fix: fix Swagger docs page (#2025 )

Signed-off-by: baihhh <2542274498@qq.com>
feat: add tags to application (#2027 )
2025-07-23 22:53:31 +08:00 · 2023-06-30 00:48:39 +08:00 · 2023-06-30 00:04:12 +08:00 · 2023-06-29 21:44:14 +08:00 · 2023-06-29 18:56:19 +08:00 · 2023-06-28 09:19:39 +08:00
127 changed files with 4106 additions and 2567 deletions
--- a/conf/conf.go
+++ b/conf/conf.go
@ -110,7 +110,7 @@ func GetLanguage(language string) string {
 		return "en"
 	}

-	if len(language) != 2 {
+	if len(language) != 2 || language == "nu" {
 		return "en"
 	} else {
 		return language
--- a/controllers/account.go
+++ b/controllers/account.go
@ -370,6 +370,7 @@ func (c *ApiController) GetAccount() {

 	user.Permissions = object.GetMaskedPermissions(user.Permissions)
 	user.Roles = object.GetMaskedRoles(user.Roles)
+	user.MultiFactorAuths = object.GetAllMfaProps(user, true)

 	organization, err := object.GetMaskedOrganization(object.GetOrganizationByUser(user))
 	if err != nil {
--- a/controllers/application.go
+++ b/controllers/application.go
@ -50,7 +50,8 @@ func (c *ApiController) GetApplications() {
 		}

 		if err != nil {
-			panic(err)
+			c.ResponseError(err.Error())
+			return
 		}

 		c.Data["json"] = object.GetMaskedApplications(applications, userId)
@ -59,13 +60,15 @@ func (c *ApiController) GetApplications() {
 		limit := util.ParseInt(limit)
 		count, err := object.GetApplicationCount(owner, field, value)
 		if err != nil {
-			panic(err)
+			c.ResponseError(err.Error())
+			return
 		}

 		paginator := pagination.SetPaginator(c.Ctx, limit, count)
 		app, err := object.GetPaginationApplications(owner, paginator.Offset(), limit, field, value, sortField, sortOrder)
 		if err != nil {
-			panic(err)
+			c.ResponseError(err.Error())
+			return
 		}

 		applications := object.GetMaskedApplications(app, userId)
@ -85,7 +88,8 @@ func (c *ApiController) GetApplication() {
 	id := c.Input().Get("id")
 	app, err := object.GetApplication(id)
 	if err != nil {
-		panic(err)
+		c.ResponseError(err.Error())
+		return
 	}

 	c.Data["json"] = object.GetMaskedApplication(app, userId)
@ -104,7 +108,8 @@ func (c *ApiController) GetUserApplication() {
 	id := c.Input().Get("id")
 	user, err := object.GetUser(id)
 	if err != nil {
-		panic(err)
+		c.ResponseError(err.Error())
+		return
 	}

 	if user == nil {
@ -114,7 +119,8 @@ func (c *ApiController) GetUserApplication() {

 	app, err := object.GetApplicationByUser(user)
 	if err != nil {
-		panic(err)
+		c.ResponseError(err.Error())
+		return
 	}

 	c.Data["json"] = object.GetMaskedApplication(app, userId)
@ -147,7 +153,8 @@ func (c *ApiController) GetOrganizationApplications() {
 	if limit == "" || page == "" {
 		applications, err := object.GetOrganizationApplications(owner, organization)
 		if err != nil {
-			panic(err)
+			c.ResponseError(err.Error())
+			return
 		}

 		c.Data["json"] = object.GetMaskedApplications(applications, userId)
--- a/controllers/auth.go
+++ b/controllers/auth.go
@ -69,9 +69,18 @@ func (c *ApiController) HandleLoggedIn(application *object.Application, user *ob
 		return
 	}

+	// check user's tag
+	if !user.IsGlobalAdmin && !user.IsAdmin && len(application.Tags) > 0 {
+		// only users with the tag that is listed in the application tags can login
+		if !util.InSlice(application.Tags, user.Tag) {
+			c.ResponseError(fmt.Sprintf(c.T("auth:User's tag: %s is not listed in the application's tags"), user.Tag))
+			return
+		}
+	}
+
 	if form.Password != "" && user.IsMfaEnabled() {
 		c.setMfaSessionData(&object.MfaSessionData{UserId: userId})
-		resp = &Response{Status: object.NextMfa, Data: user.GetPreferMfa(true)}
+		resp = &Response{Status: object.NextMfa, Data: user.GetPreferredMfaProps(true)}
 		return
 	}

@ -238,7 +247,7 @@ func isProxyProviderType(providerType string) bool {
 // @Param code_challenge_method   query    string  false code_challenge_method
 // @Param code_challenge          query    string  false code_challenge
 // @Param   form   body   controllers.AuthForm  true        "Login information"
-// @Success 200 {object} Response The Response object
+// @Success 200 {object} controllers.Response The Response object
 // @router /login [post]
 func (c *ApiController) Login() {
 	resp := &Response{}
@ -656,15 +665,20 @@ func (c *ApiController) Login() {
 		}

 		if authForm.Passcode != "" {
-			MfaUtil := object.GetMfaUtil(authForm.MfaType, user.GetPreferMfa(false))
-			err = MfaUtil.Verify(authForm.Passcode)
+			mfaUtil := object.GetMfaUtil(authForm.MfaType, user.GetPreferredMfaProps(false))
+			if mfaUtil == nil {
+				c.ResponseError("Invalid multi-factor authentication type")
+				return
+			}
+
+			err = mfaUtil.Verify(authForm.Passcode)
 			if err != nil {
 				c.ResponseError(err.Error())
 				return
 			}
 		}
 		if authForm.RecoveryCode != "" {
-			err = object.RecoverTfs(user, authForm.RecoveryCode)
+			err = object.MfaRecover(user, authForm.RecoveryCode)
 			if err != nil {
 				c.ResponseError(err.Error())
 				return
@ -751,7 +765,8 @@ func (c *ApiController) HandleSamlLogin() {
 func (c *ApiController) HandleOfficialAccountEvent() {
 	respBytes, err := ioutil.ReadAll(c.Ctx.Request.Body)
 	if err != nil {
-		panic(err)
+		c.ResponseError(err.Error())
+		return
 	}

 	var data struct {
@ -761,7 +776,8 @@ func (c *ApiController) HandleOfficialAccountEvent() {
 	}
 	err = xml.Unmarshal(respBytes, &data)
 	if err != nil {
-		panic(err)
+		c.ResponseError(err.Error())
+		return
 	}

 	lock.Lock()
--- a/controllers/base.go
+++ b/controllers/base.go
@ -79,7 +79,8 @@ func (c *ApiController) getCurrentUser() *object.User {
 	} else {
 		user, err = object.GetUser(userId)
 		if err != nil {
-			panic(err)
+			c.ResponseError(err.Error())
+			return nil
 		}
 	}
 	return user
@ -112,7 +113,8 @@ func (c *ApiController) GetSessionApplication() *object.Application {
 	}
 	application, err := object.GetApplicationByClientId(clientId.(string))
 	if err != nil {
-		panic(err)
+		c.ResponseError(err.Error())
+		return nil
 	}

 	return application
@ -177,6 +179,10 @@ func (c *ApiController) SetSessionData(s *SessionData) {
 }

 func (c *ApiController) setMfaSessionData(data *object.MfaSessionData) {
+	if data == nil {
+		c.SetSession(object.MfaSessionUserId, nil)
+		return
+	}
 	c.SetSession(object.MfaSessionUserId, data.UserId)
 }

--- a/controllers/cert.go
+++ b/controllers/cert.go
@ -41,7 +41,8 @@ func (c *ApiController) GetCerts() {
 	if limit == "" || page == "" {
 		maskedCerts, err := object.GetMaskedCerts(object.GetCerts(owner))
 		if err != nil {
-			panic(err)
+			c.ResponseError(err.Error())
+			return
 		}

 		c.Data["json"] = maskedCerts
@ -50,13 +51,15 @@ func (c *ApiController) GetCerts() {
 		limit := util.ParseInt(limit)
 		count, err := object.GetCertCount(owner, field, value)
 		if err != nil {
-			panic(err)
+			c.ResponseError(err.Error())
+			return
 		}

 		paginator := pagination.SetPaginator(c.Ctx, limit, count)
 		certs, err := object.GetMaskedCerts(object.GetPaginationCerts(owner, paginator.Offset(), limit, field, value, sortField, sortOrder))
 		if err != nil {
-			panic(err)
+			c.ResponseError(err.Error())
+			return
 		}

 		c.ResponseOk(certs, paginator.Nums())
@ -80,7 +83,8 @@ func (c *ApiController) GetGlobleCerts() {
 	if limit == "" || page == "" {
 		maskedCerts, err := object.GetMaskedCerts(object.GetGlobleCerts())
 		if err != nil {
-			panic(err)
+			c.ResponseError(err.Error())
+			return
 		}

 		c.Data["json"] = maskedCerts
@ -89,13 +93,15 @@ func (c *ApiController) GetGlobleCerts() {
 		limit := util.ParseInt(limit)
 		count, err := object.GetGlobalCertsCount(field, value)
 		if err != nil {
-			panic(err)
+			c.ResponseError(err.Error())
+			return
 		}

 		paginator := pagination.SetPaginator(c.Ctx, limit, count)
 		certs, err := object.GetMaskedCerts(object.GetPaginationGlobalCerts(paginator.Offset(), limit, field, value, sortField, sortOrder))
 		if err != nil {
-			panic(err)
+			c.ResponseError(err.Error())
+			return
 		}

 		c.ResponseOk(certs, paginator.Nums())
@ -113,7 +119,8 @@ func (c *ApiController) GetCert() {
 	id := c.Input().Get("id")
 	cert, err := object.GetCert(id)
 	if err != nil {
-		panic(err)
+		c.ResponseError(err.Error())
+		return
 	}

 	c.Data["json"] = object.GetMaskedCert(cert)
--- a/controllers/chat.go
+++ b/controllers/chat.go
@ -41,7 +41,8 @@ func (c *ApiController) GetChats() {
 	if limit == "" || page == "" {
 		maskedChats, err := object.GetMaskedChats(object.GetChats(owner))
 		if err != nil {
-			panic(err)
+			c.ResponseError(err.Error())
+			return
 		}

 		c.Data["json"] = maskedChats
@ -77,7 +78,8 @@ func (c *ApiController) GetChat() {

 	maskedChat, err := object.GetMaskedChat(object.GetChat(id))
 	if err != nil {
-		panic(err)
+		c.ResponseError(err.Error())
+		return
 	}

 	c.Data["json"] = maskedChat
--- a/controllers/enforcer.go
+++ b/controllers/enforcer.go
@ -44,14 +44,26 @@ func (c *ApiController) Enforce() {
 	}

 	if permissionId != "" {
-		enforceResult, err := object.Enforce(permissionId, &request)
+		permission, err := object.GetPermission(permissionId)
 		if err != nil {
 			c.ResponseError(err.Error())
 			return
 		}

 		res := []bool{}
-		res = append(res, enforceResult)
+
+		if permission == nil {
+			res = append(res, false)
+		} else {
+			enforceResult, err := object.Enforce(permission, &request)
+			if err != nil {
+				c.ResponseError(err.Error())
+				return
+			}
+
+			res = append(res, enforceResult)
+		}
+
 		c.ResponseOk(res)
 		return
 	}
@ -76,8 +88,16 @@ func (c *ApiController) Enforce() {
 	}

 	res := []bool{}
-	for _, permission := range permissions {
-		enforceResult, err := object.Enforce(permission.GetId(), &request)
+
+	listPermissionIdMap := object.GroupPermissionsByModelAdapter(permissions)
+	for _, permissionIds := range listPermissionIdMap {
+		firstPermission, err := object.GetPermission(permissionIds[0])
+		if err != nil {
+			c.ResponseError(err.Error())
+			return
+		}
+
+		enforceResult, err := object.Enforce(firstPermission, &request, permissionIds...)
 		if err != nil {
 			c.ResponseError(err.Error())
 			return
@ -85,6 +105,7 @@ func (c *ApiController) Enforce() {

 		res = append(res, enforceResult)
 	}
+
 	c.ResponseOk(res)
 }

@ -109,14 +130,32 @@ func (c *ApiController) BatchEnforce() {
 	}

 	if permissionId != "" {
-		enforceResult, err := object.BatchEnforce(permissionId, &requests)
+		permission, err := object.GetPermission(permissionId)
 		if err != nil {
 			c.ResponseError(err.Error())
 			return
 		}

 		res := [][]bool{}
-		res = append(res, enforceResult)
+
+		if permission == nil {
+			l := len(requests)
+			resRequest := make([]bool, l)
+			for i := 0; i < l; i++ {
+				resRequest[i] = false
+			}
+
+			res = append(res, resRequest)
+		} else {
+			enforceResult, err := object.BatchEnforce(permission, &requests)
+			if err != nil {
+				c.ResponseError(err.Error())
+				return
+			}
+
+			res = append(res, enforceResult)
+		}
+
 		c.ResponseOk(res)
 		return
 	}
@ -135,8 +174,16 @@ func (c *ApiController) BatchEnforce() {
 	}

 	res := [][]bool{}
-	for _, permission := range permissions {
-		enforceResult, err := object.BatchEnforce(permission.GetId(), &requests)
+
+	listPermissionIdMap := object.GroupPermissionsByModelAdapter(permissions)
+	for _, permissionIds := range listPermissionIdMap {
+		firstPermission, err := object.GetPermission(permissionIds[0])
+		if err != nil {
+			c.ResponseError(err.Error())
+			return
+		}
+
+		enforceResult, err := object.BatchEnforce(firstPermission, &requests, permissionIds...)
 		if err != nil {
 			c.ResponseError(err.Error())
 			return
@ -144,6 +191,7 @@ func (c *ApiController) BatchEnforce() {

 		res = append(res, enforceResult)
 	}
+
 	c.ResponseOk(res)
 }

--- a/controllers/message.go
+++ b/controllers/message.go
@ -53,7 +53,8 @@ func (c *ApiController) GetMessages() {
 		}

 		if err != nil {
-			panic(err)
+			c.ResponseError(err.Error())
+			return
 		}

 		c.Data["json"] = object.GetMaskedMessages(messages)
@ -89,7 +90,8 @@ func (c *ApiController) GetMessage() {
 	id := c.Input().Get("id")
 	message, err := object.GetMessage(id)
 	if err != nil {
-		panic(err)
+		c.ResponseError(err.Error())
+		return
 	}

 	c.Data["json"] = object.GetMaskedMessage(message)
@ -100,7 +102,8 @@ func (c *ApiController) ResponseErrorStream(errorText string) {
 	event := fmt.Sprintf("event: myerror\ndata: %s\n\n", errorText)
 	_, err := c.Ctx.ResponseWriter.Write([]byte(event))
 	if err != nil {
-		panic(err)
+		c.ResponseError(err.Error())
+		return
 	}
 }

@ -196,7 +199,8 @@ func (c *ApiController) GetMessageAnswer() {
 	event := fmt.Sprintf("event: end\ndata: %s\n\n", "end")
 	_, err = c.Ctx.ResponseWriter.Write([]byte(event))
 	if err != nil {
-		panic(err)
+		c.ResponseError(err.Error())
+		return
 	}

 	answer := stringBuilder.String()
@ -204,7 +208,8 @@ func (c *ApiController) GetMessageAnswer() {
 	message.Text = answer
 	_, err = object.UpdateMessage(message.GetId(), message)
 	if err != nil {
-		panic(err)
+		c.ResponseError(err.Error())
+		return
 	}
 }

--- a/controllers/mfa.go
+++ b/controllers/mfa.go
@ -17,7 +17,6 @@ package controllers
 import (
 	"net/http"

-	"github.com/beego/beego"
 	"github.com/casdoor/casdoor/object"
 	"github.com/casdoor/casdoor/util"
 )
@ -29,12 +28,12 @@ import (
 // @param owner	form	string	true	"owner of user"
 // @param name	form	string	true	"name of user"
 // @param type	form	string	true	"MFA auth type"
-// @Success 200 {object}   The Response object
+// @Success 200 {object} controllers.Response The Response object
 // @router /mfa/setup/initiate [post]
 func (c *ApiController) MfaSetupInitiate() {
 	owner := c.Ctx.Request.Form.Get("owner")
 	name := c.Ctx.Request.Form.Get("name")
-	authType := c.Ctx.Request.Form.Get("type")
+	mfaType := c.Ctx.Request.Form.Get("mfaType")
 	userId := util.GetId(owner, name)

 	if len(userId) == 0 {
@ -42,10 +41,11 @@ func (c *ApiController) MfaSetupInitiate() {
 		return
 	}

-	MfaUtil := object.GetMfaUtil(authType, nil)
+	MfaUtil := object.GetMfaUtil(mfaType, nil)
 	if MfaUtil == nil {
 		c.ResponseError("Invalid auth type")
 	}
+
 	user, err := object.GetUser(userId)
 	if err != nil {
 		c.ResponseError(err.Error())
@ -57,10 +57,7 @@ func (c *ApiController) MfaSetupInitiate() {
 		return
 	}

-	issuer := beego.AppConfig.String("appname")
-	accountName := user.GetId()
-
-	mfaProps, err := MfaUtil.Initiate(c.Ctx, issuer, accountName)
+	mfaProps, err := MfaUtil.Initiate(c.Ctx, user.GetId())
 	if err != nil {
 		c.ResponseError(err.Error())
 		return
@ -79,16 +76,20 @@ func (c *ApiController) MfaSetupInitiate() {
 // @Success 200 {object}  Response object
 // @router /mfa/setup/verify [post]
 func (c *ApiController) MfaSetupVerify() {
-	authType := c.Ctx.Request.Form.Get("type")
+	mfaType := c.Ctx.Request.Form.Get("mfaType")
 	passcode := c.Ctx.Request.Form.Get("passcode")

-	if authType == "" || passcode == "" {
+	if mfaType == "" || passcode == "" {
 		c.ResponseError("missing auth type or passcode")
 		return
 	}
-	MfaUtil := object.GetMfaUtil(authType, nil)
+	mfaUtil := object.GetMfaUtil(mfaType, nil)
+	if mfaUtil == nil {
+		c.ResponseError("Invalid multi-factor authentication type")
+		return
+	}

-	err := MfaUtil.SetupVerify(c.Ctx, passcode)
+	err := mfaUtil.SetupVerify(c.Ctx, passcode)
 	if err != nil {
 		c.ResponseError(err.Error())
 	} else {
@ -108,7 +109,7 @@ func (c *ApiController) MfaSetupVerify() {
 func (c *ApiController) MfaSetupEnable() {
 	owner := c.Ctx.Request.Form.Get("owner")
 	name := c.Ctx.Request.Form.Get("name")
-	authType := c.Ctx.Request.Form.Get("type")
+	mfaType := c.Ctx.Request.Form.Get("mfaType")

 	user, err := object.GetUser(util.GetId(owner, name))
 	if err != nil {
@ -121,8 +122,13 @@ func (c *ApiController) MfaSetupEnable() {
 		return
 	}

-	twoFactor := object.GetMfaUtil(authType, nil)
-	err = twoFactor.Enable(c.Ctx, user)
+	mfaUtil := object.GetMfaUtil(mfaType, nil)
+	if mfaUtil == nil {
+		c.ResponseError("Invalid multi-factor authentication type")
+		return
+	}
+
+	err = mfaUtil.Enable(c.Ctx, user)
 	if err != nil {
 		c.ResponseError(err.Error())
 		return
@ -137,11 +143,9 @@ func (c *ApiController) MfaSetupEnable() {
 // @Description: Delete MFA
 // @param owner	form	string	true	"owner of user"
 // @param name	form	string	true	"name of user"
-// @param id	form	string	true	"id of user's MFA props"
 // @Success 200 {object}  Response object
 // @router /delete-mfa/ [post]
 func (c *ApiController) DeleteMfa() {
-	id := c.Ctx.Request.Form.Get("id")
 	owner := c.Ctx.Request.Form.Get("owner")
 	name := c.Ctx.Request.Form.Get("name")
 	userId := util.GetId(owner, name)
@ -151,28 +155,18 @@ func (c *ApiController) DeleteMfa() {
 		c.ResponseError(err.Error())
 		return
 	}
-
 	if user == nil {
 		c.ResponseError("User doesn't exist")
 		return
 	}

-	mfaProps := user.MultiFactorAuths[:0]
-	i := 0
-	for _, mfaProp := range mfaProps {
-		if mfaProp.Id != id {
-			mfaProps[i] = mfaProp
-			i++
-		}
-	}
-	user.MultiFactorAuths = mfaProps
-	_, err = object.UpdateUser(userId, user, []string{"multi_factor_auths"}, user.IsAdminUser())
+	err = object.DisabledMultiFactorAuth(user)
 	if err != nil {
 		c.ResponseError(err.Error())
 		return
 	}

-	c.ResponseOk(user.MultiFactorAuths)
+	c.ResponseOk(object.GetAllMfaProps(user, true))
 }

 // SetPreferredMfa
@ -185,7 +179,7 @@ func (c *ApiController) DeleteMfa() {
 // @Success 200 {object}  Response object
 // @router /set-preferred-mfa [post]
 func (c *ApiController) SetPreferredMfa() {
-	id := c.Ctx.Request.Form.Get("id")
+	mfaType := c.Ctx.Request.Form.Get("mfaType")
 	owner := c.Ctx.Request.Form.Get("owner")
 	name := c.Ctx.Request.Form.Get("name")
 	userId := util.GetId(owner, name)
@ -195,29 +189,15 @@ func (c *ApiController) SetPreferredMfa() {
 		c.ResponseError(err.Error())
 		return
 	}
-
 	if user == nil {
 		c.ResponseError("User doesn't exist")
 		return
 	}

-	mfaProps := user.MultiFactorAuths
-	for i, mfaProp := range user.MultiFactorAuths {
-		if mfaProp.Id == id {
-			mfaProps[i].IsPreferred = true
-		} else {
-			mfaProps[i].IsPreferred = false
-		}
-	}
-
-	_, err = object.UpdateUser(userId, user, []string{"multi_factor_auths"}, user.IsAdminUser())
+	err = object.SetPreferredMultiFactorAuth(user, mfaType)
 	if err != nil {
 		c.ResponseError(err.Error())
 		return
 	}
-
-	for i, mfaProp := range mfaProps {
-		mfaProps[i] = object.GetMaskedProps(mfaProp)
-	}
-	c.ResponseOk(mfaProps)
+	c.ResponseOk(object.GetAllMfaProps(user, true))
 }
--- a/controllers/model.go
+++ b/controllers/model.go
@ -41,7 +41,8 @@ func (c *ApiController) GetModels() {
 	if limit == "" || page == "" {
 		models, err := object.GetModels(owner)
 		if err != nil {
-			panic(err)
+			c.ResponseError(err.Error())
+			return
 		}

 		c.Data["json"] = models
@ -77,7 +78,8 @@ func (c *ApiController) GetModel() {

 	model, err := object.GetModel(id)
 	if err != nil {
-		panic(err)
+		c.ResponseError(err.Error())
+		return
 	}

 	c.Data["json"] = model
--- a/controllers/organization.go
+++ b/controllers/organization.go
@ -38,16 +38,25 @@ func (c *ApiController) GetOrganizations() {
 	sortField := c.Input().Get("sortField")
 	sortOrder := c.Input().Get("sortOrder")

