feat: fix bug in pricing when signup by phone (#2316 )

* fix: fix bug in pricing * fix: remove log
Add EmailVerified to UserInfo
2025-07-16 10:43:35 +08:00 · 2023-09-08 21:03:30 +08:00 · 2023-09-08 18:27:14 +08:00 · 2023-09-07 15:45:54 +08:00 · 2023-09-07 10:49:39 +08:00 · 2023-09-07 10:33:20 +08:00
243 changed files with 21956 additions and 3783 deletions
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@ -110,7 +110,7 @@ jobs:
        with:
          start: yarn start
          wait-on: 'http://localhost:7001'
-          wait-on-timeout: 180
+          wait-on-timeout: 210
          working-directory: ./web

      - uses: actions/upload-artifact@v3
--- a/README.md
+++ b/README.md
@ -11,7 +11,7 @@
    <img alt="GitHub Workflow Status (branch)" src="https://github.com/casdoor/casdoor/workflows/Build/badge.svg?style=flat-square">
  </a>
  <a href="https://github.com/casdoor/casdoor/releases/latest">
-    <img alt="GitHub Release" src="https://img.shields.io/github/v/release/casbin/casdoor.svg">
+    <img alt="GitHub Release" src="https://img.shields.io/github/v/release/casdoor/casdoor.svg">
  </a>
  <a href="https://hub.docker.com/repository/docker/casbin/casdoor">
    <img alt="Docker Image Version (latest semver)" src="https://img.shields.io/badge/Docker%20Hub-latest-brightgreen">
@ -23,16 +23,16 @@
    <img alt="Go Report Card" src="https://goreportcard.com/badge/github.com/casdoor/casdoor?style=flat-square">
  </a>
  <a href="https://github.com/casdoor/casdoor/blob/master/LICENSE">
-    <img src="https://img.shields.io/github/license/casbin/casdoor?style=flat-square" alt="license">
+    <img src="https://img.shields.io/github/license/casdoor/casdoor?style=flat-square" alt="license">
  </a>
  <a href="https://github.com/casdoor/casdoor/issues">
-    <img alt="GitHub issues" src="https://img.shields.io/github/issues/casbin/casdoor?style=flat-square">
+    <img alt="GitHub issues" src="https://img.shields.io/github/issues/casdoor/casdoor?style=flat-square">
  </a>
  <a href="#">
-    <img alt="GitHub stars" src="https://img.shields.io/github/stars/casbin/casdoor?style=flat-square">
+    <img alt="GitHub stars" src="https://img.shields.io/github/stars/casdoor/casdoor?style=flat-square">
  </a>
  <a href="https://github.com/casdoor/casdoor/network">
-    <img alt="GitHub forks" src="https://img.shields.io/github/forks/casbin/casdoor?style=flat-square">
+    <img alt="GitHub forks" src="https://img.shields.io/github/forks/casdoor/casdoor?style=flat-square">
  </a>
  <a href="https://crowdin.com/project/casdoor-site">
    <img alt="Crowdin" src="https://badges.crowdin.net/casdoor-site/localized.svg">
--- a/authz/authz.go
+++ b/authz/authz.go
@ -27,13 +27,7 @@ import (
 var Enforcer *casbin.Enforcer

 func InitApi() {
-	var err error
-
-	e, err := object.GetEnforcer(util.GetId("built-in", "api-enforcer-built-in"))
-	if err != nil {
-		panic(err)
-	}
-	err = e.InitEnforcer()
+	e, err := object.GetInitializedEnforcer(util.GetId("built-in", "api-enforcer-built-in"))
 	if err != nil {
 		panic(err)
 	}
@ -93,6 +87,8 @@ p, *, *, GET, /api/get-prometheus-info, *, *
 p, *, *, *, /api/metrics, *, *
 p, *, *, GET, /api/get-pricing, *, *
 p, *, *, GET, /api/get-plan, *, *
+p, *, *, GET, /api/get-subscription, *, *
+p, *, *, GET, /api/get-provider, *, *
 p, *, *, GET, /api/get-organization-names, *, *
 `

--- a/conf/conf.go
+++ b/conf/conf.go
@ -15,7 +15,7 @@
 package conf

 import (
-	"encoding/json"
+	"fmt"
 	"os"
 	"runtime"
 	"strconv"
@ -24,15 +24,6 @@ import (
 	"github.com/beego/beego"
 )

