fix: show error when frontend HTML entry does not exist (#2289 )

* fix: add response when web file not found The error flow is as follows: Assuming my directory structure is as follows: ```tree ├── GitHub │ ├── casdoor # code repository ├── casdoor # compiled binary file ``` Execute the program in the `GitHub` directory: ```bash ./casdoor/casdoor ``` The working directory at this time is `GitHub`. According to the code: ```go func StaticFilter(ctx *context.Context) { urlPath := ctx.Request.URL.Path /// omitted path := "web/build" if urlPath == "/" { path += "/index.html" } else { path += urlPath } if !util.FileExist(path) { path = "web/build/index.html" } if !util.FileExist(path) { return } /// omitted } ``` If the user accesses `/`, according to this code, the returned value is actually `web/build/index.html`. But the current directory is GitHub, and there is no `web/build/index.html` file. According to the following code, it will directly return: ```go if !util.FileExist(path) { return } ``` Then in `main.go`: ```go beego.InsertFilter("*", beego.BeforeRouter, routers.StaticFilter) beego.InsertFilter("*", beego.BeforeRouter, routers.AutoSigninFilter) beego.InsertFilter("*", beego.BeforeRouter, routers.CorsFilter) beego.InsertFilter("*", beego.BeforeRouter, routers.ApiFilter) beego.InsertFilter("*", beego.BeforeRouter, routers.PrometheusFilter) beego.InsertFilter("*", beego.BeforeRouter, routers.RecordMessage) ``` The introduction of `beego.InsertFilter` is as follows: ``` func InsertFilter(pattern string, pos int, filter FilterFunc, params ...bool) *App InsertFilter adds a FilterFunc with pattern condition and action constant. The pos means action constant including beego.BeforeStatic, beego.BeforeRouter, beego.BeforeExec, beego.AfterExec and beego.FinishRouter. The bool params is for setting the returnOnOutput value (false allows multiple filters to execute) ``` When the `params` parameter is `false`, it runs multiple filters. The default is `true`. So normally, if ```go beego.InsertFilter("*", beego.BeforeRouter, routers.StaticFilter) ``` response something, the following filters will not be executed. But because the file does not exist, the function directly returns, causing the subsequent filters to continue executing. When it reaches ```go beego.InsertFilter("*", beego.BeforeRouter, routers.ApiFilter) ``` it will start to check permissions: ``` subOwner = anonymous, subName = anonymous, method = GET, urlPath = /login, obj.Owner = , obj.Name = , result = deny ``` Then it will report this error: ```json { "status": "error", "msg": "Unauthorized operation", "data": null, "data2": null } ``` The solution should be: ```go func StaticFilter(ctx *context.Context) { urlPath := ctx.Request.URL.Path /// omitted path := "web/build" if urlPath == "/" { path += "/index.html" } else { path += urlPath } if !util.FileExist(path) { // todo: response error: page not found return } /// omitted } ``` * Update static_filter.go --------- Co-authored-by: hsluoyz <hsluoyz@qq.com>
fix: sendCasAuthenticationResponseErr when pgtUrlObj if not valid url (#2287 )
2025-07-31 17:10:32 +08:00 · 2023-09-02 00:06:04 +08:00 · 2023-09-01 22:26:57 +08:00 · 2023-09-01 21:47:26 +08:00 · 2023-09-01 21:16:51 +08:00 · 2023-09-01 18:02:13 +08:00
261 changed files with 18679 additions and 7868 deletions
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -110,7 +110,7 @@ jobs:
        with:
          start: yarn start
          wait-on: 'http://localhost:7001'
-          wait-on-timeout: 180
+          wait-on-timeout: 210
          working-directory: ./web

      - uses: actions/upload-artifact@v3
--- a/README.md
+++ b/README.md
@@ -11,7 +11,7 @@
    <img alt="GitHub Workflow Status (branch)" src="https://github.com/casdoor/casdoor/workflows/Build/badge.svg?style=flat-square">
  </a>
  <a href="https://github.com/casdoor/casdoor/releases/latest">
-    <img alt="GitHub Release" src="https://img.shields.io/github/v/release/casbin/casdoor.svg">
+    <img alt="GitHub Release" src="https://img.shields.io/github/v/release/casdoor/casdoor.svg">
  </a>
  <a href="https://hub.docker.com/repository/docker/casbin/casdoor">
    <img alt="Docker Image Version (latest semver)" src="https://img.shields.io/badge/Docker%20Hub-latest-brightgreen">
@@ -23,16 +23,16 @@
    <img alt="Go Report Card" src="https://goreportcard.com/badge/github.com/casdoor/casdoor?style=flat-square">
  </a>
  <a href="https://github.com/casdoor/casdoor/blob/master/LICENSE">
-    <img src="https://img.shields.io/github/license/casbin/casdoor?style=flat-square" alt="license">
+    <img src="https://img.shields.io/github/license/casdoor/casdoor?style=flat-square" alt="license">
  </a>
  <a href="https://github.com/casdoor/casdoor/issues">
-    <img alt="GitHub issues" src="https://img.shields.io/github/issues/casbin/casdoor?style=flat-square">
+    <img alt="GitHub issues" src="https://img.shields.io/github/issues/casdoor/casdoor?style=flat-square">
  </a>
  <a href="#">
-    <img alt="GitHub stars" src="https://img.shields.io/github/stars/casbin/casdoor?style=flat-square">
+    <img alt="GitHub stars" src="https://img.shields.io/github/stars/casdoor/casdoor?style=flat-square">
  </a>
  <a href="https://github.com/casdoor/casdoor/network">
-    <img alt="GitHub forks" src="https://img.shields.io/github/forks/casbin/casdoor?style=flat-square">
+    <img alt="GitHub forks" src="https://img.shields.io/github/forks/casdoor/casdoor?style=flat-square">
  </a>
  <a href="https://crowdin.com/project/casdoor-site">
    <img alt="Crowdin" src="https://badges.crowdin.net/casdoor-site/localized.svg">
--- a/ai/ai.go
+++ b/ai/ai.go
@@ -1,141 +0,0 @@
-// Copyright 2023 The Casdoor Authors. All Rights Reserved.
-//
-// Licensed under the Apache License, Version 2.0 (the "License");
-// you may not use this file except in compliance with the License.
-// You may obtain a copy of the License at
-//
-//      http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing, software
-// distributed under the License is distributed on an "AS IS" BASIS,
-// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-// See the License for the specific language governing permissions and
-// limitations under the License.
-
-package ai
-
-import (
-	"context"
-	"fmt"
-	"io"
-	"net/http"
-	"strings"
-	"time"
-
-	"github.com/sashabaranov/go-openai"
-)
-
-func queryAnswer(authToken string, question string, timeout int) (string, error) {
-	// fmt.Printf("Question: %s\n", question)
-
-	client := getProxyClientFromToken(authToken)
-
-	ctx, cancel := context.WithTimeout(context.Background(), time.Duration(2+timeout*2)*time.Second)
-	defer cancel()
-
-	resp, err := client.CreateChatCompletion(
-		ctx,
-		openai.ChatCompletionRequest{
-			Model: openai.GPT3Dot5Turbo,
-			Messages: []openai.ChatCompletionMessage{
-				{
-					Role:    openai.ChatMessageRoleUser,
-					Content: question,
-				},
-			},
-		},
-	)
-	if err != nil {
-		return "", err
-	}
-
-	res := resp.Choices[0].Message.Content
-	res = strings.Trim(res, "\n")
-	// fmt.Printf("Answer: %s\n\n", res)
-	return res, nil
-}
-
-func QueryAnswerSafe(authToken string, question string) string {
-	var res string
-	var err error
-	for i := 0; i < 10; i++ {
-		res, err = queryAnswer(authToken, question, i)
-		if err != nil {
-			if i > 0 {
-				fmt.Printf("\tFailed (%d): %s\n", i+1, err.Error())
-			}
-		} else {
-			break
-		}
-	}
-	if err != nil {
-		panic(err)
-	}
-
-	return res
-}
-
-func QueryAnswerStream(authToken string, question string, writer io.Writer, builder *strings.Builder) error {
-	client := getProxyClientFromToken(authToken)
-
-	ctx := context.Background()
-	flusher, ok := writer.(http.Flusher)
-	if !ok {
-		return fmt.Errorf("writer does not implement http.Flusher")
-	}
-	// https://platform.openai.com/tokenizer
-	// https://github.com/pkoukk/tiktoken-go#available-encodings
-	promptTokens, err := getTokenSize(openai.GPT3TextDavinci003, question)
-	if err != nil {
-		return err
-	}
-
-	// https://platform.openai.com/docs/models/gpt-3-5
-	maxTokens := 4097 - promptTokens
-
-	respStream, err := client.CreateCompletionStream(
-		ctx,
-		openai.CompletionRequest{
-			Model:     openai.GPT3TextDavinci003,
-			Prompt:    question,
-			MaxTokens: maxTokens,
-			Stream:    true,
-		},
-	)
-	if err != nil {
-		return err
-	}
-	defer respStream.Close()
-
-	isLeadingReturn := true
-	for {
-		completion, streamErr := respStream.Recv()
-		if streamErr != nil {
-			if streamErr == io.EOF {
-				break
-			}
-			return streamErr
-		}
-
-		data := completion.Choices[0].Text
-		if isLeadingReturn && len(data) != 0 {
-			if strings.Count(data, "\n") == len(data) {
-				continue
-			} else {
-				isLeadingReturn = false
-			}
-		}
-
-		fmt.Printf("%s", data)
-
-		// Write the streamed data as Server-Sent Events
-		if _, err = fmt.Fprintf(writer, "event: message\ndata: %s\n\n", data); err != nil {
-			return err
-		}
-		flusher.Flush()
-		// Append the response to the strings.Builder
-		builder.WriteString(data)
-	}
-
-	return nil
-}
--- a/authz/authz.go
+++ b/authz/authz.go
@@ -18,60 +18,21 @@ import (
 	"strings"

 	"github.com/casbin/casbin/v2"
-	"github.com/casbin/casbin/v2/model"
 	"github.com/casdoor/casdoor/conf"
 	"github.com/casdoor/casdoor/object"
 	"github.com/casdoor/casdoor/util"
-	xormadapter "github.com/casdoor/xorm-adapter/v3"
 	stringadapter "github.com/qiangmzsx/string-adapter/v2"
 )

 var Enforcer *casbin.Enforcer

-func InitAuthz() {
-	var err error
-
-	tableNamePrefix := conf.GetConfigString("tableNamePrefix")
-	driverName := conf.GetConfigString("driverName")
-	dataSourceName := conf.GetConfigRealDataSourceName(driverName)
-	a, err := xormadapter.NewAdapterWithTableName(driverName, dataSourceName, "casbin_rule", tableNamePrefix, true)
-	if err != nil {
-		panic(err)
-	}
-
-	modelText := `
-[request_definition]
-r = subOwner, subName, method, urlPath, objOwner, objName
-
-[policy_definition]
-p = subOwner, subName, method, urlPath, objOwner, objName
-
-[role_definition]
-g = _, _
-
-[policy_effect]
-e = some(where (p.eft == allow))
-
-[matchers]
-m = (r.subOwner == p.subOwner || p.subOwner == "*") && \
-    (r.subName == p.subName || p.subName == "*" || r.subName != "anonymous" && p.subName == "!anonymous") && \
-    (r.method == p.method || p.method == "*") && \
-    (r.urlPath == p.urlPath || p.urlPath == "*") && \
-    (r.objOwner == p.objOwner || p.objOwner == "*") && \
-    (r.objName == p.objName || p.objName == "*") || \
-    (r.subOwner == r.objOwner && r.subName == r.objName)
-`
-
-	m, err := model.NewModelFromString(modelText)
-	if err != nil {
-		panic(err)
-	}
-
-	Enforcer, err = casbin.NewEnforcer(m, a)
+func InitApi() {
+	e, err := object.GetInitializedEnforcer(util.GetId("built-in", "api-enforcer-built-in"))
 	if err != nil {
 		panic(err)
 	}

+	Enforcer = e.Enforcer
 	Enforcer.ClearPolicy()

 	// if len(Enforcer.GetPolicy()) == 0 {
@@ -126,6 +87,7 @@ p, *, *, GET, /api/get-prometheus-info, *, *
 p, *, *, *, /api/metrics, *, *
 p, *, *, GET, /api/get-pricing, *, *
 p, *, *, GET, /api/get-plan, *, *
+p, *, *, GET, /api/get-subscription, *, *
 p, *, *, GET, /api/get-organization-names, *, *
 `

--- a/conf/conf.go
+++ b/conf/conf.go
@@ -15,7 +15,7 @@
 package conf

 import (
-	"encoding/json"
+	"fmt"
 	"os"
 	"runtime"
 	"strconv"
@@ -24,15 +24,6 @@ import (
 	"github.com/beego/beego"
 )

-type Quota struct {
-	Organization int `json:"organization"`
-	User         int `json:"user"`
-	Application  int `json:"application"`
-	Provider     int `json:"provider"`
-}
-
-var quota = &Quota{-1, -1, -1, -1}
-
 func init() {
 	// this array contains the beego configuration items that may be modified via env
 	presetConfigItems := []string{"httpport", "appname"}
@@ -44,17 +35,6 @@ func init() {
 			}
 		}
 	}
-	initQuota()
-}
-
-func initQuota() {
-	res := beego.AppConfig.String("quota")
-	if res != "" {
-		err := json.Unmarshal([]byte(res), quota)
-		if err != nil {
-			panic(err)
-		}
-	}
 }

 func GetConfigString(key string) string {
@@ -67,7 +47,7 @@ func GetConfigString(key string) string {
 		if key == "staticBaseUrl" {
 			res = "https://cdn.casbin.org"
 		} else if key == "logConfig" {
-			res = "{\"filename\": \"logs/casdoor.log\", \"maxdays\":99999, \"perm\":\"0770\"}"
+			res = fmt.Sprintf("{\"filename\": \"logs/%s.log\", \"maxdays\":99999, \"perm\":\"0770\"}", beego.AppConfig.String("appname"))
 		}
 	}

@@ -129,10 +109,6 @@ func GetConfigBatchSize() int {
 	return res
 }

-func GetConfigQuota() *Quota {
-	return quota
-}
-
 func GetConfigRealDataSourceName(driverName string) string {
 	var dataSourceName string
 	if driverName != "mysql" {
--- a/conf/conf_quota.go
+++ b/conf/conf_quota.go
@@ -0,0 +1,48 @@
+// Copyright 2023 The Casdoor Authors. All Rights Reserved.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//      http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package conf
+
+import (
+	"encoding/json"
+
+	"github.com/beego/beego"
+)
+
+type Quota struct {
+	Organization int `json:"organization"`
+	User         int `json:"user"`
+	Application  int `json:"application"`
+	Provider     int `json:"provider"`
+}
+
+var quota = &Quota{-1, -1, -1, -1}
+
+func init() {
+	initQuota()
+}
+
+func initQuota() {
+	res := beego.AppConfig.String("quota")
+	if res != "" {
+		err := json.Unmarshal([]byte(res), quota)
+		if err != nil {
+			panic(err)
+		}
+	}
+}
+
+func GetConfigQuota() *Quota {
+	return quota
+}
--- a/controllers/account.go
+++ b/controllers/account.go
@@ -140,25 +140,28 @@ func (c *ApiController) Signup() {
 		username = id
 	}

-	password := authForm.Password
-	msg = object.CheckPasswordComplexityByOrg(organization, password)
-	if msg != "" {
-		c.ResponseError(msg)
-		return
-	}
-
 	initScore, err := organization.GetInitScore()
 	if err != nil {
 		c.ResponseError(fmt.Errorf(c.T("account:Get init score failed, error: %w"), err).Error())
 		return
 	}

+	userType := "normal-user"
+	if authForm.Plan != "" && authForm.Pricing != "" {
+		err = object.CheckPricingAndPlan(authForm.Organization, authForm.Pricing, authForm.Plan)
+		if err != nil {
+			c.ResponseError(err.Error())
+			return
+		}
+		userType = "paid-user"
+	}
+
 	user := &object.User{
 		Owner:             authForm.Organization,
 		Name:              username,
 		CreatedTime:       util.GetCurrentTime(),
 		Id:                id,
-		Type:              "normal-user",
+		Type:              userType,
 		Password:          authForm.Password,
 		DisplayName:       authForm.Name,
 		Avatar:            organization.DefaultAvatar,
@@ -171,7 +174,6 @@ func (c *ApiController) Signup() {
 		Region:            authForm.Region,
 		Score:             initScore,
 		IsAdmin:           false,
-		IsGlobalAdmin:     false,
 		IsForbidden:       false,
 		IsDeleted:         false,
 		SignupApplication: application.Name,
@@ -211,7 +213,7 @@ func (c *ApiController) Signup() {
 		return
 	}

-	if application.HasPromptPage() {
+	if application.HasPromptPage() && user.Type == "normal-user" {
 		// The prompt page needs the user to be signed in
 		c.SetSessionUsername(user.GetId())
 	}
@@ -228,15 +230,6 @@ func (c *ApiController) Signup() {
 		return
 	}

-	isSignupFromPricing := authForm.Plan != "" && authForm.Pricing != ""
-	if isSignupFromPricing {
-		_, err = object.Subscribe(organization.Name, user.Name, authForm.Plan, authForm.Pricing)
-		if err != nil {
-			c.ResponseError(err.Error())
-			return
-		}
-	}
-
 	record := object.NewRecord(c.Ctx)
 	record.Organization = application.Organization
 	record.User = user.Name
@@ -290,10 +283,11 @@ func (c *ApiController) Logout() {
 		c.ResponseOk(user, application.HomepageUrl)
 		return
 	} else {
-		if redirectUri == "" {
-			c.ResponseError(c.T("general:Missing parameter") + ": post_logout_redirect_uri")
-			return
-		}
+		// "post_logout_redirect_uri" has been made optional, see: https://github.com/casdoor/casdoor/issues/2151
+		// if redirectUri == "" {
+		// 	c.ResponseError(c.T("general:Missing parameter") + ": post_logout_redirect_uri")
+		// 	return
+		// }
 		if accessToken == "" {
 			c.ResponseError(c.T("general:Missing parameter") + ": id_token_hint")
 			return
--- a/controllers/adapter.go
+++ b/controllers/adapter.go
@@ -0,0 +1,145 @@
+// Copyright 2022 The Casdoor Authors. All Rights Reserved.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//      http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package controllers
+
+import (
+	"encoding/json"
+
+	"github.com/beego/beego/utils/pagination"
+	"github.com/casdoor/casdoor/object"
+	"github.com/casdoor/casdoor/util"
+)
+
+// GetAdapters
+// @Title GetAdapters
+// @Tag Adapter API
+// @Description get adapters
+// @Param   owner     query    string  true        "The owner of adapters"
+// @Success 200 {array} object.Adapter The Response object
+// @router /get-adapters [get]
+func (c *ApiController) GetAdapters() {
+	owner := c.Input().Get("owner")
+	limit := c.Input().Get("pageSize")
+	page := c.Input().Get("p")
+	field := c.Input().Get("field")
+	value := c.Input().Get("value")
+	sortField := c.Input().Get("sortField")
+	sortOrder := c.Input().Get("sortOrder")
+
+	if limit == "" || page == "" {
+		adapters, err := object.GetAdapters(owner)
+		if err != nil {
+			c.ResponseError(err.Error())
+			return
+		}
+
+		c.ResponseOk(adapters)
+	} else {
+		limit := util.ParseInt(limit)
+		count, err := object.GetAdapterCount(owner, field, value)
+		if err != nil {
+			c.ResponseError(err.Error())
+			return
+		}
+
+		paginator := pagination.SetPaginator(c.Ctx, limit, count)
+		adapters, err := object.GetPaginationAdapters(owner, paginator.Offset(), limit, field, value, sortField, sortOrder)
+		if err != nil {
+			c.ResponseError(err.Error())
+			return
+		}
+
+		c.ResponseOk(adapters, paginator.Nums())
+	}
+}
+
+// GetAdapter
+// @Title GetAdapter
+// @Tag Adapter API
+// @Description get adapter
+// @Param   id     query    string  true        "The id ( owner/name ) of the adapter"
+// @Success 200 {object} object.Adapter The Response object
+// @router /get-adapter [get]
+func (c *ApiController) GetAdapter() {
+	id := c.Input().Get("id")
+
+	adapter, err := object.GetAdapter(id)
+	if err != nil {
+		c.ResponseError(err.Error())
+		return
+	}
+
+	c.ResponseOk(adapter)
+}
+
+// UpdateAdapter
+// @Title UpdateAdapter
+// @Tag Adapter API
+// @Description update adapter
+// @Param   id     query    string  true        "The id ( owner/name ) of the adapter"
+// @Param   body    body   object.Adapter  true        "The details of the adapter"
+// @Success 200 {object} controllers.Response The Response object
+// @router /update-adapter [post]
+func (c *ApiController) UpdateAdapter() {
+	id := c.Input().Get("id")
+
+	var adapter object.Adapter
+	err := json.Unmarshal(c.Ctx.Input.RequestBody, &adapter)
+	if err != nil {
+		c.ResponseError(err.Error())
+		return
+	}
+
+	c.Data["json"] = wrapActionResponse(object.UpdateAdapter(id, &adapter))
+	c.ServeJSON()
+}
+
+// AddAdapter
+// @Title AddAdapter
+// @Tag Adapter API
+// @Description add adapter
+// @Param   body    body   object.Adapter  true        "The details of the adapter"
+// @Success 200 {object} controllers.Response The Response object
+// @router /add-adapter [post]
+func (c *ApiController) AddAdapter() {
+	var adapter object.Adapter
+	err := json.Unmarshal(c.Ctx.Input.RequestBody, &adapter)
+	if err != nil {
+		c.ResponseError(err.Error())
+		return
+	}
+
+	c.Data["json"] = wrapActionResponse(object.AddAdapter(&adapter))
+	c.ServeJSON()
+}
+
+// DeleteAdapter
+// @Title DeleteAdapter
+// @Tag Adapter API
+// @Description delete adapter
+// @Param   body    body   object.Adapter  true        "The details of the adapter"
+// @Success 200 {object} controllers.Response The Response object
+// @router /delete-adapter [post]
+func (c *ApiController) DeleteAdapter() {
+	var adapter object.Adapter
+	err := json.Unmarshal(c.Ctx.Input.RequestBody, &adapter)
+	if err != nil {
+		c.ResponseError(err.Error())
+		return
+	}
+
+	c.Data["json"] = wrapActionResponse(object.DeleteAdapter(&adapter))
+	c.ServeJSON()
+}
--- a/controllers/application.go
+++ b/controllers/application.go
@@ -62,13 +62,13 @@ func (c *ApiController) GetApplications() {
 		}

 		paginator := pagination.SetPaginator(c.Ctx, limit, count)
-		app, err := object.GetPaginationApplications(owner, paginator.Offset(), limit, field, value, sortField, sortOrder)
+		application, err := object.GetPaginationApplications(owner, paginator.Offset(), limit, field, value, sortField, sortOrder)
 		if err != nil {
 			c.ResponseError(err.Error())
 			return
 		}

-		applications := object.GetMaskedApplications(app, userId)
+		applications := object.GetMaskedApplications(application, userId)
 		c.ResponseOk(applications, paginator.Nums())
 	}
 }
@@ -84,13 +84,23 @@ func (c *ApiController) GetApplication() {
 	userId := c.GetSessionUsername()
 	id := c.Input().Get("id")

-	app, err := object.GetApplication(id)
+	application, err := object.GetApplication(id)
 	if err != nil {
 		c.ResponseError(err.Error())
 		return
 	}

-	c.ResponseOk(object.GetMaskedApplication(app, userId))
+	if c.Input().Get("withKey") != "" && application.Cert != "" {
+		cert, err := object.GetCert(util.GetId(application.Owner, application.Cert))
+		if err != nil {
+			c.ResponseError(err.Error())
+			return
+		}
+
+		application.CertPublicKey = cert.Certificate
+	}
+
+	c.ResponseOk(object.GetMaskedApplication(application, userId))
 }

 // GetUserApplication
@@ -164,13 +174,13 @@ func (c *ApiController) GetOrganizationApplications() {
 		}

 		paginator := pagination.SetPaginator(c.Ctx, limit, count)
-		app, err := object.GetPaginationOrganizationApplications(owner, organization, paginator.Offset(), limit, field, value, sortField, sortOrder)
+		application, err := object.GetPaginationOrganizationApplications(owner, organization, paginator.Offset(), limit, field, value, sortField, sortOrder)
 		if err != nil {
 			c.ResponseError(err.Error())
 			return
 		}

-		applications := object.GetMaskedApplications(app, userId)
+		applications := object.GetMaskedApplications(application, userId)
 		c.ResponseOk(applications, paginator.Nums())
 	}
 }
--- a/controllers/auth.go
+++ b/controllers/auth.go
@@ -70,7 +70,7 @@ func (c *ApiController) HandleLoggedIn(application *object.Application, user *ob
 	}

 	// check user's tag
-	if !user.IsGlobalAdmin && !user.IsAdmin && len(application.Tags) > 0 {
+	if !user.IsGlobalAdmin() && !user.IsAdmin && len(application.Tags) > 0 {
 		// only users with the tag that is listed in the application tags can login
 		if !util.InSlice(application.Tags, user.Tag) {
 			c.ResponseError(fmt.Sprintf(c.T("auth:User's tag: %s is not listed in the application's tags"), user.Tag))
@@ -78,6 +78,46 @@ func (c *ApiController) HandleLoggedIn(application *object.Application, user *ob
 		}
 	}

+	// check whether paid-user have active subscription
+	if user.Type == "paid-user" {
+		subscriptions, err := object.GetSubscriptionsByUser(user.Owner, user.Name)
+		if err != nil {
+			c.ResponseError(err.Error())
+			return
+		}
+		existActiveSubscription := false
+		for _, subscription := range subscriptions {
+			if subscription.State == object.SubStateActive {
+				existActiveSubscription = true
+				break
+			}
+		}
+		if !existActiveSubscription {
+			// check pending subscription
+			for _, sub := range subscriptions {
+				if sub.State == object.SubStatePending {
+					c.ResponseOk("BuyPlanResult", sub)
+					return
+				}
+			}
+			// paid-user does not have active or pending subscription, find the default pricing of application
+			pricing, err := object.GetApplicationDefaultPricing(application.Organization, application.Name)
+			if err != nil {
+				c.ResponseError(err.Error())
+				return
+			}
+			if pricing == nil {
+				c.ResponseError(fmt.Sprintf(c.T("auth:paid-user %s does not have active or pending subscription and the application: %s does not have default pricing"), user.Name, application.Name))
+				return
+			} else {
+				// let the paid-user select plan
+				c.ResponseOk("SelectPlan", pricing)
+				return
+			}
+
+		}
+	}
+
 	if form.Type == ResponseTypeLogin {
 		c.SetSessionUsername(userId)
 		util.LogInfo(c.Ctx, "API: [%s] signed in", userId)
@@ -187,11 +227,34 @@ func (c *ApiController) GetApplicationLogin() {
 	redirectUri := c.Input().Get("redirectUri")
 	scope := c.Input().Get("scope")
 	state := c.Input().Get("state")
+	id := c.Input().Get("id")
+	loginType := c.Input().Get("type")

-	msg, application, err := object.CheckOAuthLogin(clientId, responseType, redirectUri, scope, state, c.GetAcceptLanguage())
-	if err != nil {
-		c.ResponseError(err.Error())
-		return
+	var application *object.Application
+	var msg string
+	var err error
+	if loginType == "code" {
+		msg, application, err = object.CheckOAuthLogin(clientId, responseType, redirectUri, scope, state, c.GetAcceptLanguage())
+		if err != nil {
+			c.ResponseError(err.Error())
+			return
+		}
+	} else if loginType == "cas" {
+		application, err = object.GetApplication(id)
+		if err != nil {
+			c.ResponseError(err.Error())
+			return
+		}
+		if application == nil {
+			c.ResponseError(fmt.Sprintf(c.T("auth:The application: %s does not exist"), id))
+			return
+		}
+
+		err = object.CheckCasLogin(application, c.GetAcceptLanguage(), redirectUri)
+		if err != nil {
+			c.ResponseError(err.Error())
+			return
+		}
 	}

 	application = object.GetMaskedApplication(application, "")
@@ -566,7 +629,6 @@ func (c *ApiController) Login() {
 						Region:            userInfo.CountryCode,
 						Score:             initScore,
 						IsAdmin:           false,
-						IsGlobalAdmin:     false,
 						IsForbidden:       false,
 						IsDeleted:         false,
 						SignupApplication: application.Name,
--- a/controllers/base.go
+++ b/controllers/base.go
@@ -61,6 +61,10 @@ func (c *ApiController) IsAdminOrSelf(user2 *object.User) bool {
 		return true
 	}

+	if user == nil || user2 == nil {
+		return false
+	}
+
 	if user.Owner == user2.Owner && user.Name == user2.Name {
 		return true
 	}
@@ -79,7 +83,7 @@ func (c *ApiController) isGlobalAdmin() (bool, *object.User) {
 		return false, nil
 	}

-	return user.Owner == "built-in" || user.IsGlobalAdmin, user
+	return user.IsGlobalAdmin(), user
 }

 func (c *ApiController) getCurrentUser() *object.User {
--- a/controllers/cas.go
+++ b/controllers/cas.go
@@ -35,6 +35,11 @@ const (
 	UnauthorizedService      string = "UNAUTHORIZED_SERVICE"
 )

+func queryUnescape(service string) string {
+	s, _ := url.QueryUnescape(service)
+	return s
+}
+
 func (c *RootController) CasValidate() {
 	ticket := c.Input().Get("ticket")
 	service := c.Input().Get("service")
@@ -60,24 +65,25 @@ func (c *RootController) CasServiceValidate() {
 	if !strings.HasPrefix(ticket, "ST") {
 		c.sendCasAuthenticationResponseErr(InvalidTicket, fmt.Sprintf("Ticket %s not recognized", ticket), format)
 	}
-	c.CasP3ServiceAndProxyValidate()
+	c.CasP3ProxyValidate()
 }

 func (c *RootController) CasProxyValidate() {
+	// https://apereo.github.io/cas/6.6.x/protocol/CAS-Protocol-Specification.html#26-proxyvalidate-cas-20
+	// "/proxyValidate" should accept both service tickets and proxy tickets.
+	c.CasP3ProxyValidate()
+}
+
+func (c *RootController) CasP3ServiceValidate() {
 	ticket := c.Input().Get("ticket")
 	format := c.Input().Get("format")
-	if !strings.HasPrefix(ticket, "PT") {
+	if !strings.HasPrefix(ticket, "ST") {
 		c.sendCasAuthenticationResponseErr(InvalidTicket, fmt.Sprintf("Ticket %s not recognized", ticket), format)
 	}
-	c.CasP3ServiceAndProxyValidate()
+	c.CasP3ProxyValidate()
 }

-func queryUnescape(service string) string {
-	s, _ := url.QueryUnescape(service)
-	return s
-}
-
-func (c *RootController) CasP3ServiceAndProxyValidate() {
+func (c *RootController) CasP3ProxyValidate() {
 	ticket := c.Input().Get("ticket")
 	format := c.Input().Get("format")
 	service := c.Input().Get("service")
@@ -115,15 +121,17 @@ func (c *RootController) CasP3ServiceAndProxyValidate() {
 		pgtiou := serviceResponse.Success.ProxyGrantingTicket
 		// todo: check whether it is https
 		pgtUrlObj, err := url.Parse(pgtUrl)
+		if err != nil {
+			c.sendCasAuthenticationResponseErr(InvalidProxyCallback, err.Error(), format)
+			return
+		}
+
 		if pgtUrlObj.Scheme != "https" {
 			c.sendCasAuthenticationResponseErr(InvalidProxyCallback, "callback is not https", format)
 			return
 		}
+
 		// make a request to pgturl passing pgt and pgtiou
-		if err != nil {
-			c.sendCasAuthenticationResponseErr(InternalError, err.Error(), format)
-			return
-		}
 		param := pgtUrlObj.Query()
 		param.Add("pgtId", pgt)
 		param.Add("pgtIou", pgtiou)
@@ -263,7 +271,6 @@ func (c *RootController) sendCasAuthenticationResponseErr(code, msg, format stri
 			Message: msg,
 		},
 	}
-
 	if format == "json" {
 		c.Data["json"] = serviceResponse
 		c.ServeJSON()
--- a/controllers/casbin_adapter.go
+++ b/controllers/casbin_adapter.go
@@ -1,235 +0,0 @@
-// Copyright 2022 The Casdoor Authors. All Rights Reserved.
-//
-// Licensed under the Apache License, Version 2.0 (the "License");
-// you may not use this file except in compliance with the License.
-// You may obtain a copy of the License at
-//
-//      http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing, software
-// distributed under the License is distributed on an "AS IS" BASIS,
-// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-// See the License for the specific language governing permissions and
-// limitations under the License.
-
-package controllers
-
-import (
-	"encoding/json"
-
-	"github.com/beego/beego/utils/pagination"
-	"github.com/casdoor/casdoor/object"
-	"github.com/casdoor/casdoor/util"
-	xormadapter "github.com/casdoor/xorm-adapter/v3"
-)
-
-// GetCasbinAdapters
-// @Title GetCasbinAdapters
-// @Tag Adapter API
-// @Description get adapters
-// @Param   owner     query    string  true        "The owner of adapters"
-// @Success 200 {array} object.Adapter The Response object
-// @router /get-adapters [get]
-func (c *ApiController) GetCasbinAdapters() {
-	owner := c.Input().Get("owner")
-	limit := c.Input().Get("pageSize")
-	page := c.Input().Get("p")
-	field := c.Input().Get("field")
-	value := c.Input().Get("value")
-	sortField := c.Input().Get("sortField")
-	sortOrder := c.Input().Get("sortOrder")
-
-	if limit == "" || page == "" {
-		adapters, err := object.GetCasbinAdapters(owner)
-		if err != nil {
-			c.ResponseError(err.Error())
-			return
-		}
-
-		c.ResponseOk(adapters)
-	} else {
-		limit := util.ParseInt(limit)
-		count, err := object.GetCasbinAdapterCount(owner, field, value)
-		if err != nil {
-			c.ResponseError(err.Error())
-			return
-		}
-
-		paginator := pagination.SetPaginator(c.Ctx, limit, count)
-		adapters, err := object.GetPaginationCasbinAdapters(owner, paginator.Offset(), limit, field, value, sortField, sortOrder)
-		if err != nil {
-			c.ResponseError(err.Error())
-			return
-		}
-
-		c.ResponseOk(adapters, paginator.Nums())
-	}
-}
-
-// GetCasbinAdapter
-// @Title GetCasbinAdapter
-// @Tag Adapter API
-// @Description get adapter
-// @Param   id     query    string  true        "The id ( owner/name ) of the adapter"
-// @Success 200 {object} object.Adapter The Response object
-// @router /get-adapter [get]
-func (c *ApiController) GetCasbinAdapter() {
-	id := c.Input().Get("id")
-
-	adapter, err := object.GetCasbinAdapter(id)
-	if err != nil {
-		c.ResponseError(err.Error())
-		return
-	}
-
-	c.ResponseOk(adapter)
-}
-
-// UpdateCasbinAdapter
-// @Title UpdateCasbinAdapter
-// @Tag Adapter API
-// @Description update adapter
-// @Param   id     query    string  true        "The id ( owner/name ) of the adapter"
-// @Param   body    body   object.Adapter  true        "The details of the adapter"
-// @Success 200 {object} controllers.Response The Response object
-// @router /update-adapter [post]
-func (c *ApiController) UpdateCasbinAdapter() {
-	id := c.Input().Get("id")
-
-	var casbinAdapter object.CasbinAdapter
-	err := json.Unmarshal(c.Ctx.Input.RequestBody, &casbinAdapter)
-	if err != nil {
-		c.ResponseError(err.Error())
-		return
-	}
-
-	c.Data["json"] = wrapActionResponse(object.UpdateCasbinAdapter(id, &casbinAdapter))
-	c.ServeJSON()
-}
-
-// AddCasbinAdapter
-// @Title AddCasbinAdapter
-// @Tag Adapter API
-// @Description add adapter
-// @Param   body    body   object.Adapter  true        "The details of the adapter"
-// @Success 200 {object} controllers.Response The Response object
-// @router /add-adapter [post]
-func (c *ApiController) AddCasbinAdapter() {
-	var casbinAdapter object.CasbinAdapter
-	err := json.Unmarshal(c.Ctx.Input.RequestBody, &casbinAdapter)
-	if err != nil {
-		c.ResponseError(err.Error())
-		return
-	}
-
-	c.Data["json"] = wrapActionResponse(object.AddCasbinAdapter(&casbinAdapter))
-	c.ServeJSON()
-}
-
-// DeleteCasbinAdapter
-// @Title DeleteCasbinAdapter
-// @Tag Adapter API
-// @Description delete adapter
-// @Param   body    body   object.Adapter  true        "The details of the adapter"
-// @Success 200 {object} controllers.Response The Response object
-// @router /delete-adapter [post]
-func (c *ApiController) DeleteCasbinAdapter() {
-	var casbinAdapter object.CasbinAdapter
-	err := json.Unmarshal(c.Ctx.Input.RequestBody, &casbinAdapter)
-	if err != nil {
-		c.ResponseError(err.Error())
-		return
-	}
-
-	c.Data["json"] = wrapActionResponse(object.DeleteCasbinAdapter(&casbinAdapter))
-	c.ServeJSON()
-}
-
-func (c *ApiController) SyncPolicies() {
-	id := c.Input().Get("id")
-	adapter, err := object.GetCasbinAdapter(id)
-	if err != nil {
-		c.ResponseError(err.Error())
-		return
-	}
-
-	policies, err := object.SyncPolicies(adapter)
-	if err != nil {
-		c.ResponseError(err.Error())
-		return
-	}
-
-	c.ResponseOk(policies)
-}
-
-func (c *ApiController) UpdatePolicy() {
-	id := c.Input().Get("id")
-	adapter, err := object.GetCasbinAdapter(id)
-	if err != nil {
-		c.ResponseError(err.Error())
-		return
-	}
-
-	var policies []xormadapter.CasbinRule
-	err = json.Unmarshal(c.Ctx.Input.RequestBody, &policies)
-	if err != nil {
-		c.ResponseError(err.Error())
-		return
-	}
-
-	affected, err := object.UpdatePolicy(util.CasbinToSlice(policies[0]), util.CasbinToSlice(policies[1]), adapter)
-	if err != nil {
-		c.ResponseError(err.Error())
-		return
-	}
-	c.Data["json"] = wrapActionResponse(affected)
-	c.ServeJSON()
-}
-
-func (c *ApiController) AddPolicy() {
-	id := c.Input().Get("id")
-	adapter, err := object.GetCasbinAdapter(id)
-	if err != nil {
-		c.ResponseError(err.Error())
-		return
-	}
-
-	var policy xormadapter.CasbinRule
-	err = json.Unmarshal(c.Ctx.Input.RequestBody, &policy)
-	if err != nil {
-		c.ResponseError(err.Error())
-		return
-	}
-
-	affected, err := object.AddPolicy(util.CasbinToSlice(policy), adapter)
-	if err != nil {
-		c.ResponseError(err.Error())
-		return
-	}
-	c.Data["json"] = wrapActionResponse(affected)
-	c.ServeJSON()
-}
-
-func (c *ApiController) RemovePolicy() {
-	id := c.Input().Get("id")
-	adapter, err := object.GetCasbinAdapter(id)
-	if err != nil {
-		c.ResponseError(err.Error())
-		return
-	}
-
-	var policy xormadapter.CasbinRule
-	err = json.Unmarshal(c.Ctx.Input.RequestBody, &policy)
-	if err != nil {
-		c.ResponseError(err.Error())
-		return
-	}
-
-	affected, err := object.RemovePolicy(util.CasbinToSlice(policy), adapter)
-	if err != nil {
-		c.ResponseError(err.Error())
-		return
-	}
-	c.Data["json"] = wrapActionResponse(affected)
-	c.ServeJSON()
-}
--- a/controllers/casbin_api.go
+++ b/controllers/casbin_api.go
@@ -35,6 +35,7 @@ func (c *ApiController) Enforce() {
 	permissionId := c.Input().Get("permissionId")
 	modelId := c.Input().Get("modelId")
 	resourceId := c.Input().Get("resourceId")
+	enforcerId := c.Input().Get("enforcerId")

 	var request object.CasbinRequest
 	err := json.Unmarshal(c.Ctx.Input.RequestBody, &request)
@@ -43,6 +44,23 @@ func (c *ApiController) Enforce() {
 		return
 	}

+	if enforcerId != "" {
+		enforcer, err := object.GetInitializedEnforcer(enforcerId)
+		if err != nil {
+			c.ResponseError(err.Error())
+			return
+		}
+
+		res, err := enforcer.Enforce(request...)
+		if err != nil {
+			c.ResponseError(err.Error())
+			return
+		}
+
+		c.ResponseOk(res)
+		return
+	}
+
 	if permissionId != "" {
 		permission, err := object.GetPermission(permissionId)
 		if err != nil {
@@ -121,6 +139,7 @@ func (c *ApiController) Enforce() {
 func (c *ApiController) BatchEnforce() {
 	permissionId := c.Input().Get("permissionId")
 	modelId := c.Input().Get("modelId")
+	enforcerId := c.Input().Get("enforcerId")

 	var requests []object.CasbinRequest
 	err := json.Unmarshal(c.Ctx.Input.RequestBody, &requests)
@@ -129,6 +148,23 @@ func (c *ApiController) BatchEnforce() {
 		return
 	}