+	isGlobalAdmin := c.IsGlobalAdmin()
 	if limit == "" || page == "" {
-		maskedOrganizations, err := object.GetMaskedOrganizations(object.GetOrganizations(owner))
+		var maskedOrganizations []*object.Organization
+		var err error
+
+		if isGlobalAdmin {
+			maskedOrganizations, err = object.GetMaskedOrganizations(object.GetOrganizations(owner))
+		} else {
+			maskedOrganizations, err = object.GetMaskedOrganizations(object.GetOrganizations(owner, c.getCurrentUser().Owner))
+		}
+
 		if err != nil {
-			panic(err)
+			c.ResponseError(err.Error())
+			return
 		}

 		c.Data["json"] = maskedOrganizations
 		c.ServeJSON()
 	} else {
-		isGlobalAdmin := c.IsGlobalAdmin()
 		if !isGlobalAdmin {
 			maskedOrganizations, err := object.GetMaskedOrganizations(object.GetOrganizations(owner, c.getCurrentUser().Owner))
 			if err != nil {
--- a/controllers/payment.go
+++ b/controllers/payment.go
@ -42,7 +42,8 @@ func (c *ApiController) GetPayments() {
 	if limit == "" || page == "" {
 		payments, err := object.GetPayments(owner)
 		if err != nil {
-			panic(err)
+			c.ResponseError(err.Error())
+			return
 		}

 		c.Data["json"] = payments
@ -51,13 +52,15 @@ func (c *ApiController) GetPayments() {
 		limit := util.ParseInt(limit)
 		count, err := object.GetPaymentCount(owner, organization, field, value)
 		if err != nil {
-			panic(err)
+			c.ResponseError(err.Error())
+			return
 		}

 		paginator := pagination.SetPaginator(c.Ctx, limit, count)
 		payments, err := object.GetPaginationPayments(owner, organization, paginator.Offset(), limit, field, value, sortField, sortOrder)
 		if err != nil {
-			panic(err)
+			c.ResponseError(err.Error())
+			return
 		}

 		c.ResponseOk(payments, paginator.Nums())
@ -99,7 +102,8 @@ func (c *ApiController) GetPayment() {

 	payment, err := object.GetPayment(id)
 	if err != nil {
-		panic(err)
+		c.ResponseError(err.Error())
+		return
 	}

 	c.Data["json"] = payment
@ -190,7 +194,8 @@ func (c *ApiController) NotifyPayment() {
 	}

 	if err != nil {
-		panic(err)
+		c.ResponseError(err.Error())
+		return
 	}
 }

--- a/controllers/permission.go
+++ b/controllers/permission.go
@ -41,7 +41,8 @@ func (c *ApiController) GetPermissions() {
 	if limit == "" || page == "" {
 		permissions, err := object.GetPermissions(owner)
 		if err != nil {
-			panic(err)
+			c.ResponseError(err.Error())
+			return
 		}

 		c.Data["json"] = permissions
@ -50,13 +51,15 @@ func (c *ApiController) GetPermissions() {
 		limit := util.ParseInt(limit)
 		count, err := object.GetPermissionCount(owner, field, value)
 		if err != nil {
-			panic(err)
+			c.ResponseError(err.Error())
+			return
 		}

 		paginator := pagination.SetPaginator(c.Ctx, limit, count)
 		permissions, err := object.GetPaginationPermissions(owner, paginator.Offset(), limit, field, value, sortField, sortOrder)
 		if err != nil {
-			panic(err)
+			c.ResponseError(err.Error())
+			return
 		}

 		c.ResponseOk(permissions, paginator.Nums())
@ -116,7 +119,8 @@ func (c *ApiController) GetPermission() {

 	permission, err := object.GetPermission(id)
 	if err != nil {
-		panic(err)
+		c.ResponseError(err.Error())
+		return
 	}

 	c.Data["json"] = permission
--- a/controllers/plan.go
+++ b/controllers/plan.go
@ -41,7 +41,8 @@ func (c *ApiController) GetPlans() {
 	if limit == "" || page == "" {
 		plans, err := object.GetPlans(owner)
 		if err != nil {
-			panic(err)
+			c.ResponseError(err.Error())
+			return
 		}

 		c.Data["json"] = plans
@ -79,13 +80,15 @@ func (c *ApiController) GetPlan() {

 	plan, err := object.GetPlan(id)
 	if err != nil {
-		panic(err)
+		c.ResponseError(err.Error())
+		return
 	}

 	if includeOption {
 		options, err := object.GetPermissionsByRole(plan.Role)
 		if err != nil {
-			panic(err)
+			c.ResponseError(err.Error())
+			return
 		}

 		for _, option := range options {
--- a/controllers/pricing.go
+++ b/controllers/pricing.go
@ -41,7 +41,8 @@ func (c *ApiController) GetPricings() {
 	if limit == "" || page == "" {
 		pricings, err := object.GetPricings(owner)
 		if err != nil {
-			panic(err)
+			c.ResponseError(err.Error())
+			return
 		}

 		c.Data["json"] = pricings
@ -70,14 +71,15 @@ func (c *ApiController) GetPricings() {
 // @Tag Pricing API
 // @Description get pricing
 // @Param   id     query    string  true        "The id ( owner/name ) of the pricing"
-// @Success 200 {object} object.pricing The Response object
+// @Success 200 {object} object.Pricing The Response object
 // @router /get-pricing [get]
 func (c *ApiController) GetPricing() {
 	id := c.Input().Get("id")

 	pricing, err := object.GetPricing(id)
 	if err != nil {
-		panic(err)
+		c.ResponseError(err.Error())
+		return
 	}

 	c.Data["json"] = pricing
--- a/controllers/product.go
+++ b/controllers/product.go
@ -42,7 +42,8 @@ func (c *ApiController) GetProducts() {
 	if limit == "" || page == "" {
 		products, err := object.GetProducts(owner)
 		if err != nil {
-			panic(err)
+			c.ResponseError(err.Error())
+			return
 		}

 		c.Data["json"] = products
@ -78,12 +79,14 @@ func (c *ApiController) GetProduct() {

 	product, err := object.GetProduct(id)
 	if err != nil {
-		panic(err)
+		c.ResponseError(err.Error())
+		return
 	}

 	err = object.ExtendProductWithProviders(product)
 	if err != nil {
-		panic(err)
+		c.ResponseError(err.Error())
+		return
 	}

 	c.Data["json"] = product
--- a/controllers/provider.go
+++ b/controllers/provider.go
@ -46,7 +46,8 @@ func (c *ApiController) GetProviders() {
 	if limit == "" || page == "" {
 		providers, err := object.GetProviders(owner)
 		if err != nil {
-			panic(err)
+			c.ResponseError(err.Error())
+			return
 		}

 		c.ResponseOk(object.GetMaskedProviders(providers, isMaskEnabled))
@ -92,7 +93,8 @@ func (c *ApiController) GetGlobalProviders() {
 	if limit == "" || page == "" {
 		globalProviders, err := object.GetGlobalProviders()
 		if err != nil {
-			panic(err)
+			c.ResponseError(err.Error())
+			return
 		}

 		c.ResponseOk(object.GetMaskedProviders(globalProviders, isMaskEnabled))
--- a/controllers/record.go
+++ b/controllers/record.go
@ -46,7 +46,8 @@ func (c *ApiController) GetRecords() {
 	if limit == "" || page == "" {
 		records, err := object.GetRecords()
 		if err != nil {
-			panic(err)
+			c.ResponseError(err.Error())
+			return
 		}

 		c.Data["json"] = records
@ -84,12 +85,14 @@ func (c *ApiController) GetRecordsByFilter() {
 	record := &object.Record{}
 	err := util.JsonToStruct(body, record)
 	if err != nil {
-		panic(err)
+		c.ResponseError(err.Error())
+		return
 	}

 	records, err := object.GetRecordsByField(record)
 	if err != nil {
-		panic(err)
+		c.ResponseError(err.Error())
+		return
 	}

 	c.Data["json"] = records
--- a/controllers/resource.go
+++ b/controllers/resource.go
@ -53,7 +53,8 @@ func (c *ApiController) GetResources() {
 	if limit == "" || page == "" {
 		resources, err := object.GetResources(owner, user)
 		if err != nil {
-			panic(err)
+			c.ResponseError(err.Error())
+			return
 		}

 		c.Data["json"] = resources
@ -86,7 +87,8 @@ func (c *ApiController) GetResource() {

 	resource, err := object.GetResource(id)
 	if err != nil {
-		panic(err)
+		c.ResponseError(err.Error())
+		return
 	}

 	c.Data["json"] = resource
--- a/controllers/role.go
+++ b/controllers/role.go
@ -41,7 +41,8 @@ func (c *ApiController) GetRoles() {
 	if limit == "" || page == "" {
 		roles, err := object.GetRoles(owner)
 		if err != nil {
-			panic(err)
+			c.ResponseError(err.Error())
+			return
 		}

 		c.Data["json"] = roles
@ -77,7 +78,8 @@ func (c *ApiController) GetRole() {

 	role, err := object.GetRole(id)
 	if err != nil {
-		panic(err)
+		c.ResponseError(err.Error())
+		return
 	}

 	c.Data["json"] = role
--- a/controllers/session.go
+++ b/controllers/session.go
@ -41,7 +41,8 @@ func (c *ApiController) GetSessions() {
 	if limit == "" || page == "" {
 		sessions, err := object.GetSessions(owner)
 		if err != nil {
-			panic(err)
+			c.ResponseError(err.Error())
+			return
 		}

 		c.Data["json"] = sessions
@ -76,7 +77,8 @@ func (c *ApiController) GetSingleSession() {

 	session, err := object.GetSingleSession(id)
 	if err != nil {
-		panic(err)
+		c.ResponseError(err.Error())
+		return
 	}

 	c.Data["json"] = session
@ -155,7 +157,8 @@ func (c *ApiController) IsSessionDuplicated() {

 	isUserSessionDuplicated, err := object.IsSessionDuplicated(id, sessionId)
 	if err != nil {
-		panic(err)
+		c.ResponseError(err.Error())
+		return
 	}

 	c.Data["json"] = &Response{Status: "ok", Msg: "", Data: isUserSessionDuplicated}
--- a/controllers/subscription.go
+++ b/controllers/subscription.go
@ -41,7 +41,8 @@ func (c *ApiController) GetSubscriptions() {
 	if limit == "" || page == "" {
 		subscriptions, err := object.GetSubscriptions(owner)
 		if err != nil {
-			panic(err)
+			c.ResponseError(err.Error())
+			return
 		}

 		c.Data["json"] = subscriptions
@ -70,14 +71,15 @@ func (c *ApiController) GetSubscriptions() {
 // @Tag Subscription API
 // @Description get subscription
 // @Param   id     query    string  true        "The id ( owner/name ) of the subscription"
-// @Success 200 {object} object.subscription The Response object
+// @Success 200 {object} object.Subscription The Response object
 // @router /get-subscription [get]
 func (c *ApiController) GetSubscription() {
 	id := c.Input().Get("id")

 	subscription, err := object.GetSubscription(id)
 	if err != nil {
-		panic(err)
+		c.ResponseError(err.Error())
+		return
 	}

 	c.Data["json"] = subscription
--- a/controllers/syncer.go
+++ b/controllers/syncer.go
@ -42,7 +42,8 @@ func (c *ApiController) GetSyncers() {
 	if limit == "" || page == "" {
 		organizationSyncers, err := object.GetOrganizationSyncers(owner, organization)
 		if err != nil {
-			panic(err)
+			c.ResponseError(err.Error())
+			return
 		}

 		c.Data["json"] = organizationSyncers
@ -78,7 +79,8 @@ func (c *ApiController) GetSyncer() {

 	syncer, err := object.GetSyncer(id)
 	if err != nil {
-		panic(err)
+		c.ResponseError(err.Error())
+		return
 	}

 	c.Data["json"] = syncer
--- a/controllers/token.go
+++ b/controllers/token.go
@ -43,7 +43,8 @@ func (c *ApiController) GetTokens() {
 	if limit == "" || page == "" {
 		token, err := object.GetTokens(owner, organization)
 		if err != nil {
-			panic(err)
+			c.ResponseError(err.Error())
+			return
 		}

 		c.Data["json"] = token
@ -78,7 +79,8 @@ func (c *ApiController) GetToken() {
 	id := c.Input().Get("id")
 	token, err := object.GetToken(id)
 	if err != nil {
-		panic(err)
+		c.ResponseError(err.Error())
+		return
 	}

 	c.Data["json"] = token
@ -193,7 +195,8 @@ func (c *ApiController) GetOAuthToken() {
 	host := c.Ctx.Request.Host
 	oAuthtoken, err := object.GetOAuthToken(grantType, clientId, clientSecret, code, verifier, scope, username, password, host, refreshToken, tag, avatar, c.GetAcceptLanguage())
 	if err != nil {
-		panic(err)
+		c.ResponseError(err.Error())
+		return
 	}

 	c.Data["json"] = oAuthtoken
@ -236,7 +239,8 @@ func (c *ApiController) RefreshToken() {

 	refreshToken2, err := object.RefreshToken(grantType, refreshToken, scope, clientId, clientSecret, host)
 	if err != nil {
-		panic(err)
+		c.ResponseError(err.Error())
+		return
 	}

 	c.Data["json"] = refreshToken2
@ -276,7 +280,8 @@ func (c *ApiController) IntrospectToken() {
 	}
 	application, err := object.GetApplicationByClientId(clientId)
 	if err != nil {
-		panic(err)
+		c.ResponseError(err.Error())
+		return
 	}

 	if application == nil || application.ClientSecret != clientSecret {
@ -289,7 +294,8 @@ func (c *ApiController) IntrospectToken() {
 	}
 	token, err := object.GetTokenByTokenAndApplication(tokenValue, application.Name)
 	if err != nil {
-		panic(err)
+		c.ResponseError(err.Error())
+		return
 	}

 	if token == nil {
--- a/controllers/user.go
+++ b/controllers/user.go
@ -41,7 +41,8 @@ func (c *ApiController) GetGlobalUsers() {
 	if limit == "" || page == "" {
 		maskedUsers, err := object.GetMaskedUsers(object.GetGlobalUsers())
 		if err != nil {
-			panic(err)
+			c.ResponseError(err.Error())
+			return
 		}

 		c.Data["json"] = maskedUsers
@ -101,7 +102,8 @@ func (c *ApiController) GetUsers() {

 		maskedUsers, err := object.GetMaskedUsers(object.GetUsers(owner))
 		if err != nil {
-			panic(err)
+			c.ResponseError(err.Error())
+			return
 		}

 		c.Data["json"] = maskedUsers
@ -153,7 +155,8 @@ func (c *ApiController) GetUser() {
 	if userId != "" && owner != "" {
 		userFromUserId, err = object.GetUserByUserId(owner, userId)
 		if err != nil {
-			panic(err)
+			c.ResponseError(err.Error())
+			return
 		}

 		id = util.GetId(userFromUserId.Owner, userFromUserId.Name)
@ -165,7 +168,8 @@ func (c *ApiController) GetUser() {

 	organization, err := object.GetOrganization(util.GetId("admin", owner))
 	if err != nil {
-		panic(err)
+		c.ResponseError(err.Error())
+		return
 	}

 	if !organization.IsProfilePublic {
@ -190,17 +194,21 @@ func (c *ApiController) GetUser() {
 	}

 	if err != nil {
-		panic(err)
+		c.ResponseError(err.Error())
+		return
 	}

+	user.MultiFactorAuths = object.GetAllMfaProps(user, true)
 	err = object.ExtendUserWithRolesAndPermissions(user)
 	if err != nil {
-		panic(err)
+		c.ResponseError(err.Error())
+		return
 	}

 	maskedUser, err := object.GetMaskedUser(user)
 	if err != nil {
-		panic(err)
+		c.ResponseError(err.Error())
+		return
 	}

 	c.Data["json"] = maskedUser
@ -415,6 +423,7 @@ func (c *ApiController) SetPassword() {

 	requestUserId := c.GetSessionUsername()
 	if requestUserId == "" && code == "" {
+		c.ResponseError(c.T("general:Please login first"), "Please login first")
 		return
 	} else if code == "" {
 		hasPermission, err := object.CheckUserPermission(requestUserId, userId, true, c.GetAcceptLanguage())
@ -424,7 +433,7 @@ func (c *ApiController) SetPassword() {
 		}
 	} else {
 		if code != c.GetSession("verifiedCode") {
-			c.ResponseError("")
+			c.ResponseError(c.T("general:Missing parameter"))
 			return
 		}
 		c.SetSession("verifiedCode", "")
@ -496,7 +505,8 @@ func (c *ApiController) GetSortedUsers() {

 	maskedUsers, err := object.GetMaskedUsers(object.GetSortedUsers(owner, sorter, limit))
 	if err != nil {
-		panic(err)
+		c.ResponseError(err.Error())
+		return
 	}

 	c.Data["json"] = maskedUsers
@ -556,8 +566,8 @@ func (c *ApiController) AddUserkeys() {
 func (c *ApiController) RemoveUserFromGroup() {
 	owner := c.Ctx.Request.Form.Get("owner")
 	name := c.Ctx.Request.Form.Get("name")
-	groupId := c.Ctx.Request.Form.Get("groupId")
+	groupName := c.Ctx.Request.Form.Get("groupName")

-	c.Data["json"] = wrapActionResponse(object.RemoveUserFromGroup(owner, name, groupId))
+	c.Data["json"] = wrapActionResponse(object.RemoveUserFromGroup(owner, name, groupName))
 	c.ServeJSON()
 }
--- a/controllers/user_upload.go
+++ b/controllers/user_upload.go
@ -19,13 +19,14 @@ import (
 	"io"
 	"mime/multipart"
 	"os"
+	"path/filepath"

 	"github.com/casdoor/casdoor/object"
 	"github.com/casdoor/casdoor/util"
 )

 func saveFile(path string, file *multipart.File) (err error) {
-	f, err := os.Create(path)
+	f, err := os.Create(filepath.Clean(path))
 	if err != nil {
 		return err
 	}
--- a/controllers/util.go
+++ b/controllers/util.go
@ -55,6 +55,9 @@ func (c *ApiController) T(error string) string {
 // GetAcceptLanguage ...
 func (c *ApiController) GetAcceptLanguage() string {
 	language := c.Ctx.Request.Header.Get("Accept-Language")
+	if len(language) > 2 {
+		language = language[0:2]
+	}
 	return conf.GetLanguage(language)
 }

@ -94,7 +97,8 @@ func (c *ApiController) RequireSignedInUser() (*object.User, bool) {

 	user, err := object.GetUser(userId)
 	if err != nil {
-		panic(err)
+		c.ResponseError(err.Error())
+		return nil, false
 	}

 	if user == nil {
--- a/controllers/verification.go
+++ b/controllers/verification.go
@ -93,9 +93,10 @@ func (c *ApiController) SendVerificationCode() {
 		}
 	}

-	// mfaSessionData != nil, means method is MfaSetupVerification
+	// mfaSessionData != nil, means method is MfaAuthVerification
 	if mfaSessionData := c.getMfaSessionData(); mfaSessionData != nil {
 		user, err = object.GetUser(mfaSessionData.UserId)
+		c.setMfaSessionData(nil)
 		if err != nil {
 			c.ResponseError(err.Error())
 			return
@ -129,7 +130,7 @@ func (c *ApiController) SendVerificationCode() {
 		} else if vform.Method == ResetVerification {
 			user = c.getCurrentUser()
 		} else if vform.Method == MfaAuthVerification {
-			mfaProps := user.GetPreferMfa(false)
+			mfaProps := user.GetPreferredMfaProps(false)
 			if user != nil && util.GetMaskedEmail(mfaProps.Secret) == vform.Dest {
 				vform.Dest = mfaProps.Secret
 			}
@ -157,12 +158,14 @@ func (c *ApiController) SendVerificationCode() {
 			}

 			vform.CountryCode = user.GetCountryCode(vform.CountryCode)
-		} else if vform.Method == ResetVerification {
-			if user = c.getCurrentUser(); user != nil {
-				vform.CountryCode = user.GetCountryCode(vform.CountryCode)
+		} else if vform.Method == ResetVerification || vform.Method == MfaSetupVerification {
+			if vform.CountryCode == "" {
+				if user = c.getCurrentUser(); user != nil {
+					vform.CountryCode = user.GetCountryCode(vform.CountryCode)
+				}
 			}
 		} else if vform.Method == MfaAuthVerification {
-			mfaProps := user.GetPreferMfa(false)
+			mfaProps := user.GetPreferredMfaProps(false)
 			if user != nil && util.GetMaskedPhone(mfaProps.Secret) == vform.Dest {
 				vform.Dest = mfaProps.Secret
 			}
--- a/controllers/webauthn.go
+++ b/controllers/webauthn.go
@ -66,7 +66,7 @@ func (c *ApiController) WebAuthnSignupBegin() {
 // @Tag User API
 // @Description WebAuthn Registration Flow 2nd stage
 // @Param   body    body   protocol.CredentialCreationResponse  true        "authenticator attestation Response"
-// @Success 200 {object} Response "The Response object"
+// @Success 200 {object} controllers.Response "The Response object"
 // @router /webauthn/signup/finish [post]
 func (c *ApiController) WebAuthnSignupFinish() {
 	webauthnObj, err := object.GetWebAuthnObject(c.Ctx.Request.Host)
@ -150,7 +150,7 @@ func (c *ApiController) WebAuthnSigninBegin() {
 // @Tag Login API
 // @Description WebAuthn Login Flow 2nd stage
 // @Param   body    body   protocol.CredentialAssertionResponse  true        "authenticator assertion Response"
-// @Success 200 {object} Response "The Response object"
+// @Success 200 {object} controllers.Response "The Response object"
 // @router /webauthn/signin/finish [post]
 func (c *ApiController) WebAuthnSigninFinish() {
 	responseType := c.Input().Get("responseType")
--- a/controllers/webhook.go
+++ b/controllers/webhook.go
@ -42,7 +42,8 @@ func (c *ApiController) GetWebhooks() {
 	if limit == "" || page == "" {
 		webhooks, err := object.GetWebhooks(owner, organization)
 		if err != nil {
-			panic(err)
+			c.ResponseError(err.Error())
+			return
 		}

 		c.Data["json"] = webhooks
@ -79,7 +80,8 @@ func (c *ApiController) GetWebhook() {

 	webhook, err := object.GetWebhook(id)
 	if err != nil {
-		panic(err)
+		c.ResponseError(err.Error())
+		return
 	}

 	c.Data["json"] = webhook
--- a/deployment/deploy.go
+++ b/deployment/deploy.go
@ -17,6 +17,7 @@ package deployment
 import (
 	"fmt"
 	"os"
+	"path/filepath"
 	"strings"