-type Quota struct {
-	Organization int `json:"organization"`
-	User         int `json:"user"`
-	Application  int `json:"application"`
-	Provider     int `json:"provider"`
-}
-
-var quota = &Quota{-1, -1, -1, -1}
-
 func init() {
 	// this array contains the beego configuration items that may be modified via env
 	presetConfigItems := []string{"httpport", "appname"}
@ -44,17 +35,6 @@ func init() {
 			}
 		}
 	}
-	initQuota()
-}
-
-func initQuota() {
-	res := beego.AppConfig.String("quota")
-	if res != "" {
-		err := json.Unmarshal([]byte(res), quota)
-		if err != nil {
-			panic(err)
-		}
-	}
 }

 func GetConfigString(key string) string {
@ -67,7 +47,7 @@ func GetConfigString(key string) string {
 		if key == "staticBaseUrl" {
 			res = "https://cdn.casbin.org"
 		} else if key == "logConfig" {
-			res = "{\"filename\": \"logs/casdoor.log\", \"maxdays\":99999, \"perm\":\"0770\"}"
+			res = fmt.Sprintf("{\"filename\": \"logs/%s.log\", \"maxdays\":99999, \"perm\":\"0770\"}", beego.AppConfig.String("appname"))
 		}
 	}

@ -129,10 +109,6 @@ func GetConfigBatchSize() int {
 	return res
 }

-func GetConfigQuota() *Quota {
-	return quota
-}
-
 func GetConfigRealDataSourceName(driverName string) string {
 	var dataSourceName string
 	if driverName != "mysql" {
--- a/conf/conf_quota.go
+++ b/conf/conf_quota.go
@ -0,0 +1,48 @@
+// Copyright 2023 The Casdoor Authors. All Rights Reserved.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//      http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package conf
+
+import (
+	"encoding/json"
+
+	"github.com/beego/beego"
+)
+
+type Quota struct {
+	Organization int `json:"organization"`
+	User         int `json:"user"`
+	Application  int `json:"application"`
+	Provider     int `json:"provider"`
+}
+
+var quota = &Quota{-1, -1, -1, -1}
+
+func init() {
+	initQuota()
+}
+
+func initQuota() {
+	res := beego.AppConfig.String("quota")
+	if res != "" {
+		err := json.Unmarshal([]byte(res), quota)
+		if err != nil {
+			panic(err)
+		}
+	}
+}
+
+func GetConfigQuota() *Quota {
+	return quota
+}
--- a/controllers/account.go
+++ b/controllers/account.go
@ -140,25 +140,28 @@ func (c *ApiController) Signup() {
 		username = id
 	}

-	password := authForm.Password
-	msg = object.CheckPasswordComplexityByOrg(organization, password)
-	if msg != "" {
-		c.ResponseError(msg)
-		return
-	}
-
 	initScore, err := organization.GetInitScore()
 	if err != nil {
 		c.ResponseError(fmt.Errorf(c.T("account:Get init score failed, error: %w"), err).Error())
 		return
 	}

+	userType := "normal-user"
+	if authForm.Plan != "" && authForm.Pricing != "" {
+		err = object.CheckPricingAndPlan(authForm.Organization, authForm.Pricing, authForm.Plan)
+		if err != nil {
+			c.ResponseError(err.Error())
+			return
+		}
+		userType = "paid-user"
+	}
+
 	user := &object.User{
 		Owner:             authForm.Organization,
 		Name:              username,
 		CreatedTime:       util.GetCurrentTime(),
 		Id:                id,
-		Type:              "normal-user",
+		Type:              userType,
 		Password:          authForm.Password,
 		DisplayName:       authForm.Name,
 		Avatar:            organization.DefaultAvatar,
@ -171,7 +174,6 @@ func (c *ApiController) Signup() {
 		Region:            authForm.Region,
 		Score:             initScore,
 		IsAdmin:           false,
-		IsGlobalAdmin:     false,
 		IsForbidden:       false,
 		IsDeleted:         false,
 		SignupApplication: application.Name,
@ -211,7 +213,7 @@ func (c *ApiController) Signup() {
 		return
 	}

-	if application.HasPromptPage() {
+	if application.HasPromptPage() && user.Type == "normal-user" {
 		// The prompt page needs the user to be signed in
 		c.SetSessionUsername(user.GetId())
 	}
@ -228,15 +230,6 @@ func (c *ApiController) Signup() {
 		return
 	}

-	isSignupFromPricing := authForm.Plan != "" && authForm.Pricing != ""
-	if isSignupFromPricing {
-		_, err = object.Subscribe(organization.Name, user.Name, authForm.Plan, authForm.Pricing)
-		if err != nil {
-			c.ResponseError(err.Error())
-			return
-		}
-	}
-
 	record := object.NewRecord(c.Ctx)
 	record.Organization = application.Organization
 	record.User = user.Name
--- a/controllers/adapter.go
+++ b/controllers/adapter.go
@ -20,7 +20,6 @@ import (
 	"github.com/beego/beego/utils/pagination"
 	"github.com/casdoor/casdoor/object"
 	"github.com/casdoor/casdoor/util"
-	xormadapter "github.com/casdoor/xorm-adapter/v3"
 )