+	if enforcerId != "" {
+		enforcer, err := object.GetInitializedEnforcer(enforcerId)
+		if err != nil {
+			c.ResponseError(err.Error())
+			return
+		}
+
+		res, err := enforcer.BatchEnforce(requests)
+		if err != nil {
+			c.ResponseError(err.Error())
+			return
+		}
+
+		c.ResponseOk(res)
+		return
+	}
+
 	if permissionId != "" {
 		permission, err := object.GetPermission(permissionId)
 		if err != nil {
--- a/controllers/chat.go
+++ b/controllers/chat.go
@@ -1,145 +0,0 @@
-// Copyright 2023 The Casdoor Authors. All Rights Reserved.
-//
-// Licensed under the Apache License, Version 2.0 (the "License");
-// you may not use this file except in compliance with the License.
-// You may obtain a copy of the License at
-//
-//      http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing, software
-// distributed under the License is distributed on an "AS IS" BASIS,
-// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-// See the License for the specific language governing permissions and
-// limitations under the License.
-
-package controllers
-
-import (
-	"encoding/json"
-
-	"github.com/beego/beego/utils/pagination"
-	"github.com/casdoor/casdoor/object"
-	"github.com/casdoor/casdoor/util"
-)
-
-// GetChats
-// @Title GetChats
-// @Tag Chat API
-// @Description get chats
-// @Param   owner     query    string  true        "The owner of chats"
-// @Success 200 {array} object.Chat The Response object
-// @router /get-chats [get]
-func (c *ApiController) GetChats() {
-	owner := "admin"
-	limit := c.Input().Get("pageSize")
-	page := c.Input().Get("p")
-	field := c.Input().Get("field")
-	value := c.Input().Get("value")
-	sortField := c.Input().Get("sortField")
-	sortOrder := c.Input().Get("sortOrder")
-
-	if limit == "" || page == "" {
-		maskedChats, err := object.GetMaskedChats(object.GetChats(owner))
-		if err != nil {
-			c.ResponseError(err.Error())
-			return
-		}
-
-		c.ResponseOk(maskedChats)
-	} else {
-		limit := util.ParseInt(limit)
-		count, err := object.GetChatCount(owner, field, value)
-		if err != nil {
-			c.ResponseError(err.Error())
-			return
-		}
-
-		paginator := pagination.SetPaginator(c.Ctx, limit, count)
-		chats, err := object.GetMaskedChats(object.GetPaginationChats(owner, paginator.Offset(), limit, field, value, sortField, sortOrder))
-		if err != nil {
-			c.ResponseError(err.Error())
-			return
-		}
-
-		c.ResponseOk(chats, paginator.Nums())
-	}
-}
-
-// GetChat
-// @Title GetChat
-// @Tag Chat API
-// @Description get chat
-// @Param   id     query    string  true        "The id ( owner/name ) of the chat"
-// @Success 200 {object} object.Chat The Response object
-// @router /get-chat [get]
-func (c *ApiController) GetChat() {
-	id := c.Input().Get("id")
-
-	maskedChat, err := object.GetMaskedChat(object.GetChat(id))
-	if err != nil {
-		c.ResponseError(err.Error())
-		return
-	}
-
-	c.ResponseOk(maskedChat)
-}
-
-// UpdateChat
-// @Title UpdateChat
-// @Tag Chat API
-// @Description update chat
-// @Param   id     query    string  true        "The id ( owner/name ) of the chat"
-// @Param   body    body   object.Chat  true        "The details of the chat"
-// @Success 200 {object} controllers.Response The Response object
-// @router /update-chat [post]
-func (c *ApiController) UpdateChat() {
-	id := c.Input().Get("id")
-
-	var chat object.Chat
-	err := json.Unmarshal(c.Ctx.Input.RequestBody, &chat)
-	if err != nil {
-		c.ResponseError(err.Error())
-		return
-	}
-
-	c.Data["json"] = wrapActionResponse(object.UpdateChat(id, &chat))
-	c.ServeJSON()
-}
-
-// AddChat
-// @Title AddChat
-// @Tag Chat API
-// @Description add chat
-// @Param   body    body   object.Chat  true        "The details of the chat"
-// @Success 200 {object} controllers.Response The Response object
-// @router /add-chat [post]
-func (c *ApiController) AddChat() {
-	var chat object.Chat
-	err := json.Unmarshal(c.Ctx.Input.RequestBody, &chat)
-	if err != nil {
-		c.ResponseError(err.Error())
-		return
-	}
-
-	c.Data["json"] = wrapActionResponse(object.AddChat(&chat))
-	c.ServeJSON()
-}
-
-// DeleteChat
-// @Title DeleteChat
-// @Tag Chat API
-// @Description delete chat
-// @Param   body    body   object.Chat  true        "The details of the chat"
-// @Success 200 {object} controllers.Response The Response object
-// @router /delete-chat [post]
-func (c *ApiController) DeleteChat() {
-	var chat object.Chat
-	err := json.Unmarshal(c.Ctx.Input.RequestBody, &chat)
-	if err != nil {
-		c.ResponseError(err.Error())
-		return
-	}
-
-	c.Data["json"] = wrapActionResponse(object.DeleteChat(&chat))
-	c.ServeJSON()
-}
--- a/controllers/enforcer.go
+++ b/controllers/enforcer.go
@@ -20,6 +20,7 @@ import (
 	"github.com/beego/beego/utils/pagination"
 	"github.com/casdoor/casdoor/object"
 	"github.com/casdoor/casdoor/util"
+	xormadapter "github.com/casdoor/xorm-adapter/v3"
 )

 // GetEnforcers
@@ -61,7 +62,7 @@ func (c *ApiController) GetEnforcers() {
 			return
 		}

-		c.ResponseOk(enforcers)
+		c.ResponseOk(enforcers, paginator.Nums())
 	}
 }

@@ -74,6 +75,7 @@ func (c *ApiController) GetEnforcers() {
 // @router /get-enforcer [get]
 func (c *ApiController) GetEnforcer() {
 	id := c.Input().Get("id")
+	loadModelCfg := c.Input().Get("loadModelCfg")

 	enforcer, err := object.GetEnforcer(id)
 	if err != nil {
@@ -81,6 +83,13 @@ func (c *ApiController) GetEnforcer() {
 		return
 	}

+	if loadModelCfg == "true" && enforcer.Model != "" {
+		err := enforcer.LoadModelCfg()
+		if err != nil {
+			return
+		}
+	}
+
 	c.ResponseOk(enforcer)
 }

@@ -143,3 +152,88 @@ func (c *ApiController) DeleteEnforcer() {
 	c.Data["json"] = wrapActionResponse(object.DeleteEnforcer(&enforcer))
 	c.ServeJSON()
 }
+
+func (c *ApiController) GetPolicies() {
+	id := c.Input().Get("id")
+	adapterId := c.Input().Get("adapterId")
+
+	if adapterId != "" {
+		adapter, err := object.GetAdapter(adapterId)
+		if err != nil {
+			c.ResponseError(err.Error())
+			return
+		}
+		err = adapter.InitAdapter()
+		if err != nil {
+			c.ResponseError(err.Error())
+			return
+		}
+		c.ResponseOk()
+		return
+	}
+
+	policies, err := object.GetPolicies(id)
+	if err != nil {
+		c.ResponseError(err.Error())
+		return
+	}
+
+	c.ResponseOk(policies)
+}
+
+func (c *ApiController) UpdatePolicy() {
+	id := c.Input().Get("id")
+
+	var policies []xormadapter.CasbinRule
+	err := json.Unmarshal(c.Ctx.Input.RequestBody, &policies)
+	if err != nil {
+		c.ResponseError(err.Error())
+		return
+	}
+
+	affected, err := object.UpdatePolicy(id, util.CasbinToSlice(policies[0]), util.CasbinToSlice(policies[1]))
+	if err != nil {
+		c.ResponseError(err.Error())
+		return
+	}
+	c.Data["json"] = wrapActionResponse(affected)
+	c.ServeJSON()
+}
+
+func (c *ApiController) AddPolicy() {
+	id := c.Input().Get("id")
+
+	var policy xormadapter.CasbinRule
+	err := json.Unmarshal(c.Ctx.Input.RequestBody, &policy)
+	if err != nil {
+		c.ResponseError(err.Error())
+		return
+	}
+
+	affected, err := object.AddPolicy(id, util.CasbinToSlice(policy))
+	if err != nil {
+		c.ResponseError(err.Error())
+		return
+	}
+	c.Data["json"] = wrapActionResponse(affected)
+	c.ServeJSON()
+}
+
+func (c *ApiController) RemovePolicy() {
+	id := c.Input().Get("id")
+
+	var policy xormadapter.CasbinRule
+	err := json.Unmarshal(c.Ctx.Input.RequestBody, &policy)
+	if err != nil {
+		c.ResponseError(err.Error())
+		return
+	}
+
+	affected, err := object.RemovePolicy(id, util.CasbinToSlice(policy))
+	if err != nil {
+		c.ResponseError(err.Error())
+		return
+	}
+	c.Data["json"] = wrapActionResponse(affected)
+	c.ServeJSON()
+}
--- a/controllers/get-dashboard.go
+++ b/controllers/get-dashboard.go
@@ -0,0 +1,35 @@
+// Copyright 2023 The Casdoor Authors. All Rights Reserved.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//      http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package controllers
+
+import "github.com/casdoor/casdoor/object"
+
+// GetDashboard
+// @Title GetDashboard
+// @Tag GetDashboard API
+// @Description get information of dashboard
+// @Success 200 {object} controllers.Response The Response object
+// @router /get-dashboard [get]
+func (c *ApiController) GetDashboard() {
+	owner := c.Input().Get("owner")
+
+	data, err := object.GetDashboard(owner)
+	if err != nil {
+		c.ResponseError(err.Error())
+		return
+	}
+
+	c.ResponseOk(data)
+}
--- a/controllers/link.go
+++ b/controllers/link.go
@@ -45,13 +45,13 @@ func (c *ApiController) Unlink() {
 	// the user will be unlinked from the provider
 	unlinkedUser := form.User

-	if user.Id != unlinkedUser.Id && !user.IsGlobalAdmin {
+	if user.Id != unlinkedUser.Id && !user.IsGlobalAdmin() {
 		// if the user is not the same as the one we are unlinking, we need to make sure the user is the global admin.
 		c.ResponseError(c.T("link:You are not the global admin, you can't unlink other users"))
 		return
 	}

-	if user.Id == unlinkedUser.Id && !user.IsGlobalAdmin {
+	if user.Id == unlinkedUser.Id && !user.IsGlobalAdmin() {
 		// if the user is unlinking themselves, should check the provider can be unlinked, if not, we should return an error.
 		application, err := object.GetApplicationByUser(user)
 		if err != nil {
--- a/controllers/message.go
+++ b/controllers/message.go
@@ -1,313 +0,0 @@
-// Copyright 2023 The Casdoor Authors. All Rights Reserved.
-//
-// Licensed under the Apache License, Version 2.0 (the "License");
-// you may not use this file except in compliance with the License.
-// You may obtain a copy of the License at
-//
-//      http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing, software
-// distributed under the License is distributed on an "AS IS" BASIS,
-// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-// See the License for the specific language governing permissions and
-// limitations under the License.
-
-package controllers
-
-import (
-	"encoding/json"
-	"fmt"
-	"strings"
-
-	"github.com/beego/beego/utils/pagination"
-	"github.com/casdoor/casdoor/ai"
-	"github.com/casdoor/casdoor/object"
-	"github.com/casdoor/casdoor/util"
-)
-
-// GetMessages
-// @Title GetMessages
-// @Tag Message API
-// @Description get messages
-// @Param   owner     query    string  true        "The owner of messages"
-// @Success 200 {array} object.Message The Response object
-// @router /get-messages [get]
-func (c *ApiController) GetMessages() {
-	owner := c.Input().Get("owner")
-	organization := c.Input().Get("organization")
-	limit := c.Input().Get("pageSize")
-	page := c.Input().Get("p")
-	field := c.Input().Get("field")
-	value := c.Input().Get("value")
-	sortField := c.Input().Get("sortField")
-	sortOrder := c.Input().Get("sortOrder")
-	chat := c.Input().Get("chat")
-
-	if limit == "" || page == "" {
-		var messages []*object.Message
-		var err error
-		if chat == "" {
-			messages, err = object.GetMessages(owner)
-		} else {
-			messages, err = object.GetChatMessages(chat)
-		}
-
-		if err != nil {
-			c.ResponseError(err.Error())
-			return
-		}
-
-		c.ResponseOk(object.GetMaskedMessages(messages))
-	} else {
-		limit := util.ParseInt(limit)
-		count, err := object.GetMessageCount(owner, organization, field, value)
-		if err != nil {
-			c.ResponseError(err.Error())
-			return
-		}
-
-		paginator := pagination.SetPaginator(c.Ctx, limit, count)
-		paginationMessages, err := object.GetPaginationMessages(owner, organization, paginator.Offset(), limit, field, value, sortField, sortOrder)
-		if err != nil {
-			c.ResponseError(err.Error())
-			return
-		}
-
-		messages := object.GetMaskedMessages(paginationMessages)
-		c.ResponseOk(messages, paginator.Nums())
-	}
-}
-
-// GetMessage
-// @Title GetMessage
-// @Tag Message API
-// @Description get message
-// @Param   id     query    string  true        "The id ( owner/name ) of the message"
-// @Success 200 {object} object.Message The Response object
-// @router /get-message [get]
-func (c *ApiController) GetMessage() {
-	id := c.Input().Get("id")
-	message, err := object.GetMessage(id)
-	if err != nil {
-		c.ResponseError(err.Error())
-		return
-	}
-
-	c.ResponseOk(message)
-}
-
-func (c *ApiController) ResponseErrorStream(errorText string) {
-	event := fmt.Sprintf("event: myerror\ndata: %s\n\n", errorText)
-	_, err := c.Ctx.ResponseWriter.Write([]byte(event))
-	if err != nil {
-		c.ResponseError(err.Error())
-		return
-	}
-}
-
-// GetMessageAnswer
-// @Title GetMessageAnswer
-// @Tag Message API
-// @Description get message answer
-// @Param   id     query    string  true        "The id ( owner/name ) of the message"
-// @Success 200 {object} object.Message The Response object
-// @router /get-message-answer [get]
-func (c *ApiController) GetMessageAnswer() {
-	id := c.Input().Get("id")
-
-	c.Ctx.ResponseWriter.Header().Set("Content-Type", "text/event-stream")
-	c.Ctx.ResponseWriter.Header().Set("Cache-Control", "no-cache")
-	c.Ctx.ResponseWriter.Header().Set("Connection", "keep-alive")
-
-	message, err := object.GetMessage(id)
-	if err != nil {
-		c.ResponseError(err.Error())
-		return
-	}
-
-	if message == nil {
-		c.ResponseErrorStream(fmt.Sprintf(c.T("chat:The message: %s is not found"), id))
-		return
-	}
-
-	if message.Author != "AI" || message.ReplyTo == "" || message.Text != "" {
-		c.ResponseErrorStream(c.T("chat:The message is invalid"))
-		return
-	}
-
-	chatId := util.GetId("admin", message.Chat)
-	chat, err := object.GetChat(chatId)
-	if err != nil {
-		c.ResponseError(err.Error())
-		return
-	}
-
-	if chat == nil || chat.Organization != message.Organization {
-		c.ResponseErrorStream(fmt.Sprintf(c.T("chat:The chat: %s is not found"), chatId))
-		return
-	}
-
-	if chat.Type != "AI" {
-		c.ResponseErrorStream(c.T("chat:The chat type must be \"AI\""))
-		return
-	}
-
-	questionMessage, err := object.GetMessage(message.ReplyTo)
-	if questionMessage == nil {
-		c.ResponseErrorStream(fmt.Sprintf(c.T("chat:The message: %s is not found"), id))
-		return
-	}
-
-	providerId := util.GetId(chat.Owner, chat.User2)
-	provider, err := object.GetProvider(providerId)
-	if err != nil {
-		c.ResponseError(err.Error())
-		return
-	}
-
-	if provider == nil {
-		c.ResponseErrorStream(fmt.Sprintf(c.T("chat:The provider: %s is not found"), providerId))
-		return
-	}
-
-	if provider.Category != "AI" || provider.ClientSecret == "" {
-		c.ResponseErrorStream(fmt.Sprintf(c.T("chat:The provider: %s is invalid"), providerId))
-		return
-	}
-
-	c.Ctx.ResponseWriter.Header().Set("Content-Type", "text/event-stream")
-	c.Ctx.ResponseWriter.Header().Set("Cache-Control", "no-cache")
-	c.Ctx.ResponseWriter.Header().Set("Connection", "keep-alive")
-
-	authToken := provider.ClientSecret
-	question := questionMessage.Text
-	var stringBuilder strings.Builder
-
-	fmt.Printf("Question: [%s]\n", questionMessage.Text)
-	fmt.Printf("Answer: [")
-
-	err = ai.QueryAnswerStream(authToken, question, c.Ctx.ResponseWriter, &stringBuilder)
-	if err != nil {
-		c.ResponseErrorStream(err.Error())
-		return
-	}
-
-	fmt.Printf("]\n")
-
-	event := fmt.Sprintf("event: end\ndata: %s\n\n", "end")
-	_, err = c.Ctx.ResponseWriter.Write([]byte(event))
-	if err != nil {
-		c.ResponseError(err.Error())
-		return
-	}
-
-	answer := stringBuilder.String()
-
-	message.Text = answer
-	_, err = object.UpdateMessage(message.GetId(), message)
-	if err != nil {
-		c.ResponseError(err.Error())
-		return
-	}
-}
-
-// UpdateMessage
-// @Title UpdateMessage
-// @Tag Message API
-// @Description update message
-// @Param   id     query    string  true        "The id ( owner/name ) of the message"
-// @Param   body    body   object.Message  true        "The details of the message"
-// @Success 200 {object} controllers.Response The Response object
-// @router /update-message [post]
-func (c *ApiController) UpdateMessage() {
-	id := c.Input().Get("id")
-
-	var message object.Message
-	err := json.Unmarshal(c.Ctx.Input.RequestBody, &message)
-	if err != nil {
-		c.ResponseError(err.Error())
-		return
-	}
-
-	c.Data["json"] = wrapActionResponse(object.UpdateMessage(id, &message))
-	c.ServeJSON()
-}
-
-// AddMessage
-// @Title AddMessage
-// @Tag Message API
-// @Description add message
-// @Param   body    body   object.Message  true        "The details of the message"
-// @Success 200 {object} controllers.Response The Response object
-// @router /add-message [post]
-func (c *ApiController) AddMessage() {
-	var message object.Message
-	err := json.Unmarshal(c.Ctx.Input.RequestBody, &message)
-	if err != nil {
-		c.ResponseError(err.Error())
-		return
-	}
-
-	var chat *object.Chat
-	if message.Chat != "" {
-		chatId := util.GetId("admin", message.Chat)
-		chat, err = object.GetChat(chatId)
-		if err != nil {
-			c.ResponseError(err.Error())
-			return
-		}
-
-		if chat == nil || chat.Organization != message.Organization {
-			c.ResponseError(fmt.Sprintf(c.T("chat:The chat: %s is not found"), chatId))
-			return
-		}
-	}
-
-	affected, err := object.AddMessage(&message)
-	if err != nil {
-		c.ResponseError(err.Error())
-		return
-	}
-
-	if affected {
-		if chat != nil && chat.Type == "AI" {
-			answerMessage := &object.Message{
-				Owner:        message.Owner,
-				Name:         fmt.Sprintf("message_%s", util.GetRandomName()),
-				CreatedTime:  util.GetCurrentTimeEx(message.CreatedTime),
-				Organization: message.Organization,
-				Chat:         message.Chat,
-				ReplyTo:      message.GetId(),
-				Author:       "AI",
-				Text:         "",
-			}
-			_, err = object.AddMessage(answerMessage)
-			if err != nil {
-				c.ResponseError(err.Error())
-				return
-			}
-		}
-	}
-
-	c.Data["json"] = wrapActionResponse(affected)
-	c.ServeJSON()
-}
-
-// DeleteMessage
-// @Title DeleteMessage
-// @Tag Message API
-// @Description delete message
-// @Param   body    body   object.Message  true        "The details of the message"
-// @Success 200 {object} controllers.Response The Response object
-// @router /delete-message [post]
-func (c *ApiController) DeleteMessage() {
-	var message object.Message
-	err := json.Unmarshal(c.Ctx.Input.RequestBody, &message)
-	if err != nil {
-		c.ResponseError(err.Error())
-		return
-	}
-
-	c.Data["json"] = wrapActionResponse(object.DeleteMessage(&message))
-	c.ServeJSON()
-}
--- a/controllers/organization.go
+++ b/controllers/organization.go
@@ -183,8 +183,6 @@ func (c *ApiController) DeleteOrganization() {
 func (c *ApiController) GetDefaultApplication() {
 	userId := c.GetSessionUsername()
 	id := c.Input().Get("id")
-	redirectUri := c.Input().Get("redirectUri")
-	typ := c.Input().Get("type")

 	application, err := object.GetDefaultApplication(id)
 	if err != nil {
@@ -192,14 +190,6 @@ func (c *ApiController) GetDefaultApplication() {
 		return
 	}

-	if typ == "cas" {
-		err = object.CheckCasRestrict(application, c.GetAcceptLanguage(), redirectUri)
-		if err != nil {
-			c.ResponseError(err.Error())
-			return
-		}
-	}
-
 	maskedApplication := object.GetMaskedApplication(application, userId)
 	c.ResponseOk(maskedApplication)
 }
--- a/controllers/payment.go
+++ b/controllers/payment.go
@@ -31,7 +31,6 @@ import (
 // @router /get-payments [get]
 func (c *ApiController) GetPayments() {
 	owner := c.Input().Get("owner")
-	organization := c.Input().Get("organization")
 	limit := c.Input().Get("pageSize")
 	page := c.Input().Get("p")
 	field := c.Input().Get("field")
@@ -49,14 +48,14 @@ func (c *ApiController) GetPayments() {
 		c.ResponseOk(payments)
 	} else {
 		limit := util.ParseInt(limit)
-		count, err := object.GetPaymentCount(owner, organization, field, value)
+		count, err := object.GetPaymentCount(owner, field, value)
 		if err != nil {
 			c.ResponseError(err.Error())
 			return
 		}

 		paginator := pagination.SetPaginator(c.Ctx, limit, count)
-		payments, err := object.GetPaginationPayments(owner, organization, paginator.Offset(), limit, field, value, sortField, sortOrder)
+		payments, err := object.GetPaginationPayments(owner, paginator.Offset(), limit, field, value, sortField, sortOrder)
 		if err != nil {
 			c.ResponseError(err.Error())
 			return
@@ -77,10 +76,9 @@ func (c *ApiController) GetPayments() {
 // @router /get-user-payments [get]
 func (c *ApiController) GetUserPayments() {
 	owner := c.Input().Get("owner")
-	organization := c.Input().Get("organization")
 	user := c.Input().Get("user")

-	payments, err := object.GetUserPayments(owner, organization, user)
+	payments, err := object.GetUserPayments(owner, user)
 	if err != nil {
 		c.ResponseError(err.Error())
 		return
@@ -177,24 +175,18 @@ func (c *ApiController) DeletePayment() {
 // @router /notify-payment [post]
 func (c *ApiController) NotifyPayment() {
 	owner := c.Ctx.Input.Param(":owner")
-	providerName := c.Ctx.Input.Param(":provider")
-	productName := c.Ctx.Input.Param(":product")
 	paymentName := c.Ctx.Input.Param(":payment")
 	orderId := c.Ctx.Input.Param("order")

 	body := c.Ctx.Input.RequestBody

-	err, errorResponse := object.NotifyPayment(c.Ctx.Request, body, owner, providerName, productName, paymentName, orderId)
-
-	_, err2 := c.Ctx.ResponseWriter.Write([]byte(errorResponse))
-	if err2 != nil {
-		panic(err2)
-	}
-
+	payment, err := object.NotifyPayment(c.Ctx.Request, body, owner, paymentName, orderId)
 	if err != nil {
 		c.ResponseError(err.Error())
 		return
 	}
+
+	c.ResponseOk(payment)
 }

 // InvoicePayment
--- a/controllers/permission_upload.go
+++ b/controllers/permission_upload.go
@@ -16,6 +16,7 @@ package controllers

 import (
 	"fmt"
+	"os"

 	"github.com/casdoor/casdoor/object"
 	"github.com/casdoor/casdoor/util"
@@ -32,16 +33,15 @@ func (c *ApiController) UploadPermissions() {
 	}

 	fileId := fmt.Sprintf("%s_%s_%s", owner, user, util.RemoveExt(header.Filename))
-
 	path := util.GetUploadXlsxPath(fileId)
-	util.EnsureFileFolderExists(path)
+	defer os.Remove(path)
 	err = saveFile(path, &file)
 	if err != nil {
 		c.ResponseError(err.Error())
 		return
 	}

-	affected, err := object.UploadPermissions(owner, fileId)
+	affected, err := object.UploadPermissions(owner, path)
 	if err != nil {
 		c.ResponseError(err.Error())
 	}
--- a/controllers/plan.go
+++ b/controllers/plan.go
@@ -16,6 +16,7 @@ package controllers

 import (
 	"encoding/json"
+	"fmt"

 	"github.com/beego/beego/utils/pagination"
 	"github.com/casdoor/casdoor/object"
@@ -82,7 +83,10 @@ func (c *ApiController) GetPlan() {
 		c.ResponseError(err.Error())
 		return
 	}
-
+	if plan == nil {
+		c.ResponseError(fmt.Sprintf(c.T("plan:The plan: %s does not exist"), id))
+		return
+	}
 	if includeOption {
 		options, err := object.GetPermissionsByRole(plan.Role)
 		if err != nil {
@@ -110,14 +114,29 @@ func (c *ApiController) GetPlan() {
 // @router /update-plan [post]
 func (c *ApiController) UpdatePlan() {
 	id := c.Input().Get("id")
-
+	owner := util.GetOwnerFromId(id)
 	var plan object.Plan
 	err := json.Unmarshal(c.Ctx.Input.RequestBody, &plan)
 	if err != nil {
 		c.ResponseError(err.Error())
 		return
 	}
-
+	if plan.Product != "" {
+		productId := util.GetId(owner, plan.Product)
+		product, err := object.GetProduct(productId)
+		if err != nil {
+			c.ResponseError(err.Error())
+			return
+		}
+		if product != nil {
+			object.UpdateProductForPlan(&plan, product)
+			_, err = object.UpdateProduct(productId, product)
+			if err != nil {
+				c.ResponseError(err.Error())
+				return
+			}
+		}
+	}
 	c.Data["json"] = wrapActionResponse(object.UpdatePlan(id, &plan))
 	c.ServeJSON()
 }
@@ -136,7 +155,14 @@ func (c *ApiController) AddPlan() {
 		c.ResponseError(err.Error())
 		return
 	}
-
+	// Create a related product for plan
+	product := object.CreateProductForPlan(&plan)
+	_, err = object.AddProduct(product)
+	if err != nil {
+		c.ResponseError(err.Error())
+		return
+	}
+	plan.Product = product.Name
 	c.Data["json"] = wrapActionResponse(object.AddPlan(&plan))
 	c.ServeJSON()
 }
@@ -155,7 +181,13 @@ func (c *ApiController) DeletePlan() {
 		c.ResponseError(err.Error())
 		return
 	}
-
+	if plan.Product != "" {
+		_, err = object.DeleteProduct(&object.Product{Owner: plan.Owner, Name: plan.Product})
+		if err != nil {
+			c.ResponseError(err.Error())
+			return
+		}
+	}
 	c.Data["json"] = wrapActionResponse(object.DeletePlan(&plan))
 	c.ServeJSON()
 }
--- a/controllers/pricing.go
+++ b/controllers/pricing.go
@@ -16,6 +16,7 @@ package controllers

 import (
 	"encoding/json"
+	"fmt"

 	"github.com/beego/beego/utils/pagination"
 	"github.com/casdoor/casdoor/object"
@@ -80,7 +81,10 @@ func (c *ApiController) GetPricing() {
 		c.ResponseError(err.Error())
 		return
 	}
-
+	if pricing == nil {
+		c.ResponseError(fmt.Sprintf(c.T("pricing:The pricing: %s does not exist"), id))
+		return
+	}
 	c.ResponseOk(pricing)
 }

--- a/controllers/product.go
+++ b/controllers/product.go
@@ -161,10 +161,17 @@ func (c *ApiController) DeleteProduct() {
 // @router /buy-product [post]
 func (c *ApiController) BuyProduct() {
 	id := c.Input().Get("id")
-	providerName := c.Input().Get("providerName")
 	host := c.Ctx.Request.Host
-
-	userId := c.GetSessionUsername()
+	providerName := c.Input().Get("providerName")
+	// buy `pricingName/planName` for `paidUserName`
+	pricingName := c.Input().Get("pricingName")
+	planName := c.Input().Get("planName")
+	paidUserName := c.Input().Get("userName")
+	owner, _ := util.GetOwnerAndNameFromId(id)
+	userId := util.GetId(owner, paidUserName)
+	if paidUserName == "" {
+		userId = c.GetSessionUsername()
+	}
 	if userId == "" {
 		c.ResponseError(c.T("general:Please login first"))
 		return
@@ -175,13 +182,12 @@ func (c *ApiController) BuyProduct() {
 		c.ResponseError(err.Error())
 		return
 	}
-
 	if user == nil {
 		c.ResponseError(fmt.Sprintf(c.T("general:The user: %s doesn't exist"), userId))
 		return
 	}

-	payUrl, orderId, err := object.BuyProduct(id, providerName, user, host)
+	payUrl, orderId, err := object.BuyProduct(id, user, providerName, pricingName, planName, host)
 	if err != nil {
 		c.ResponseError(err.Error())
 		return
--- a/controllers/record.go
+++ b/controllers/record.go
@@ -1,121 +0,0 @@
-// Copyright 2021 The Casdoor Authors. All Rights Reserved.
-//
-// Licensed under the Apache License, Version 2.0 (the "License");
-// you may not use this file except in compliance with the License.
-// You may obtain a copy of the License at
-//
-//      http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing, software
-// distributed under the License is distributed on an "AS IS" BASIS,
-// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-// See the License for the specific language governing permissions and
-// limitations under the License.
-
-package controllers
-
-import (
-	"encoding/json"
-
-	"github.com/beego/beego/utils/pagination"
-	"github.com/casdoor/casdoor/object"
-	"github.com/casdoor/casdoor/util"
-)
-
-// GetRecords
-// @Title GetRecords
-// @Tag Record API
-// @Description get all records
-// @Param   pageSize     query    string  true        "The size of each page"
-// @Param   p     query    string  true        "The number of the page"
-// @Success 200 {object} object.Record The Response object
-// @router /get-records [get]
-func (c *ApiController) GetRecords() {
-	organization, ok := c.RequireAdmin()
-	if !ok {
-		return
-	}
-
-	limit := c.Input().Get("pageSize")
-	page := c.Input().Get("p")
-	field := c.Input().Get("field")
-	value := c.Input().Get("value")
-	sortField := c.Input().Get("sortField")
-	sortOrder := c.Input().Get("sortOrder")
-	organizationName := c.Input().Get("organizationName")
-
-	if limit == "" || page == "" {
-		records, err := object.GetRecords()
-		if err != nil {
-			c.ResponseError(err.Error())
-			return
-		}
-
-		c.ResponseOk(records)
-	} else {
-		limit := util.ParseInt(limit)
-		if c.IsGlobalAdmin() && organizationName != "" {
-			organization = organizationName
-		}
-		filterRecord := &object.Record{Organization: organization}
-		count, err := object.GetRecordCount(field, value, filterRecord)
-		if err != nil {
-			c.ResponseError(err.Error())
-			return
-		}
-
-		paginator := pagination.SetPaginator(c.Ctx, limit, count)
-		records, err := object.GetPaginationRecords(paginator.Offset(), limit, field, value, sortField, sortOrder, filterRecord)
-		if err != nil {
-			c.ResponseError(err.Error())
-			return
-		}
-
-		c.ResponseOk(records, paginator.Nums())
-	}
-}
-
-// GetRecordsByFilter
-// @Tag Record API
-// @Title GetRecordsByFilter
-// @Description get records by filter
-// @Param   filter  body string     true  "filter Record message"
-// @Success 200 {object} object.Record The Response object
-// @router /get-records-filter [post]
-func (c *ApiController) GetRecordsByFilter() {
-	body := string(c.Ctx.Input.RequestBody)
-
-	record := &object.Record{}
-	err := util.JsonToStruct(body, record)
-	if err != nil {
-		c.ResponseError(err.Error())
-		return
-	}
-
-	records, err := object.GetRecordsByField(record)
-	if err != nil {
-		c.ResponseError(err.Error())
-		return
-	}
-
-	c.ResponseOk(records)
-}
-
-// AddRecord
-// @Title AddRecord
-// @Tag Record API
-// @Description add a record
-// @Param   body    body   object.Record  true        "The details of the record"
-// @Success 200 {object} controllers.Response The Response object
-// @router /add-record [post]
-func (c *ApiController) AddRecord() {
-	var record object.Record
-	err := json.Unmarshal(c.Ctx.Input.RequestBody, &record)
-	if err != nil {
-		c.ResponseError(err.Error())
-		return
-	}
-
-	c.Data["json"] = wrapActionResponse(object.AddRecord(&record))
-	c.ServeJSON()
-}
--- a/controllers/resource.go
+++ b/controllers/resource.go
@@ -52,15 +52,22 @@ func (c *ApiController) GetResources() {
 	sortField := c.Input().Get("sortField")
 	sortOrder := c.Input().Get("sortOrder")

-	userObj, ok := c.RequireSignedInUser()
-	if !ok {
-		return
-	}
-	if userObj.IsAdmin {
-		user = ""
-	}
+	if sortField == "Direct" {
+		provider, err := c.GetProviderFromContext("Storage")
+		if err != nil {
+			c.ResponseError(err.Error())
+			return
+		}

-	if limit == "" || page == "" {
+		prefix := sortOrder
+		resources, err := object.GetDirectResources(owner, user, provider, prefix, c.GetAcceptLanguage())
+		if err != nil {
+			c.ResponseError(err.Error())
+			return
+		}
+
+		c.ResponseOk(resources)
+	} else if limit == "" || page == "" {
 		resources, err := object.GetResources(owner, user)
 		if err != nil {
 			c.ResponseError(err.Error())
@@ -160,11 +167,16 @@ func (c *ApiController) DeleteResource() {
 		return
 	}

+	if resource.Provider != "" {
+		c.Input().Set("provider", resource.Provider)
+	}
+	c.Input().Set("fullFilePath", resource.Name)
 	provider, err := c.GetProviderFromContext("Storage")
 	if err != nil {
 		c.ResponseError(err.Error())
 		return
 	}
+	_, resource.Name = refineFullFilePath(resource.Name)

 	err = object.DeleteFile(provider, resource.Name, c.GetAcceptLanguage())
 	if err != nil {
@@ -224,6 +236,7 @@ func (c *ApiController) UploadResource() {
 		c.ResponseError(err.Error())
 		return
 	}
+	_, fullFilePath = refineFullFilePath(fullFilePath)

 	fileType := "unknown"
 	contentType := header.Header.Get("Content-Type")
@@ -348,6 +361,9 @@ func (c *ApiController) UploadResource() {
 			return
 		}

+		if user.Properties == nil {
+			user.Properties = map[string]string{}
+		}
 		user.Properties[tag] = fileUrl
 		user.Properties["isIdCardVerified"] = "false"
 		_, err = object.UpdateUser(user.GetId(), user, []string{"properties"}, false)
--- a/controllers/role_upload.go
+++ b/controllers/role_upload.go
@@ -16,6 +16,7 @@ package controllers

 import (
 	"fmt"
+	"os"

 	"github.com/casdoor/casdoor/object"
 	"github.com/casdoor/casdoor/util"
@@ -32,16 +33,15 @@ func (c *ApiController) UploadRoles() {
 	}

 	fileId := fmt.Sprintf("%s_%s_%s", owner, user, util.RemoveExt(header.Filename))
-
 	path := util.GetUploadXlsxPath(fileId)
-	util.EnsureFileFolderExists(path)
+	defer os.Remove(path)
 	err = saveFile(path, &file)
 	if err != nil {
 		c.ResponseError(err.Error())
 		return
 	}

-	affected, err := object.UploadRoles(owner, fileId)
+	affected, err := object.UploadRoles(owner, path)
 	if err != nil {
 		c.ResponseError(err.Error())
 	}
--- a/controllers/service.go
+++ b/controllers/service.go
@@ -40,6 +40,10 @@ type SmsForm struct {
 	OrgId     string   `json:"organizationId"` // e.g. "admin/built-in"
 }

+type NotificationForm struct {
+	Content string `json:"content"`
+}
+
 // SendEmail
 // @Title SendEmail
 // @Tag Service API
@@ -140,10 +144,12 @@ func (c *ApiController) SendSms() {
 		return
 	}

-	invalidReceivers := getInvalidSmsReceivers(smsForm)
-	if len(invalidReceivers) != 0 {
-		c.ResponseError(fmt.Sprintf(c.T("service:Invalid phone receivers: %s"), strings.Join(invalidReceivers, ", ")))
-		return
+	if provider.Type != "Custom HTTP SMS" {
+		invalidReceivers := getInvalidSmsReceivers(smsForm)
+		if len(invalidReceivers) != 0 {
+			c.ResponseError(fmt.Sprintf(c.T("service:Invalid phone receivers: %s"), strings.Join(invalidReceivers, ", ")))
+			return
+		}
 	}

 	err = object.SendSms(provider, smsForm.Content, smsForm.Receivers...)
@@ -154,3 +160,33 @@ func (c *ApiController) SendSms() {

 	c.ResponseOk()
 }
+
+// SendNotification
+// @Title SendNotification
+// @Tag Service API
+// @Description This API is not for Casdoor frontend to call, it is for Casdoor SDKs.
+// @Param   from    body   controllers.NotificationForm    true         "Details of the notification request"
+// @Success 200 {object}  Response object
+// @router /api/send-notification [post]
+func (c *ApiController) SendNotification() {
+	provider, err := c.GetProviderFromContext("Notification")
+	if err != nil {
+		c.ResponseError(err.Error())
+		return
+	}
+
+	var notificationForm NotificationForm
+	err = json.Unmarshal(c.Ctx.Input.RequestBody, &notificationForm)
+	if err != nil {
+		c.ResponseError(err.Error())
+		return
+	}
+
+	err = object.SendNotification(provider, notificationForm.Content)
+	if err != nil {
+		c.ResponseError(err.Error())
+		return
+	}
+
+	c.ResponseOk()
+}
--- a/controllers/syncer.go
+++ b/controllers/syncer.go
@@ -160,7 +160,11 @@ func (c *ApiController) RunSyncer() {
 		return
 	}

-	object.RunSyncer(syncer)
+	err = object.RunSyncer(syncer)
+	if err != nil {
+		c.ResponseError(err.Error())
+		return
+	}

 	c.ResponseOk()
 }
--- a/controllers/system_info.go
+++ b/controllers/system_info.go
@@ -47,16 +47,16 @@ func (c *ApiController) GetSystemInfo() {
 // @router /get-version-info [get]
 func (c *ApiController) GetVersionInfo() {
 	versionInfo, err := util.GetVersionInfo()
-
-	if versionInfo.Version == "" {
-		versionInfo, err = util.GetVersionInfoFromFile()
-
-		if err != nil {
-			c.ResponseError(err.Error())
-			return
-		}
+	if versionInfo.Version != "" {
+		c.ResponseOk(versionInfo)
+		return
 	}

+	versionInfo, err = util.GetVersionInfoFromFile()
+	if err != nil {
+		c.ResponseError(err.Error())
+		return
+	}
 	c.ResponseOk(versionInfo)
 }

--- a/controllers/user.go
+++ b/controllers/user.go
@@ -90,7 +90,7 @@ func (c *ApiController) GetUsers() {

 	if limit == "" || page == "" {
 		if groupName != "" {
-			maskedUsers, err := object.GetMaskedUsers(object.GetGroupUsers(groupName))
+			maskedUsers, err := object.GetMaskedUsers(object.GetGroupUsers(util.GetId(owner, groupName)))
 			if err != nil {
 				c.ResponseError(err.Error())
 				return
@@ -567,6 +567,22 @@ func (c *ApiController) RemoveUserFromGroup() {
 	name := c.Ctx.Request.Form.Get("name")
 	groupName := c.Ctx.Request.Form.Get("groupName")

-	c.Data["json"] = wrapActionResponse(object.RemoveUserFromGroup(owner, name, groupName))
-	c.ServeJSON()
+	organization, err := object.GetOrganization(util.GetId("admin", owner))
+	if err != nil {
+		return
+	}
+	item := object.GetAccountItemByName("Groups", organization)
+	res, msg := object.CheckAccountItemModifyRule(item, c.IsAdmin(), c.GetAcceptLanguage())
+	if !res {
+		c.ResponseError(msg)
+		return
+	}
+
+	affected, err := object.DeleteGroupForUser(util.GetId(owner, name), groupName)
+	if err != nil {
+		c.ResponseError(err.Error())
+		return
+	}
+
+	c.ResponseOk(affected)
 }
--- a/controllers/user_upload.go
+++ b/controllers/user_upload.go
@@ -48,17 +48,17 @@ func (c *ApiController) UploadUsers() {
 		c.ResponseError(err.Error())
 		return
 	}
-	fileId := fmt.Sprintf("%s_%s_%s", owner, user, util.RemoveExt(header.Filename))