 	"github.com/casdoor/casdoor/object"
@ -45,7 +46,7 @@ func uploadFolder(storageProvider oss.StorageInterface, folder string) {
 			continue
 		}

-		file, err := os.Open(path + filename)
+		file, err := os.Open(filepath.Clean(path + filename))
 		if err != nil {
 			panic(err)
 		}
--- a/go.mod
+++ b/go.mod
@ -42,14 +42,14 @@ require (
 	github.com/nu7hatch/gouuid v0.0.0-20131221200532-179d4d0c4d8d // indirect
 	github.com/nyaruka/phonenumbers v1.1.5
 	github.com/pkoukk/tiktoken-go v0.1.1
-	github.com/plutov/paypal/v4 v4.7.0
+	github.com/pquerna/otp v1.4.0
 	github.com/prometheus/client_golang v1.11.1
 	github.com/prometheus/client_model v0.2.0
 	github.com/qiangmzsx/string-adapter/v2 v2.1.0
 	github.com/robfig/cron/v3 v3.0.1
 	github.com/russellhaering/gosaml2 v0.9.0
 	github.com/russellhaering/goxmldsig v1.2.0
-	github.com/sashabaranov/go-openai v1.9.1
+	github.com/sashabaranov/go-openai v1.12.0
 	github.com/satori/go.uuid v1.2.0
 	github.com/shiena/ansicolor v0.0.0-20200904210342-c7312218db18 // indirect
 	github.com/shirou/gopsutil v3.21.11+incompatible
@ -59,7 +59,7 @@ require (
 	github.com/tealeg/xlsx v1.0.5
 	github.com/thanhpk/randstr v1.0.4
 	github.com/tklauser/go-sysconf v0.3.10 // indirect
-	github.com/xorm-io/builder v0.3.13 // indirect
+	github.com/xorm-io/builder v0.3.13
 	github.com/xorm-io/core v0.7.4
 	github.com/xorm-io/xorm v1.1.6
 	github.com/yusufpapurcu/wmi v1.2.2 // indirect
--- a/go.sum
+++ b/go.sum
@ -105,6 +105,8 @@ github.com/beorn7/perks v0.0.0-20180321164747-3a771d992973/go.mod h1:Dwedo/Wpr24
 github.com/beorn7/perks v1.0.0/go.mod h1:KWe93zE9D1o94FZ5RNwFwVgaQK1VOXiVxmqh+CedLV8=
 github.com/beorn7/perks v1.0.1 h1:VlbKKnNfV8bJzeqoa4cOKqO6bYr3WgKZxO8Z16+hsOM=
 github.com/beorn7/perks v1.0.1/go.mod h1:G2ZrVWU2WbWT9wwq4/hrbKbnv/1ERSJQ0ibhJ6rlkpw=
+github.com/boombuler/barcode v1.0.1-0.20190219062509-6c824513bacc h1:biVzkmvwrH8WK8raXaxBx6fRVTlJILwEwQGL1I/ByEI=
+github.com/boombuler/barcode v1.0.1-0.20190219062509-6c824513bacc/go.mod h1:paBWMcWSl3LHKBqUq+rly7CNSldXjb2rDl3JlRe0mD8=
 github.com/bradfitz/gomemcache v0.0.0-20180710155616-bc664df96737/go.mod h1:PmM6Mmwb0LSuEubjR8N7PtNe1KxZLtOUHtbeikc5h60=
 github.com/bwesterb/go-ristretto v1.2.0/go.mod h1:fUIoIZaG73pV5biE2Blr2xEzDoMj7NFEuV9ekS419A0=
 github.com/casbin/casbin v1.7.0/go.mod h1:c67qKN6Oum3UF5Q1+BByfFxkwKvhwW57ITjqwtzR1KE=
@ -495,10 +497,10 @@ github.com/pkg/errors v0.9.1 h1:FEBLx1zS214owpjy7qsBeixbURkuhQAwrK5UwLGTwt4=
 github.com/pkg/errors v0.9.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
 github.com/pkoukk/tiktoken-go v0.1.1 h1:jtkYlIECjyM9OW1w4rjPmTohK4arORP9V25y6TM6nXo=
 github.com/pkoukk/tiktoken-go v0.1.1/go.mod h1:boMWvk9pQCOTx11pgu0DrIdrAKgQzzJKUP6vLXaz7Rw=
-github.com/plutov/paypal/v4 v4.7.0 h1:6TRvYD4ny6yQfHaABeStNf43GFM1wpW5jU/XEDGQmq0=
-github.com/plutov/paypal/v4 v4.7.0/go.mod h1:D56boafCRGcF/fEM0w282kj0fCDKIyrwOPX/Te1jCmw=
 github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM=
 github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
+github.com/pquerna/otp v1.4.0 h1:wZvl1TIVxKRThZIBiwOOHOGP/1+nZyWBil9Y2XNEDzg=
+github.com/pquerna/otp v1.4.0/go.mod h1:dkJfzwRKNiegxyNb54X/3fLwhCynbMspSyWKnvi1AEg=
 github.com/prometheus/client_golang v0.9.1/go.mod h1:7SWBe2y4D6OKWSNQJUaRYU/AaXPKyh/dDVn+NZz0KFw=
 github.com/prometheus/client_golang v0.9.3/go.mod h1:/TN21ttK/J9q6uSwhBd54HahCDft0ttaMvbicHlPoso=
 github.com/prometheus/client_golang v1.0.0/go.mod h1:db9x61etRT2tGnBNRi70OPL5FsnadC4Ky3P0J6CfImo=
@ -546,6 +548,8 @@ github.com/russross/blackfriday v1.5.2/go.mod h1:JO/DiYxRf+HjHt06OyowR9PTA263kcR
 github.com/russross/blackfriday/v2 v2.0.1/go.mod h1:+Rmxgy9KzJVeS9/2gXHxylqXiyQDYRxCVz55jmeOWTM=
 github.com/sashabaranov/go-openai v1.9.1 h1:3N52HkJKo9Zlo/oe1AVv5ZkCOny0ra58/ACvAxkN3MM=
 github.com/sashabaranov/go-openai v1.9.1/go.mod h1:lj5b/K+zjTSFxVLijLSTDZuP7adOgerWeFyZLUhAKRg=
+github.com/sashabaranov/go-openai v1.12.0 h1:aRNHH0gtVfrpIaEolD0sWrLLRnYQNK4cH/bIAHwL8Rk=
+github.com/sashabaranov/go-openai v1.12.0/go.mod h1:lj5b/K+zjTSFxVLijLSTDZuP7adOgerWeFyZLUhAKRg=
 github.com/satori/go.uuid v1.2.0 h1:0uYX9dsZ2yD7q2RtLRtPSdGDWzjeM3TbMJP9utgA0ww=
 github.com/satori/go.uuid v1.2.0/go.mod h1:dA0hQrYB0VpLJoorglMZABFdXlWrHn1NEOzdhQKdks0=
 github.com/sergi/go-diff v1.1.0 h1:we8PVUC3FE2uYfodKH/nBHMSetSfHDR6scGdBi+erh0=
@ -595,7 +599,6 @@ github.com/stretchr/testify v1.2.2/go.mod h1:a8OnRcib4nhh0OaRAV+Yts87kKdq0PP7pXf
 github.com/stretchr/testify v1.3.0/go.mod h1:M5WIy9Dh21IEIfnGCwXGc5bZfKNJtfHm1UVUgZn+9EI=
 github.com/stretchr/testify v1.4.0/go.mod h1:j7eGeouHqKxXV5pUuKE4zz7dFj8WfuZ+81PSLYec5m4=
 github.com/stretchr/testify v1.5.1/go.mod h1:5W2xD1RspED5o8YsWQXVCued0rvSQ+mT+I5cxcmMvtA=
-github.com/stretchr/testify v1.6.0/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
 github.com/stretchr/testify v1.6.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
 github.com/stretchr/testify v1.7.0/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
 github.com/stretchr/testify v1.7.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
--- a/i18n/locales/de/data.json
+++ b/i18n/locales/de/data.json
@ -18,7 +18,8 @@
    "The login method: login with password is not enabled for the application": "Die Anmeldeart \"Anmeldung mit Passwort\" ist für die Anwendung nicht aktiviert",
    "The provider: %s is not enabled for the application": "Der Anbieter: %s ist nicht für die Anwendung aktiviert",
    "Unauthorized operation": "Nicht autorisierte Operation",
-    "Unknown authentication type (not password or provider), form = %s": "Unbekannter Authentifizierungstyp (nicht Passwort oder Anbieter), Formular = %s"
+    "Unknown authentication type (not password or provider), form = %s": "Unbekannter Authentifizierungstyp (nicht Passwort oder Anbieter), Formular = %s",
+    "User's tag: %s is not listed in the application's tags": "User's tag: %s is not listed in the application's tags"
  },
  "cas": {
    "Service %s and %s do not match": "Service %s und %s stimmen nicht überein"
--- a/i18n/locales/en/data.json
+++ b/i18n/locales/en/data.json
@ -18,7 +18,8 @@
    "The login method: login with password is not enabled for the application": "The login method: login with password is not enabled for the application",
    "The provider: %s is not enabled for the application": "The provider: %s is not enabled for the application",
    "Unauthorized operation": "Unauthorized operation",
-    "Unknown authentication type (not password or provider), form = %s": "Unknown authentication type (not password or provider), form = %s"
+    "Unknown authentication type (not password or provider), form = %s": "Unknown authentication type (not password or provider), form = %s",
+    "User's tag: %s is not listed in the application's tags": "User's tag: %s is not listed in the application's tags"
  },
  "cas": {
    "Service %s and %s do not match": "Service %s and %s do not match"
--- a/i18n/locales/es/data.json
+++ b/i18n/locales/es/data.json
@ -18,7 +18,8 @@
    "The login method: login with password is not enabled for the application": "El método de inicio de sesión: inicio de sesión con contraseña no está habilitado para la aplicación",
    "The provider: %s is not enabled for the application": "El proveedor: %s no está habilitado para la aplicación",
    "Unauthorized operation": "Operación no autorizada",
-    "Unknown authentication type (not password or provider), form = %s": "Tipo de autenticación desconocido (no es contraseña o proveedor), formulario = %s"
+    "Unknown authentication type (not password or provider), form = %s": "Tipo de autenticación desconocido (no es contraseña o proveedor), formulario = %s",
+    "User's tag: %s is not listed in the application's tags": "User's tag: %s is not listed in the application's tags"
  },
  "cas": {
    "Service %s and %s do not match": "Los servicios %s y %s no coinciden"
--- a/i18n/locales/fr/data.json
+++ b/i18n/locales/fr/data.json
@ -18,7 +18,8 @@
    "The login method: login with password is not enabled for the application": "La méthode de connexion : connexion avec mot de passe n'est pas activée pour l'application",
    "The provider: %s is not enabled for the application": "Le fournisseur :%s n'est pas activé pour l'application",
    "Unauthorized operation": "Opération non autorisée",
-    "Unknown authentication type (not password or provider), form = %s": "Type d'authentification inconnu (pas de mot de passe ou de fournisseur), formulaire = %s"
+    "Unknown authentication type (not password or provider), form = %s": "Type d'authentification inconnu (pas de mot de passe ou de fournisseur), formulaire = %s",
+    "User's tag: %s is not listed in the application's tags": "User's tag: %s is not listed in the application's tags"
  },
  "cas": {
    "Service %s and %s do not match": "Les services %s et %s ne correspondent pas"
--- a/i18n/locales/id/data.json
+++ b/i18n/locales/id/data.json
@ -18,7 +18,8 @@
    "The login method: login with password is not enabled for the application": "Metode login: login dengan kata sandi tidak diaktifkan untuk aplikasi tersebut",
    "The provider: %s is not enabled for the application": "Penyedia: %s tidak diaktifkan untuk aplikasi ini",
    "Unauthorized operation": "Operasi tidak sah",
-    "Unknown authentication type (not password or provider), form = %s": "Jenis otentikasi tidak diketahui (bukan kata sandi atau pemberi), formulir = %s"
+    "Unknown authentication type (not password or provider), form = %s": "Jenis otentikasi tidak diketahui (bukan kata sandi atau pemberi), formulir = %s",
+    "User's tag: %s is not listed in the application's tags": "User's tag: %s is not listed in the application's tags"
  },
  "cas": {
    "Service %s and %s do not match": "Layanan %s dan %s tidak cocok"
--- a/i18n/locales/ja/data.json
+++ b/i18n/locales/ja/data.json
@ -18,7 +18,8 @@
    "The login method: login with password is not enabled for the application": "ログイン方法：パスワードでのログインはアプリケーションで有効になっていません",
    "The provider: %s is not enabled for the application": "プロバイダー：%sはアプリケーションでは有効化されていません",
    "Unauthorized operation": "不正操作",
-    "Unknown authentication type (not password or provider), form = %s": "不明な認証タイプ（パスワードまたはプロバイダーではない）フォーム=%s"
+    "Unknown authentication type (not password or provider), form = %s": "不明な認証タイプ（パスワードまたはプロバイダーではない）フォーム=%s",
+    "User's tag: %s is not listed in the application's tags": "User's tag: %s is not listed in the application's tags"
  },
  "cas": {
    "Service %s and %s do not match": "サービス%sと%sは一致しません"
--- a/i18n/locales/ko/data.json
+++ b/i18n/locales/ko/data.json
@ -18,7 +18,8 @@
    "The login method: login with password is not enabled for the application": "어플리케이션에서는 암호를 사용한 로그인 방법이 활성화되어 있지 않습니다",
    "The provider: %s is not enabled for the application": "제공자 %s은(는) 응용 프로그램에서 활성화되어 있지 않습니다",
    "Unauthorized operation": "무단 조작",
-    "Unknown authentication type (not password or provider), form = %s": "알 수 없는 인증 유형(암호 또는 공급자가 아님), 폼 = %s"
+    "Unknown authentication type (not password or provider), form = %s": "알 수 없는 인증 유형(암호 또는 공급자가 아님), 폼 = %s",
+    "User's tag: %s is not listed in the application's tags": "User's tag: %s is not listed in the application's tags"
  },
  "cas": {
    "Service %s and %s do not match": "서비스 %s와 %s는 일치하지 않습니다"
--- a/i18n/locales/pt/data.json
+++ b/i18n/locales/pt/data.json
@ -18,7 +18,8 @@
    "The login method: login with password is not enabled for the application": "The login method: login with password is not enabled for the application",
    "The provider: %s is not enabled for the application": "The provider: %s is not enabled for the application",
    "Unauthorized operation": "Unauthorized operation",
-    "Unknown authentication type (not password or provider), form = %s": "Unknown authentication type (not password or provider), form = %s"
+    "Unknown authentication type (not password or provider), form = %s": "Unknown authentication type (not password or provider), form = %s",
+    "User's tag: %s is not listed in the application's tags": "User's tag: %s is not listed in the application's tags"
  },
  "cas": {
    "Service %s and %s do not match": "Service %s and %s do not match"
--- a/i18n/locales/ru/data.json
+++ b/i18n/locales/ru/data.json
@ -18,7 +18,8 @@
    "The login method: login with password is not enabled for the application": "Метод входа: вход с паролем не включен для приложения",
    "The provider: %s is not enabled for the application": "Провайдер: %s не включен для приложения",
    "Unauthorized operation": "Несанкционированная операция",
-    "Unknown authentication type (not password or provider), form = %s": "Неизвестный тип аутентификации (не пароль и не провайдер), форма = %s"
+    "Unknown authentication type (not password or provider), form = %s": "Неизвестный тип аутентификации (не пароль и не провайдер), форма = %s",
+    "User's tag: %s is not listed in the application's tags": "User's tag: %s is not listed in the application's tags"
  },
  "cas": {
    "Service %s and %s do not match": "Сервисы %s и %s не совпадают"
--- a/i18n/locales/vi/data.json
+++ b/i18n/locales/vi/data.json
@ -18,7 +18,8 @@
    "The login method: login with password is not enabled for the application": "Phương thức đăng nhập: đăng nhập bằng mật khẩu không được kích hoạt cho ứng dụng",
    "The provider: %s is not enabled for the application": "Nhà cung cấp: %s không được kích hoạt cho ứng dụng",
    "Unauthorized operation": "Hoạt động không được ủy quyền",
-    "Unknown authentication type (not password or provider), form = %s": "Loại xác thực không xác định (không phải mật khẩu hoặc nhà cung cấp), biểu mẫu = %s"
+    "Unknown authentication type (not password or provider), form = %s": "Loại xác thực không xác định (không phải mật khẩu hoặc nhà cung cấp), biểu mẫu = %s",
+    "User's tag: %s is not listed in the application's tags": "User's tag: %s is not listed in the application's tags"
  },
  "cas": {
    "Service %s and %s do not match": "Dịch sang tiếng Việt: Dịch vụ %s và %s không khớp"
--- a/i18n/locales/zh/data.json
+++ b/i18n/locales/zh/data.json
@ -18,7 +18,8 @@
    "The login method: login with password is not enabled for the application": "该应用禁止采用密码登录方式",
    "The provider: %s is not enabled for the application": "该应用的提供商: %s未被启用",
    "Unauthorized operation": "未授权的操作",
-    "Unknown authentication type (not password or provider), form = %s": "未知的认证类型（非密码或第三方提供商）：%s"
+    "Unknown authentication type (not password or provider), form = %s": "未知的认证类型（非密码或第三方提供商）：%s",
+    "User's tag: %s is not listed in the application's tags": "用户的标签: %s不在该应用的标签列表中"
  },
  "cas": {
    "Service %s and %s do not match": "服务%s与%s不匹配"
--- a/idp/wechat.go
+++ b/idp/wechat.go
@ -198,12 +198,22 @@ func (idp *WeChatIdProvider) GetUserInfo(token *oauth2.Token) (*UserInfo, error)
 func GetWechatOfficialAccountAccessToken(clientId string, clientSecret string) (string, error) {
 	accessTokenUrl := fmt.Sprintf("https://api.weixin.qq.com/cgi-bin/token?grant_type=client_credential&appid=%s&secret=%s", clientId, clientSecret)
 	request, err := http.NewRequest("GET", accessTokenUrl, nil)
+	if err != nil {
+		return "", err
+	}
+
 	client := new(http.Client)
 	resp, err := client.Do(request)
+	if err != nil {
+		return "", err
+	}
+	defer resp.Body.Close()
+
 	respBytes, err := ioutil.ReadAll(resp.Body)
 	if err != nil {
 		return "", err
 	}
+
 	var data struct {
 		ExpireIn    int    `json:"expires_in"`
 		AccessToken string `json:"access_token"`
@ -212,20 +222,30 @@ func GetWechatOfficialAccountAccessToken(clientId string, clientSecret string) (
 	if err != nil {
 		return "", err
 	}
+
 	return data.AccessToken, nil
 }

 func GetWechatOfficialAccountQRCode(clientId string, clientSecret string) (string, error) {
 	accessToken, err := GetWechatOfficialAccountAccessToken(clientId, clientSecret)
 	client := new(http.Client)
-	params := "{\"action_name\": \"QR_LIMIT_STR_SCENE\", \"action_info\": {\"scene\": {\"scene_str\": \"test\"}}}"
+
+	weChatEndpoint := "https://api.weixin.qq.com/cgi-bin/qrcode/create"
+	qrCodeUrl := fmt.Sprintf("%s?access_token=%s", weChatEndpoint, accessToken)
+	params := `{"action_name": "QR_LIMIT_STR_SCENE", "action_info": {"scene": {"scene_str": "test"}}}`
+
 	bodyData := bytes.NewReader([]byte(params))
-	qrCodeUrl := fmt.Sprintf("https://api.weixin.qq.com/cgi-bin/qrcode/create?access_token=%s", accessToken)
 	requeset, err := http.NewRequest("POST", qrCodeUrl, bodyData)
+	if err != nil {
+		return "", err
+	}
+
 	resp, err := client.Do(requeset)
 	if err != nil {
 		return "", err
 	}
+	defer resp.Body.Close()
+
 	respBytes, err := ioutil.ReadAll(resp.Body)
 	if err != nil {
 		return "", err
--- a/object/adapter.go
+++ b/object/adapter.go
@ -145,11 +145,6 @@ func (a *Adapter) createTable() {
 		panic(err)
 	}

-	err = a.Engine.Sync2(new(UserGroupRelation))
-	if err != nil {
-		panic(err)
-	}
-
 	err = a.Engine.Sync2(new(Role))
 	if err != nil {
 		panic(err)
@ -280,7 +275,7 @@ func GetSession(owner string, offset, limit int, field, value, sortField, sortOr
 		session = session.And("owner=?", owner)
 	}
 	if field != "" && value != "" {
-		if filterField(field) {
+		if util.FilterField(field) {
 			session = session.And(fmt.Sprintf("%s like ?", util.SnakeString(field)), fmt.Sprintf("%%%s%%", value))
 		}
 	}
@ -308,7 +303,7 @@ func GetSessionForUser(owner string, offset, limit int, field, value, sortField,
 		}
 	}
 	if field != "" && value != "" {
-		if filterField(field) {
+		if util.FilterField(field) {
 			if offset != -1 {
 				field = fmt.Sprintf("a.%s", field)
 			}
--- a/object/application.go
+++ b/object/application.go
@ -57,6 +57,7 @@ type Application struct {
 	SignupItems         []*SignupItem   `xorm:"varchar(1000)" json:"signupItems"`
 	GrantTypes          []string        `xorm:"varchar(1000)" json:"grantTypes"`
 	OrganizationObj     *Organization   `xorm:"-" json:"organizationObj"`
+	Tags                []string        `xorm:"mediumtext" json:"tags"`