 // GetAdapters
@ -144,92 +143,3 @@ func (c *ApiController) DeleteAdapter() {
 	c.Data["json"] = wrapActionResponse(object.DeleteAdapter(&adapter))
 	c.ServeJSON()
 }
-
-func (c *ApiController) GetPolicies() {
-	id := c.Input().Get("id")
-	adapter, err := object.GetAdapter(id)
-	if err != nil {
-		c.ResponseError(err.Error())
-		return
-	}
-
-	policies, err := object.GetPolicies(adapter)
-	if err != nil {
-		c.ResponseError(err.Error())
-		return
-	}
-
-	c.ResponseOk(policies)
-}
-
-func (c *ApiController) UpdatePolicy() {
-	id := c.Input().Get("id")
-	adapter, err := object.GetAdapter(id)
-	if err != nil {
-		c.ResponseError(err.Error())
-		return
-	}
-
-	var policies []xormadapter.CasbinRule
-	err = json.Unmarshal(c.Ctx.Input.RequestBody, &policies)
-	if err != nil {
-		c.ResponseError(err.Error())
-		return
-	}
-
-	affected, err := object.UpdatePolicy(util.CasbinToSlice(policies[0]), util.CasbinToSlice(policies[1]), adapter)
-	if err != nil {
-		c.ResponseError(err.Error())
-		return
-	}
-	c.Data["json"] = wrapActionResponse(affected)
-	c.ServeJSON()
-}
-
-func (c *ApiController) AddPolicy() {
-	id := c.Input().Get("id")
-	adapter, err := object.GetAdapter(id)
-	if err != nil {
-		c.ResponseError(err.Error())
-		return
-	}
-
-	var policy xormadapter.CasbinRule
-	err = json.Unmarshal(c.Ctx.Input.RequestBody, &policy)
-	if err != nil {
-		c.ResponseError(err.Error())
-		return
-	}
-
-	affected, err := object.AddPolicy(util.CasbinToSlice(policy), adapter)
-	if err != nil {
-		c.ResponseError(err.Error())
-		return
-	}
-	c.Data["json"] = wrapActionResponse(affected)
-	c.ServeJSON()
-}
-
-func (c *ApiController) RemovePolicy() {
-	id := c.Input().Get("id")
-	adapter, err := object.GetAdapter(id)
-	if err != nil {
-		c.ResponseError(err.Error())
-		return
-	}
-
-	var policy xormadapter.CasbinRule
-	err = json.Unmarshal(c.Ctx.Input.RequestBody, &policy)
-	if err != nil {
-		c.ResponseError(err.Error())
-		return
-	}
-
-	affected, err := object.RemovePolicy(util.CasbinToSlice(policy), adapter)
-	if err != nil {
-		c.ResponseError(err.Error())
-		return
-	}
-	c.Data["json"] = wrapActionResponse(affected)
-	c.ServeJSON()
-}
--- a/controllers/application.go
+++ b/controllers/application.go
@ -62,13 +62,13 @@ func (c *ApiController) GetApplications() {
 		}

 		paginator := pagination.SetPaginator(c.Ctx, limit, count)
-		app, err := object.GetPaginationApplications(owner, paginator.Offset(), limit, field, value, sortField, sortOrder)
+		application, err := object.GetPaginationApplications(owner, paginator.Offset(), limit, field, value, sortField, sortOrder)
 		if err != nil {
 			c.ResponseError(err.Error())
 			return
 		}

-		applications := object.GetMaskedApplications(app, userId)
+		applications := object.GetMaskedApplications(application, userId)
 		c.ResponseOk(applications, paginator.Nums())
 	}
 }
@ -84,13 +84,23 @@ func (c *ApiController) GetApplication() {
 	userId := c.GetSessionUsername()
 	id := c.Input().Get("id")

-	app, err := object.GetApplication(id)
+	application, err := object.GetApplication(id)
 	if err != nil {
 		c.ResponseError(err.Error())
 		return
 	}

-	c.ResponseOk(object.GetMaskedApplication(app, userId))
+	if c.Input().Get("withKey") != "" && application.Cert != "" {
+		cert, err := object.GetCert(util.GetId(application.Owner, application.Cert))
+		if err != nil {
+			c.ResponseError(err.Error())
+			return
+		}
+
+		application.CertPublicKey = cert.Certificate
+	}
+
+	c.ResponseOk(object.GetMaskedApplication(application, userId))
 }

 // GetUserApplication
@ -164,13 +174,13 @@ func (c *ApiController) GetOrganizationApplications() {
 		}

 		paginator := pagination.SetPaginator(c.Ctx, limit, count)
-		app, err := object.GetPaginationOrganizationApplications(owner, organization, paginator.Offset(), limit, field, value, sortField, sortOrder)
+		application, err := object.GetPaginationOrganizationApplications(owner, organization, paginator.Offset(), limit, field, value, sortField, sortOrder)
 		if err != nil {
 			c.ResponseError(err.Error())
 			return
 		}

-		applications := object.GetMaskedApplications(app, userId)
+		applications := object.GetMaskedApplications(application, userId)
 		c.ResponseOk(applications, paginator.Nums())
 	}
 }
--- a/controllers/auth.go
+++ b/controllers/auth.go
@ -70,7 +70,7 @@ func (c *ApiController) HandleLoggedIn(application *object.Application, user *ob
 	}