+	fileId := fmt.Sprintf("%s_%s_%s", owner, user, util.RemoveExt(header.Filename))
 	path := util.GetUploadXlsxPath(fileId)
-	util.EnsureFileFolderExists(path)
+	defer os.Remove(path)
 	err = saveFile(path, &file)
 	if err != nil {
 		c.ResponseError(err.Error())
 		return
 	}

-	affected, err := object.UploadUsers(owner, fileId)
+	affected, err := object.UploadUsers(owner, path)
 	if err != nil {
 		c.ResponseError(err.Error())
 		return
--- a/controllers/util.go
+++ b/controllers/util.go
@@ -16,6 +16,7 @@ package controllers

 import (
 	"fmt"
+	"strings"

 	"github.com/casdoor/casdoor/conf"
 	"github.com/casdoor/casdoor/i18n"
@@ -143,8 +144,30 @@ func (c *ApiController) IsMaskedEnabled() (bool, bool) {
 	return true, isMaskEnabled
 }

+func refineFullFilePath(fullFilePath string) (string, string) {
+	tokens := strings.Split(fullFilePath, "/")
+	if len(tokens) >= 2 && tokens[0] == "Direct" && tokens[1] != "" {
+		providerName := tokens[1]
+		res := strings.Join(tokens[2:], "/")
+		return providerName, "/" + res
+	} else {
+		return "", fullFilePath
+	}
+}
+
 func (c *ApiController) GetProviderFromContext(category string) (*object.Provider, error) {
 	providerName := c.Input().Get("provider")
+	if providerName == "" {
+		field := c.Input().Get("field")
+		value := c.Input().Get("value")
+		if field == "provider" && value != "" {
+			providerName = value
+		} else {
+			fullFilePath := c.Input().Get("fullFilePath")
+			providerName, _ = refineFullFilePath(fullFilePath)
+		}
+	}
+
 	if providerName != "" {
 		provider, err := object.GetProvider(util.GetId("admin", providerName))
 		if err != nil {
--- a/controllers/webhook.go
+++ b/controllers/webhook.go
@@ -26,9 +26,10 @@ import (
 // @Title GetWebhooks
 // @Tag Webhook API
 // @Description get webhooks
-// @Param   owner     query    string  true        "The owner of webhooks"
+// @Param   owner     query    string  built-in/admin	true        "The owner of webhooks"
 // @Success 200 {array} object.Webhook The Response object
 // @router /get-webhooks [get]
+// @Security test_apiKey
 func (c *ApiController) GetWebhooks() {
 	owner := c.Input().Get("owner")
 	limit := c.Input().Get("pageSize")
@@ -71,7 +72,7 @@ func (c *ApiController) GetWebhooks() {
 // @Title GetWebhook
 // @Tag Webhook API
 // @Description get webhook
-// @Param   id     query    string  true        "The id ( owner/name ) of the webhook"
+// @Param   id     query    string  built-in/admin	true        "The id ( owner/name ) of the webhook"
 // @Success 200 {object} object.Webhook The Response object
 // @router /get-webhook [get]
 func (c *ApiController) GetWebhook() {
@@ -90,7 +91,7 @@ func (c *ApiController) GetWebhook() {
 // @Title UpdateWebhook
 // @Tag Webhook API
 // @Description update webhook
-// @Param   id     query    string  true        "The id ( owner/name ) of the webhook"
+// @Param   id     query    string  built-in/admin true        "The id ( owner/name ) of the webhook"
 // @Param   body    body   object.Webhook  true        "The details of the webhook"
 // @Success 200 {object} controllers.Response The Response object
 // @router /update-webhook [post]
--- a/form/auth.go
+++ b/form/auth.go
@@ -17,17 +17,18 @@ package form
 type AuthForm struct {
 	Type string `json:"type"`

-	Organization string `json:"organization"`
-	Username     string `json:"username"`
-	Password     string `json:"password"`
-	Name         string `json:"name"`
-	FirstName    string `json:"firstName"`
-	LastName     string `json:"lastName"`
-	Email        string `json:"email"`
-	Phone        string `json:"phone"`
-	Affiliation  string `json:"affiliation"`
-	IdCard       string `json:"idCard"`
-	Region       string `json:"region"`
+	Organization   string `json:"organization"`
+	Username       string `json:"username"`
+	Password       string `json:"password"`
+	Name           string `json:"name"`
+	FirstName      string `json:"firstName"`
+	LastName       string `json:"lastName"`
+	Email          string `json:"email"`
+	Phone          string `json:"phone"`
+	Affiliation    string `json:"affiliation"`
+	IdCard         string `json:"idCard"`
+	Region         string `json:"region"`
+	InvitationCode string `json:"invitationCode"`

 	Application string `json:"application"`
 	ClientId    string `json:"clientId"`
--- a/go.mod
+++ b/go.mod
@@ -12,13 +12,13 @@ require (
 	github.com/beevik/etree v1.1.0
 	github.com/casbin/casbin v1.9.1 // indirect
 	github.com/casbin/casbin/v2 v2.30.1
-	github.com/casdoor/go-sms-sender v0.6.1
+	github.com/casdoor/go-sms-sender v0.12.0
 	github.com/casdoor/gomail/v2 v2.0.1
-	github.com/casdoor/oss v1.2.0
+	github.com/casdoor/oss v1.3.0
 	github.com/casdoor/xorm-adapter/v3 v3.0.4
+	github.com/casvisor/casvisor-go-sdk v1.0.3
 	github.com/dchest/captcha v0.0.0-20200903113550-03f5f0333e1f
 	github.com/denisenkom/go-mssqldb v0.9.0
-	github.com/dlclark/regexp2 v1.9.0 // indirect
 	github.com/elazarl/go-bindata-assetfs v1.0.1 // indirect
 	github.com/fogleman/gg v1.3.0
 	github.com/forestmgy/ldapserver v1.1.0
@@ -27,36 +27,32 @@ require (
 	github.com/go-mysql-org/go-mysql v1.7.0
 	github.com/go-pay/gopay v1.5.72
 	github.com/go-sql-driver/mysql v1.6.0
+	github.com/go-telegram-bot-api/telegram-bot-api v4.6.4+incompatible
 	github.com/go-webauthn/webauthn v0.6.0
 	github.com/golang-jwt/jwt/v4 v4.5.0
-	github.com/golang/freetype v0.0.0-20170609003504-e2365dfdc4a0 // indirect
-	github.com/golang/protobuf v1.5.2 // indirect
-	github.com/golang/snappy v0.0.4 // indirect
 	github.com/google/uuid v1.3.0
-	github.com/gorilla/mux v1.7.3 // indirect
 	github.com/kardianos/osext v0.0.0-20190222173326-2bc1f35cddc0 // indirect
 	github.com/lestrrat-go/jwx v1.2.21
-	github.com/lib/pq v1.10.2
+	github.com/lib/pq v1.10.9
 	github.com/lor00x/goldap v0.0.0-20180618054307-a546dffdd1a3
 	github.com/markbates/goth v1.75.2
 	github.com/mitchellh/mapstructure v1.5.0
+	github.com/nikoksr/notify v0.41.0
 	github.com/nu7hatch/gouuid v0.0.0-20131221200532-179d4d0c4d8d // indirect
 	github.com/nyaruka/phonenumbers v1.1.5
-	github.com/pkoukk/tiktoken-go v0.1.1
 	github.com/pquerna/otp v1.4.0
 	github.com/prometheus/client_golang v1.11.1
-	github.com/prometheus/client_model v0.2.0
+	github.com/prometheus/client_model v0.3.0
 	github.com/qiangmzsx/string-adapter/v2 v2.1.0
 	github.com/robfig/cron/v3 v3.0.1
 	github.com/russellhaering/gosaml2 v0.9.0
 	github.com/russellhaering/goxmldsig v1.2.0
-	github.com/sashabaranov/go-openai v1.12.0
-	github.com/satori/go.uuid v1.2.0
 	github.com/shiena/ansicolor v0.0.0-20200904210342-c7312218db18 // indirect
 	github.com/shirou/gopsutil v3.21.11+incompatible
 	github.com/siddontang/go-log v0.0.0-20190221022429-1e957dd83bed
 	github.com/skip2/go-qrcode v0.0.0-20200617195104-da1b6568686e
-	github.com/stretchr/testify v1.8.2
+	github.com/stretchr/testify v1.8.4
+	github.com/stripe/stripe-go/v74 v74.29.0
 	github.com/tealeg/xlsx v1.0.5
 	github.com/thanhpk/randstr v1.0.4
 	github.com/tklauser/go-sysconf v0.3.10 // indirect
@@ -64,12 +60,10 @@ require (
 	github.com/xorm-io/core v0.7.4
 	github.com/xorm-io/xorm v1.1.6
 	github.com/yusufpapurcu/wmi v1.2.2 // indirect
-	golang.org/x/crypto v0.6.0
-	golang.org/x/lint v0.0.0-20210508222113-6edffad5e616 // indirect
-	golang.org/x/net v0.7.0
-	golang.org/x/oauth2 v0.0.0-20210628180205-a41e5a781914
+	golang.org/x/crypto v0.11.0
+	golang.org/x/net v0.13.0
+	golang.org/x/oauth2 v0.10.0
 	gopkg.in/ini.v1 v1.67.0 // indirect
 	gopkg.in/square/go-jose.v2 v2.6.0
-	gopkg.in/yaml.v2 v2.4.0 // indirect
-	modernc.org/sqlite v1.10.1-0.20210314190707-798bbeb9bb84
+	modernc.org/sqlite v1.18.2
 )
--- a/go.sum
+++ b/go.sum
--- a/i18n/generate_test.go
+++ b/i18n/generate_test.go
@@ -33,6 +33,12 @@ func TestGenerateI18nFrontend(t *testing.T) {
 	applyToOtherLanguage("frontend", "ru", data)
 	applyToOtherLanguage("frontend", "vi", data)
 	applyToOtherLanguage("frontend", "pt", data)
+	applyToOtherLanguage("frontend", "it", data)
+	applyToOtherLanguage("frontend", "ms", data)
+	applyToOtherLanguage("frontend", "tr", data)
+	applyToOtherLanguage("frontend", "ar", data)
+	applyToOtherLanguage("frontend", "he", data)
+	applyToOtherLanguage("frontend", "fi", data)
 }

 func TestGenerateI18nBackend(t *testing.T) {
@@ -49,4 +55,10 @@ func TestGenerateI18nBackend(t *testing.T) {
 	applyToOtherLanguage("backend", "ru", data)
 	applyToOtherLanguage("backend", "vi", data)
 	applyToOtherLanguage("backend", "pt", data)
+	applyToOtherLanguage("backend", "it", data)
+	applyToOtherLanguage("backend", "ms", data)
+	applyToOtherLanguage("backend", "tr", data)
+	applyToOtherLanguage("backend", "ar", data)
+	applyToOtherLanguage("backend", "he", data)
+	applyToOtherLanguage("backend", "fi", data)
 }
--- a/i18n/locales/ar/data.json
+++ b/i18n/locales/ar/data.json
@@ -0,0 +1,142 @@
+{
+  "account": {
+    "Failed to add user": "Failed to add user",
+    "Get init score failed, error: %w": "Get init score failed, error: %w",
+    "Please sign out first": "Please sign out first",
+    "The application does not allow to sign up new account": "The application does not allow to sign up new account"
+  },
+  "auth": {
+    "Challenge method should be S256": "Challenge method should be S256",
+    "Failed to create user, user information is invalid: %s": "Failed to create user, user information is invalid: %s",
+    "Failed to login in: %s": "Failed to login in: %s",
+    "Invalid token": "Invalid token",
+    "State expected: %s, but got: %s": "State expected: %s, but got: %s",
+    "The account for provider: %s and username: %s (%s) does not exist and is not allowed to sign up as new account via %%s, please use another way to sign up": "The account for provider: %s and username: %s (%s) does not exist and is not allowed to sign up as new account via %%s, please use another way to sign up",
+    "The account for provider: %s and username: %s (%s) does not exist and is not allowed to sign up as new account, please contact your IT support": "The account for provider: %s and username: %s (%s) does not exist and is not allowed to sign up as new account, please contact your IT support",
+    "The account for provider: %s and username: %s (%s) is already linked to another account: %s (%s)": "The account for provider: %s and username: %s (%s) is already linked to another account: %s (%s)",
+    "The application: %s does not exist": "The application: %s does not exist",
+    "The login method: login with password is not enabled for the application": "The login method: login with password is not enabled for the application",
+    "The provider: %s is not enabled for the application": "The provider: %s is not enabled for the application",
+    "Unauthorized operation": "Unauthorized operation",
+    "Unknown authentication type (not password or provider), form = %s": "Unknown authentication type (not password or provider), form = %s",
+    "User's tag: %s is not listed in the application's tags": "User's tag: %s is not listed in the application's tags"
+  },
+  "cas": {
+    "Service %s and %s do not match": "Service %s and %s do not match"
+  },
+  "check": {
+    "Affiliation cannot be blank": "Affiliation cannot be blank",
+    "DisplayName cannot be blank": "DisplayName cannot be blank",
+    "DisplayName is not valid real name": "DisplayName is not valid real name",
+    "Email already exists": "Email already exists",
+    "Email cannot be empty": "Email cannot be empty",
+    "Email is invalid": "Email is invalid",
+    "Empty username.": "Empty username.",
+    "FirstName cannot be blank": "FirstName cannot be blank",
+    "LDAP user name or password incorrect": "LDAP user name or password incorrect",
+    "LastName cannot be blank": "LastName cannot be blank",
+    "Multiple accounts with same uid, please check your ldap server": "Multiple accounts with same uid, please check your ldap server",
+    "Organization does not exist": "Organization does not exist",
+    "Password must have at least 6 characters": "Password must have at least 6 characters",
+    "Phone already exists": "Phone already exists",
+    "Phone cannot be empty": "Phone cannot be empty",
+    "Phone number is invalid": "Phone number is invalid",
+    "Session outdated, please login again": "Session outdated, please login again",
+    "The user is forbidden to sign in, please contact the administrator": "The user is forbidden to sign in, please contact the administrator",
+    "The user: %s doesn't exist in LDAP server": "The user: %s doesn't exist in LDAP server",
+    "The username may only contain alphanumeric characters, underlines or hyphens, cannot have consecutive hyphens or underlines, and cannot begin or end with a hyphen or underline.": "The username may only contain alphanumeric characters, underlines or hyphens, cannot have consecutive hyphens or underlines, and cannot begin or end with a hyphen or underline.",
+    "Username already exists": "Username already exists",
+    "Username cannot be an email address": "Username cannot be an email address",
+    "Username cannot contain white spaces": "Username cannot contain white spaces",
+    "Username cannot start with a digit": "Username cannot start with a digit",
+    "Username is too long (maximum is 39 characters).": "Username is too long (maximum is 39 characters).",
+    "Username must have at least 2 characters": "Username must have at least 2 characters",
+    "You have entered the wrong password or code too many times, please wait for %d minutes and try again": "You have entered the wrong password or code too many times, please wait for %d minutes and try again",
+    "Your region is not allow to signup by phone": "Your region is not allow to signup by phone",
+    "password or code is incorrect": "password or code is incorrect",
+    "password or code is incorrect, you have %d remaining chances": "password or code is incorrect, you have %d remaining chances",
+    "unsupported password type: %s": "unsupported password type: %s"
+  },
+  "general": {
+    "Missing parameter": "Missing parameter",
+    "Please login first": "Please login first",
+    "The user: %s doesn't exist": "The user: %s doesn't exist",
+    "don't support captchaProvider: ": "don't support captchaProvider: ",
+    "this operation is not allowed in demo mode": "this operation is not allowed in demo mode"
+  },
+  "ldap": {
+    "Ldap server exist": "Ldap server exist"
+  },
+  "link": {
+    "Please link first": "Please link first",
+    "This application has no providers": "This application has no providers",
+    "This application has no providers of type": "This application has no providers of type",
+    "This provider can't be unlinked": "This provider can't be unlinked",
+    "You are not the global admin, you can't unlink other users": "You are not the global admin, you can't unlink other users",
+    "You can't unlink yourself, you are not a member of any application": "You can't unlink yourself, you are not a member of any application"
+  },
+  "organization": {
+    "Only admin can modify the %s.": "Only admin can modify the %s.",
+    "The %s is immutable.": "The %s is immutable.",
+    "Unknown modify rule %s.": "Unknown modify rule %s."
+  },
+  "provider": {
+    "Invalid application id": "Invalid application id",
+    "the provider: %s does not exist": "the provider: %s does not exist"
+  },
+  "resource": {
+    "User is nil for tag: avatar": "User is nil for tag: avatar",
+    "Username or fullFilePath is empty: username = %s, fullFilePath = %s": "Username or fullFilePath is empty: username = %s, fullFilePath = %s"
+  },
+  "saml": {
+    "Application %s not found": "Application %s not found"
+  },
+  "saml_sp": {
+    "provider %s's category is not SAML": "provider %s's category is not SAML"
+  },
+  "service": {
+    "Empty parameters for emailForm: %v": "Empty parameters for emailForm: %v",
+    "Invalid Email receivers: %s": "Invalid Email receivers: %s",
+    "Invalid phone receivers: %s": "Invalid phone receivers: %s"
+  },
+  "storage": {
+    "The objectKey: %s is not allowed": "The objectKey: %s is not allowed",
+    "The provider type: %s is not supported": "The provider type: %s is not supported"
+  },
+  "token": {
+    "Empty clientId or clientSecret": "Empty clientId or clientSecret",
+    "Grant_type: %s is not supported in this application": "Grant_type: %s is not supported in this application",
+    "Invalid application or wrong clientSecret": "Invalid application or wrong clientSecret",
+    "Invalid client_id": "Invalid client_id",
+    "Redirect URI: %s doesn't exist in the allowed Redirect URI list": "Redirect URI: %s doesn't exist in the allowed Redirect URI list",
+    "Token not found, invalid accessToken": "Token not found, invalid accessToken"
+  },
+  "user": {
+    "Display name cannot be empty": "Display name cannot be empty",
+    "New password cannot contain blank space.": "New password cannot contain blank space."
+  },
+  "user_upload": {
+    "Failed to import users": "Failed to import users"
+  },
+  "util": {
+    "No application is found for userId: %s": "No application is found for userId: %s",
+    "No provider for category: %s is found for application: %s": "No provider for category: %s is found for application: %s",
+    "The provider: %s is not found": "The provider: %s is not found"
+  },
+  "verification": {
+    "Code has not been sent yet!": "Code has not been sent yet!",
+    "Invalid captcha provider.": "Invalid captcha provider.",
+    "Phone number is invalid in your region %s": "Phone number is invalid in your region %s",
+    "Turing test failed.": "Turing test failed.",
+    "Unable to get the email modify rule.": "Unable to get the email modify rule.",
+    "Unable to get the phone modify rule.": "Unable to get the phone modify rule.",
+    "Unknown type": "Unknown type",
+    "Wrong verification code!": "Wrong verification code!",
+    "You should verify your code in %d min!": "You should verify your code in %d min!",
+    "the user does not exist, please sign up first": "the user does not exist, please sign up first"
+  },
+  "webauthn": {
+    "Found no credentials for this user": "Found no credentials for this user",
+    "Please call WebAuthnSigninBegin first": "Please call WebAuthnSigninBegin first"
+  }
+}
--- a/i18n/locales/de/data.json
+++ b/i18n/locales/de/data.json
@@ -24,14 +24,6 @@
  "cas": {
    "Service %s and %s do not match": "Service %s und %s stimmen nicht überein"
  },
-  "chat": {
-    "The chat type must be \\\"AI\\\"": "The chat type must be \\\"AI\\\"",
-    "The chat: %s is not found": "The chat: %s is not found",
-    "The message is invalid": "The message is invalid",
-    "The message: %s is not found": "The message: %s is not found",
-    "The provider: %s is invalid": "The provider: %s is invalid",
-    "The provider: %s is not found": "The provider: %s is not found"
-  },
  "check": {
    "Affiliation cannot be blank": "Zugehörigkeit darf nicht leer sein",
    "DisplayName cannot be blank": "Anzeigename kann nicht leer sein",
--- a/i18n/locales/en/data.json
+++ b/i18n/locales/en/data.json
@@ -24,14 +24,6 @@
  "cas": {
    "Service %s and %s do not match": "Service %s and %s do not match"
  },
-  "chat": {
-    "The chat type must be \\\"AI\\\"": "The chat type must be \\\"AI\\\"",
-    "The chat: %s is not found": "The chat: %s is not found",
-    "The message is invalid": "The message is invalid",
-    "The message: %s is not found": "The message: %s is not found",
-    "The provider: %s is invalid": "The provider: %s is invalid",
-    "The provider: %s is not found": "The provider: %s is not found"
-  },
  "check": {
    "Affiliation cannot be blank": "Affiliation cannot be blank",
    "DisplayName cannot be blank": "DisplayName cannot be blank",
--- a/i18n/locales/es/data.json
+++ b/i18n/locales/es/data.json
@@ -24,14 +24,6 @@
  "cas": {
    "Service %s and %s do not match": "Los servicios %s y %s no coinciden"
  },
-  "chat": {
-    "The chat type must be \\\"AI\\\"": "The chat type must be \\\"AI\\\"",
-    "The chat: %s is not found": "The chat: %s is not found",
-    "The message is invalid": "The message is invalid",
-    "The message: %s is not found": "The message: %s is not found",
-    "The provider: %s is invalid": "The provider: %s is invalid",
-    "The provider: %s is not found": "The provider: %s is not found"
-  },
  "check": {
    "Affiliation cannot be blank": "Afiliación no puede estar en blanco",
    "DisplayName cannot be blank": "El nombre de visualización no puede estar en blanco",
--- a/i18n/locales/fi/data.json
+++ b/i18n/locales/fi/data.json
@@ -0,0 +1,142 @@
+{
+  "account": {
+    "Failed to add user": "Failed to add user",
+    "Get init score failed, error: %w": "Get init score failed, error: %w",
+    "Please sign out first": "Please sign out first",
+    "The application does not allow to sign up new account": "The application does not allow to sign up new account"
+  },
+  "auth": {
+    "Challenge method should be S256": "Challenge method should be S256",
+    "Failed to create user, user information is invalid: %s": "Failed to create user, user information is invalid: %s",
+    "Failed to login in: %s": "Failed to login in: %s",
+    "Invalid token": "Invalid token",
+    "State expected: %s, but got: %s": "State expected: %s, but got: %s",
+    "The account for provider: %s and username: %s (%s) does not exist and is not allowed to sign up as new account via %%s, please use another way to sign up": "The account for provider: %s and username: %s (%s) does not exist and is not allowed to sign up as new account via %%s, please use another way to sign up",
+    "The account for provider: %s and username: %s (%s) does not exist and is not allowed to sign up as new account, please contact your IT support": "The account for provider: %s and username: %s (%s) does not exist and is not allowed to sign up as new account, please contact your IT support",
+    "The account for provider: %s and username: %s (%s) is already linked to another account: %s (%s)": "The account for provider: %s and username: %s (%s) is already linked to another account: %s (%s)",
+    "The application: %s does not exist": "The application: %s does not exist",
+    "The login method: login with password is not enabled for the application": "The login method: login with password is not enabled for the application",
+    "The provider: %s is not enabled for the application": "The provider: %s is not enabled for the application",
+    "Unauthorized operation": "Unauthorized operation",
+    "Unknown authentication type (not password or provider), form = %s": "Unknown authentication type (not password or provider), form = %s",
+    "User's tag: %s is not listed in the application's tags": "User's tag: %s is not listed in the application's tags"
+  },
+  "cas": {
+    "Service %s and %s do not match": "Service %s and %s do not match"
+  },
+  "check": {
+    "Affiliation cannot be blank": "Affiliation cannot be blank",
+    "DisplayName cannot be blank": "DisplayName cannot be blank",
+    "DisplayName is not valid real name": "DisplayName is not valid real name",
+    "Email already exists": "Email already exists",
+    "Email cannot be empty": "Email cannot be empty",
+    "Email is invalid": "Email is invalid",
+    "Empty username.": "Empty username.",
+    "FirstName cannot be blank": "FirstName cannot be blank",
+    "LDAP user name or password incorrect": "LDAP user name or password incorrect",
+    "LastName cannot be blank": "LastName cannot be blank",
+    "Multiple accounts with same uid, please check your ldap server": "Multiple accounts with same uid, please check your ldap server",
+    "Organization does not exist": "Organization does not exist",
+    "Password must have at least 6 characters": "Password must have at least 6 characters",
+    "Phone already exists": "Phone already exists",
+    "Phone cannot be empty": "Phone cannot be empty",
+    "Phone number is invalid": "Phone number is invalid",
+    "Session outdated, please login again": "Session outdated, please login again",
+    "The user is forbidden to sign in, please contact the administrator": "The user is forbidden to sign in, please contact the administrator",
+    "The user: %s doesn't exist in LDAP server": "The user: %s doesn't exist in LDAP server",
+    "The username may only contain alphanumeric characters, underlines or hyphens, cannot have consecutive hyphens or underlines, and cannot begin or end with a hyphen or underline.": "The username may only contain alphanumeric characters, underlines or hyphens, cannot have consecutive hyphens or underlines, and cannot begin or end with a hyphen or underline.",
+    "Username already exists": "Username already exists",
+    "Username cannot be an email address": "Username cannot be an email address",
+    "Username cannot contain white spaces": "Username cannot contain white spaces",
+    "Username cannot start with a digit": "Username cannot start with a digit",
+    "Username is too long (maximum is 39 characters).": "Username is too long (maximum is 39 characters).",
+    "Username must have at least 2 characters": "Username must have at least 2 characters",
+    "You have entered the wrong password or code too many times, please wait for %d minutes and try again": "You have entered the wrong password or code too many times, please wait for %d minutes and try again",
+    "Your region is not allow to signup by phone": "Your region is not allow to signup by phone",
+    "password or code is incorrect": "password or code is incorrect",
+    "password or code is incorrect, you have %d remaining chances": "password or code is incorrect, you have %d remaining chances",
+    "unsupported password type: %s": "unsupported password type: %s"
+  },
+  "general": {
+    "Missing parameter": "Missing parameter",
+    "Please login first": "Please login first",
+    "The user: %s doesn't exist": "The user: %s doesn't exist",
+    "don't support captchaProvider: ": "don't support captchaProvider: ",
+    "this operation is not allowed in demo mode": "this operation is not allowed in demo mode"
+  },
+  "ldap": {
+    "Ldap server exist": "Ldap server exist"
+  },
+  "link": {
+    "Please link first": "Please link first",
+    "This application has no providers": "This application has no providers",
+    "This application has no providers of type": "This application has no providers of type",
+    "This provider can't be unlinked": "This provider can't be unlinked",
+    "You are not the global admin, you can't unlink other users": "You are not the global admin, you can't unlink other users",
+    "You can't unlink yourself, you are not a member of any application": "You can't unlink yourself, you are not a member of any application"
+  },
+  "organization": {
+    "Only admin can modify the %s.": "Only admin can modify the %s.",
+    "The %s is immutable.": "The %s is immutable.",
+    "Unknown modify rule %s.": "Unknown modify rule %s."
+  },
+  "provider": {
+    "Invalid application id": "Invalid application id",
+    "the provider: %s does not exist": "the provider: %s does not exist"
+  },
+  "resource": {
+    "User is nil for tag: avatar": "User is nil for tag: avatar",
+    "Username or fullFilePath is empty: username = %s, fullFilePath = %s": "Username or fullFilePath is empty: username = %s, fullFilePath = %s"
+  },
+  "saml": {
+    "Application %s not found": "Application %s not found"
+  },
+  "saml_sp": {
+    "provider %s's category is not SAML": "provider %s's category is not SAML"
+  },
+  "service": {
+    "Empty parameters for emailForm: %v": "Empty parameters for emailForm: %v",
+    "Invalid Email receivers: %s": "Invalid Email receivers: %s",
+    "Invalid phone receivers: %s": "Invalid phone receivers: %s"
+  },
+  "storage": {
+    "The objectKey: %s is not allowed": "The objectKey: %s is not allowed",
+    "The provider type: %s is not supported": "The provider type: %s is not supported"
+  },
+  "token": {
+    "Empty clientId or clientSecret": "Empty clientId or clientSecret",
+    "Grant_type: %s is not supported in this application": "Grant_type: %s is not supported in this application",
+    "Invalid application or wrong clientSecret": "Invalid application or wrong clientSecret",
+    "Invalid client_id": "Invalid client_id",
+    "Redirect URI: %s doesn't exist in the allowed Redirect URI list": "Redirect URI: %s doesn't exist in the allowed Redirect URI list",
+    "Token not found, invalid accessToken": "Token not found, invalid accessToken"
+  },
+  "user": {
+    "Display name cannot be empty": "Display name cannot be empty",
+    "New password cannot contain blank space.": "New password cannot contain blank space."
+  },
+  "user_upload": {
+    "Failed to import users": "Failed to import users"
+  },
+  "util": {
+    "No application is found for userId: %s": "No application is found for userId: %s",
+    "No provider for category: %s is found for application: %s": "No provider for category: %s is found for application: %s",
+    "The provider: %s is not found": "The provider: %s is not found"
+  },
+  "verification": {
+    "Code has not been sent yet!": "Code has not been sent yet!",
+    "Invalid captcha provider.": "Invalid captcha provider.",
+    "Phone number is invalid in your region %s": "Phone number is invalid in your region %s",
+    "Turing test failed.": "Turing test failed.",
+    "Unable to get the email modify rule.": "Unable to get the email modify rule.",
+    "Unable to get the phone modify rule.": "Unable to get the phone modify rule.",
+    "Unknown type": "Unknown type",
+    "Wrong verification code!": "Wrong verification code!",
+    "You should verify your code in %d min!": "You should verify your code in %d min!",
+    "the user does not exist, please sign up first": "the user does not exist, please sign up first"
+  },
+  "webauthn": {
+    "Found no credentials for this user": "Found no credentials for this user",
+    "Please call WebAuthnSigninBegin first": "Please call WebAuthnSigninBegin first"
+  }
+}
--- a/i18n/locales/fr/data.json
+++ b/i18n/locales/fr/data.json
@@ -24,14 +24,6 @@
  "cas": {
    "Service %s and %s do not match": "Les services %s et %s ne correspondent pas"
  },
-  "chat": {
-    "The chat type must be \\\"AI\\\"": "The chat type must be \\\"AI\\\"",
-    "The chat: %s is not found": "The chat: %s is not found",
-    "The message is invalid": "The message is invalid",
-    "The message: %s is not found": "The message: %s is not found",
-    "The provider: %s is invalid": "The provider: %s is invalid",
-    "The provider: %s is not found": "The provider: %s is not found"
-  },
  "check": {
    "Affiliation cannot be blank": "Affiliation ne peut pas être vide",
    "DisplayName cannot be blank": "Le nom d'affichage ne peut pas être vide",
--- a/i18n/locales/he/data.json
+++ b/i18n/locales/he/data.json
@@ -0,0 +1,142 @@
+{
+  "account": {
+    "Failed to add user": "Failed to add user",
+    "Get init score failed, error: %w": "Get init score failed, error: %w",
+    "Please sign out first": "Please sign out first",
+    "The application does not allow to sign up new account": "The application does not allow to sign up new account"
+  },
+  "auth": {
+    "Challenge method should be S256": "Challenge method should be S256",
+    "Failed to create user, user information is invalid: %s": "Failed to create user, user information is invalid: %s",
+    "Failed to login in: %s": "Failed to login in: %s",
+    "Invalid token": "Invalid token",
+    "State expected: %s, but got: %s": "State expected: %s, but got: %s",
+    "The account for provider: %s and username: %s (%s) does not exist and is not allowed to sign up as new account via %%s, please use another way to sign up": "The account for provider: %s and username: %s (%s) does not exist and is not allowed to sign up as new account via %%s, please use another way to sign up",
+    "The account for provider: %s and username: %s (%s) does not exist and is not allowed to sign up as new account, please contact your IT support": "The account for provider: %s and username: %s (%s) does not exist and is not allowed to sign up as new account, please contact your IT support",
+    "The account for provider: %s and username: %s (%s) is already linked to another account: %s (%s)": "The account for provider: %s and username: %s (%s) is already linked to another account: %s (%s)",
+    "The application: %s does not exist": "The application: %s does not exist",
+    "The login method: login with password is not enabled for the application": "The login method: login with password is not enabled for the application",
+    "The provider: %s is not enabled for the application": "The provider: %s is not enabled for the application",
+    "Unauthorized operation": "Unauthorized operation",
+    "Unknown authentication type (not password or provider), form = %s": "Unknown authentication type (not password or provider), form = %s",
+    "User's tag: %s is not listed in the application's tags": "User's tag: %s is not listed in the application's tags"
+  },
+  "cas": {
+    "Service %s and %s do not match": "Service %s and %s do not match"
+  },
+  "check": {
+    "Affiliation cannot be blank": "Affiliation cannot be blank",
+    "DisplayName cannot be blank": "DisplayName cannot be blank",
+    "DisplayName is not valid real name": "DisplayName is not valid real name",
+    "Email already exists": "Email already exists",
+    "Email cannot be empty": "Email cannot be empty",
+    "Email is invalid": "Email is invalid",
+    "Empty username.": "Empty username.",
+    "FirstName cannot be blank": "FirstName cannot be blank",
+    "LDAP user name or password incorrect": "LDAP user name or password incorrect",
+    "LastName cannot be blank": "LastName cannot be blank",
+    "Multiple accounts with same uid, please check your ldap server": "Multiple accounts with same uid, please check your ldap server",
+    "Organization does not exist": "Organization does not exist",
+    "Password must have at least 6 characters": "Password must have at least 6 characters",
+    "Phone already exists": "Phone already exists",
+    "Phone cannot be empty": "Phone cannot be empty",
+    "Phone number is invalid": "Phone number is invalid",
+    "Session outdated, please login again": "Session outdated, please login again",
+    "The user is forbidden to sign in, please contact the administrator": "The user is forbidden to sign in, please contact the administrator",
+    "The user: %s doesn't exist in LDAP server": "The user: %s doesn't exist in LDAP server",
+    "The username may only contain alphanumeric characters, underlines or hyphens, cannot have consecutive hyphens or underlines, and cannot begin or end with a hyphen or underline.": "The username may only contain alphanumeric characters, underlines or hyphens, cannot have consecutive hyphens or underlines, and cannot begin or end with a hyphen or underline.",
+    "Username already exists": "Username already exists",
+    "Username cannot be an email address": "Username cannot be an email address",
+    "Username cannot contain white spaces": "Username cannot contain white spaces",
+    "Username cannot start with a digit": "Username cannot start with a digit",
+    "Username is too long (maximum is 39 characters).": "Username is too long (maximum is 39 characters).",
+    "Username must have at least 2 characters": "Username must have at least 2 characters",
+    "You have entered the wrong password or code too many times, please wait for %d minutes and try again": "You have entered the wrong password or code too many times, please wait for %d minutes and try again",
+    "Your region is not allow to signup by phone": "Your region is not allow to signup by phone",
+    "password or code is incorrect": "password or code is incorrect",
+    "password or code is incorrect, you have %d remaining chances": "password or code is incorrect, you have %d remaining chances",
+    "unsupported password type: %s": "unsupported password type: %s"
+  },
+  "general": {
+    "Missing parameter": "Missing parameter",
+    "Please login first": "Please login first",
+    "The user: %s doesn't exist": "The user: %s doesn't exist",
+    "don't support captchaProvider: ": "don't support captchaProvider: ",
+    "this operation is not allowed in demo mode": "this operation is not allowed in demo mode"
+  },
+  "ldap": {
+    "Ldap server exist": "Ldap server exist"
+  },
+  "link": {
+    "Please link first": "Please link first",
+    "This application has no providers": "This application has no providers",
+    "This application has no providers of type": "This application has no providers of type",
+    "This provider can't be unlinked": "This provider can't be unlinked",
+    "You are not the global admin, you can't unlink other users": "You are not the global admin, you can't unlink other users",
+    "You can't unlink yourself, you are not a member of any application": "You can't unlink yourself, you are not a member of any application"
+  },
+  "organization": {
+    "Only admin can modify the %s.": "Only admin can modify the %s.",
+    "The %s is immutable.": "The %s is immutable.",
+    "Unknown modify rule %s.": "Unknown modify rule %s."
+  },
+  "provider": {
+    "Invalid application id": "Invalid application id",
+    "the provider: %s does not exist": "the provider: %s does not exist"
+  },
+  "resource": {
+    "User is nil for tag: avatar": "User is nil for tag: avatar",
+    "Username or fullFilePath is empty: username = %s, fullFilePath = %s": "Username or fullFilePath is empty: username = %s, fullFilePath = %s"
+  },
+  "saml": {
+    "Application %s not found": "Application %s not found"
+  },
+  "saml_sp": {
+    "provider %s's category is not SAML": "provider %s's category is not SAML"
+  },
+  "service": {
+    "Empty parameters for emailForm: %v": "Empty parameters for emailForm: %v",
+    "Invalid Email receivers: %s": "Invalid Email receivers: %s",
+    "Invalid phone receivers: %s": "Invalid phone receivers: %s"
+  },
+  "storage": {
+    "The objectKey: %s is not allowed": "The objectKey: %s is not allowed",
+    "The provider type: %s is not supported": "The provider type: %s is not supported"
+  },
+  "token": {
+    "Empty clientId or clientSecret": "Empty clientId or clientSecret",
+    "Grant_type: %s is not supported in this application": "Grant_type: %s is not supported in this application",
+    "Invalid application or wrong clientSecret": "Invalid application or wrong clientSecret",
+    "Invalid client_id": "Invalid client_id",
+    "Redirect URI: %s doesn't exist in the allowed Redirect URI list": "Redirect URI: %s doesn't exist in the allowed Redirect URI list",
+    "Token not found, invalid accessToken": "Token not found, invalid accessToken"
+  },
+  "user": {
+    "Display name cannot be empty": "Display name cannot be empty",
+    "New password cannot contain blank space.": "New password cannot contain blank space."
+  },
+  "user_upload": {
+    "Failed to import users": "Failed to import users"
+  },
+  "util": {
+    "No application is found for userId: %s": "No application is found for userId: %s",
+    "No provider for category: %s is found for application: %s": "No provider for category: %s is found for application: %s",
+    "The provider: %s is not found": "The provider: %s is not found"
+  },
+  "verification": {
+    "Code has not been sent yet!": "Code has not been sent yet!",
+    "Invalid captcha provider.": "Invalid captcha provider.",
+    "Phone number is invalid in your region %s": "Phone number is invalid in your region %s",
+    "Turing test failed.": "Turing test failed.",
+    "Unable to get the email modify rule.": "Unable to get the email modify rule.",
+    "Unable to get the phone modify rule.": "Unable to get the phone modify rule.",
+    "Unknown type": "Unknown type",
+    "Wrong verification code!": "Wrong verification code!",
+    "You should verify your code in %d min!": "You should verify your code in %d min!",
+    "the user does not exist, please sign up first": "the user does not exist, please sign up first"
+  },
+  "webauthn": {
+    "Found no credentials for this user": "Found no credentials for this user",
+    "Please call WebAuthnSigninBegin first": "Please call WebAuthnSigninBegin first"
+  }
+}
--- a/i18n/locales/id/data.json
+++ b/i18n/locales/id/data.json
@@ -24,14 +24,6 @@
  "cas": {
    "Service %s and %s do not match": "Layanan %s dan %s tidak cocok"
  },
-  "chat": {
-    "The chat type must be \\\"AI\\\"": "The chat type must be \\\"AI\\\"",
-    "The chat: %s is not found": "The chat: %s is not found",
-    "The message is invalid": "The message is invalid",
-    "The message: %s is not found": "The message: %s is not found",
-    "The provider: %s is invalid": "The provider: %s is invalid",
-    "The provider: %s is not found": "The provider: %s is not found"
-  },
  "check": {
    "Affiliation cannot be blank": "Keterkaitan tidak boleh kosong",
    "DisplayName cannot be blank": "Nama Pengguna tidak boleh kosong",
--- a/i18n/locales/it/data.json
+++ b/i18n/locales/it/data.json
@@ -0,0 +1,150 @@
+{
+  "account": {
+    "Failed to add user": "Failed to add user",
+    "Get init score failed, error: %w": "Get init score failed, error: %w",
+    "Please sign out first": "Please sign out first",
+    "The application does not allow to sign up new account": "The application does not allow to sign up new account"
+  },
+  "auth": {
+    "Challenge method should be S256": "Challenge method should be S256",
+    "Failed to create user, user information is invalid: %s": "Failed to create user, user information is invalid: %s",
+    "Failed to login in: %s": "Failed to login in: %s",
+    "Invalid token": "Invalid token",
+    "State expected: %s, but got: %s": "State expected: %s, but got: %s",
+    "The account for provider: %s and username: %s (%s) does not exist and is not allowed to sign up as new account via %%s, please use another way to sign up": "The account for provider: %s and username: %s (%s) does not exist and is not allowed to sign up as new account via %%s, please use another way to sign up",
+    "The account for provider: %s and username: %s (%s) does not exist and is not allowed to sign up as new account, please contact your IT support": "The account for provider: %s and username: %s (%s) does not exist and is not allowed to sign up as new account, please contact your IT support",
+    "The account for provider: %s and username: %s (%s) is already linked to another account: %s (%s)": "The account for provider: %s and username: %s (%s) is already linked to another account: %s (%s)",
+    "The application: %s does not exist": "The application: %s does not exist",
+    "The login method: login with password is not enabled for the application": "The login method: login with password is not enabled for the application",
+    "The provider: %s is not enabled for the application": "The provider: %s is not enabled for the application",
+    "Unauthorized operation": "Unauthorized operation",
+    "Unknown authentication type (not password or provider), form = %s": "Unknown authentication type (not password or provider), form = %s",
+    "User's tag: %s is not listed in the application's tags": "User's tag: %s is not listed in the application's tags"
+  },
+  "cas": {
+    "Service %s and %s do not match": "Service %s and %s do not match"
+  },
+  "chat": {
+    "The chat type must be \\\"AI\\\"": "The chat type must be \\\"AI\\\"",
+    "The chat: %s is not found": "The chat: %s is not found",
+    "The message is invalid": "The message is invalid",
+    "The message: %s is not found": "The message: %s is not found",
+    "The provider: %s is invalid": "The provider: %s is invalid",
+    "The provider: %s is not found": "The provider: %s is not found"
+  },
+  "check": {
+    "Affiliation cannot be blank": "Affiliation cannot be blank",
+    "DisplayName cannot be blank": "DisplayName cannot be blank",
+    "DisplayName is not valid real name": "DisplayName is not valid real name",
+    "Email already exists": "Email already exists",
+    "Email cannot be empty": "Email cannot be empty",
+    "Email is invalid": "Email is invalid",
+    "Empty username.": "Empty username.",
+    "FirstName cannot be blank": "FirstName cannot be blank",
+    "LDAP user name or password incorrect": "LDAP user name or password incorrect",
+    "LastName cannot be blank": "LastName cannot be blank",
+    "Multiple accounts with same uid, please check your ldap server": "Multiple accounts with same uid, please check your ldap server",
+    "Organization does not exist": "Organization does not exist",
+    "Password must have at least 6 characters": "Password must have at least 6 characters",
+    "Phone already exists": "Phone already exists",
+    "Phone cannot be empty": "Phone cannot be empty",
+    "Phone number is invalid": "Phone number is invalid",
+    "Session outdated, please login again": "Session outdated, please login again",
+    "The user is forbidden to sign in, please contact the administrator": "The user is forbidden to sign in, please contact the administrator",
+    "The user: %s doesn't exist in LDAP server": "The user: %s doesn't exist in LDAP server",
+    "The username may only contain alphanumeric characters, underlines or hyphens, cannot have consecutive hyphens or underlines, and cannot begin or end with a hyphen or underline.": "The username may only contain alphanumeric characters, underlines or hyphens, cannot have consecutive hyphens or underlines, and cannot begin or end with a hyphen or underline.",
+    "Username already exists": "Username already exists",
+    "Username cannot be an email address": "Username cannot be an email address",
+    "Username cannot contain white spaces": "Username cannot contain white spaces",
+    "Username cannot start with a digit": "Username cannot start with a digit",
+    "Username is too long (maximum is 39 characters).": "Username is too long (maximum is 39 characters).",
+    "Username must have at least 2 characters": "Username must have at least 2 characters",
+    "You have entered the wrong password or code too many times, please wait for %d minutes and try again": "You have entered the wrong password or code too many times, please wait for %d minutes and try again",
+    "Your region is not allow to signup by phone": "Your region is not allow to signup by phone",
+    "password or code is incorrect": "password or code is incorrect",
+    "password or code is incorrect, you have %d remaining chances": "password or code is incorrect, you have %d remaining chances",
+    "unsupported password type: %s": "unsupported password type: %s"
+  },
+  "general": {
+    "Missing parameter": "Missing parameter",
+    "Please login first": "Please login first",
+    "The user: %s doesn't exist": "The user: %s doesn't exist",
+    "don't support captchaProvider: ": "don't support captchaProvider: ",
+    "this operation is not allowed in demo mode": "this operation is not allowed in demo mode"
+  },
+  "ldap": {
+    "Ldap server exist": "Ldap server exist"
+  },
+  "link": {
+    "Please link first": "Please link first",
+    "This application has no providers": "This application has no providers",
+    "This application has no providers of type": "This application has no providers of type",
+    "This provider can't be unlinked": "This provider can't be unlinked",
+    "You are not the global admin, you can't unlink other users": "You are not the global admin, you can't unlink other users",
+    "You can't unlink yourself, you are not a member of any application": "You can't unlink yourself, you are not a member of any application"
+  },
+  "organization": {
+    "Only admin can modify the %s.": "Only admin can modify the %s.",
+    "The %s is immutable.": "The %s is immutable.",
+    "Unknown modify rule %s.": "Unknown modify rule %s."
+  },
+  "provider": {
+    "Invalid application id": "Invalid application id",
+    "the provider: %s does not exist": "the provider: %s does not exist"
+  },
+  "resource": {
+    "User is nil for tag: avatar": "User is nil for tag: avatar",
+    "Username or fullFilePath is empty: username = %s, fullFilePath = %s": "Username or fullFilePath is empty: username = %s, fullFilePath = %s"
+  },
+  "saml": {
+    "Application %s not found": "Application %s not found"
+  },
+  "saml_sp": {
+    "provider %s's category is not SAML": "provider %s's category is not SAML"
+  },
+  "service": {
+    "Empty parameters for emailForm: %v": "Empty parameters for emailForm: %v",
+    "Invalid Email receivers: %s": "Invalid Email receivers: %s",
+    "Invalid phone receivers: %s": "Invalid phone receivers: %s"
+  },
+  "storage": {
+    "The objectKey: %s is not allowed": "The objectKey: %s is not allowed",
+    "The provider type: %s is not supported": "The provider type: %s is not supported"
+  },
+  "token": {
+    "Empty clientId or clientSecret": "Empty clientId or clientSecret",
+    "Grant_type: %s is not supported in this application": "Grant_type: %s is not supported in this application",
+    "Invalid application or wrong clientSecret": "Invalid application or wrong clientSecret",
+    "Invalid client_id": "Invalid client_id",
+    "Redirect URI: %s doesn't exist in the allowed Redirect URI list": "Redirect URI: %s doesn't exist in the allowed Redirect URI list",
+    "Token not found, invalid accessToken": "Token not found, invalid accessToken"
+  },
+  "user": {
+    "Display name cannot be empty": "Display name cannot be empty",
+    "New password cannot contain blank space.": "New password cannot contain blank space."
+  },
+  "user_upload": {
+    "Failed to import users": "Failed to import users"
+  },
+  "util": {
+    "No application is found for userId: %s": "No application is found for userId: %s",
+    "No provider for category: %s is found for application: %s": "No provider for category: %s is found for application: %s",
+    "The provider: %s is not found": "The provider: %s is not found"
+  },
+  "verification": {
+    "Code has not been sent yet!": "Code has not been sent yet!",
+    "Invalid captcha provider.": "Invalid captcha provider.",
+    "Phone number is invalid in your region %s": "Phone number is invalid in your region %s",
+    "Turing test failed.": "Turing test failed.",
+    "Unable to get the email modify rule.": "Unable to get the email modify rule.",
+    "Unable to get the phone modify rule.": "Unable to get the phone modify rule.",
+    "Unknown type": "Unknown type",
+    "Wrong verification code!": "Wrong verification code!",
+    "You should verify your code in %d min!": "You should verify your code in %d min!",
+    "the user does not exist, please sign up first": "the user does not exist, please sign up first"
+  },
+  "webauthn": {
+    "Found no credentials for this user": "Found no credentials for this user",
+    "Please call WebAuthnSigninBegin first": "Please call WebAuthnSigninBegin first"
+  }
+}
--- a/i18n/locales/ja/data.json
+++ b/i18n/locales/ja/data.json
@@ -24,14 +24,6 @@
  "cas": {
    "Service %s and %s do not match": "サービス%sと%sは一致しません"
  },
-  "chat": {
-    "The chat type must be \\\"AI\\\"": "The chat type must be \\\"AI\\\"",
-    "The chat: %s is not found": "The chat: %s is not found",
-    "The message is invalid": "The message is invalid",
-    "The message: %s is not found": "The message: %s is not found",
-    "The provider: %s is invalid": "The provider: %s is invalid",
-    "The provider: %s is not found": "The provider: %s is not found"
-  },
  "check": {
    "Affiliation cannot be blank": "所属は空白にできません",
    "DisplayName cannot be blank": "表示名は空白にできません",
--- a/i18n/locales/ko/data.json
+++ b/i18n/locales/ko/data.json
@@ -24,14 +24,6 @@
  "cas": {
    "Service %s and %s do not match": "서비스 %s와 %s는 일치하지 않습니다"
  },
-  "chat": {
-    "The chat type must be \\\"AI\\\"": "The chat type must be \\\"AI\\\"",
-    "The chat: %s is not found": "The chat: %s is not found",
-    "The message is invalid": "The message is invalid",
-    "The message: %s is not found": "The message: %s is not found",
-    "The provider: %s is invalid": "The provider: %s is invalid",
-    "The provider: %s is not found": "The provider: %s is not found"
-  },
  "check": {
    "Affiliation cannot be blank": "소속은 비워 둘 수 없습니다",
    "DisplayName cannot be blank": "DisplayName는 비어 있을 수 없습니다",
--- a/i18n/locales/ms/data.json
+++ b/i18n/locales/ms/data.json
@@ -0,0 +1,150 @@
+{
+  "account": {
+    "Failed to add user": "Failed to add user",
+    "Get init score failed, error: %w": "Get init score failed, error: %w",
+    "Please sign out first": "Please sign out first",
+    "The application does not allow to sign up new account": "The application does not allow to sign up new account"
+  },
+  "auth": {
+    "Challenge method should be S256": "Challenge method should be S256",
+    "Failed to create user, user information is invalid: %s": "Failed to create user, user information is invalid: %s",
+    "Failed to login in: %s": "Failed to login in: %s",
+    "Invalid token": "Invalid token",
+    "State expected: %s, but got: %s": "State expected: %s, but got: %s",
+    "The account for provider: %s and username: %s (%s) does not exist and is not allowed to sign up as new account via %%s, please use another way to sign up": "The account for provider: %s and username: %s (%s) does not exist and is not allowed to sign up as new account via %%s, please use another way to sign up",
+    "The account for provider: %s and username: %s (%s) does not exist and is not allowed to sign up as new account, please contact your IT support": "The account for provider: %s and username: %s (%s) does not exist and is not allowed to sign up as new account, please contact your IT support",
+    "The account for provider: %s and username: %s (%s) is already linked to another account: %s (%s)": "The account for provider: %s and username: %s (%s) is already linked to another account: %s (%s)",
+    "The application: %s does not exist": "The application: %s does not exist",
+    "The login method: login with password is not enabled for the application": "The login method: login with password is not enabled for the application",
+    "The provider: %s is not enabled for the application": "The provider: %s is not enabled for the application",
+    "Unauthorized operation": "Unauthorized operation",
+    "Unknown authentication type (not password or provider), form = %s": "Unknown authentication type (not password or provider), form = %s",
+    "User's tag: %s is not listed in the application's tags": "User's tag: %s is not listed in the application's tags"
+  },
+  "cas": {
+    "Service %s and %s do not match": "Service %s and %s do not match"
+  },
+  "chat": {
+    "The chat type must be \\\"AI\\\"": "The chat type must be \\\"AI\\\"",
+    "The chat: %s is not found": "The chat: %s is not found",
+    "The message is invalid": "The message is invalid",
+    "The message: %s is not found": "The message: %s is not found",
+    "The provider: %s is invalid": "The provider: %s is invalid",
+    "The provider: %s is not found": "The provider: %s is not found"
+  },
+  "check": {
+    "Affiliation cannot be blank": "Affiliation cannot be blank",
+    "DisplayName cannot be blank": "DisplayName cannot be blank",
+    "DisplayName is not valid real name": "DisplayName is not valid real name",
+    "Email already exists": "Email already exists",
+    "Email cannot be empty": "Email cannot be empty",
+    "Email is invalid": "Email is invalid",
+    "Empty username.": "Empty username.",
+    "FirstName cannot be blank": "FirstName cannot be blank",
+    "LDAP user name or password incorrect": "LDAP user name or password incorrect",
+    "LastName cannot be blank": "LastName cannot be blank",
+    "Multiple accounts with same uid, please check your ldap server": "Multiple accounts with same uid, please check your ldap server",
+    "Organization does not exist": "Organization does not exist",
+    "Password must have at least 6 characters": "Password must have at least 6 characters",
+    "Phone already exists": "Phone already exists",
+    "Phone cannot be empty": "Phone cannot be empty",
+    "Phone number is invalid": "Phone number is invalid",
+    "Session outdated, please login again": "Session outdated, please login again",
+    "The user is forbidden to sign in, please contact the administrator": "The user is forbidden to sign in, please contact the administrator",
+    "The user: %s doesn't exist in LDAP server": "The user: %s doesn't exist in LDAP server",
+    "The username may only contain alphanumeric characters, underlines or hyphens, cannot have consecutive hyphens or underlines, and cannot begin or end with a hyphen or underline.": "The username may only contain alphanumeric characters, underlines or hyphens, cannot have consecutive hyphens or underlines, and cannot begin or end with a hyphen or underline.",
+    "Username already exists": "Username already exists",
+    "Username cannot be an email address": "Username cannot be an email address",
+    "Username cannot contain white spaces": "Username cannot contain white spaces",
+    "Username cannot start with a digit": "Username cannot start with a digit",
+    "Username is too long (maximum is 39 characters).": "Username is too long (maximum is 39 characters).",
+    "Username must have at least 2 characters": "Username must have at least 2 characters",
+    "You have entered the wrong password or code too many times, please wait for %d minutes and try again": "You have entered the wrong password or code too many times, please wait for %d minutes and try again",
+    "Your region is not allow to signup by phone": "Your region is not allow to signup by phone",
+    "password or code is incorrect": "password or code is incorrect",
+    "password or code is incorrect, you have %d remaining chances": "password or code is incorrect, you have %d remaining chances",
+    "unsupported password type: %s": "unsupported password type: %s"
+  },
+  "general": {
+    "Missing parameter": "Missing parameter",
+    "Please login first": "Please login first",
+    "The user: %s doesn't exist": "The user: %s doesn't exist",
+    "don't support captchaProvider: ": "don't support captchaProvider: ",
+    "this operation is not allowed in demo mode": "this operation is not allowed in demo mode"
+  },
+  "ldap": {
+    "Ldap server exist": "Ldap server exist"
+  },
+  "link": {
+    "Please link first": "Please link first",
+    "This application has no providers": "This application has no providers",
+    "This application has no providers of type": "This application has no providers of type",
+    "This provider can't be unlinked": "This provider can't be unlinked",
+    "You are not the global admin, you can't unlink other users": "You are not the global admin, you can't unlink other users",
+    "You can't unlink yourself, you are not a member of any application": "You can't unlink yourself, you are not a member of any application"
+  },
+  "organization": {
+    "Only admin can modify the %s.": "Only admin can modify the %s.",
+    "The %s is immutable.": "The %s is immutable.",
+    "Unknown modify rule %s.": "Unknown modify rule %s."
+  },
+  "provider": {
+    "Invalid application id": "Invalid application id",
+    "the provider: %s does not exist": "the provider: %s does not exist"
+  },
+  "resource": {
+    "User is nil for tag: avatar": "User is nil for tag: avatar",
+    "Username or fullFilePath is empty: username = %s, fullFilePath = %s": "Username or fullFilePath is empty: username = %s, fullFilePath = %s"
+  },
+  "saml": {
+    "Application %s not found": "Application %s not found"
+  },
+  "saml_sp": {
+    "provider %s's category is not SAML": "provider %s's category is not SAML"
+  },
+  "service": {
+    "Empty parameters for emailForm: %v": "Empty parameters for emailForm: %v",
+    "Invalid Email receivers: %s": "Invalid Email receivers: %s",
+    "Invalid phone receivers: %s": "Invalid phone receivers: %s"
+  },
+  "storage": {
+    "The objectKey: %s is not allowed": "The objectKey: %s is not allowed",
+    "The provider type: %s is not supported": "The provider type: %s is not supported"
+  },
+  "token": {
+    "Empty clientId or clientSecret": "Empty clientId or clientSecret",
+    "Grant_type: %s is not supported in this application": "Grant_type: %s is not supported in this application",
+    "Invalid application or wrong clientSecret": "Invalid application or wrong clientSecret",
+    "Invalid client_id": "Invalid client_id",
+    "Redirect URI: %s doesn't exist in the allowed Redirect URI list": "Redirect URI: %s doesn't exist in the allowed Redirect URI list",
+    "Token not found, invalid accessToken": "Token not found, invalid accessToken"
+  },
+  "user": {
+    "Display name cannot be empty": "Display name cannot be empty",
+    "New password cannot contain blank space.": "New password cannot contain blank space."
+  },
+  "user_upload": {
+    "Failed to import users": "Failed to import users"
+  },
+  "util": {
+    "No application is found for userId: %s": "No application is found for userId: %s",
+    "No provider for category: %s is found for application: %s": "No provider for category: %s is found for application: %s",
+    "The provider: %s is not found": "The provider: %s is not found"
+  },
+  "verification": {
+    "Code has not been sent yet!": "Code has not been sent yet!",
+    "Invalid captcha provider.": "Invalid captcha provider.",
+    "Phone number is invalid in your region %s": "Phone number is invalid in your region %s",
+    "Turing test failed.": "Turing test failed.",
+    "Unable to get the email modify rule.": "Unable to get the email modify rule.",
+    "Unable to get the phone modify rule.": "Unable to get the phone modify rule.",
+    "Unknown type": "Unknown type",
+    "Wrong verification code!": "Wrong verification code!",
+    "You should verify your code in %d min!": "You should verify your code in %d min!",
+    "the user does not exist, please sign up first": "the user does not exist, please sign up first"
+  },
+  "webauthn": {
+    "Found no credentials for this user": "Found no credentials for this user",
+    "Please call WebAuthnSigninBegin first": "Please call WebAuthnSigninBegin first"
+  }
+}
--- a/i18n/locales/pt/data.json
+++ b/i18n/locales/pt/data.json
@@ -24,14 +24,6 @@
  "cas": {
    "Service %s and %s do not match": "Service %s and %s do not match"
  },
-  "chat": {
-    "The chat type must be \\\"AI\\\"": "The chat type must be \\\"AI\\\"",
-    "The chat: %s is not found": "The chat: %s is not found",
-    "The message is invalid": "The message is invalid",
-    "The message: %s is not found": "The message: %s is not found",
-    "The provider: %s is invalid": "The provider: %s is invalid",
-    "The provider: %s is not found": "The provider: %s is not found"
-  },
  "check": {
    "Affiliation cannot be blank": "Affiliation cannot be blank",
    "DisplayName cannot be blank": "DisplayName cannot be blank",
--- a/i18n/locales/ru/data.json
+++ b/i18n/locales/ru/data.json
@@ -24,14 +24,6 @@
  "cas": {
    "Service %s and %s do not match": "Сервисы %s и %s не совпадают"
  },
-  "chat": {
-    "The chat type must be \\\"AI\\\"": "The chat type must be \\\"AI\\\"",
-    "The chat: %s is not found": "The chat: %s is not found",
-    "The message is invalid": "The message is invalid",
-    "The message: %s is not found": "The message: %s is not found",
-    "The provider: %s is invalid": "The provider: %s is invalid",
-    "The provider: %s is not found": "The provider: %s is not found"
-  },
  "check": {
    "Affiliation cannot be blank": "Принадлежность не может быть пустым значением",
    "DisplayName cannot be blank": "Имя отображения не может быть пустым",
--- a/i18n/locales/tr/data.json
+++ b/i18n/locales/tr/data.json
@@ -0,0 +1,150 @@
+{
+  "account": {
+    "Failed to add user": "Failed to add user",
+    "Get init score failed, error: %w": "Get init score failed, error: %w",
+    "Please sign out first": "Please sign out first",
+    "The application does not allow to sign up new account": "The application does not allow to sign up new account"
+  },
+  "auth": {
+    "Challenge method should be S256": "Challenge method should be S256",
+    "Failed to create user, user information is invalid: %s": "Failed to create user, user information is invalid: %s",
+    "Failed to login in: %s": "Failed to login in: %s",
+    "Invalid token": "Invalid token",
+    "State expected: %s, but got: %s": "State expected: %s, but got: %s",
+    "The account for provider: %s and username: %s (%s) does not exist and is not allowed to sign up as new account via %%s, please use another way to sign up": "The account for provider: %s and username: %s (%s) does not exist and is not allowed to sign up as new account via %%s, please use another way to sign up",
+    "The account for provider: %s and username: %s (%s) does not exist and is not allowed to sign up as new account, please contact your IT support": "The account for provider: %s and username: %s (%s) does not exist and is not allowed to sign up as new account, please contact your IT support",
+    "The account for provider: %s and username: %s (%s) is already linked to another account: %s (%s)": "The account for provider: %s and username: %s (%s) is already linked to another account: %s (%s)",
+    "The application: %s does not exist": "The application: %s does not exist",
+    "The login method: login with password is not enabled for the application": "The login method: login with password is not enabled for the application",
+    "The provider: %s is not enabled for the application": "The provider: %s is not enabled for the application",
+    "Unauthorized operation": "Unauthorized operation",
+    "Unknown authentication type (not password or provider), form = %s": "Unknown authentication type (not password or provider), form = %s",
+    "User's tag: %s is not listed in the application's tags": "User's tag: %s is not listed in the application's tags"
+  },
+  "cas": {
+    "Service %s and %s do not match": "Service %s and %s do not match"
+  },
+  "chat": {
+    "The chat type must be \\\"AI\\\"": "The chat type must be \\\"AI\\\"",
+    "The chat: %s is not found": "The chat: %s is not found",
+    "The message is invalid": "The message is invalid",
+    "The message: %s is not found": "The message: %s is not found",
+    "The provider: %s is invalid": "The provider: %s is invalid",
+    "The provider: %s is not found": "The provider: %s is not found"
+  },
+  "check": {
+    "Affiliation cannot be blank": "Affiliation cannot be blank",
+    "DisplayName cannot be blank": "DisplayName cannot be blank",
+    "DisplayName is not valid real name": "DisplayName is not valid real name",
+    "Email already exists": "Email already exists",
+    "Email cannot be empty": "Email cannot be empty",
+    "Email is invalid": "Email is invalid",
+    "Empty username.": "Empty username.",
+    "FirstName cannot be blank": "FirstName cannot be blank",
+    "LDAP user name or password incorrect": "LDAP user name or password incorrect",
+    "LastName cannot be blank": "LastName cannot be blank",
+    "Multiple accounts with same uid, please check your ldap server": "Multiple accounts with same uid, please check your ldap server",
+    "Organization does not exist": "Organization does not exist",
+    "Password must have at least 6 characters": "Password must have at least 6 characters",
+    "Phone already exists": "Phone already exists",
+    "Phone cannot be empty": "Phone cannot be empty",
+    "Phone number is invalid": "Phone number is invalid",
+    "Session outdated, please login again": "Session outdated, please login again",
+    "The user is forbidden to sign in, please contact the administrator": "The user is forbidden to sign in, please contact the administrator",
+    "The user: %s doesn't exist in LDAP server": "The user: %s doesn't exist in LDAP server",
+    "The username may only contain alphanumeric characters, underlines or hyphens, cannot have consecutive hyphens or underlines, and cannot begin or end with a hyphen or underline.": "The username may only contain alphanumeric characters, underlines or hyphens, cannot have consecutive hyphens or underlines, and cannot begin or end with a hyphen or underline.",
+    "Username already exists": "Username already exists",
+    "Username cannot be an email address": "Username cannot be an email address",
+    "Username cannot contain white spaces": "Username cannot contain white spaces",
+    "Username cannot start with a digit": "Username cannot start with a digit",
+    "Username is too long (maximum is 39 characters).": "Username is too long (maximum is 39 characters).",
+    "Username must have at least 2 characters": "Username must have at least 2 characters",
+    "You have entered the wrong password or code too many times, please wait for %d minutes and try again": "You have entered the wrong password or code too many times, please wait for %d minutes and try again",
+    "Your region is not allow to signup by phone": "Your region is not allow to signup by phone",
+    "password or code is incorrect": "password or code is incorrect",
+    "password or code is incorrect, you have %d remaining chances": "password or code is incorrect, you have %d remaining chances",
+    "unsupported password type: %s": "unsupported password type: %s"
+  },
+  "general": {
+    "Missing parameter": "Missing parameter",
+    "Please login first": "Please login first",
+    "The user: %s doesn't exist": "The user: %s doesn't exist",
+    "don't support captchaProvider: ": "don't support captchaProvider: ",
+    "this operation is not allowed in demo mode": "this operation is not allowed in demo mode"
+  },
+  "ldap": {
+    "Ldap server exist": "Ldap server exist"
+  },
+  "link": {
+    "Please link first": "Please link first",
+    "This application has no providers": "This application has no providers",
+    "This application has no providers of type": "This application has no providers of type",
+    "This provider can't be unlinked": "This provider can't be unlinked",
+    "You are not the global admin, you can't unlink other users": "You are not the global admin, you can't unlink other users",
+    "You can't unlink yourself, you are not a member of any application": "You can't unlink yourself, you are not a member of any application"
+  },
+  "organization": {
+    "Only admin can modify the %s.": "Only admin can modify the %s.",
+    "The %s is immutable.": "The %s is immutable.",
+    "Unknown modify rule %s.": "Unknown modify rule %s."
+  },
+  "provider": {
+    "Invalid application id": "Invalid application id",
+    "the provider: %s does not exist": "the provider: %s does not exist"
+  },
+  "resource": {
+    "User is nil for tag: avatar": "User is nil for tag: avatar",
+    "Username or fullFilePath is empty: username = %s, fullFilePath = %s": "Username or fullFilePath is empty: username = %s, fullFilePath = %s"
+  },
+  "saml": {
+    "Application %s not found": "Application %s not found"
+  },
+  "saml_sp": {
+    "provider %s's category is not SAML": "provider %s's category is not SAML"
+  },
+  "service": {
+    "Empty parameters for emailForm: %v": "Empty parameters for emailForm: %v",
+    "Invalid Email receivers: %s": "Invalid Email receivers: %s",
+    "Invalid phone receivers: %s": "Invalid phone receivers: %s"
+  },
+  "storage": {
+    "The objectKey: %s is not allowed": "The objectKey: %s is not allowed",
+    "The provider type: %s is not supported": "The provider type: %s is not supported"
+  },
+  "token": {
+    "Empty clientId or clientSecret": "Empty clientId or clientSecret",
+    "Grant_type: %s is not supported in this application": "Grant_type: %s is not supported in this application",
+    "Invalid application or wrong clientSecret": "Invalid application or wrong clientSecret",
+    "Invalid client_id": "Invalid client_id",
+    "Redirect URI: %s doesn't exist in the allowed Redirect URI list": "Redirect URI: %s doesn't exist in the allowed Redirect URI list",
+    "Token not found, invalid accessToken": "Token not found, invalid accessToken"
+  },
+  "user": {
+    "Display name cannot be empty": "Display name cannot be empty",
+    "New password cannot contain blank space.": "New password cannot contain blank space."
+  },
+  "user_upload": {
+    "Failed to import users": "Failed to import users"
+  },
+  "util": {
+    "No application is found for userId: %s": "No application is found for userId: %s",
+    "No provider for category: %s is found for application: %s": "No provider for category: %s is found for application: %s",
+    "The provider: %s is not found": "The provider: %s is not found"
+  },
+  "verification": {
+    "Code has not been sent yet!": "Code has not been sent yet!",
+    "Invalid captcha provider.": "Invalid captcha provider.",
+    "Phone number is invalid in your region %s": "Phone number is invalid in your region %s",
+    "Turing test failed.": "Turing test failed.",
+    "Unable to get the email modify rule.": "Unable to get the email modify rule.",
+    "Unable to get the phone modify rule.": "Unable to get the phone modify rule.",
+    "Unknown type": "Unknown type",
+    "Wrong verification code!": "Wrong verification code!",
+    "You should verify your code in %d min!": "You should verify your code in %d min!",
+    "the user does not exist, please sign up first": "the user does not exist, please sign up first"
+  },
+  "webauthn": {
+    "Found no credentials for this user": "Found no credentials for this user",
+    "Please call WebAuthnSigninBegin first": "Please call WebAuthnSigninBegin first"
+  }
+}
--- a/i18n/locales/vi/data.json
+++ b/i18n/locales/vi/data.json
@@ -24,14 +24,6 @@
  "cas": {
    "Service %s and %s do not match": "Dịch sang tiếng Việt: Dịch vụ %s và %s không khớp"
  },
-  "chat": {
-    "The chat type must be \\\"AI\\\"": "The chat type must be \\\"AI\\\"",
-    "The chat: %s is not found": "The chat: %s is not found",
-    "The message is invalid": "The message is invalid",
-    "The message: %s is not found": "The message: %s is not found",
-    "The provider: %s is invalid": "The provider: %s is invalid",
-    "The provider: %s is not found": "The provider: %s is not found"
-  },
  "check": {
    "Affiliation cannot be blank": "Tình trạng liên kết không thể để trống",
    "DisplayName cannot be blank": "Tên hiển thị không thể để trống",
--- a/i18n/locales/zh/data.json
+++ b/i18n/locales/zh/data.json
@@ -24,14 +24,6 @@
  "cas": {
    "Service %s and %s do not match": "服务%s与%s不匹配"
  },
-  "chat": {
-    "The chat type must be \\\"AI\\\"": "The chat type must be \\\"AI\\\"",
-    "The chat: %s is not found": "The chat: %s is not found",
-    "The message is invalid": "The message is invalid",
-    "The message: %s is not found": "The message: %s is not found",
-    "The provider: %s is invalid": "The provider: %s is invalid",
-    "The provider: %s is not found": "The provider: %s is not found"
-  },
  "check": {
    "Affiliation cannot be blank": "工作单位不可为空",
    "DisplayName cannot be blank": "显示名称不可为空",
--- a/idp/gitee.go
+++ b/idp/gitee.go
@@ -132,7 +132,7 @@ func (idp *GiteeIdProvider) GetToken(code string) (*oauth2.Token, error) {
    "type": "User",
    "blog": null,
    "weibo": null,
-    "bio": "个人博客：https://gitee.com/xxx/xxx/pages",
+    "bio": "bio",
    "public_repos": 2,
    "public_gists": 0,
    "followers": 0,
--- a/idp/metamask.go
+++ b/idp/metamask.go
@@ -24,20 +24,10 @@ import (
 	"golang.org/x/oauth2"
 )