 	ClientId             string     `xorm:"varchar(100)" json:"clientId"`
 	ClientSecret         string     `xorm:"varchar(100)" json:"clientSecret"`
--- a/object/check.go
+++ b/object/check.go
@ -16,7 +16,6 @@ package object

 import (
 	"fmt"
-	"regexp"
 	"strings"
 	"time"
 	"unicode"
@ -28,21 +27,11 @@ import (
 	goldap "github.com/go-ldap/ldap/v3"
 )

-var (
-	reWhiteSpace     *regexp.Regexp
-	reFieldWhiteList *regexp.Regexp
-)
-
 const (
 	SigninWrongTimesLimit     = 5
 	LastSignWrongTimeDuration = time.Minute * 15
 )

-func init() {
-	reWhiteSpace, _ = regexp.Compile(`\s`)
-	reFieldWhiteList, _ = regexp.Compile(`^[A-Za-z0-9]+$`)
-}
-
 func CheckUserSignup(application *Application, organization *Organization, form *form.AuthForm, lang string) string {
 	if organization == nil {
 		return i18n.Translate(lang, "check:Organization does not exist")
@ -58,7 +47,7 @@ func CheckUserSignup(application *Application, organization *Organization, form
 		if util.IsEmailValid(form.Username) {
 			return i18n.Translate(lang, "check:Username cannot be an email address")
 		}
-		if reWhiteSpace.MatchString(form.Username) {
+		if util.ReWhiteSpace.MatchString(form.Username) {
 			return i18n.Translate(lang, "check:Username cannot contain white spaces")
 		}

@ -294,10 +283,6 @@ func CheckUserPassword(organization string, username string, password string, la
 	return user, ""
 }

-func filterField(field string) bool {
-	return reFieldWhiteList.MatchString(field)
-}
-
 func CheckUserPermission(requestUserId, userId string, strict bool, lang string) (bool, error) {
 	if requestUserId == "" {
 		return false, fmt.Errorf(i18n.Translate(lang, "general:Please login first"))
@ -396,14 +381,9 @@ func CheckUsername(username string, lang string) string {
 		return i18n.Translate(lang, "check:Username is too long (maximum is 39 characters).")
 	}

-	exclude, _ := regexp.Compile("^[\u0021-\u007E]+$")
-	if !exclude.MatchString(username) {
-		return ""
-	}
-
 	// https://stackoverflow.com/questions/58726546/github-username-convention-using-regex
-	re, _ := regexp.Compile("^[a-zA-Z0-9]+((?:-[a-zA-Z0-9]+)|(?:_[a-zA-Z0-9]+))*$")
-	if !re.MatchString(username) {
+
+	if !util.ReUserName.MatchString(username) {
 		return i18n.Translate(lang, "check:The username may only contain alphanumeric characters, underlines or hyphens, cannot have consecutive hyphens or underlines, and cannot begin or end with a hyphen or underline.")
 	}

--- a/object/group.go
+++ b/object/group.go
@ -19,6 +19,7 @@ import (
 	"fmt"

 	"github.com/casdoor/casdoor/util"
+	"github.com/xorm-io/builder"
 	"github.com/xorm-io/core"
 )

@ -28,13 +29,13 @@ type Group struct {
 	CreatedTime string `xorm:"varchar(100)" json:"createdTime"`
 	UpdatedTime string `xorm:"varchar(100)" json:"updatedTime"`

-	DisplayName  string    `xorm:"varchar(100)" json:"displayName"`
-	Manager      string    `xorm:"varchar(100)" json:"manager"`
-	ContactEmail string    `xorm:"varchar(100)" json:"contactEmail"`
-	Type         string    `xorm:"varchar(100)" json:"type"`
-	ParentId     string    `xorm:"varchar(100)" json:"parentId"`
-	IsTopGroup   bool      `xorm:"bool" json:"isTopGroup"`
-	Users        *[]string `xorm:"-" json:"users"`
+	DisplayName  string  `xorm:"varchar(100)" json:"displayName"`
+	Manager      string  `xorm:"varchar(100)" json:"manager"`
+	ContactEmail string  `xorm:"varchar(100)" json:"contactEmail"`
+	Type         string  `xorm:"varchar(100)" json:"type"`
+	ParentId     string  `xorm:"varchar(100)" json:"parentId"`
+	IsTopGroup   bool    `xorm:"bool" json:"isTopGroup"`
+	Users        []*User `xorm:"-" json:"users"`

 	Title    string   `json:"title,omitempty"`
 	Key      string   `json:"key,omitempty"`
@ -94,24 +95,6 @@ func getGroup(owner string, name string) (*Group, error) {
 	}
 }

-func getGroupByName(name string) (*Group, error) {
-	if name == "" {
-		return nil, nil
-	}
-
-	group := Group{Name: name}
-	existed, err := adapter.Engine.Get(&group)
-	if err != nil {
-		return nil, err
-	}
-
-	if existed {
-		return &group, nil
-	} else {
-		return nil, nil
-	}
-}
-
 func GetGroup(id string) (*Group, error) {
 	owner, name := util.GetOwnerAndNameFromId(id)
 	return getGroup(owner, name)
@ -124,7 +107,13 @@ func UpdateGroup(id string, group *Group) (bool, error) {
 		return false, err
 	}

-	group.UpdatedTime = util.GetCurrentTime()
+	if name != group.Name {
+		err := GroupChangeTrigger(name, group.Name)
+		if err != nil {
+			return false, err
+		}
+	}
+
 	affected, err := adapter.Engine.ID(core.PK{owner, name}).AllCols().Update(group)
 	if err != nil {
 		return false, err
@ -165,31 +154,14 @@ func DeleteGroup(group *Group) (bool, error) {
 		return false, errors.New("group has children group")
 	}

-	if count, err := GetGroupUserCount(group.GetId(), "", ""); err != nil {
+	if count, err := GetGroupUserCount(group.Name, "", ""); err != nil {
 		return false, err
 	} else if count > 0 {
 		return false, errors.New("group has users")
 	}

-	session := adapter.Engine.NewSession()
-	defer session.Close()
-
-	if err := session.Begin(); err != nil {
-		return false, err
-	}
-
-	if _, err := session.Delete(&UserGroupRelation{GroupName: group.Name}); err != nil {
-		session.Rollback()
-		return false, err
-	}
-
-	affected, err := session.ID(core.PK{group.Owner, group.Name}).Delete(&Group{})
+	affected, err := adapter.Engine.ID(core.PK{group.Owner, group.Name}).Delete(&Group{})
 	if err != nil {
-		session.Rollback()
-		return false, err
-	}
-
-	if err := session.Commit(); err != nil {
 		return false, err
 	}

@ -220,3 +192,113 @@ func ConvertToTreeData(groups []*Group, parentId string) []*Group {
 	}
 	return treeData
 }
+
+func RemoveUserFromGroup(owner, name, groupName string) (bool, error) {
+	user, err := getUser(owner, name)
+	if err != nil {
+		return false, err
+	}
+	if user == nil {
+		return false, errors.New("user not exist")
+	}
+
+	user.Groups = util.DeleteVal(user.Groups, groupName)
+	affected, err := updateUser(user.GetId(), user, []string{"groups"})
+	if err != nil {
+		return false, err
+	}
+	return affected != 0, err
+}
+
+func GetGroupUserCount(groupName string, field, value string) (int64, error) {
+	if field == "" && value == "" {
+		return adapter.Engine.Where(builder.Like{"`groups`", groupName}).
+			Count(&User{})
+	} else {
+		return adapter.Engine.Table("user").
+			Where(builder.Like{"`groups`", groupName}).
+			And(fmt.Sprintf("user.%s LIKE ?", util.CamelToSnakeCase(field)), "%"+value+"%").
+			Count()
+	}
+}
+
+func GetPaginationGroupUsers(groupName string, offset, limit int, field, value, sortField, sortOrder string) ([]*User, error) {
+	users := []*User{}
+	session := adapter.Engine.Table("user").
+		Where(builder.Like{"`groups`", groupName})
+
+	if offset != -1 && limit != -1 {
+		session.Limit(limit, offset)
+	}
+
+	if field != "" && value != "" {
+		session = session.And(fmt.Sprintf("user.%s LIKE ?", util.CamelToSnakeCase(field)), "%"+value+"%")
+	}
+
+	if sortField == "" || sortOrder == "" {
+		sortField = "created_time"
+	}
+	if sortOrder == "ascend" {
+		session = session.Asc(fmt.Sprintf("user.%s", util.SnakeString(sortField)))
+	} else {
+		session = session.Desc(fmt.Sprintf("user.%s", util.SnakeString(sortField)))
+	}
+
+	err := session.Find(&users)
+	if err != nil {
+		return nil, err
+	}
+
+	return users, nil
+}
+
+func GetGroupUsers(groupName string) ([]*User, error) {
+	users := []*User{}
+	err := adapter.Engine.Table("user").
+		Where(builder.Like{"`groups`", groupName}).
+		Find(&users)
+	if err != nil {
+		return nil, err
+	}
+
+	return users, nil
+}
+
+func GroupChangeTrigger(oldName, newName string) error {
+	session := adapter.Engine.NewSession()
+	defer session.Close()
+	err := session.Begin()
+	if err != nil {
+		return err
+	}
+
+	users := []*User{}
+	err = session.Where(builder.Like{"`groups`", oldName}).Find(&users)
+	if err != nil {
+		return err
+	}
+
+	for _, user := range users {
+		user.Groups = util.ReplaceVal(user.Groups, oldName, newName)
+		_, err := updateUser(user.GetId(), user, []string{"groups"})
+		if err != nil {
+			return err
+		}
+	}
+
+	groups := []*Group{}
+	err = session.Where("parent_id = ?", oldName).Find(&groups)
+	for _, group := range groups {
+		group.ParentId = newName
+		_, err := session.ID(core.PK{group.Owner, group.Name}).Cols("parent_id").Update(group)
+		if err != nil {
+			return err
+		}
+	}
+
+	err = session.Commit()
+	if err != nil {
+		return err
+	}
+	return nil
+}
--- a/object/init.go
+++ b/object/init.go
@ -184,6 +184,7 @@ func initBuiltInApplication() {
 			{Name: "Phone", Visible: true, Required: true, Prompted: false, Rule: "None"},
 			{Name: "Agreement", Visible: true, Required: true, Prompted: false, Rule: "None"},
 		},
+		Tags:          []string{},
 		RedirectUris:  []string{},
 		ExpireInHours: 168,
 		FormOffset:    2,
--- a/object/init_data.go
+++ b/object/init_data.go
@ -145,6 +145,9 @@ func readInitDataFromFile(filePath string) (*InitData, error) {
 		if application.RedirectUris == nil {
 			application.RedirectUris = []string{}
 		}
+		if application.Tags == nil {
+			application.Tags = []string{}
+		}
 	}
 	for _, permission := range data.Permissions {
 		if permission.Actions == nil {
--- a/object/mfa.go
+++ b/object/mfa.go
@ -22,14 +22,16 @@ import (
 	"github.com/beego/beego/context"
 )

+const MfaRecoveryCodesSession = "mfa_recovery_codes"
+
 type MfaSessionData struct {
 	UserId string
 }

 type MfaProps struct {
-	Id            string   `json:"id"`
+	Enabled       bool     `json:"enabled"`
 	IsPreferred   bool     `json:"isPreferred"`
-	AuthType      string   `json:"type" form:"type"`
+	MfaType       string   `json:"mfaType" form:"mfaType"`
 	Secret        string   `json:"secret,omitempty"`
 	CountryCode   string   `json:"countryCode,omitempty"`
 	URL           string   `json:"url,omitempty"`
@ -37,15 +39,16 @@ type MfaProps struct {
 }

 type MfaInterface interface {
-	SetupVerify(ctx *context.Context, passCode string) error
-	Verify(passCode string) error
-	Initiate(ctx *context.Context, name1 string, name2 string) (*MfaProps, error)
+	Initiate(ctx *context.Context, userId string) (*MfaProps, error)
+	SetupVerify(ctx *context.Context, passcode string) error
 	Enable(ctx *context.Context, user *User) error
+	Verify(passcode string) error
 }

 const (
-	SmsType  = "sms"
-	TotpType = "app"
+	EmailType = "email"
+	SmsType   = "sms"
+	TotpType  = "app"
 )

 const (
@ -54,28 +57,30 @@ const (
 	RequiredMfa      = "RequiredMfa"
 )

-func GetMfaUtil(providerType string, config *MfaProps) MfaInterface {
-	switch providerType {
+func GetMfaUtil(mfaType string, config *MfaProps) MfaInterface {
+	switch mfaType {
 	case SmsType:
-		return NewSmsTwoFactor(config)
+		return NewSmsMfaUtil(config)
+	case EmailType:
+		return NewEmailMfaUtil(config)
 	case TotpType:
-		return nil
+		return NewTotpMfaUtil(config)
 	}

 	return nil
 }

-func RecoverTfs(user *User, recoveryCode string) error {
+func MfaRecover(user *User, recoveryCode string) error {
 	hit := false

-	twoFactor := user.GetPreferMfa(false)
-	if len(twoFactor.RecoveryCodes) == 0 {
+	if len(user.RecoveryCodes) == 0 {
 		return fmt.Errorf("do not have recovery codes")
 	}

-	for _, code := range twoFactor.RecoveryCodes {
+	for _, code := range user.RecoveryCodes {
 		if code == recoveryCode {
 			hit = true
+			user.RecoveryCodes = util.DeleteVal(user.RecoveryCodes, code)
 			break
 		}
 	}
@ -83,30 +88,106 @@ func RecoverTfs(user *User, recoveryCode string) error {
 		return fmt.Errorf("recovery code not found")
 	}

-	affected, err := UpdateUser(user.GetId(), user, []string{"two_factor_auth"}, user.IsAdminUser())
+	_, err := UpdateUser(user.GetId(), user, []string{"recovery_codes"}, user.IsAdminUser())
 	if err != nil {
 		return err
 	}

-	if !affected {
-		return fmt.Errorf("")
+	return nil
+}
+
+func GetAllMfaProps(user *User, masked bool) []*MfaProps {
+	mfaProps := []*MfaProps{}
+
+	for _, mfaType := range []string{SmsType, EmailType, TotpType} {
+		mfaProps = append(mfaProps, user.GetMfaProps(mfaType, masked))
+	}
+	return mfaProps
+}
+
+func (user *User) GetMfaProps(mfaType string, masked bool) *MfaProps {
+	mfaProps := &MfaProps{}
+
+	if mfaType == SmsType {
+		if !user.MfaPhoneEnabled {
+			return &MfaProps{
+				Enabled: false,
+				MfaType: mfaType,
+			}
+		}
+
+		mfaProps = &MfaProps{
+			Enabled:     user.MfaPhoneEnabled,
+			MfaType:     mfaType,
+			CountryCode: user.CountryCode,
+		}
+		if masked {
+			mfaProps.Secret = util.GetMaskedPhone(user.Phone)
+		} else {
+			mfaProps.Secret = user.Phone
+		}
+	} else if mfaType == EmailType {
+		if !user.MfaEmailEnabled {
+			return &MfaProps{
+				Enabled: false,
+				MfaType: mfaType,
+			}
+		}
+
+		mfaProps = &MfaProps{
+			Enabled: user.MfaEmailEnabled,
+			MfaType: mfaType,
+		}
+		if masked {
+			mfaProps.Secret = util.GetMaskedEmail(user.Email)
+		} else {
+			mfaProps.Secret = user.Email
+		}
+	} else if mfaType == TotpType {
+		if user.TotpSecret == "" {
+			return &MfaProps{
+				Enabled: false,
+				MfaType: mfaType,
+			}
+		}
+
+		mfaProps = &MfaProps{
+			Enabled: true,
+			MfaType: mfaType,
+		}
+		if masked {
+			mfaProps.Secret = ""
+		} else {
+			mfaProps.Secret = user.TotpSecret
+		}
+	}
+
+	if user.PreferredMfaType == mfaType {
+		mfaProps.IsPreferred = true
+	}
+	return mfaProps
+}
+
+func DisabledMultiFactorAuth(user *User) error {
+	user.PreferredMfaType = ""
+	user.RecoveryCodes = []string{}
+	user.MfaPhoneEnabled = false
+	user.MfaEmailEnabled = false
+	user.TotpSecret = ""
+
+	_, err := updateUser(user.GetId(), user, []string{"preferred_mfa_type", "recovery_codes", "mfa_phone_enabled", "mfa_email_enabled", "totp_secret"})
+	if err != nil {
+		return err
 	}
 	return nil
 }

-func GetMaskedProps(props *MfaProps) *MfaProps {
-	maskedProps := &MfaProps{
-		AuthType:    props.AuthType,
-		Id:          props.Id,
-		IsPreferred: props.IsPreferred,
-	}
+func SetPreferredMultiFactorAuth(user *User, mfaType string) error {
+	user.PreferredMfaType = mfaType

-	if props.AuthType == SmsType {
-		if !util.IsEmailValid(props.Secret) {
-			maskedProps.Secret = util.GetMaskedPhone(props.Secret)
-		} else {
-			maskedProps.Secret = util.GetMaskedEmail(props.Secret)
-		}
+	_, err := UpdateUser(user.GetId(), user, []string{"preferred_mfa_type"}, user.IsAdminUser())
+	if err != nil {
+		return err
 	}
-	return maskedProps
+	return nil
 }
--- a/object/mfa_sms.go
+++ b/object/mfa_sms.go
@ -18,22 +18,35 @@ import (
 	"errors"
 	"fmt"

-	"github.com/casdoor/casdoor/util"
-
 	"github.com/beego/beego/context"
+	"github.com/casdoor/casdoor/util"
 	"github.com/google/uuid"
 )

 const (
-	MfaSmsCountryCodeSession   = "mfa_country_code"
-	MfaSmsDestSession          = "mfa_dest"
-	MfaSmsRecoveryCodesSession = "mfa_recovery_codes"
+	MfaSmsCountryCodeSession = "mfa_country_code"
+	MfaSmsDestSession        = "mfa_dest"
 )

 type SmsMfa struct {
 	Config *MfaProps
 }

+func (mfa *SmsMfa) Initiate(ctx *context.Context, userId string) (*MfaProps, error) {
+	recoveryCode := uuid.NewString()
+
+	err := ctx.Input.CruSession.Set(MfaRecoveryCodesSession, []string{recoveryCode})
+	if err != nil {
+		return nil, err
+	}
+
+	mfaProps := MfaProps{
+		MfaType:       mfa.Config.MfaType,
+		RecoveryCodes: []string{recoveryCode},
+	}
+	return &mfaProps, nil
+}
+
 func (mfa *SmsMfa) SetupVerify(ctx *context.Context, passCode string) error {
 	dest := ctx.Input.CruSession.Get(MfaSmsDestSession).(string)
 	countryCode := ctx.Input.CruSession.Get(MfaSmsCountryCodeSession).(string)
@ -47,6 +60,45 @@ func (mfa *SmsMfa) SetupVerify(ctx *context.Context, passCode string) error {
 	return nil
 }

+func (mfa *SmsMfa) Enable(ctx *context.Context, user *User) error {
+	recoveryCodes := ctx.Input.CruSession.Get(MfaRecoveryCodesSession).([]string)
+	if len(recoveryCodes) == 0 {
+		return fmt.Errorf("recovery codes is missing")
+	}
+
+	columns := []string{"recovery_codes", "preferred_mfa_type"}
+
+	user.RecoveryCodes = append(user.RecoveryCodes, recoveryCodes...)
+	if user.PreferredMfaType == "" {
+		user.PreferredMfaType = mfa.Config.MfaType
+	}
+
+	if mfa.Config.MfaType == SmsType {
+		user.MfaPhoneEnabled = true
+		columns = append(columns, "mfa_phone_enabled")
+
+		if user.Phone == "" {
+			user.Phone = ctx.Input.CruSession.Get(MfaSmsDestSession).(string)
+			user.CountryCode = ctx.Input.CruSession.Get(MfaSmsCountryCodeSession).(string)
+			columns = append(columns, "phone", "country_code")
+		}
+	} else if mfa.Config.MfaType == EmailType {
+		user.MfaEmailEnabled = true
+		columns = append(columns, "mfa_email_enabled")
+
+		if user.Email == "" {
+			user.Email = ctx.Input.CruSession.Get(MfaSmsDestSession).(string)
+			columns = append(columns, "email")
+		}
+	}
+
+	_, err := UpdateUser(user.GetId(), user, columns, false)
+	if err != nil {
+		return err
+	}
+	return nil
+}
+
 func (mfa *SmsMfa) Verify(passCode string) error {
 	if !util.IsEmailValid(mfa.Config.Secret) {
 		mfa.Config.Secret, _ = util.GetE164Number(mfa.Config.Secret, mfa.Config.CountryCode)
@ -57,65 +109,21 @@ func (mfa *SmsMfa) Verify(passCode string) error {
 	return nil
 }

