
+DisplayNameInvalid = 展示名称无效
+DisplayNameCanNotBeEmpty = 展示名称不可为空
+DoNotExist = 用户不存在: %s
+DoNotExistInOrg = 用户不存在: %s/%s
+FirstNameBlankErr = 名不可以为空
+FailToImportUsers = 导入用户失败
+LastNameBlankErr = 姓不可以为空
+NameLessThanTwoCharacters = 用户名至少要有2个字符
+NameStartWithADigitErr = 用户名禁止使用数字作为第一个字符
+NameIsEmailErr = 用户名不可以是邮箱地址
+NameCantainWhitSpaceErr = 用户名不可以包含空格
+NameExistedErr = 用户名已存在
+NameEmptyErr = 用户名不可为空
+NameTooLang = 用户名过长（最大长度为39个字符）
+NameFormatErr = 用户名只能包含字母数字字符、下划线或连字符，不能有连续的连字符或下划线，也不能以连字符或下划线开头或结尾
+PasswordLessThanSixCharacters = 密码至少为6字符
+DoNotExistSignUp = 用户不存在，请先注册
+InvalidInformation = 无效信息
+
+[StorageErr]
+ObjectKeyNotAllowed = object key :%s 不被允许
+

i18n/util.go

@@ -15,10 +15,21 @@
 package i18n
 
 import (
+	"embed"
 	"fmt"
+	"log"
 	"strings"
 
 	"github.com/casdoor/casdoor/util"
+	"gopkg.in/ini.v1"
+)
+
+//go:embed languages/*.ini
+var f embed.FS
+
+var (
+	langMapConfig  = make(map[string]*ini.File)
+	isNotFirstLoad = make(map[string]bool)
 )
 
 func getI18nFilePath(language string) string {
@@ -62,3 +73,20 @@ func applyData(data1 *I18nData, data2 *I18nData) {
 		}
 	}
 }
+
+func Translate(lang string, error string) string {
+	parts := strings.Split(error, ".")
+	if !strings.Contains(error, ".") || len(parts) != 2 {
+		log.Println("Invalid Error Name")
+		return ""
+	}
+
+	if isNotFirstLoad[lang] {
+		return langMapConfig[lang].Section(parts[0]).Key(parts[1]).String()
+	} else {
+		file, _ := f.ReadFile("languages/locale_" + lang + ".ini")
+		langMapConfig[lang], _ = ini.Load(file)
+		isNotFirstLoad[lang] = true
+		return langMapConfig[lang].Section(parts[0]).Key(parts[1]).String()
+	}
+}

idp/dingtalk.go

@@ -15,9 +15,12 @@
 package idp
 
 import (
+	"bytes"
 	"encoding/json"
 	"fmt"
 	"io"
+	"io/ioutil"
+	"log"
 	"net/http"
 	"strings"
 	"time"
@@ -167,7 +170,10 @@ func (idp *DingTalkIdProvider) GetUserInfo(token *oauth2.Token) (*UserInfo, erro
 		Email:       dtUserInfo.Email,
 		AvatarUrl:   dtUserInfo.AvatarUrl,
 	}
-
+	isUserInOrg, err := idp.isUserInOrg(userInfo.UnionId)
+	if !isUserInOrg {
+		return nil, err
+	}
 	return &userInfo, nil
 }
 
@@ -194,3 +200,62 @@ func (idp *DingTalkIdProvider) postWithBody(body interface{}, url string) ([]byt
 
 	return data, nil
 }
+
+func (idp *DingTalkIdProvider) getInnerAppAccessToken() string {
+	appKey := idp.Config.ClientID
+	appSecret := idp.Config.ClientSecret
+	body := make(map[string]string)
+	body["appKey"] = appKey
+	body["appSecret"] = appSecret
+	bodyData, err := json.Marshal(body)
+	if err != nil {
+		log.Println(err.Error())
+	}
+	reader := bytes.NewReader(bodyData)
+	request, err := http.NewRequest("POST", "https://api.dingtalk.com/v1.0/oauth2/accessToken", reader)
+	request.Header.Set("Content-Type", "application/json;charset=UTF-8")
+	resp, err := idp.Client.Do(request)
+	respBytes, err := ioutil.ReadAll(resp.Body)
+	if err != nil {
+		log.Println(err.Error())
+	}
+	var data struct {
+		ExpireIn    int    `json:"expireIn"`
+		AccessToken string `json:"accessToken"`
+	}
+	err = json.Unmarshal(respBytes, &data)
+	if err != nil {
+		log.Println(err.Error())
+	}
+	return data.AccessToken
+}
+
+func (idp *DingTalkIdProvider) isUserInOrg(unionId string) (bool, error) {
+	body := make(map[string]string)
+	body["unionid"] = unionId
+	bodyData, err := json.Marshal(body)
+	if err != nil {
+		log.Println(err.Error())
+	}
+	reader := bytes.NewReader(bodyData)
+	accessToken := idp.getInnerAppAccessToken()
+	request, _ := http.NewRequest("POST", "https://oapi.dingtalk.com/topapi/user/getbyunionid?access_token="+accessToken, reader)
+	request.Header.Set("Content-Type", "application/json;charset=UTF-8")
+	resp, err := idp.Client.Do(request)
+	respBytes, err := ioutil.ReadAll(resp.Body)
+	if err != nil {
+		log.Println(err.Error())
+	}
+	var data struct {
+		ErrCode    int    `json:"errcode"`
+		ErrMessage string `json:"errmsg"`
+	}
+	err = json.Unmarshal(respBytes, &data)
+	if err != nil {
+		log.Println(err.Error())
+	}
+	if data.ErrCode == 60121 {
+		return false, fmt.Errorf("the user is not found in the organization where clientId and clientSecret belong")
+	}
+	return true, nil
+}

idp/goth.go

@@ -282,7 +282,7 @@ func getUser(gothUser goth.User, provider string) *UserInfo {
 		}
 	}
 	if provider == "steam" {
-		user.Username = user.DisplayName
+		user.Username = user.Id
 		user.Email = ""
 	}
 	return &user

object/adapter.go

@@ -19,11 +19,13 @@ import (
 	"runtime"
 
 	"github.com/beego/beego"
+	xormadapter "github.com/casbin/xorm-adapter/v3"
 	"github.com/casdoor/casdoor/conf"
 	"github.com/casdoor/casdoor/util"
 	_ "github.com/denisenkom/go-mssqldb" // db = mssql
 	_ "github.com/go-sql-driver/mysql"   // db = mysql
 	_ "github.com/lib/pq"                // db = postgres
+	"xorm.io/xorm/migrate"
 	//_ "github.com/mattn/go-sqlite3"    // db = sqlite3
 	"xorm.io/core"
 	"xorm.io/xorm"
@@ -40,6 +42,7 @@ func InitConfig() {
 	beego.BConfig.WebConfig.Session.SessionOn = true
 
 	InitAdapter(true)
+	initMigrations()
 }
 
 func InitAdapter(createDatabase bool) {
@@ -214,6 +217,11 @@ func (a *Adapter) createTable() {
 	if err != nil {
 		panic(err)
 	}
+
+	err = a.Engine.Sync2(new(xormadapter.CasbinRule))
+	if err != nil {
+		panic(err)
+	}
 }
 
 func GetSession(owner string, offset, limit int, field, value, sortField, sortOrder string) *xorm.Session {
@@ -239,3 +247,22 @@ func GetSession(owner string, offset, limit int, field, value, sortField, sortOr
 	}
 	return session
 }
+
+func initMigrations() {
+	migrations := []*migrate.Migration{
+		{
+			ID: "20221015CasbinRule--fill ptype field with p",
+			Migrate: func(tx *xorm.Engine) error {
+				_, err := tx.Cols("ptype").Update(&xormadapter.CasbinRule{
+					Ptype: "p",
+				})
+				return err
+			},
+			Rollback: func(tx *xorm.Engine) error {
+				return tx.DropTables(&xormadapter.CasbinRule{})
+			},
+		},
+	}
+	m := migrate.New(adapter.Engine, migrate.DefaultOptions, migrations)
+	m.Migrate()
+}

object/application.go

@@ -70,6 +70,7 @@ type Application struct {
 	SigninHtml           string   `xorm:"mediumtext" json:"signinHtml"`
 	FormCss              string   `xorm:"text" json:"formCss"`
 	FormOffset           int      `json:"formOffset"`
+	FormSideHtml         string   `xorm:"mediumtext" json:"formSideHtml"`
 	FormBackgroundUrl    string   `xorm:"varchar(200)" json:"formBackgroundUrl"`
 }
 
@@ -269,6 +270,13 @@ func UpdateApplication(id string, application *Application) bool {
 		application.Name = name
 	}
 
+	if name != application.Name {
+		err := applicationChangeTrigger(name, application.Name)
+		if err != nil {
+			return false
+		}
+	}
+
 	for _, providerItem := range application.Providers {
 		providerItem.Provider = nil
 	}
@@ -399,3 +407,55 @@ func ExtendManagedAccountsWithUser(user *User) *User {
 
 	return user
 }
+
+func applicationChangeTrigger(oldName string, newName string) error {
+	session := adapter.Engine.NewSession()
+	defer session.Close()
+
+	err := session.Begin()
+	if err != nil {
+		return err
+	}
+
+	organization := new(Organization)
+	organization.DefaultApplication = newName
+	_, err = session.Where("default_application=?", oldName).Update(organization)
+	if err != nil {
+		return err
+	}
+
+	user := new(User)
+	user.SignupApplication = newName
+	_, err = session.Where("signup_application=?", oldName).Update(user)
+	if err != nil {
+		return err
+	}
+
+	resource := new(Resource)
+	resource.Application = newName
+	_, err = session.Where("application=?", oldName).Update(resource)
+	if err != nil {
+		return err
+	}
+
+	var permissions []*Permission
+	err = adapter.Engine.Find(&permissions)
+	if err != nil {
+		return err
+	}
+	for i := 0; i < len(permissions); i++ {
+		permissionResoureces := permissions[i].Resources
+		for j := 0; j < len(permissionResoureces); j++ {
+			if permissionResoureces[j] == oldName {
+				permissionResoureces[j] = newName
+			}
+		}
+		permissions[i].Resources = permissionResoureces
+		_, err = session.Where("name=?", permissions[i].Name).Update(permissions[i])
+		if err != nil {
+			return err
+		}
+	}
+
+	return session.Commit()
+}

object/avatar.go

@@ -50,7 +50,7 @@ func downloadFile(url string) (*bytes.Buffer, error) {
 	return fileBuffer, nil
 }
 
-func getPermanentAvatarUrl(organization string, username string, url string) string {
+func getPermanentAvatarUrl(organization string, username string, url string, upload bool) string {
 	if url == "" {
 		return ""
 	}
@@ -62,6 +62,14 @@ func getPermanentAvatarUrl(organization string, username string, url string) str
 	fullFilePath := fmt.Sprintf("/avatar/%s/%s.png", organization, username)
 	uploadedFileUrl, _ := getUploadFileUrl(defaultStorageProvider, fullFilePath, false)
 
+	if upload {
+		DownloadAndUpload(url, fullFilePath)
+	}
+
+	return uploadedFileUrl
+}
+
+func DownloadAndUpload(url string, fullFilePath string) {
 	fileBuffer, err := downloadFile(url)
 	if err != nil {
 		panic(err)
@@ -71,6 +79,4 @@ func getPermanentAvatarUrl(organization string, username string, url string) str
 	if err != nil {
 		panic(err)
 	}
-
-	return uploadedFileUrl
 }

object/avatar_test.go

@@ -32,7 +32,7 @@ func TestSyncPermanentAvatars(t *testing.T) {
 			continue
 		}
 
-		user.PermanentAvatar = getPermanentAvatarUrl(user.Owner, user.Name, user.Avatar)
+		user.PermanentAvatar = getPermanentAvatarUrl(user.Owner, user.Name, user.Avatar, true)
 		updateUserColumn("permanent_avatar", user)
 		fmt.Printf("[%d/%d]: Update user: [%s]'s permanent avatar: %s\n", i, len(users), user.GetId(), user.PermanentAvatar)
 	}

object/casbin_adapter.go

@@ -22,7 +22,6 @@ import (
 	"github.com/casbin/casbin/v2/model"
 	xormadapter "github.com/casbin/xorm-adapter/v3"
 	"github.com/casdoor/casdoor/util"
-
 	"xorm.io/core"
 )
 

object/cert.go

@@ -114,6 +114,12 @@ func UpdateCert(id string, cert *Cert) bool {
 		return false
 	}
 
+	if name != cert.Name {
+		err := certChangeTrigger(name, cert.Name)
+		if err != nil {
+			return false
+		}
+	}
 	affected, err := adapter.Engine.ID(core.PK{owner, name}).AllCols().Update(cert)
 	if err != nil {
 		panic(err)
@@ -161,3 +167,22 @@ func getCertByApplication(application *Application) *Cert {
 func GetDefaultCert() *Cert {
 	return getCert("admin", "cert-built-in")
 }
+
+func certChangeTrigger(oldName string, newName string) error {
+	session := adapter.Engine.NewSession()
+	defer session.Close()
+
+	err := session.Begin()
+	if err != nil {
+		return err
+	}
+
+	application := new(Application)
+	application.Cert = newName
+	_, err = session.Where("cert=?", oldName).Update(application)
+	if err != nil {
+		return err
+	}
+
+	return session.Commit()
+}

object/check.go

@@ -22,6 +22,7 @@ import (
 	"unicode"
 
 	"github.com/casdoor/casdoor/cred"
+	"github.com/casdoor/casdoor/i18n"
 	"github.com/casdoor/casdoor/util"
 	goldap "github.com/go-ldap/ldap/v3"
 )
@@ -41,84 +42,89 @@ func init() {
 	reFieldWhiteList, _ = regexp.Compile(`^[A-Za-z0-9]+$`)
 }
 