-const Web3AuthTokenKey = "web3AuthToken"
-
 type MetaMaskIdProvider struct {
 	Client *http.Client
 }

-type Web3AuthToken struct {
-	Address   string `json:"address"`
-	Nonce     string `json:"nonce"`
-	CreateAt  uint64 `json:"createAt"`
-	TypedData string `json:"typedData"`
-	Signature string `json:"signature"` // signature for typed data
-}
-
 func NewMetaMaskIdProvider() *MetaMaskIdProvider {
 	idp := &MetaMaskIdProvider{}
 	return idp
--- a/idp/provider.go
+++ b/idp/provider.go
@@ -111,6 +111,8 @@ func GetIdProvider(idpInfo *ProviderInfo, redirectUrl string) IdProvider {
 		return NewBilibiliIdProvider(idpInfo.ClientId, idpInfo.ClientSecret, redirectUrl)
 	case "MetaMask":
 		return NewMetaMaskIdProvider()
+	case "Web3Onboard":
+		return NewWeb3OnboardIdProvider()
 	default:
 		if isGothSupport(idpInfo.Type) {
 			return NewGothIdProvider(idpInfo.Type, idpInfo.ClientId, idpInfo.ClientSecret, redirectUrl, idpInfo.HostUrl)
--- a/idp/web3onboard.go
+++ b/idp/web3onboard.go
@@ -0,0 +1,103 @@
+// Copyright 2023 The Casdoor Authors. All Rights Reserved.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//      http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package idp
+
+import (
+	"encoding/json"
+	"errors"
+	"fmt"
+	"net/http"
+	"strings"
+	"time"
+
+	"golang.org/x/oauth2"
+)
+
+const Web3AuthTokenKey = "web3AuthToken"
+
+type Web3AuthToken struct {
+	Address    string `json:"address"`
+	Nonce      string `json:"nonce"`
+	CreateAt   uint64 `json:"createAt"`
+	TypedData  string `json:"typedData"`  // typed data use for application
+	Signature  string `json:"signature"`  // signature for typed data
+	WalletType string `json:"walletType"` // e.g."MetaMask", "Coinbase"
+}
+
+type Web3OnboardIdProvider struct {
+	Client *http.Client
+}
+
+func NewWeb3OnboardIdProvider() *Web3OnboardIdProvider {
+	idp := &Web3OnboardIdProvider{}
+	return idp
+}
+
+func (idp *Web3OnboardIdProvider) SetHttpClient(client *http.Client) {
+	idp.Client = client
+}
+
+func (idp *Web3OnboardIdProvider) GetToken(code string) (*oauth2.Token, error) {
+	web3AuthToken := Web3AuthToken{}
+	if err := json.Unmarshal([]byte(code), &web3AuthToken); err != nil {
+		return nil, err
+	}
+	token := &oauth2.Token{
+		AccessToken: fmt.Sprintf("%v:%v", Web3AuthTokenKey, web3AuthToken.Address),
+		TokenType:   "Bearer",
+		Expiry:      time.Now().AddDate(0, 1, 0),
+	}
+
+	token = token.WithExtra(map[string]interface{}{
+		Web3AuthTokenKey: web3AuthToken,
+	})
+	return token, nil
+}
+
+func (idp *Web3OnboardIdProvider) GetUserInfo(token *oauth2.Token) (*UserInfo, error) {
+	web3AuthToken, ok := token.Extra(Web3AuthTokenKey).(Web3AuthToken)
+	if !ok {
+		return nil, errors.New("invalid web3AuthToken")
+	}
+
+	fmtAddress := fmt.Sprintf("%v_%v",
+		strings.ReplaceAll(strings.TrimSpace(web3AuthToken.WalletType), " ", "_"),
+		web3AuthToken.Address,
+	)
+	userInfo := &UserInfo{
+		Id:          fmtAddress,
+		Username:    fmtAddress,
+		DisplayName: fmtAddress,
+		AvatarUrl:   fmt.Sprintf("metamask:%v", forceEthereumAddress(web3AuthToken.Address)),
+	}
+	return userInfo, nil
+}
+
+func forceEthereumAddress(address string) string {
+	// The required address to general MetaMask avatar is a string of length 42 that represents an Ethereum address.
+	// This function is used to force any address as an Ethereum address
+	address = strings.TrimSpace(address)
+	var builder strings.Builder
+	for _, ch := range address {
+		builder.WriteRune(ch)
+	}
+	for len(builder.String()) < 42 {
+		builder.WriteString("0")
+	}
+	if len(builder.String()) > 42 {
+		return builder.String()[:42]
+	}
+	return builder.String()
+}
--- a/init_data.json.template
+++ b/init_data.json.template
@@ -9,11 +9,11 @@
      "passwordType": "plain",
      "passwordSalt": "",
      "passwordOptions": ["AtLeast6"],
-      "countryCodes": ["US", "ES", "CN", "FR", "DE", "GB", "JP", "KR", "VN", "ID", "SG", "IN"],
+      "countryCodes": ["US", "ES", "CN", "FR", "DE", "GB", "JP", "KR", "VN", "ID", "SG", "IN", "IT", "MY", "TR", "DZ", "IL", "PH"],
      "defaultAvatar": "",
      "defaultApplication": "",
      "tags": [],
-      "languages": ["en", "zh", "es", "fr", "de", "id", "ja", "ko", "ru", "vi"],
+      "languages": ["en", "zh", "es", "fr", "de", "id", "ja", "ko", "ru", "vi", "it", "ms", "tr","ar", "he", "fi"],
      "masterPassword": "",
      "initScore": 2000,
      "enableSoftDeletion": false,
@@ -123,7 +123,6 @@
      "score": 2000,
      "ranking": 1,
      "isAdmin": true,
-      "isGlobalAdmin": true,
      "isForbidden": false,
      "isDeleted": false,
      "signupApplication": "",
--- a/ldap/server.go
+++ b/ldap/server.go
@@ -62,7 +62,7 @@ func handleBind(w ldap.ResponseWriter, m *ldap.Message) {
 			return
 		}

-		if bindOrg == "built-in" || bindUser.IsGlobalAdmin {
+		if bindOrg == "built-in" || bindUser.IsGlobalAdmin() {
 			m.Client.IsGlobalAdmin, m.Client.IsOrgAdmin = true, true
 		} else if bindUser.IsAdmin {
 			m.Client.IsOrgAdmin = true
--- a/main.go
+++ b/main.go
@@ -15,7 +15,6 @@
 package main

 import (
-	"flag"
 	"fmt"

 	"github.com/beego/beego"
@@ -30,17 +29,10 @@ import (
 	"github.com/casdoor/casdoor/util"
 )

-func getCreateDatabaseFlag() bool {
-	res := flag.Bool("createDatabase", false, "true if you need Casdoor to create database")
-	flag.Parse()
-	return *res
-}
-
 func main() {
-	createDatabase := getCreateDatabaseFlag()
-
-	object.InitAdapter(createDatabase)
-	object.CreateTables(createDatabase)
+	object.InitFlag()
+	object.InitAdapter()
+	object.CreateTables()
 	object.DoMigration()

 	object.InitDb()
@@ -48,7 +40,9 @@ func main() {
 	object.InitDefaultStorageProvider()
 	object.InitLdapAutoSynchronizer()
 	proxy.InitHttpClient()
-	authz.InitAuthz()
+	authz.InitApi()
+	object.InitUserManager()
+	object.InitCasvisorConfig()

 	util.SafeGoroutine(func() { object.RunSyncUsersJob() })

@@ -62,7 +56,7 @@ func main() {
 	beego.InsertFilter("*", beego.BeforeRouter, routers.StaticFilter)
 	beego.InsertFilter("*", beego.BeforeRouter, routers.AutoSigninFilter)
 	beego.InsertFilter("*", beego.BeforeRouter, routers.CorsFilter)
-	beego.InsertFilter("*", beego.BeforeRouter, routers.AuthzFilter)
+	beego.InsertFilter("*", beego.BeforeRouter, routers.ApiFilter)
 	beego.InsertFilter("*", beego.BeforeRouter, routers.PrometheusFilter)
 	beego.InsertFilter("*", beego.BeforeRouter, routers.RecordMessage)

--- a/notification/custom_http.go
+++ b/notification/custom_http.go
@@ -0,0 +1,73 @@
+// Copyright 2023 The Casdoor Authors. All Rights Reserved.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//      http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package notification
+
+import (
+	"bytes"
+	"context"
+	"fmt"
+	"net/http"
+
+	"github.com/casdoor/casdoor/proxy"
+)
+
+type HttpNotificationClient struct {
+	endpoint  string
+	method    string
+	paramName string
+}
+
+func NewCustomHttpProvider(endpoint string, method string, paramName string) (*HttpNotificationClient, error) {
+	client := &HttpNotificationClient{
+		endpoint:  endpoint,
+		method:    method,
+		paramName: paramName,
+	}
+	return client, nil
+}
+
+func (c *HttpNotificationClient) Send(ctx context.Context, subject string, content string) error {
+	var err error
+
+	httpClient := proxy.DefaultHttpClient
+
+	req, err := http.NewRequest(c.method, c.endpoint, bytes.NewBufferString(content))
+	if err != nil {
+		return err
+	}
+
+	if c.method == "POST" {
+		req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
+		req.PostForm = map[string][]string{
+			c.paramName: {content},
+		}
+	} else if c.method == "GET" {
+		q := req.URL.Query()
+		q.Add(c.paramName, content)
+		req.URL.RawQuery = q.Encode()
+	}
+
+	resp, err := httpClient.Do(req)
+	if err != nil {
+		return err
+	}
+	defer resp.Body.Close()
+
+	if resp.StatusCode != http.StatusOK {
+		return fmt.Errorf("SendMessage() error, custom HTTP Notification request failed with status: %s", resp.Status)
+	}
+
+	return err
+}
--- a/notification/provider.go
+++ b/notification/provider.go
@@ -12,17 +12,16 @@
 // See the License for the specific language governing permissions and
 // limitations under the License.