-func (mfa *SmsMfa) Initiate(ctx *context.Context, name string, secret string) (*MfaProps, error) {
-	recoveryCode, err := uuid.NewRandom()
-	if err != nil {
-		return nil, err
-	}
-
-	err = ctx.Input.CruSession.Set(MfaSmsRecoveryCodesSession, []string{recoveryCode.String()})
-	if err != nil {
-		return nil, err
-	}
-
-	mfaProps := MfaProps{
-		AuthType:      SmsType,
-		RecoveryCodes: []string{recoveryCode.String()},
-	}
-	return &mfaProps, nil
-}
-
-func (mfa *SmsMfa) Enable(ctx *context.Context, user *User) error {
-	dest := ctx.Input.CruSession.Get(MfaSmsDestSession).(string)
-	recoveryCodes := ctx.Input.CruSession.Get(MfaSmsRecoveryCodesSession).([]string)
-	countryCode := ctx.Input.CruSession.Get(MfaSmsCountryCodeSession).(string)
-
-	if dest == "" || len(recoveryCodes) == 0 {
-		return fmt.Errorf("MFA dest or recovery codes is empty")
-	}
-
-	if !util.IsEmailValid(dest) {
-		mfa.Config.CountryCode = countryCode
-	}
-
-	mfa.Config.AuthType = SmsType
-	mfa.Config.Id = uuid.NewString()
-	mfa.Config.Secret = dest
-	mfa.Config.RecoveryCodes = recoveryCodes
-
-	for i, mfaProp := range user.MultiFactorAuths {
-		if mfaProp.Secret == mfa.Config.Secret {
-			user.MultiFactorAuths = append(user.MultiFactorAuths[:i], user.MultiFactorAuths[i+1:]...)
-		}
-	}
-	user.MultiFactorAuths = append(user.MultiFactorAuths, mfa.Config)
-
-	affected, err := UpdateUser(user.GetId(), user, []string{"multi_factor_auths"}, user.IsAdminUser())
-	if err != nil {
-		return err
-	}
-
-	if !affected {
-		return fmt.Errorf("failed to enable two factor authentication")
-	}
-
-	return nil
-}
-
-func NewSmsTwoFactor(config *MfaProps) *SmsMfa {
+func NewSmsMfaUtil(config *MfaProps) *SmsMfa {
 	if config == nil {
 		config = &MfaProps{
-			AuthType: SmsType,
+			MfaType: SmsType,
+		}
+	}
+	return &SmsMfa{
+		Config: config,
+	}
+}
+
+func NewEmailMfaUtil(config *MfaProps) *SmsMfa {
+	if config == nil {
+		config = &MfaProps{
+			MfaType: EmailType,
 		}
 	}
 	return &SmsMfa{
--- a/object/mfa_totp.go
+++ b/object/mfa_totp.go
@ -0,0 +1,133 @@
+// Copyright 2023 The Casdoor Authors. All Rights Reserved.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//      http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package object
+
+import (
+	"errors"
+	"fmt"
+
+	"github.com/beego/beego"
+	"github.com/beego/beego/context"
+	"github.com/google/uuid"
+	"github.com/pquerna/otp"
+	"github.com/pquerna/otp/totp"
+)
+
+const MfaTotpSecretSession = "mfa_totp_secret"
+
+type TotpMfa struct {
+	Config     *MfaProps
+	period     uint
+	secretSize uint
+	digits     otp.Digits
+}
+
+func (mfa *TotpMfa) Initiate(ctx *context.Context, userId string) (*MfaProps, error) {
+	issuer := beego.AppConfig.String("appname")
+	if issuer == "" {
+		issuer = "casdoor"
+	}
+
+	key, err := totp.Generate(totp.GenerateOpts{
+		Issuer:      issuer,
+		AccountName: userId,
+		Period:      mfa.period,
+		SecretSize:  mfa.secretSize,
+		Digits:      mfa.digits,
+	})
+	if err != nil {
+		return nil, err
+	}
+
+	err = ctx.Input.CruSession.Set(MfaTotpSecretSession, key.Secret())
+	if err != nil {
+		return nil, err
+	}
+
+	recoveryCode := uuid.NewString()
+	err = ctx.Input.CruSession.Set(MfaRecoveryCodesSession, []string{recoveryCode})
+	if err != nil {
+		return nil, err
+	}
+
+	mfaProps := MfaProps{
+		MfaType:       mfa.Config.MfaType,
+		RecoveryCodes: []string{recoveryCode},
+		Secret:        key.Secret(),
+		URL:           key.URL(),
+	}
+	return &mfaProps, nil
+}
+
+func (mfa *TotpMfa) SetupVerify(ctx *context.Context, passcode string) error {
+	secret := ctx.Input.CruSession.Get(MfaTotpSecretSession).(string)
+	result := totp.Validate(passcode, secret)
+
+	if result {
+		return nil
+	} else {
+		return errors.New("totp passcode error")
+	}
+}
+
+func (mfa *TotpMfa) Enable(ctx *context.Context, user *User) error {
+	recoveryCodes := ctx.Input.CruSession.Get(MfaRecoveryCodesSession).([]string)
+	if len(recoveryCodes) == 0 {
+		return fmt.Errorf("recovery codes is missing")
+	}
+	secret := ctx.Input.CruSession.Get(MfaTotpSecretSession).(string)
+	if secret == "" {
+		return fmt.Errorf("totp secret is missing")
+	}
+
+	columns := []string{"recovery_codes", "preferred_mfa_type", "totp_secret"}
+
+	user.RecoveryCodes = append(user.RecoveryCodes, recoveryCodes...)
+	user.TotpSecret = secret
+	if user.PreferredMfaType == "" {
+		user.PreferredMfaType = mfa.Config.MfaType
+	}
+
+	_, err := updateUser(user.GetId(), user, columns)
+	if err != nil {
+		return err
+	}
+	return nil
+}
+
+func (mfa *TotpMfa) Verify(passcode string) error {
+	result := totp.Validate(passcode, mfa.Config.Secret)
+
+	if result {
+		return nil
+	} else {
+		return errors.New("totp passcode error")
+	}
+}
+
+func NewTotpMfaUtil(config *MfaProps) *TotpMfa {
+	if config == nil {
+		config = &MfaProps{
+			MfaType: TotpType,
+		}
+	}
+
+	return &TotpMfa{
+		Config:     config,
+		period:     30,
+		secretSize: 20,
+		digits:     otp.DigitsSix,
+	}
+}
--- a/object/permission.go
+++ b/object/permission.go
@ -370,3 +370,24 @@ func GetMaskedPermissions(permissions []*Permission) []*Permission {

 	return permissions
 }
+
+// GroupPermissionsByModelAdapter group permissions by model and adapter.
+// Every model and adapter will be a key, and the value is a list of permission ids.
+// With each list of permission ids have the same key, we just need to init the
+// enforcer and do the enforce/batch-enforce once (with list of permission ids
+// as the policyFilter when the enforcer load policy).
+func GroupPermissionsByModelAdapter(permissions []*Permission) map[string][]string {
+	m := make(map[string][]string)
+
+	for _, permission := range permissions {
+		key := permission.Model + permission.Adapter
+		permissionIds, ok := m[key]
+		if !ok {
+			m[key] = []string{permission.GetId()}
+		} else {
+			m[key] = append(permissionIds, permission.GetId())
+		}
+	}
+
+	return m
+}
--- a/object/permission_enforcer.go
+++ b/object/permission_enforcer.go
@ -26,7 +26,7 @@ import (
 	xormadapter "github.com/casdoor/xorm-adapter/v3"
 )

-func getEnforcer(permission *Permission) *casbin.Enforcer {
+func getEnforcer(permission *Permission, permissionIDs ...string) *casbin.Enforcer {
 	tableName := "permission_rule"
 	if len(permission.Adapter) != 0 {
 		adapterObj, err := getCasbinAdapter(permission.Owner, permission.Adapter)
@ -77,8 +77,13 @@ func getEnforcer(permission *Permission) *casbin.Enforcer {

 	enforcer.SetAdapter(adapter)

+	policyFilterV5 := []string{permission.GetId()}
+	if len(permissionIDs) != 0 {
+		policyFilterV5 = permissionIDs
+	}
+
 	policyFilter := xormadapter.Filter{
-		V5: []string{permission.GetId()},
+		V5: policyFilterV5,
 	}

 	if !HasRoleDefinition(m) {
@ -241,28 +246,13 @@ func removePolicies(permission *Permission) {

 type CasbinRequest = []interface{}

-func Enforce(permissionId string, request *CasbinRequest) (bool, error) {
-	permission, err := GetPermission(permissionId)
-	if err != nil {
-		return false, err
-	}
-
-	enforcer := getEnforcer(permission)
+func Enforce(permission *Permission, request *CasbinRequest, permissionIds ...string) (bool, error) {
+	enforcer := getEnforcer(permission, permissionIds...)
 	return enforcer.Enforce(*request...)
 }

-func BatchEnforce(permissionId string, requests *[]CasbinRequest) ([]bool, error) {
-	permission, err := GetPermission(permissionId)
-	if err != nil {
-		res := []bool{}
-		for i := 0; i < len(*requests); i++ {
-			res = append(res, false)
-		}
-
-		return res, err
-	}
-
-	enforcer := getEnforcer(permission)
+func BatchEnforce(permission *Permission, requests *[]CasbinRequest, permissionIds ...string) ([]bool, error) {
+	enforcer := getEnforcer(permission, permissionIds...)
 	return enforcer.BatchEnforce(*requests)
 }

--- a/object/permission_upload.go
+++ b/object/permission_upload.go
@ -43,6 +43,7 @@ func UploadPermissions(owner string, fileId string) (bool, error) {

 	newPermissions := []*Permission{}
 	for index, line := range table {
+		line := line
 		if index == 0 || parseLineItem(&line, 0) == "" {
 			continue
 		}
--- a/object/role_upload.go
+++ b/object/role_upload.go
@ -43,6 +43,7 @@ func UploadRoles(owner string, fileId string) (bool, error) {

 	newRoles := []*Role{}
 	for index, line := range table {
+		line := line
 		if index == 0 || parseLineItem(&line, 0) == "" {
 			continue
 		}
--- a/object/saml_idp.go
+++ b/object/saml_idp.go
@ -260,10 +260,17 @@ func GetSamlResponse(application *Application, user *User, samlRequest string, h
 	// decompress
 	var buffer bytes.Buffer
 	rdr := flate.NewReader(bytes.NewReader(defated))
-	_, err = io.Copy(&buffer, rdr)
-	if err != nil {
-		return "", "", "", err
+
+	for {
+		_, err := io.CopyN(&buffer, rdr, 1024)
+		if err != nil {
+			if err == io.EOF {
+				break
+			}
+			return "", "", "", err
+		}
 	}
+
 	var authnRequest saml.AuthnRequest
 	err = xml.Unmarshal(buffer.Bytes(), &authnRequest)
 	if err != nil {
--- a/object/syncer.go
+++ b/object/syncer.go
@ -50,6 +50,7 @@ type Syncer struct {
 	AvatarBaseUrl    string         `xorm:"varchar(100)" json:"avatarBaseUrl"`
 	ErrorText        string         `xorm:"mediumtext" json:"errorText"`
 	SyncInterval     int            `json:"syncInterval"`
+	IsReadOnly       bool           `json:"isReadOnly"`
 	IsEnabled        bool           `json:"isEnabled"`

 	Adapter *Adapter `xorm:"-" json:"-"`
--- a/object/syncer_sync.go
+++ b/object/syncer_sync.go
@ -63,9 +63,11 @@ func (syncer *Syncer) syncUsers() {
 				}
 			} else {
 				if user.PreHash == oHash {
-					updatedOUser := syncer.createOriginalUserFromUser(user)
-					syncer.updateUser(updatedOUser)
-					fmt.Printf("Update from user to oUser: %v\n", updatedOUser)
+					if !syncer.IsReadOnly {
+						updatedOUser := syncer.createOriginalUserFromUser(user)
+						syncer.updateUser(updatedOUser)
+						fmt.Printf("Update from user to oUser: %v\n", updatedOUser)
+					}

 					// update preHash
 					user.PreHash = user.Hash
@ -91,15 +93,17 @@ func (syncer *Syncer) syncUsers() {
 		panic(err)
 	}

-	for _, user := range users {
-		id := user.Id
-		if _, ok := oUserMap[id]; !ok {
-			newOUser := syncer.createOriginalUserFromUser(user)
-			_, err = syncer.addUser(newOUser)
-			if err != nil {
-				panic(err)
+	if !syncer.IsReadOnly {
+		for _, user := range users {
+			id := user.Id
+			if _, ok := oUserMap[id]; !ok {
+				newOUser := syncer.createOriginalUserFromUser(user)
+				_, err = syncer.addUser(newOUser)
+				if err != nil {
+					panic(err)
+				}
+				fmt.Printf("New oUser: %v\n", newOUser)
 			}
-			fmt.Printf("New oUser: %v\n", newOUser)
 		}
 	}
 }
--- a/object/syncer_util.go
+++ b/object/syncer_util.go
@ -170,6 +170,7 @@ func (syncer *Syncer) getOriginalUsersFromMap(results []map[string]string) []*Or
 		originalUser := &OriginalUser{
 			Address:    []string{},
 			Properties: map[string]string{},
+			Groups:     []string{},
 		}

 		for _, tableColumn := range syncer.TableColumns {
--- a/object/token.go
+++ b/object/token.go
@ -794,7 +794,7 @@ func GetWechatMiniProgramToken(application *Application, code string, host strin
 			ErrorDescription: "the wechat mini program session is invalid",
 		}, nil
 	}
-	user, err := getUserByWechatId(openId, unionId)
+	user, err := getUserByWechatId(application.Organization, openId, unionId)
 	if err != nil {
 		return nil, nil, err
 	}
--- a/object/token_jwt.go
+++ b/object/token_jwt.go
@ -216,6 +216,9 @@ func refineUser(user *User) *User {
 	if user.Permissions == nil {
 		user.Permissions = []*Permission{}
 	}
+	if user.Groups == nil {
+		user.Groups = []string{}
+	}

 	return user
 }
--- a/object/user.go
+++ b/object/user.go
@ -159,7 +159,12 @@ type User struct {
 	Custom          string `xorm:"custom varchar(100)" json:"custom"`

 	WebauthnCredentials []webauthn.Credential `xorm:"webauthnCredentials blob" json:"webauthnCredentials"`
-	MultiFactorAuths    []*MfaProps           `json:"multiFactorAuths"`
+	PreferredMfaType    string                `xorm:"varchar(100)" json:"preferredMfaType"`
+	RecoveryCodes       []string              `xorm:"varchar(1000)" json:"recoveryCodes,omitempty"`
+	TotpSecret          string                `xorm:"varchar(100)" json:"totpSecret,omitempty"`
+	MfaPhoneEnabled     bool                  `json:"mfaPhoneEnabled"`
+	MfaEmailEnabled     bool                  `json:"mfaEmailEnabled"`
+	MultiFactorAuths    []*MfaProps           `xorm:"-" json:"multiFactorAuths,omitempty"`

 	Ldap       string            `xorm:"ldap varchar(100)" json:"ldap"`
 	Properties map[string]string `json:"properties"`
@ -220,11 +225,11 @@ func GetPaginationGlobalUsers(offset, limit int, field, value, sortField, sortOr
 	return users, nil
 }

-func GetUserCount(owner, field, value string, groupId string) (int64, error) {
+func GetUserCount(owner, field, value string, groupName string) (int64, error) {
 	session := GetSession(owner, -1, -1, field, value, "", "")

-	if groupId != "" {
-		return GetGroupUserCount(groupId, field, value)
+	if groupName != "" {
+		return GetGroupUserCount(groupName, field, value)
 	}

 	return session.Count(&User{})
@ -264,11 +269,11 @@ func GetSortedUsers(owner string, sorter string, limit int) ([]*User, error) {
 	return users, nil
 }

-func GetPaginationUsers(owner string, offset, limit int, field, value, sortField, sortOrder string, groupId string) ([]*User, error) {
+func GetPaginationUsers(owner string, offset, limit int, field, value, sortField, sortOrder string, groupName string) ([]*User, error) {
 	users := []*User{}

-	if groupId != "" {
-		return GetPaginationGroupUsers(groupId, offset, limit, field, value, sortField, sortOrder)
+	if groupName != "" {
+		return GetPaginationGroupUsers(groupName, offset, limit, field, value, sortField, sortOrder)
 	}

 	session := GetSessionForUser(owner, offset, limit, field, value, sortField, sortOrder)
@ -315,12 +320,12 @@ func getUserById(owner string, id string) (*User, error) {
 	}
 }

-func getUserByWechatId(wechatOpenId string, wechatUnionId string) (*User, error) {
+func getUserByWechatId(owner string, wechatOpenId string, wechatUnionId string) (*User, error) {
 	if wechatUnionId == "" {
 		wechatUnionId = wechatOpenId
 	}
 	user := &User{}
-	existed, err := adapter.Engine.Where("wechat = ? OR wechat = ?", wechatOpenId, wechatUnionId).Get(user)
+	existed, err := adapter.Engine.Where("owner = ?", owner).Where("wechat = ? OR wechat = ?", wechatOpenId, wechatUnionId).Get(user)
 	if err != nil {
 		return nil, err
 	}
@ -425,18 +430,22 @@ func GetMaskedUser(user *User, errs ...error) (*User, error) {
 	if user.Password != "" {
 		user.Password = "***"
 	}
-
+	if user.AccessSecret != "" {
+		user.AccessSecret = "***"
+	}
 	if user.ManagedAccounts != nil {
 		for _, manageAccount := range user.ManagedAccounts {
 			manageAccount.Password = "***"
 		}
 	}

-	if user.MultiFactorAuths != nil {
-		for i, props := range user.MultiFactorAuths {
-			user.MultiFactorAuths[i] = GetMaskedProps(props)
-		}
+	if user.TotpSecret != "" {
+		user.TotpSecret = ""
 	}
+	if user.RecoveryCodes != nil {
+		user.RecoveryCodes = nil
+	}
+
 	return user, nil
 }

@ -483,17 +492,13 @@ func UpdateUser(id string, user *User, columns []string, isAdmin bool) (bool, er
 	if name != user.Name {
 		err := userChangeTrigger(name, user.Name)
 		if err != nil {
-			return false, nil
+			return false, err
 		}
 	}

 	if user.Password == "***" {
 		user.Password = oldUser.Password
 	}
-	err = user.UpdateUserHash()
-	if err != nil {
-		panic(err)
-	}

 	if user.Avatar != oldUser.Avatar && user.Avatar != "" && user.PermanentAvatar != "*" {
 		user.PermanentAvatar, err = getPermanentAvatarUrl(user.Owner, user.Name, user.Avatar, false)
@ -521,7 +526,7 @@ func UpdateUser(id string, user *User, columns []string, isAdmin bool) (bool, er
 		columns = append(columns, "name", "email", "phone", "country_code")
 	}

-	affected, err := updateUser(oldUser, user, columns)
+	affected, err := updateUser(id, user, columns)
 	if err != nil {
 		return false, err
 	}
@ -529,32 +534,17 @@ func UpdateUser(id string, user *User, columns []string, isAdmin bool) (bool, er
 	return affected != 0, nil
 }

-func updateUser(oldUser, user *User, columns []string) (int64, error) {
-	session := adapter.Engine.NewSession()
-	defer session.Close()
-
-	session.Begin()
-
-	if util.ContainsString(columns, "groups") {
-		affected, err := updateUserGroupRelation(session, user)
-		if err != nil {
-			session.Rollback()
-			return affected, err
-		}
-	}
-
-	affected, err := session.ID(core.PK{oldUser.Owner, oldUser.Name}).Cols(columns...).Update(user)
+func updateUser(id string, user *User, columns []string) (int64, error) {
+	owner, name := util.GetOwnerAndNameFromIdNoCheck(id)
+	err := user.UpdateUserHash()
 	if err != nil {
-		session.Rollback()
-		return affected, err
-	}
-
-	err = session.Commit()
-	if err != nil {
-		session.Rollback()
 		return 0, err
 	}

+	affected, err := adapter.Engine.ID(core.PK{owner, name}).Cols(columns...).Update(user)
+	if err != nil {
+		return 0, err
+	}
 	return affected, nil
 }

@ -725,11 +715,6 @@ func DeleteUser(user *User) (bool, error) {
 		return false, err
 	}

-	affected, err = DeleteRelationByUserId(user.Id)
-	if err != nil {
-		return false, err
-	}
-
 	return affected != 0, nil
 }

@ -745,7 +730,7 @@ func GetUserInfo(user *User, scope string, aud string, host string) *Userinfo {
 		resp.Name = user.Name
 		resp.DisplayName = user.DisplayName
 		resp.Avatar = user.Avatar
-		resp.Groups = []string{user.Owner}
+		resp.Groups = user.Groups
 	}
 	if strings.Contains(scope, "email") {
 		resp.Email = user.Email
@ -781,6 +766,10 @@ func ExtendUserWithRolesAndPermissions(user *User) (err error) {
 		return err
 	}

+	if user.Groups == nil {
+		user.Groups = []string{}
+	}
+
 	return
 }

@ -843,35 +832,14 @@ func userChangeTrigger(oldName string, newName string) error {
 }

 func (user *User) IsMfaEnabled() bool {
-	return len(user.MultiFactorAuths) > 0
+	return user.PreferredMfaType != ""
 }

-func (user *User) GetPreferMfa(masked bool) *MfaProps {
-	if len(user.MultiFactorAuths) == 0 {
+func (user *User) GetPreferredMfaProps(masked bool) *MfaProps {
+	if user.PreferredMfaType == "" {
 		return nil
 	}
-
-	if masked {
-		if len(user.MultiFactorAuths) == 1 {
-			return GetMaskedProps(user.MultiFactorAuths[0])
-		}
-		for _, v := range user.MultiFactorAuths {
-			if v.IsPreferred {
-				return GetMaskedProps(v)
-			}
-		}
-		return GetMaskedProps(user.MultiFactorAuths[0])
-	} else {
-		if len(user.MultiFactorAuths) == 1 {
-			return user.MultiFactorAuths[0]
-		}
-		for _, v := range user.MultiFactorAuths {
-			if v.IsPreferred {
-				return v
-			}
-		}
-		return user.MultiFactorAuths[0]
-	}
+	return user.GetMfaProps(user.PreferredMfaType, masked)
 }

 func AddUserkeys(user *User, isAdmin bool) (bool, error) {
--- a/object/user_avatar.go
+++ b/object/user_avatar.go
@ -34,7 +34,7 @@ func downloadImage(client *http.Client, url string) (*bytes.Buffer, string, erro
 	resp, err := client.Do(req)
 	if err != nil {
 		fmt.Printf("downloadImage() error for url [%s]: %s\n", url, err.Error())
-		if strings.Contains(err.Error(), "EOF") {
+		if strings.Contains(err.Error(), "EOF") || strings.Contains(err.Error(), "no such host") {
 			return nil, "", nil
 		} else {
 			return nil, "", err
--- a/object/user_avatar_favicon.go
+++ b/object/user_avatar_favicon.go
@ -18,9 +18,9 @@ import (
 	"bytes"
 	"fmt"
 	"net/http"
-	"net/url"
 	"strings"

+	"github.com/casdoor/casdoor/util"
 	"golang.org/x/net/html"
 )

@ -124,6 +124,7 @@ func chooseFaviconLinkBySizes(links []Link) *Link {
 	var chosenLink *Link

 	for _, link := range links {
+		link := link
 		if chosenLink == nil || compareSizes(link.Sizes, chosenLink.Sizes) > 0 {
 			chosenLink = &link
 		}
@ -206,10 +207,7 @@ func getFaviconFileBuffer(client *http.Client, email string) (*bytes.Buffer, str
 		}

 		if !strings.HasPrefix(faviconUrl, "http") {
-			faviconUrl, err = url.JoinPath(htmlUrl, faviconUrl)
-			if err != nil {
-				return nil, "", err
-			}
+			faviconUrl = util.UrlJoin(htmlUrl, faviconUrl)
 		}
 	}