-func CheckUserSignup(application *Application, organization *Organization, username string, password string, displayName string, firstName string, lastName string, email string, phone string, affiliation string) string {
+func CheckUserSignup(application *Application, organization *Organization, username string, password string, displayName string, firstName string, lastName string, email string, phone string, affiliation string, lang string) string {
 	if organization == nil {
-		return "organization does not exist"
+		return i18n.Translate(lang, "OrgErr.DoNotExist")
 	}
 
 	if application.IsSignupItemVisible("Username") {
 		if len(username) <= 1 {
-			return "username must have at least 2 characters"
+			return i18n.Translate(lang, "UserErr.NameLessThanTwoCharacters")
 		}
 		if unicode.IsDigit(rune(username[0])) {
-			return "username cannot start with a digit"
+			return i18n.Translate(lang, "UserErr.NameStartWithADigitErr")
 		}
 		if util.IsEmailValid(username) {
-			return "username cannot be an email address"
+			return i18n.Translate(lang, "UserErr.NameIsEmailErr")
 		}
 		if reWhiteSpace.MatchString(username) {
-			return "username cannot contain white spaces"
+			return i18n.Translate(lang, "UserErr.NameCantainWhitSpaceErr")
 		}
+		msg := CheckUsername(username, lang)
+		if msg != "" {
+			return msg
+		}
+
 		if HasUserByField(organization.Name, "name", username) {
-			return "username already exists"
+			return i18n.Translate(lang, "UserErr.NameExistedErr")
 		}
 		if HasUserByField(organization.Name, "email", email) {
-			return "email already exists"
+			return i18n.Translate(lang, "EmailErr.ExistedErr")
 		}
 		if HasUserByField(organization.Name, "phone", phone) {
-			return "phone already exists"
+			return i18n.Translate(lang, "PhoneErr.ExistedErr")
 		}
 	}
 
 	if len(password) <= 5 {
-		return "password must have at least 6 characters"
+		return i18n.Translate(lang, "UserErr.PasswordLessThanSixCharacters")
 	}
 
 	if application.IsSignupItemVisible("Email") {
 		if email == "" {
 			if application.IsSignupItemRequired("Email") {
-				return "email cannot be empty"
+				return i18n.Translate(lang, "EmailErr.EmptyErr")
 			} else {
 				return ""
 			}
 		}
 
 		if HasUserByField(organization.Name, "email", email) {
-			return "email already exists"
+			return i18n.Translate(lang, "EmailErr.ExistedErr")
 		} else if !util.IsEmailValid(email) {
-			return "email is invalid"
+			return i18n.Translate(lang, "EmailErr.EmailInvalid")
 		}
 	}
 
 	if application.IsSignupItemVisible("Phone") {
 		if phone == "" {
 			if application.IsSignupItemRequired("Phone") {
-				return "phone cannot be empty"
+				return i18n.Translate(lang, "PhoneErr.EmptyErr")
 			} else {
 				return ""
 			}
 		}
 
 		if HasUserByField(organization.Name, "phone", phone) {
-			return "phone already exists"
+			return i18n.Translate(lang, "PhoneErr.ExistedErr")
 		} else if organization.PhonePrefix == "86" && !util.IsPhoneCnValid(phone) {
-			return "phone number is invalid"
+			return i18n.Translate(lang, "PhoneErr.NumberInvalid")
 		}
 	}
 
 	if application.IsSignupItemVisible("Display name") {
 		if application.GetSignupItemRule("Display name") == "First, last" && (firstName != "" || lastName != "") {
 			if firstName == "" {
-				return "firstName cannot be blank"
+				return i18n.Translate(lang, "UserErr.FirstNameBlankErr")
 			} else if lastName == "" {
-				return "lastName cannot be blank"
+				return i18n.Translate(lang, "UserErr.LastNameBlankErr")
 			}
 		} else {
 			if displayName == "" {
-				return "displayName cannot be blank"
+				return i18n.Translate(lang, "UserErr.DisplayNameBlankErr")
 			} else if application.GetSignupItemRule("Display name") == "Real name" {
 				if !isValidRealName(displayName) {
-					return "displayName is not valid real name"
+					return i18n.Translate(lang, "UserErr.DisplayNameInvalid")
 				}
 			}
 		}
@@ -126,14 +132,14 @@ func CheckUserSignup(application *Application, organization *Organization, usern
 
 	if application.IsSignupItemVisible("Affiliation") {
 		if affiliation == "" {
-			return "affiliation cannot be blank"
+			return i18n.Translate(lang, "UserErr.AffiliationBlankErr")
 		}
 	}
 
 	return ""
 }
 
-func checkSigninErrorTimes(user *User) string {
+func checkSigninErrorTimes(user *User, lang string) string {
 	if user.SigninWrongTimes >= SigninWrongTimesLimit {
 		lastSignWrongTime, _ := time.Parse(time.RFC3339, user.LastSigninWrongTime)
 		passedTime := time.Now().UTC().Sub(lastSignWrongTime)
@@ -141,7 +147,7 @@ func checkSigninErrorTimes(user *User) string {
 
 		// deny the login if the error times is greater than the limit and the last login time is less than the duration
 		if seconds > 0 {
-			return fmt.Sprintf("You have entered the wrong password too many times, please wait for %d minutes %d seconds and try again", seconds/60, seconds%60)
+			return fmt.Sprintf(i18n.Translate(lang, "AuthErr.WrongPasswordManyTimes"), seconds/60, seconds%60)
 		}
 
 		// reset the error times
@@ -153,15 +159,15 @@ func checkSigninErrorTimes(user *User) string {
 	return ""
 }
 
-func CheckPassword(user *User, password string) string {
+func CheckPassword(user *User, password string, lang string) string {
 	// check the login error times
-	if msg := checkSigninErrorTimes(user); msg != "" {
+	if msg := checkSigninErrorTimes(user, lang); msg != "" {
 		return msg
 	}
 
 	organization := GetOrganizationByUser(user)
 	if organization == nil {
-		return "organization does not exist"
+		return i18n.Translate(lang, "OrgErr.DoNotExist")
 	}
 
 	credManager := cred.GetCredManager(organization.PasswordType)
@@ -180,11 +186,11 @@ func CheckPassword(user *User, password string) string {
 
 		return recordSigninErrorInfo(user)
 	} else {
-		return fmt.Sprintf("unsupported password type: %s", organization.PasswordType)
+		return fmt.Sprintf(i18n.Translate(lang, "LoginErr.UnsupportedPasswordType"), organization.PasswordType)
 	}
 }
 
-func checkLdapUserPassword(user *User, password string) (*User, string) {
+func checkLdapUserPassword(user *User, password string, lang string) (*User, string) {
 	ldaps := GetLdaps(user.Owner)
 	ldapLoginSuccess := false
 	for _, ldapServer := range ldaps {
@@ -204,7 +210,7 @@ func checkLdapUserPassword(user *User, password string) (*User, string) {
 		if len(searchResult.Entries) == 0 {
 			continue
 		} else if len(searchResult.Entries) > 1 {
-			return nil, "Error: multiple accounts with same uid, please check your ldap server"
+			return nil, i18n.Translate(lang, "LdapErr.MultipleAccounts")
 		}
 
 		dn := searchResult.Entries[0].DN
@@ -215,26 +221,26 @@ func checkLdapUserPassword(user *User, password string) (*User, string) {
 	}
 
 	if !ldapLoginSuccess {
-		return nil, "ldap user name or password incorrect"
+		return nil, i18n.Translate(lang, "LdapErr.PasswordWrong")
 	}
 	return user, ""
 }
 
-func CheckUserPassword(organization string, username string, password string) (*User, string) {
+func CheckUserPassword(organization string, username string, password string, lang string) (*User, string) {
 	user := GetUserByFields(organization, username)
 	if user == nil || user.IsDeleted == true {
-		return nil, "the user does not exist, please sign up first"
+		return nil, i18n.Translate(lang, "UserErr.DoNotExistSignUp")
 	}
 
 	if user.IsForbidden {
-		return nil, "the user is forbidden to sign in, please contact the administrator"
+		return nil, i18n.Translate(lang, "LoginErr.UserIsForbidden")
 	}
 
 	if user.Ldap != "" {
 		// ONLY for ldap users
-		return checkLdapUserPassword(user, password)
+		return checkLdapUserPassword(user, password, lang)
 	} else {
-		msg := CheckPassword(user, password)
+		msg := CheckPassword(user, password, lang)
 		if msg != "" {
 			return nil, msg
 		}
@@ -246,15 +252,15 @@ func filterField(field string) bool {
 	return reFieldWhiteList.MatchString(field)
 }
 
-func CheckUserPermission(requestUserId, userId, userOwner string, strict bool) (bool, error) {
+func CheckUserPermission(requestUserId, userId, userOwner string, strict bool, lang string) (bool, error) {
 	if requestUserId == "" {
-		return false, fmt.Errorf("please login first")
+		return false, fmt.Errorf(i18n.Translate(lang, "LoginErr.LoginFirst"))
 	}
 
 	if userId != "" {
 		targetUser := GetUser(userId)
 		if targetUser == nil {
-			return false, fmt.Errorf("the user: %s doesn't exist", userId)
+			return false, fmt.Errorf(i18n.Translate(lang, "UserErr.DoNotExist"), userId)
 		}
 
 		userOwner = targetUser.Owner
@@ -266,7 +272,7 @@ func CheckUserPermission(requestUserId, userId, userOwner string, strict bool) (
 	} else {
 		requestUser := GetUser(requestUserId)
 		if requestUser == nil {
-			return false, fmt.Errorf("session outdated, please login again")
+			return false, fmt.Errorf(i18n.Translate(lang, "LoginErr.SessionOutdated"))
 		}
 		if requestUser.IsGlobalAdmin {
 			hasPermission = true
@@ -281,7 +287,7 @@ func CheckUserPermission(requestUserId, userId, userOwner string, strict bool) (
 		}
 	}
 
-	return hasPermission, fmt.Errorf("you don't have the permission to do this")
+	return hasPermission, fmt.Errorf(i18n.Translate(lang, "LoginErr.NoPermission"))
 }
 
 func CheckAccessPermission(userId string, application *Application) (bool, error) {
@@ -313,3 +319,41 @@ func CheckAccessPermission(userId string, application *Application) (bool, error
 	}
 	return allowed, err
 }
+
+func CheckUsername(username string, lang string) string {
+	if username == "" {
+		return i18n.Translate(lang, "UserErr.NameEmptyErr")
+	} else if len(username) > 39 {
+		return i18n.Translate(lang, "UserErr.NameTooLang")
+	}
+
+	exclude, _ := regexp.Compile("^[\u0021-\u007E]+$")
+	if !exclude.MatchString(username) {
+		return ""
+	}
+
+	// https://stackoverflow.com/questions/58726546/github-username-convention-using-regex
+	re, _ := regexp.Compile("^[a-zA-Z0-9]+((?:-[a-zA-Z0-9]+)|(?:_[a-zA-Z0-9]+))*$")
+	if !re.MatchString(username) {
+		return i18n.Translate(lang, "UserErr.NameFormatErr")
+	}
+
+	return ""
+}
+
+func CheckToEnableCaptcha(application *Application) bool {
+	if len(application.Providers) == 0 {
+		return false
+	}
+
+	for _, providerItem := range application.Providers {
+		if providerItem.Provider == nil {
+			continue
+		}
+		if providerItem.Provider.Category == "Captcha" && providerItem.Provider.Type == "Default" {
+			return providerItem.Rule == "Always"
+		}
+	}
+
+	return false
+}

object/init.go

@@ -143,7 +143,7 @@ func initBuiltInApplication() {
 		EnablePassword: true,
 		EnableSignUp:   true,
 		Providers: []*ProviderItem{
-			{Name: "provider_captcha_default", CanSignUp: false, CanSignIn: false, CanUnlink: false, Prompted: false, AlertType: "None", Provider: nil},
+			{Name: "provider_captcha_default", CanSignUp: false, CanSignIn: false, CanUnlink: false, Prompted: false, AlertType: "None", Rule: "None", Provider: nil},
 		},
 		SignupItems: []*SignupItem{
 			{Name: "ID", Visible: false, Required: true, Prompted: false, Rule: "Random"},

object/init_data.go

@@ -56,12 +56,40 @@ func readInitDataFromFile(filePath string) *InitData {
 
 	s := util.ReadStringFromPath(filePath)
 
-	data := &InitData{}
+	data := &InitData{
+		Organizations: []*Organization{},
+		Applications:  []*Application{},
+		Users:         []*User{},
+		Certs:         []*Cert{},
+		Providers:     []*Provider{},
+		Ldaps:         []*Ldap{},
+	}
 	err := util.JsonToStruct(s, data)
 	if err != nil {
 		panic(err)
 	}
 
+	// transform nil slice to empty slice
+	for _, organization := range data.Organizations {
+		if organization.Tags == nil {
+			organization.Tags = []string{}
+		}
+	}
+	for _, application := range data.Applications {
+		if application.Providers == nil {
+			application.Providers = []*ProviderItem{}
+		}
+		if application.SignupItems == nil {
+			application.SignupItems = []*SignupItem{}
+		}
+		if application.GrantTypes == nil {
+			application.GrantTypes = []string{}
+		}
+		if application.RedirectUris == nil {
+			application.RedirectUris = []string{}
+		}
+	}
+
 	return data
 }
 

object/ldap.go

@@ -409,6 +409,7 @@ func SyncLdapUsers(owner string, users []LdapRespUser, ldapId string) (*[]LdapRe
 				}
 			}
 		}
+
 		if !found && !AddUser(&User{
 			Owner:       owner,
 			Name:        buildLdapUserName(user.Uid, user.UidNumber),

object/ldapserver.go

@@ -62,7 +62,7 @@ func GetFilteredUsers(m *ldapserver.Message, name, org string) ([]*User, int) {
 			return nil, ldapserver.LDAPResultInsufficientAccessRights
 		}
 	} else {
-		hasPermission, err := CheckUserPermission(fmt.Sprintf("%s/%s", m.Client.OrgName, m.Client.UserName), fmt.Sprintf("%s/%s", org, name), org, true)
+		hasPermission, err := CheckUserPermission(fmt.Sprintf("%s/%s", m.Client.OrgName, m.Client.UserName), fmt.Sprintf("%s/%s", org, name), org, true, "en")
 		if !hasPermission {
 			log.Printf("ErrMsg = %v", err.Error())
 			return nil, ldapserver.LDAPResultInsufficientAccessRights

object/model.go

@@ -92,6 +92,12 @@ func UpdateModel(id string, modelObj *Model) bool {
 		return false
 	}
 
+	if name != modelObj.Name {
+		err := modelChangeTrigger(name, modelObj.Name)
+		if err != nil {
+			return false
+		}
+	}
 	// check model grammar
 	_, err := model.NewModelFromString(modelObj.ModelText)
 	if err != nil {
@@ -127,3 +133,22 @@ func DeleteModel(model *Model) bool {
 func (model *Model) GetId() string {
 	return fmt.Sprintf("%s/%s", model.Owner, model.Name)
 }
+
+func modelChangeTrigger(oldName string, newName string) error {
+	session := adapter.Engine.NewSession()
+	defer session.Close()
+
+	err := session.Begin()
+	if err != nil {
+		return err
+	}
+
+	permission := new(Permission)
+	permission.Model = newName
+	_, err = session.Where("model=?", oldName).Update(permission)
+	if err != nil {
+		return err
+	}
+
+	return session.Commit()
+}

object/organization.go

@@ -16,8 +16,10 @@ package object
 
 import (
 	"fmt"
+	"strings"
 
 	"github.com/casdoor/casdoor/cred"
+	"github.com/casdoor/casdoor/i18n"
 	"github.com/casdoor/casdoor/util"
 	"xorm.io/core"
 )
@@ -133,15 +135,10 @@ func UpdateOrganization(id string, organization *Organization) bool {
 	}
 
 	if name != organization.Name {
-		go func() {
-			application := new(Application)
-			application.Organization = organization.Name
-			_, _ = adapter.Engine.Where("organization=?", name).Update(application)
-
-			user := new(User)
-			user.Owner = organization.Name
-			_, _ = adapter.Engine.Where("owner=?", name).Update(user)
-		}()
+		err := organizationChangeTrigger(name, organization.Name)
+		if err != nil {
+			return false
+		}
 	}
 
 	if organization.MasterPassword != "" && organization.MasterPassword != "***" {
@@ -202,30 +199,30 @@ func GetAccountItemByName(name string, organization *Organization) *AccountItem
 	return nil
 }
 
-func CheckAccountItemModifyRule(accountItem *AccountItem, user *User) (bool, string) {
+func CheckAccountItemModifyRule(accountItem *AccountItem, user *User, lang string) (bool, string) {
 	switch accountItem.ModifyRule {
 	case "Admin":
 		if !(user.IsAdmin || user.IsGlobalAdmin) {
-			return false, fmt.Sprintf("Only admin can modify the %s.", accountItem.Name)
+			return false, fmt.Sprintf(i18n.Translate(lang, "OrgErr.OnlyAdmin"), accountItem.Name)
 		}
 	case "Immutable":
-		return false, fmt.Sprintf("The %s is immutable.", accountItem.Name)
+		return false, fmt.Sprintf(i18n.Translate(lang, "OrgErr.Immutable"), accountItem.Name)
 	case "Self":
 		break
 	default:
-		return false, fmt.Sprintf("Unknown modify rule %s.", accountItem.ModifyRule)
+		return false, fmt.Sprintf(i18n.Translate(lang, "OrgErr.UnknownModifyRule"), accountItem.ModifyRule)
 	}
 	return true, ""
 }
 