-package ai
+package notification

-import "github.com/pkoukk/tiktoken-go"
+import "github.com/nikoksr/notify"

-func getTokenSize(model string, prompt string) (int, error) {
-	tkm, err := tiktoken.EncodingForModel(model)
-	if err != nil {
-		return 0, err
+func GetNotificationProvider(typ string, appId string, receiver string, method string, title string) (notify.Notifier, error) {
+	if typ == "Telegram" {
+		return NewTelegramProvider(appId, receiver)
+	} else if typ == "Custom HTTP" {
+		return NewCustomHttpProvider(receiver, method, title)
 	}

-	token := tkm.Encode(prompt, nil, nil)
-	res := len(token)
-	return res, nil
+	return nil, nil
 }
--- a/notification/telegram.go
+++ b/notification/telegram.go
@@ -0,0 +1,42 @@
+// Copyright 2023 The Casdoor Authors. All Rights Reserved.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//      http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package notification
+
+import (
+	"strconv"
+
+	"github.com/casdoor/casdoor/proxy"
+	api "github.com/go-telegram-bot-api/telegram-bot-api"
+	"github.com/nikoksr/notify"
+	"github.com/nikoksr/notify/service/telegram"
+)
+
+func NewTelegramProvider(apiToken string, chatIdStr string) (notify.Notifier, error) {
+	client, err := api.NewBotAPIWithClient(apiToken, proxy.ProxyHttpClient)
+	if err != nil {
+		return nil, err
+	}
+	t := &telegram.Telegram{}
+	t.SetClient(client)
+
+	chatId, err := strconv.ParseInt(chatIdStr, 10, 64)
+	if err != nil {
+		return nil, err
+	}
+
+	t.AddReceivers(chatId)
+
+	return t, nil
+}
--- a/object/adapter.go
+++ b/object/adapter.go
@@ -1,4 +1,4 @@
-// Copyright 2021 The Casdoor Authors. All Rights Reserved.
+// Copyright 2022 The Casdoor Authors. All Rights Reserved.
 //
 // Licensed under the Apache License, Version 2.0 (the "License");
 // you may not use this file except in compliance with the License.
@@ -15,365 +15,214 @@
 package object

 import (
-	"database/sql"
 	"fmt"
-	"runtime"
 	"strings"

-	"github.com/beego/beego"
 	"github.com/casdoor/casdoor/conf"
 	"github.com/casdoor/casdoor/util"
 	xormadapter "github.com/casdoor/xorm-adapter/v3"
-	_ "github.com/denisenkom/go-mssqldb" // db = mssql
-	_ "github.com/go-sql-driver/mysql"   // db = mysql
-	_ "github.com/lib/pq"                // db = postgres
 	"github.com/xorm-io/core"
 	"github.com/xorm-io/xorm"
-	_ "modernc.org/sqlite" // db = sqlite
 )

-var adapter *Adapter
-
-func InitConfig() {
-	err := beego.LoadAppConfig("ini", "../conf/app.conf")
-	if err != nil {
-		panic(err)
-	}
-
-	beego.BConfig.WebConfig.Session.SessionOn = true
-
-	InitAdapter(true)
-	CreateTables(true)
-	DoMigration()
-}
-
-func InitAdapter(createDatabase bool) {
-	if createDatabase {
-		err := createDatabaseForPostgres(conf.GetConfigString("driverName"), conf.GetConfigDataSourceName(), conf.GetConfigString("dbName"))
-		if err != nil {
-			panic(err)
-		}
-	}
-
-	adapter = NewAdapter(conf.GetConfigString("driverName"), conf.GetConfigDataSourceName(), conf.GetConfigString("dbName"))
-
-	tableNamePrefix := conf.GetConfigString("tableNamePrefix")
-	tbMapper := core.NewPrefixMapper(core.SnakeMapper{}, tableNamePrefix)
-	adapter.Engine.SetTableMapper(tbMapper)
-}
-
-func CreateTables(createDatabase bool) {
-	if createDatabase {
-		err := adapter.CreateDatabase()
-		if err != nil {
-			panic(err)
-		}
-	}
-
-	adapter.createTable()
-}
-
-// Adapter represents the MySQL adapter for policy storage.
 type Adapter struct {
-	driverName     string
-	dataSourceName string
-	dbName         string
-	Engine         *xorm.Engine
+	Owner       string `xorm:"varchar(100) notnull pk" json:"owner"`
+	Name        string `xorm:"varchar(100) notnull pk" json:"name"`
+	CreatedTime string `xorm:"varchar(100)" json:"createdTime"`
+
+	Type            string `xorm:"varchar(100)" json:"type"`
+	DatabaseType    string `xorm:"varchar(100)" json:"databaseType"`
+	Host            string `xorm:"varchar(100)" json:"host"`
+	Port            int    `json:"port"`
+	User            string `xorm:"varchar(100)" json:"user"`
+	Password        string `xorm:"varchar(100)" json:"password"`
+	Database        string `xorm:"varchar(100)" json:"database"`
+	Table           string `xorm:"varchar(100)" json:"table"`
+	TableNamePrefix string `xorm:"varchar(100)" json:"tableNamePrefix"`
+
+	*xormadapter.Adapter `xorm:"-" json:"-"`
 }

-// finalizer is the destructor for Adapter.
-func finalizer(a *Adapter) {
-	err := a.Engine.Close()
+func GetAdapterCount(owner, field, value string) (int64, error) {
+	session := GetSession(owner, -1, -1, field, value, "", "")
+	return session.Count(&Adapter{})
+}
+
+func GetAdapters(owner string) ([]*Adapter, error) {
+	adapters := []*Adapter{}
+	err := ormer.Engine.Desc("created_time").Find(&adapters, &Adapter{Owner: owner})
 	if err != nil {
-		panic(err)
+		return adapters, err
+	}
+
+	return adapters, nil
+}
+
+func GetPaginationAdapters(owner string, offset, limit int, field, value, sortField, sortOrder string) ([]*Adapter, error) {
+	adapters := []*Adapter{}
+	session := GetSession(owner, offset, limit, field, value, sortField, sortOrder)
+	err := session.Find(&adapters)
+	if err != nil {
+		return adapters, err
+	}
+
+	return adapters, nil
+}
+
+func getAdapter(owner, name string) (*Adapter, error) {
+	if owner == "" || name == "" {
+		return nil, nil
+	}
+
+	adapter := Adapter{Owner: owner, Name: name}
+	existed, err := ormer.Engine.Get(&adapter)
+	if err != nil {
+		return nil, err
+	}
+
+	if existed {
+		return &adapter, nil
+	} else {
+		return nil, nil
 	}
 }

-// NewAdapter is the constructor for Adapter.
-func NewAdapter(driverName string, dataSourceName string, dbName string) *Adapter {
-	a := &Adapter{}
-	a.driverName = driverName
-	a.dataSourceName = dataSourceName
-	a.dbName = dbName
-
-	// Open the DB, create it if not existed.
-	a.open()
-
-	// Call the destructor when the object is released.
-	runtime.SetFinalizer(a, finalizer)
-
-	return a
+func GetAdapter(id string) (*Adapter, error) {
+	owner, name := util.GetOwnerAndNameFromId(id)
+	return getAdapter(owner, name)
 }

-func createDatabaseForPostgres(driverName string, dataSourceName string, dbName string) error {
-	if driverName == "postgres" {
-		db, err := sql.Open(driverName, dataSourceName)
+func UpdateAdapter(id string, adapter *Adapter) (bool, error) {
+	owner, name := util.GetOwnerAndNameFromId(id)
+	if adapter, err := getAdapter(owner, name); adapter == nil {
+		return false, err
+	}
+
+	if name != adapter.Name {
+		err := adapterChangeTrigger(name, adapter.Name)
+		if err != nil {
+			return false, err
+		}
+	}
+
+	session := ormer.Engine.ID(core.PK{owner, name}).AllCols()
+	if adapter.Password == "***" {
+		session.Omit("password")
+	}
+	affected, err := session.Update(adapter)
+	if err != nil {
+		return false, err
+	}
+
+	return affected != 0, nil
+}
+
+func AddAdapter(adapter *Adapter) (bool, error) {
+	affected, err := ormer.Engine.Insert(adapter)
+	if err != nil {
+		return false, err
+	}
+
+	return affected != 0, nil
+}
+
+func DeleteAdapter(adapter *Adapter) (bool, error) {
+	affected, err := ormer.Engine.ID(core.PK{adapter.Owner, adapter.Name}).Delete(&Adapter{})
+	if err != nil {
+		return false, err
+	}
+
+	return affected != 0, nil
+}
+
+func (adapter *Adapter) GetId() string {
+	return fmt.Sprintf("%s/%s", adapter.Owner, adapter.Name)
+}
+
+func (adapter *Adapter) getTable() string {
+	if adapter.DatabaseType == "mssql" {
+		return fmt.Sprintf("[%s]", adapter.Table)
+	} else {
+		return adapter.Table
+	}
+}
+
+func (adapter *Adapter) InitAdapter() error {
+	if adapter.Adapter == nil {
+		var dataSourceName string
+
+		if adapter.isBuiltIn() {
+			dataSourceName = conf.GetConfigString("dataSourceName")
+			if adapter.DatabaseType == "mysql" {
+				dataSourceName = dataSourceName + adapter.Database
+			}
+		} else {
+			switch adapter.DatabaseType {
+			case "mssql":
+				dataSourceName = fmt.Sprintf("sqlserver://%s:%s@%s:%d?database=%s", adapter.User,
+					adapter.Password, adapter.Host, adapter.Port, adapter.Database)
+			case "mysql":
+				dataSourceName = fmt.Sprintf("%s:%s@tcp(%s:%d)/%s", adapter.User,
+					adapter.Password, adapter.Host, adapter.Port, adapter.Database)
+			case "postgres":
+				dataSourceName = fmt.Sprintf("user=%s password=%s host=%s port=%d sslmode=disable dbname=%s", adapter.User,
+					adapter.Password, adapter.Host, adapter.Port, adapter.Database)
+			case "CockroachDB":
+				dataSourceName = fmt.Sprintf("user=%s password=%s host=%s port=%d sslmode=disable dbname=%s serial_normalization=virtual_sequence",
+					adapter.User, adapter.Password, adapter.Host, adapter.Port, adapter.Database)
+			case "sqlite3":
+				dataSourceName = fmt.Sprintf("file:%s", adapter.Host)
+			default:
+				return fmt.Errorf("unsupported database type: %s", adapter.DatabaseType)
+			}
+		}
+
+		if !isCloudIntranet {
+			dataSourceName = strings.ReplaceAll(dataSourceName, "dbi.", "db.")
+		}
+
+		var err error
+		engine, err := xorm.NewEngine(adapter.DatabaseType, dataSourceName)
+
+		if adapter.isBuiltIn() && adapter.DatabaseType == "postgres" {
+			schema := util.GetValueFromDataSourceName("search_path", dataSourceName)
+			if schema != "" {
+				engine.SetSchema(schema)
+			}
+		}
+
+		adapter.Adapter, err = xormadapter.NewAdapterByEngineWithTableName(engine, adapter.getTable(), adapter.TableNamePrefix)
 		if err != nil {
 			return err
 		}
-		defer db.Close()
-
-		_, err = db.Exec(fmt.Sprintf("CREATE DATABASE %s;", dbName))
-		if err != nil {
-			if !strings.Contains(err.Error(), "already exists") {
-				return err
-			}
-		}
-
-		return nil
-	} else {
-		return nil
 	}
+	return nil
 }

-func (a *Adapter) CreateDatabase() error {
-	if a.driverName == "postgres" {
-		return nil
-	}
+func adapterChangeTrigger(oldName string, newName string) error {
+	session := ormer.Engine.NewSession()
+	defer session.Close()

-	engine, err := xorm.NewEngine(a.driverName, a.dataSourceName)
+	err := session.Begin()
 	if err != nil {
 		return err
 	}
-	defer engine.Close()

-	_, err = engine.Exec(fmt.Sprintf("CREATE DATABASE IF NOT EXISTS %s default charset utf8mb4 COLLATE utf8mb4_general_ci", a.dbName))
-	return err
+	enforcer := new(Enforcer)
+	enforcer.Adapter = newName
+	_, err = session.Where("adapter=?", oldName).Update(enforcer)
+	if err != nil {
+		session.Rollback()
+		return err
+	}
+
+	return session.Commit()
 }

-func (a *Adapter) open() {
-	dataSourceName := a.dataSourceName + a.dbName
-	if a.driverName != "mysql" {
-		dataSourceName = a.dataSourceName
+func (adapter *Adapter) isBuiltIn() bool {
+	if adapter.Owner != "built-in" {
+		return false
 	}

-	engine, err := xorm.NewEngine(a.driverName, dataSourceName)
-	if err != nil {
-		panic(err)
-	}
-
-	a.Engine = engine
-}
-
-func (a *Adapter) close() {
-	_ = a.Engine.Close()
-	a.Engine = nil
-}
-
-func (a *Adapter) createTable() {
-	showSql := conf.GetConfigBool("showSql")
-	a.Engine.ShowSQL(showSql)
-
-	err := a.Engine.Sync2(new(Organization))
-	if err != nil {
-		panic(err)
-	}
-
-	err = a.Engine.Sync2(new(User))
-	if err != nil {
-		panic(err)
-	}
-
-	err = a.Engine.Sync2(new(Group))
-	if err != nil {
-		panic(err)
-	}
-
-	err = a.Engine.Sync2(new(Role))
-	if err != nil {
-		panic(err)
-	}
-
-	err = a.Engine.Sync2(new(Permission))
-	if err != nil {
-		panic(err)
-	}
-
-	err = a.Engine.Sync2(new(Model))
-	if err != nil {
-		panic(err)
-	}
-
-	err = a.Engine.Sync2(new(CasbinAdapter))
-	if err != nil {
-		panic(err)
-	}
-
-	err = a.Engine.Sync2(new(Enforcer))
-	if err != nil {
-		panic(err)
-	}
-
-	err = a.Engine.Sync2(new(Provider))
-	if err != nil {
-		panic(err)
-	}
-
-	err = a.Engine.Sync2(new(Application))
-	if err != nil {
-		panic(err)
-	}
-
-	err = a.Engine.Sync2(new(Resource))
-	if err != nil {
-		panic(err)
-	}
-
-	err = a.Engine.Sync2(new(Token))
-	if err != nil {
-		panic(err)
-	}
-
-	err = a.Engine.Sync2(new(VerificationRecord))
-	if err != nil {
-		panic(err)
-	}
-
-	err = a.Engine.Sync2(new(Record))
-	if err != nil {
-		panic(err)
-	}
-
-	err = a.Engine.Sync2(new(Webhook))
-	if err != nil {
-		panic(err)
-	}
-
-	err = a.Engine.Sync2(new(Syncer))
-	if err != nil {
-		panic(err)
-	}
-
-	err = a.Engine.Sync2(new(Cert))
-	if err != nil {
-		panic(err)
-	}
-
-	err = a.Engine.Sync2(new(Chat))
-	if err != nil {
-		panic(err)
-	}
-
-	err = a.Engine.Sync2(new(Message))
-	if err != nil {
-		panic(err)
-	}
-
-	err = a.Engine.Sync2(new(Product))
-	if err != nil {
-		panic(err)
-	}
-
-	err = a.Engine.Sync2(new(Payment))
-	if err != nil {
-		panic(err)
-	}
-
-	err = a.Engine.Sync2(new(Ldap))
-	if err != nil {
-		panic(err)
-	}
-
-	err = a.Engine.Sync2(new(PermissionRule))
-	if err != nil {
-		panic(err)
-	}
-
-	err = a.Engine.Sync2(new(xormadapter.CasbinRule))
-	if err != nil {
-		panic(err)
-	}
-
-	err = a.Engine.Sync2(new(Session))
-	if err != nil {
-		panic(err)
-	}
-
-	err = a.Engine.Sync2(new(Subscription))
-	if err != nil {
-		panic(err)
-	}
-
-	err = a.Engine.Sync2(new(Plan))
-	if err != nil {
-		panic(err)
-	}
-
-	err = a.Engine.Sync2(new(Pricing))
-	if err != nil {
-		panic(err)
-	}
-}
-
-func GetSession(owner string, offset, limit int, field, value, sortField, sortOrder string) *xorm.Session {
-	session := adapter.Engine.Prepare()
-	if offset != -1 && limit != -1 {
-		session.Limit(limit, offset)
-	}
-	if owner != "" {
-		session = session.And("owner=?", owner)
-	}
-	if field != "" && value != "" {
-		if util.FilterField(field) {
-			session = session.And(fmt.Sprintf("%s like ?", util.SnakeString(field)), fmt.Sprintf("%%%s%%", value))
-		}
-	}
-	if sortField == "" || sortOrder == "" {
-		sortField = "created_time"
-	}
-	if sortOrder == "ascend" {
-		session = session.Asc(util.SnakeString(sortField))
-	} else {
-		session = session.Desc(util.SnakeString(sortField))
-	}
-	return session
-}
-
-func GetSessionForUser(owner string, offset, limit int, field, value, sortField, sortOrder string) *xorm.Session {
-	session := adapter.Engine.Prepare()
-	if offset != -1 && limit != -1 {
-		session.Limit(limit, offset)
-	}
-	if owner != "" {
-		if offset == -1 {
-			session = session.And("owner=?", owner)
-		} else {
-			session = session.And("a.owner=?", owner)
-		}
-	}
-	if field != "" && value != "" {
-		if util.FilterField(field) {
-			if offset != -1 {
-				field = fmt.Sprintf("a.%s", field)
-			}
-			session = session.And(fmt.Sprintf("%s like ?", util.SnakeString(field)), fmt.Sprintf("%%%s%%", value))
-		}
-	}
-	if sortField == "" || sortOrder == "" {
-		sortField = "created_time"
-	}
-
-	tableNamePrefix := conf.GetConfigString("tableNamePrefix")
-	tableName := tableNamePrefix + "user"
-	if offset == -1 {
-		if sortOrder == "ascend" {
-			session = session.Asc(util.SnakeString(sortField))
-		} else {
-			session = session.Desc(util.SnakeString(sortField))
-		}
-	} else {
-		if sortOrder == "ascend" {
-			session = session.Alias("a").
-				Join("INNER", []string{tableName, "b"}, "a.owner = b.owner and a.name = b.name").
-				Select("b.*").
-				Asc("a." + util.SnakeString(sortField))
-		} else {
-			session = session.Alias("a").
-				Join("INNER", []string{tableName, "b"}, "a.owner = b.owner and a.name = b.name").
-				Select("b.*").
-				Desc("a." + util.SnakeString(sortField))
-		}
-	}
-
-	return session
+	return adapter.Name == "user-adapter-built-in" || adapter.Name == "api-adapter-built-in"
 }
--- a/object/application.go
+++ b/object/application.go
@@ -57,7 +57,9 @@ type Application struct {
 	SignupItems         []*SignupItem   `xorm:"varchar(1000)" json:"signupItems"`
 	GrantTypes          []string        `xorm:"varchar(1000)" json:"grantTypes"`
 	OrganizationObj     *Organization   `xorm:"-" json:"organizationObj"`
+	CertPublicKey       string          `xorm:"-" json:"certPublicKey"`
 	Tags                []string        `xorm:"mediumtext" json:"tags"`
+	InvitationCodes     []string        `xorm:"varchar(200)" json:"invitationCodes"`

 	ClientId             string     `xorm:"varchar(100)" json:"clientId"`
 	ClientSecret         string     `xorm:"varchar(100)" json:"clientSecret"`
@@ -92,7 +94,7 @@ func GetOrganizationApplicationCount(owner, Organization, field, value string) (

 func GetApplications(owner string) ([]*Application, error) {
 	applications := []*Application{}
-	err := adapter.Engine.Desc("created_time").Find(&applications, &Application{Owner: owner})
+	err := ormer.Engine.Desc("created_time").Find(&applications, &Application{Owner: owner})
 	if err != nil {
 		return applications, err
 	}
@@ -102,7 +104,7 @@ func GetApplications(owner string) ([]*Application, error) {

 func GetOrganizationApplications(owner string, organization string) ([]*Application, error) {
 	applications := []*Application{}
-	err := adapter.Engine.Desc("created_time").Find(&applications, &Application{Organization: organization})
+	err := ormer.Engine.Desc("created_time").Find(&applications, &Application{Organization: organization})
 	if err != nil {
 		return applications, err
 	}
@@ -182,7 +184,7 @@ func getApplication(owner string, name string) (*Application, error) {
 	}

 	application := Application{Owner: owner, Name: name}
-	existed, err := adapter.Engine.Get(&application)
+	existed, err := ormer.Engine.Get(&application)
 	if err != nil {
 		return nil, err
 	}
@@ -206,7 +208,7 @@ func getApplication(owner string, name string) (*Application, error) {

 func GetApplicationByOrganizationName(organization string) (*Application, error) {
 	application := Application{}
-	existed, err := adapter.Engine.Where("organization=?", organization).Get(&application)
+	existed, err := ormer.Engine.Where("organization=?", organization).Get(&application)
 	if err != nil {
 		return nil, nil
 	}
@@ -253,7 +255,7 @@ func GetApplicationByUserId(userId string) (application *Application, err error)

 func GetApplicationByClientId(clientId string) (*Application, error) {
 	application := Application{}
-	existed, err := adapter.Engine.Where("client_id=?", clientId).Get(&application)
+	existed, err := ormer.Engine.Where("client_id=?", clientId).Get(&application)
 	if err != nil {
 		return nil, err
 	}
@@ -281,14 +283,21 @@ func GetApplication(id string) (*Application, error) {
 }

 func GetMaskedApplication(application *Application, userId string) *Application {
-	if isUserIdGlobalAdmin(userId) {
-		return application
-	}
-
 	if application == nil {
 		return nil
 	}

+	if userId != "" {
+		if isUserIdGlobalAdmin(userId) {
+			return application
+		}
+
+		user, _ := GetUser(userId)
+		if user != nil && user.IsApplicationAdmin(application) {
+			return application
+		}
+	}
+
 	if application.ClientSecret != "" {
 		application.ClientSecret = "***"
 	}
@@ -304,6 +313,11 @@ func GetMaskedApplication(application *Application, userId string) *Application
 			application.OrganizationObj.PasswordSalt = "***"
 		}
 	}
+
+	if application.InvitationCodes != nil {
+		application.InvitationCodes = []string{"***"}
+	}
+
 	return application
 }

@@ -349,7 +363,7 @@ func UpdateApplication(id string, application *Application) (bool, error) {
 		providerItem.Provider = nil
 	}

-	session := adapter.Engine.ID(core.PK{owner, name}).AllCols()
+	session := ormer.Engine.ID(core.PK{owner, name}).AllCols()
 	if application.ClientSecret == "***" {
 		session.Omit("client_secret")
 	}
@@ -388,7 +402,7 @@ func AddApplication(application *Application) (bool, error) {
 		providerItem.Provider = nil
 	}

-	affected, err := adapter.Engine.Insert(application)
+	affected, err := ormer.Engine.Insert(application)
 	if err != nil {
 		return false, nil
 	}
@@ -401,7 +415,7 @@ func DeleteApplication(application *Application) (bool, error) {
 		return false, nil
 	}

-	affected, err := adapter.Engine.ID(core.PK{application.Owner, application.Name}).Delete(&Application{})
+	affected, err := ormer.Engine.ID(core.PK{application.Owner, application.Name}).Delete(&Application{})
 	if err != nil {
 		return false, err
 	}
@@ -477,7 +491,7 @@ func ExtendManagedAccountsWithUser(user *User) (*User, error) {
 }

 func applicationChangeTrigger(oldName string, newName string) error {
-	session := adapter.Engine.NewSession()
+	session := ormer.Engine.NewSession()
 	defer session.Close()

 	err := session.Begin()
@@ -507,7 +521,7 @@ func applicationChangeTrigger(oldName string, newName string) error {
 	}

 	var permissions []*Permission
-	err = adapter.Engine.Find(&permissions)
+	err = ormer.Engine.Find(&permissions)
 	if err != nil {
 		return err
 	}
--- a/object/casbin_adapter.go
+++ b/object/casbin_adapter.go
@@ -1,313 +0,0 @@
-// Copyright 2022 The Casdoor Authors. All Rights Reserved.
-//
-// Licensed under the Apache License, Version 2.0 (the "License");
-// you may not use this file except in compliance with the License.
-// You may obtain a copy of the License at
-//
-//      http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing, software
-// distributed under the License is distributed on an "AS IS" BASIS,
-// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-// See the License for the specific language governing permissions and
-// limitations under the License.
-
-package object
-
-import (
-	"fmt"
-	"strings"
-
-	"github.com/casbin/casbin/v2"
-	"github.com/casbin/casbin/v2/model"
-	"github.com/casdoor/casdoor/util"
-	xormadapter "github.com/casdoor/xorm-adapter/v3"
-	"github.com/xorm-io/core"
-)
-
-type CasbinAdapter struct {
-	Owner       string `xorm:"varchar(100) notnull pk" json:"owner"`
-	Name        string `xorm:"varchar(100) notnull pk" json:"name"`
-	CreatedTime string `xorm:"varchar(100)" json:"createdTime"`
-
-	Type  string `xorm:"varchar(100)" json:"type"`
-	Model string `xorm:"varchar(100)" json:"model"`
-
-	Host         string `xorm:"varchar(100)" json:"host"`
-	Port         int    `json:"port"`
-	User         string `xorm:"varchar(100)" json:"user"`
-	Password     string `xorm:"varchar(100)" json:"password"`
-	DatabaseType string `xorm:"varchar(100)" json:"databaseType"`
-	Database     string `xorm:"varchar(100)" json:"database"`
-	Table        string `xorm:"varchar(100)" json:"table"`
-	IsEnabled    bool   `json:"isEnabled"`
-
-	Adapter *xormadapter.Adapter `xorm:"-" json:"-"`
-}
-
-func GetCasbinAdapterCount(owner, field, value string) (int64, error) {
-	session := GetSession(owner, -1, -1, field, value, "", "")
-	return session.Count(&CasbinAdapter{})
-}
-
-func GetCasbinAdapters(owner string) ([]*CasbinAdapter, error) {
-	adapters := []*CasbinAdapter{}
-	err := adapter.Engine.Desc("created_time").Find(&adapters, &CasbinAdapter{Owner: owner})
-	if err != nil {
-		return adapters, err
-	}
-
-	return adapters, nil
-}
-
-func GetPaginationCasbinAdapters(owner string, offset, limit int, field, value, sortField, sortOrder string) ([]*CasbinAdapter, error) {
-	adapters := []*CasbinAdapter{}
-	session := GetSession(owner, offset, limit, field, value, sortField, sortOrder)
-	err := session.Find(&adapters)
-	if err != nil {
-		return adapters, err
-	}
-
-	return adapters, nil
-}
-
-func getCasbinAdapter(owner, name string) (*CasbinAdapter, error) {
-	if owner == "" || name == "" {
-		return nil, nil
-	}
-
-	casbinAdapter := CasbinAdapter{Owner: owner, Name: name}
-	existed, err := adapter.Engine.Get(&casbinAdapter)
-	if err != nil {
-		return nil, err
-	}
-
-	if existed {
-		return &casbinAdapter, nil
-	} else {
-		return nil, nil
-	}
-}
-
-func GetCasbinAdapter(id string) (*CasbinAdapter, error) {
-	owner, name := util.GetOwnerAndNameFromId(id)
-	return getCasbinAdapter(owner, name)
-}
-
-func UpdateCasbinAdapter(id string, casbinAdapter *CasbinAdapter) (bool, error) {
-	owner, name := util.GetOwnerAndNameFromId(id)
-	if casbinAdapter, err := getCasbinAdapter(owner, name); casbinAdapter == nil {
-		return false, err
-	}
-
-	if name != casbinAdapter.Name {
-		err := casbinAdapterChangeTrigger(name, casbinAdapter.Name)
-		if err != nil {
-			return false, err
-		}
-	}
-
-	session := adapter.Engine.ID(core.PK{owner, name}).AllCols()
-	if casbinAdapter.Password == "***" {
-		session.Omit("password")
-	}
-	affected, err := session.Update(casbinAdapter)
-	if err != nil {
-		return false, err
-	}
-
-	return affected != 0, nil
-}
-
-func AddCasbinAdapter(casbinAdapter *CasbinAdapter) (bool, error) {
-	affected, err := adapter.Engine.Insert(casbinAdapter)
-	if err != nil {
-		return false, err
-	}
-
-	return affected != 0, nil
-}
-
-func DeleteCasbinAdapter(casbinAdapter *CasbinAdapter) (bool, error) {
-	affected, err := adapter.Engine.ID(core.PK{casbinAdapter.Owner, casbinAdapter.Name}).Delete(&CasbinAdapter{})
-	if err != nil {
-		return false, err
-	}
-
-	return affected != 0, nil
-}
-
-func (casbinAdapter *CasbinAdapter) GetId() string {
-	return fmt.Sprintf("%s/%s", casbinAdapter.Owner, casbinAdapter.Name)
-}
-
-func (casbinAdapter *CasbinAdapter) getTable() string {
-	if casbinAdapter.DatabaseType == "mssql" {
-		return fmt.Sprintf("[%s]", casbinAdapter.Table)
-	} else {
-		return casbinAdapter.Table
-	}
-}
-
-func initEnforcer(modelObj *Model, casbinAdapter *CasbinAdapter) (*casbin.Enforcer, error) {
-	// init Adapter
-	if casbinAdapter.Adapter == nil {
-		var dataSourceName string
-		if casbinAdapter.DatabaseType == "mssql" {
-			dataSourceName = fmt.Sprintf("sqlserver://%s:%s@%s:%d?database=%s", casbinAdapter.User, casbinAdapter.Password, casbinAdapter.Host, casbinAdapter.Port, casbinAdapter.Database)
-		} else if casbinAdapter.DatabaseType == "postgres" {
-			dataSourceName = fmt.Sprintf("user=%s password=%s host=%s port=%d sslmode=disable dbname=%s", casbinAdapter.User, casbinAdapter.Password, casbinAdapter.Host, casbinAdapter.Port, casbinAdapter.Database)
-		} else {
-			dataSourceName = fmt.Sprintf("%s:%s@tcp(%s:%d)/", casbinAdapter.User, casbinAdapter.Password, casbinAdapter.Host, casbinAdapter.Port)
-		}
-
-		if !isCloudIntranet {
-			dataSourceName = strings.ReplaceAll(dataSourceName, "dbi.", "db.")
-		}
-
-		var err error
-		casbinAdapter.Adapter, err = xormadapter.NewAdapterByEngineWithTableName(NewAdapter(casbinAdapter.DatabaseType, dataSourceName, casbinAdapter.Database).Engine, casbinAdapter.getTable(), "")
-		if err != nil {
-			return nil, err
-		}
-	}
-
-	// init Model
-	m, err := model.NewModelFromString(modelObj.ModelText)
-	if err != nil {
-		return nil, err
-	}
-
-	// init Enforcer
-	enforcer, err := casbin.NewEnforcer(m, casbinAdapter.Adapter)
-	if err != nil {
-		return nil, err
-	}
-
-	return enforcer, nil
-}
-
-func casbinAdapterChangeTrigger(oldName string, newName string) error {
-	session := adapter.Engine.NewSession()
-	defer session.Close()
-
-	err := session.Begin()
-	if err != nil {
-		return err
-	}
-
-	enforcer := new(Enforcer)
-	enforcer.Adapter = newName
-	_, err = session.Where("adapter=?", oldName).Update(enforcer)
-	if err != nil {
-		session.Rollback()
-		return err
-	}
-
-	return session.Commit()
-}
-
-func safeReturn(policy []string, i int) string {
-	if len(policy) > i {
-		return policy[i]
-	} else {
-		return ""
-	}
-}
-
-func matrixToCasbinRules(Ptype string, policies [][]string) []*xormadapter.CasbinRule {
-	res := []*xormadapter.CasbinRule{}
-
-	for _, policy := range policies {
-		line := xormadapter.CasbinRule{
-			Ptype: Ptype,
-			V0:    safeReturn(policy, 0),
-			V1:    safeReturn(policy, 1),
-			V2:    safeReturn(policy, 2),
-			V3:    safeReturn(policy, 3),
-			V4:    safeReturn(policy, 4),
-			V5:    safeReturn(policy, 5),
-		}
-		res = append(res, &line)
-	}
-
-	return res
-}
-
-func SyncPolicies(casbinAdapter *CasbinAdapter) ([]*xormadapter.CasbinRule, error) {
-	modelObj, err := getModel(casbinAdapter.Owner, casbinAdapter.Model)
-	if err != nil {
-		return nil, err
-	}
-
-	if modelObj == nil {
-		return nil, fmt.Errorf("The model: %s does not exist", util.GetId(casbinAdapter.Owner, casbinAdapter.Model))
-	}
-
-	enforcer, err := initEnforcer(modelObj, casbinAdapter)
-	if err != nil {
-		return nil, err
-	}
-
-	policies := matrixToCasbinRules("p", enforcer.GetPolicy())
-	if strings.Contains(modelObj.ModelText, "[role_definition]") {
-		policies = append(policies, matrixToCasbinRules("g", enforcer.GetGroupingPolicy())...)
-	}
-
-	return policies, nil
-}
-
-func UpdatePolicy(oldPolicy, newPolicy []string, casbinAdapter *CasbinAdapter) (bool, error) {
-	modelObj, err := getModel(casbinAdapter.Owner, casbinAdapter.Model)
-	if err != nil {
-		return false, err
-	}
-
-	enforcer, err := initEnforcer(modelObj, casbinAdapter)
-	if err != nil {
-		return false, err
-	}
-
-	affected, err := enforcer.UpdatePolicy(oldPolicy, newPolicy)
-	if err != nil {
-		return affected, err
-	}
-	return affected, nil
-}
-
-func AddPolicy(policy []string, casbinAdapter *CasbinAdapter) (bool, error) {
-	modelObj, err := getModel(casbinAdapter.Owner, casbinAdapter.Model)
-	if err != nil {
-		return false, err
-	}
-
-	enforcer, err := initEnforcer(modelObj, casbinAdapter)
-	if err != nil {
-		return false, err
-	}
-
-	affected, err := enforcer.AddPolicy(policy)
-	if err != nil {
-		return affected, err
-	}
-	return affected, nil
-}
-
-func RemovePolicy(policy []string, casbinAdapter *CasbinAdapter) (bool, error) {
-	modelObj, err := getModel(casbinAdapter.Owner, casbinAdapter.Model)
-	if err != nil {
-		return false, err
-	}
-
-	enforcer, err := initEnforcer(modelObj, casbinAdapter)
-	if err != nil {
-		return false, err
-	}
-
-	affected, err := enforcer.RemovePolicy(policy)
-	if err != nil {
-		return affected, err
-	}
-
-	return affected, nil
-}
--- a/object/cert.go
+++ b/object/cert.go
@@ -65,7 +65,7 @@ func GetCertCount(owner, field, value string) (int64, error) {

 func GetCerts(owner string) ([]*Cert, error) {
 	certs := []*Cert{}
-	err := adapter.Engine.Where("owner = ? or owner = ? ", "admin", owner).Desc("created_time").Find(&certs, &Cert{})
+	err := ormer.Engine.Where("owner = ? or owner = ? ", "admin", owner).Desc("created_time").Find(&certs, &Cert{})
 	if err != nil {
 		return certs, err
 	}
@@ -91,7 +91,7 @@ func GetGlobalCertsCount(field, value string) (int64, error) {

 func GetGlobleCerts() ([]*Cert, error) {
 	certs := []*Cert{}
-	err := adapter.Engine.Desc("created_time").Find(&certs)
+	err := ormer.Engine.Desc("created_time").Find(&certs)
 	if err != nil {
 		return certs, err
 	}
@@ -116,7 +116,7 @@ func getCert(owner string, name string) (*Cert, error) {
 	}

 	cert := Cert{Owner: owner, Name: name}
-	existed, err := adapter.Engine.Get(&cert)
+	existed, err := ormer.Engine.Get(&cert)
 	if err != nil {
 		return &cert, err
 	}
@@ -134,7 +134,7 @@ func getCertByName(name string) (*Cert, error) {
 	}

 	cert := Cert{Name: name}
-	existed, err := adapter.Engine.Get(&cert)
+	existed, err := ormer.Engine.Get(&cert)
 	if err != nil {
 		return &cert, nil
 	}
@@ -162,10 +162,10 @@ func UpdateCert(id string, cert *Cert) (bool, error) {
 	if name != cert.Name {
 		err := certChangeTrigger(name, cert.Name)
 		if err != nil {
-			return false, nil
+			return false, err
 		}
 	}
-	affected, err := adapter.Engine.ID(core.PK{owner, name}).AllCols().Update(cert)
+	affected, err := ormer.Engine.ID(core.PK{owner, name}).AllCols().Update(cert)
 	if err != nil {
 		return false, err
 	}
@@ -180,7 +180,7 @@ func AddCert(cert *Cert) (bool, error) {
 		cert.PrivateKey = privateKey
 	}

-	affected, err := adapter.Engine.Insert(cert)
+	affected, err := ormer.Engine.Insert(cert)
 	if err != nil {
 		return false, err
 	}
@@ -189,7 +189,7 @@ func AddCert(cert *Cert) (bool, error) {
 }

 func DeleteCert(cert *Cert) (bool, error) {
-	affected, err := adapter.Engine.ID(core.PK{cert.Owner, cert.Name}).Delete(&Cert{})
+	affected, err := ormer.Engine.ID(core.PK{cert.Owner, cert.Name}).Delete(&Cert{})
 	if err != nil {
 		return false, err
 	}
@@ -214,7 +214,7 @@ func GetDefaultCert() (*Cert, error) {
 }

 func certChangeTrigger(oldName string, newName string) error {
-	session := adapter.Engine.NewSession()
+	session := ormer.Engine.NewSession()
 	defer session.Close()

 	err := session.Begin()
--- a/object/chat.go
+++ b/object/chat.go
@@ -1,166 +0,0 @@
-// Copyright 2023 The Casdoor Authors. All Rights Reserved.
-//
-// Licensed under the Apache License, Version 2.0 (the "License");
-// you may not use this file except in compliance with the License.
-// You may obtain a copy of the License at
-//
-//      http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing, software
-// distributed under the License is distributed on an "AS IS" BASIS,
-// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-// See the License for the specific language governing permissions and
-// limitations under the License.
-
-package object
-
-import (
-	"fmt"
-
-	"github.com/casdoor/casdoor/util"
-	"github.com/xorm-io/core"
-)
-
-type Chat struct {
-	Owner       string `xorm:"varchar(100) notnull pk" json:"owner"`
-	Name        string `xorm:"varchar(100) notnull pk" json:"name"`
-	CreatedTime string `xorm:"varchar(100)" json:"createdTime"`
-	UpdatedTime string `xorm:"varchar(100)" json:"updatedTime"`
-
-	Organization string   `xorm:"varchar(100)" json:"organization"`
-	DisplayName  string   `xorm:"varchar(100)" json:"displayName"`
-	Type         string   `xorm:"varchar(100)" json:"type"`
-	Category     string   `xorm:"varchar(100)" json:"category"`
-	User1        string   `xorm:"varchar(100)" json:"user1"`
-	User2        string   `xorm:"varchar(100)" json:"user2"`
-	Users        []string `xorm:"varchar(100)" json:"users"`
-	MessageCount int      `json:"messageCount"`
-}
-
-func GetMaskedChat(chat *Chat, err ...error) (*Chat, error) {
-	if len(err) > 0 && err[0] != nil {
-		return nil, err[0]
-	}
-
-	if chat == nil {
-		return nil, nil
-	}
-
-	return chat, nil
-}
-
-func GetMaskedChats(chats []*Chat, errs ...error) ([]*Chat, error) {
-	if len(errs) > 0 && errs[0] != nil {
-		return nil, errs[0]
-	}
-	var err error
-	for _, chat := range chats {
-		chat, err = GetMaskedChat(chat)
-		if err != nil {
-			return nil, err
-		}
-	}
-	return chats, nil
-}
-
-func GetChatCount(owner, field, value string) (int64, error) {
-	session := GetSession(owner, -1, -1, field, value, "", "")
-	return session.Count(&Chat{})
-}
-
-func GetChats(owner string) ([]*Chat, error) {
-	chats := []*Chat{}
-	err := adapter.Engine.Desc("created_time").Find(&chats, &Chat{Owner: owner})
-	if err != nil {
-		return chats, err
-	}
-
-	return chats, nil
-}
-
-func GetPaginationChats(owner string, offset, limit int, field, value, sortField, sortOrder string) ([]*Chat, error) {
-	chats := []*Chat{}
-	session := GetSession(owner, offset, limit, field, value, sortField, sortOrder)
-	err := session.Find(&chats)
-	if err != nil {
-		return chats, err
-	}
-
-	return chats, nil
-}
-
-func getChat(owner string, name string) (*Chat, error) {
-	if owner == "" || name == "" {
-		return nil, nil
-	}
-
-	chat := Chat{Owner: owner, Name: name}
-	existed, err := adapter.Engine.Get(&chat)
-	if err != nil {
-		return &chat, err
-	}
-
-	if existed {
-		return &chat, nil
-	} else {
-		return nil, nil
-	}
-}
-
-func GetChat(id string) (*Chat, error) {
-	owner, name := util.GetOwnerAndNameFromId(id)
-	return getChat(owner, name)
-}
-
-func UpdateChat(id string, chat *Chat) (bool, error) {
-	owner, name := util.GetOwnerAndNameFromId(id)
-	if c, err := getChat(owner, name); err != nil {
-		return false, err
-	} else if c == nil {
-		return false, nil
-	}
-
-	affected, err := adapter.Engine.ID(core.PK{owner, name}).AllCols().Update(chat)
-	if err != nil {
-		return false, nil
-	}
-
-	return affected != 0, nil
-}
-
-func AddChat(chat *Chat) (bool, error) {
-	if chat.Type == "AI" && chat.User2 == "" {
-		provider, err := getDefaultAiProvider()
-		if err != nil {
-			return false, err
-		}
-
-		if provider != nil {
-			chat.User2 = provider.Name
-		}
-	}
-
-	affected, err := adapter.Engine.Insert(chat)
-	if err != nil {
-		return false, nil
-	}
-
-	return affected != 0, nil
-}
-
-func DeleteChat(chat *Chat) (bool, error) {
-	affected, err := adapter.Engine.ID(core.PK{chat.Owner, chat.Name}).Delete(&Chat{})
-	if err != nil {
-		return false, err
-	}
-
-	if affected != 0 {
-		return DeleteChatMessages(chat.Name)
-	}
-
-	return affected != 0, nil
-}
-
-func (p *Chat) GetId() string {
-	return fmt.Sprintf("%s/%s", p.Owner, p.Name)
-}
--- a/object/check.go
+++ b/object/check.go
@@ -66,8 +66,11 @@ func CheckUserSignup(application *Application, organization *Organization, form
 		}
 	}

-	if len(form.Password) <= 5 {
-		return i18n.Translate(lang, "check:Password must have at least 6 characters")
+	if application.IsSignupItemVisible("Password") {
+		msg := CheckPasswordComplexityByOrg(organization, form.Password)
+		if msg != "" {
+			return msg
+		}
 	}

 	if application.IsSignupItemVisible("Email") {
@@ -124,6 +127,18 @@ func CheckUserSignup(application *Application, organization *Organization, form
 		}
 	}