--- a/object/user_group.go
+++ b/object/user_group.go
@ -1,157 +0,0 @@
-package object
-
-import (
-	"errors"
-	"fmt"
-
-	"github.com/casdoor/casdoor/util"
-	"github.com/xorm-io/core"
-	"github.com/xorm-io/xorm"
-)
-
-type UserGroupRelation struct {
-	UserId    string `xorm:"varchar(100) notnull pk" json:"userId"`
-	GroupName string `xorm:"varchar(100) notnull pk" json:"groupName"`
-
-	CreatedTime string `xorm:"created" json:"createdTime"`
-	UpdatedTime string `xorm:"updated" json:"updatedTime"`
-}
-
-func updateUserGroupRelation(session *xorm.Session, user *User) (int64, error) {
-	physicalGroupCount, err := session.In("name", user.Groups).Count(Group{Type: "Physical"})
-	if err != nil {
-		return 0, err
-	}
-	if physicalGroupCount > 1 {
-		return 0, errors.New("user can only be in one physical group")
-	}
-
-	groups := []*Group{}
-	err = session.In("name", user.Groups).Find(&groups)
-	if err != nil {
-		return 0, err
-	}
-	if len(groups) != len(user.Groups) {
-		return 0, errors.New("group not found")
-	}
-
-	_, err = session.Delete(&UserGroupRelation{UserId: user.Id})
-	if err != nil {
-		return 0, err
-	}
-
-	relations := []*UserGroupRelation{}
-	for _, group := range groups {
-		relations = append(relations, &UserGroupRelation{UserId: user.Id, GroupName: group.Name})
-	}
-	if len(relations) == 0 {
-		return 1, nil
-	}
-	_, err = session.Insert(relations)
-	if err != nil {
-		return 0, err
-	}
-
-	return 1, nil
-}
-
-func RemoveUserFromGroup(owner, name, groupId string) (bool, error) {
-	user, err := getUser(owner, name)
-	if err != nil {
-		return false, err
-	}
-
-	groups := []string{}
-	for _, group := range user.Groups {
-		if group != groupId {
-			groups = append(groups, group)
-		}
-	}
-	user.Groups = groups
-
-	_, err = UpdateUser(util.GetId(owner, name), user, []string{"groups"}, false)
-	if err != nil {
-		return false, err
-	}
-	return true, nil
-}
-
-func DeleteUserGroupRelation(userId, groupId string) (int64, error) {
-	affected, err := adapter.Engine.ID(core.PK{userId, groupId}).Delete(&UserGroupRelation{})
-	return affected, err
-}
-
-func DeleteRelationByUserId(id string) (int64, error) {
-	affected, err := adapter.Engine.Delete(&UserGroupRelation{UserId: id})
-	return affected, err
-}
-
-func GetGroupUserCount(groupName string, field, value string) (int64, error) {
-	group, err := getGroupByName(groupName)
-	if group == nil || err != nil {
-		return 0, err
-	}
-
-	if field == "" && value == "" {
-		return adapter.Engine.Count(UserGroupRelation{GroupName: group.Name})
-	} else {
-		return adapter.Engine.Table("user").
-			Join("INNER", []string{"user_group_relation", "r"}, "user.id = r.user_id").
-			Where("r.group_name = ?", group.Name).
-			And(fmt.Sprintf("user.%s LIKE ?", util.CamelToSnakeCase(field)), "%"+value+"%").
-			Count()
-	}
-}
-
-func GetPaginationGroupUsers(groupName string, offset, limit int, field, value, sortField, sortOrder string) ([]*User, error) {
-	group, err := getGroupByName(groupName)
-	if group == nil || err != nil {
-		return nil, err
-	}
-
-	users := []*User{}
-	session := adapter.Engine.Table("user").
-		Join("INNER", []string{"user_group_relation", "r"}, "user.id = r.user_id").
-		Where("r.group_name = ?", group.Name)
-
-	if offset != -1 && limit != -1 {
-		session.Limit(limit, offset)
-	}
-
-	if field != "" && value != "" {
-		session = session.And(fmt.Sprintf("user.%s LIKE ?", util.CamelToSnakeCase(field)), "%"+value+"%")
-	}
-
-	if sortField == "" || sortOrder == "" {
-		sortField = "created_time"
-	}
-	if sortOrder == "ascend" {
-		session = session.Asc(fmt.Sprintf("user.%s", util.SnakeString(sortField)))
-	} else {
-		session = session.Desc(fmt.Sprintf("user.%s", util.SnakeString(sortField)))
-	}
-
-	err = session.Find(&users)
-	if err != nil {
-		return nil, err
-	}
-
-	return users, nil
-}
-
-func GetGroupUsers(groupName string) ([]*User, error) {
-	group, err := getGroupByName(groupName)
-	if group == nil || err != nil {
-		return []*User{}, err
-	}
-
-	users := []*User{}
-	err = adapter.Engine.Table("user").
-		Join("INNER", []string{"user_group_relation", "r"}, "user.id = r.user_id").
-		Where("r.group_name = ?", group.Name).Find(&users)
-	if err != nil {
-		return nil, err
-	}
-
-	return users, nil
-}
--- a/object/user_upload.go
+++ b/object/user_upload.go
@ -83,6 +83,7 @@ func UploadUsers(owner string, fileId string) (bool, error) {

 	newUsers := []*User{}
 	for index, line := range table {
+		line := line
 		if index == 0 || parseLineItem(&line, 0) == "" {
 			continue
 		}
--- a/object/user_util.go
+++ b/object/user_util.go
@ -288,9 +288,7 @@ func CheckPermissionForUpdateUser(oldUser, newUser *User, isAdmin bool, lang str
 		itemsChanged = append(itemsChanged, item)
 	}

-	oldUserTwoFactorAuthJson, _ := json.Marshal(oldUser.MultiFactorAuths)
-	newUserTwoFactorAuthJson, _ := json.Marshal(newUser.MultiFactorAuths)
-	if string(oldUserTwoFactorAuthJson) != string(newUserTwoFactorAuthJson) {
+	if oldUser.PreferredMfaType != newUser.PreferredMfaType {
 		item := GetAccountItemByName("Multi-factor authentication", organization)
 		itemsChanged = append(itemsChanged, item)
 	}
--- a/routers/static_filter.go
+++ b/routers/static_filter.go
@ -19,6 +19,7 @@ import (
 	"io"
 	"net/http"
 	"os"
+	"path/filepath"
 	"strings"
 	"time"

@ -72,7 +73,7 @@ func StaticFilter(ctx *context.Context) {
 }

 func serveFileWithReplace(w http.ResponseWriter, r *http.Request, name string, old string, new string) {
-	f, err := os.Open(name)
+	f, err := os.Open(filepath.Clean(name))
 	if err != nil {
 		panic(err)
 	}
--- a/storage/local_file_system.go
+++ b/storage/local_file_system.go
@ -70,7 +70,7 @@ func (fileSystem FileSystem) Put(path string, reader io.Reader) (*oss.Object, er
 		return nil, err
 	}

-	dst, err := os.Create(fullPath)
+	dst, err := os.Create(filepath.Clean(fullPath))

