Compare commits

...

7 Commits

Author SHA1 Message Date
6a1ec51978 feat: fix SSRF when download avatar (#1193) 2022-10-20 14:47:08 +08:00
dffa68cbce feat: fix SAML login error bug (#1228)
* Update LoginPage.js

* fix saml login error
2022-10-20 01:14:38 +08:00
fad209a7a3 Don't check username in UpdateUser() API 2022-10-19 22:50:19 +08:00
8b222ce2e3 Use Steam ID as username 2022-10-18 22:07:20 +08:00
c5293f428d fix: delete this accidentally added files (#1229)
* fix: delete this accidentally added files

* fix: ignore build result

* fix: remove unnecessary asterisk
2022-10-18 21:55:34 +08:00
146aec9ee8 feat: skip username restriction for new users coming from OAuth providers. (#1225) 2022-10-17 18:01:01 +08:00
50a52de856 feat: support database version control (#1221)
* feat: support Database version control

* Update adapter.go

* fix review problems

* Update adapter.go

Co-authored-by: Yang Luo <hsluoyz@qq.com>
2022-10-15 17:20:20 +08:00
15 changed files with 117 additions and 51 deletions

3
.gitignore vendored
View File

@ -27,3 +27,6 @@ logs/
files/
lastupdate.tmp
commentsRouter*.go
# ignore build result
casdoor

BIN
casdoor

Binary file not shown.

View File

@ -203,12 +203,6 @@ func (c *ApiController) Signup() {
}
}
msg = object.CheckUsername(user.Name)
if msg != "" {
c.ResponseError(msg)
return
}
affected := object.AddUser(user)
if !affected {
c.ResponseError(fmt.Sprintf("Failed to create user, user information is invalid: %s", util.StructToJson(user)))

View File

@ -411,12 +411,6 @@ func (c *ApiController) Login() {
// sync info from 3rd-party if possible
object.SetUserOAuthProperties(organization, user, provider.Type, userInfo)
msg := object.CheckUsername(user.Name)
if msg != "" {
c.ResponseError(msg)
return
}
affected := object.AddUser(user)
if !affected {
c.ResponseError(fmt.Sprintf("Failed to create user, user information is invalid: %s", util.StructToJson(user)))

View File

@ -158,12 +158,6 @@ func (c *ApiController) UpdateUser() {
columns = strings.Split(columnsStr, ",")
}
msg := object.CheckUsername(user.Name)
if msg != "" {
c.ResponseError(msg)
return
}
isGlobalAdmin := c.IsGlobalAdmin()
affected := object.UpdateUser(id, &user, columns, isGlobalAdmin)
if affected {

View File

@ -282,7 +282,7 @@ func getUser(gothUser goth.User, provider string) *UserInfo {
}
}
if provider == "steam" {
user.Username = user.DisplayName
user.Username = user.Id
user.Email = ""
}
return &user

View File

@ -19,11 +19,13 @@ import (
"runtime"
"github.com/beego/beego"
xormadapter "github.com/casbin/xorm-adapter/v3"
"github.com/casdoor/casdoor/conf"
"github.com/casdoor/casdoor/util"
_ "github.com/denisenkom/go-mssqldb" // db = mssql
_ "github.com/go-sql-driver/mysql" // db = mysql
_ "github.com/lib/pq" // db = postgres
"xorm.io/xorm/migrate"
//_ "github.com/mattn/go-sqlite3" // db = sqlite3
"xorm.io/core"
"xorm.io/xorm"
@ -40,6 +42,7 @@ func InitConfig() {
beego.BConfig.WebConfig.Session.SessionOn = true
InitAdapter(true)
initMigrations()
}
func InitAdapter(createDatabase bool) {
@ -214,6 +217,11 @@ func (a *Adapter) createTable() {
if err != nil {
panic(err)
}
err = a.Engine.Sync2(new(xormadapter.CasbinRule))
if err != nil {
panic(err)
}
}
func GetSession(owner string, offset, limit int, field, value, sortField, sortOrder string) *xorm.Session {
@ -239,3 +247,22 @@ func GetSession(owner string, offset, limit int, field, value, sortField, sortOr
}
return session
}
func initMigrations() {
migrations := []*migrate.Migration{
{
ID: "20221015CasbinRule--fill ptype field with p",
Migrate: func(tx *xorm.Engine) error {
_, err := tx.Cols("ptype").Update(&xormadapter.CasbinRule{
Ptype: "p",
})
return err
},
Rollback: func(tx *xorm.Engine) error {
return tx.DropTables(&xormadapter.CasbinRule{})
},
},
}
m := migrate.New(adapter.Engine, migrate.DefaultOptions, migrations)
m.Migrate()
}