-func GetDefaultApplication(id string) *Application {
+func GetDefaultApplication(id string) (*Application, error) {
 	organization := GetOrganization(id)
 	if organization == nil {
-		return nil
+		return nil, fmt.Errorf("The organization: %s does not exist", id)
 	}
 
 	if organization.DefaultApplication != "" {
-		return getApplication("admin", organization.DefaultApplication)
+		return getApplication("admin", organization.DefaultApplication), fmt.Errorf("The default application: %s does not exist", organization.DefaultApplication)
 	}
 
 	applications := []*Application{}
@@ -235,7 +232,7 @@ func GetDefaultApplication(id string) *Application {
 	}
 
 	if len(applications) == 0 {
-		return nil
+		return nil, fmt.Errorf("The application does not exist")
 	}
 
 	defaultApplication := applications[0]
@@ -249,5 +246,150 @@ func GetDefaultApplication(id string) *Application {
 	extendApplicationWithProviders(defaultApplication)
 	extendApplicationWithOrg(defaultApplication)
 
-	return defaultApplication
+	return defaultApplication, nil
+}
+
+func organizationChangeTrigger(oldName string, newName string) error {
+	session := adapter.Engine.NewSession()
+	defer session.Close()
+
+	err := session.Begin()
+	if err != nil {
+		return err
+	}
+
+	application := new(Application)
+	application.Organization = newName
+	_, err = session.Where("organization=?", oldName).Update(application)
+	if err != nil {
+		return err
+	}
+
+	user := new(User)
+	user.Owner = newName
+	_, err = session.Where("owner=?", oldName).Update(user)
+	if err != nil {
+		return err
+	}
+
+	role := new(Role)
+	_, err = adapter.Engine.Where("owner=?", oldName).Get(role)
+	if err != nil {
+		return err
+	}
+	for i, u := range role.Users {
+		// u = organization/username
+		split := strings.Split(u, "/")
+		if split[0] == oldName {
+			split[0] = newName
+			role.Users[i] = split[0] + "/" + split[1]
+		}
+	}
+	for i, u := range role.Roles {
+		// u = organization/username
+		split := strings.Split(u, "/")
+		if split[0] == oldName {
+			split[0] = newName
+			role.Roles[i] = split[0] + "/" + split[1]
+		}
+	}
+	role.Owner = newName
+	_, err = session.Where("owner=?", oldName).Update(role)
+	if err != nil {
+		return err
+	}
+
+	permission := new(Permission)
+	_, err = adapter.Engine.Where("owner=?", oldName).Get(permission)
+	if err != nil {
+		return err
+	}
+	for i, u := range permission.Users {
+		// u = organization/username
+		split := strings.Split(u, "/")
+		if split[0] == oldName {
+			split[0] = newName
+			permission.Users[i] = split[0] + "/" + split[1]
+		}
+	}
+	for i, u := range permission.Roles {
+		// u = organization/username
+		split := strings.Split(u, "/")
+		if split[0] == oldName {
+			split[0] = newName
+			permission.Roles[i] = split[0] + "/" + split[1]
+		}
+	}
+	permission.Owner = newName
+	_, err = session.Where("owner=?", oldName).Update(permission)
+	if err != nil {
+		return err
+	}
+
+	casbinAdapter := new(CasbinAdapter)
+	casbinAdapter.Owner = newName
+	casbinAdapter.Organization = newName
+	_, err = session.Where("owner=?", oldName).Update(casbinAdapter)
+	if err != nil {
+		return err
+	}
+
+	ldap := new(Ldap)
+	ldap.Owner = newName
+	_, err = session.Where("owner=?", oldName).Update(ldap)
+	if err != nil {
+		return err
+	}
+
+	model := new(Model)
+	model.Owner = newName
+	_, err = session.Where("owner=?", oldName).Update(model)
+	if err != nil {
+		return err
+	}
+
+	payment := new(Payment)
+	payment.Organization = newName
+	_, err = session.Where("organization=?", oldName).Update(payment)
+	if err != nil {
+		return err
+	}
+
+	record := new(Record)
+	record.Owner = newName
+	record.Organization = newName
+	_, err = session.Where("organization=?", oldName).Update(record)
+	if err != nil {
+		return err
+	}
+
+	resource := new(Resource)
+	resource.Owner = newName
+	_, err = session.Where("owner=?", oldName).Update(resource)
+	if err != nil {
+		return err
+	}
+
+	syncer := new(Syncer)
+	syncer.Organization = newName
+	_, err = session.Where("organization=?", oldName).Update(syncer)
+	if err != nil {
+		return err
+	}
+
+	token := new(Token)
+	token.Organization = newName
+	_, err = session.Where("organization=?", oldName).Update(token)
+	if err != nil {
+		return err
+	}
+
+	webhook := new(Webhook)
+	webhook.Organization = newName
+	_, err = session.Where("organization=?", oldName).Update(webhook)
+	if err != nil {
+		return err
+	}
+
+	return session.Commit()
 }

object/provider.go

@@ -17,6 +17,7 @@ package object
 import (
 	"fmt"
 
+	"github.com/casdoor/casdoor/i18n"
 	"github.com/casdoor/casdoor/pp"
 	"github.com/casdoor/casdoor/util"
 	"xorm.io/core"
@@ -59,6 +60,7 @@ type Provider struct {
 	IntranetEndpoint string `xorm:"varchar(100)" json:"intranetEndpoint"`
 	Domain           string `xorm:"varchar(100)" json:"domain"`
 	Bucket           string `xorm:"varchar(100)" json:"bucket"`
+	PathPrefix       string `xorm:"varchar(100)" json:"pathPrefix"`
 
 	Metadata               string `xorm:"mediumtext" json:"metadata"`
 	IdP                    string `xorm:"mediumtext" json:"idP"`
@@ -100,6 +102,16 @@ func GetProviderCount(owner, field, value string) int {
 	return int(count)
 }
 
+func GetGlobalProviderCount(field, value string) int {
+	session := GetSession("", -1, -1, field, value, "", "")
+	count, err := session.Count(&Provider{})
+	if err != nil {
+		panic(err)
+	}
+
+	return int(count)
+}
+
 func GetProviders(owner string) []*Provider {
 	providers := []*Provider{}
 	err := adapter.Engine.Desc("created_time").Find(&providers, &Provider{Owner: owner})
@@ -110,8 +122,18 @@ func GetProviders(owner string) []*Provider {
 	return providers
 }
 
-func GetPaginationProviders(owner string, offset, limit int, field, value, sortField, sortOrder string) []*Provider {
+func GetGlobalProviders() []*Provider {
 	providers := []*Provider{}
+	err := adapter.Engine.Desc("created_time").Find(&providers)
+	if err != nil {
+		panic(err)
+	}
+
+	return providers
+}
+
+func GetPaginationProviders(owner string, offset, limit int, field, value, sortField, sortOrder string) []*Provider {
+	var providers []*Provider
 	session := GetSession(owner, offset, limit, field, value, sortField, sortOrder)
 	err := session.Find(&providers)
 	if err != nil {
@@ -121,6 +143,17 @@ func GetPaginationProviders(owner string, offset, limit int, field, value, sortF
 	return providers
 }
 
+func GetPaginationGlobalProviders(offset, limit int, field, value, sortField, sortOrder string) []*Provider {
+	var providers []*Provider
+	session := GetSession("", offset, limit, field, value, sortField, sortOrder)
+	err := session.Find(&providers)
+	if err != nil {
+		panic(err)
+	}
+
+	return providers
+}
+
 func getProvider(owner string, name string) *Provider {
 	if owner == "" || name == "" {
 		return nil
@@ -174,6 +207,13 @@ func UpdateProvider(id string, provider *Provider) bool {
 		return false
 	}
 
+	if name != provider.Name {
+		err := providerChangeTrigger(name, provider.Name)
+		if err != nil {
+			return false
+		}
+	}
+
 	session := adapter.Engine.ID(core.PK{owner, name}).AllCols()
 	if provider.ClientSecret == "***" {
 		session = session.Omit("client_secret")
@@ -228,7 +268,7 @@ func (p *Provider) GetId() string {
 	return fmt.Sprintf("%s/%s", p.Owner, p.Name)
 }
 
-func GetCaptchaProviderByOwnerName(applicationId string) (*Provider, error) {
+func GetCaptchaProviderByOwnerName(applicationId, lang string) (*Provider, error) {
 	owner, name := util.GetOwnerAndNameFromId(applicationId)
 	provider := Provider{Owner: owner, Name: name, Category: "Captcha"}
 	existed, err := adapter.Engine.Get(&provider)
@@ -237,27 +277,65 @@ func GetCaptchaProviderByOwnerName(applicationId string) (*Provider, error) {
 	}
 
 	if !existed {
-		return nil, fmt.Errorf("the provider: %s does not exist", applicationId)
+		return nil, fmt.Errorf(i18n.Translate(lang, "ProviderErr.DoNotExist"), applicationId)
 	}
 
 	return &provider, nil
 }
 
-func GetCaptchaProviderByApplication(applicationId, isCurrentProvider string) (*Provider, error) {
+func GetCaptchaProviderByApplication(applicationId, isCurrentProvider, lang string) (*Provider, error) {
 	if isCurrentProvider == "true" {
-		return GetCaptchaProviderByOwnerName(applicationId)
+		return GetCaptchaProviderByOwnerName(applicationId, lang)
 	}
 	application := GetApplication(applicationId)
 	if application == nil || len(application.Providers) == 0 {
-		return nil, fmt.Errorf("invalid application id")
+		return nil, fmt.Errorf(i18n.Translate(lang, "ApplicationErr.InvalidID"))
 	}
 	for _, provider := range application.Providers {
 		if provider.Provider == nil {
 			continue
 		}
 		if provider.Provider.Category == "Captcha" {
-			return GetCaptchaProviderByOwnerName(fmt.Sprintf("%s/%s", provider.Provider.Owner, provider.Provider.Name))
+			return GetCaptchaProviderByOwnerName(fmt.Sprintf("%s/%s", provider.Provider.Owner, provider.Provider.Name), lang)
 		}
 	}
 	return nil, nil
 }
+
+func providerChangeTrigger(oldName string, newName string) error {
+	session := adapter.Engine.NewSession()
+	defer session.Close()
+
+	err := session.Begin()
+	if err != nil {
+		return err
+	}
+
+	var applications []*Application
+	err = adapter.Engine.Find(&applications)
+	if err != nil {
+		return err
+	}
+	for i := 0; i < len(applications); i++ {
+		providers := applications[i].Providers
+		for j := 0; j < len(providers); j++ {
+			if providers[j].Name == oldName {
+				providers[j].Name = newName
+			}
+		}
+		applications[i].Providers = providers
+		_, err = session.Where("name=?", applications[i].Name).Update(applications[i])
+		if err != nil {
+			return err
+		}
+	}
+
+	resource := new(Resource)
+	resource.Provider = newName
+	_, err = session.Where("provider=?", oldName).Update(resource)
+	if err != nil {
+		return err
+	}
+
+	return session.Commit()
+}

object/provider_item.go

@@ -21,6 +21,7 @@ type ProviderItem struct {
 	CanUnlink bool      `json:"canUnlink"`
 	Prompted  bool      `json:"prompted"`
 	AlertType string    `json:"alertType"`
+	Rule      string    `json:"rule"`
 	Provider  *Provider `json:"provider"`
 }
 

object/role.go

@@ -16,6 +16,7 @@ package object
 
 import (
 	"fmt"
+	"strings"
 
 	"github.com/casdoor/casdoor/util"
 	"xorm.io/core"
@@ -94,6 +95,13 @@ func UpdateRole(id string, role *Role) bool {
 		return false
 	}
 
+	if name != role.Name {
+		err := roleChangeTrigger(name, role.Name)
+		if err != nil {
+			return false
+		}
+	}
+
 	affected, err := adapter.Engine.ID(core.PK{owner, name}).AllCols().Update(role)
 	if err != nil {
 		panic(err)
@@ -133,3 +141,54 @@ func GetRolesByUser(userId string) []*Role {
 
 	return roles
 }
+
+func roleChangeTrigger(oldName string, newName string) error {
+	session := adapter.Engine.NewSession()
+	defer session.Close()
+
+	err := session.Begin()
+	if err != nil {
+		return err
+	}
+
+	var roles []*Role
+	err = adapter.Engine.Find(&roles)
+	if err != nil {
+		return err
+	}
+	for _, role := range roles {
+		for j, u := range role.Roles {
+			split := strings.Split(u, "/")
+			if split[1] == oldName {
+				split[1] = newName
+				role.Roles[j] = split[0] + "/" + split[1]
+			}
+		}
+		_, err = session.Where("name=?", role.Name).Update(role)
+		if err != nil {
+			return err
+		}
+	}
+
+	var permissions []*Permission
+	err = adapter.Engine.Find(&permissions)
+	if err != nil {
+		return err
+	}
+	for _, permission := range permissions {
+		for j, u := range permission.Roles {
+			// u = organization/username
+			split := strings.Split(u, "/")
+			if split[1] == oldName {
+				split[1] = newName
+				permission.Roles[j] = split[0] + "/" + split[1]
+			}
+		}
+		_, err = session.Where("name=?", permission.Name).Update(permission)
+		if err != nil {
+			return err
+		}
+	}
+
+	return session.Commit()
+}

object/saml_sp.go

@@ -24,6 +24,7 @@ import (
 	"strings"
 
 	"github.com/casdoor/casdoor/conf"
+	"github.com/casdoor/casdoor/i18n"
 	saml2 "github.com/russellhaering/gosaml2"
 	dsig "github.com/russellhaering/goxmldsig"
 )
@@ -41,10 +42,10 @@ func ParseSamlResponse(samlResponse string, providerType string) (string, error)
 	return assertionInfo.NameID, nil
 }
 
-func GenerateSamlLoginUrl(id, relayState string) (string, string, error) {
+func GenerateSamlLoginUrl(id, relayState, lang string) (string, string, error) {
 	provider := GetProvider(id)
 	if provider.Category != "SAML" {
-		return "", "", fmt.Errorf("provider %s's category is not SAML", provider.Name)
+		return "", "", fmt.Errorf(i18n.Translate(lang, "ProviderErr.CategoryNotSAML"), provider.Name)
 	}
 	sp, err := buildSp(provider, "")
 	if err != nil {

object/storage.go

@@ -21,6 +21,7 @@ import (
 	"strings"
 
 	"github.com/casdoor/casdoor/conf"
+	"github.com/casdoor/casdoor/i18n"
 	"github.com/casdoor/casdoor/storage"
 	"github.com/casdoor/casdoor/util"
 )
@@ -54,7 +55,7 @@ func escapePath(path string) string {
 }
 
 func getUploadFileUrl(provider *Provider, fullFilePath string, hasTimestamp bool) (string, string) {
-	escapedPath := escapePath(fullFilePath)
+	escapedPath := util.UrlJoin(provider.PathPrefix, escapePath(fullFilePath))
 	objectKey := util.UrlJoin(util.GetUrlPath(provider.Domain), escapedPath)
 
 	host := ""
@@ -69,7 +70,7 @@ func getUploadFileUrl(provider *Provider, fullFilePath string, hasTimestamp bool
 		host = util.UrlJoin(provider.Domain, "/files")
 	}
 	if provider.Type == "Azure Blob" {
-		host = fmt.Sprintf("%s/%s", host, provider.Bucket)
+		host = util.UrlJoin(host, provider.Bucket)
 	}
 
 	fileUrl := util.UrlJoin(host, escapePath(objectKey))
@@ -126,16 +127,16 @@ func UploadFileSafe(provider *Provider, fullFilePath string, fileBuffer *bytes.B
 	return fileUrl, objectKey, nil
 }
 
-func DeleteFile(provider *Provider, objectKey string) error {
+func DeleteFile(provider *Provider, objectKey string, lang string) error {
 	// check fullFilePath is there security issue
 	if strings.Contains(objectKey, "..") {
-		return fmt.Errorf("the objectKey: %s is not allowed", objectKey)
+		return fmt.Errorf(i18n.Translate(lang, "StorageErr.ObjectKeyNotAllowed"), objectKey)
 	}
 
 	endpoint := getProviderEndpoint(provider)
 	storageProvider := storage.GetStorageProvider(provider.Type, provider.ClientId, provider.ClientSecret, provider.RegionId, provider.Bucket, endpoint)
 	if storageProvider == nil {
-		return fmt.Errorf("the provider type: %s is not supported", provider.Type)
+		return fmt.Errorf(i18n.Translate(lang, "ProviderErr.ProviderNotSupported"), provider.Type)
 	}
 
 	if provider.Domain == "" {

object/syncer_user.go

@@ -37,7 +37,16 @@ func (syncer *Syncer) getOriginalUsers() ([]*OriginalUser, error) {
 		return nil, err
 	}
 