+	if len(application.InvitationCodes) > 0 {
+		if form.InvitationCode == "" {
+			if application.IsSignupItemRequired("Invitation code") {
+				return i18n.Translate(lang, "check:Invitation code cannot be blank")
+			}
+		} else {
+			if !util.InSlice(application.InvitationCodes, form.InvitationCode) {
+				return i18n.Translate(lang, "check:Invitation code is invalid")
+			}
+		}
+	}
+
 	return ""
 }

@@ -141,7 +156,7 @@ func checkSigninErrorTimes(user *User, lang string) string {
 		// reset the error times
 		user.SigninWrongTimes = 0

-		UpdateUser(user.GetId(), user, []string{"signin_wrong_times"}, user.IsGlobalAdmin)
+		UpdateUser(user.GetId(), user, []string{"signin_wrong_times"}, false)
 	}

 	return ""
@@ -319,7 +334,7 @@ func CheckUserPermission(requestUserId, userId string, strict bool, lang string)
 		if requestUser == nil {
 			return false, fmt.Errorf(i18n.Translate(lang, "check:Session outdated, please login again"))
 		}
-		if requestUser.IsGlobalAdmin {
+		if requestUser.IsGlobalAdmin() {
 			hasPermission = true
 		} else if requestUserId == userId {
 			hasPermission = true
@@ -404,7 +419,7 @@ func CheckUpdateUser(oldUser, user *User, lang string) string {
 		}
 	}
 	if oldUser.Email != user.Email {
-		if HasUserByField(user.Name, "email", user.Email) {
+		if HasUserByField(user.Owner, "email", user.Email) {
 			return i18n.Translate(lang, "check:Email already exists")
 		}
 	}
--- a/object/check_util.go
+++ b/object/check_util.go
@@ -42,7 +42,7 @@ func resetUserSigninErrorTimes(user *User) {
 		return
 	}
 	user.SigninWrongTimes = 0
-	UpdateUser(user.GetId(), user, []string{"signin_wrong_times", "last_signin_wrong_time"}, user.IsGlobalAdmin)
+	UpdateUser(user.GetId(), user, []string{"signin_wrong_times", "last_signin_wrong_time"}, false)
 }

 func recordSigninErrorInfo(user *User, lang string, options ...bool) string {
@@ -61,7 +61,7 @@ func recordSigninErrorInfo(user *User, lang string, options ...bool) string {
 	}

 	// update user
-	UpdateUser(user.GetId(), user, []string{"signin_wrong_times", "last_signin_wrong_time"}, user.IsGlobalAdmin)
+	UpdateUser(user.GetId(), user, []string{"signin_wrong_times", "last_signin_wrong_time"}, false)
 	leftChances := SigninWrongTimesLimit - user.SigninWrongTimes
 	if leftChances == 0 && enableCaptcha {
 		return fmt.Sprint(i18n.Translate(lang, "check:password or code is incorrect"))
--- a/object/enforcer.go
+++ b/object/enforcer.go
@@ -15,8 +15,12 @@
 package object

 import (
+	"fmt"
+
 	"github.com/casbin/casbin/v2"
+	"github.com/casbin/casbin/v2/config"
 	"github.com/casdoor/casdoor/util"
+	xormadapter "github.com/casdoor/xorm-adapter/v3"
 	"github.com/xorm-io/core"
 )

@@ -28,10 +32,10 @@ type Enforcer struct {
 	DisplayName string `xorm:"varchar(100)" json:"displayName"`
 	Description string `xorm:"varchar(100)" json:"description"`

-	Model     string `xorm:"varchar(100)" json:"model"`
-	Adapter   string `xorm:"varchar(100)" json:"adapter"`
-	IsEnabled bool   `json:"isEnabled"`
+	Model   string `xorm:"varchar(100)" json:"model"`
+	Adapter string `xorm:"varchar(100)" json:"adapter"`

+	ModelCfg map[string]string `xorm:"-" json:"modelCfg"`
 	*casbin.Enforcer
 }

@@ -42,7 +46,7 @@ func GetEnforcerCount(owner, field, value string) (int64, error) {

 func GetEnforcers(owner string) ([]*Enforcer, error) {
 	enforcers := []*Enforcer{}
-	err := adapter.Engine.Desc("created_time").Find(&enforcers, &Enforcer{Owner: owner})
+	err := ormer.Engine.Desc("created_time").Find(&enforcers, &Enforcer{Owner: owner})
 	if err != nil {
 		return enforcers, err
 	}
@@ -67,7 +71,7 @@ func getEnforcer(owner string, name string) (*Enforcer, error) {
 	}

 	enforcer := Enforcer{Owner: owner, Name: name}
-	existed, err := adapter.Engine.Get(&enforcer)
+	existed, err := ormer.Engine.Get(&enforcer)
 	if err != nil {
 		return &enforcer, err
 	}
@@ -92,7 +96,7 @@ func UpdateEnforcer(id string, enforcer *Enforcer) (bool, error) {
 		return false, nil
 	}

-	affected, err := adapter.Engine.ID(core.PK{owner, name}).AllCols().Update(enforcer)
+	affected, err := ormer.Engine.ID(core.PK{owner, name}).AllCols().Update(enforcer)
 	if err != nil {
 		return false, err
 	}
@@ -101,7 +105,7 @@ func UpdateEnforcer(id string, enforcer *Enforcer) (bool, error) {
 }

 func AddEnforcer(enforcer *Enforcer) (bool, error) {
-	affected, err := adapter.Engine.Insert(enforcer)
+	affected, err := ormer.Engine.Insert(enforcer)
 	if err != nil {
 		return false, err
 	}
@@ -110,10 +114,140 @@ func AddEnforcer(enforcer *Enforcer) (bool, error) {
 }

 func DeleteEnforcer(enforcer *Enforcer) (bool, error) {
-	affected, err := adapter.Engine.ID(core.PK{enforcer.Owner, enforcer.Name}).Delete(&Enforcer{})
+	affected, err := ormer.Engine.ID(core.PK{enforcer.Owner, enforcer.Name}).Delete(&Enforcer{})
 	if err != nil {
 		return false, err
 	}

 	return affected != 0, nil
 }
+
+func (enforcer *Enforcer) GetId() string {
+	return fmt.Sprintf("%s/%s", enforcer.Owner, enforcer.Name)
+}
+
+func (enforcer *Enforcer) InitEnforcer() error {
+	if enforcer.Enforcer != nil {
+		return nil
+	}
+
+	if enforcer.Model == "" {
+		return fmt.Errorf("the model for enforcer: %s should not be empty", enforcer.GetId())
+	}
+	if enforcer.Adapter == "" {
+		return fmt.Errorf("the adapter for enforcer: %s should not be empty", enforcer.GetId())
+	}
+
+	m, err := GetModel(enforcer.Model)
+	if err != nil {
+		return err
+	} else if m == nil {
+		return fmt.Errorf("the model: %s for enforcer: %s is not found", enforcer.Model, enforcer.GetId())
+	}
+
+	a, err := GetAdapter(enforcer.Adapter)
+	if err != nil {
+		return err
+	} else if a == nil {
+		return fmt.Errorf("the adapter: %s for enforcer: %s is not found", enforcer.Adapter, enforcer.GetId())
+	}
+
+	err = m.initModel()
+	if err != nil {
+		return err
+	}
+	err = a.InitAdapter()
+	if err != nil {
+		return err
+	}
+
+	casbinEnforcer, err := casbin.NewEnforcer(m.Model, a.Adapter)
+	if err != nil {
+		return err
+	}
+
+	enforcer.Enforcer = casbinEnforcer
+	return nil
+}
+
+func GetInitializedEnforcer(enforcerId string) (*Enforcer, error) {
+	enforcer, err := GetEnforcer(enforcerId)
+	if err != nil {
+		return nil, err
+	} else if enforcer == nil {
+		return nil, fmt.Errorf("the enforcer: %s is not found", enforcerId)
+	}
+
+	err = enforcer.InitEnforcer()
+	if err != nil {
+		return nil, err
+	}
+	return enforcer, nil
+}
+
+func GetPolicies(id string) ([]*xormadapter.CasbinRule, error) {
+	enforcer, err := GetInitializedEnforcer(id)
+	if err != nil {
+		return nil, err
+	}
+
+	policies := util.MatrixToCasbinRules("p", enforcer.GetPolicy())
+	if enforcer.GetModel()["g"] != nil {
+		policies = append(policies, util.MatrixToCasbinRules("g", enforcer.GetGroupingPolicy())...)
+	}
+
+	return policies, nil
+}
+
+func UpdatePolicy(id string, oldPolicy, newPolicy []string) (bool, error) {
+	enforcer, err := GetInitializedEnforcer(id)
+	if err != nil {
+		return false, err
+	}
+
+	return enforcer.UpdatePolicy(oldPolicy, newPolicy)
+}
+
+func AddPolicy(id string, policy []string) (bool, error) {
+	enforcer, err := GetInitializedEnforcer(id)
+	if err != nil {
+		return false, err
+	}
+
+	return enforcer.AddPolicy(policy)
+}
+
+func RemovePolicy(id string, policy []string) (bool, error) {
+	enforcer, err := GetInitializedEnforcer(id)
+	if err != nil {
+		return false, err
+	}
+
+	return enforcer.RemovePolicy(policy)
+}
+
+func (enforcer *Enforcer) LoadModelCfg() error {
+	if enforcer.ModelCfg != nil {
+		return nil
+	}
+
+	model, err := GetModel(enforcer.Model)
+	if err != nil {
+		return err
+	} else if model == nil {
+		return fmt.Errorf("the model: %s for enforcer: %s is not found", enforcer.Model, enforcer.GetId())
+	}
+
+	cfg, err := config.NewConfigFromText(model.ModelText)
+	if err != nil {
+		return err
+	}
+
+	enforcer.ModelCfg = make(map[string]string)
+	enforcer.ModelCfg["p"] = cfg.String("policy_definition::p")
+	if cfg.String("role_definition::g") != "" {
+		enforcer.ModelCfg["g"] = cfg.String("role_definition::g")
+	}
+
+	return nil
+}
--- a/object/get-dashboard.go
+++ b/object/get-dashboard.go
@@ -0,0 +1,140 @@
+// Copyright 2021 The Casdoor Authors. All Rights Reserved.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//      http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package object
+
+import (
+	"sync"
+	"time"
+)
+
+type Dashboard struct {
+	OrganizationCounts []int `json:"organizationCounts"`
+	UserCounts         []int `json:"userCounts"`
+	ProviderCounts     []int `json:"providerCounts"`
+	ApplicationCounts  []int `json:"applicationCounts"`
+	SubscriptionCounts []int `json:"subscriptionCounts"`
+}
+
+func GetDashboard(owner string) (*Dashboard, error) {
+	dashboard := &Dashboard{
+		OrganizationCounts: make([]int, 31),
+		UserCounts:         make([]int, 31),
+		ProviderCounts:     make([]int, 31),
+		ApplicationCounts:  make([]int, 31),
+		SubscriptionCounts: make([]int, 31),
+	}
+
+	var wg sync.WaitGroup
+
+	organizations := []Organization{}
+	users := []User{}
+	providers := []Provider{}
+	applications := []Application{}
+	subscriptions := []Subscription{}
+
+	wg.Add(5)
+	go func() {
+		defer wg.Done()
+		if err := ormer.Engine.Find(&organizations, &Organization{Owner: owner}); err != nil {
+			panic(err)
+		}
+	}()
+
+	go func() {
+		defer wg.Done()
+
+		if err := ormer.Engine.Find(&users, &User{Owner: owner}); err != nil {
+			panic(err)
+		}
+	}()
+
+	go func() {
+		defer wg.Done()
+
+		if err := ormer.Engine.Find(&providers, &Provider{Owner: owner}); err != nil {
+			panic(err)
+		}
+	}()
+
+	go func() {
+		defer wg.Done()
+
+		if err := ormer.Engine.Find(&applications, &Application{Owner: owner}); err != nil {
+			panic(err)
+		}
+	}()
+
+	go func() {
+		defer wg.Done()
+
+		if err := ormer.Engine.Find(&subscriptions, &Subscription{Owner: owner}); err != nil {
+			panic(err)
+		}
+	}()
+	wg.Wait()
+
+	nowTime := time.Now()
+	for i := 30; i >= 0; i-- {
+		cutTime := nowTime.AddDate(0, 0, -i)
+		dashboard.OrganizationCounts[30-i] = countCreatedBefore(organizations, cutTime)
+		dashboard.UserCounts[30-i] = countCreatedBefore(users, cutTime)
+		dashboard.ProviderCounts[30-i] = countCreatedBefore(providers, cutTime)
+		dashboard.ApplicationCounts[30-i] = countCreatedBefore(applications, cutTime)
+		dashboard.SubscriptionCounts[30-i] = countCreatedBefore(subscriptions, cutTime)
+	}
+	return dashboard, nil
+}
+
+func countCreatedBefore(objects interface{}, before time.Time) int {
+	count := 0
+	switch obj := objects.(type) {
+	case []Organization:
+		for _, o := range obj {
+			createdTime, _ := time.Parse("2006-01-02T15:04:05-07:00", o.CreatedTime)
+			if createdTime.Before(before) {
+				count++
+			}
+		}
+	case []User:
+		for _, u := range obj {
+			createdTime, _ := time.Parse("2006-01-02T15:04:05-07:00", u.CreatedTime)
+			if createdTime.Before(before) {
+				count++
+			}
+		}
+	case []Provider:
+		for _, p := range obj {
+			createdTime, _ := time.Parse("2006-01-02T15:04:05-07:00", p.CreatedTime)
+			if createdTime.Before(before) {
+				count++
+			}
+		}
+	case []Application:
+		for _, a := range obj {
+			createdTime, _ := time.Parse("2006-01-02T15:04:05-07:00", a.CreatedTime)
+			if createdTime.Before(before) {
+				count++
+			}
+		}
+	case []Subscription:
+		for _, s := range obj {
+			createdTime, _ := time.Parse("2006-01-02T15:04:05-07:00", s.CreatedTime)
+			if createdTime.Before(before) {
+				count++
+			}
+		}
+	}
+	return count
+}
--- a/object/group.go
+++ b/object/group.go
@@ -58,7 +58,7 @@ func GetGroupCount(owner, field, value string) (int64, error) {

 func GetGroups(owner string) ([]*Group, error) {
 	groups := []*Group{}
-	err := adapter.Engine.Desc("created_time").Find(&groups, &Group{Owner: owner})
+	err := ormer.Engine.Desc("created_time").Find(&groups, &Group{Owner: owner})
 	if err != nil {
 		return nil, err
 	}
@@ -83,7 +83,7 @@ func getGroup(owner string, name string) (*Group, error) {
 	}

 	group := Group{Owner: owner, Name: name}
-	existed, err := adapter.Engine.Get(&group)
+	existed, err := ormer.Engine.Get(&group)
 	if err != nil {
 		return nil, err
 	}
@@ -119,7 +119,7 @@ func UpdateGroup(id string, group *Group) (bool, error) {
 		}
 	}

-	affected, err := adapter.Engine.ID(core.PK{owner, name}).AllCols().Update(group)
+	affected, err := ormer.Engine.ID(core.PK{owner, name}).AllCols().Update(group)
 	if err != nil {
 		return false, err
 	}
@@ -133,7 +133,7 @@ func AddGroup(group *Group) (bool, error) {
 		return false, err
 	}

-	affected, err := adapter.Engine.Insert(group)
+	affected, err := ormer.Engine.Insert(group)
 	if err != nil {
 		return false, err
 	}
@@ -145,7 +145,7 @@ func AddGroups(groups []*Group) (bool, error) {
 	if len(groups) == 0 {
 		return false, nil
 	}
-	affected, err := adapter.Engine.Insert(groups)
+	affected, err := ormer.Engine.Insert(groups)
 	if err != nil {
 		return false, err
 	}
@@ -153,24 +153,24 @@ func AddGroups(groups []*Group) (bool, error) {
 }

 func DeleteGroup(group *Group) (bool, error) {
-	_, err := adapter.Engine.Get(group)
+	_, err := ormer.Engine.Get(group)
 	if err != nil {
 		return false, err
 	}

-	if count, err := adapter.Engine.Where("parent_id = ?", group.Name).Count(&Group{}); err != nil {
+	if count, err := ormer.Engine.Where("parent_id = ?", group.Name).Count(&Group{}); err != nil {
 		return false, err
 	} else if count > 0 {
 		return false, errors.New("group has children group")
 	}

-	if count, err := GetGroupUserCount(group.Name, "", ""); err != nil {
+	if count, err := GetGroupUserCount(group.GetId(), "", ""); err != nil {
 		return false, err
 	} else if count > 0 {
 		return false, errors.New("group has users")
 	}

-	affected, err := adapter.Engine.ID(core.PK{group.Owner, group.Name}).Delete(&Group{})
+	affected, err := ormer.Engine.ID(core.PK{group.Owner, group.Name}).Delete(&Group{})
 	if err != nil {
 		return false, err
 	}
@@ -179,7 +179,7 @@ func DeleteGroup(group *Group) (bool, error) {
 }

 func checkGroupName(name string) error {
-	exist, err := adapter.Engine.Exist(&Organization{Owner: "admin", Name: name})
+	exist, err := ormer.Engine.Exist(&Organization{Owner: "admin", Name: name})
 	if err != nil {
 		return err
 	}
@@ -214,39 +214,33 @@ func ConvertToTreeData(groups []*Group, parentId string) []*Group {
 	return treeData
 }

-func RemoveUserFromGroup(owner, name, groupName string) (bool, error) {
-	user, err := getUser(owner, name)
+func GetGroupUserCount(groupId string, field, value string) (int64, error) {
+	owner, _ := util.GetOwnerAndNameFromId(groupId)
+	names, err := userEnforcer.GetUserNamesByGroupName(groupId)
 	if err != nil {
-		return false, err
-	}
-	if user == nil {
-		return false, errors.New("user not exist")
+		return 0, err
 	}

-	user.Groups = util.DeleteVal(user.Groups, groupName)
-	affected, err := updateUser(user.GetId(), user, []string{"groups"})
-	if err != nil {
-		return false, err
-	}
-	return affected != 0, err
-}
-
-func GetGroupUserCount(groupName string, field, value string) (int64, error) {
 	if field == "" && value == "" {
-		return adapter.Engine.Where(builder.Like{"`groups`", groupName}).
-			Count(&User{})
+		return int64(len(names)), nil
 	} else {
-		return adapter.Engine.Table("user").
-			Where(builder.Like{"`groups`", groupName}).
+		return ormer.Engine.Table("user").
+			Where("owner = ?", owner).In("name", names).
 			And(fmt.Sprintf("user.%s LIKE ?", util.CamelToSnakeCase(field)), "%"+value+"%").
 			Count()
 	}
 }

-func GetPaginationGroupUsers(groupName string, offset, limit int, field, value, sortField, sortOrder string) ([]*User, error) {
+func GetPaginationGroupUsers(groupId string, offset, limit int, field, value, sortField, sortOrder string) ([]*User, error) {
 	users := []*User{}
-	session := adapter.Engine.Table("user").
-		Where(builder.Like{"`groups`", groupName + "\""})
+	owner, _ := util.GetOwnerAndNameFromId(groupId)
+	names, err := userEnforcer.GetUserNamesByGroupName(groupId)
+	if err != nil {
+		return nil, err
+	}
+
+	session := ormer.Engine.Table("user").
+		Where("owner = ?", owner).In("name", names)

 	if offset != -1 && limit != -1 {
 		session.Limit(limit, offset)
@@ -265,7 +259,7 @@ func GetPaginationGroupUsers(groupName string, offset, limit int, field, value,
 		session = session.Desc(fmt.Sprintf("user.%s", util.SnakeString(sortField)))
 	}

-	err := session.Find(&users)
+	err = session.Find(&users)
 	if err != nil {
 		return nil, err
 	}
@@ -273,20 +267,20 @@ func GetPaginationGroupUsers(groupName string, offset, limit int, field, value,
 	return users, nil
 }

-func GetGroupUsers(groupName string) ([]*User, error) {
+func GetGroupUsers(groupId string) ([]*User, error) {
 	users := []*User{}
-	err := adapter.Engine.Table("user").
-		Where(builder.Like{"`groups`", groupName + "\""}).
-		Find(&users)
+	owner, _ := util.GetOwnerAndNameFromId(groupId)
+	names, err := userEnforcer.GetUserNamesByGroupName(groupId)
+
+	err = ormer.Engine.Where("owner = ?", owner).In("name", names).Find(&users)
 	if err != nil {
 		return nil, err
 	}
-
 	return users, nil
 }

 func GroupChangeTrigger(oldName, newName string) error {
-	session := adapter.Engine.NewSession()
+	session := ormer.Engine.NewSession()
 	defer session.Close()
 	err := session.Begin()
 	if err != nil {
--- a/object/init.go
+++ b/object/init.go
@@ -27,7 +27,6 @@ import (
 func InitDb() {
 	existed := initBuiltInOrganization()
 	if !existed {
-		initBuiltInModel()
 		initBuiltInPermission()
 		initBuiltInProvider()
 		initBuiltInUser()
@@ -36,6 +35,15 @@ func InitDb() {
 		initBuiltInLdap()
 	}

+	existed = initBuiltInApiModel()
+	if !existed {
+		initBuiltInApiAdapter()
+		initBuiltInApiEnforcer()
+		initBuiltInUserModel()
+		initBuiltInUserAdapter()
+		initBuiltInUserEnforcer()
+	}
+
 	initWebAuthn()
 }

@@ -65,7 +73,6 @@ func getBuiltInAccountItems() []*AccountItem {
 		{Name: "3rd-party logins", Visible: true, ViewRule: "Self", ModifyRule: "Self"},
 		{Name: "Properties", Visible: false, ViewRule: "Admin", ModifyRule: "Admin"},
 		{Name: "Is admin", Visible: true, ViewRule: "Admin", ModifyRule: "Admin"},
-		{Name: "Is global admin", Visible: true, ViewRule: "Admin", ModifyRule: "Admin"},
 		{Name: "Is forbidden", Visible: true, ViewRule: "Admin", ModifyRule: "Admin"},
 		{Name: "Is deleted", Visible: true, ViewRule: "Admin", ModifyRule: "Admin"},
 		{Name: "Multi-factor authentication", Visible: true, ViewRule: "Self", ModifyRule: "Self"},
@@ -137,7 +144,6 @@ func initBuiltInUser() {
 		Score:             2000,
 		Ranking:           1,
 		IsAdmin:           true,
-		IsGlobalAdmin:     true,
 		IsForbidden:       false,
 		IsDeleted:         false,
 		SignupApplication: "app-built-in",
@@ -295,8 +301,8 @@ func initWebAuthn() {
 	gob.Register(webauthn.SessionData{})
 }

-func initBuiltInModel() {
-	model, err := GetModel("built-in/model-built-in")
+func initBuiltInUserModel() {
+	model, err := GetModel("built-in/user-model-built-in")
 	if err != nil {
 		panic(err)
 	}
@@ -307,21 +313,23 @@ func initBuiltInModel() {

 	model = &Model{
 		Owner:       "built-in",
-		Name:        "model-built-in",
+		Name:        "user-model-built-in",
 		CreatedTime: util.GetCurrentTime(),
 		DisplayName: "Built-in Model",
-		IsEnabled:   true,
 		ModelText: `[request_definition]
 r = sub, obj, act

 [policy_definition]
 p = sub, obj, act

+[role_definition]
+g = _, _
+
 [policy_effect]
 e = some(where (p.eft == allow))

 [matchers]
-m = r.sub == p.sub && r.obj == p.obj && r.act == p.act`,
+m = g(r.sub, p.sub) && r.obj == p.obj && r.act == p.act`,
 	}
 	_, err = AddModel(model)
 	if err != nil {
@@ -329,6 +337,51 @@ m = r.sub == p.sub && r.obj == p.obj && r.act == p.act`,
 	}
 }

+func initBuiltInApiModel() bool {
+	model, err := GetModel("built-in/api-model-built-in")
+	if err != nil {
+		panic(err)
+	}
+
+	if model != nil {
+		return true
+	}
+
+	modelText := `[request_definition]
+r = subOwner, subName, method, urlPath, objOwner, objName
+
+[policy_definition]
+p = subOwner, subName, method, urlPath, objOwner, objName
+
+[role_definition]
+g = _, _
+
+[policy_effect]
+e = some(where (p.eft == allow))
+
+[matchers]
+m = (r.subOwner == p.subOwner || p.subOwner == "*") && \
+    (r.subName == p.subName || p.subName == "*" || r.subName != "anonymous" && p.subName == "!anonymous") && \
+    (r.method == p.method || p.method == "*") && \
+    (r.urlPath == p.urlPath || p.urlPath == "*") && \
+    (r.objOwner == p.objOwner || p.objOwner == "*") && \
+    (r.objName == p.objName || p.objName == "*") || \
+    (r.subOwner == r.objOwner && r.subName == r.objName)`
+
+	model = &Model{
+		Owner:       "built-in",
+		Name:        "api-model-built-in",
+		CreatedTime: util.GetCurrentTime(),
+		DisplayName: "API Model",
+		ModelText:   modelText,
+	}
+	_, err = AddModel(model)
+	if err != nil {
+		panic(err)
+	}
+	return false
+}
+
 func initBuiltInPermission() {
 	permission, err := GetPermission("built-in/permission-built-in")
 	if err != nil {
@@ -358,3 +411,105 @@ func initBuiltInPermission() {
 		panic(err)
 	}
 }
+
+func initBuiltInUserAdapter() {
+	adapter, err := GetAdapter("built-in/user-adapter-built-in")
+	if err != nil {
+		panic(err)
+	}
+
+	if adapter != nil {
+		return
+	}
+
+	adapter = &Adapter{
+		Owner:           "built-in",
+		Name:            "user-adapter-built-in",
+		CreatedTime:     util.GetCurrentTime(),
+		Type:            "Database",
+		DatabaseType:    conf.GetConfigString("driverName"),
+		TableNamePrefix: conf.GetConfigString("tableNamePrefix"),
+		Database:        conf.GetConfigString("dbName"),
+		Table:           "casbin_user_rule",
+	}
+	_, err = AddAdapter(adapter)
+	if err != nil {
+		panic(err)
+	}
+}
+
+func initBuiltInApiAdapter() {
+	adapter, err := GetAdapter("built-in/api-adapter-built-in")
+	if err != nil {
+		panic(err)
+	}
+
+	if adapter != nil {
+		return
+	}
+
+	adapter = &Adapter{
+		Owner:           "built-in",
+		Name:            "api-adapter-built-in",
+		CreatedTime:     util.GetCurrentTime(),
+		Type:            "Database",
+		DatabaseType:    conf.GetConfigString("driverName"),
+		TableNamePrefix: conf.GetConfigString("tableNamePrefix"),
+		Database:        conf.GetConfigString("dbName"),
+		Table:           "casbin_api_rule",
+	}
+	_, err = AddAdapter(adapter)
+	if err != nil {
+		panic(err)
+	}
+}
+
+func initBuiltInUserEnforcer() {
+	enforcer, err := GetEnforcer("built-in/user-enforcer-built-in")
+	if err != nil {
+		panic(err)
+	}
+
+	if enforcer != nil {
+		return
+	}
+
+	enforcer = &Enforcer{
+		Owner:       "built-in",
+		Name:        "user-enforcer-built-in",
+		CreatedTime: util.GetCurrentTime(),
+		DisplayName: "User Enforcer",
+		Model:       "built-in/user-model-built-in",
+		Adapter:     "built-in/user-adapter-built-in",
+	}
+
+	_, err = AddEnforcer(enforcer)
+	if err != nil {
+		panic(err)
+	}
+}
+
+func initBuiltInApiEnforcer() {
+	enforcer, err := GetEnforcer("built-in/api-enforcer-built-in")
+	if err != nil {
+		panic(err)
+	}
+
+	if enforcer != nil {
+		return
+	}
+
+	enforcer = &Enforcer{
+		Owner:       "built-in",
+		Name:        "api-enforcer-built-in",
+		CreatedTime: util.GetCurrentTime(),
+		DisplayName: "API Enforcer",
+		Model:       "built-in/api-model-built-in",
+		Adapter:     "built-in/api-adapter-built-in",
+	}
+
+	_, err = AddEnforcer(enforcer)
+	if err != nil {
+		panic(err)
+	}
+}
--- a/object/ldap.go
+++ b/object/ldap.go
@@ -46,7 +46,7 @@ func AddLdap(ldap *Ldap) (bool, error) {
 		ldap.CreatedTime = util.GetCurrentTime()
 	}

-	affected, err := adapter.Engine.Insert(ldap)
+	affected, err := ormer.Engine.Insert(ldap)
 	if err != nil {
 		return false, err
 	}
@@ -56,7 +56,7 @@ func AddLdap(ldap *Ldap) (bool, error) {

 func CheckLdapExist(ldap *Ldap) (bool, error) {
 	var result []*Ldap
-	err := adapter.Engine.Find(&result, &Ldap{
+	err := ormer.Engine.Find(&result, &Ldap{
 		Owner:    ldap.Owner,
 		Host:     ldap.Host,
 		Port:     ldap.Port,
@@ -77,7 +77,7 @@ func CheckLdapExist(ldap *Ldap) (bool, error) {

 func GetLdaps(owner string) ([]*Ldap, error) {
 	var ldaps []*Ldap
-	err := adapter.Engine.Desc("created_time").Find(&ldaps, &Ldap{Owner: owner})
+	err := ormer.Engine.Desc("created_time").Find(&ldaps, &Ldap{Owner: owner})
 	if err != nil {
 		return ldaps, err
 	}
@@ -91,7 +91,7 @@ func GetLdap(id string) (*Ldap, error) {
 	}

 	ldap := Ldap{Id: id}
-	existed, err := adapter.Engine.Get(&ldap)
+	existed, err := ormer.Engine.Get(&ldap)
 	if err != nil {
 		return &ldap, nil
 	}
@@ -135,13 +135,19 @@ func GetMaskedLdaps(ldaps []*Ldap, errs ...error) ([]*Ldap, error) {
 }

 func UpdateLdap(ldap *Ldap) (bool, error) {
-	if l, err := GetLdap(ldap.Id); err != nil {
+	var l *Ldap
+	var err error
+	if l, err = GetLdap(ldap.Id); err != nil {
 		return false, nil
 	} else if l == nil {
 		return false, nil
 	}

-	affected, err := adapter.Engine.ID(ldap.Id).Cols("owner", "server_name", "host",
+	if ldap.Password == "***" {
+		ldap.Password = l.Password
+	}
+
+	affected, err := ormer.Engine.ID(ldap.Id).Cols("owner", "server_name", "host",
 		"port", "enable_ssl", "username", "password", "base_dn", "filter", "filter_fields", "auto_sync").Update(ldap)
 	if err != nil {
 		return false, nil
@@ -151,7 +157,7 @@ func UpdateLdap(ldap *Ldap) (bool, error) {
 }

 func DeleteLdap(ldap *Ldap) (bool, error) {
-	affected, err := adapter.Engine.ID(ldap.Id).Delete(&Ldap{})
+	affected, err := ormer.Engine.ID(ldap.Id).Delete(&Ldap{})
 	if err != nil {
 		return false, err
 	}
--- a/object/ldap_autosync.go
+++ b/object/ldap_autosync.go
@@ -118,7 +118,7 @@ func (l *LdapAutoSynchronizer) syncRoutine(ldap *Ldap, stopChan chan struct{}) e
 // start all autosync goroutine for existing ldap servers in each organizations
 func (l *LdapAutoSynchronizer) LdapAutoSynchronizerStartUpAll() error {
 	organizations := []*Organization{}
-	err := adapter.Engine.Desc("created_time").Find(&organizations)
+	err := ormer.Engine.Desc("created_time").Find(&organizations)
 	if err != nil {
 		logs.Info("failed to Star up LdapAutoSynchronizer; ")
 	}
@@ -141,7 +141,7 @@ func (l *LdapAutoSynchronizer) LdapAutoSynchronizerStartUpAll() error {
 }

 func UpdateLdapSyncTime(ldapId string) error {
-	_, err := adapter.Engine.ID(ldapId).Update(&Ldap{LastSync: util.GetCurrentTime()})
+	_, err := ormer.Engine.ID(ldapId).Update(&Ldap{LastSync: util.GetCurrentTime()})
 	if err != nil {
 		return err
 	}
--- a/object/ldap_conn.go
+++ b/object/ldap_conn.go
@@ -41,19 +41,20 @@ type LdapUser struct {
 	GidNumber string `json:"gidNumber"`
 	// Gcn                   string
 	Uuid                  string `json:"uuid"`
+	UserPrincipalName     string `json:"userPrincipalName"`
 	DisplayName           string `json:"displayName"`
 	Mail                  string
 	Email                 string `json:"email"`
 	EmailAddress          string
 	TelephoneNumber       string
-	Mobile                string
+	Mobile                string `json:"mobile"`
 	MobileTelephoneNumber string
 	RegisteredAddress     string
 	PostalAddress         string

-	GroupId string `json:"groupId"`
-	Phone   string `json:"phone"`
-	Address string `json:"address"`
+	GroupId  string `json:"groupId"`
+	Address  string `json:"address"`
+	MemberOf string `json:"memberOf"`
 }

 func (ldap *Ldap) GetLdapConn() (c *LdapConn, err error) {
@@ -168,6 +169,8 @@ func (l *LdapConn) GetLdapUsers(ldapServer *Ldap) ([]LdapUser, error) {
 				user.Uuid = attribute.Values[0]
 			case "objectGUID":
 				user.Uuid = attribute.Values[0]
+			case "userPrincipalName":
+				user.UserPrincipalName = attribute.Values[0]
 			case "displayName":
 				user.DisplayName = attribute.Values[0]
 			case "mail":
@@ -186,6 +189,8 @@ func (l *LdapConn) GetLdapUsers(ldapServer *Ldap) ([]LdapUser, error) {
 				user.RegisteredAddress = attribute.Values[0]
 			case "postalAddress":
 				user.PostalAddress = attribute.Values[0]
+			case "memberOf":
+				user.MemberOf = attribute.Values[0]
 			}
 		}
 		ldapUsers = append(ldapUsers, user)
@@ -306,18 +311,20 @@ func SyncLdapUsers(owner string, syncUsers []LdapUser, ldapId string) (existUser
 			}

 			newUser := &User{
-				Owner:       owner,
-				Name:        name,
-				CreatedTime: util.GetCurrentTime(),
-				DisplayName: syncUser.buildLdapDisplayName(),
-				Avatar:      organization.DefaultAvatar,
-				Email:       syncUser.Email,
-				Phone:       syncUser.Phone,
-				Address:     []string{syncUser.Address},
-				Affiliation: affiliation,
-				Tag:         tag,
-				Score:       score,
-				Ldap:        syncUser.Uuid,
+				Owner:             owner,
+				Name:              name,
+				CreatedTime:       util.GetCurrentTime(),
+				DisplayName:       syncUser.buildLdapDisplayName(),
+				SignupApplication: organization.DefaultApplication,
+				Type:              "normal-user",
+				Avatar:            organization.DefaultAvatar,
+				Email:             syncUser.Email,
+				Phone:             syncUser.Mobile,
+				Address:           []string{syncUser.Address},
+				Affiliation:       affiliation,
+				Tag:               tag,
+				Score:             score,
+				Ldap:              syncUser.Uuid,
 			}

 			affected, err := AddUser(newUser)
@@ -338,7 +345,7 @@ func SyncLdapUsers(owner string, syncUsers []LdapUser, ldapId string) (existUser
 func GetExistUuids(owner string, uuids []string) ([]string, error) {
 	var existUuids []string

-	err := adapter.Engine.Table("user").Where("owner = ?", owner).Cols("ldap").
+	err := ormer.Engine.Table("user").Where("owner = ?", owner).Cols("ldap").
 		In("ldap", uuids).Select("DISTINCT ldap").Find(&existUuids)
 	if err != nil {
 		return existUuids, err
@@ -350,7 +357,7 @@ func GetExistUuids(owner string, uuids []string) ([]string, error) {
 func (ldapUser *LdapUser) buildLdapUserName() (string, error) {
 	user := User{}
 	uidWithNumber := fmt.Sprintf("%s_%s", ldapUser.Uid, ldapUser.UidNumber)
-	has, err := adapter.Engine.Where("name = ? or name = ?", ldapUser.Uid, uidWithNumber).Get(&user)
+	has, err := ormer.Engine.Where("name = ? or name = ?", ldapUser.Uid, uidWithNumber).Get(&user)
 	if err != nil {
 		return "", err
 	}
--- a/object/message.go
+++ b/object/message.go
@@ -1,143 +0,0 @@
-// Copyright 2023 The Casdoor Authors. All Rights Reserved.
-//
-// Licensed under the Apache License, Version 2.0 (the "License");
-// you may not use this file except in compliance with the License.
-// You may obtain a copy of the License at
-//
-//      http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing, software
-// distributed under the License is distributed on an "AS IS" BASIS,
-// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-// See the License for the specific language governing permissions and
-// limitations under the License.
-
-package object
-
-import (
-	"fmt"
-
-	"github.com/casdoor/casdoor/util"
-	"github.com/xorm-io/core"
-)
-
-type Message struct {
-	Owner       string `xorm:"varchar(100) notnull pk" json:"owner"`
-	Name        string `xorm:"varchar(100) notnull pk" json:"name"`
-	CreatedTime string `xorm:"varchar(100)" json:"createdTime"`
-
-	Organization string `xorm:"varchar(100)" json:"organization"`
-	Chat         string `xorm:"varchar(100) index" json:"chat"`
-	ReplyTo      string `xorm:"varchar(100) index" json:"replyTo"`
-	Author       string `xorm:"varchar(100)" json:"author"`
-	Text         string `xorm:"mediumtext" json:"text"`
-}
-
-func GetMaskedMessage(message *Message) *Message {
-	if message == nil {
-		return nil
-	}
-
-	return message
-}
-
-func GetMaskedMessages(messages []*Message) []*Message {
-	for _, message := range messages {
-		message = GetMaskedMessage(message)
-	}
-	return messages
-}
-
-func GetMessageCount(owner, organization, field, value string) (int64, error) {
-	session := GetSession(owner, -1, -1, field, value, "", "")
-	return session.Count(&Message{Organization: organization})
-}
-
-func GetMessages(owner string) ([]*Message, error) {
-	messages := []*Message{}
-	err := adapter.Engine.Desc("created_time").Find(&messages, &Message{Owner: owner})
-	return messages, err
-}
-
-func GetChatMessages(chat string) ([]*Message, error) {
-	messages := []*Message{}
-	err := adapter.Engine.Asc("created_time").Find(&messages, &Message{Chat: chat})
-	return messages, err
-}
-
-func GetPaginationMessages(owner, organization string, offset, limit int, field, value, sortField, sortOrder string) ([]*Message, error) {
-	messages := []*Message{}
-	session := GetSession(owner, offset, limit, field, value, sortField, sortOrder)
-	err := session.Find(&messages, &Message{Organization: organization})
-	return messages, err
-}
-
-func getMessage(owner string, name string) (*Message, error) {
-	if owner == "" || name == "" {
-		return nil, nil
-	}
-
-	message := Message{Owner: owner, Name: name}
-	existed, err := adapter.Engine.Get(&message)
-	if err != nil {
-		return nil, err
-	}
-
-	if existed {
-		return &message, nil
-	} else {
-		return nil, nil
-	}
-}
-
-func GetMessage(id string) (*Message, error) {
-	owner, name := util.GetOwnerAndNameFromId(id)
-	return getMessage(owner, name)
-}
-
-func UpdateMessage(id string, message *Message) (bool, error) {
-	owner, name := util.GetOwnerAndNameFromId(id)
-	if m, err := getMessage(owner, name); err != nil {
-		return false, err
-	} else if m == nil {
-		return false, nil
-	}
-
-	affected, err := adapter.Engine.ID(core.PK{owner, name}).AllCols().Update(message)
-	if err != nil {
-		return false, err
-	}
-
-	return affected != 0, nil
-}
-
-func AddMessage(message *Message) (bool, error) {
-	affected, err := adapter.Engine.Insert(message)
-	if err != nil {
-		return false, err
-	}
-
-	return affected != 0, nil
-}
-
-func DeleteMessage(message *Message) (bool, error) {
-	affected, err := adapter.Engine.ID(core.PK{message.Owner, message.Name}).Delete(&Message{})
-	if err != nil {
-		return false, err
-	}
-
-	return affected != 0, nil
-}
-
-func DeleteChatMessages(chat string) (bool, error) {
-	affected, err := adapter.Engine.Delete(&Message{Chat: chat})
-	if err != nil {
-		return false, err
-	}
-
-	return affected != 0, nil
-}
-
-func (p *Message) GetId() string {
-	return fmt.Sprintf("%s/%s", p.Owner, p.Name)
-}
--- a/object/mfa.go
+++ b/object/mfa.go
@@ -84,7 +84,7 @@ func MfaRecover(user *User, recoveryCode string) error {
 		return fmt.Errorf("recovery code not found")
 	}

-	_, err := UpdateUser(user.GetId(), user, []string{"recovery_codes"}, user.IsAdminUser())
+	_, err := UpdateUser(user.GetId(), user, []string{"recovery_codes"}, false)
 	if err != nil {
 		return err
 	}
@@ -181,7 +181,7 @@ func DisabledMultiFactorAuth(user *User) error {
 func SetPreferredMultiFactorAuth(user *User, mfaType string) error {
 	user.PreferredMfaType = mfaType