 	if err == nil {
 		if seeker, ok := reader.(io.ReadSeeker); ok {
--- a/swagger/swagger.json
+++ b/swagger/swagger.json
@ -43,6 +43,34 @@
                }
            }
        },
+        "/api/add-adapter": {
+            "post": {
+                "tags": [
+                    "Adapter API"
+                ],
+                "description": "add adapter",
+                "operationId": "ApiController.AddCasbinAdapter",
+                "parameters": [
+                    {
+                        "in": "body",
+                        "name": "body",
+                        "description": "The details of the adapter",
+                        "required": true,
+                        "schema": {
+                            "$ref": "#/definitions/object.Adapter"
+                        }
+                    }
+                ],
+                "responses": {
+                    "200": {
+                        "description": "The Response object",
+                        "schema": {
+                            "$ref": "#/definitions/controllers.Response"
+                        }
+                    }
+                }
+            }
+        },
        "/api/add-application": {
            "post": {
                "tags": [
@ -127,6 +155,34 @@
                }
            }
        },
+        "/api/add-group": {
+            "post": {
+                "tags": [
+                    "Group API"
+                ],
+                "description": "add group",
+                "operationId": "ApiController.AddGroup",
+                "parameters": [
+                    {
+                        "in": "body",
+                        "name": "body",
+                        "description": "The details of the group",
+                        "required": true,
+                        "schema": {
+                            "$ref": "#/definitions/object.Group"
+                        }
+                    }
+                ],
+                "responses": {
+                    "200": {
+                        "description": "The Response object",
+                        "schema": {
+                            "$ref": "#/definitions/controllers.Response"
+                        }
+                    }
+                }
+            }
+        },
        "/api/add-ldap": {
            "post": {
                "tags": [
@ -599,6 +655,14 @@
                }
            }
        },
+        "/api/add-user-keys": {
+            "post": {
+                "tags": [
+                    "User API"
+                ],
+                "operationId": "ApiController.AddUserkeys"
+            }
+        },
        "/api/add-webhook": {
            "post": {
                "tags": [
@ -782,13 +846,13 @@
                "tags": [
                    "Enforce API"
                ],
-                "description": "perform enforce",
+                "description": "Call Casbin BatchEnforce API",
                "operationId": "ApiController.BatchEnforce",
                "parameters": [
                    {
                        "in": "body",
                        "name": "body",
-                        "description": "casbin request array",
+                        "description": "array of casbin requests",
                        "required": true,
                        "schema": {
                            "$ref": "#/definitions/object.CasbinRequest"
@ -858,6 +922,34 @@
                "operationId": "ApiController.CheckUserPassword"
            }
        },
+        "/api/delete-adapter": {
+            "post": {
+                "tags": [
+                    "Adapter API"
+                ],
+                "description": "delete adapter",
+                "operationId": "ApiController.DeleteCasbinAdapter",
+                "parameters": [
+                    {
+                        "in": "body",
+                        "name": "body",
+                        "description": "The details of the adapter",
+                        "required": true,
+                        "schema": {
+                            "$ref": "#/definitions/object.Adapter"
+                        }
+                    }
+                ],
+                "responses": {
+                    "200": {
+                        "description": "The Response object",
+                        "schema": {
+                            "$ref": "#/definitions/controllers.Response"
+                        }
+                    }
+                }
+            }
+        },
        "/api/delete-application": {
            "post": {
                "tags": [
@ -942,6 +1034,34 @@
                }
            }
        },
+        "/api/delete-group": {
+            "post": {
+                "tags": [
+                    "Group API"
+                ],
+                "description": "delete group",
+                "operationId": "ApiController.DeleteGroup",
+                "parameters": [
+                    {
+                        "in": "body",
+                        "name": "body",
+                        "description": "The details of the group",
+                        "required": true,
+                        "schema": {
+                            "$ref": "#/definitions/object.Group"
+                        }
+                    }
+                ],
+                "responses": {
+                    "200": {
+                        "description": "The Response object",
+                        "schema": {
+                            "$ref": "#/definitions/controllers.Response"
+                        }
+                    }
+                }
+            }
+        },
        "/api/delete-ldap": {
            "post": {
                "tags": [
@ -1429,13 +1549,13 @@
                "tags": [
                    "Enforce API"
                ],
-                "description": "perform enforce",
+                "description": "Call Casbin Enforce API",
                "operationId": "ApiController.Enforce",
                "parameters": [
                    {
                        "in": "body",
                        "name": "body",
-                        "description": "casbin request",
+                        "description": "Casbin request",
                        "required": true,
                        "schema": {
                            "$ref": "#/definitions/object.CasbinRequest"
@ -1487,6 +1607,61 @@
                }
            }
        },
+        "/api/get-adapter": {
+            "get": {
+                "tags": [
+                    "Adapter API"
+                ],
+                "description": "get adapter",
+                "operationId": "ApiController.GetCasbinAdapter",
+                "parameters": [
+                    {
+                        "in": "query",
+                        "name": "id",
+                        "description": "The id ( owner/name ) of the adapter",
+                        "required": true,
+                        "type": "string"
+                    }
+                ],
+                "responses": {
+                    "200": {
+                        "description": "The Response object",
+                        "schema": {
+                            "$ref": "#/definitions/object.Adapter"
+                        }
+                    }
+                }
+            }
+        },
+        "/api/get-adapters": {
+            "get": {
+                "tags": [
+                    "Adapter API"
+                ],
+                "description": "get adapters",
+                "operationId": "ApiController.GetCasbinAdapters",
+                "parameters": [
+                    {
+                        "in": "query",
+                        "name": "owner",
+                        "description": "The owner of adapters",
+                        "required": true,
+                        "type": "string"
+                    }
+                ],
+                "responses": {
+                    "200": {
+                        "description": "The Response object",
+                        "schema": {
+                            "type": "array",
+                            "items": {
+                                "$ref": "#/definitions/object.Adapter"
+                            }
+                        }
+                    }
+                }
+            }
+        },
        "/api/get-app-login": {
            "get": {
                "tags": [
@ -1825,6 +2000,61 @@
                }
            }
        },
+        "/api/get-group": {
+            "get": {
+                "tags": [
+                    "Group API"
+                ],
+                "description": "get group",
+                "operationId": "ApiController.GetGroup",
+                "parameters": [
+                    {
+                        "in": "query",
+                        "name": "id",
+                        "description": "The id ( owner/name ) of the group",
+                        "required": true,
+                        "type": "string"
+                    }
+                ],
+                "responses": {
+                    "200": {
+                        "description": "The Response object",
+                        "schema": {
+                            "$ref": "#/definitions/object.Group"
+                        }
+                    }
+                }
+            }
+        },
+        "/api/get-groups": {
+            "get": {
+                "tags": [
+                    "Group API"
+                ],
+                "description": "get groups",
+                "operationId": "ApiController.GetGroups",
+                "parameters": [
+                    {
+                        "in": "query",
+                        "name": "owner",
+                        "description": "The owner of groups",
+                        "required": true,
+                        "type": "string"
+                    }
+                ],
+                "responses": {
+                    "200": {
+                        "description": "The Response object",
+                        "schema": {
+                            "type": "array",
+                            "items": {
+                                "$ref": "#/definitions/object.Group"
+                            }
+                        }
+                    }
+                }
+            }
+        },
        "/api/get-ldap": {
            "get": {
                "tags": [
@ -2045,7 +2275,7 @@
                "tags": [
                    "Organization API"
                ],
-                "description": "get all organization names",
+                "description": "get all organization name and displayName",
                "operationId": "ApiController.GetOrganizationNames",
                "parameters": [
                    {
@ -2338,7 +2568,7 @@
                    "200": {
                        "description": "The Response object",
                        "schema": {
-                            "$ref": "#/definitions/object.pricing"
+                            "$ref": "#/definitions/object.Pricing"
                        }
                    }
                }
@ -2753,7 +2983,7 @@
                    "200": {
                        "description": "The Response object",
                        "schema": {
-                            "$ref": "#/definitions/object.subscription"
+                            "$ref": "#/definitions/object.Subscription"
                        }
                    }
                }
@ -3328,7 +3558,7 @@
                    "200": {
                        "description": "The Response object",
                        "schema": {
-                            "$ref": "#/definitions/Response"
+                            "$ref": "#/definitions/controllers.Response"
                        }
                    }
                }
@ -3598,9 +3828,9 @@
                "operationId": "ApiController.MfaSetupInitiate",
                "responses": {
                    "200": {
-                        "description": "Response object",
+                        "description": "The Response object",
                        "schema": {
-                            "$ref": "#/definitions/The"
+                            "$ref": "#/definitions/controllers.Response"
                        }
                    }
                }
@ -3799,6 +4029,41 @@
                ]
            }
        },
+        "/api/update-adapter": {
+            "post": {
+                "tags": [
+                    "Adapter API"
+                ],
+                "description": "update adapter",
+                "operationId": "ApiController.UpdateCasbinAdapter",
+                "parameters": [
+                    {
+                        "in": "query",
+                        "name": "id",
+                        "description": "The id ( owner/name ) of the adapter",
+                        "required": true,
+                        "type": "string"
+                    },
+                    {
+                        "in": "body",
+                        "name": "body",
+                        "description": "The details of the adapter",
+                        "required": true,
+                        "schema": {
+                            "$ref": "#/definitions/object.Adapter"
+                        }
+                    }
+                ],
+                "responses": {
+                    "200": {
+                        "description": "The Response object",
+                        "schema": {
+                            "$ref": "#/definitions/controllers.Response"
+                        }
+                    }
+                }
+            }
+        },
        "/api/update-application": {
            "post": {
                "tags": [
@ -3904,6 +4169,41 @@
                }
            }
        },
+        "/api/update-group": {
+            "post": {
+                "tags": [
+                    "Group API"
+                ],
+                "description": "update group",
+                "operationId": "ApiController.UpdateGroup",
+                "parameters": [
+                    {
+                        "in": "query",
+                        "name": "id",
+                        "description": "The id ( owner/name ) of the group",
+                        "required": true,
+                        "type": "string"
+                    },
+                    {
+                        "in": "body",
+                        "name": "body",
+                        "description": "The details of the group",
+                        "required": true,
+                        "schema": {
+                            "$ref": "#/definitions/object.Group"
+                        }
+                    }
+                ],
+                "responses": {
+                    "200": {
+                        "description": "The Response object",
+                        "schema": {
+                            "$ref": "#/definitions/controllers.Response"
+                        }
+                    }
+                }
+            }
+        },
        "/api/update-ldap": {
            "post": {
                "tags": [
@ -4579,7 +4879,7 @@
                    "200": {
                        "description": "\"The Response object\"",
                        "schema": {
-                            "$ref": "#/definitions/Response"
+                            "$ref": "#/definitions/controllers.Response"
                        }
                    }
                }
@ -4624,7 +4924,7 @@
                    "200": {
                        "description": "\"The Response object\"",
                        "schema": {
-                            "$ref": "#/definitions/Response"
+                            "$ref": "#/definitions/controllers.Response"
                        }
                    }
                }
@ -4632,14 +4932,6 @@
        }
    },
    "definitions": {
-        "1225.0xc0002e2ae0.false": {
-            "title": "false",
-            "type": "object"
-        },
-        "1260.0xc0002e2b10.false": {
-            "title": "false",
-            "type": "object"
-        },
        "LaravelResponse": {
            "title": "LaravelResponse",
            "type": "object"
@ -4648,10 +4940,6 @@
            "title": "Response",
            "type": "object"
        },
-        "The": {
-            "title": "The",
-            "type": "object"
-        },
        "controllers.AuthForm": {
            "title": "AuthForm",
            "type": "object"
@ -4685,10 +4973,16 @@
            "type": "object",
            "properties": {
                "data": {
-                    "$ref": "#/definitions/1225.0xc0002e2ae0.false"
+                    "additionalProperties": {
+                        "description": "support string | class | List\u003cclass\u003e and os on",
+                        "type": "string"
+                    }
                },
                "data2": {
-                    "$ref": "#/definitions/1260.0xc0002e2b10.false"
+                    "additionalProperties": {
+                        "description": "support string | class | List\u003cclass\u003e and os on",
+                        "type": "string"
+                    }
                },
                "msg": {
                    "type": "string"
@ -4726,8 +5020,8 @@
            "title": "JSONWebKey",
            "type": "object"
        },
-        "object.\u0026{179844 0xc000a02f90 false}": {
-            "title": "\u0026{179844 0xc000a02f90 false}",
+        "object": {
+            "title": "object",
            "type": "object"
        },
        "object.AccountItem": {
@ -4917,7 +5211,7 @@
            "title": "CasbinRequest",
            "type": "array",
            "items": {
-                "$ref": "#/definitions/object.\u0026{179844 0xc000a02f90 false}"
+                "$ref": "#/definitions/object.CasbinRequest"
            }
        },
        "object.Cert": {
@ -5029,6 +5323,63 @@
                }
            }
        },
+        "object.Group": {
+            "title": "Group",
+            "type": "object",
+            "properties": {
+                "children": {
+                    "type": "array",
+                    "items": {
+                        "$ref": "#/definitions/object.Group"
+                    }
+                },
+                "contactEmail": {
+                    "type": "string"
+                },
+                "createdTime": {
+                    "type": "string"
+                },
+                "displayName": {
+                    "type": "string"
+                },
+                "isEnabled": {
+                    "type": "boolean"
+                },
+                "isTopGroup": {
+                    "type": "boolean"
+                },
+                "key": {
+                    "type": "string"
+                },
+                "manager": {
+                    "type": "string"
+                },
+                "name": {
+                    "type": "string"
+                },
+                "owner": {
+                    "type": "string"
+                },
+                "parentId": {
+                    "type": "string"
+                },
+                "title": {
+                    "type": "string"
+                },
+                "type": {
+                    "type": "string"
+                },
+                "updatedTime": {
+                    "type": "string"
+                },
+                "users": {
+                    "type": "array",
+                    "items": {
+                        "$ref": "#/definitions/object.User"
+                    }
+                }
+            }
+        },
        "object.Header": {
            "title": "Header",
            "type": "object",
@ -5175,12 +5526,15 @@
                "countryCode": {
                    "type": "string"
                },
-                "id": {
-                    "type": "string"
+                "enabled": {
+                    "type": "boolean"
                },
                "isPreferred": {
                    "type": "boolean"
                },
+                "mfaType": {
+                    "type": "string"
+                },
                "recoveryCodes": {
                    "type": "array",
                    "items": {
@ -5190,9 +5544,6 @@
                "secret": {
                    "type": "string"
                },
-                "type": {
-                    "type": "string"
-                },
                "url": {
                    "type": "string"
                }
@ -5205,6 +5556,9 @@
                "createdTime": {
                    "type": "string"
                },
+                "description": {
+                    "type": "string"
+                },
                "displayName": {
                    "type": "string"
                },
@ -5362,6 +5716,12 @@
                "owner": {
                    "type": "string"
                },
+                "passwordOptions": {
+                    "type": "array",
+                    "items": {
+                        "type": "string"
+                    }
+                },
                "passwordSalt": {
                    "type": "string"
                },
@ -5492,6 +5852,9 @@
                "createdTime": {
                    "type": "string"
                },
+                "description": {
+                    "type": "string"
+                },
                "displayName": {
                    "type": "string"
                },
@ -5611,9 +5974,6 @@
                "displayName": {
                    "type": "string"
                },
-                "hasTrial": {
-                    "type": "boolean"
-                },
                "isEnabled": {
                    "type": "boolean"
                },
@ -5933,6 +6293,9 @@
                "createdTime": {
                    "type": "string"
                },
+                "description": {
+                    "type": "string"
+                },
                "displayName": {
                    "type": "string"
                },
@ -6068,6 +6431,9 @@
                "isEnabled": {
                    "type": "boolean"
                },
+                "isReadOnly": {
+                    "type": "boolean"
+                },
                "name": {
                    "type": "string"
                },
@ -6248,6 +6614,12 @@
            "title": "User",
            "type": "object",
            "properties": {
+                "accessKey": {
+                    "type": "string"
+                },
+                "accessSecret": {
+                    "type": "string"
+                },
                "address": {
                    "type": "array",
                    "items": {
@ -6275,6 +6647,9 @@
                "avatar": {
                    "type": "string"
                },
+                "avatarType": {
+                    "type": "string"
+                },
                "azuread": {
                    "type": "string"
                },
@ -6380,6 +6755,12 @@
                "google": {
                    "type": "string"
                },
+                "groups": {
+                    "type": "array",
+                    "items": {
+                        "type": "string"
+                    }
+                },
                "hash": {
                    "type": "string"
                },
@ -6480,6 +6861,12 @@
                "meetup": {
                    "type": "string"
                },
+                "mfaEmailEnabled": {
+                    "type": "boolean"
+                },
+                "mfaPhoneEnabled": {
+                    "type": "boolean"
+                },
                "microsoftonline": {
                    "type": "string"
                },
@ -6540,6 +6927,9 @@
                "preHash": {
                    "type": "string"
                },
+                "preferredMfaType": {
+                    "type": "string"
+                },
                "properties": {
                    "additionalProperties": {
                        "type": "string"
@ -6552,6 +6942,12 @@
                    "type": "integer",
                    "format": "int64"
                },
+                "recoveryCodes": {
+                    "type": "array",
+                    "items": {
+                        "type": "string"
+                    }
+                },
                "region": {
                    "type": "string"
                },
@ -6605,6 +7001,9 @@
                "title": {
                    "type": "string"
                },
+                "totpSecret": {
+                    "type": "string"
+                },
                "tumblr": {
                    "type": "string"
                },
@ -6677,15 +7076,18 @@
                "email": {
                    "type": "string"
                },
+                "groups": {
+                    "type": "array",
+                    "items": {
+                        "type": "string"
+                    }
+                },
                "iss": {
                    "type": "string"
                },
                "name": {
                    "type": "string"
                },
-                "organization": {
-                    "type": "string"
-                },
                "phone": {
                    "type": "string"
                },
@ -6745,14 +7147,6 @@
                }
            }
        },
-        "object.pricing": {
-            "title": "pricing",
-            "type": "object"
-        },
-        "object.subscription": {
-            "title": "subscription",
-            "type": "object"
-        },
        "protocol.CredentialAssertion": {
            "title": "CredentialAssertion",
            "type": "object"
--- a/swagger/swagger.yml
+++ b/swagger/swagger.yml
@ -28,6 +28,24 @@ paths:
          description: ""
          schema:
            $ref: '#/definitions/object.OidcDiscovery'
+  /api/add-adapter:
+    post:
+      tags:
+      - Adapter API
+      description: add adapter
+      operationId: ApiController.AddCasbinAdapter
+      parameters:
+      - in: body
+        name: body
+        description: The details of the adapter
+        required: true
+        schema:
+          $ref: '#/definitions/object.Adapter'
+      responses:
+        "200":
+          description: The Response object
+          schema:
+            $ref: '#/definitions/controllers.Response'
  /api/add-application:
    post:
      tags:
@ -82,6 +100,24 @@ paths:
          description: The Response object
          schema:
            $ref: '#/definitions/controllers.Response'
+  /api/add-group:
+    post:
+      tags:
+      - Group API
+      description: add group
+      operationId: ApiController.AddGroup
+      parameters:
+      - in: body
+        name: body
+        description: The details of the group
+        required: true
+        schema:
+          $ref: '#/definitions/object.Group'
+      responses:
+        "200":
+          description: The Response object
+          schema:
+            $ref: '#/definitions/controllers.Response'
  /api/add-ldap:
    post:
      tags:
@ -386,6 +422,11 @@ paths:
          description: The Response object
          schema:
            $ref: '#/definitions/controllers.Response'
+  /api/add-user-keys:
+    post:
+      tags:
+      - User API
+      operationId: ApiController.AddUserkeys
  /api/add-webhook:
    post:
      tags:
@ -506,12 +547,12 @@ paths:
    post:
      tags:
      - Enforce API
-      description: perform enforce
+      description: Call Casbin BatchEnforce API
      operationId: ApiController.BatchEnforce
      parameters:
      - in: body
        name: body
-        description: casbin request array
+        description: array of casbin requests
        required: true
        schema:
          $ref: '#/definitions/object.CasbinRequest'
@ -555,6 +596,24 @@ paths:
      tags:
      - User API
      operationId: ApiController.CheckUserPassword
+  /api/delete-adapter:
+    post:
+      tags:
+      - Adapter API
+      description: delete adapter
+      operationId: ApiController.DeleteCasbinAdapter
+      parameters:
+      - in: body
+        name: body
+        description: The details of the adapter
+        required: true
+        schema:
+          $ref: '#/definitions/object.Adapter'
+      responses:
+        "200":
+          description: The Response object
+          schema:
+            $ref: '#/definitions/controllers.Response'
  /api/delete-application:
    post:
      tags:
@ -609,6 +668,24 @@ paths:
          description: The Response object
          schema:
            $ref: '#/definitions/controllers.Response'
+  /api/delete-group:
+    post:
+      tags:
+      - Group API
+      description: delete group
+      operationId: ApiController.DeleteGroup
+      parameters:
+      - in: body
+        name: body
+        description: The details of the group
+        required: true
+        schema:
+          $ref: '#/definitions/object.Group'
+      responses:
+        "200":
+          description: The Response object
+          schema:
+            $ref: '#/definitions/controllers.Response'
  /api/delete-ldap:
    post:
      tags:
@ -923,12 +1000,12 @@ paths:
    post:
      tags:
      - Enforce API
-      description: perform enforce
+      description: Call Casbin Enforce API
      operationId: ApiController.Enforce
      parameters:
      - in: body
        name: body
-        description: casbin request
+        description: Casbin request
        required: true
        schema:
          $ref: '#/definitions/object.CasbinRequest'
@ -960,6 +1037,42 @@ paths:
          description: The Response object
          schema:
            $ref: '#/definitions/controllers.Response'
+  /api/get-adapter:
+    get:
+      tags:
+      - Adapter API
+      description: get adapter
+      operationId: ApiController.GetCasbinAdapter
+      parameters:
+      - in: query
+        name: id
+        description: The id ( owner/name ) of the adapter
+        required: true
+        type: string
+      responses:
+        "200":
+          description: The Response object
+          schema:
+            $ref: '#/definitions/object.Adapter'
+  /api/get-adapters:
+    get:
+      tags:
+      - Adapter API
+      description: get adapters
+      operationId: ApiController.GetCasbinAdapters
+      parameters:
+      - in: query
+        name: owner
+        description: The owner of adapters
+        required: true
+        type: string
+      responses:
+        "200":
+          description: The Response object
+          schema:
+            type: array
+            items:
+              $ref: '#/definitions/object.Adapter'
  /api/get-app-login:
    get:
      tags:
@ -1183,6 +1296,42 @@ paths:
            type: array
            items:
              $ref: '#/definitions/object.Cert'
+  /api/get-group:
+    get:
+      tags:
+      - Group API
+      description: get group
+      operationId: ApiController.GetGroup
+      parameters:
+      - in: query
+        name: id
+        description: The id ( owner/name ) of the group
+        required: true
+        type: string
+      responses:
+        "200":
+          description: The Response object
+          schema:
+            $ref: '#/definitions/object.Group'
+  /api/get-groups:
+    get:
+      tags:
+      - Group API
+      description: get groups
+      operationId: ApiController.GetGroups
+      parameters:
+      - in: query
+        name: owner
+        description: The owner of groups
+        required: true
+        type: string
+      responses:
+        "200":
+          description: The Response object
+          schema:
+            type: array
+            items:
+              $ref: '#/definitions/object.Group'
  /api/get-ldap:
    get:
      tags:
@ -1327,7 +1476,7 @@ paths:
    get:
      tags:
      - Organization API
-      description: get all organization names
+      description: get all organization name and displayName
      operationId: ApiController.GetOrganizationNames
      parameters:
      - in: query
@ -1521,7 +1670,7 @@ paths:
        "200":
          description: The Response object
          schema:
-            $ref: '#/definitions/object.pricing'
+            $ref: '#/definitions/object.Pricing'
  /api/get-pricings:
    get:
      tags:
@ -1793,7 +1942,7 @@ paths:
        "200":
          description: The Response object
          schema:
-            $ref: '#/definitions/object.subscription'
+            $ref: '#/definitions/object.Subscription'
  /api/get-subscriptions:
    get:
      tags:
@ -2172,7 +2321,7 @@ paths:
        "200":
          description: The Response object
          schema:
-            $ref: '#/definitions/Response'
+            $ref: '#/definitions/controllers.Response'
  /api/login/oauth/access_token:
    post:
      tags:
@ -2351,9 +2500,9 @@ paths:
      operationId: ApiController.MfaSetupInitiate
      responses:
        "200":
-          description: Response object
+          description: The Response object
          schema:
-            $ref: '#/definitions/The'
+            $ref: '#/definitions/controllers.Response'
  /api/mfa/setup/verify:
    post:
      tags:
@ -2480,6 +2629,29 @@ paths:
    post:
      tags:
      - Login API
+  /api/update-adapter:
+    post:
+      tags:
+      - Adapter API
+      description: update adapter
+      operationId: ApiController.UpdateCasbinAdapter
+      parameters:
+      - in: query
+        name: id
+        description: The id ( owner/name ) of the adapter
+        required: true
+        type: string
+      - in: body
+        name: body
+        description: The details of the adapter
+        required: true
+        schema:
+          $ref: '#/definitions/object.Adapter'
+      responses:
+        "200":
+          description: The Response object
+          schema:
+            $ref: '#/definitions/controllers.Response'
  /api/update-application:
    post:
      tags:
@ -2549,6 +2721,29 @@ paths:
          description: The Response object
          schema:
            $ref: '#/definitions/controllers.Response'
+  /api/update-group:
+    post:
+      tags:
+      - Group API
+      description: update group
+      operationId: ApiController.UpdateGroup
+      parameters:
+      - in: query
+        name: id
+        description: The id ( owner/name ) of the group
+        required: true
+        type: string
+      - in: body
+        name: body
+        description: The details of the group
+        required: true
+        schema:
+          $ref: '#/definitions/object.Group'
+      responses:
+        "200":
+          description: The Response object
+          schema:
+            $ref: '#/definitions/controllers.Response'
  /api/update-ldap:
    post:
      tags:
@ -2994,7 +3189,7 @@ paths:
        "200":
          description: '"The Response object"'
          schema:
-            $ref: '#/definitions/Response'
+            $ref: '#/definitions/controllers.Response'
  /api/webauthn/signup/begin:
    get:
      tags:
@ -3023,23 +3218,14 @@ paths:
        "200":
          description: '"The Response object"'
          schema:
-            $ref: '#/definitions/Response'
+            $ref: '#/definitions/controllers.Response'
 definitions:
-  1225.0xc0002e2ae0.false:
-    title: "false"
-    type: object
-  1260.0xc0002e2b10.false:
-    title: "false"
-    type: object
  LaravelResponse:
    title: LaravelResponse
    type: object
  Response:
    title: Response
    type: object
-  The:
-    title: The
-    type: object
  controllers.AuthForm:
    title: AuthForm
    type: object
@ -3064,9 +3250,13 @@ definitions:
    type: object
    properties:
      data:
-        $ref: '#/definitions/1225.0xc0002e2ae0.false'
+        additionalProperties:
+          description: support string | class | List<class> and os on
+          type: string
      data2:
-        $ref: '#/definitions/1260.0xc0002e2b10.false'
+        additionalProperties:
+          description: support string | class | List<class> and os on
+          type: string
      msg:
        type: string
      name:
@ -3090,8 +3280,8 @@ definitions:
  jose.JSONWebKey:
    title: JSONWebKey
    type: object
-  object.&{179844 0xc000a02f90 false}:
-    title: '&{179844 0xc000a02f90 false}'
+  object:
+    title: object
    type: object
  object.AccountItem:
    title: AccountItem
@ -3220,7 +3410,7 @@ definitions:
    title: CasbinRequest
    type: array
    items:
-      $ref: '#/definitions/object.&{179844 0xc000a02f90 false}'
+      $ref: '#/definitions/object.CasbinRequest'
  object.Cert:
    title: Cert
    type: object
@ -3295,6 +3485,44 @@ definitions:
      throughput:
        type: number
        format: double
+  object.Group:
+    title: Group
+    type: object
+    properties:
+      children:
+        type: array
+        items:
+          $ref: '#/definitions/object.Group'
+      contactEmail:
+        type: string
+      createdTime:
+        type: string
+      displayName:
+        type: string
+      isEnabled:
+        type: boolean
+      isTopGroup:
+        type: boolean
+      key:
+        type: string
+      manager:
+        type: string
+      name:
+        type: string
+      owner:
+        type: string
+      parentId:
+        type: string
+      title:
+        type: string
+      type:
+        type: string
+      updatedTime:
+        type: string
+      users:
+        type: array
+        items:
+          $ref: '#/definitions/object.User'
  object.Header:
    title: Header
    type: object
@ -3395,18 +3623,18 @@ definitions:
    properties:
      countryCode:
        type: string
-      id:
-        type: string
+      enabled:
+        type: boolean
      isPreferred:
        type: boolean
+      mfaType:
+        type: string
      recoveryCodes:
        type: array
        items:
          type: string
      secret:
        type: string
-      type:
-        type: string
      url:
        type: string
  object.Model:
@ -3415,6 +3643,8 @@ definitions:
    properties:
      createdTime:
        type: string
+      description:
+        type: string
      displayName:
        type: string
      isEnabled:
@ -3520,6 +3750,10 @@ definitions:
        type: string
      owner:
        type: string
+      passwordOptions:
+        type: array
+        items:
+          type: string
      passwordSalt:
        type: string
      passwordType:
@ -3607,6 +3841,8 @@ definitions:
        type: string
      createdTime:
        type: string
+      description:
+        type: string
      displayName:
        type: string
      domains:
@ -3687,8 +3923,6 @@ definitions:
        type: string
      displayName:
        type: string
-      hasTrial:
-        type: boolean
      isEnabled:
        type: boolean
      name:
@ -3904,6 +4138,8 @@ definitions:
    properties:
      createdTime:
        type: string
+      description:
+        type: string
      displayName:
        type: string
      domains:
@ -3995,6 +4231,8 @@ definitions:
        type: string
      isEnabled:
        type: boolean
+      isReadOnly:
+        type: boolean
      name:
        type: string
      organization:
@ -4117,6 +4355,10 @@ definitions:
    title: User
    type: object
    properties:
+      accessKey:
+        type: string
+      accessSecret:
+        type: string
      address:
        type: array
        items:
@ -4135,6 +4377,8 @@ definitions:
        type: string
      avatar:
        type: string
+      avatarType:
+        type: string
      azuread:
        type: string
      baidu:
@ -4205,6 +4449,10 @@ definitions:
        type: string
      google:
        type: string
+      groups:
+        type: array
+        items:
+          type: string
      hash:
        type: string
      heroku:
@ -4272,6 +4520,10 @@ definitions:
          $ref: '#/definitions/object.ManagedAccount'
      meetup:
        type: string
+      mfaEmailEnabled:
+        type: boolean
+      mfaPhoneEnabled:
+        type: boolean
      microsoftonline:
        type: string
      multiFactorAuths:
@ -4312,6 +4564,8 @@ definitions:
        type: string
      preHash:
        type: string
+      preferredMfaType:
+        type: string
      properties:
        additionalProperties:
          type: string
@ -4320,6 +4574,10 @@ definitions:
      ranking:
        type: integer
        format: int64
+      recoveryCodes:
+        type: array
+        items:
+          type: string
      region:
        type: string
      roles:
@ -4356,6 +4614,8 @@ definitions:
        type: string
      title:
        type: string
+      totpSecret:
+        type: string
      tumblr:
        type: string
      twitch:
@ -4404,12 +4664,14 @@ definitions:
        type: string
      email:
        type: string
+      groups:
+        type: array
+        items:
+          type: string
      iss:
        type: string
      name:
        type: string
-      organization:
-        type: string
      phone:
        type: string
      picture:
@ -4448,12 +4710,6 @@ definitions:
        type: string
      url:
        type: string
-  object.pricing:
-    title: pricing
-    type: object
-  object.subscription:
-    title: subscription
-    type: object
  protocol.CredentialAssertion:
    title: CredentialAssertion
    type: object
--- a/util/slice.go
+++ b/util/slice.go
@ -26,11 +26,32 @@ func DeleteVal(values []string, val string) []string {
 	return newValues
 }

+func ReplaceVal(values []string, oldVal string, newVal string) []string {
+	newValues := []string{}
+	for _, v := range values {
+		if v == oldVal {
+			newValues = append(newValues, newVal)
+		} else {
+			newValues = append(newValues, v)
+		}
+	}
+	return newValues
+}
+
 func ContainsString(values []string, val string) bool {
 	sort.Strings(values)
 	return sort.SearchStrings(values, val) != len(values)
 }

+func InSlice(slice []string, elem string) bool {
+	for _, val := range slice {
+		if val == elem {
+			return true
+		}
+	}
+	return false
+}
+
 func ReturnAnyNotEmpty(strs ...string) string {
 	for _, str := range strs {
 		if str != "" {
--- a/util/string.go
+++ b/util/string.go
@ -22,6 +22,7 @@ import (
 	"fmt"
 	"math/rand"
 	"os"
+	"path/filepath"
 	"strconv"
 	"strings"
 	"time"
@ -201,7 +202,7 @@ func GetMinLenStr(strs ...string) string {
 }

 func ReadStringFromPath(path string) string {
-	data, err := os.ReadFile(path)
+	data, err := os.ReadFile(filepath.Clean(path))
 	if err != nil {
 		panic(err)
 	}
--- a/util/system.go
+++ b/util/system.go
@ -18,6 +18,7 @@ import (
 	"bufio"
 	"os"
 	"path"
+	"path/filepath"
 	"regexp"
 	"runtime"
 	"strconv"
@ -155,7 +156,7 @@ func GetVersionInfoFromFile() (*VersionInfo, error) {

 	_, filename, _, _ := runtime.Caller(0)
 	rootPath := path.Dir(path.Dir(filename))
-	file, err := os.Open(path.Join(rootPath, "version_info.txt"))
+	file, err := os.Open(filepath.Clean(path.Join(rootPath, "version_info.txt")))
 	if err != nil {
 		return res, err
 	}
--- a/util/validation.go
+++ b/util/validation.go
@ -22,10 +22,18 @@ import (
 	"github.com/nyaruka/phonenumbers"
 )

-var rePhone *regexp.Regexp
+var (
+	rePhone          *regexp.Regexp
+	ReWhiteSpace     *regexp.Regexp
+	ReFieldWhiteList *regexp.Regexp
+	ReUserName       *regexp.Regexp
+)

 func init() {
 	rePhone, _ = regexp.Compile(`(\d{3})\d*(\d{4})`)
+	ReWhiteSpace, _ = regexp.Compile(`\s`)
+	ReFieldWhiteList, _ = regexp.Compile(`^[A-Za-z0-9]+$`)
+	ReUserName, _ = regexp.Compile("^[a-zA-Z0-9]+((?:-[a-zA-Z0-9]+)|(?:_[a-zA-Z0-9]+))*$")
 }

 func IsEmailValid(email string) bool {
@ -70,3 +78,7 @@ func GetCountryCode(prefix string, phone string) (string, error) {

 	return countryCode, nil
 }
+
+func FilterField(field string) bool {
+	return ReFieldWhiteList.MatchString(field)
+}
--- a/web/package.json
+++ b/web/package.json
@ -24,8 +24,6 @@
    "i18next": "^19.8.9",
    "libphonenumber-js": "^1.10.19",
    "moment": "^2.29.1",
-    "qrcode.react": "^3.1.0",
-    "qs": "^6.10.2",
    "react": "^18.2.0",
    "react-app-polyfill": "^3.0.0",
    "react-codemirror2": "^7.2.1",
--- a/web/src/AdapterEditPage.js
+++ b/web/src/AdapterEditPage.js
@ -76,6 +76,10 @@ class AdapterEditPage extends React.Component {
  getModels(organizationName) {
    ModelBackend.getModels(organizationName)
      .then((res) => {
+        if (res.status === "error") {
+          Setting.showMessage("error", res.msg);
+          return;
+        }
        this.setState({
          models: res,
        });
--- a/web/src/App.js
+++ b/web/src/App.js
@ -343,9 +343,11 @@ class App extends Component {
    items.push(Setting.getItem(<><SettingOutlined />&nbsp;&nbsp;{i18next.t("account:My Account")}</>,
      "/account"
    ));
-    items.push(Setting.getItem(<><CommentOutlined />&nbsp;&nbsp;{i18next.t("account:Chats & Messages")}</>,
-      "/chat"
-    ));
+    if (Conf.EnableChatPages) {
+      items.push(Setting.getItem(<><CommentOutlined />&nbsp;&nbsp;{i18next.t("account:Chats & Messages")}</>,
+        "/chat"
+      ));
+    }
    items.push(Setting.getItem(<><LogoutOutlined />&nbsp;&nbsp;{i18next.t("account:Logout")}</>,
      "/logout"));

@ -411,6 +413,14 @@ class App extends Component {
    res.push(Setting.getItem(<Link to="/">{i18next.t("general:Home")}</Link>, "/"));

    if (Setting.isLocalAdminUser(this.state.account)) {
+      if (Conf.ShowGithubCorner) {
+        res.push(Setting.getItem(<a href={"https://casdoor.com"}>
+          <span style={{fontWeight: "bold", backgroundColor: "rgba(87,52,211,0.4)", marginTop: "12px", paddingLeft: "5px", paddingRight: "5px", display: "flex", alignItems: "center", height: "40px", borderRadius: "5px"}}>
+            🚀 SaaS Hosting 🔥
+          </span>
+        </a>, "#"));
+      }
+
      res.push(Setting.getItem(<Link to="/organizations">{i18next.t("general:Organizations")}</Link>,
        "/organizations"));

@ -449,13 +459,15 @@ class App extends Component {
        "/providers"
      ));

-      res.push(Setting.getItem(<Link to="/chats">{i18next.t("general:Chats")}</Link>,
-        "/chats"
-      ));
+      if (Conf.EnableChatPages) {
+        res.push(Setting.getItem(<Link to="/chats">{i18next.t("general:Chats")}</Link>,
+          "/chats"
+        ));