 	// check user's tag
-	if !user.IsGlobalAdmin && !user.IsAdmin && len(application.Tags) > 0 {
+	if !user.IsGlobalAdmin() && !user.IsAdmin && len(application.Tags) > 0 {
 		// only users with the tag that is listed in the application tags can login
 		if !util.InSlice(application.Tags, user.Tag) {
 			c.ResponseError(fmt.Sprintf(c.T("auth:User's tag: %s is not listed in the application's tags"), user.Tag))
@ -78,6 +78,46 @@ func (c *ApiController) HandleLoggedIn(application *object.Application, user *ob
 		}
 	}

+	// check whether paid-user have active subscription
+	if user.Type == "paid-user" {
+		subscriptions, err := object.GetSubscriptionsByUser(user.Owner, user.Name)
+		if err != nil {
+			c.ResponseError(err.Error())
+			return
+		}
+		existActiveSubscription := false
+		for _, subscription := range subscriptions {
+			if subscription.State == object.SubStateActive {
+				existActiveSubscription = true
+				break
+			}
+		}
+		if !existActiveSubscription {
+			// check pending subscription
+			for _, sub := range subscriptions {
+				if sub.State == object.SubStatePending {
+					c.ResponseOk("BuyPlanResult", sub)
+					return
+				}
+			}
+			// paid-user does not have active or pending subscription, find the default pricing of application
+			pricing, err := object.GetApplicationDefaultPricing(application.Organization, application.Name)
+			if err != nil {
+				c.ResponseError(err.Error())
+				return
+			}
+			if pricing == nil {
+				c.ResponseError(fmt.Sprintf(c.T("auth:paid-user %s does not have active or pending subscription and the application: %s does not have default pricing"), user.Name, application.Name))
+				return
+			} else {
+				// let the paid-user select plan
+				c.ResponseOk("SelectPlan", pricing)
+				return
+			}
+
+		}
+	}
+
 	if form.Type == ResponseTypeLogin {
 		c.SetSessionUsername(userId)
 		util.LogInfo(c.Ctx, "API: [%s] signed in", userId)
@ -187,11 +227,34 @@ func (c *ApiController) GetApplicationLogin() {
 	redirectUri := c.Input().Get("redirectUri")
 	scope := c.Input().Get("scope")
 	state := c.Input().Get("state")
+	id := c.Input().Get("id")
+	loginType := c.Input().Get("type")

-	msg, application, err := object.CheckOAuthLogin(clientId, responseType, redirectUri, scope, state, c.GetAcceptLanguage())
-	if err != nil {
-		c.ResponseError(err.Error())
-		return
+	var application *object.Application
+	var msg string
+	var err error
+	if loginType == "code" {
+		msg, application, err = object.CheckOAuthLogin(clientId, responseType, redirectUri, scope, state, c.GetAcceptLanguage())
+		if err != nil {
+			c.ResponseError(err.Error())
+			return
+		}
+	} else if loginType == "cas" {
+		application, err = object.GetApplication(id)
+		if err != nil {
+			c.ResponseError(err.Error())
+			return
+		}
+		if application == nil {
+			c.ResponseError(fmt.Sprintf(c.T("auth:The application: %s does not exist"), id))
+			return
+		}
+
+		err = object.CheckCasLogin(application, c.GetAcceptLanguage(), redirectUri)
+		if err != nil {
+			c.ResponseError(err.Error())
+			return
+		}
 	}

 	application = object.GetMaskedApplication(application, "")
@ -566,7 +629,6 @@ func (c *ApiController) Login() {
 						Region:            userInfo.CountryCode,
 						Score:             initScore,
 						IsAdmin:           false,
-						IsGlobalAdmin:     false,
 						IsForbidden:       false,
 						IsDeleted:         false,
 						SignupApplication: application.Name,
--- a/controllers/base.go
+++ b/controllers/base.go
@ -61,6 +61,10 @@ func (c *ApiController) IsAdminOrSelf(user2 *object.User) bool {
 		return true
 	}

+	if user == nil || user2 == nil {
+		return false
+	}
+
 	if user.Owner == user2.Owner && user.Name == user2.Name {
 		return true
 	}
@ -79,7 +83,7 @@ func (c *ApiController) isGlobalAdmin() (bool, *object.User) {
 		return false, nil
 	}

-	return user.Owner == "built-in" || user.IsGlobalAdmin, user
+	return user.IsGlobalAdmin(), user
 }

 func (c *ApiController) getCurrentUser() *object.User {
--- a/controllers/cas.go
+++ b/controllers/cas.go
@ -35,6 +35,11 @@ const (
 	UnauthorizedService      string = "UNAUTHORIZED_SERVICE"
 )