-	_, err := UpdateUser(user.GetId(), user, []string{"preferred_mfa_type"}, user.IsAdminUser())
+	_, err := UpdateUser(user.GetId(), user, []string{"preferred_mfa_type"}, false)
 	if err != nil {
 		return err
 	}
--- a/object/mfa_totp.go
+++ b/object/mfa_totp.go
@@ -17,6 +17,7 @@ package object
 import (
 	"errors"
 	"fmt"
+	"time"

 	"github.com/beego/beego"
 	"github.com/beego/beego/context"
@@ -25,7 +26,10 @@ import (
 	"github.com/pquerna/otp/totp"
 )

-const MfaTotpSecretSession = "mfa_totp_secret"
+const (
+	MfaTotpSecretSession   = "mfa_totp_secret"
+	MfaTotpPeriodInSeconds = 30
+)

 type TotpMfa struct {
 	Config     *MfaProps
@@ -76,7 +80,13 @@ func (mfa *TotpMfa) SetupVerify(ctx *context.Context, passcode string) error {
 	if secret == nil {
 		return errors.New("totp secret is missing")
 	}
-	result := totp.Validate(passcode, secret.(string))
+
+	result, _ := totp.ValidateCustom(passcode, secret.(string), time.Now().UTC(), totp.ValidateOpts{
+		Period:    MfaTotpPeriodInSeconds,
+		Skew:      1,
+		Digits:    otp.DigitsSix,
+		Algorithm: otp.AlgorithmSHA1,
+	})

 	if result {
 		return nil
@@ -133,7 +143,7 @@ func NewTotpMfaUtil(config *MfaProps) *TotpMfa {

 	return &TotpMfa{
 		Config:     config,
-		period:     30,
+		period:     MfaTotpPeriodInSeconds,
 		secretSize: 20,
 		digits:     otp.DigitsSix,
 	}
--- a/object/migrator.go
+++ b/object/migrator.go
@@ -43,7 +43,7 @@ func DoMigration() {
 		IDColumnName: "id",
 	}

-	m := migrate.New(adapter.Engine, options, migrations)
+	m := migrate.New(ormer.Engine, options, migrations)
 	err := m.Migrate()
 	if err != nil {
 		panic(err)
--- a/object/migrator_1_101_0_PR_1083.go
+++ b/object/migrator_1_101_0_PR_1083.go
@@ -24,9 +24,9 @@ import (
 type Migrator_1_101_0_PR_1083 struct{}

 func (*Migrator_1_101_0_PR_1083) IsMigrationNeeded() bool {
-	exist1, _ := adapter.Engine.IsTableExist("model")
-	exist2, _ := adapter.Engine.IsTableExist("permission")
-	exist3, _ := adapter.Engine.IsTableExist("permission_rule")
+	exist1, _ := ormer.Engine.IsTableExist("model")
+	exist2, _ := ormer.Engine.IsTableExist("permission")
+	exist3, _ := ormer.Engine.IsTableExist("permission_rule")

 	if exist1 && exist2 && exist3 {
 		return true
--- a/object/migrator_1_235_0_PR_1530.go
+++ b/object/migrator_1_235_0_PR_1530.go
@@ -23,7 +23,7 @@ import (
 type Migrator_1_235_0_PR_1530 struct{}

 func (*Migrator_1_235_0_PR_1530) IsMigrationNeeded() bool {
-	exist, _ := adapter.Engine.IsTableExist("casbin_rule")
+	exist, _ := ormer.Engine.IsTableExist("casbin_rule")

 	return exist
 }
--- a/object/migrator_1_240_0_PR_1539.go
+++ b/object/migrator_1_240_0_PR_1539.go
@@ -24,8 +24,8 @@ import (
 type Migrator_1_240_0_PR_1539 struct{}

 func (*Migrator_1_240_0_PR_1539) IsMigrationNeeded() bool {
-	exist, _ := adapter.Engine.IsTableExist("session")
-	err := adapter.Engine.Table("session").Find(&[]*Session{})
+	exist, _ := ormer.Engine.IsTableExist("session")
+	err := ormer.Engine.Table("session").Find(&[]*Session{})

 	if exist && err != nil {
 		return true
--- a/object/migrator_1_314_0_PR_1841.go
+++ b/object/migrator_1_314_0_PR_1841.go
@@ -22,7 +22,7 @@ import (
 type Migrator_1_314_0_PR_1841 struct{}

 func (*Migrator_1_314_0_PR_1841) IsMigrationNeeded() bool {
-	count, err := adapter.Engine.Where("password_type=?", "").Count(&User{})
+	count, err := ormer.Engine.Where("password_type=?", "").Count(&User{})
 	if err != nil {
 		// table doesn't exist
 		return false
--- a/object/model.go
+++ b/object/model.go
@@ -30,7 +30,8 @@ type Model struct {
 	Description string `xorm:"varchar(100)" json:"description"`

 	ModelText string `xorm:"mediumtext" json:"modelText"`
-	IsEnabled bool   `json:"isEnabled"`
+
+	model.Model `xorm:"-" json:"-"`
 }

 func GetModelCount(owner, field, value string) (int64, error) {
@@ -40,7 +41,7 @@ func GetModelCount(owner, field, value string) (int64, error) {

 func GetModels(owner string) ([]*Model, error) {
 	models := []*Model{}
-	err := adapter.Engine.Desc("created_time").Find(&models, &Model{Owner: owner})
+	err := ormer.Engine.Desc("created_time").Find(&models, &Model{Owner: owner})
 	if err != nil {
 		return models, err
 	}
@@ -65,7 +66,7 @@ func getModel(owner string, name string) (*Model, error) {
 	}

 	m := Model{Owner: owner, Name: name}
-	existed, err := adapter.Engine.Get(&m)
+	existed, err := ormer.Engine.Get(&m)
 	if err != nil {
 		return &m, err
 	}
@@ -111,7 +112,7 @@ func UpdateModel(id string, modelObj *Model) (bool, error) {
 		}
 	}

-	affected, err := adapter.Engine.ID(core.PK{owner, name}).AllCols().Update(modelObj)
+	affected, err := ormer.Engine.ID(core.PK{owner, name}).AllCols().Update(modelObj)
 	if err != nil {
 		return false, err
 	}
@@ -120,7 +121,7 @@ func UpdateModel(id string, modelObj *Model) (bool, error) {
 }

 func AddModel(model *Model) (bool, error) {
-	affected, err := adapter.Engine.Insert(model)
+	affected, err := ormer.Engine.Insert(model)
 	if err != nil {
 		return false, err
 	}
@@ -129,7 +130,7 @@ func AddModel(model *Model) (bool, error) {
 }

 func DeleteModel(model *Model) (bool, error) {
-	affected, err := adapter.Engine.ID(core.PK{model.Owner, model.Name}).Delete(&Model{})
+	affected, err := ormer.Engine.ID(core.PK{model.Owner, model.Name}).Delete(&Model{})
 	if err != nil {
 		return false, err
 	}
@@ -137,12 +138,12 @@ func DeleteModel(model *Model) (bool, error) {
 	return affected != 0, nil
 }

-func (model *Model) GetId() string {
-	return fmt.Sprintf("%s/%s", model.Owner, model.Name)
+func (m *Model) GetId() string {
+	return fmt.Sprintf("%s/%s", m.Owner, m.Name)
 }

 func modelChangeTrigger(oldName string, newName string) error {
-	session := adapter.Engine.NewSession()
+	session := ormer.Engine.NewSession()
 	defer session.Close()

 	err := session.Begin()
@@ -175,3 +176,15 @@ func HasRoleDefinition(m model.Model) bool {
 	}
 	return m["g"] != nil
 }
+
+func (m *Model) initModel() error {
+	if m.Model == nil {
+		casbinModel, err := model.NewModelFromString(m.ModelText)
+		if err != nil {
+			return err
+		}
+		m.Model = casbinModel
+	}
+
+	return nil
+}
--- a/object/notification.go
+++ b/object/notification.go
@@ -0,0 +1,42 @@
+// Copyright 2023 The Casdoor Authors. All Rights Reserved.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//      http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package object
+
+import (
+	"context"
+
+	"github.com/casdoor/casdoor/notification"
+	"github.com/nikoksr/notify"
+)
+
+func getNotificationClient(provider *Provider) (notify.Notifier, error) {
+	var client notify.Notifier
+	client, err := notification.GetNotificationProvider(provider.Type, provider.AppId, provider.Receiver, provider.Method, provider.Title)
+	if err != nil {
+		return nil, err
+	}
+
+	return client, nil
+}
+
+func SendNotification(provider *Provider, content string) error {
+	client, err := getNotificationClient(provider)
+	if err != nil {
+		return err
+	}
+
+	err = client.Send(context.Background(), "", content)
+	return err
+}
--- a/object/oidc_discovery.go
+++ b/object/oidc_discovery.go
@@ -103,7 +103,7 @@ func GetOidcDiscovery(host string) OidcDiscovery {
 		SubjectTypesSupported:                  []string{"public"},
 		IdTokenSigningAlgValuesSupported:       []string{"RS256"},
 		ScopesSupported:                        []string{"openid", "email", "profile", "address", "phone", "offline_access"},
-		ClaimsSupported:                        []string{"iss", "ver", "sub", "aud", "iat", "exp", "id", "type", "displayName", "avatar", "permanentAvatar", "email", "phone", "location", "affiliation", "title", "homepage", "bio", "tag", "region", "language", "score", "ranking", "isOnline", "isAdmin", "isGlobalAdmin", "isForbidden", "signupApplication", "ldap"},
+		ClaimsSupported:                        []string{"iss", "ver", "sub", "aud", "iat", "exp", "id", "type", "displayName", "avatar", "permanentAvatar", "email", "phone", "location", "affiliation", "title", "homepage", "bio", "tag", "region", "language", "score", "ranking", "isOnline", "isAdmin", "isForbidden", "signupApplication", "ldap"},
 		RequestParameterSupported:              true,
 		RequestObjectSigningAlgValuesSupported: []string{"HS256", "HS384", "HS512"},
 		EndSessionEndpoint:                     fmt.Sprintf("%s/api/logout", originBackend),
--- a/object/organization.go
+++ b/object/organization.go
@@ -80,12 +80,12 @@ func GetOrganizationCount(owner, field, value string) (int64, error) {
 func GetOrganizations(owner string, name ...string) ([]*Organization, error) {
 	organizations := []*Organization{}
 	if name != nil && len(name) > 0 {
-		err := adapter.Engine.Desc("created_time").Where(builder.In("name", name)).Find(&organizations)
+		err := ormer.Engine.Desc("created_time").Where(builder.In("name", name)).Find(&organizations)
 		if err != nil {
 			return nil, err
 		}
 	} else {
-		err := adapter.Engine.Desc("created_time").Find(&organizations, &Organization{Owner: owner})
+		err := ormer.Engine.Desc("created_time").Find(&organizations, &Organization{Owner: owner})
 		if err != nil {
 			return nil, err
 		}
@@ -96,7 +96,7 @@ func GetOrganizations(owner string, name ...string) ([]*Organization, error) {

 func GetOrganizationsByFields(owner string, fields ...string) ([]*Organization, error) {
 	organizations := []*Organization{}
-	err := adapter.Engine.Desc("created_time").Cols(fields...).Find(&organizations, &Organization{Owner: owner})
+	err := ormer.Engine.Desc("created_time").Cols(fields...).Find(&organizations, &Organization{Owner: owner})
 	if err != nil {
 		return nil, err
 	}
@@ -126,7 +126,7 @@ func getOrganization(owner string, name string) (*Organization, error) {
 	}

 	organization := Organization{Owner: owner, Name: name}
-	existed, err := adapter.Engine.Get(&organization)
+	existed, err := ormer.Engine.Get(&organization)
 	if err != nil {
 		return nil, err
 	}
@@ -189,7 +189,7 @@ func UpdateOrganization(id string, organization *Organization) (bool, error) {
 	if name != organization.Name {
 		err := organizationChangeTrigger(name, organization.Name)
 		if err != nil {
-			return false, nil
+			return false, err
 		}
 	}

@@ -201,7 +201,7 @@ func UpdateOrganization(id string, organization *Organization) (bool, error) {
 		}
 	}

-	session := adapter.Engine.ID(core.PK{owner, name}).AllCols()
+	session := ormer.Engine.ID(core.PK{owner, name}).AllCols()
 	if organization.MasterPassword == "***" {
 		session.Omit("master_password")
 	}
@@ -214,7 +214,7 @@ func UpdateOrganization(id string, organization *Organization) (bool, error) {
 }

 func AddOrganization(organization *Organization) (bool, error) {
-	affected, err := adapter.Engine.Insert(organization)
+	affected, err := ormer.Engine.Insert(organization)
 	if err != nil {
 		return false, err
 	}
@@ -227,7 +227,7 @@ func DeleteOrganization(organization *Organization) (bool, error) {
 		return false, nil
 	}

-	affected, err := adapter.Engine.ID(core.PK{organization.Owner, organization.Name}).Delete(&Organization{})
+	affected, err := ormer.Engine.ID(core.PK{organization.Owner, organization.Name}).Delete(&Organization{})
 	if err != nil {
 		return false, err
 	}
@@ -299,7 +299,7 @@ func GetDefaultApplication(id string) (*Application, error) {
 	}

 	applications := []*Application{}
-	err = adapter.Engine.Asc("created_time").Find(&applications, &Application{Organization: organization.Name})
+	err = ormer.Engine.Asc("created_time").Find(&applications, &Application{Organization: organization.Name})
 	if err != nil {
 		return nil, err
 	}
@@ -330,7 +330,7 @@ func GetDefaultApplication(id string) (*Application, error) {
 }

 func organizationChangeTrigger(oldName string, newName string) error {
-	session := adapter.Engine.NewSession()
+	session := ormer.Engine.NewSession()
 	defer session.Close()

 	err := session.Begin()
@@ -360,7 +360,7 @@ func organizationChangeTrigger(oldName string, newName string) error {
 	}

 	role := new(Role)
-	_, err = adapter.Engine.Where("owner=?", oldName).Get(role)
+	_, err = ormer.Engine.Where("owner=?", oldName).Get(role)
 	if err != nil {
 		return err
 	}
@@ -385,7 +385,7 @@ func organizationChangeTrigger(oldName string, newName string) error {
 	}

 	permission := new(Permission)
-	_, err = adapter.Engine.Where("owner=?", oldName).Get(permission)
+	_, err = ormer.Engine.Where("owner=?", oldName).Get(permission)
 	if err != nil {
 		return err
 	}
@@ -409,9 +409,9 @@ func organizationChangeTrigger(oldName string, newName string) error {
 		return err
 	}

-	casbinAdapter := new(CasbinAdapter)
-	casbinAdapter.Owner = newName
-	_, err = session.Where("owner=?", oldName).Update(casbinAdapter)
+	adapter := new(Adapter)
+	adapter.Owner = newName
+	_, err = session.Where("owner=?", oldName).Update(adapter)
 	if err != nil {
 		return err
 	}
@@ -431,16 +431,8 @@ func organizationChangeTrigger(oldName string, newName string) error {
 	}

 	payment := new(Payment)
-	payment.Organization = newName
-	_, err = session.Where("organization=?", oldName).Update(payment)
-	if err != nil {
-		return err
-	}
-
-	record := new(Record)
-	record.Owner = newName
-	record.Organization = newName
-	_, err = session.Where("organization=?", oldName).Update(record)
+	payment.Owner = newName
+	_, err = session.Where("owner=?", oldName).Update(payment)
 	if err != nil {
 		return err
 	}
--- a/object/ormer.go
+++ b/object/ormer.go
@@ -0,0 +1,348 @@
+// Copyright 2021 The Casdoor Authors. All Rights Reserved.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//      http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package object
+
+import (
+	"database/sql"
+	"flag"
+	"fmt"
+	"os"
+	"regexp"
+	"runtime"
+	"strings"
+
+	"github.com/beego/beego"
+	"github.com/casdoor/casdoor/conf"
+	"github.com/casdoor/casdoor/util"
+	xormadapter "github.com/casdoor/xorm-adapter/v3"
+	_ "github.com/denisenkom/go-mssqldb" // db = mssql
+	_ "github.com/go-sql-driver/mysql"   // db = mysql
+	_ "github.com/lib/pq"                // db = postgres
+	"github.com/xorm-io/core"
+	"github.com/xorm-io/xorm"
+	_ "modernc.org/sqlite" // db = sqlite
+)
+
+var (
+	ormer                   *Ormer = nil
+	isCreateDatabaseDefined        = false
+	createDatabase                 = true
+)
+
+func InitFlag() {
+	if !isCreateDatabaseDefined {
+		isCreateDatabaseDefined = true
+		createDatabase = getCreateDatabaseFlag()
+	}
+}
+
+func getCreateDatabaseFlag() bool {
+	res := flag.Bool("createDatabase", false, "true if you need to create database")
+	flag.Parse()
+	return *res
+}
+
+func InitConfig() {
+	err := beego.LoadAppConfig("ini", "../conf/app.conf")
+	if err != nil {
+		panic(err)
+	}
+
+	beego.BConfig.WebConfig.Session.SessionOn = true
+
+	InitAdapter()
+	CreateTables()
+	DoMigration()
+}
+
+func InitAdapter() {
+	if conf.GetConfigString("driverName") == "" {
+		if !util.FileExist("conf/app.conf") {
+			dir, err := os.Getwd()
+			if err != nil {
+				panic(err)
+			}
+			dir = strings.ReplaceAll(dir, "\\", "/")
+			panic(fmt.Sprintf("The Casdoor config file: \"app.conf\" was not found, it should be placed at: \"%s/conf/app.conf\"", dir))
+		}
+	}
+
+	if createDatabase {
+		err := createDatabaseForPostgres(conf.GetConfigString("driverName"), conf.GetConfigDataSourceName(), conf.GetConfigString("dbName"))
+		if err != nil {
+			panic(err)
+		}
+	}
+
+	ormer = NewAdapter(conf.GetConfigString("driverName"), conf.GetConfigDataSourceName(), conf.GetConfigString("dbName"))
+
+	tableNamePrefix := conf.GetConfigString("tableNamePrefix")
+	tbMapper := core.NewPrefixMapper(core.SnakeMapper{}, tableNamePrefix)
+	ormer.Engine.SetTableMapper(tbMapper)
+}
+
+func CreateTables() {
+	if createDatabase {
+		err := ormer.CreateDatabase()
+		if err != nil {
+			panic(err)
+		}
+	}
+
+	ormer.createTable()
+}
+
+// Ormer represents the MySQL adapter for policy storage.
+type Ormer struct {
+	driverName     string
+	dataSourceName string
+	dbName         string
+	Engine         *xorm.Engine
+}
+
+// finalizer is the destructor for Ormer.
+func finalizer(a *Ormer) {
+	err := a.Engine.Close()
+	if err != nil {
+		panic(err)
+	}
+}
+
+// NewAdapter is the constructor for Ormer.
+func NewAdapter(driverName string, dataSourceName string, dbName string) *Ormer {
+	a := &Ormer{}
+	a.driverName = driverName
+	a.dataSourceName = dataSourceName
+	a.dbName = dbName
+
+	// Open the DB, create it if not existed.
+	a.open()
+
+	// Call the destructor when the object is released.
+	runtime.SetFinalizer(a, finalizer)
+
+	return a
+}
+
+func refineDataSourceNameForPostgres(dataSourceName string) string {
+	reg := regexp.MustCompile(`dbname=[^ ]+\s*`)
+	return reg.ReplaceAllString(dataSourceName, "")
+}
+
+func createDatabaseForPostgres(driverName string, dataSourceName string, dbName string) error {
+	if driverName == "postgres" {
+		db, err := sql.Open(driverName, refineDataSourceNameForPostgres(dataSourceName))
+		if err != nil {
+			return err
+		}
+		defer db.Close()
+
+		_, err = db.Exec(fmt.Sprintf("CREATE DATABASE %s;", dbName))
+		if err != nil {
+			if !strings.Contains(err.Error(), "already exists") {
+				return err
+			}
+		}
+		schema := util.GetValueFromDataSourceName("search_path", dataSourceName)
+		if schema != "" {
+			db, err = sql.Open(driverName, dataSourceName)
+			if err != nil {
+				return err
+			}
+			defer db.Close()
+
+			_, err = db.Exec(fmt.Sprintf("CREATE SCHEMA %s;", schema))
+			if err != nil {
+				if !strings.Contains(err.Error(), "already exists") {
+					return err
+				}
+			}
+		}
+
+		return nil
+	} else {
+		return nil
+	}
+}
+
+func (a *Ormer) CreateDatabase() error {
+	if a.driverName == "postgres" {
+		return nil
+	}
+
+	engine, err := xorm.NewEngine(a.driverName, a.dataSourceName)
+	if err != nil {
+		return err
+	}
+	defer engine.Close()
+
+	_, err = engine.Exec(fmt.Sprintf("CREATE DATABASE IF NOT EXISTS %s default charset utf8mb4 COLLATE utf8mb4_general_ci", a.dbName))
+	return err
+}
+
+func (a *Ormer) open() {
+	dataSourceName := a.dataSourceName + a.dbName
+	if a.driverName != "mysql" {
+		dataSourceName = a.dataSourceName
+	}
+
+	engine, err := xorm.NewEngine(a.driverName, dataSourceName)
+	if err != nil {
+		panic(err)
+	}
+	if a.driverName == "postgres" {
+		schema := util.GetValueFromDataSourceName("search_path", dataSourceName)
+		if schema != "" {
+			engine.SetSchema(schema)
+		}
+	}
+
+	a.Engine = engine
+}
+
+func (a *Ormer) close() {
+	_ = a.Engine.Close()
+	a.Engine = nil
+}
+
+func (a *Ormer) createTable() {
+	showSql := conf.GetConfigBool("showSql")
+	a.Engine.ShowSQL(showSql)
+
+	err := a.Engine.Sync2(new(Organization))
+	if err != nil {
+		panic(err)
+	}
+
+	err = a.Engine.Sync2(new(User))
+	if err != nil {
+		panic(err)
+	}
+
+	err = a.Engine.Sync2(new(Group))
+	if err != nil {
+		panic(err)
+	}
+
+	err = a.Engine.Sync2(new(Role))
+	if err != nil {
+		panic(err)
+	}
+
+	err = a.Engine.Sync2(new(Permission))
+	if err != nil {
+		panic(err)
+	}
+
+	err = a.Engine.Sync2(new(Model))
+	if err != nil {
+		panic(err)
+	}
+
+	err = a.Engine.Sync2(new(Adapter))
+	if err != nil {
+		panic(err)
+	}
+
+	err = a.Engine.Sync2(new(Enforcer))
+	if err != nil {
+		panic(err)
+	}
+
+	err = a.Engine.Sync2(new(Provider))
+	if err != nil {
+		panic(err)
+	}
+
+	err = a.Engine.Sync2(new(Application))
+	if err != nil {
+		panic(err)
+	}
+
+	err = a.Engine.Sync2(new(Resource))
+	if err != nil {
+		panic(err)
+	}
+
+	err = a.Engine.Sync2(new(Token))
+	if err != nil {
+		panic(err)
+	}
+
+	err = a.Engine.Sync2(new(VerificationRecord))
+	if err != nil {
+		panic(err)
+	}
+
+	err = a.Engine.Sync2(new(Webhook))
+	if err != nil {
+		panic(err)
+	}
+
+	err = a.Engine.Sync2(new(Syncer))
+	if err != nil {
+		panic(err)
+	}
+
+	err = a.Engine.Sync2(new(Cert))
+	if err != nil {
+		panic(err)
+	}
+
+	err = a.Engine.Sync2(new(Product))
+	if err != nil {
+		panic(err)
+	}
+
+	err = a.Engine.Sync2(new(Payment))
+	if err != nil {
+		panic(err)
+	}
+
+	err = a.Engine.Sync2(new(Ldap))
+	if err != nil {
+		panic(err)
+	}
+
+	err = a.Engine.Sync2(new(PermissionRule))
+	if err != nil {
+		panic(err)
+	}
+
+	err = a.Engine.Sync2(new(xormadapter.CasbinRule))
+	if err != nil {
+		panic(err)
+	}
+
+	err = a.Engine.Sync2(new(Session))
+	if err != nil {
+		panic(err)
+	}
+
+	err = a.Engine.Sync2(new(Subscription))
+	if err != nil {
+		panic(err)
+	}
+
+	err = a.Engine.Sync2(new(Plan))
+	if err != nil {
+		panic(err)
+	}
+
+	err = a.Engine.Sync2(new(Pricing))
+	if err != nil {
+		panic(err)
+	}
+}
--- a/object/ormer_session.go
+++ b/object/ormer_session.go
@@ -0,0 +1,96 @@
+// Copyright 2023 The Casdoor Authors. All Rights Reserved.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//      http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package object
+
+import (
+	"fmt"
+
+	"github.com/casdoor/casdoor/conf"
+	"github.com/casdoor/casdoor/util"
+	"github.com/xorm-io/xorm"
+)
+
+func GetSession(owner string, offset, limit int, field, value, sortField, sortOrder string) *xorm.Session {
+	session := ormer.Engine.Prepare()
+	if offset != -1 && limit != -1 {
+		session.Limit(limit, offset)
+	}
+	if owner != "" {
+		session = session.And("owner=?", owner)
+	}
+	if field != "" && value != "" {
+		if util.FilterField(field) {
+			session = session.And(fmt.Sprintf("%s like ?", util.SnakeString(field)), fmt.Sprintf("%%%s%%", value))
+		}
+	}
+	if sortField == "" || sortOrder == "" {
+		sortField = "created_time"
+	}
+	if sortOrder == "ascend" {
+		session = session.Asc(util.SnakeString(sortField))
+	} else {
+		session = session.Desc(util.SnakeString(sortField))
+	}
+	return session
+}
+
+func GetSessionForUser(owner string, offset, limit int, field, value, sortField, sortOrder string) *xorm.Session {
+	session := ormer.Engine.Prepare()
+	if offset != -1 && limit != -1 {
+		session.Limit(limit, offset)
+	}
+	if owner != "" {
+		if offset == -1 {
+			session = session.And("owner=?", owner)
+		} else {
+			session = session.And("a.owner=?", owner)
+		}
+	}
+	if field != "" && value != "" {
+		if util.FilterField(field) {
+			if offset != -1 {
+				field = fmt.Sprintf("a.%s", field)
+			}
+			session = session.And(fmt.Sprintf("%s like ?", util.SnakeString(field)), fmt.Sprintf("%%%s%%", value))
+		}
+	}
+	if sortField == "" || sortOrder == "" {
+		sortField = "created_time"
+	}
+
+	tableNamePrefix := conf.GetConfigString("tableNamePrefix")
+	tableName := tableNamePrefix + "user"
+	if offset == -1 {
+		if sortOrder == "ascend" {
+			session = session.Asc(util.SnakeString(sortField))
+		} else {
+			session = session.Desc(util.SnakeString(sortField))
+		}
+	} else {
+		if sortOrder == "ascend" {
+			session = session.Alias("a").
+				Join("INNER", []string{tableName, "b"}, "a.owner = b.owner and a.name = b.name").
+				Select("b.*").
+				Asc("a." + util.SnakeString(sortField))
+		} else {
+			session = session.Alias("a").
+				Join("INNER", []string{tableName, "b"}, "a.owner = b.owner and a.name = b.name").
+				Select("b.*").
+				Desc("a." + util.SnakeString(sortField))
+		}
+	}
+
+	return session
+}
--- a/object/payment.go
+++ b/object/payment.go
@@ -18,6 +18,8 @@ import (
 	"fmt"
 	"net/http"

+	"github.com/casdoor/casdoor/pp"
+
 	"github.com/casdoor/casdoor/util"
 	"github.com/xorm-io/core"
 )
@@ -27,43 +29,44 @@ type Payment struct {
 	Name        string `xorm:"varchar(100) notnull pk" json:"name"`
 	CreatedTime string `xorm:"varchar(100)" json:"createdTime"`
 	DisplayName string `xorm:"varchar(100)" json:"displayName"`
-
-	Provider           string `xorm:"varchar(100)" json:"provider"`
-	Type               string `xorm:"varchar(100)" json:"type"`
-	Organization       string `xorm:"varchar(100)" json:"organization"`
-	User               string `xorm:"varchar(100)" json:"user"`
-	ProductName        string `xorm:"varchar(100)" json:"productName"`
-	ProductDisplayName string `xorm:"varchar(100)" json:"productDisplayName"`
-
-	Detail   string  `xorm:"varchar(255)" json:"detail"`
-	Tag      string  `xorm:"varchar(100)" json:"tag"`
-	Currency string  `xorm:"varchar(100)" json:"currency"`
-	Price    float64 `json:"price"`
-
-	PayUrl    string `xorm:"varchar(2000)" json:"payUrl"`
-	ReturnUrl string `xorm:"varchar(1000)" json:"returnUrl"`
-	State     string `xorm:"varchar(100)" json:"state"`
-	Message   string `xorm:"varchar(2000)" json:"message"`
-
-	PersonName    string `xorm:"varchar(100)" json:"personName"`
-	PersonIdCard  string `xorm:"varchar(100)" json:"personIdCard"`
-	PersonEmail   string `xorm:"varchar(100)" json:"personEmail"`
-	PersonPhone   string `xorm:"varchar(100)" json:"personPhone"`
+	// Payment Provider Info
+	Provider string `xorm:"varchar(100)" json:"provider"`
+	Type     string `xorm:"varchar(100)" json:"type"`
+	// Product Info
+	ProductName        string  `xorm:"varchar(100)" json:"productName"`
+	ProductDisplayName string  `xorm:"varchar(100)" json:"productDisplayName"`
+	Detail             string  `xorm:"varchar(255)" json:"detail"`
+	Tag                string  `xorm:"varchar(100)" json:"tag"`
+	Currency           string  `xorm:"varchar(100)" json:"currency"`
+	Price              float64 `json:"price"`
+	ReturnUrl          string  `xorm:"varchar(1000)" json:"returnUrl"`
+	// Payer Info
+	User         string `xorm:"varchar(100)" json:"user"`
+	PersonName   string `xorm:"varchar(100)" json:"personName"`
+	PersonIdCard string `xorm:"varchar(100)" json:"personIdCard"`
+	PersonEmail  string `xorm:"varchar(100)" json:"personEmail"`
+	PersonPhone  string `xorm:"varchar(100)" json:"personPhone"`
+	// Invoice Info
 	InvoiceType   string `xorm:"varchar(100)" json:"invoiceType"`
 	InvoiceTitle  string `xorm:"varchar(100)" json:"invoiceTitle"`
 	InvoiceTaxId  string `xorm:"varchar(100)" json:"invoiceTaxId"`
 	InvoiceRemark string `xorm:"varchar(100)" json:"invoiceRemark"`
 	InvoiceUrl    string `xorm:"varchar(255)" json:"invoiceUrl"`
+	// Order Info
+	OutOrderId string          `xorm:"varchar(100)" json:"outOrderId"`
+	PayUrl     string          `xorm:"varchar(2000)" json:"payUrl"`
+	State      pp.PaymentState `xorm:"varchar(100)" json:"state"`
+	Message    string          `xorm:"varchar(2000)" json:"message"`
 }

-func GetPaymentCount(owner, organization, field, value string) (int64, error) {
+func GetPaymentCount(owner, field, value string) (int64, error) {
 	session := GetSession(owner, -1, -1, field, value, "", "")
-	return session.Count(&Payment{Organization: organization})
+	return session.Count(&Payment{Owner: owner})
 }

 func GetPayments(owner string) ([]*Payment, error) {
 	payments := []*Payment{}
-	err := adapter.Engine.Desc("created_time").Find(&payments, &Payment{Owner: owner})
+	err := ormer.Engine.Desc("created_time").Find(&payments, &Payment{Owner: owner})
 	if err != nil {
 		return nil, err
 	}
@@ -71,9 +74,9 @@ func GetPayments(owner string) ([]*Payment, error) {
 	return payments, nil
 }

-func GetUserPayments(owner string, organization string, user string) ([]*Payment, error) {
+func GetUserPayments(owner, user string) ([]*Payment, error) {
 	payments := []*Payment{}
-	err := adapter.Engine.Desc("created_time").Find(&payments, &Payment{Owner: owner, Organization: organization, User: user})
+	err := ormer.Engine.Desc("created_time").Find(&payments, &Payment{Owner: owner, User: user})
 	if err != nil {
 		return nil, err
 	}
@@ -81,10 +84,10 @@ func GetUserPayments(owner string, organization string, user string) ([]*Payment
 	return payments, nil
 }

-func GetPaginationPayments(owner, organization string, offset, limit int, field, value, sortField, sortOrder string) ([]*Payment, error) {
+func GetPaginationPayments(owner string, offset, limit int, field, value, sortField, sortOrder string) ([]*Payment, error) {
 	payments := []*Payment{}
 	session := GetSession(owner, offset, limit, field, value, sortField, sortOrder)
-	err := session.Find(&payments, &Payment{Organization: organization})
+	err := session.Find(&payments, &Payment{Owner: owner})
 	if err != nil {
 		return nil, err
 	}
@@ -98,7 +101,7 @@ func getPayment(owner string, name string) (*Payment, error) {
 	}

 	payment := Payment{Owner: owner, Name: name}
-	existed, err := adapter.Engine.Get(&payment)
+	existed, err := ormer.Engine.Get(&payment)
 	if err != nil {
 		return nil, err
 	}
@@ -123,16 +126,16 @@ func UpdatePayment(id string, payment *Payment) (bool, error) {
 		return false, nil
 	}

-	affected, err := adapter.Engine.ID(core.PK{owner, name}).AllCols().Update(payment)
+	affected, err := ormer.Engine.ID(core.PK{owner, name}).AllCols().Update(payment)
 	if err != nil {
-		panic(err)
+		return false, err
 	}

 	return affected != 0, nil
 }

 func AddPayment(payment *Payment) (bool, error) {
-	affected, err := adapter.Engine.Insert(payment)
+	affected, err := ormer.Engine.Insert(payment)
 	if err != nil {
 		return false, err
 	}
@@ -141,7 +144,7 @@ func AddPayment(payment *Payment) (bool, error) {
 }

 func DeletePayment(payment *Payment) (bool, error) {
-	affected, err := adapter.Engine.ID(core.PK{payment.Owner, payment.Name}).Delete(&Payment{})
+	affected, err := ormer.Engine.ID(core.PK{payment.Owner, payment.Name}).Delete(&Payment{})
 	if err != nil {
 		return false, err
 	}
@@ -149,73 +152,76 @@ func DeletePayment(payment *Payment) (bool, error) {
 	return affected != 0, nil
 }

-func notifyPayment(request *http.Request, body []byte, owner string, providerName string, productName string, paymentName string, orderId string) (*Payment, error, string) {
-	provider, err := getProvider(owner, providerName)
-	if err != nil {
-		panic(err)
-	}
-
-	pProvider, cert, err := provider.getPaymentProvider()
-	if err != nil {
-		panic(err)
-	}
-
+func notifyPayment(request *http.Request, body []byte, owner string, paymentName string, orderId string) (*Payment, *pp.NotifyResult, error) {
 	payment, err := getPayment(owner, paymentName)
 	if err != nil {
-		panic(err)
+		return nil, nil, err
 	}
-
 	if payment == nil {
 		err = fmt.Errorf("the payment: %s does not exist", paymentName)
-		return nil, err, pProvider.GetResponseError(err)
+		return nil, nil, err
 	}

-	product, err := getProduct(owner, productName)
+	provider, err := getProvider(owner, payment.Provider)
 	if err != nil {
-		panic(err)
+		return nil, nil, err
+	}
+	pProvider, cert, err := provider.getPaymentProvider()
+	if err != nil {
+		return nil, nil, err
 	}

+	product, err := getProduct(owner, payment.ProductName)
+	if err != nil {
+		return nil, nil, err
+	}
 	if product == nil {
-		err = fmt.Errorf("the product: %s does not exist", productName)
-		return payment, err, pProvider.GetResponseError(err)
+		err = fmt.Errorf("the product: %s does not exist", payment.ProductName)
+		return nil, nil, err
 	}

-	productDisplayName, paymentName, price, productName, providerName, err := pProvider.Notify(request, body, cert.AuthorityPublicKey, orderId)
+	if orderId == "" {
+		orderId = payment.OutOrderId
+	}
+
+	notifyResult, err := pProvider.Notify(request, body, cert.AuthorityPublicKey, orderId)
 	if err != nil {
-		return payment, err, pProvider.GetResponseError(err)
+		return payment, nil, err
+	}
+	if notifyResult.PaymentStatus != pp.PaymentStatePaid {
+		return payment, notifyResult, nil
+	}
+	// Only check paid payment
+	if notifyResult.ProductDisplayName != "" && notifyResult.ProductDisplayName != product.DisplayName {
+		err = fmt.Errorf("the payment's product name: %s doesn't equal to the expected product name: %s", notifyResult.ProductDisplayName, product.DisplayName)
+		return payment, nil, err
 	}

-	if productDisplayName != "" && productDisplayName != product.DisplayName {
-		err = fmt.Errorf("the payment's product name: %s doesn't equal to the expected product name: %s", productDisplayName, product.DisplayName)
-		return payment, err, pProvider.GetResponseError(err)
+	if notifyResult.Price != product.Price {
+		err = fmt.Errorf("the payment's price: %f doesn't equal to the expected price: %f", notifyResult.Price, product.Price)
+		return payment, nil, err
 	}

-	if price != product.Price {
-		err = fmt.Errorf("the payment's price: %f doesn't equal to the expected price: %f", price, product.Price)
-		return payment, err, pProvider.GetResponseError(err)
-	}
-
-	err = nil
-	return payment, err, pProvider.GetResponseError(err)
+	return payment, notifyResult, nil
 }

-func NotifyPayment(request *http.Request, body []byte, owner string, providerName string, productName string, paymentName string, orderId string) (error, string) {
-	payment, err, errorResponse := notifyPayment(request, body, owner, providerName, productName, paymentName, orderId)
+func NotifyPayment(request *http.Request, body []byte, owner string, paymentName string, orderId string) (*Payment, error) {
+	payment, notifyResult, err := notifyPayment(request, body, owner, paymentName, orderId)
 	if payment != nil {
 		if err != nil {
-			payment.State = "Error"
+			payment.State = pp.PaymentStateError
 			payment.Message = err.Error()
 		} else {
-			payment.State = "Paid"
+			payment.State = notifyResult.PaymentStatus
+			payment.Message = notifyResult.NotifyMessage
 		}
-
 		_, err = UpdatePayment(payment.GetId(), payment)
 		if err != nil {
-			panic(err)
+			return nil, err
 		}
 	}

-	return err, errorResponse
+	return payment, nil
 }

 func invoicePayment(payment *Payment) (string, error) {
@@ -242,7 +248,7 @@ func invoicePayment(payment *Payment) (string, error) {
 }

 func InvoicePayment(payment *Payment) (string, error) {
-	if payment.State != "Paid" {
+	if payment.State != pp.PaymentStatePaid {
 		return "", fmt.Errorf("the payment state is supposed to be: \"%s\", got: \"%s\"", "Paid", payment.State)
 	}

--- a/object/permission.go
+++ b/object/permission.go
@@ -58,10 +58,7 @@ type PermissionRule struct {
 	Id    string `xorm:"varchar(100) index not null default ''" json:"id"`
 }

-const (
-	builtInAvailableField = 5 // Casdoor built-in adapter, use V5 to filter permission, so has 5 available field
-	builtInAdapter        = "permission_rule"
-)
+const builtInAvailableField = 5 // Casdoor built-in adapter, use V5 to filter permission, so has 5 available field

 func (p *Permission) GetId() string {
 	return util.GetId(p.Owner, p.Name)
@@ -74,7 +71,7 @@ func GetPermissionCount(owner, field, value string) (int64, error) {

 func GetPermissions(owner string) ([]*Permission, error) {
 	permissions := []*Permission{}
-	err := adapter.Engine.Desc("created_time").Find(&permissions, &Permission{Owner: owner})
+	err := ormer.Engine.Desc("created_time").Find(&permissions, &Permission{Owner: owner})
 	if err != nil {
 		return permissions, err
 	}
@@ -99,7 +96,7 @@ func getPermission(owner string, name string) (*Permission, error) {
 	}

 	permission := Permission{Owner: owner, Name: name}
-	existed, err := adapter.Engine.Get(&permission)
+	existed, err := ormer.Engine.Get(&permission)
 	if err != nil {
 		return &permission, err
 	}
@@ -112,7 +109,7 @@ func getPermission(owner string, name string) (*Permission, error) {
 }

 func GetPermission(id string) (*Permission, error) {
-	owner, name := util.GetOwnerAndNameFromId(id)
+	owner, name := util.GetOwnerAndNameFromIdNoCheck(id)
 	return getPermission(owner, name)
 }

@@ -149,13 +146,13 @@ func UpdatePermission(id string, permission *Permission) (bool, error) {
 		return false, err
 	}

-	owner, name := util.GetOwnerAndNameFromId(id)
+	owner, name := util.GetOwnerAndNameFromIdNoCheck(id)
 	oldPermission, err := getPermission(owner, name)
 	if oldPermission == nil {
 		return false, nil
 	}