-	return syncer.getOriginalUsersFromMap(results), nil
+	// Memory leak problem handling
+	// https://github.com/casdoor/casdoor/issues/1256
+	users := syncer.getOriginalUsersFromMap(results)
+	for _, m := range results {
+		for k := range m {
+			delete(m, k)
+		}
+	}
+
+	return users, nil
 }
 
 func (syncer *Syncer) getOriginalUserMap() ([]*OriginalUser, map[string]*OriginalUser, error) {
@@ -120,7 +129,7 @@ func (syncer *Syncer) updateUserForOriginalFields(user *User) (bool, error) {
 	}
 
 	if user.Avatar != oldUser.Avatar && user.Avatar != "" {
-		user.PermanentAvatar = getPermanentAvatarUrl(user.Owner, user.Name, user.Avatar)
+		user.PermanentAvatar = getPermanentAvatarUrl(user.Owner, user.Name, user.Avatar, true)
 	}
 
 	columns := syncer.getCasdoorColumns()

object/token.go

@@ -21,6 +21,7 @@ import (
 	"strings"
 	"time"
 
+	"github.com/casdoor/casdoor/i18n"
 	"github.com/casdoor/casdoor/idp"
 	"github.com/casdoor/casdoor/util"
 	"xorm.io/core"
@@ -238,14 +239,14 @@ func GetTokenByTokenAndApplication(token string, application string) *Token {
 	return &tokenResult
 }
 
-func CheckOAuthLogin(clientId string, responseType string, redirectUri string, scope string, state string) (string, *Application) {
+func CheckOAuthLogin(clientId string, responseType string, redirectUri string, scope string, state string, lang string) (string, *Application) {
 	if responseType != "code" && responseType != "token" && responseType != "id_token" {
-		return fmt.Sprintf("error: grant_type: %s is not supported in this application", responseType), nil
+		return fmt.Sprintf(i18n.Translate(lang, "ApplicationErr.GrantTypeNotSupport"), responseType), nil
 	}
 
 	application := GetApplicationByClientId(clientId)
 	if application == nil {
-		return "Invalid client_id", nil
+		return i18n.Translate(lang, "TokenErr.InvalidClientId"), nil
 	}
 
 	validUri := false
@@ -256,7 +257,7 @@ func CheckOAuthLogin(clientId string, responseType string, redirectUri string, s
 		}
 	}
 	if !validUri {
-		return fmt.Sprintf("Redirect URI: \"%s\" doesn't exist in the allowed Redirect URI list", redirectUri), application
+		return fmt.Sprintf(i18n.Translate(lang, "TokenErr.RedirectURIDoNotExist"), redirectUri), application
 	}
 
 	// Mask application for /api/get-app-login
@@ -264,7 +265,7 @@ func CheckOAuthLogin(clientId string, responseType string, redirectUri string, s
 	return "", application
 }
 
-func GetOAuthCode(userId string, clientId string, responseType string, redirectUri string, scope string, state string, nonce string, challenge string, host string) *Code {
+func GetOAuthCode(userId string, clientId string, responseType string, redirectUri string, scope string, state string, nonce string, challenge string, host string, lang string) *Code {
 	user := GetUser(userId)
 	if user == nil {
 		return &Code{
@@ -279,7 +280,7 @@ func GetOAuthCode(userId string, clientId string, responseType string, redirectU
 		}
 	}
 
-	msg, application := CheckOAuthLogin(clientId, responseType, redirectUri, scope, state)
+	msg, application := CheckOAuthLogin(clientId, responseType, redirectUri, scope, state, lang)
 	if msg != "" {
 		return &Code{
 			Message: msg,
@@ -322,7 +323,7 @@ func GetOAuthCode(userId string, clientId string, responseType string, redirectU
 	}
 }
 
-func GetOAuthToken(grantType string, clientId string, clientSecret string, code string, verifier string, scope string, username string, password string, host string, tag string, avatar string) interface{} {
+func GetOAuthToken(grantType string, clientId string, clientSecret string, code string, verifier string, scope string, username string, password string, host string, tag string, avatar string, lang string) interface{} {
 	application := GetApplicationByClientId(clientId)
 	if application == nil {
 		return &TokenError{
@@ -353,7 +354,7 @@ func GetOAuthToken(grantType string, clientId string, clientSecret string, code
 
 	if tag == "wechat_miniprogram" {
 		// Wechat Mini Program
-		token, tokenError = GetWechatMiniProgramToken(application, code, host, username, avatar)
+		token, tokenError = GetWechatMiniProgramToken(application, code, host, username, avatar, lang)
 	}
 
 	if tokenError != nil {
@@ -559,7 +560,7 @@ func GetPasswordToken(application *Application, username string, password string
 			ErrorDescription: "the user does not exist",
 		}
 	}
-	msg := CheckPassword(user, password)
+	msg := CheckPassword(user, password, "en")
 	if msg != "" {
 		return nil, &TokenError{
 			Error:            InvalidGrant,
@@ -669,7 +670,7 @@ func GetTokenByUser(application *Application, user *User, scope string, host str
 
 // GetWechatMiniProgramToken
 // Wechat Mini Program flow
-func GetWechatMiniProgramToken(application *Application, code string, host string, username string, avatar string) (*Token, *TokenError) {
+func GetWechatMiniProgramToken(application *Application, code string, host string, username string, avatar string, lang string) (*Token, *TokenError) {
 	mpProvider := GetWechatMiniProgramProvider(application)
 	if mpProvider == nil {
 		return nil, &TokenError{
@@ -703,7 +704,7 @@ func GetWechatMiniProgramToken(application *Application, code string, host strin
 		}
 		// Add new user
 		var name string
-		if username != "" {
+		if CheckUsername(username, lang) == "" {
 			name = username
 		} else {
 			name = fmt.Sprintf("wechat-%s", openId)

object/token_jwt_key.go

@@ -37,7 +37,7 @@ func generateRsaKeys(bitSize int, expireInYears int, commonName string, organiza
 	// Encode private key to PKCS#1 ASN.1 PEM.
 	privateKeyPem := pem.EncodeToMemory(
 		&pem.Block{
-			Type:  "PRIVATE KEY",
+			Type:  "RSA PRIVATE KEY",
 			Bytes: x509.MarshalPKCS1PrivateKey(key),
 		},
 	)

object/user.go

@@ -380,13 +380,20 @@ func UpdateUser(id string, user *User, columns []string, isGlobalAdmin bool) boo
 		return false
 	}
 
+	if name != user.Name {
+		err := userChangeTrigger(name, user.Name)
+		if err != nil {
+			return false
+		}
+	}
+
 	if user.Password == "***" {
 		user.Password = oldUser.Password
 	}
 	user.UpdateUserHash()
 
 	if user.Avatar != oldUser.Avatar && user.Avatar != "" && user.PermanentAvatar != "*" {
-		user.PermanentAvatar = getPermanentAvatarUrl(user.Owner, user.Name, user.Avatar)
+		user.PermanentAvatar = getPermanentAvatarUrl(user.Owner, user.Name, user.Avatar, false)
 	}
 
 	if len(columns) == 0 {
@@ -416,10 +423,17 @@ func UpdateUserForAllFields(id string, user *User) bool {
 		return false
 	}
 
+	if name != user.Name {
+		err := userChangeTrigger(name, user.Name)
+		if err != nil {
+			return false
+		}
+	}
+
 	user.UpdateUserHash()
 
 	if user.Avatar != oldUser.Avatar && user.Avatar != "" {
-		user.PermanentAvatar = getPermanentAvatarUrl(user.Owner, user.Name, user.Avatar)
+		user.PermanentAvatar = getPermanentAvatarUrl(user.Owner, user.Name, user.Avatar, false)
 	}
 
 	affected, err := adapter.Engine.ID(core.PK{owner, name}).AllCols().Update(user)
@@ -449,7 +463,7 @@ func AddUser(user *User) bool {
 	user.UpdateUserHash()
 	user.PreHash = user.Hash
 
-	user.PermanentAvatar = getPermanentAvatarUrl(user.Owner, user.Name, user.Avatar)
+	user.PermanentAvatar = getPermanentAvatarUrl(user.Owner, user.Name, user.Avatar, false)
 
 	user.Ranking = GetUserCount(user.Owner, "", "") + 1
 
@@ -474,7 +488,7 @@ func AddUsers(users []*User) bool {
 		user.UpdateUserHash()
 		user.PreHash = user.Hash
 
-		user.PermanentAvatar = getPermanentAvatarUrl(user.Owner, user.Name, user.Avatar)
+		user.PermanentAvatar = getPermanentAvatarUrl(user.Owner, user.Name, user.Avatar, true)
 	}
 
 	affected, err := adapter.Engine.Insert(users)
@@ -567,3 +581,62 @@ func ExtendUserWithRolesAndPermissions(user *User) {
 	user.Roles = GetRolesByUser(user.GetId())
 	user.Permissions = GetPermissionsByUser(user.GetId())
 }
+
+func userChangeTrigger(oldName string, newName string) error {
+	session := adapter.Engine.NewSession()
+	defer session.Close()
+
+	err := session.Begin()
+	if err != nil {
+		return err
+	}
+
+	var roles []*Role
+	err = adapter.Engine.Find(&roles)
+	if err != nil {
+		return err
+	}
+	for _, role := range roles {
+		for j, u := range role.Users {
+			// u = organization/username
+			split := strings.Split(u, "/")
+			if split[1] == oldName {
+				split[1] = newName
+				role.Users[j] = split[0] + "/" + split[1]
+			}
+		}
+		_, err = session.Where("name=?", role.Name).Update(role)
+		if err != nil {
+			return err
+		}
+	}
+
+	var permissions []*Permission
+	err = adapter.Engine.Find(&permissions)
+	if err != nil {
+		return err
+	}
+	for _, permission := range permissions {
+		for j, u := range permission.Users {
+			// u = organization/username
+			split := strings.Split(u, "/")
+			if split[1] == oldName {
+				split[1] = newName
+				permission.Users[j] = split[0] + "/" + split[1]
+			}
+		}
+		_, err = session.Where("name=?", permission.Name).Update(permission)
+		if err != nil {
+			return err
+		}
+	}
+
+	resource := new(Resource)
+	resource.User = newName
+	_, err = session.Where("user=?", oldName).Update(resource)
+	if err != nil {
+		return err
+	}
+
+	return session.Commit()
+}

object/verification.go

@@ -21,6 +21,7 @@ import (
 	"time"
 
 	"github.com/casdoor/casdoor/conf"
+	"github.com/casdoor/casdoor/i18n"
 	"github.com/casdoor/casdoor/util"
 	"xorm.io/core"
 )
@@ -122,11 +123,11 @@ func getVerificationRecord(dest string) *VerificationRecord {
 	return &record
 }
 
-func CheckVerificationCode(dest, code string) string {
+func CheckVerificationCode(dest, code, lang string) string {
 	record := getVerificationRecord(dest)
 
 	if record == nil {
-		return "Code has not been sent yet!"
+		return i18n.Translate(lang, "PhoneErr.CodeNotSent")
 	}
 
 	timeout, err := conf.GetConfigInt64("verificationCodeTimeout")
@@ -136,7 +137,7 @@ func CheckVerificationCode(dest, code string) string {
 
 	now := time.Now().Unix()
 	if now-record.Time > timeout*60 {
-		return fmt.Sprintf("You should verify your code in %d min!", timeout)
+		return fmt.Sprintf(i18n.Translate(lang, "PhoneErr.CodeTimeOut"), timeout)
 	}
 
 	if record.Code != code {
@@ -159,7 +160,7 @@ func DisableVerificationCode(dest string) {
 	}
 }
 
-// from Casnode/object/validateCode.go line 116
+// From Casnode/object/validateCode.go line 116
 var stdNums = []byte("0123456789")
 
 func getRandomCode(length int) string {

routers/authz_filter.go

@@ -63,11 +63,16 @@ func getObject(ctx *context.Context) (string, string) {
 	if method == http.MethodGet {
 		// query == "?id=built-in/admin"
 		id := ctx.Input.Query("id")
-		if id == "" {
-			return "", ""
+		if id != "" {
+			return util.GetOwnerAndNameFromId(id)
 		}
 
-		return util.GetOwnerAndNameFromId(id)
+		owner := ctx.Input.Query("owner")
+		if owner != "" {
+			return owner, ""
+		}
+
+		return "", ""
 	} else {
 		body := ctx.Input.RequestBody
 

routers/auto_signin_filter.go

@@ -62,7 +62,7 @@ func AutoSigninFilter(ctx *context.Context) {
 	password := ctx.Input.Query("password")
 	if userId != "" && password != "" && ctx.Input.Query("grant_type") == "" {
 		owner, name := util.GetOwnerAndNameFromId(userId)
-		_, msg := object.CheckUserPassword(owner, name, password)
+		_, msg := object.CheckUserPassword(owner, name, password, "en")
 		if msg != "" {
 			responseError(ctx, msg)
 			return

routers/router.go

@@ -123,6 +123,7 @@ func initAPI() {
 
 	beego.Router("/api/get-providers", &controllers.ApiController{}, "GET:GetProviders")
 	beego.Router("/api/get-provider", &controllers.ApiController{}, "GET:GetProvider")
+	beego.Router("/api/get-global-providers", &controllers.ApiController{}, "GET:GetGlobalProviders")
 	beego.Router("/api/update-provider", &controllers.ApiController{}, "POST:UpdateProvider")
 	beego.Router("/api/add-provider", &controllers.ApiController{}, "POST:AddProvider")
 	beego.Router("/api/delete-provider", &controllers.ApiController{}, "POST:DeleteProvider")

web/package.json

@@ -70,6 +70,7 @@
     "eslint-plugin-react": "^7.31.1",
     "husky": "^4.3.8",
     "lint-staged": "^13.0.3",
+    "path-browserify": "^1.0.1",
     "stylelint": "^14.11.0",
     "stylelint-config-recommended-less": "^1.0.4",
     "stylelint-config-standard": "^28.0.0"

web/src/AccountTable.js

@@ -120,7 +120,7 @@ class AccountTable extends React.Component {
         },
       },
       {
-        title: i18next.t("provider:visible"),
+        title: i18next.t("organization:Visible"),
         dataIndex: "visible",
         key: "visible",
         width: "120px",
@@ -133,7 +133,7 @@ class AccountTable extends React.Component {
         },
       },
       {
-        title: i18next.t("organization:viewRule"),
+        title: i18next.t("organization:View rule"),
         dataIndex: "viewRule",
         key: "viewRule",
         width: "155px",
@@ -160,7 +160,7 @@ class AccountTable extends React.Component {
         },
       },
       {
-        title: i18next.t("organization:modifyRule"),
+        title: i18next.t("organization:Modify rule"),
         dataIndex: "modifyRule",
         key: "modifyRule",
         width: "155px",

web/src/AdapterEditPage.js

@@ -59,7 +59,7 @@ class AdapterEditPage extends React.Component {
   }
 
   getOrganizations() {
-    OrganizationBackend.getOrganizations(this.state.organizationName)
+    OrganizationBackend.getOrganizations("admin")
       .then((res) => {
         this.setState({
           organizations: (res.msg === undefined) ? res : [],
@@ -195,7 +195,7 @@ class AdapterEditPage extends React.Component {
             {Setting.getLabel(i18next.t("general:Organization"), i18next.t("general:Organization - Tooltip"))} :
           </Col>
           <Col span={22} >
-            <Select virtual={false} style={{width: "100%"}} value={this.state.adapter.organization} onChange={(value => {this.updateadapterField("organization", value);})}>
+            <Select virtual={false} style={{width: "100%"}} value={this.state.adapter.organization} onChange={(value => {this.updateAdapterField("organization", value);})}>
               {
                 this.state.organizations.map((organization, index) => <Option key={index} value={organization.name}>{organization.name}</Option>)
               }