-      res.push(Setting.getItem(<Link to="/messages">{i18next.t("general:Messages")}</Link>,
-        "/messages"
-      ));
+        res.push(Setting.getItem(<Link to="/messages">{i18next.t("general:Messages")}</Link>,
+          "/messages"
+        ));
+      }

      res.push(Setting.getItem(<Link to="/resources">{i18next.t("general:Resources")}</Link>,
        "/resources"
@ -476,7 +488,6 @@ class App extends Component {
      res.push(Setting.getItem(<Link to="/subscriptions">{i18next.t("general:Subscriptions")}</Link>,
        "/subscriptions"
      ));
-
    }

    if (Setting.isLocalAdminUser(this.state.account)) {
@ -501,7 +512,6 @@ class App extends Component {
      ));

      if (Conf.EnableExtraPages) {
-
        res.push(Setting.getItem(<Link to="/products">{i18next.t("general:Products")}</Link>,
          "/products"
        ));
@ -510,8 +520,8 @@ class App extends Component {
          "/payments"
        ));
      }
-
    }
+
    if (Setting.isAdminUser(this.state.account)) {
      res.push(Setting.getItem(<Link to="/sysinfo">{i18next.t("general:System Info")}</Link>,
        "/sysinfo"
--- a/web/src/ApplicationEditPage.js
+++ b/web/src/ApplicationEditPage.js
@ -118,20 +118,30 @@ class ApplicationEditPage extends React.Component {

  getApplication() {
    ApplicationBackend.getApplication("admin", this.state.applicationName)
-      .then((application) => {
-        if (application === null) {
+      .then((res) => {
+        if (res === null) {
          this.props.history.push("/404");
          return;
        }

-        if (application.grantTypes === null || application.grantTypes === undefined || application.grantTypes.length === 0) {
-          application.grantTypes = ["authorization_code"];
+        if (res.status === "error") {
+          Setting.showMessage("error", res.msg);
+          return;
        }
+
+        if (res.grantTypes === null || res.grantTypes === undefined || res.grantTypes.length === 0) {
+          res.grantTypes = ["authorization_code"];
+        }
+
+        if (res.tags === null || res.tags === undefined) {
+          res.tags = [];
+        }
+
        this.setState({
-          application: application,
+          application: res,
        });

-        this.getCerts(application.organization);
+        this.getCerts(res.organization);
      });
  }

@ -307,6 +317,18 @@ class ApplicationEditPage extends React.Component {
            </Select>
          </Col>
        </Row>
+        <Row style={{marginTop: "20px"}} >
+          <Col style={{marginTop: "5px"}} span={(Setting.isMobile()) ? 22 : 2}>
+            {Setting.getLabel(i18next.t("organization:Tags"), i18next.t("application:Tags - Tooltip"))} :
+          </Col>
+          <Col span={22} >
+            <Select virtual={false} mode="tags" style={{width: "100%"}} value={this.state.application.tags} onChange={(value => {this.updateApplicationField("tags", value);})}>
+              {
+                this.state.application.tags?.map((item, index) => <Option key={index} value={item}>{item}</Option>)
+              }
+            </Select>
+          </Col>
+        </Row>
        <Row style={{marginTop: "20px"}} >
          <Col style={{marginTop: "5px"}} span={(Setting.isMobile()) ? 22 : 2}>
            {Setting.getLabel(i18next.t("provider:Client ID"), i18next.t("provider:Client ID - Tooltip"))} :
--- a/web/src/CertEditPage.js
+++ b/web/src/CertEditPage.js
@ -44,14 +44,19 @@ class CertEditPage extends React.Component {

  getCert() {
    CertBackend.getCert(this.state.owner, this.state.certName)
-      .then((cert) => {
-        if (cert === null) {
+      .then((res) => {
+        if (res === null) {
          this.props.history.push("/404");
          return;
        }

+        if (res.status === "error") {
+          Setting.showMessage("error", res.msg);
+          return;
+        }
+
        this.setState({
-          cert: cert,
+          cert: res,
        });
      });
  }
--- a/web/src/ChatEditPage.js
+++ b/web/src/ChatEditPage.js
@ -40,17 +40,21 @@ class ChatEditPage extends React.Component {

  getChat() {
    ChatBackend.getChat("admin", this.state.chatName)
-      .then((chat) => {
-        if (chat === null) {
+      .then((res) => {
+        if (res === null) {
          this.props.history.push("/404");
          return;
        }

+        if (res.status === "error") {
+          Setting.showMessage("error", res.msg);
+          return;
+        }
        this.setState({
-          chat: chat,
+          chat: res,
        });

-        this.getUsers(chat.organization);
+        this.getUsers(res.organization);
      });
  }

@ -66,6 +70,11 @@ class ChatEditPage extends React.Component {
  getUsers(organizationName) {
    UserBackend.getUsers(organizationName)
      .then((res) => {
+        if (res.status === "error") {
+          Setting.showMessage("error", res.msg);
+          return;
+        }
+
        this.setState({
          users: res,
        });
--- a/web/src/Conf.js
+++ b/web/src/Conf.js
@ -21,6 +21,8 @@ export const DefaultLanguage = "en";

 export const EnableExtraPages = true;

+export const EnableChatPages = true;
+
 export const InitThemeAlgorithm = true;
 export const ThemeDefault = {
  themeType: "default",
--- a/web/src/EntryPage.js
+++ b/web/src/EntryPage.js
@ -74,8 +74,12 @@ class EntryPage extends React.Component {
      });

      ApplicationBackend.getApplication("admin", pricing.application)
-        .then((application) => {
-          const themeData = application !== null ? Setting.getThemeData(application.organizationObj, application) : Conf.ThemeDefault;
+        .then((res) => {
+          if (res.status === "error") {
+            Setting.showMessage("error", res.msg);
+            return;
+          }
+          const themeData = res !== null ? Setting.getThemeData(res.organizationObj, res) : Conf.ThemeDefault;
          this.props.updataThemeData(themeData);
        });
    };
--- a/web/src/GroupEdit.js
+++ b/web/src/GroupEdit.js
@ -131,7 +131,7 @@ class GroupEditPage extends React.Component {
            {Setting.getLabel(i18next.t("general:Name"), i18next.t("general:Name - Tooltip"))} :
          </Col>
          <Col span={22} >
-            <Input disabled={true} value={this.state.group.name} onChange={e => {
+            <Input value={this.state.group.name} onChange={e => {
              this.updateGroupField("name", e.target.value);
            }} />
          </Col>
--- a/web/src/MessageEditPage.js
+++ b/web/src/MessageEditPage.js
@ -45,17 +45,20 @@ class MessageEditPage extends React.Component {

  getMessage() {
    MessageBackend.getMessage("admin", this.state.messageName)
-      .then((message) => {
-        if (message === null) {
+      .then((res) => {
+        if (res === null) {
          this.props.history.push("/404");
          return;
        }
-
+        if (res.status === "error") {
+          Setting.showMessage("error", res.msg);
+          return;
+        }
        this.setState({
-          message: message,
+          message: res,
        });

-        this.getUsers(message.organization);
+        this.getUsers(res.organization);
      });
  }

@ -80,6 +83,10 @@ class MessageEditPage extends React.Component {
  getUsers(organizationName) {
    UserBackend.getUsers(organizationName)
      .then((res) => {
+        if (res.status === "error") {
+          Setting.showMessage("error", res.msg);
+          return;
+        }
        this.setState({
          users: res,
        });
--- a/web/src/ModelEditPage.js
+++ b/web/src/ModelEditPage.js
@ -47,14 +47,19 @@ class ModelEditPage extends React.Component {

  getModel() {
    ModelBackend.getModel(this.state.organizationName, this.state.modelName)
-      .then((model) => {
-        if (model === null) {
+      .then((res) => {
+        if (res === null) {
          this.props.history.push("/404");
          return;
        }

+        if (res.status === "error") {
+          Setting.showMessage("error", res.msg);
+          return;
+        }
+
        this.setState({
-          model: model,
+          model: res,
        });
      });
  }
--- a/web/src/OrganizationEditPage.js
+++ b/web/src/OrganizationEditPage.js
@ -68,9 +68,14 @@ class OrganizationEditPage extends React.Component {

  getApplications() {
    ApplicationBackend.getApplicationsByOrganization("admin", this.state.organizationName)
-      .then((applications) => {
+      .then((res) => {
+        if (res.status === "error") {
+          Setting.showMessage("error", res.msg);
+          return;
+        }
+
        this.setState({
-          applications: applications,
+          applications: res,
        });
      });
  }
--- a/web/src/PermissionEditPage.js
+++ b/web/src/PermissionEditPage.js
@ -49,21 +49,26 @@ class PermissionEditPage extends React.Component {

  getPermission() {
    PermissionBackend.getPermission(this.state.organizationName, this.state.permissionName)
-      .then((permission) => {
-        if (permission === null) {
+      .then((res) => {
+        if (res === null) {
          this.props.history.push("/404");
          return;
        }

+        if (res.status === "error") {
+          Setting.showMessage("error", res.msg);
+          return;
+        }
+
        this.setState({
-          permission: permission,
+          permission: res,
        });

-        this.getUsers(permission.owner);
-        this.getRoles(permission.owner);
-        this.getModels(permission.owner);
-        this.getResources(permission.owner);
-        this.getModel(permission.owner, permission.model);
+        this.getUsers(res.owner);
+        this.getRoles(res.owner);
+        this.getModels(res.owner);
+        this.getResources(res.owner);
+        this.getModel(res.owner, res.model);
      });
  }

@ -79,6 +84,10 @@ class PermissionEditPage extends React.Component {
  getUsers(organizationName) {
    UserBackend.getUsers(organizationName)
      .then((res) => {
+        if (res.status === "error") {
+          Setting.showMessage("error", res.msg);
+          return;
+        }
        this.setState({
          users: res,
        });
@ -88,6 +97,10 @@ class PermissionEditPage extends React.Component {
  getRoles(organizationName) {
    RoleBackend.getRoles(organizationName)
      .then((res) => {
+        if (res.status === "error") {
+          Setting.showMessage("error", res.msg);
+          return;
+        }
        this.setState({
          roles: res,
        });
@ -97,6 +110,10 @@ class PermissionEditPage extends React.Component {
  getModels(organizationName) {
    ModelBackend.getModels(organizationName)
      .then((res) => {
+        if (res.status === "error") {
+          Setting.showMessage("error", res.msg);
+          return;
+        }
        this.setState({
          models: res,
        });
@ -106,6 +123,10 @@ class PermissionEditPage extends React.Component {
  getModel(organizationName, modelName) {
    ModelBackend.getModel(organizationName, modelName)
      .then((res) => {
+        if (res.status === "error") {
+          Setting.showMessage("error", res.msg);
+          return;
+        }
        this.setState({
          model: res,
        });
--- a/web/src/PlanEditPage.js
+++ b/web/src/PlanEditPage.js
@ -64,6 +64,10 @@ class PlanEditPage extends React.Component {
  getRoles(organizationName) {
    RoleBackend.getRoles(organizationName)
      .then((res) => {
+        if (res.status === "error") {
+          Setting.showMessage("error", res.msg);
+          return;
+        }
        this.setState({
          roles: res,
        });
@ -73,6 +77,10 @@ class PlanEditPage extends React.Component {
  getUsers(organizationName) {
    UserBackend.getUsers(organizationName)
      .then((res) => {
+        if (res.status === "error") {
+          Setting.showMessage("error", res.msg);
+          return;
+        }
        this.setState({
          users: res,
        });
--- a/web/src/PricingEditPage.js
+++ b/web/src/PricingEditPage.js
@ -49,22 +49,31 @@ class PricingEditPage extends React.Component {

  getPricing() {
    PricingBackend.getPricing(this.state.organizationName, this.state.pricingName)
-      .then((pricing) => {
-        if (pricing === null) {
+      .then((res) => {
+        if (res === null) {
          this.props.history.push("/404");
          return;
        }

+        if (res.status === "error") {
+          Setting.showMessage("error", res.msg);
+          return;
+        }
+
        this.setState({
-          pricing: pricing,
+          pricing: res,
        });
-        this.getPlans(pricing.owner);
+        this.getPlans(res.owner);
      });
  }

  getPlans(organizationName) {
    PlanBackend.getPlans(organizationName)
      .then((res) => {
+        if (res.status === "error") {
+          Setting.showMessage("error", res.msg);
+          return;
+        }
        this.setState({
          plans: res,
        });
@ -109,9 +118,13 @@ class PricingEditPage extends React.Component {

  getUserApplication() {
    ApplicationBackend.getUserApplication(this.state.organizationName, this.state.userName)
-      .then((application) => {
+      .then((res) => {
+        if (res.status === "error") {
+          Setting.showMessage("error", res.msg);
+          return;
+        }
        this.setState({
-          application: application,
+          application: res,
        });
      });
  }
--- a/web/src/ProductBuyPage.js
+++ b/web/src/ProductBuyPage.js
@ -41,9 +41,14 @@ class ProductBuyPage extends React.Component {
    }

    ProductBackend.getProduct(this.props.account.owner, this.state.productName)
-      .then((product) => {
+      .then((res) => {
+        if (res.status === "error") {
+          Setting.showMessage("error", res.msg);
+          return;
+        }
+
        this.setState({
-          product: product,
+          product: res,
        });
      });
  }
--- a/web/src/RoleEditPage.js
+++ b/web/src/RoleEditPage.js
@ -42,18 +42,22 @@ class RoleEditPage extends React.Component {

  getRole() {
    RoleBackend.getRole(this.state.organizationName, this.state.roleName)
-      .then((role) => {
-        if (role === null) {
+      .then((res) => {
+        if (res === null) {
          this.props.history.push("/404");
          return;
        }
+        if (res.status === "error") {
+          Setting.showMessage("error", res.msg);
+          return;
+        }

        this.setState({
-          role: role,
+          role: res,
        });

-        this.getUsers(role.owner);
-        this.getRoles(role.owner);
+        this.getUsers(res.owner);
+        this.getRoles(res.owner);
      });
  }

@ -69,6 +73,10 @@ class RoleEditPage extends React.Component {
  getUsers(organizationName) {
    UserBackend.getUsers(organizationName)
      .then((res) => {
+        if (res.status === "error") {
+          Setting.showMessage("error", res.msg);
+          return;
+        }
        this.setState({
          users: res,
        });
@ -78,6 +86,10 @@ class RoleEditPage extends React.Component {
  getRoles(organizationName) {
    RoleBackend.getRoles(organizationName)
      .then((res) => {
+        if (res.status === "error") {
+          Setting.showMessage("error", res.msg);
+          return;
+        }
        this.setState({
          roles: res,
        });
--- a/web/src/SubscriptionEditPage.js
+++ b/web/src/SubscriptionEditPage.js
@ -46,18 +46,23 @@ class SubscriptionEditPage extends React.Component {

  getSubscription() {
    SubscriptionBackend.getSubscription(this.state.organizationName, this.state.subscriptionName)
-      .then((subscription) => {
-        if (subscription === null) {
+      .then((res) => {
+        if (res === null) {
          this.props.history.push("/404");
          return;
        }

+        if (res.status === "error") {
+          Setting.showMessage("error", res.msg);
+          return;
+        }
+
        this.setState({
-          subscription: subscription,
+          subscription: res,
        });

-        this.getUsers(subscription.owner);
-        this.getPlanes(subscription.owner);
+        this.getUsers(res.owner);
+        this.getPlanes(res.owner);
      });
  }

@ -73,6 +78,10 @@ class SubscriptionEditPage extends React.Component {
  getUsers(organizationName) {
    UserBackend.getUsers(organizationName)
      .then((res) => {
+        if (res.status === "error") {
+          Setting.showMessage("error", res.msg);
+          return;
+        }
        this.setState({
          users: res,
        });
--- a/web/src/SyncerEditPage.js
+++ b/web/src/SyncerEditPage.js
@ -47,14 +47,19 @@ class SyncerEditPage extends React.Component {

  getSyncer() {
    SyncerBackend.getSyncer("admin", this.state.syncerName)
-      .then((syncer) => {
-        if (syncer === null) {
+      .then((res) => {
+        if (res === null) {
          this.props.history.push("/404");
          return;
        }

+        if (res.status === "error") {
+          Setting.showMessage("error", res.msg);
+          return;
+        }
+
        this.setState({
-          syncer: syncer,
+          syncer: res,
        });
      });
  }
@ -376,6 +381,16 @@ class SyncerEditPage extends React.Component {
            </div>
          </Col>
        </Row>
+        <Row style={{marginTop: "20px"}} >
+          <Col style={{marginTop: "5px"}} span={(Setting.isMobile()) ? 19 : 2}>
+            {Setting.getLabel(i18next.t("syncer:Is read-only"), i18next.t("syncer:Is read-only - Tooltip"))} :
+          </Col>
+          <Col span={1} >
+            <Switch checked={this.state.syncer.isReadOnly} onChange={checked => {
+              this.updateSyncerField("isReadOnly", checked);
+            }} />
+          </Col>
+        </Row>
        <Row style={{marginTop: "20px"}} >
          <Col style={{marginTop: "5px"}} span={(Setting.isMobile()) ? 19 : 2}>
            {Setting.getLabel(i18next.t("general:Is enabled"), i18next.t("general:Is enabled - Tooltip"))} :
--- a/web/src/SyncerListPage.js
+++ b/web/src/SyncerListPage.js
@ -42,6 +42,7 @@ class SyncerListPage extends BaseListPage {
      affiliationTable: "",
      avatarBaseUrl: "",
      syncInterval: 10,
+      isReadOnly: false,
      isEnabled: false,
    };
  }
--- a/web/src/TokenEditPage.js
+++ b/web/src/TokenEditPage.js
@ -35,14 +35,19 @@ class TokenEditPage extends React.Component {

  getToken() {
    TokenBackend.getToken("admin", this.state.tokenName)
-      .then((token) => {
-        if (token === null) {
+      .then((res) => {
+        if (res === null) {
          this.props.history.push("/404");
          return;
        }

+        if (res.status === "error") {
+          Setting.showMessage("error", res.msg);
+          return;
+        }
+
        this.setState({
-          token: token,
+          token: res,
        });
      });
  }
--- a/Show More
+++ b/Show More
Author	SHA1	Message	Date
Baihhh	91cb5f393a	fix: fix Swagger docs page (#2025 ) Signed-off-by: baihhh <2542274498@qq.com>	2023-06-30 00:48:39 +08:00
haiwu	807aea5ec7	feat: add tags to application (#2027 ) * feat: add tags to application * fix: fix for merge master * feat: update i18n(backend&frontend) for application tags	2023-06-30 00:04:12 +08:00
Yaodong Yu	1c42b6e395	fix: refactor the idp and regex code (#2030 ) * refactor: validate util and idp * chore: clean code * chore: clean code	2023-06-29 21:44:14 +08:00
Ilya Sulimanov	49a73f8138	fix: getOrganization without pagination for global admin (#2028 ) * fix: getOrganization without pagination for global admin return only built-in org * fix gofumpt	2023-06-29 18:56:19 +08:00
Yang Luo	55784c68a3	Fix bug in /get-organizations API for org admin	2023-06-28 09:19:39 +08:00
June	8080b10b3b	feat: show code signin page with password disabled (#2021 )	2023-06-28 00:38:48 +08:00
Trần Thanh Tịnh	cd7589775c	feat: replace all panic by response err (#1993 ) * fix: missing return after response error * feat: handle error in frontend * feat: disable loading and catch org edit error * chore: i18 for error message * chore: remove break line * feat: application catching error	2023-06-27 21:33:47 +08:00
Yaodong Yu	0a8c2a35fe	feat: add TOTP multi-factor authentication (#2014 ) * feat: add totp multi-factor authentication * feat: add license * feat:i18n and update yarn.lock * feat:i18n * fix: i18n	2023-06-24 18:39:54 +08:00
XDTD	d1e734e4ce	fix: set the default value of user.Groups for syncer (#2016 ) fix: set the default value of user.Groups for syncer	2023-06-24 18:29:50 +08:00
XDTD	68f032b54d	fix: add isReadOnly for syncer (#2015 ) * feat: add read only mod for syncer * feat: change readOnlyEnable to isReadOnly	2023-06-24 17:56:41 +08:00
June	1780620ef4	feat: handle error when permission not found (#2012 )	2023-06-24 00:30:43 +08:00
Yang Luo	5c968ed1ce	Fix avatar cannot show issue	2023-06-23 15:53:41 +08:00
Yang Luo	4016fc0f65	Add EnableChatPages to Conf	2023-06-23 11:35:34 +08:00
June	463b3ad976	fix: refactor and optimize Enforce() API (#2009 )	2023-06-22 17:45:24 +08:00
Yang Luo	b817a55f9f	Fix error handling in SetPassword()	2023-06-22 14:51:56 +08:00
June	2c2ddfbb92	feat: optimize batch-enforce (#1997 )	2023-06-22 14:40:09 +08:00
Alex OvsInc	cadb533595	fix: unsafe verification username in CheckUsername (#2006 ) * Customization of the initialization file * Unsafe verification username in CheckUsername	2023-06-21 23:20:23 +08:00
Yang Luo	a3b0f1fc74	feat: add owner to getUserByWechatId()	2023-06-21 21:29:53 +08:00
Yaodong Yu	c391af4552	feat: improve MFA by using user's own Email and Phone (#2002 ) * refactor: mfa * fix: clean code * fix: clean code * fix: fix crash and improve robot	2023-06-21 18:56:37 +08:00
Alex OvsInc	6ebca6dbe7	fix: Gosec/sec fixes (#2004 ) * Customization of the initialization file * fix: G601 (CWE-118): Implicit memory aliasing in for loop * fix: G304 (CWE-22): Potential file inclusion via variable * fix: G110 (CWE-409): Potential DoS vulnerability via decompression bomb	2023-06-21 18:55:20 +08:00
Yang Luo	d505a4bf2d	Remove org API calls in PasswordModal page	2023-06-21 00:49:03 +08:00
Yang Luo	812bc5f6b2	Fix "nu" bug in GetLanguage()	2023-06-20 21:16:01 +08:00
Xinhao Yuan	f6f4d44444	feat: remove url.JoinPath() to be compatible with Go 1.17 (#1995 )	2023-06-20 17:44:40 +08:00
StevenLei	926e73ed1b	fix: fix "Accept-Language" parsing in request (#1996 )	2023-06-20 17:43:48 +08:00
Yaodong Yu	65716af89e	feat: deprecate the user group relation table (#1990 ) * fix: deprecate the user group relation table * fix: clean code * fix: fix trigger * Update group.go --------- Co-authored-by: hsluoyz <hsluoyz@qq.com>	2023-06-19 19:08:45 +08:00
Yang Luo	d9c4f401e3	Fix error in downloadImage()	2023-06-19 17:52:01 +08:00
Yang Luo	58aa7dba6a	Fix groups in GetUserInfo()	2023-06-19 11:06:55 +08:00
Yang Luo	29fc820578	Set User.groups to []	2023-06-19 09:42:17 +08:00