-	affected, err := adapter.Engine.ID(core.PK{owner, name}).AllCols().Update(permission)
+	affected, err := ormer.Engine.ID(core.PK{owner, name}).AllCols().Update(permission)
 	if err != nil {
 		return false, err
 	}
@@ -164,9 +161,9 @@ func UpdatePermission(id string, permission *Permission) (bool, error) {
 		removeGroupingPolicies(oldPermission)
 		removePolicies(oldPermission)
 		if oldPermission.Adapter != "" && oldPermission.Adapter != permission.Adapter {
-			isEmpty, _ := adapter.Engine.IsTableEmpty(oldPermission.Adapter)
+			isEmpty, _ := ormer.Engine.IsTableEmpty(oldPermission.Adapter)
 			if isEmpty {
-				err = adapter.Engine.DropTables(oldPermission.Adapter)
+				err = ormer.Engine.DropTables(oldPermission.Adapter)
 				if err != nil {
 					return false, err
 				}
@@ -180,7 +177,7 @@ func UpdatePermission(id string, permission *Permission) (bool, error) {
 }

 func AddPermission(permission *Permission) (bool, error) {
-	affected, err := adapter.Engine.Insert(permission)
+	affected, err := ormer.Engine.Insert(permission)
 	if err != nil {
 		return false, err
 	}
@@ -198,7 +195,7 @@ func AddPermissions(permissions []*Permission) bool {
 		return false
 	}

-	affected, err := adapter.Engine.Insert(permissions)
+	affected, err := ormer.Engine.Insert(permissions)
 	if err != nil {
 		if !strings.Contains(err.Error(), "Duplicate entry") {
 			panic(err)
@@ -242,7 +239,7 @@ func AddPermissionsInBatch(permissions []*Permission) bool {
 }

 func DeletePermission(permission *Permission) (bool, error) {
-	affected, err := adapter.Engine.ID(core.PK{permission.Owner, permission.Name}).Delete(&Permission{})
+	affected, err := ormer.Engine.ID(core.PK{permission.Owner, permission.Name}).Delete(&Permission{})
 	if err != nil {
 		return false, err
 	}
@@ -251,9 +248,9 @@ func DeletePermission(permission *Permission) (bool, error) {
 		removeGroupingPolicies(permission)
 		removePolicies(permission)
 		if permission.Adapter != "" && permission.Adapter != "permission_rule" {
-			isEmpty, _ := adapter.Engine.IsTableEmpty(permission.Adapter)
+			isEmpty, _ := ormer.Engine.IsTableEmpty(permission.Adapter)
 			if isEmpty {
-				err = adapter.Engine.DropTables(permission.Adapter)
+				err = ormer.Engine.DropTables(permission.Adapter)
 				if err != nil {
 					return false, err
 				}
@@ -266,7 +263,7 @@ func DeletePermission(permission *Permission) (bool, error) {

 func GetPermissionsAndRolesByUser(userId string) ([]*Permission, []*Role, error) {
 	permissions := []*Permission{}
-	err := adapter.Engine.Where("users like ?", "%"+userId+"\"%").Find(&permissions)
+	err := ormer.Engine.Where("users like ?", "%"+userId+"\"%").Find(&permissions)
 	if err != nil {
 		return nil, nil, err
 	}
@@ -290,7 +287,7 @@ func GetPermissionsAndRolesByUser(userId string) ([]*Permission, []*Role, error)

 	for _, role := range roles {
 		perms := []*Permission{}
-		err := adapter.Engine.Where("roles like ?", "%"+role.Name+"\"%").Find(&perms)
+		err := ormer.Engine.Where("roles like ?", "%"+role.GetId()+"\"%").Find(&perms)
 		if err != nil {
 			return nil, nil, err
 		}
@@ -310,7 +307,7 @@ func GetPermissionsAndRolesByUser(userId string) ([]*Permission, []*Role, error)

 func GetPermissionsByRole(roleId string) ([]*Permission, error) {
 	permissions := []*Permission{}
-	err := adapter.Engine.Where("roles like ?", "%"+roleId+"\"%").Find(&permissions)
+	err := ormer.Engine.Where("roles like ?", "%"+roleId+"\"%").Find(&permissions)
 	if err != nil {
 		return permissions, err
 	}
@@ -320,7 +317,7 @@ func GetPermissionsByRole(roleId string) ([]*Permission, error) {

 func GetPermissionsByResource(resourceId string) ([]*Permission, error) {
 	permissions := []*Permission{}
-	err := adapter.Engine.Where("resources like ?", "%"+resourceId+"\"%").Find(&permissions)
+	err := ormer.Engine.Where("resources like ?", "%"+resourceId+"\"%").Find(&permissions)
 	if err != nil {
 		return permissions, err
 	}
@@ -330,7 +327,7 @@ func GetPermissionsByResource(resourceId string) ([]*Permission, error) {

 func GetPermissionsBySubmitter(owner string, submitter string) ([]*Permission, error) {
 	permissions := []*Permission{}
-	err := adapter.Engine.Desc("created_time").Find(&permissions, &Permission{Owner: owner, Submitter: submitter})
+	err := ormer.Engine.Desc("created_time").Find(&permissions, &Permission{Owner: owner, Submitter: submitter})
 	if err != nil {
 		return permissions, err
 	}
@@ -340,7 +337,7 @@ func GetPermissionsBySubmitter(owner string, submitter string) ([]*Permission, e

 func GetPermissionsByModel(owner string, model string) ([]*Permission, error) {
 	permissions := []*Permission{}
-	err := adapter.Engine.Desc("created_time").Find(&permissions, &Permission{Owner: owner, Model: model})
+	err := ormer.Engine.Desc("created_time").Find(&permissions, &Permission{Owner: owner, Model: model})
 	if err != nil {
 		return permissions, err
 	}
--- a/object/permission_enforcer.go
+++ b/object/permission_enforcer.go
@@ -69,7 +69,7 @@ func getPermissionEnforcer(p *Permission, permissionIDs ...string) *casbin.Enfor
 func (p *Permission) setEnforcerAdapter(enforcer *casbin.Enforcer) error {
 	tableName := "permission_rule"
 	if len(p.Adapter) != 0 {
-		adapterObj, err := getCasbinAdapter(p.Owner, p.Adapter)
+		adapterObj, err := getAdapter(p.Owner, p.Adapter)
 		if err != nil {
 			return err
 		}
@@ -79,14 +79,12 @@ func (p *Permission) setEnforcerAdapter(enforcer *casbin.Enforcer) error {
 		}
 	}
 	tableNamePrefix := conf.GetConfigString("tableNamePrefix")
-	driverName := conf.GetConfigString("driverName")
-	dataSourceName := conf.GetConfigRealDataSourceName(driverName)
-	casbinAdapter, err := xormadapter.NewAdapterWithTableName(driverName, dataSourceName, tableName, tableNamePrefix, true)
+	adapter, err := xormadapter.NewAdapterByEngineWithTableName(ormer.Engine, tableName, tableNamePrefix)
 	if err != nil {
 		return err
 	}

-	enforcer.SetAdapter(casbinAdapter)
+	enforcer.SetAdapter(adapter)
 	return nil
 }

@@ -309,8 +307,7 @@ func GetAllRoles(userId string) []string {

 func GetBuiltInModel(modelText string) (model.Model, error) {
 	if modelText == "" {
-		modelText = `
-[request_definition]
+		modelText = `[request_definition]
 r = sub, obj, act

 [policy_definition]
@@ -335,7 +332,7 @@ m = g(r.sub, p.sub) && r.obj == p.obj && r.act == p.act`
 		policyDefinition := strings.Split(cfg.String("policy_definition::p"), ",")
 		fieldsNum := len(policyDefinition)
 		if fieldsNum > builtInAvailableField {
-			panic(fmt.Errorf("the maximum policy_definition field number cannot exceed %d", builtInAvailableField))
+			panic(fmt.Errorf("the maximum policy_definition field number cannot exceed %d, got %d", builtInAvailableField, fieldsNum))
 		}
 		// filled empty field with "" and V5 with "permissionId"
 		for i := builtInAvailableField - fieldsNum; i > 0; i-- {
--- a/object/permission_upload.go
+++ b/object/permission_upload.go
@@ -33,8 +33,8 @@ func getPermissionMap(owner string) (map[string]*Permission, error) {
 	return m, err
 }

-func UploadPermissions(owner string, fileId string) (bool, error) {
-	table := xlsx.ReadXlsxFile(fileId)
+func UploadPermissions(owner string, path string) (bool, error) {
+	table := xlsx.ReadXlsxFile(path)

 	oldUserMap, err := getPermissionMap(owner)
 	if err != nil {
--- a/object/plan.go
+++ b/object/plan.go
@@ -16,6 +16,7 @@ package object

 import (
 	"fmt"
+	"time"

 	"github.com/casdoor/casdoor/util"
 	"github.com/xorm-io/core"
@@ -28,15 +29,39 @@ type Plan struct {
 	DisplayName string `xorm:"varchar(100)" json:"displayName"`
 	Description string `xorm:"varchar(100)" json:"description"`

-	PricePerMonth float64 `json:"pricePerMonth"`
-	PricePerYear  float64 `json:"pricePerYear"`
-	Currency      string  `xorm:"varchar(100)" json:"currency"`
-	IsEnabled     bool    `json:"isEnabled"`
+	Price            float64  `json:"price"`
+	Currency         string   `xorm:"varchar(100)" json:"currency"`
+	Period           string   `xorm:"varchar(100)" json:"period"`
+	Product          string   `xorm:"varchar(100)" json:"product"`
+	PaymentProviders []string `xorm:"varchar(100)" json:"paymentProviders"` // payment providers for related product
+	IsEnabled        bool     `json:"isEnabled"`

 	Role    string   `xorm:"varchar(100)" json:"role"`
 	Options []string `xorm:"-" json:"options"`
 }

+const (
+	PeriodMonthly = "Monthly"
+	PeriodYearly  = "Yearly"
+)
+
+func (plan *Plan) GetId() string {
+	return fmt.Sprintf("%s/%s", plan.Owner, plan.Name)
+}
+
+func GetDuration(period string) (startTime time.Time, endTime time.Time) {
+	if period == PeriodYearly {
+		startTime = time.Now()
+		endTime = startTime.AddDate(1, 0, 0)
+	} else if period == PeriodMonthly {
+		startTime = time.Now()
+		endTime = startTime.AddDate(0, 1, 0)
+	} else {
+		panic(fmt.Sprintf("invalid period: %s", period))
+	}
+	return
+}
+
 func GetPlanCount(owner, field, value string) (int64, error) {
 	session := GetSession(owner, -1, -1, field, value, "", "")
 	return session.Count(&Plan{})
@@ -44,7 +69,7 @@ func GetPlanCount(owner, field, value string) (int64, error) {

 func GetPlans(owner string) ([]*Plan, error) {
 	plans := []*Plan{}
-	err := adapter.Engine.Desc("created_time").Find(&plans, &Plan{Owner: owner})
+	err := ormer.Engine.Desc("created_time").Find(&plans, &Plan{Owner: owner})
 	if err != nil {
 		return plans, err
 	}
@@ -67,7 +92,7 @@ func getPlan(owner, name string) (*Plan, error) {
 	}

 	plan := Plan{Owner: owner, Name: name}
-	existed, err := adapter.Engine.Get(&plan)
+	existed, err := ormer.Engine.Get(&plan)
 	if err != nil {
 		return &plan, err
 	}
@@ -91,7 +116,7 @@ func UpdatePlan(id string, plan *Plan) (bool, error) {
 		return false, nil
 	}

-	affected, err := adapter.Engine.ID(core.PK{owner, name}).AllCols().Update(plan)
+	affected, err := ormer.Engine.ID(core.PK{owner, name}).AllCols().Update(plan)
 	if err != nil {
 		return false, err
 	}
@@ -100,7 +125,7 @@ func UpdatePlan(id string, plan *Plan) (bool, error) {
 }

 func AddPlan(plan *Plan) (bool, error) {
-	affected, err := adapter.Engine.Insert(plan)
+	affected, err := ormer.Engine.Insert(plan)
 	if err != nil {
 		return false, err
 	}
@@ -108,44 +133,9 @@ func AddPlan(plan *Plan) (bool, error) {
 }

 func DeletePlan(plan *Plan) (bool, error) {
-	affected, err := adapter.Engine.ID(core.PK{plan.Owner, plan.Name}).Delete(plan)
+	affected, err := ormer.Engine.ID(core.PK{plan.Owner, plan.Name}).Delete(plan)
 	if err != nil {
 		return false, err
 	}
 	return affected != 0, nil
 }
-
-func (plan *Plan) GetId() string {
-	return fmt.Sprintf("%s/%s", plan.Owner, plan.Name)
-}
-
-func Subscribe(owner string, user string, plan string, pricing string) (*Subscription, error) {
-	selectedPricing, err := GetPricing(fmt.Sprintf("%s/%s", owner, pricing))
-	if err != nil {
-		return nil, err
-	}
-
-	valid := selectedPricing != nil && selectedPricing.IsEnabled
-
-	if !valid {
-		return nil, nil
-	}
-
-	planBelongToPricing, err := selectedPricing.HasPlan(owner, plan)
-	if err != nil {
-		return nil, err
-	}
-
-	if planBelongToPricing {
-		newSubscription := NewSubscription(owner, user, plan, selectedPricing.TrialDuration)
-		affected, err := AddSubscription(newSubscription)
-		if err != nil {
-			return nil, err
-		}
-
-		if affected {
-			return newSubscription, nil
-		}
-	}
-	return nil, nil
-}
--- a/object/pricing.go
+++ b/object/pricing.go
@@ -16,7 +16,6 @@ package object

 import (
 	"fmt"
-	"strings"

 	"github.com/casdoor/casdoor/util"
 	"github.com/xorm-io/core"
@@ -33,12 +32,26 @@ type Pricing struct {
 	IsEnabled     bool     `json:"isEnabled"`
 	TrialDuration int      `json:"trialDuration"`
 	Application   string   `xorm:"varchar(100)" json:"application"`
+}

-	Submitter   string `xorm:"varchar(100)" json:"submitter"`
-	Approver    string `xorm:"varchar(100)" json:"approver"`
-	ApproveTime string `xorm:"varchar(100)" json:"approveTime"`
+func (pricing *Pricing) GetId() string {
+	return fmt.Sprintf("%s/%s", pricing.Owner, pricing.Name)
+}

-	State string `xorm:"varchar(100)" json:"state"`
+func (pricing *Pricing) HasPlan(planName string) (bool, error) {
+	planId := util.GetId(pricing.Owner, planName)
+	plan, err := GetPlan(planId)
+	if err != nil {
+		return false, err
+	}
+	if plan == nil {
+		return false, fmt.Errorf("plan: %s does not exist", planId)
+	}
+
+	if util.InSlice(pricing.Plans, plan.Name) {
+		return true, nil
+	}
+	return false, nil
 }

 func GetPricingCount(owner, field, value string) (int64, error) {
@@ -48,7 +61,7 @@ func GetPricingCount(owner, field, value string) (int64, error) {

 func GetPricings(owner string) ([]*Pricing, error) {
 	pricings := []*Pricing{}
-	err := adapter.Engine.Desc("created_time").Find(&pricings, &Pricing{Owner: owner})
+	err := ormer.Engine.Desc("created_time").Find(&pricings, &Pricing{Owner: owner})
 	if err != nil {
 		return pricings, err
 	}
@@ -72,9 +85,9 @@ func getPricing(owner, name string) (*Pricing, error) {
 	}

 	pricing := Pricing{Owner: owner, Name: name}
-	existed, err := adapter.Engine.Get(&pricing)
+	existed, err := ormer.Engine.Get(&pricing)
 	if err != nil {
-		return &pricing, err
+		return nil, err
 	}
 	if existed {
 		return &pricing, nil
@@ -88,6 +101,20 @@ func GetPricing(id string) (*Pricing, error) {
 	return getPricing(owner, name)
 }

+func GetApplicationDefaultPricing(owner, appName string) (*Pricing, error) {
+	pricings := make([]*Pricing, 0, 1)
+	err := ormer.Engine.Asc("created_time").Find(&pricings, &Pricing{Owner: owner, Application: appName})
+	if err != nil {
+		return nil, err
+	}
+	for _, pricing := range pricings {
+		if pricing.IsEnabled {
+			return pricing, nil
+		}
+	}
+	return nil, nil
+}
+
 func UpdatePricing(id string, pricing *Pricing) (bool, error) {
 	owner, name := util.GetOwnerAndNameFromId(id)
 	if p, err := getPricing(owner, name); err != nil {
@@ -96,7 +123,7 @@ func UpdatePricing(id string, pricing *Pricing) (bool, error) {
 		return false, nil
 	}

-	affected, err := adapter.Engine.ID(core.PK{owner, name}).AllCols().Update(pricing)
+	affected, err := ormer.Engine.ID(core.PK{owner, name}).AllCols().Update(pricing)
 	if err != nil {
 		return false, err
 	}
@@ -105,7 +132,7 @@ func UpdatePricing(id string, pricing *Pricing) (bool, error) {
 }

 func AddPricing(pricing *Pricing) (bool, error) {
-	affected, err := adapter.Engine.Insert(pricing)
+	affected, err := ormer.Engine.Insert(pricing)
 	if err != nil {
 		return false, err
 	}
@@ -113,35 +140,28 @@ func AddPricing(pricing *Pricing) (bool, error) {
 }

 func DeletePricing(pricing *Pricing) (bool, error) {
-	affected, err := adapter.Engine.ID(core.PK{pricing.Owner, pricing.Name}).Delete(pricing)
+	affected, err := ormer.Engine.ID(core.PK{pricing.Owner, pricing.Name}).Delete(pricing)
 	if err != nil {
 		return false, err
 	}
 	return affected != 0, nil
 }

-func (pricing *Pricing) GetId() string {
-	return fmt.Sprintf("%s/%s", pricing.Owner, pricing.Name)
-}
-
-func (pricing *Pricing) HasPlan(owner string, plan string) (bool, error) {
-	selectedPlan, err := GetPlan(fmt.Sprintf("%s/%s", owner, plan))
-	if err != nil {
-		return false, err
-	}
-
-	if selectedPlan == nil {
-		return false, nil
-	}
-
-	result := false
-
-	for _, pricingPlan := range pricing.Plans {
-		if strings.Contains(pricingPlan, selectedPlan.Name) {
-			result = true
-			break
+func CheckPricingAndPlan(owner, pricingName, planName string) error {
+	pricingId := util.GetId(owner, pricingName)
+	pricing, err := GetPricing(pricingId)
+	if pricing == nil || err != nil {
+		if pricing == nil && err == nil {
+			err = fmt.Errorf("pricing: %s does not exist", pricingName)
 		}
+		return err
 	}
-
-	return result, nil
+	ok, err := pricing.HasPlan(planName)
+	if err != nil {
+		return err
+	}
+	if !ok {
+		return fmt.Errorf("pricing: %s does not have plan: %s", pricingName, planName)
+	}
+	return nil
 }
--- a/Show More
+++ b/Show More
Author	SHA1	Message	Date
YunShu	6700d2e244	fix: show error when frontend HTML entry does not exist (#2289 ) * fix: add response when web file not found The error flow is as follows: Assuming my directory structure is as follows: ```tree ├── GitHub │ ├── casdoor # code repository ├── casdoor # compiled binary file ``` Execute the program in the `GitHub` directory: ```bash ./casdoor/casdoor ``` The working directory at this time is `GitHub`. According to the code: ```go func StaticFilter(ctx context.Context) { urlPath := ctx.Request.URL.Path /// omitted path := "web/build" if urlPath == "/" { path += "/index.html" } else { path += urlPath } if !util.FileExist(path) { path = "web/build/index.html" } if !util.FileExist(path) { return } /// omitted } ``` If the user accesses `/`, according to this code, the returned value is actually `web/build/index.html`. But the current directory is GitHub, and there is no `web/build/index.html` file. According to the following code, it will directly return: ```go if !util.FileExist(path) { return } ``` Then in `main.go`: ```go beego.InsertFilter("", beego.BeforeRouter, routers.StaticFilter) beego.InsertFilter("", beego.BeforeRouter, routers.AutoSigninFilter) beego.InsertFilter("", beego.BeforeRouter, routers.CorsFilter) beego.InsertFilter("", beego.BeforeRouter, routers.ApiFilter) beego.InsertFilter("", beego.BeforeRouter, routers.PrometheusFilter) beego.InsertFilter("", beego.BeforeRouter, routers.RecordMessage) ``` The introduction of `beego.InsertFilter` is as follows: ``` func InsertFilter(pattern string, pos int, filter FilterFunc, params ...bool) App InsertFilter adds a FilterFunc with pattern condition and action constant. The pos means action constant including beego.BeforeStatic, beego.BeforeRouter, beego.BeforeExec, beego.AfterExec and beego.FinishRouter. The bool params is for setting the returnOnOutput value (false allows multiple filters to execute) ``` When the `params` parameter is `false`, it runs multiple filters. The default is `true`. So normally, if ```go beego.InsertFilter("", beego.BeforeRouter, routers.StaticFilter) ``` response something, the following filters will not be executed. But because the file does not exist, the function directly returns, causing the subsequent filters to continue executing. When it reaches ```go beego.InsertFilter("", beego.BeforeRouter, routers.ApiFilter) ``` it will start to check permissions: ``` subOwner = anonymous, subName = anonymous, method = GET, urlPath = /login, obj.Owner = , obj.Name = , result = deny ``` Then it will report this error: ```json { "status": "error", "msg": "Unauthorized operation", "data": null, "data2": null } ``` The solution should be: ```go func StaticFilter(ctx context.Context) { urlPath := ctx.Request.URL.Path /// omitted path := "web/build" if urlPath == "/" { path += "/index.html" } else { path += urlPath } if !util.FileExist(path) { // todo: response error: page not found return } /// omitted } ``` Update static_filter.go --------- Co-authored-by: hsluoyz <hsluoyz@qq.com>	2023-09-02 00:06:04 +08:00
Cattī Crūdēlēs	0c5c308071	fix: sendCasAuthenticationResponseErr when pgtUrlObj if not valid url (#2287 ) * fix: sendCasAuthenticationResponseErr when pgtUrlObj if not valid url check pgtUrlObj.Scheme first will cause panic if url.Parse returns error. * Update cas.go --------- Co-authored-by: hsluoyz <hsluoyz@qq.com>	2023-09-01 22:26:57 +08:00
Yang Luo	0b859197da	Fix CAS "/proxyValidate" API	2023-09-01 21:47:26 +08:00
Yang Luo	3078409343	Add CertPublicKey to Application	2023-09-01 21:16:51 +08:00
Tower He	bbf2db2e00	feat: support to use a different db schema for pg (#2281 )	2023-09-01 18:02:13 +08:00
Yang Luo	0c7b911ce7	Fix enforcer edit page logic	2023-09-01 01:30:50 +08:00
Yang Luo	2cc55715ac	Add app.conf existence check	2023-09-01 01:25:45 +08:00
Yang Luo	c829bf1769	Fix DummyPaymentProvider's return URL	2023-09-01 01:25:15 +08:00
Yang Luo	ec956c12ca	Fix Email duplicated issue in update-user	2023-08-31 23:44:40 +08:00
Tower He	d3d4646c56	feat: fix can not create db when using pg with a dbname in DSN (#2280 ) * fix: can not create db when using pg with a dbname in DSN * Update ormer.go --------- Co-authored-by: hsluoyz <hsluoyz@qq.com>	2023-08-31 18:05:38 +08:00
Yang Luo	669ac7c618	Don't encrypt user pass when user.PasswordType is non-empty when adding users	2023-08-31 17:49:36 +08:00
Yang Luo	6715efd781	Fix enforcer edit page	2023-08-31 17:32:36 +08:00
haiwu	953be4a7b6	feat: support subscription periods (yearly/monthly) (#2265 ) * feat: support year/month subscription * feat: add GetPrice() for plan * feat: add GetDuration * feat: gofumpt * feat: add subscription mode for pricing * feat: restrict auto create product operation * fix: format code * feat: add period for plan,remove period from pricing * feat: format code * feat: remove space * feat: remove period in signup page	2023-08-30 17:13:45 +08:00
Yang Luo	943cc43427	Fix payment list and product edit actions	2023-08-28 21:01:23 +08:00
Yang Luo	1e5ce7a045	Fix crash in syncUsersNoError()	2023-08-28 01:51:06 +08:00
Baihhh	7a85b74573	fix: fix tour disabled state (#2264 ) * fix: distinguish between pages that can tour or not * Update OpenTour.js --------- Co-authored-by: hsluoyz <hsluoyz@qq.com>	2023-08-27 23:18:14 +08:00
Yang Luo	7e349c1768	feat: fix crash bug in getSteps()	2023-08-27 21:58:58 +08:00
Baihhh	b19be2df88	fix: change the id to key in syncer (#2263 )	2023-08-27 20:57:27 +08:00
Yang Luo	fc3866db1c	Use XORM grammar in syncer	2023-08-27 18:15:23 +08:00
Yang Luo	bf2bb31e41	Add sslMode for syncer	2023-08-27 17:07:19 +08:00
Baihhh	ec8bd6f01d	feat: add tour for list pages (#2243 )	2023-08-27 16:40:31 +08:00
Yang Luo	98722fd681	Fix crash in app list page for normal user	2023-08-27 11:31:48 +08:00
Yang Luo	221c55aa93	Fix yarn build cmd	2023-08-27 11:17:18 +08:00
Yang Luo	988b26b3c2	Return error for RunSyncer()	2023-08-27 02:22:37 +08:00
Yang Luo	7e3c361ce7	Add all webhook events	2023-08-26 23:50:24 +08:00
Yang Luo	a637707e77	Fix null bug in IsAdminOrSelf()	2023-08-26 10:39:46 +08:00
Yaodong Yu	7970edeaa7	feat: password and invitation code verification rules (#2258 )	2023-08-25 21:16:21 +08:00
haiwu	9da2f0775f	fix: fix bug in Pricing (#2255 )	2023-08-25 19:27:46 +08:00
Yang Luo	739a9bcd0d	feat: add CasvisorUrl	2023-08-25 11:56:12 +08:00
Yang Luo	fb0949b9ed	Fix docker cannot get version bug	2023-08-25 11:49:47 +08:00
Yang Luo	27ed901167	Restrict sysinfo page to global admin	2023-08-25 11:20:11 +08:00
Yang Luo	ceab662b88	Remove dup swagger page	2023-08-25 11:09:59 +08:00
haiwu	05b2f00057	feat: support Pricings flow (#2250 ) * feat: fix price display * feat: support subscription * feat: fix select-plan-> signup -> buy-plan -> login flow * feat: support paid-user to login and jump to the pricing page * feat: support more subscription state * feat: add payment providers for plan * feat: format code * feat: gofumpt * feat: redirect to buy-plan-result page when user have pending subscription * feat: response err when pricing don't exit * Update PricingListPage.js * Update ProductBuyPage.js * Update LoginPage.js --------- Co-authored-by: hsluoyz <hsluoyz@qq.com>	2023-08-24 23:20:50 +08:00
Yang Luo	8073dfa88c	Remove tmpFiles folder usage	2023-08-24 22:03:36 +08:00
Yang Luo	1eeeb64a0c	Add checkModel() for UserGroupEnforcer	2023-08-24 18:22:23 +08:00
Yaodong Yu	f5e0461cae	feat: add invitation code for signup feature (#2249 ) * feat: add invitation code for signup feature * feat: add invitation code for signup feature	2023-08-24 13:42:17 +08:00
Andrey	a0c5eb241f	feat: add fields to syncer (PreferredMfaType, TotpSecret, SignupApplication) #2239 (#2245 )	2023-08-23 21:40:00 +08:00
Lars Lehtonen	4d8edcc446	fix: dropped controllers err (#2244 ) Signed-off-by: Lars Lehtonen <lars.lehtonen@gmail.com>	2023-08-23 21:37:51 +08:00
Yaodong Yu	2b23c04f49	fix: add SignupApplication and type for user synced from LDAP (#2240 )	2023-08-21 22:52:35 +08:00
Cattī Crūdēlēs	e60ee52d91	feat: replace satori/go.uuid with google/uuid (#2238 )	2023-08-21 13:58:15 +08:00
UsherFall	c54b54ca19	fix: Adjust custom http to notification provider (#2237 ) * feat: Adjust custom http to notification provider * fix go linter * update ProviderEditPage * update ProviderEditPage	2023-08-20 21:04:30 +08:00
Yaodong Yu	f0e097e138	feat: fix home page (#2236 ) * fix: home page * fix: home page	2023-08-20 00:58:39 +08:00
Yang Luo	25ec1bdfa8	Fix bug in getUserOrganization()	2023-08-20 00:53:51 +08:00
Yang Luo	ea7718d7b7	Use Casvisor for records	2023-08-20 00:44:01 +08:00
Yang Luo	463fa8b636	Add ormer_session.go	2023-08-19 18:41:08 +08:00
Yang Luo	11895902f4	Move getCreateDatabaseFlag() to ormer	2023-08-19 16:44:34 +08:00
Yang Luo	15269d3315	Refactor out conf_quota.go	2023-08-19 16:39:21 +08:00
Yang Luo	4468859795	Improve sendTest msg	2023-08-19 12:47:51 +08:00
UsherFall	914128a78a	fix: Support Telegram Notification provider (#2225 ) * fear: support telegram provider * fix: fix telegram logo * fix: fix telegram bot package * Update telegram.go * Update notification.go --------- Co-authored-by: hsluoyz <hsluoyz@qq.com>	2023-08-19 12:33:00 +08:00
Yaodong Yu	e5a189e0f4	fix: remove isGlobalAdmin field in user (#2235 ) * refactor: remove isGlobalAdmin field in user * fix: upload xlsx * fix: remove field in account table	2023-08-19 12:23:15 +08:00
Yang Luo	a07216d0e1	Improve contentType parsing in downloadImage()	2023-08-19 02:35:45 +08:00
haiwu	fec54944dd	feat: fix CAS login bug (#2230 ) * fix: cas login * fix: cas login * feat: rollback get-default-app change * fix : move cas restrict logic to GetApplicationLogin() * fix: format code * fix: fix getOAuthGetParameters for cas * fix: fix getOAuthGetParameters for cas * fix: cas login	2023-08-19 01:15:41 +08:00
hsluoyz	a2db61cc1a	chore: Revert "feat: restrict redirectUrls for CAS login" (#2234 ) This reverts commit `b7a37126ad`.	2023-08-19 00:30:35 +08:00
Yaodong Yu	134541acde	chore: put some dev dependency package to right place (#2232 )	2023-08-18 22:17:16 +08:00
Yaodong Yu	59fca0342e	chore: fix yarn build warning (#2231 )	2023-08-18 21:25:57 +08:00
Yang Luo	abfc464155	Remove isEnabled for model, adapter and enforcer, improve UI	2023-08-18 19:22:47 +08:00
Yaodong Yu	a41f6880a2	feat: move policy table from adapter to enforcer and improve it (#2228 ) * feat: improve policiy table * feat: add connection test in AdapterEditPage.js * feat: update button style	2023-08-18 19:00:21 +08:00
Yaodong Yu	d12117324c	feat: support admin to enable MFA for other users (#2221 ) * feat: support admin enable user sms and email mfa * chore: update ci * chore: update ci	2023-08-17 17:19:24 +08:00
hsluoyz	1a6c9fbf69	Fix typo in README	2023-08-17 14:47:09 +08:00
hsluoyz	dd60d79af9	Fix typo in README	2023-08-17 14:46:10 +08:00
Yang Luo	73d314c7fe	Add MfaTotpPeriodInSeconds param	2023-08-16 21:48:54 +08:00
Yaodong Yu	27959e0f6f	fix: fix crash in UserEditPage.js	2023-08-16 15:57:48 +08:00
Baihhh	47f40c5b24	feat: support 3 more UI languages (#2218 ) Signed-off-by: baihhh <2542274498@qq.com>	2023-08-16 15:54:34 +08:00
haiwu	2ff9020884	feat: support Stripe payment provider (#2204 ) * feat: add stripe payment provider * feat: support stripe payment * feat: delete todo comment * feat: remove description struct * feat: change outOrderId->orderId	2023-08-15 00:16:30 +08:00
Yang Luo	abaf4ca8d9	Make GetDashboard() faster	2023-08-14 15:43:09 +08:00
珩	8ff0cfd6ec	feat: support dashboard in homepage (#2207 ) * feat: support dashboard * feat: support dashboard	2023-08-14 15:31:29 +08:00
Yang Luo	7a2a40edcc	Improve table columns	2023-08-14 12:19:02 +08:00
Yang Luo	b7a001ea39	Fix property empty issue	2023-08-14 12:09:50 +08:00
haiwu	891e8e21d8	feat: support Web3-Onboard provider (#2209 ) * feat: add Web3-Onboard idp * feat: update Web3-Onboard logo * feat: update package.json * feat: remove unused package * feat: add yarn build param --max_old_space_size=4096 * feat: remove log * feat: add Wallet configure * feat: remove hardware wallets	2023-08-13 23:58:57 +08:00
Baihhh	80b0d26813	fix: synchronize update the syncers (#2201 ) Signed-off-by: baihhh <2542274498@qq.com>	2023-08-13 22:30:57 +08:00
Yaodong Yu	db4ac60bb6	feat: fix LDAP mobile field incorrect mapped (#2206 )	2023-08-12 13:45:26 +08:00
Yang Luo	33a922f026	Add custom HTTP SMS provider	2023-08-12 12:52:53 +08:00
Yang Luo	9f65053d04	Improve i18n	2023-08-12 02:44:38 +08:00
Yang Luo	be969e5efa	Fix typo	2023-08-11 22:18:35 +08:00
Yang Luo	9156bd426b	ci: Show provider.displayName in signin button	2023-08-11 16:29:52 +08:00
Yang Luo	fe4a4328aa	feat: refactor code in InitApi()	2023-08-11 16:17:29 +08:00
Yaodong Yu	9899022bcd	fix: check enforcer should not be nil (#2199 ) * fix: check enforcer should not be nil * fix: check enforcer should not be nil * Update user.go --------- Co-authored-by: hsluoyz <hsluoyz@qq.com>	2023-08-11 12:31:49 +08:00
Yaodong Yu	1a9d02be46	feat: use the casbin model to store relationships between users and groups (#2178 ) * fix:reslove conflict * fix: remove interface	2023-08-11 10:59:18 +08:00
Yang Luo	eafaa135b4	Change builtInAvailableField back to 5	2023-08-11 02:45:11 +08:00
Yang Luo	6746551447	Improve error message in InitEnforcer()	2023-08-11 02:36:29 +08:00
Yang Luo	3cb46c3628	Add isKey to syncer's table	2023-08-09 00:33:04 +08:00
Yaodong Yu	558bcf95d6	feat: save policy in adapter edit page (#2190 ) * fix: save policy in adapter * fix: disable edit for builtin adapter	2023-08-09 00:12:53 +08:00
Yang Luo	bb937c30c1	Fix empty cert in getPaymentProvider()	2023-08-08 22:37:48 +08:00
Baihhh	8dfdf7f767	ci: add GoogleCloud and QiNiu in Storage (#2188 ) * feat: add GoogleCloud and QiNiu in Storage Signed-off-by: baihhh <2542274498@qq.com> * Update qiniu_cloud.go * Update storage.go --------- Signed-off-by: baihhh <2542274498@qq.com> Co-authored-by: hsluoyz <hsluoyz@qq.com>	2023-08-08 22:34:55 +08:00
Yang Luo	62b2082e82	Add getUserOrganization() to user edit page	2023-08-08 21:58:27 +08:00
Yang Luo	a1806439f8	Add UserPrincipalName and MemberOf to get-ldap-users API	2023-08-08 20:18:47 +08:00
Yang Luo	01e58158b7	feat: Remove useless code	2023-08-08 19:16:55 +08:00
Yaodong Yu	15427ad9d6	fix: fix add provider error (#2184 )	2023-08-07 17:22:32 +08:00
YunShu	d058f78dc6	fix: fix broken links (#2181 )	2023-08-07 01:02:03 +08:00
UsherFall	fd9dbf8251	feat: add multiple SMS providers (#2182 ) * feat: add amazon sns and azure acs provider * feat: add msg91 sms provider * feat: add infobip sms provider * feat: add ucloud sms provider * feat: add baidu cloud sms provider * fix: fix logo and azure acs	2023-08-07 00:59:17 +08:00
Yaodong Yu	3220a04fa9	fix: use org/groupName replace groupName (#2180 )	2023-08-06 20:16:44 +08:00
Yaodong Yu	f06a4990bd	fix: rename in init.go (#2179 ) * fix: rename in init.go * fix: remove blank line * fix: remove blank line * Update init.go --------- Co-authored-by: hsluoyz <hsluoyz@qq.com>	2023-08-06 13:07:30 +08:00
Yang Luo	9df7de5f27	Improve menu icons	2023-08-05 18:00:24 +08:00
Yang Luo	56c808c091	Improve menu	2023-08-05 17:41:35 +08:00
Yang Luo	9fd2421564	Update @ant-design/cssinjs dependency to avoid build error	2023-08-04 01:22:57 +08:00
Yang Luo	689d45c7fa	feat: fix org name cannot be changed bug	2023-08-03 18:48:37 +08:00
Yang Luo	c24343bd53	Fix XxxChangeTrigger() doesn't return error bug	2023-08-03 18:45:49 +08:00
Yang Luo	979f43638d	Change builtInAvailableField to 10	2023-08-03 18:17:15 +08:00
Yaodong Yu	685a4514cd	fix: revert adapter port vartype to int (#2174 )	2023-08-03 09:35:16 +08:00
Yaodong Yu	a05ca3af24	feat: use role ID to search in GetPermissionsAndRolesByUser() (#2170 )	2023-08-02 20:58:06 +08:00
Yang Luo	c6f301ff9e	Support svg in downloadImage()	2023-07-31 20:23:28 +08:00
haiwu	d7b2bcf288	feat: support payment cancel state (#2165 )	2023-07-31 15:24:13 +08:00
Yang Luo	67ac3d6d21	Fix typo	2023-07-31 15:23:44 +08:00
Yaodong Yu	912d5c6a7f	fix: support enforcerId parameter in Enforce API (#2164 )	2023-07-31 00:20:53 +08:00
Yang Luo	32fbb5b534	Support custom provider for storage API	2023-07-30 23:19:45 +08:00
Yang Luo	21004f3009	Fix GetResources() missing items bug	2023-07-30 22:47:14 +08:00
Yang Luo	463bacd53b	Add GetDirectResources()	2023-07-30 22:01:10 +08:00
Baihhh	78dc660041	feat: support 3 more language (#2163 ) Signed-off-by: baihhh <2542274498@qq.com>	2023-07-30 20:45:47 +08:00
Yang Luo	2fb9674171	Fix file not exist panic in StaticFilter()	2023-07-30 19:03:21 +08:00
Yang Luo	55c522d3b7	Improve provider type input box	2023-07-30 17:31:36 +08:00
Yang Luo	f879170663	Remove AI related code	2023-07-30 14:39:27 +08:00
Yang Luo	12e5d9b583	Remove adapter.file	2023-07-30 12:08:05 +08:00
haiwu	eefa1e6df4	fix: fix paypal payment provider and refactor payment code (#2159 ) * feat: support paypal payment provider * feat: support paypal flow * feat: use owner replace org for payment * feat: update paypal logic * feat: gofumpt * feat: update payment * fix: fix notify * feat: delete log	2023-07-30 11:54:42 +08:00
Yaodong Yu	026fb207b3	fix: remove model in adapter page (#2161 )	2023-07-29 23:42:08 +08:00
Yaodong Yu	ea10f8e615	feat: make hard-coded authz adapter editable, rename adapter to ormer (#2149 ) * refactor: rename casbinAdapter to casdoorAdapter * feat: add initEnforcer * fix: router * refactor: make hard-coded code configurable * fix: data type * feat: support sqlite3 * feat: disable delete and edit name for built in resources * feat: optimize code * fix: init * fix: e2e * fix: remove datasourcename * fix: revert rename * refactor: change all ORM's Adatper to Ormer * refactor: name	2023-07-29 15:07:04 +08:00
Yang Luo	74b058aa3f	Fix sync-ldap-users() bug, brought by: `666ff48837`	2023-07-29 13:14:55 +08:00
Yang Luo	6c628d7893	Fix static path not changed bug in makeGzipResponse()	2023-07-29 12:23:48 +08:00
Yang Luo	a38896e4d8	Improve swagger docs	2023-07-29 11:35:03 +08:00
Yang Luo	5f054c4989	Fix product links	2023-07-28 15:08:45 +08:00
Tower He	fb16d8cee6	fix: not set count of enforcers to the response (#2155 )	2023-07-28 14:46:11 +08:00
Baihhh	5e4ba4f338	feat: add authorize button and defaultValue (#2152 ) Signed-off-by: baihhh <2542274498@qq.com>	2023-07-27 23:55:35 +08:00
Yang Luo	ca47af2ee1	Make post_logout_redirect_uri optional for logout	2023-07-27 23:26:30 +08:00
Ilya Sulimanov	59da104463	fix: update ldap admin pwd only if changed (#2146 ) * fix ldap pwd update * fix: linter * fix: simplify check	2023-07-27 17:49:15 +08:00
Yaodong Yu	c5bb916651	fix: fix response data in PricingPage.js (#2143 )	2023-07-27 10:46:31 +08:00
WintBit	e98264f957	fix: application fails to call /api/get-resources (#2139 ) just like other apis, resource.go.GetResources() no longer calls ApiController.RequireSignedInUser() to auth or check	2023-07-26 17:19:00 +08:00
June	6a952952a8	fix: unmask application for org admin (#2138 ) * feat: unmask application with user admin * Update application.go --------- Co-authored-by: hsluoyz <hsluoyz@qq.com>	2023-07-26 17:17:49 +08:00
Yang Luo	ba8a0f36be	Support custom actions in permission edit page	2023-07-26 14:49:45 +08:00
June	b5e9084e5d	feat: en/decodeURI in permission/role name (#2137 )	2023-07-26 13:08:35 +08:00