web/src/AdapterListPage.js

@@ -70,21 +70,6 @@ class AdapterListPage extends BaseListPage {
 
   renderTable(adapters) {
     const columns = [
-      {
-        title: i18next.t("general:Organization"),
-        dataIndex: "organization",
-        key: "organization",
-        width: "120px",
-        sorter: true,
-        ...this.getColumnSearchProps("organization"),
-        render: (text, record, index) => {
-          return (
-            <Link to={`/organizations/${text}`}>
-              {text}
-            </Link>
-          );
-        },
-      },
       {
         title: i18next.t("general:Name"),
         dataIndex: "name",
@@ -101,6 +86,21 @@ class AdapterListPage extends BaseListPage {
           );
         },
       },
+      {
+        title: i18next.t("general:Organization"),
+        dataIndex: "organization",
+        key: "organization",
+        width: "120px",
+        sorter: true,
+        ...this.getColumnSearchProps("organization"),
+        render: (text, record, index) => {
+          return (
+            <Link to={`/organizations/${text}`}>
+              {text}
+            </Link>
+          );
+        },
+      },
       {
         title: i18next.t("general:Created time"),
         dataIndex: "createdTime",

web/src/App.js

@@ -16,8 +16,8 @@ import React, {Component} from "react";
 import "./App.less";
 import {Helmet} from "react-helmet";
 import * as Setting from "./Setting";
-import {DownOutlined, LogoutOutlined, SettingOutlined} from "@ant-design/icons";
-import {Avatar, BackTop, Button, Card, Dropdown, Layout, Menu, Result} from "antd";
+import {BarsOutlined, DownOutlined, LogoutOutlined, SettingOutlined} from "@ant-design/icons";
+import {Avatar, BackTop, Button, Card, Drawer, Dropdown, Layout, Menu, Result} from "antd";
 import {Link, Redirect, Route, Switch, withRouter} from "react-router-dom";
 import OrganizationListPage from "./OrganizationListPage";
 import OrganizationEditPage from "./OrganizationEditPage";
@@ -74,6 +74,7 @@ import ModelEditPage from "./ModelEditPage";
 import SystemInfo from "./SystemInfo";
 import AdapterListPage from "./AdapterListPage";
 import AdapterEditPage from "./AdapterEditPage";
+import {withTranslation} from "react-i18next";
 
 const {Header, Footer} = Layout;
 
@@ -85,6 +86,7 @@ class App extends Component {
       selectedMenuKey: 0,
       account: undefined,
       uri: null,
+      menuVisible: false,
     };
 
     Setting.initServerUrl();
@@ -219,10 +221,9 @@ class App extends Component {
         if (res.status === "ok") {
           account = res.data;
           account.organization = res.data2;
-
           this.setLanguage(account);
         } else {
-          if (res.msg !== "Please sign in first") {
+          if (res.data !== "Please login first") {
             Setting.showMessage("error", `Failed to sign in: ${res.msg}`);
           }
         }
@@ -298,12 +299,12 @@ class App extends Component {
       <Menu onClick={this.handleRightDropdownClick.bind(this)}>
         <Menu.Item key="/account">
           <SettingOutlined />
-          &nbsp;
+          &nbsp;&nbsp;
           {i18next.t("account:My Account")}
         </Menu.Item>
         <Menu.Item key="/logout">
           <LogoutOutlined />
-          &nbsp;
+          &nbsp;&nbsp;
           {i18next.t("account:Logout")}
         </Menu.Item>
       </Menu>
@@ -378,6 +379,9 @@ class App extends Component {
           </Link>
         </Menu.Item>
       );
+    }
+
+    if (Setting.isLocalAdminUser(this.state.account)) {
       res.push(
         <Menu.Item key="/users">
           <Link to="/users">
@@ -416,13 +420,6 @@ class App extends Component {
           </Link>
         </Menu.Item>
       );
-      res.push(
-        <Menu.Item key="/providers">
-          <Link to="/providers">
-            {i18next.t("general:Providers")}
-          </Link>
-        </Menu.Item>
-      );
       res.push(
         <Menu.Item key="/applications">
           <Link to="/applications">
@@ -433,6 +430,13 @@ class App extends Component {
     }
 
     if (Setting.isLocalAdminUser(this.state.account)) {
+      res.push(
+        <Menu.Item key="/providers">
+          <Link to="/providers">
+            {i18next.t("general:Providers")}
+          </Link>
+        </Menu.Item>
+      );
       res.push(
         <Menu.Item key="/resources">
           <Link to="/resources">
@@ -562,6 +566,7 @@ class App extends Component {
           <Route exact path="/adapters/:organizationName/:adapterName" render={(props) => this.renderLoginIfNotLoggedIn(<AdapterEditPage account={this.state.account} {...props} />)} />
           <Route exact path="/providers" render={(props) => this.renderLoginIfNotLoggedIn(<ProviderListPage account={this.state.account} {...props} />)} />
           <Route exact path="/providers/:providerName" render={(props) => this.renderLoginIfNotLoggedIn(<ProviderEditPage account={this.state.account} {...props} />)} />
+          <Route exact path="/providers/:organizationName/:providerName" render={(props) => this.renderLoginIfNotLoggedIn(<ProviderEditPage account={this.state.account} {...props} />)} />
           <Route exact path="/applications" render={(props) => this.renderLoginIfNotLoggedIn(<ApplicationListPage account={this.state.account} {...props} />)} />
           <Route exact path="/applications/:applicationName" render={(props) => this.renderLoginIfNotLoggedIn(<ApplicationEditPage account={this.state.account} {...props} />)} />
           <Route exact path="/resources" render={(props) => this.renderLoginIfNotLoggedIn(<ResourceListPage account={this.state.account} {...props} />)} />
@@ -592,6 +597,18 @@ class App extends Component {
     );
   }
 
+  onClose = () => {
+    this.setState({
+      menuVisible: false,
+    });
+  };
+
+  showMenu = () => {
+    this.setState({
+      menuVisible: true,
+    });
+  };
+
   renderContent() {
     if (!Setting.isMobile()) {
       return (
@@ -610,7 +627,7 @@ class App extends Component {
                   // theme="dark"
                   mode={(Setting.isMobile() && this.isStartPages()) ? "inline" : "horizontal"}
                   selectedKeys={[`${this.state.selectedMenuKey}`]}
-                  style={{lineHeight: "64px", width: "78%", position: "absolute", left: "145px"}}
+                  style={{lineHeight: "64px", position: "absolute", left: "145px", right: "200px"}}
                 >
                   {
                     this.renderMenu()
@@ -643,22 +660,28 @@ class App extends Component {
                 </Link>
               )
             }
-            <Menu
-            // theme="dark"
-              mode={(Setting.isMobile() && this.isStartPages()) ? "inline" : "horizontal"}
-              selectedKeys={[`${this.state.selectedMenuKey}`]}
-              style={{lineHeight: "64px"}}
-            >
-              {
-                this.renderMenu()
-              }
-              <div style = {{float: "right"}}>
+            <Drawer title={i18next.t("general:Close")} placement="left" visible={this.state.menuVisible} onClose={this.onClose}>
+              <Menu
+                // theme="dark"
+                mode={(Setting.isMobile()) ? "inline" : "horizontal"}
+                selectedKeys={[`${this.state.selectedMenuKey}`]}
+                style={{lineHeight: "64px"}}
+                onClick={this.onClose}
+              >
                 {
-                  this.renderAccount()
+                  this.renderMenu()
                 }
-                <SelectLanguageBox />
-              </div>
-            </Menu>
+              </Menu>
+            </Drawer>
+            <Button icon={<BarsOutlined />} onClick={this.showMenu} type="text">
+              {i18next.t("general:Menu")}
+            </Button>
+            <div style = {{float: "right"}}>
+              {
+                this.renderAccount()
+              }
+              <SelectLanguageBox />
+            </div>
           </Header>
           {
             this.renderRouter()
@@ -776,4 +799,4 @@ class App extends Component {
   }
 }
 
-export default withRouter(App);
+export default withRouter(withTranslation()(App));

web/src/App.less

@@ -65,7 +65,7 @@
   right: 0;
 }
 
-.language_box {
+.language-box {
   background: url("@{StaticBaseUrl}/img/muti_language.svg");
   background-size: 25px, 25px;
   background-position: center;
@@ -94,7 +94,39 @@
   align-items: stretch;
 }
 
-.login-content{
+.side-image {
+  display: none;
+
+  @media screen and (min-width: 1100px) {
+    display: block;
+    position: relative;
+    width: 500px;
+    border-right: 0.5px solid rgb(196 203 215);
+  }
+}
+
+.forget-content {
+  padding: 10px 100px 20px;
+  border: 2px solid #fff;
+  border-radius: 7px;
+  background-color: rgb(255 255 255);
+  box-shadow: 0 0 20px rgb(0 0 0 / 20%);
+}
+
+.login-panel {
+  margin-top: 50px;
+  margin-bottom: 50px;
+  display: flex;
+  background-color: rgb(255 255 255);
+  overflow: hidden;
+}
+
+.login-form {
+  text-align: center;
+  padding: 30px;
+}
+
+.login-content {
   display: flex;
   flex-direction: row;
   justify-content: center;
@@ -105,7 +137,9 @@
 }
 
 .loginBackground {
-  height: 100%;
+  display: flex;
+  align-items: center;
+  flex: 1 1 0;
   background: #fff no-repeat;
   background-size: 100% 100%;
   background-attachment: fixed;

web/src/ApplicationEditPage.js

@@ -32,6 +32,7 @@ import copy from "copy-to-clipboard";
 
 import {Controlled as CodeMirror} from "react-codemirror2";
 import "codemirror/lib/codemirror.css";
+
 require("codemirror/theme/material-darker.css");
 require("codemirror/mode/htmlmixed/htmlmixed");
 require("codemirror/mode/xml/xml");
@@ -39,19 +40,58 @@ require("codemirror/mode/css/css");
 
 const {Option} = Select;
 
-const template = {
-  padding: "30px",
-  border: "2px solid #ffffff",
-  borderRadius: "7px",
-  backgroundColor: "#ffffff",
-  boxShadow: " 0px 0px 20px rgba(0, 0, 0, 0.20)",
-};
+const template = `<style>
+  .login-panel{
+    padding: 40px 70px 0 70px;
+    border-radius: 10px;
+    background-color: #ffffff;
+    box-shadow: 0 0 30px 20px rgba(0, 0, 0, 0.20);
+}
+</style>`;
+
+const sideTemplate = `<style>
+  .left-model{
+    text-align: center;
+    padding: 30px;
+    background-color: #8ca0ed;
+    position: absolute;
+    transform: none;
+    width: 100%;
+    height: 100%;
+  }
+  .side-logo{
+    display: flex;
+    align-items: center;
+  }
+  .side-logo span {
+    font-family: Montserrat, sans-serif;
+    font-weight: 900;
+    font-size: 2.4rem;
+    line-height: 1.3;
+    margin-left: 16px;
+    color: #404040;
+  }
+  .img{
+    max-width: none;
+    margin: 41px 0 13px;
+  }
+</style>
+<div class="left-model">
+  <span class="side-logo"> <img src="https://cdn.casbin.org/img/casdoor-logo_1185x256.png" alt="Casdoor" style="width: 120px"> 
+    <span>SSO</span> 
+  </span>
+  <div class="img">
+    <img src="https://cdn.casbin.org/img/casbin.svg" alt="Casdoor"/>
+  </div>
+</div>
+`;
 
 class ApplicationEditPage extends React.Component {
   constructor(props) {
     super(props);
     this.state = {
       classes: props,
+      owner: props.account.owner,
       applicationName: props.match.params.applicationName,
       application: null,
       organizations: [],
@@ -102,12 +142,21 @@ class ApplicationEditPage extends React.Component {
   }
 
   getProviders() {
-    ProviderBackend.getProviders("admin")
-      .then((res) => {
-        this.setState({
-          providers: res,
+    if (Setting.isAdminUser(this.props.account)) {
+      ProviderBackend.getGlobalProviders()
+        .then((res) => {
+          this.setState({
+            providers: res,
+          });
         });
-      });
+    } else {
+      ProviderBackend.getProviders(this.state.owner)
+        .then((res) => {
+          this.setState({
+            providers: res,
+          });
+        });
+    }
   }
 
   getSamlMetadata() {
@@ -157,7 +206,6 @@ class ApplicationEditPage extends React.Component {
   }
 
   renderApplication() {
-    const preview = JSON.stringify(template, null, 2);
     return (
       <Card size="small" title={
         <div>
@@ -562,10 +610,10 @@ class ApplicationEditPage extends React.Component {
           </Col>
           <Col span={22} style={(Setting.isMobile()) ? {maxWidth: "100%"} : {}}>
             <Row style={{marginTop: "20px"}} >
-              <Col style={{marginTop: "5px"}} span={(Setting.isMobile()) ? 22 : 1}>
+              <Col style={{marginTop: "5px"}} span={(Setting.isMobile()) ? 22 : 2}>
                 {Setting.getLabel(i18next.t("general:URL"), i18next.t("general:URL - Tooltip"))} :
               </Col>
-              <Col span={23} >
+              <Col span={22} >
                 <Input prefix={<LinkOutlined />} value={this.state.application.formBackgroundUrl} onChange={e => {
                   this.updateApplicationField("formBackgroundUrl", e.target.value);
                 }} />
@@ -590,7 +638,7 @@ class ApplicationEditPage extends React.Component {
           <Col span={22}>
             <Popover placement="right" content={
               <div style={{width: "900px", height: "300px"}} >
-                <CodeMirror value={this.state.application.formCss === "" ? preview : this.state.application.formCss}
+                <CodeMirror value={this.state.application.formCss === "" ? template : this.state.application.formCss}
                   options={{mode: "css", theme: "material-darker"}}
                   onBeforeChange={(editor, data, value) => {
                     this.updateApplicationField("formCss", value);
@@ -606,14 +654,42 @@ class ApplicationEditPage extends React.Component {
         </Row>
         <Row style={{marginTop: "20px"}} >
           <Col style={{marginTop: "5px"}} span={(Setting.isMobile()) ? 22 : 2}>
-            {Setting.getLabel(i18next.t("application:From position"), i18next.t("application:From position - Tooltip"))} :
+            {Setting.getLabel(i18next.t("application:Form position"), i18next.t("application:Form position - Tooltip"))} :
           </Col>
           <Col span={22} >
-            <Radio.Group onChange={e => {this.updateApplicationField("formOffset", e.target.value);}} value={this.state.application.formOffset !== 0 ? this.state.application.formOffset : 8}>
-              <Radio.Button value={2}>left</Radio.Button>
-              <Radio.Button value={8}>center</Radio.Button>
-              <Radio.Button value={14}>right</Radio.Button>
-            </Radio.Group>
+            <Row style={{marginTop: "20px"}} >
+              <Radio.Group onChange={e => {this.updateApplicationField("formOffset", e.target.value);}} value={this.state.application.formOffset}>
+                <Radio.Button value={1}>{i18next.t("application:Left")}</Radio.Button>
+                <Radio.Button value={2}>{i18next.t("application:Center")}</Radio.Button>
+                <Radio.Button value={3}>{i18next.t("application:Right")}</Radio.Button>
+                <Radio.Button value={4}>
+                  {i18next.t("application:Enable side panel")}
+                </Radio.Button>
+              </Radio.Group>
+            </Row>
+            {this.state.application.formOffset === 4 ?
+              <Row style={{marginTop: "20px"}} >
+                <Col style={{marginTop: "5px"}} span={(Setting.isMobile()) ? 22 : 3}>
+                  {Setting.getLabel(i18next.t("application:Side panel HTML"), i18next.t("application:Side panel HTML - Tooltip"))} :
+                </Col>
+                <Col span={21} >
+                  <Popover placement="right" content={
+                    <div style={{width: "900px", height: "300px"}} >
+                      <CodeMirror value={this.state.application.formSideHtml === "" ? sideTemplate : this.state.application.formSideHtml}
+                        options={{mode: "htmlmixed", theme: "material-darker"}}
+                        onBeforeChange={(editor, data, value) => {
+                          this.updateApplicationField("formSideHtml", value);
+                        }}
+                      />
+                    </div>
+                  } title={i18next.t("application:Side panel HTML - Edit")} trigger="click">
+                    <Input value={this.state.application.formSideHtml} style={{marginBottom: "10px"}} onChange={e => {
+                      this.updateApplicationField("formSideHtml", e.target.value);
+                    }} />
+                  </Popover>
+                </Col>
+              </Row>
+              : null}
           </Col>
         </Row>
         {
@@ -707,7 +783,7 @@ class ApplicationEditPage extends React.Component {
         <br />
         <div style={{position: "relative", width: "90%", border: "1px solid rgb(217,217,217)", boxShadow: "10px 10px 5px #888888", flexDirection: "column", flex: "auto"}}>
           <PromptPage application={this.state.application} account={this.props.account} />
-          <div style={maskStyle}></div>
+          <div style={maskStyle} />
         </div>
       </Col>
     );

web/src/CropperDiv.js

@@ -12,19 +12,21 @@
 // See the License for the specific language governing permissions and
 // limitations under the License.
 