+func queryUnescape(service string) string {
+	s, _ := url.QueryUnescape(service)
+	return s
+}
+
 func (c *RootController) CasValidate() {
 	ticket := c.Input().Get("ticket")
 	service := c.Input().Get("service")
@ -60,24 +65,25 @@ func (c *RootController) CasServiceValidate() {
 	if !strings.HasPrefix(ticket, "ST") {
 		c.sendCasAuthenticationResponseErr(InvalidTicket, fmt.Sprintf("Ticket %s not recognized", ticket), format)
 	}
-	c.CasP3ServiceAndProxyValidate()
+	c.CasP3ProxyValidate()
 }

 func (c *RootController) CasProxyValidate() {
+	// https://apereo.github.io/cas/6.6.x/protocol/CAS-Protocol-Specification.html#26-proxyvalidate-cas-20
+	// "/proxyValidate" should accept both service tickets and proxy tickets.
+	c.CasP3ProxyValidate()
+}
+
+func (c *RootController) CasP3ServiceValidate() {
 	ticket := c.Input().Get("ticket")
 	format := c.Input().Get("format")
-	if !strings.HasPrefix(ticket, "PT") {
+	if !strings.HasPrefix(ticket, "ST") {
 		c.sendCasAuthenticationResponseErr(InvalidTicket, fmt.Sprintf("Ticket %s not recognized", ticket), format)
 	}
-	c.CasP3ServiceAndProxyValidate()
+	c.CasP3ProxyValidate()
 }

-func queryUnescape(service string) string {
-	s, _ := url.QueryUnescape(service)
-	return s
-}
-
-func (c *RootController) CasP3ServiceAndProxyValidate() {
+func (c *RootController) CasP3ProxyValidate() {
 	ticket := c.Input().Get("ticket")
 	format := c.Input().Get("format")
 	service := c.Input().Get("service")
@ -115,15 +121,17 @@ func (c *RootController) CasP3ServiceAndProxyValidate() {
 		pgtiou := serviceResponse.Success.ProxyGrantingTicket
 		// todo: check whether it is https
 		pgtUrlObj, err := url.Parse(pgtUrl)
+		if err != nil {
+			c.sendCasAuthenticationResponseErr(InvalidProxyCallback, err.Error(), format)
+			return
+		}
+
 		if pgtUrlObj.Scheme != "https" {
 			c.sendCasAuthenticationResponseErr(InvalidProxyCallback, "callback is not https", format)
 			return
 		}
+
 		// make a request to pgturl passing pgt and pgtiou
-		if err != nil {
-			c.sendCasAuthenticationResponseErr(InternalError, err.Error(), format)
-			return
-		}
 		param := pgtUrlObj.Query()
 		param.Add("pgtId", pgt)
 		param.Add("pgtIou", pgtiou)
@ -263,7 +271,6 @@ func (c *RootController) sendCasAuthenticationResponseErr(code, msg, format stri
 			Message: msg,
 		},
 	}
-
 	if format == "json" {
 		c.Data["json"] = serviceResponse
 		c.ServeJSON()
--- a/controllers/casbin_api.go
+++ b/controllers/casbin_api.go
@ -45,13 +45,7 @@ func (c *ApiController) Enforce() {
 	}

 	if enforcerId != "" {
-		enforcer, err := object.GetEnforcer(enforcerId)
-		if err != nil {
-			c.ResponseError(err.Error())
-			return
-		}
-
-		err = enforcer.InitEnforcer()
+		enforcer, err := object.GetInitializedEnforcer(enforcerId)
 		if err != nil {
 			c.ResponseError(err.Error())
 			return
@ -155,13 +149,7 @@ func (c *ApiController) BatchEnforce() {
 	}

 	if enforcerId != "" {
-		enforcer, err := object.GetEnforcer(enforcerId)
-		if err != nil {
-			c.ResponseError(err.Error())
-			return
-		}
-
-		err = enforcer.InitEnforcer()
+		enforcer, err := object.GetInitializedEnforcer(enforcerId)
 		if err != nil {
 			c.ResponseError(err.Error())
 			return
--- a/controllers/enforcer.go
+++ b/controllers/enforcer.go
@ -20,6 +20,7 @@ import (
 	"github.com/beego/beego/utils/pagination"
 	"github.com/casdoor/casdoor/object"
 	"github.com/casdoor/casdoor/util"
+	xormadapter "github.com/casdoor/xorm-adapter/v3"
 )

 // GetEnforcers
@ -74,6 +75,7 @@ func (c *ApiController) GetEnforcers() {
 // @router /get-enforcer [get]
 func (c *ApiController) GetEnforcer() {
 	id := c.Input().Get("id")
+	loadModelCfg := c.Input().Get("loadModelCfg")

 	enforcer, err := object.GetEnforcer(id)
 	if err != nil {
@ -81,6 +83,13 @@ func (c *ApiController) GetEnforcer() {
 		return
 	}

+	if loadModelCfg == "true" && enforcer.Model != "" {
+		err := enforcer.LoadModelCfg()
+		if err != nil {
+			return
+		}
+	}
+
 	c.ResponseOk(enforcer)
 }