View File

@ -50,7 +50,7 @@ func downloadFile(url string) (*bytes.Buffer, error) {
return fileBuffer, nil
}
func getPermanentAvatarUrl(organization string, username string, url string) string {
func getPermanentAvatarUrl(organization string, username string, url string, upload bool) string {
if url == "" {
return ""
}
@ -62,6 +62,14 @@ func getPermanentAvatarUrl(organization string, username string, url string) str
fullFilePath := fmt.Sprintf("/avatar/%s/%s.png", organization, username)
uploadedFileUrl, _ := getUploadFileUrl(defaultStorageProvider, fullFilePath, false)
if upload {
DownloadAndUpload(url, fullFilePath)
}
return uploadedFileUrl
}
func DownloadAndUpload(url string, fullFilePath string) {
fileBuffer, err := downloadFile(url)
if err != nil {
panic(err)
@ -71,6 +79,4 @@ func getPermanentAvatarUrl(organization string, username string, url string) str
if err != nil {
panic(err)
}
return uploadedFileUrl
}

View File

@ -32,7 +32,7 @@ func TestSyncPermanentAvatars(t *testing.T) {
continue
}
user.PermanentAvatar = getPermanentAvatarUrl(user.Owner, user.Name, user.Avatar)
user.PermanentAvatar = getPermanentAvatarUrl(user.Owner, user.Name, user.Avatar, true)
updateUserColumn("permanent_avatar", user)
fmt.Printf("[%d/%d]: Update user: [%s]'s permanent avatar: %s\n", i, len(users), user.GetId(), user.PermanentAvatar)
}

View File

@ -59,6 +59,11 @@ func CheckUserSignup(application *Application, organization *Organization, usern
if reWhiteSpace.MatchString(username) {
return "username cannot contain white spaces"
}
msg := CheckUsername(username)
if msg != "" {
return msg
}
if HasUserByField(organization.Name, "name", username) {
return "username already exists"
}
@ -314,16 +319,16 @@ func CheckAccessPermission(userId string, application *Application) (bool, error
return allowed, err
}
func CheckUsername(name string) string {
if name == "" {
func CheckUsername(username string) string {
if username == "" {
return "Empty username."
} else if len(name) > 39 {
} else if len(username) > 39 {
return "Username is too long (maximum is 39 characters)."
}
// https://stackoverflow.com/questions/58726546/github-username-convention-using-regex
re, _ := regexp.Compile("^[a-zA-Z0-9]+((?:-[a-zA-Z0-9]+)|(?:_[a-zA-Z0-9]+))*$")
if !re.MatchString(name) {
if !re.MatchString(username) {
return "The username may only contain alphanumeric characters, underlines or hyphens, cannot have consecutive hyphens or underlines, and cannot begin or end with a hyphen or underline."
}

View File

@ -120,7 +120,7 @@ func (syncer *Syncer) updateUserForOriginalFields(user *User) (bool, error) {
}
if user.Avatar != oldUser.Avatar && user.Avatar != "" {
user.PermanentAvatar = getPermanentAvatarUrl(user.Owner, user.Name, user.Avatar)
user.PermanentAvatar = getPermanentAvatarUrl(user.Owner, user.Name, user.Avatar, true)
}
columns := syncer.getCasdoorColumns()

View File

@ -386,7 +386,7 @@ func UpdateUser(id string, user *User, columns []string, isGlobalAdmin bool) boo
user.UpdateUserHash()
if user.Avatar != oldUser.Avatar && user.Avatar != "" && user.PermanentAvatar != "*" {
user.PermanentAvatar = getPermanentAvatarUrl(user.Owner, user.Name, user.Avatar)
user.PermanentAvatar = getPermanentAvatarUrl(user.Owner, user.Name, user.Avatar, false)
}
if len(columns) == 0 {
@ -419,7 +419,7 @@ func UpdateUserForAllFields(id string, user *User) bool {
user.UpdateUserHash()
if user.Avatar != oldUser.Avatar && user.Avatar != "" {
user.PermanentAvatar = getPermanentAvatarUrl(user.Owner, user.Name, user.Avatar)
user.PermanentAvatar = getPermanentAvatarUrl(user.Owner, user.Name, user.Avatar, false)
}
affected, err := adapter.Engine.ID(core.PK{owner, name}).AllCols().Update(user)
@ -449,7 +449,7 @@ func AddUser(user *User) bool {
user.UpdateUserHash()
user.PreHash = user.Hash
user.PermanentAvatar = getPermanentAvatarUrl(user.Owner, user.Name, user.Avatar)
user.PermanentAvatar = getPermanentAvatarUrl(user.Owner, user.Name, user.Avatar, false)
user.Ranking = GetUserCount(user.Owner, "", "") + 1
@ -474,7 +474,7 @@ func AddUsers(users []*User) bool {
user.UpdateUserHash()
user.PreHash = user.Hash
user.PermanentAvatar = getPermanentAvatarUrl(user.Owner, user.Name, user.Avatar)
user.PermanentAvatar = getPermanentAvatarUrl(user.Owner, user.Name, user.Avatar, true)
}
affected, err := adapter.Engine.Insert(users)