-import React, {useState} from "react";
+import React, {useEffect, useState} from "react";
 import Cropper from "react-cropper";
 import "cropperjs/dist/cropper.css";
 import * as Setting from "./Setting";
-import {Button, Col, Modal, Row} from "antd";
+import {Button, Col, Modal, Row, Select} from "antd";
 import i18next from "i18next";
 import * as ResourceBackend from "./backend/ResourceBackend";
 
 export const CropperDiv = (props) => {
+  const [loading, setLoading] = useState(true);
+  const [options, setOptions] = useState([]);
   const [image, setImage] = useState("");
   const [cropper, setCropper] = useState();
-  const [visible, setVisible] = React.useState(false);
-  const [confirmLoading, setConfirmLoading] = React.useState(false);
+  const [visible, setVisible] = useState(false);
+  const [confirmLoading, setConfirmLoading] = useState(false);
   const {title} = props;
   const {user} = props;
   const {buttonText} = props;
@@ -60,7 +62,7 @@ export const CropperDiv = (props) => {
       ResourceBackend.uploadResource(user.owner, user.name, "avatar", "CropperDiv", fullFilePath, blob)
         .then((res) => {
           if (res.status === "ok") {
-            window.location.href = "/account";
+            window.location.href = window.location.pathname;
           } else {
             Setting.showMessage("error", res.msg);
           }
@@ -88,6 +90,48 @@ export const CropperDiv = (props) => {
     uploadButton.click();
   };
 
+  const getOptions = (data) => {
+    const options = [];
+    if (props.account.organization.defaultAvatar !== null) {
+      options.push({value: props.account.organization.defaultAvatar});
+    }
+    for (let i = 0; i < data.length; i++) {
+      if (data[i].fileType === "image") {
+        const url = `${data[i].url}`;
+        options.push({
+          value: url,
+        });
+      }
+    }
+    return options;
+  };
+
+  const getBase64Image = (src) => {
+    return new Promise((resolve) => {
+      const image = new Image();
+      image.src = src;
+      image.setAttribute("crossOrigin", "anonymous");
+      image.onload = () => {
+        const canvas = document.createElement("canvas");
+        canvas.width = image.width;
+        canvas.height = image.height;
+        const ctx = canvas.getContext("2d");
+        ctx.drawImage(image, 0, 0, image.width, image.height);
+        const dataURL = canvas.toDataURL("image/png");
+        resolve(dataURL);
+      };
+    });
+  };
+
+  useEffect(() => {
+    setLoading(true);
+    ResourceBackend.getResources(props.account.owner, props.account.name, "", "", "", "", "", "")
+      .then((res) => {
+        setLoading(false);
+        setOptions(getOptions(res));
+      });
+  }, []);
+
   return (
     <div>
       <Button type="default" onClick={showModal}>
@@ -105,10 +149,20 @@ export const CropperDiv = (props) => {
           [<Button block key="submit" type="primary" onClick={handleOk}>{i18next.t("user:Set new profile picture")}</Button>]
         }
       >
-        <Col style={{margin: "0px auto 40px auto", width: 1000, height: 300}}>
+        <Col style={{margin: "0px auto 60px auto", width: 1000, height: 350}}>
           <Row style={{width: "100%", marginBottom: "20px"}}>
             <input style={{display: "none"}} ref={input => uploadButton = input} type="file" accept="image/*" onChange={onChange} />
             <Button block onClick={selectFile}>{i18next.t("user:Select a photo...")}</Button>
+            <Select
+              style={{width: "100%"}}
+              loading={loading}
+              placeholder={i18next.t("user:Please select avatar from resources")}
+              onChange={(async value => {
+                setImage(await getBase64Image(value));
+              })}
+              options={options}
+              allowClear={true}
+            />
           </Row>
           <Cropper
             style={{height: "100%"}}

web/src/ModelListPage.js

@@ -63,21 +63,6 @@ class ModelListPage extends BaseListPage {
 
   renderTable(models) {
     const columns = [
-      {
-        title: i18next.t("general:Organization"),
-        dataIndex: "owner",
-        key: "owner",
-        width: "120px",
-        sorter: true,
-        ...this.getColumnSearchProps("owner"),
-        render: (text, record, index) => {
-          return (
-            <Link to={`/organizations/${text}`}>
-              {text}
-            </Link>
-          );
-        },
-      },
       {
         title: i18next.t("general:Name"),
         dataIndex: "name",
@@ -94,6 +79,21 @@ class ModelListPage extends BaseListPage {
           );
         },
       },
+      {
+        title: i18next.t("general:Organization"),
+        dataIndex: "owner",
+        key: "owner",
+        width: "120px",
+        sorter: true,
+        ...this.getColumnSearchProps("owner"),
+        render: (text, record, index) => {
+          return (
+            <Link to={`/organizations/${text}`}>
+              {text}
+            </Link>
+          );
+        },
+      },
       {
         title: i18next.t("general:Created time"),
         dataIndex: "createdTime",

web/src/PaymentListPage.js

@@ -76,6 +76,38 @@ class PaymentListPage extends BaseListPage {
 
   renderTable(payments) {
     const columns = [
+      {
+        title: i18next.t("general:Name"),
+        dataIndex: "name",
+        key: "name",
+        width: "180px",
+        fixed: "left",
+        sorter: true,
+        ...this.getColumnSearchProps("name"),
+        render: (text, record, index) => {
+          return (
+            <Link to={`/payments/${text}`}>
+              {text}
+            </Link>
+          );
+        },
+      },
+      {
+        title: i18next.t("general:Provider"),
+        dataIndex: "provider",
+        key: "provider",
+        width: "150px",
+        fixed: "left",
+        sorter: true,
+        ...this.getColumnSearchProps("provider"),
+        render: (text, record, index) => {
+          return (
+            <Link to={`/providers/${text}`}>
+              {text}
+            </Link>
+          );
+        },
+      },
       {
         title: i18next.t("general:Organization"),
         dataIndex: "organization",
@@ -106,22 +138,7 @@ class PaymentListPage extends BaseListPage {
           );
         },
       },
-      {
-        title: i18next.t("general:Name"),
-        dataIndex: "name",
-        key: "name",
-        width: "180px",
-        fixed: "left",
-        sorter: true,
-        ...this.getColumnSearchProps("name"),
-        render: (text, record, index) => {
-          return (
-            <Link to={`/payments/${text}`}>
-              {text}
-            </Link>
-          );
-        },
-      },
+
       {
         title: i18next.t("general:Created time"),
         dataIndex: "createdTime",
@@ -140,22 +157,6 @@ class PaymentListPage extends BaseListPage {
       //   sorter: true,
       //   ...this.getColumnSearchProps('displayName'),
       // },
-      {
-        title: i18next.t("general:Provider"),
-        dataIndex: "provider",
-        key: "provider",
-        width: "150px",
-        fixed: "left",
-        sorter: true,
-        ...this.getColumnSearchProps("provider"),
-        render: (text, record, index) => {
-          return (
-            <Link to={`/providers/${text}`}>
-              {text}
-            </Link>
-          );
-        },
-      },
       {
         title: i18next.t("payment:Type"),
         dataIndex: "type",

web/src/PermissionEditPage.js

@@ -35,6 +35,7 @@ class PermissionEditPage extends React.Component {
       permissionName: props.match.params.permissionName,
       permission: null,
       organizations: [],
+      model: null,
       users: [],
       roles: [],
       models: [],
@@ -59,6 +60,7 @@ class PermissionEditPage extends React.Component {
         this.getRoles(permission.owner);
         this.getModels(permission.owner);
         this.getResources(permission.owner);
+        this.getModel(permission.owner, permission.model);
       });
   }
 
@@ -98,6 +100,15 @@ class PermissionEditPage extends React.Component {
       });
   }
 
+  getModel(organizationName, modelName) {
+    ModelBackend.getModel(organizationName, modelName)
+      .then((res) => {
+        this.setState({
+          model: res,
+        });
+      });
+  }
+
   getResources(organizationName) {
     ApplicationBackend.getApplicationsByOrganization("admin", organizationName)
       .then((res) => {
@@ -115,6 +126,10 @@ class PermissionEditPage extends React.Component {
   }
 
   updatePermissionField(key, value) {
+    if (key === "model") {
+      this.getModel(this.state.permission.owner, value);
+    }
+
     value = this.parsePermissionField(key, value);
 
     const permission = this.state.permission;
@@ -124,6 +139,13 @@ class PermissionEditPage extends React.Component {
     });
   }
 
+  hasRoleDefinition(model) {
+    if (model !== null) {
+      return model.modelText.includes("role_definition");
+    }
+    return false;
+  }
+
   renderPermission() {
     return (
       <Card size="small" title={
@@ -214,7 +236,7 @@ class PermissionEditPage extends React.Component {
             {Setting.getLabel(i18next.t("role:Sub roles"), i18next.t("role:Sub roles - Tooltip"))} :
           </Col>
           <Col span={22} >
-            <Select virtual={false} mode="tags" style={{width: "100%"}} value={this.state.permission.roles} onChange={(value => {this.updatePermissionField("roles", value);})}>
+            <Select virtual={false} disabled={!this.hasRoleDefinition(this.state.model)} mode="tags" style={{width: "100%"}} value={this.state.permission.roles} onChange={(value => {this.updatePermissionField("roles", value);})}>
               {
                 this.state.roles.filter(roles => (roles.owner !== this.state.roles.owner || roles.name !== this.state.roles.name)).map((permission, index) => <Option key={index} value={`${permission.owner}/${permission.name}`}>{`${permission.owner}/${permission.name}`}</Option>)
               }

web/src/PermissionListPage.js

@@ -77,21 +77,7 @@ class PermissionListPage extends BaseListPage {
 
   renderTable(permissions) {
     const columns = [
-      {
-        title: i18next.t("general:Organization"),
-        dataIndex: "owner",
-        key: "owner",
-        width: "120px",
-        sorter: true,
-        ...this.getColumnSearchProps("owner"),
-        render: (text, record, index) => {
-          return (
-            <Link to={`/organizations/${text}`}>
-              {text}
-            </Link>
-          );
-        },
-      },
+      // https://github.com/ant-design/ant-design/issues/22184
       {
         title: i18next.t("general:Name"),
         dataIndex: "name",
@@ -108,6 +94,21 @@ class PermissionListPage extends BaseListPage {
           );
         },
       },
+      {
+        title: i18next.t("general:Organization"),
+        dataIndex: "owner",
+        key: "owner",
+        width: "120px",
+        sorter: true,
+        ...this.getColumnSearchProps("owner"),
+        render: (text, record, index) => {
+          return (
+            <Link to={`/organizations/${text}`}>
+              {text}
+            </Link>
+          );
+        },
+      },
       {
         title: i18next.t("general:Created time"),
         dataIndex: "createdTime",
@@ -341,7 +342,7 @@ class PermissionListPage extends BaseListPage {
     this.setState({loading: true});
 
     const getPermissions = Setting.isLocalAdminUser(this.props.account) ? PermissionBackend.getPermissions : PermissionBackend.getPermissionsBySubmitter;
-    getPermissions("", params.pagination.current, params.pagination.pageSize, field, value, sortField, sortOrder)
+    getPermissions(Setting.isAdminUser(this.props.account) ? "" : this.props.account.owner, params.pagination.current, params.pagination.pageSize, field, value, sortField, sortOrder)
       .then((res) => {
         if (res.status === "ok") {
           this.setState({

web/src/ProviderEditPage.js

@@ -32,6 +32,7 @@ class ProviderEditPage extends React.Component {
     this.state = {
       classes: props,
       providerName: props.match.params.providerName,
+      owner: props.organizationName !== undefined ? props.organizationName : props.match.params.organizationName,
       provider: null,
       mode: props.location.mode !== undefined ? props.location.mode : "edit",
     };
@@ -42,7 +43,7 @@ class ProviderEditPage extends React.Component {
   }
 
   getProvider() {
-    ProviderBackend.getProvider("admin", this.state.providerName)
+    ProviderBackend.getProvider(this.state.owner, this.state.providerName)
       .then((provider) => {
         this.setState({
           provider: provider,
@@ -469,6 +470,16 @@ class ProviderEditPage extends React.Component {
                 }} />
               </Col>
             </Row>
+            <Row style={{marginTop: "20px"}} >
+              <Col style={{marginTop: "5px"}} span={2}>
+                {Setting.getLabel(i18next.t("provider:Path prefix"), i18next.t("provider:The prefix path of the file - Tooltip"))} :
+              </Col>
+              <Col span={22} >
+                <Input value={this.state.provider.pathPrefix} onChange={e => {
+                  this.updateProviderField("pathPrefix", e.target.value);
+                }} />
+              </Col>
+            </Row>
             <Row style={{marginTop: "20px"}} >
               <Col style={{marginTop: "5px"}} span={2}>
                 {Setting.getLabel(i18next.t("provider:Domain"), i18next.t("provider:Domain - Tooltip"))} :

web/src/ProviderListPage.js

@@ -23,10 +23,25 @@ import i18next from "i18next";
 import BaseListPage from "./BaseListPage";
 
 class ProviderListPage extends BaseListPage {
+  constructor(props) {
+    super(props);
+    this.state = {
+      classes: props,
+      owner: Setting.isAdminUser(props.account) ? "admin" : props.account.organization.name,
+      data: [],
+      pagination: {
+        current: 1,
+        pageSize: 10,
+      },
+      loading: false,
+      searchText: "",
+      searchedColumn: "",
+    };
+  }
   newProvider() {
     const randomName = Setting.getRandomName();
     return {
-      owner: "admin", // this.props.account.providername,
+      owner: this.state.owner,
       name: `provider_${randomName}`,
       createdTime: moment().format(),
       displayName: `New Provider - ${randomName}`,
@@ -46,7 +61,7 @@ class ProviderListPage extends BaseListPage {
     const newProvider = this.newProvider();
     ProviderBackend.addProvider(newProvider)
       .then((res) => {
-        this.props.history.push({pathname: `/providers/${newProvider.name}`, mode: "add"});
+        this.props.history.push({pathname: `/providers/${newProvider.owner}/${newProvider.name}`, mode: "add"});
       }
       )
       .catch(error => {
@@ -177,7 +192,7 @@ class ProviderListPage extends BaseListPage {
         render: (text, record, index) => {
           return (
             <div>
-              <Button style={{marginTop: "10px", marginBottom: "10px", marginRight: "10px"}} type="primary" onClick={() => this.props.history.push(`/providers/${record.name}`)}>{i18next.t("general:Edit")}</Button>
+              <Button style={{marginTop: "10px", marginBottom: "10px", marginRight: "10px"}} type="primary" onClick={() => this.props.history.push(`/providers/${record.owner}/${record.name}`)}>{i18next.t("general:Edit")}</Button>
               <Popconfirm
                 title={`Sure to delete provider: ${record.name} ?`}
                 onConfirm={() => this.deleteProvider(index)}
@@ -224,7 +239,8 @@ class ProviderListPage extends BaseListPage {
       value = params.type;
     }
     this.setState({loading: true});
-    ProviderBackend.getProviders("admin", params.pagination.current, params.pagination.pageSize, field, value, sortField, sortOrder)
+    (Setting.isAdminUser(this.props.account) ? ProviderBackend.getGlobalProviders(params.pagination.current, params.pagination.pageSize, field, value, sortField, sortOrder)
+      : ProviderBackend.getProviders(this.state.owner, params.pagination.current, params.pagination.pageSize, field, value, sortField, sortOrder))
       .then((res) => {
         if (res.status === "ok") {
           this.setState({