@ -143,3 +152,88 @@ func (c *ApiController) DeleteEnforcer() {
 	c.Data["json"] = wrapActionResponse(object.DeleteEnforcer(&enforcer))
 	c.ServeJSON()
 }
+
+func (c *ApiController) GetPolicies() {
+	id := c.Input().Get("id")
+	adapterId := c.Input().Get("adapterId")
+
+	if adapterId != "" {
+		adapter, err := object.GetAdapter(adapterId)
+		if err != nil {
+			c.ResponseError(err.Error())
+			return
+		}
+		err = adapter.InitAdapter()
+		if err != nil {
+			c.ResponseError(err.Error())
+			return
+		}
+		c.ResponseOk()
+		return
+	}
+
+	policies, err := object.GetPolicies(id)
+	if err != nil {
+		c.ResponseError(err.Error())
+		return
+	}
+
+	c.ResponseOk(policies)
+}
+
+func (c *ApiController) UpdatePolicy() {
+	id := c.Input().Get("id")
+
+	var policies []xormadapter.CasbinRule
+	err := json.Unmarshal(c.Ctx.Input.RequestBody, &policies)
+	if err != nil {
+		c.ResponseError(err.Error())
+		return
+	}
+
+	affected, err := object.UpdatePolicy(id, util.CasbinToSlice(policies[0]), util.CasbinToSlice(policies[1]))
+	if err != nil {
+		c.ResponseError(err.Error())
+		return
+	}
+	c.Data["json"] = wrapActionResponse(affected)
+	c.ServeJSON()
+}
+
+func (c *ApiController) AddPolicy() {
+	id := c.Input().Get("id")
+
+	var policy xormadapter.CasbinRule
+	err := json.Unmarshal(c.Ctx.Input.RequestBody, &policy)
+	if err != nil {
+		c.ResponseError(err.Error())
+		return
+	}
+
+	affected, err := object.AddPolicy(id, util.CasbinToSlice(policy))
+	if err != nil {
+		c.ResponseError(err.Error())
+		return
+	}
+	c.Data["json"] = wrapActionResponse(affected)
+	c.ServeJSON()
+}
+
+func (c *ApiController) RemovePolicy() {
+	id := c.Input().Get("id")
+
+	var policy xormadapter.CasbinRule
+	err := json.Unmarshal(c.Ctx.Input.RequestBody, &policy)
+	if err != nil {
+		c.ResponseError(err.Error())
+		return
+	}
+
+	affected, err := object.RemovePolicy(id, util.CasbinToSlice(policy))
+	if err != nil {
+		c.ResponseError(err.Error())
+		return
+	}
+	c.Data["json"] = wrapActionResponse(affected)
+	c.ServeJSON()
+}
--- a/controllers/get-dashboard.go
+++ b/controllers/get-dashboard.go
@ -0,0 +1,35 @@
+// Copyright 2023 The Casdoor Authors. All Rights Reserved.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//      http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package controllers
+
+import "github.com/casdoor/casdoor/object"
+
+// GetDashboard
+// @Title GetDashboard
+// @Tag GetDashboard API
+// @Description get information of dashboard
+// @Success 200 {object} controllers.Response The Response object
+// @router /get-dashboard [get]
+func (c *ApiController) GetDashboard() {
+	owner := c.Input().Get("owner")
+
+	data, err := object.GetDashboard(owner)
+	if err != nil {
+		c.ResponseError(err.Error())
+		return
+	}
+
+	c.ResponseOk(data)
+}
--- a/controllers/link.go
+++ b/controllers/link.go
@ -45,13 +45,13 @@ func (c *ApiController) Unlink() {
 	// the user will be unlinked from the provider
 	unlinkedUser := form.User

-	if user.Id != unlinkedUser.Id && !user.IsGlobalAdmin {
+	if user.Id != unlinkedUser.Id && !user.IsGlobalAdmin() {
 		// if the user is not the same as the one we are unlinking, we need to make sure the user is the global admin.
 		c.ResponseError(c.T("link:You are not the global admin, you can't unlink other users"))
 		return
 	}

-	if user.Id == unlinkedUser.Id && !user.IsGlobalAdmin {
+	if user.Id == unlinkedUser.Id && !user.IsGlobalAdmin() {
 		// if the user is unlinking themselves, should check the provider can be unlinked, if not, we should return an error.
 		application, err := object.GetApplicationByUser(user)
 		if err != nil {
--- a/controllers/organization.go
+++ b/controllers/organization.go
@ -183,8 +183,6 @@ func (c *ApiController) DeleteOrganization() {
 func (c *ApiController) GetDefaultApplication() {
 	userId := c.GetSessionUsername()
 	id := c.Input().Get("id")
-	redirectUri := c.Input().Get("redirectUri")
-	typ := c.Input().Get("type")

 	application, err := object.GetDefaultApplication(id)
 	if err != nil {
@ -192,14 +190,6 @@ func (c *ApiController) GetDefaultApplication() {
 		return
 	}