View File

@ -12,19 +12,21 @@
// See the License for the specific language governing permissions and
// limitations under the License.
import React, {useState} from "react";
import React, {useEffect, useState} from "react";
import Cropper from "react-cropper";
import "cropperjs/dist/cropper.css";
import * as Setting from "./Setting";
import {Button, Col, Modal, Row} from "antd";
import {Button, Col, Modal, Row, Select} from "antd";
import i18next from "i18next";
import * as ResourceBackend from "./backend/ResourceBackend";
export const CropperDiv = (props) => {
const [loading, setLoading] = useState(true);
const [options, setOptions] = useState([]);
const [image, setImage] = useState("");
const [cropper, setCropper] = useState();
const [visible, setVisible] = React.useState(false);
const [confirmLoading, setConfirmLoading] = React.useState(false);
const [visible, setVisible] = useState(false);
const [confirmLoading, setConfirmLoading] = useState(false);
const {title} = props;
const {user} = props;
const {buttonText} = props;
@ -60,7 +62,7 @@ export const CropperDiv = (props) => {
ResourceBackend.uploadResource(user.owner, user.name, "avatar", "CropperDiv", fullFilePath, blob)
.then((res) => {
if (res.status === "ok") {
window.location.href = "/account";
window.location.href = window.location.pathname;
} else {
Setting.showMessage("error", res.msg);
}
@ -88,6 +90,48 @@ export const CropperDiv = (props) => {
uploadButton.click();
};
const getOptions = (data) => {
const options = [];
if (props.account.organization.defaultAvatar !== null) {
options.push({value: props.account.organization.defaultAvatar});
}
for (let i = 0; i < data.length; i++) {
if (data[i].fileType === "image") {
const url = `${data[i].url}`;
options.push({
value: url,
});
}
}
return options;
};
const getBase64Image = (src) => {
return new Promise((resolve) => {
const image = new Image();
image.src = src;
image.setAttribute("crossOrigin", "anonymous");
image.onload = () => {
const canvas = document.createElement("canvas");
canvas.width = image.width;
canvas.height = image.height;
const ctx = canvas.getContext("2d");
ctx.drawImage(image, 0, 0, image.width, image.height);
const dataURL = canvas.toDataURL("image/png");
resolve(dataURL);
};
});
};
useEffect(() => {
setLoading(true);
ResourceBackend.getResources(props.account.owner, props.account.name, "", "", "", "", "", "")
.then((res) => {
setLoading(false);
setOptions(getOptions(res));
});
}, []);
return (
<div>
<Button type="default" onClick={showModal}>
@ -105,10 +149,20 @@ export const CropperDiv = (props) => {
[<Button block key="submit" type="primary" onClick={handleOk}>{i18next.t("user:Set new profile picture")}</Button>]
}
>
<Col style={{margin: "0px auto 40px auto", width: 1000, height: 300}}>
<Col style={{margin: "0px auto 60px auto", width: 1000, height: 350}}>
<Row style={{width: "100%", marginBottom: "20px"}}>
<input style={{display: "none"}} ref={input => uploadButton = input} type="file" accept="image/*" onChange={onChange} />
<Button block onClick={selectFile}>{i18next.t("user:Select a photo...")}</Button>
<Select
style={{width: "100%"}}
loading={loading}
placeholder={i18next.t("user:Please select avatar from resources")}
onChange={(async value => {
setImage(await getBase64Image(value));
})}
options={options}
allowClear={true}
/>
</Row>
<Cropper
style={{height: "100%"}}

View File

@ -17,7 +17,6 @@ import {Button, Card, Col, Input, Result, Row, Select, Spin, Switch} from "antd"
import * as UserBackend from "./backend/UserBackend";
import * as OrganizationBackend from "./backend/OrganizationBackend";
import * as Setting from "./Setting";
import {LinkOutlined} from "@ant-design/icons";
import i18next from "i18next";
import CropperDiv from "./CropperDiv.js";
import * as ApplicationBackend from "./backend/ApplicationBackend";
@ -232,16 +231,6 @@ class UserEditPage extends React.Component {
{Setting.getLabel(i18next.t("general:Avatar"), i18next.t("general:Avatar - Tooltip"))} :
</Col>
<Col span={22} >
<Row style={{marginTop: "20px"}} >
<Col style={{marginTop: "5px"}} span={(Setting.isMobile()) ? 22 : 2}>
{i18next.t("general:URL")}:
</Col>
<Col span={22} >
<Input prefix={<LinkOutlined />} value={this.state.user.avatar} onChange={e => {
this.updateUserField("avatar", e.target.value);
}} />
</Col>
</Row>
<Row style={{marginTop: "20px"}} >
<Col style={{marginTop: "5px"}} span={(Setting.isMobile()) ? 22 : 2}>
{i18next.t("general:Preview")}:

View File

@ -156,8 +156,8 @@ class LoginPage extends React.Component {
values["type"] = "saml";
}
if (this.state.owner !== null && this.state.owner !== undefined) {
values["organization"] = this.state.owner;
if (this.state.application.organization !== null && this.state.application.organization !== undefined) {
values["organization"] = this.state.application.organization;
}
}
postCodeLoginAction(res) {