web/src/ProviderTable.js

@@ -39,7 +39,7 @@ class ProviderTable extends React.Component {
   }
 
   addRow(table) {
-    const row = {name: Setting.getNewRowNameForTable(table, "Please select a provider"), canSignUp: true, canSignIn: true, canUnlink: true, alertType: "None"};
+    const row = {name: Setting.getNewRowNameForTable(table, "Please select a provider"), canSignUp: true, canSignIn: true, canUnlink: true, alertType: "None", rule: "None"};
     if (table === undefined) {
       table = [];
     }
@@ -105,7 +105,7 @@ class ProviderTable extends React.Component {
         },
       },
       {
-        title: i18next.t("provider:canSignUp"),
+        title: i18next.t("provider:Can signup"),
         dataIndex: "canSignUp",
         key: "canSignUp",
         width: "120px",
@@ -122,7 +122,7 @@ class ProviderTable extends React.Component {
         },
       },
       {
-        title: i18next.t("provider:canSignIn"),
+        title: i18next.t("provider:Can signin"),
         dataIndex: "canSignIn",
         key: "canSignIn",
         width: "120px",
@@ -139,7 +139,7 @@ class ProviderTable extends React.Component {
         },
       },
       {
-        title: i18next.t("provider:canUnlink"),
+        title: i18next.t("provider:Can unlink"),
         dataIndex: "canUnlink",
         key: "canUnlink",
         width: "120px",
@@ -156,7 +156,7 @@ class ProviderTable extends React.Component {
         },
       },
       {
-        title: i18next.t("provider:prompted"),
+        title: i18next.t("provider:Prompted"),
         dataIndex: "prompted",
         key: "prompted",
         width: "120px",
@@ -193,6 +193,28 @@ class ProviderTable extends React.Component {
       //     )
       //   }
       // },
+      {
+        title: i18next.t("application:Rule"),
+        dataIndex: "rule",
+        key: "rule",
+        width: "100px",
+        render: (text, record, index) => {
+          if (record.provider?.category !== "Captcha") {
+            return null;
+          }
+          return (
+            <Select virtual={false} style={{width: "100%"}}
+              value={text}
+              defaultValue="None"
+              onChange={value => {
+                this.updateField(table, index, "rule", value);
+              }} >
+              <Option key="None" value="None">{i18next.t("application:None")}</Option>
+              <Option key="Always" value="Always">{i18next.t("application:Always")}</Option>
+            </Select>
+          );
+        },
+      },
       {
         title: i18next.t("general:Action"),
         key: "action",

web/src/RoleListPage.js

@@ -25,7 +25,7 @@ class RoleListPage extends BaseListPage {
   newRole() {
     const randomName = Setting.getRandomName();
     return {
-      owner: "built-in",
+      owner: this.props.account.owner,
       name: `role_${randomName}`,
       createdTime: moment().format(),
       displayName: `New Role - ${randomName}`,
@@ -65,21 +65,6 @@ class RoleListPage extends BaseListPage {
 
   renderTable(roles) {
     const columns = [
-      {
-        title: i18next.t("general:Organization"),
-        dataIndex: "owner",
-        key: "owner",
-        width: "120px",
-        sorter: true,
-        ...this.getColumnSearchProps("owner"),
-        render: (text, record, index) => {
-          return (
-            <Link to={`/organizations/${text}`}>
-              {text}
-            </Link>
-          );
-        },
-      },
       {
         title: i18next.t("general:Name"),
         dataIndex: "name",
@@ -96,6 +81,21 @@ class RoleListPage extends BaseListPage {
           );
         },
       },
+      {
+        title: i18next.t("general:Organization"),
+        dataIndex: "owner",
+        key: "owner",
+        width: "120px",
+        sorter: true,
+        ...this.getColumnSearchProps("owner"),
+        render: (text, record, index) => {
+          return (
+            <Link to={`/organizations/${text}`}>
+              {text}
+            </Link>
+          );
+        },
+      },
       {
         title: i18next.t("general:Created time"),
         dataIndex: "createdTime",
@@ -211,7 +211,7 @@ class RoleListPage extends BaseListPage {
       value = params.type;
     }
     this.setState({loading: true});
-    RoleBackend.getRoles("", params.pagination.current, params.pagination.pageSize, field, value, sortField, sortOrder)
+    RoleBackend.getRoles(Setting.isAdminUser(this.props.account) ? "" : this.props.account.owner, params.pagination.current, params.pagination.pageSize, field, value, sortField, sortOrder)
       .then((res) => {
         if (res.status === "ok") {
           this.setState({

web/src/SelectLanguageBox.js

@@ -49,7 +49,7 @@ class SelectLanguageBox extends React.Component {
 
     return (
       <Dropdown overlay={menu} >
-        <div className="language_box" id={this.props.id} style={this.props.style} />
+        <div className="language-box" id={this.props.id} style={this.props.style} />
       </Dropdown>
     );
   }

web/src/Setting.js

@@ -12,9 +12,10 @@
 // See the License for the specific language governing permissions and
 // limitations under the License.
 
+import React from "react";
+import {Link} from "react-router-dom";
 import {Tag, Tooltip, message} from "antd";
 import {QuestionCircleTwoTone} from "@ant-design/icons";
-import React from "react";
 import {isMobile as isMobileDevice} from "react-device-detect";
 import "./i18n";
 import i18next from "i18next";
@@ -22,6 +23,7 @@ import copy from "copy-to-clipboard";
 import {authConfig} from "./auth/Auth";
 import {Helmet} from "react-helmet";
 import * as Conf from "./Conf";
+import * as path from "path-browserify";
 
 export const ServerUrl = "";
 
@@ -554,7 +556,11 @@ export function changeLanguage(language) {
   localStorage.setItem("language", language);
   changeMomentLanguage(language);
   i18next.changeLanguage(language);
-  window.location.reload(true);
+  // window.location.reload(true);
+}
+
+export function getAcceptLanguage() {
+  return i18next.language + ";q=0.9,en;q=0.8";
 }
 
 export function changeMomentLanguage(language) {
@@ -737,64 +743,96 @@ export function renderLogo(application) {
   }
 }
 
-export function goToLogin(ths, application) {
+export function getLoginLink(application) {
+  let url;
   if (application === null) {
-    return;
-  }
-
-  if (!application.enablePassword && window.location.pathname.includes("/auto-signup/oauth/authorize")) {
-    const link = window.location.href.replace("/auto-signup/oauth/authorize", "/login/oauth/authorize");
-    goToLink(link);
-    return;
-  }
-
-  if (authConfig.appName === application.name) {
-    goToLinkSoft(ths, "/login");
+    url = null;
+  } else if (!application.enablePassword && window.location.pathname.includes("/auto-signup/oauth/authorize")) {
+    url = window.location.href.replace("/auto-signup/oauth/authorize", "/login/oauth/authorize");
+  } else if (authConfig.appName === application.name) {
+    url = "/login";
+  } else if (application.signinUrl === "") {
+    url = path.join(application.homepageUrl, "/login");
   } else {
-    if (application.signinUrl === "") {
-      goToLink(`${application.homepageUrl}/login`);
-    } else {
-      goToLink(application.signinUrl);
-    }
+    url = application.signinUrl;
+  }
+  return url;
+}
+
+export function renderLoginLink(application, text) {
+  const url = getLoginLink(application);
+  return renderLink(url, text, null);
+}
+
+export function redirectToLoginPage(application, history) {
+  const loginLink = getLoginLink(application);
+  history.push(loginLink);
+}
+
+function renderLink(url, text, onClick) {
+  if (url === null) {
+    return null;
+  }
+
+  if (url.startsWith("/")) {
+    return (
+      <Link style={{float: "right"}} to={url} onClick={() => {
+        if (onClick !== null) {
+          onClick();
+        }
+      }}>{text}</Link>
+    );
+  } else if (url.startsWith("http")) {
+    return (
+      <a target="_blank" rel="noopener noreferrer" style={{float: "right"}} href={url} onClick={() => {
+        if (onClick !== null) {
+          onClick();
+        }
+      }}>{text}</a>
+    );
+  } else {
+    return null;
   }
 }
 
-export function goToSignup(ths, application) {
+export function renderSignupLink(application, text) {
+  let url;
   if (application === null) {
-    return;
-  }
-
-  if (!application.enablePassword && window.location.pathname.includes("/login/oauth/authorize")) {
-    const link = window.location.href.replace("/login/oauth/authorize", "/auto-signup/oauth/authorize");
-    goToLink(link);
-    return;
-  }
-
-  if (authConfig.appName === application.name) {
-    goToLinkSoft(ths, "/signup");
+    url = null;
+  } else if (!application.enablePassword && window.location.pathname.includes("/login/oauth/authorize")) {
+    url = window.location.href.replace("/login/oauth/authorize", "/auto-signup/oauth/authorize");
+  } else if (authConfig.appName === application.name) {
+    url = "/signup";
   } else {
     if (application.signupUrl === "") {
-      goToLinkSoft(ths, `/signup/${application.name}`);
+      url = `/signup/${application.name}`;
     } else {
-      goToLink(application.signupUrl);
+      url = application.signupUrl;
     }
   }
+
+  const storeSigninUrl = () => {
+    sessionStorage.setItem("signinUrl", window.location.href);
+  };
+
+  return renderLink(url, text, storeSigninUrl);
 }
 
-export function goToForget(ths, application) {
+export function renderForgetLink(application, text) {
+  let url;
   if (application === null) {
-    return;
-  }
-
-  if (authConfig.appName === application.name) {
-    goToLinkSoft(ths, "/forget");
+    url = null;
+  } else if (authConfig.appName === application.name) {
+    url = "/forget";
   } else {
     if (application.forgetUrl === "") {
-      goToLinkSoft(ths, `/forget/${application.name}`);
+      url = `/forget/${application.name}`;
     } else {
-      goToLink(application.forgetUrl);
+      url = application.forgetUrl;
     }
   }
+
+  return renderLink(url, text, null);
 }
 
 export function renderHelmet(application) {

web/src/SignupTable.js

@@ -104,7 +104,7 @@ class SignupTable extends React.Component {
         },
       },
       {
-        title: i18next.t("provider:visible"),
+        title: i18next.t("provider:Visible"),
         dataIndex: "visible",
         key: "visible",
         width: "120px",
@@ -126,7 +126,7 @@ class SignupTable extends React.Component {
         },
       },
       {
-        title: i18next.t("provider:required"),
+        title: i18next.t("provider:Required"),
         dataIndex: "required",
         key: "required",
         width: "120px",
@@ -143,7 +143,7 @@ class SignupTable extends React.Component {
         },
       },
       {
-        title: i18next.t("provider:prompted"),
+        title: i18next.t("provider:Prompted"),
         dataIndex: "prompted",
         key: "prompted",
         width: "120px",
@@ -164,7 +164,7 @@ class SignupTable extends React.Component {
         },
       },
       {
-        title: i18next.t("application:rule"),
+        title: i18next.t("application:Rule"),
         dataIndex: "rule",
         key: "rule",
         width: "155px",

web/src/SyncerListPage.js

@@ -88,21 +88,6 @@ class SyncerListPage extends BaseListPage {
 
   renderTable(syncers) {
     const columns = [
-      {
-        title: i18next.t("general:Organization"),
-        dataIndex: "organization",
-        key: "organization",
-        width: "120px",
-        sorter: true,
-        ...this.getColumnSearchProps("organization"),
-        render: (text, record, index) => {
-          return (
-            <Link to={`/organizations/${text}`}>
-              {text}
-            </Link>
-          );
-        },
-      },
       {
         title: i18next.t("general:Name"),
         dataIndex: "name",
@@ -119,6 +104,21 @@ class SyncerListPage extends BaseListPage {
           );
         },
       },
+      {
+        title: i18next.t("general:Organization"),
+        dataIndex: "organization",
+        key: "organization",
+        width: "120px",
+        sorter: true,
+        ...this.getColumnSearchProps("organization"),
+        render: (text, record, index) => {
+          return (
+            <Link to={`/organizations/${text}`}>
+              {text}
+            </Link>
+          );
+        },
+      },
       {
         title: i18next.t("general:Created time"),
         dataIndex: "createdTime",

web/src/SystemInfo.js

@@ -90,37 +90,66 @@ class SystemInfo extends React.Component {
         </div> : i18next.t("system:Get Memory Usage Failed")
     );
 
-    return (
-      <Row>
-        <Col span={6}></Col>
-        <Col span={12}>
-          <Row gutter={[10, 10]}>
-            <Col span={12}>
-              <Card title={i18next.t("system:CPU Usage")} bordered={true} style={{textAlign: "center"}}>
-                {this.state.loading ? <Spin size="large" /> : CPUInfo}
-              </Card>
-            </Col>
-            <Col span={12}>
-              <Card title={i18next.t("system:Memory Usage")} bordered={true} style={{textAlign: "center"}}>
-                {this.state.loading ? <Spin size="large" /> : MemInfo}
-              </Card>
-            </Col>
-          </Row>
-          <Divider />
-          <Card title={i18next.t("system:About Casdoor")} bordered={true} style={{textAlign: "center"}}>
-            <div>{i18next.t("system:An Identity and Access Management (IAM) / Single-Sign-On (SSO) platform with web UI supporting OAuth 2.0, OIDC, SAML and CAS")}</div>
-            GitHub: <a href="https://github.com/casdoor/casdoor">casdoor</a>
-            <br />
-            {i18next.t("system:Version")}: <a href={this.state.href}>{this.state.latestVersion}</a>
-            <br />
-            {i18next.t("system:Official Website")}: <a href="https://casdoor.org/">casdoor.org</a>
-            <br />
-            {i18next.t("system:Community")}: <a href="https://casdoor.org/#:~:text=Casdoor%20API-,Community,-GitHub">contact us</a>
-          </Card>
-        </Col>
-        <Col span={6}></Col>
-      </Row>
-    );
+    if (!Setting.isMobile()) {
+      return (
+        <Row>
+          <Col span={6}></Col>
+          <Col span={12}>
+            <Row gutter={[10, 10]}>
+              <Col span={12}>
+                <Card title={i18next.t("system:CPU Usage")} bordered={true} style={{textAlign: "center", height: "100%"}}>
+                  {this.state.loading ? <Spin size="large" /> : CPUInfo}
+                </Card>
+              </Col>
+              <Col span={12}>
+                <Card title={i18next.t("system:Memory Usage")} bordered={true} style={{textAlign: "center", height: "100%"}}>
+                  {this.state.loading ? <Spin size="large" /> : MemInfo}
+                </Card>
+              </Col>
+            </Row>
+            <Divider />
+            <Card title={i18next.t("system:About Casdoor")} bordered={true} style={{textAlign: "center"}}>
+              <div>{i18next.t("system:An Identity and Access Management (IAM) / Single-Sign-On (SSO) platform with web UI supporting OAuth 2.0, OIDC, SAML and CAS")}</div>
+              GitHub: <a href="https://github.com/casdoor/casdoor">casdoor</a>
+              <br />
+              {i18next.t("system:Version")}: <a href={this.state.href}>{this.state.latestVersion}</a>
+              <br />
+              {i18next.t("system:Official Website")}: <a href="https://casdoor.org/">casdoor.org</a>
+              <br />
+              {i18next.t("system:Community")}: <a href="https://casdoor.org/#:~:text=Casdoor%20API-,Community,-GitHub">contact us</a>
+            </Card>
+          </Col>
+          <Col span={6}></Col>
+        </Row>
+      );
+    } else {
+      return (
+        <Row gutter={[16, 0]}>
+          <Col span={24}>
+            <Card title={i18next.t("system:CPU Usage")} bordered={true} style={{textAlign: "center", width: "100%"}}>
+              {this.state.loading ? <Spin size="large" /> : CPUInfo}
+            </Card>
+          </Col>
+          <Col span={24}>
+            <Card title={i18next.t("system:Memory Usage")} bordered={true} style={{textAlign: "center", width: "100%"}}>
+              {this.state.loading ? <Spin size="large" /> : MemInfo}
+            </Card>
+          </Col>
+          <Col span={24}>
+            <Card title={i18next.t("system:About Casdoor")} bordered={true} style={{textAlign: "center"}}>
+              <div>{i18next.t("system:An Identity and Access Management (IAM) / Single-Sign-On (SSO) platform with web UI supporting OAuth 2.0, OIDC, SAML and CAS")}</div>
+              GitHub: <a href="https://github.com/casdoor/casdoor">casdoor</a>
+              <br />
+              {i18next.t("system:Version")}: <a href={this.state.href}>{this.state.latestVersion}</a>
+              <br />
+              {i18next.t("system:Official Website")}: <a href="https://casdoor.org/">casdoor.org</a>
+              <br />
+              {i18next.t("system:Community")}: <a href="https://casdoor.org/#:~:text=Casdoor%20API-,Community,-GitHub">contact us</a>
+            </Card>
+          </Col>
+        </Row>
+      );
+    }
   }
 }
 