-	if typ == "cas" {
-		err = object.CheckCasRestrict(application, c.GetAcceptLanguage(), redirectUri)
-		if err != nil {
-			c.ResponseError(err.Error())
-			return
-		}
-	}
-
 	maskedApplication := object.GetMaskedApplication(application, userId)
 	c.ResponseOk(maskedApplication)
 }
--- a/controllers/payment.go
+++ b/controllers/payment.go
@ -176,11 +176,10 @@ func (c *ApiController) DeletePayment() {
 func (c *ApiController) NotifyPayment() {
 	owner := c.Ctx.Input.Param(":owner")
 	paymentName := c.Ctx.Input.Param(":payment")
-	orderId := c.Ctx.Input.Param("order")

 	body := c.Ctx.Input.RequestBody

-	payment, err := object.NotifyPayment(c.Ctx.Request, body, owner, paymentName, orderId)
+	payment, err := object.NotifyPayment(c.Ctx.Request, body, owner, paymentName)
 	if err != nil {
 		c.ResponseError(err.Error())
 		return
--- a/controllers/permission_upload.go
+++ b/controllers/permission_upload.go
@ -16,6 +16,7 @@ package controllers

 import (
 	"fmt"
+	"os"

 	"github.com/casdoor/casdoor/object"
 	"github.com/casdoor/casdoor/util"
@ -32,16 +33,15 @@ func (c *ApiController) UploadPermissions() {
 	}

 	fileId := fmt.Sprintf("%s_%s_%s", owner, user, util.RemoveExt(header.Filename))
-
 	path := util.GetUploadXlsxPath(fileId)
-	util.EnsureFileFolderExists(path)
+	defer os.Remove(path)
 	err = saveFile(path, &file)
 	if err != nil {
 		c.ResponseError(err.Error())
 		return
 	}

-	affected, err := object.UploadPermissions(owner, fileId)
+	affected, err := object.UploadPermissions(owner, path)
 	if err != nil {
 		c.ResponseError(err.Error())
 	}
--- a/controllers/plan.go
+++ b/controllers/plan.go
@ -16,6 +16,7 @@ package controllers

 import (
 	"encoding/json"
+	"fmt"

 	"github.com/beego/beego/utils/pagination"
 	"github.com/casdoor/casdoor/object"
@ -82,7 +83,10 @@ func (c *ApiController) GetPlan() {
 		c.ResponseError(err.Error())
 		return
 	}
-
+	if plan == nil {
+		c.ResponseError(fmt.Sprintf(c.T("plan:The plan: %s does not exist"), id))
+		return
+	}
 	if includeOption {
 		options, err := object.GetPermissionsByRole(plan.Role)
 		if err != nil {
@ -110,14 +114,29 @@ func (c *ApiController) GetPlan() {
 // @router /update-plan [post]
 func (c *ApiController) UpdatePlan() {
 	id := c.Input().Get("id")
-
+	owner := util.GetOwnerFromId(id)
 	var plan object.Plan
 	err := json.Unmarshal(c.Ctx.Input.RequestBody, &plan)
 	if err != nil {
 		c.ResponseError(err.Error())
 		return
 	}
-
+	if plan.Product != "" {
+		productId := util.GetId(owner, plan.Product)
+		product, err := object.GetProduct(productId)
+		if err != nil {
+			c.ResponseError(err.Error())
+			return
+		}
+		if product != nil {
+			object.UpdateProductForPlan(&plan, product)
+			_, err = object.UpdateProduct(productId, product)
+			if err != nil {
+				c.ResponseError(err.Error())
+				return
+			}
+		}
+	}
 	c.Data["json"] = wrapActionResponse(object.UpdatePlan(id, &plan))
 	c.ServeJSON()
 }
@ -136,7 +155,14 @@ func (c *ApiController) AddPlan() {
 		c.ResponseError(err.Error())
 		return
 	}
-
+	// Create a related product for plan
+	product := object.CreateProductForPlan(&plan)
+	_, err = object.AddProduct(product)
+	if err != nil {
+		c.ResponseError(err.Error())
+		return
+	}
+	plan.Product = product.Name
 	c.Data["json"] = wrapActionResponse(object.AddPlan(&plan))
 	c.ServeJSON()
 }
@ -155,7 +181,13 @@ func (c *ApiController) DeletePlan() {
 		c.ResponseError(err.Error())
 		return
 	}
-
+	if plan.Product != "" {
+		_, err = object.DeleteProduct(&object.Product{Owner: plan.Owner, Name: plan.Product})
+		if err != nil {
+			c.ResponseError(err.Error())
+			return
+		}
+	}
 	c.Data["json"] = wrapActionResponse(object.DeletePlan(&plan))
 	c.ServeJSON()
 }
--- a/controllers/pricing.go
+++ b/controllers/pricing.go
@ -16,6 +16,7 @@ package controllers

 import (
 	"encoding/json"
+	"fmt"