web/src/UserEditPage.js

@@ -17,7 +17,6 @@ import {Button, Card, Col, Input, Result, Row, Select, Spin, Switch} from "antd"
 import * as UserBackend from "./backend/UserBackend";
 import * as OrganizationBackend from "./backend/OrganizationBackend";
 import * as Setting from "./Setting";
-import {LinkOutlined} from "@ant-design/icons";
 import i18next from "i18next";
 import CropperDiv from "./CropperDiv.js";
 import * as ApplicationBackend from "./backend/ApplicationBackend";
@@ -232,16 +231,6 @@ class UserEditPage extends React.Component {
             {Setting.getLabel(i18next.t("general:Avatar"), i18next.t("general:Avatar - Tooltip"))} :
           </Col>
           <Col span={22} >
-            <Row style={{marginTop: "20px"}} >
-              <Col style={{marginTop: "5px"}} span={(Setting.isMobile()) ? 22 : 2}>
-                {i18next.t("general:URL")}:
-              </Col>
-              <Col span={22} >
-                <Input prefix={<LinkOutlined />} value={this.state.user.avatar} onChange={e => {
-                  this.updateUserField("avatar", e.target.value);
-                }} />
-              </Col>
-            </Row>
             <Row style={{marginTop: "20px"}} >
               <Col style={{marginTop: "5px"}} span={(Setting.isMobile()) ? 22 : 2}>
                 {i18next.t("general:Preview")}:
@@ -661,7 +650,7 @@ class UserEditPage extends React.Component {
     return (
       <div>
         {
-          this.state.loading ? <Spin size="large" /> : (
+          this.state.loading ? <Spin size="large" style={{marginLeft: "50%", marginTop: "10%"}} /> : (
             this.state.user !== null ? this.renderUser() :
               <Result
                 status="404"

web/src/UserListPage.js

@@ -17,6 +17,7 @@ import {Link} from "react-router-dom";
 import {Button, Popconfirm, Switch, Table, Upload} from "antd";
 import {UploadOutlined} from "@ant-design/icons";
 import moment from "moment";
+import * as OrganizationBackend from "./backend/OrganizationBackend";
 import * as Setting from "./Setting";
 import * as UserBackend from "./backend/UserBackend";
 import i18next from "i18next";
@@ -28,6 +29,7 @@ class UserListPage extends BaseListPage {
     this.state = {
       classes: props,
       organizationName: props.match.params.organizationName,
+      organization: null,
       data: [],
       pagination: {
         current: 1,
@@ -271,6 +273,15 @@ class UserListPage extends BaseListPage {
         width: "110px",
         sorter: true,
         ...this.getColumnSearchProps("tag"),
+        render: (text, record, index) => {
+          const tagMap = {};
+          this.state.organization?.tags?.map((tag, index) => {
+            const tokens = tag.split("|");
+            const displayValue = Setting.getLanguage() !== "zh" ? tokens[0] : tokens[1];
+            tagMap[tokens[0]] = displayValue;
+          });
+          return tagMap[text];
+        },
       },
       {
         title: i18next.t("user:Is admin"),
@@ -352,7 +363,7 @@ class UserListPage extends BaseListPage {
 
     return (
       <div>
-        <Table scroll={{x: "max-content"}} columns={columns} dataSource={users} rowKey="name" size="middle" bordered pagination={paginationProps}
+        <Table scroll={{x: "max-content"}} columns={columns} dataSource={users} rowKey={(record) => `${record.owner}/${record.name}`} size="middle" bordered pagination={paginationProps}
           title={() => (
             <div>
               {i18next.t("general:Users")}&nbsp;&nbsp;&nbsp;&nbsp;
@@ -374,7 +385,7 @@ class UserListPage extends BaseListPage {
     const sortField = params.sortField, sortOrder = params.sortOrder;
     this.setState({loading: true});
     if (this.state.organizationName === undefined) {
-      UserBackend.getGlobalUsers(params.pagination.current, params.pagination.pageSize, field, value, sortField, sortOrder)
+      (Setting.isAdminUser(this.props.account) ? UserBackend.getGlobalUsers(params.pagination.current, params.pagination.pageSize, field, value, sortField, sortOrder) : UserBackend.getUsers(this.props.account.owner, params.pagination.current, params.pagination.pageSize, field, value, sortField, sortOrder))
         .then((res) => {
           if (res.status === "ok") {
             this.setState({
@@ -387,6 +398,11 @@ class UserListPage extends BaseListPage {
               searchText: params.searchText,
               searchedColumn: params.searchedColumn,
             });
+
+            const users = res.data;
+            if (users.length > 0) {
+              this.getOrganization(users[0].owner);
+            }
           }
         });
     } else {
@@ -403,10 +419,24 @@ class UserListPage extends BaseListPage {
               searchText: params.searchText,
               searchedColumn: params.searchedColumn,
             });
+
+            const users = res.data;
+            if (users.length > 0) {
+              this.getOrganization(users[0].owner);
+            }
           }
         });
     }
   };
+
+  getOrganization(organizationName) {
+    OrganizationBackend.getOrganization("admin", organizationName)
+      .then((organization) => {
+        this.setState({
+          organization: organization,
+        });
+      });
+  }
 }
 
 export default UserListPage;

web/src/WebhookListPage.js

@@ -67,21 +67,6 @@ class WebhookListPage extends BaseListPage {
 
   renderTable(webhooks) {
     const columns = [
-      {
-        title: i18next.t("general:Organization"),
-        dataIndex: "organization",
-        key: "organization",
-        width: "110px",
-        sorter: true,
-        ...this.getColumnSearchProps("organization"),
-        render: (text, record, index) => {
-          return (
-            <Link to={`/organizations/${text}`}>
-              {text}
-            </Link>
-          );
-        },
-      },
       {
         title: i18next.t("general:Name"),
         dataIndex: "name",
@@ -98,6 +83,21 @@ class WebhookListPage extends BaseListPage {
           );
         },
       },
+      {
+        title: i18next.t("general:Organization"),
+        dataIndex: "organization",
+        key: "organization",
+        width: "110px",
+        sorter: true,
+        ...this.getColumnSearchProps("organization"),
+        render: (text, record, index) => {
+          return (
+            <Link to={`/organizations/${text}`}>
+              {text}
+            </Link>
+          );
+        },
+      },
       {
         title: i18next.t("general:Created time"),
         dataIndex: "createdTime",

web/src/auth/AuthBackend.js

@@ -13,11 +13,15 @@
 // limitations under the License.
 
 import {authConfig} from "./Auth";
+import * as Setting from "../Setting";
 
 export function getAccount(query) {
   return fetch(`${authConfig.serverUrl}/api/get-account${query}`, {
     method: "GET",
     credentials: "include",
+    headers: {
+      "Accept-Language": Setting.getAcceptLanguage(),
+    },
   }).then(res => res.json());
 }
 
@@ -26,6 +30,9 @@ export function signup(values) {
     method: "POST",
     credentials: "include",
     body: JSON.stringify(values),
+    headers: {
+      "Accept-Language": Setting.getAcceptLanguage(),
+    },
   }).then(res => res.json());
 }
 
@@ -34,6 +41,9 @@ export function getEmailAndPhone(values) {
     method: "POST",
     credentials: "include",
     body: JSON.stringify(values),
+    headers: {
+      "Accept-Language": Setting.getAcceptLanguage(),
+    },
   }).then((res) => res.json());
 }
 
@@ -51,6 +61,9 @@ export function getApplicationLogin(oAuthParams) {
   return fetch(`${authConfig.serverUrl}/api/get-app-login${oAuthParamsToQuery(oAuthParams)}`, {
     method: "GET",
     credentials: "include",
+    headers: {
+      "Accept-Language": Setting.getAcceptLanguage(),
+    },
   }).then(res => res.json());
 }
 
@@ -59,6 +72,9 @@ export function login(values, oAuthParams) {
     method: "POST",
     credentials: "include",
     body: JSON.stringify(values),
+    headers: {
+      "Accept-Language": Setting.getAcceptLanguage(),
+    },
   }).then(res => res.json());
 }
 
@@ -67,6 +83,9 @@ export function loginCas(values, params) {
     method: "POST",
     credentials: "include",
     body: JSON.stringify(values),
+    headers: {
+      "Accept-Language": Setting.getAcceptLanguage(),
+    },
   }).then(res => res.json());
 }
 
@@ -74,6 +93,9 @@ export function logout() {
   return fetch(`${authConfig.serverUrl}/api/logout`, {
     method: "POST",
     credentials: "include",
+    headers: {
+      "Accept-Language": Setting.getAcceptLanguage(),
+    },
   }).then(res => res.json());
 }
 
@@ -82,6 +104,9 @@ export function unlink(values) {
     method: "POST",
     credentials: "include",
     body: JSON.stringify(values),
+    headers: {
+      "Accept-Language": Setting.getAcceptLanguage(),
+    },
   }).then(res => res.json());
 }
 
@@ -89,6 +114,9 @@ export function getSamlLogin(providerId, relayState) {
   return fetch(`${authConfig.serverUrl}/api/get-saml-login?id=${providerId}&relayState=${relayState}`, {
     method: "GET",
     credentials: "include",
+    headers: {
+      "Accept-Language": Setting.getAcceptLanguage(),
+    },
   }).then(res => res.json());
 }
 
@@ -97,5 +125,8 @@ export function loginWithSaml(values, param) {
     method: "POST",
     credentials: "include",
     body: JSON.stringify(values),
+    headers: {
+      "Accept-Language": Setting.getAcceptLanguage(),
+    },
   }).then(res => res.json());
 }

web/src/auth/ForgetPage.js

@@ -23,6 +23,7 @@ import {CountDownInput} from "../common/CountDownInput";
 import * as UserBackend from "../backend/UserBackend";
 import {CheckCircleOutlined, KeyOutlined, LockOutlined, SolutionOutlined, UserOutlined} from "@ant-design/icons";
 import CustomGithubCorner from "../CustomGithubCorner";
+import {withRouter} from "react-router-dom";
 
 const {Step} = Steps;
 const {Option} = Select;
@@ -166,7 +167,7 @@ class ForgetPage extends React.Component {
     values.userOwner = this.state.application?.organizationObj.name;
     UserBackend.setPassword(values.userOwner, values.username, "", values?.newPassword).then(res => {
       if (res.status === "ok") {
-        Setting.goToLogin(this, this.state.application);
+        Setting.redirectToLoginPage(this.state.application, this.props.history);
       } else {
         Setting.showMessage("error", i18next.t(`signup:${res.msg}`));
       }
@@ -487,63 +488,67 @@ class ForgetPage extends React.Component {
     }
 
     return (
-      <Row>
-        <Col span={24} style={{justifyContent: "center"}}>
+      <div className="loginBackground" style={{backgroundImage: Setting.inIframe() || Setting.isMobile() ? null : `url(${application.formBackgroundUrl})`}}>
+        <CustomGithubCorner />
+        <div className="login-content forget-content" style={{padding: Setting.isMobile() ? "0" : null, boxShadow: Setting.isMobile() ? "none" : null}}>
           <Row>
-            <Col span={24}>
-              <div style={{marginTop: "80px", marginBottom: "10px", textAlign: "center"}}>
-                {
-                  Setting.renderHelmet(application)
-                }
-                <CustomGithubCorner />
-                {
-                  Setting.renderLogo(application)
-                }
+            <Col span={24} style={{justifyContent: "center"}}>
+              <Row>
+                <Col span={24}>
+                  <div style={{marginTop: "80px", marginBottom: "10px", textAlign: "center"}}>
+                    {
+                      Setting.renderHelmet(application)
+                    }
+                    {
+                      Setting.renderLogo(application)
+                    }
+                  </div>
+                </Col>
+              </Row>
+              <Row>
+                <Col span={24}>
+                  <div style={{textAlign: "center", fontSize: "28px"}}>
+                    {i18next.t("forget:Retrieve password")}
+                  </div>
+                </Col>
+              </Row>
+              <Row>
+                <Col span={24}>
+                  <Steps
+                    current={this.state.current}
+                    style={{
+                      width: "90%",
+                      maxWidth: "500px",
+                      margin: "auto",
+                      marginTop: "80px",
+                    }}
+                  >
+                    <Step
+                      title={i18next.t("forget:Account")}
+                      icon={<UserOutlined />}
+                    />
+                    <Step
+                      title={i18next.t("forget:Verify")}
+                      icon={<SolutionOutlined />}
+                    />
+                    <Step
+                      title={i18next.t("forget:Reset")}
+                      icon={<KeyOutlined />}
+                    />
+                  </Steps>
+                </Col>
+              </Row>
+            </Col>
+            <Col span={24} style={{display: "flex", justifyContent: "center"}}>
+              <div style={{marginTop: "10px", textAlign: "center"}}>
+                {this.renderForm(application)}
               </div>
             </Col>
           </Row>
-          <Row>
-            <Col span={24}>
-              <div style={{textAlign: "center", fontSize: "28px"}}>
-                {i18next.t("forget:Retrieve password")}
-              </div>
-            </Col>
-          </Row>
-          <Row>
-            <Col span={24}>
-              <Steps
-                current={this.state.current}
-                style={{
-                  width: "90%",
-                  maxWidth: "500px",
-                  margin: "auto",
-                  marginTop: "80px",
-                }}
-              >
-                <Step
-                  title={i18next.t("forget:Account")}
-                  icon={<UserOutlined />}
-                />
-                <Step
-                  title={i18next.t("forget:Verify")}
-                  icon={<SolutionOutlined />}
-                />
-                <Step
-                  title={i18next.t("forget:Reset")}
-                  icon={<KeyOutlined />}
-                />
-              </Steps>
-            </Col>
-          </Row>
-        </Col>
-        <Col span={24} style={{display: "flex", justifyContent: "center"}}>
-          <div style={{marginTop: "10px", textAlign: "center"}}>
-            {this.renderForm(application)}
-          </div>
-        </Col>
-      </Row>
+        </div>
+      </div>
     );
   }
 }
 
-export default ForgetPage;
+export default withRouter(ForgetPage);