 	"github.com/beego/beego/utils/pagination"
 	"github.com/casdoor/casdoor/object"
@ -80,7 +81,10 @@ func (c *ApiController) GetPricing() {
 		c.ResponseError(err.Error())
 		return
 	}
-
+	if pricing == nil {
+		c.ResponseError(fmt.Sprintf(c.T("pricing:The pricing: %s does not exist"), id))
+		return
+	}
 	c.ResponseOk(pricing)
 }

--- a/controllers/product.go
+++ b/controllers/product.go
@ -161,10 +161,17 @@ func (c *ApiController) DeleteProduct() {
 // @router /buy-product [post]
 func (c *ApiController) BuyProduct() {
 	id := c.Input().Get("id")
-	providerName := c.Input().Get("providerName")
 	host := c.Ctx.Request.Host
-
-	userId := c.GetSessionUsername()
+	providerName := c.Input().Get("providerName")
+	// buy `pricingName/planName` for `paidUserName`
+	pricingName := c.Input().Get("pricingName")
+	planName := c.Input().Get("planName")
+	paidUserName := c.Input().Get("userName")
+	owner, _ := util.GetOwnerAndNameFromId(id)
+	userId := util.GetId(owner, paidUserName)
+	if paidUserName == "" {
+		userId = c.GetSessionUsername()
+	}
 	if userId == "" {
 		c.ResponseError(c.T("general:Please login first"))
 		return
@ -175,17 +182,16 @@ func (c *ApiController) BuyProduct() {
 		c.ResponseError(err.Error())
 		return
 	}
-
 	if user == nil {
 		c.ResponseError(fmt.Sprintf(c.T("general:The user: %s doesn't exist"), userId))
 		return
 	}

-	payUrl, orderId, err := object.BuyProduct(id, providerName, user, host)
+	payment, err := object.BuyProduct(id, user, providerName, pricingName, planName, host)
 	if err != nil {
 		c.ResponseError(err.Error())
 		return
 	}

-	c.ResponseOk(payUrl, orderId)
+	c.ResponseOk(payment)
 }
--- a/controllers/record.go
+++ b/controllers/record.go
@ -1,121 +0,0 @@
-// Copyright 2021 The Casdoor Authors. All Rights Reserved.
-//
-// Licensed under the Apache License, Version 2.0 (the "License");
-// you may not use this file except in compliance with the License.
-// You may obtain a copy of the License at
-//
-//      http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing, software
-// distributed under the License is distributed on an "AS IS" BASIS,
-// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-// See the License for the specific language governing permissions and
-// limitations under the License.
-
-package controllers
-
-import (
-	"encoding/json"
-
-	"github.com/beego/beego/utils/pagination"
-	"github.com/casdoor/casdoor/object"
-	"github.com/casdoor/casdoor/util"
-)
-
-// GetRecords
-// @Title GetRecords
-// @Tag Record API
-// @Description get all records
-// @Param   pageSize     query    string  true        "The size of each page"
-// @Param   p     query    string  true        "The number of the page"
-// @Success 200 {object} object.Record The Response object
-// @router /get-records [get]
-func (c *ApiController) GetRecords() {
-	organization, ok := c.RequireAdmin()
-	if !ok {
-		return
-	}
-
-	limit := c.Input().Get("pageSize")
-	page := c.Input().Get("p")
-	field := c.Input().Get("field")
-	value := c.Input().Get("value")
-	sortField := c.Input().Get("sortField")
-	sortOrder := c.Input().Get("sortOrder")
-	organizationName := c.Input().Get("organizationName")
-
-	if limit == "" || page == "" {
-		records, err := object.GetRecords()
-		if err != nil {
-			c.ResponseError(err.Error())
-			return
-		}
-
-		c.ResponseOk(records)
-	} else {
-		limit := util.ParseInt(limit)
-		if c.IsGlobalAdmin() && organizationName != "" {
-			organization = organizationName
-		}
-		filterRecord := &object.Record{Organization: organization}
-		count, err := object.GetRecordCount(field, value, filterRecord)
-		if err != nil {
-			c.ResponseError(err.Error())
-			return
-		}
-
-		paginator := pagination.SetPaginator(c.Ctx, limit, count)
-		records, err := object.GetPaginationRecords(paginator.Offset(), limit, field, value, sortField, sortOrder, filterRecord)
-		if err != nil {
-			c.ResponseError(err.Error())
-			return
-		}
-
-		c.ResponseOk(records, paginator.Nums())
-	}
-}
-
-// GetRecordsByFilter
-// @Tag Record API
-// @Title GetRecordsByFilter
-// @Description get records by filter
-// @Param   filter  body string     true  "filter Record message"
-// @Success 200 {object} object.Record The Response object
-// @router /get-records-filter [post]
-func (c *ApiController) GetRecordsByFilter() {
-	body := string(c.Ctx.Input.RequestBody)
-
-	record := &object.Record{}
-	err := util.JsonToStruct(body, record)
-	if err != nil {
-		c.ResponseError(err.Error())
-		return
-	}
-
-	records, err := object.GetRecordsByField(record)
-	if err != nil {
-		c.ResponseError(err.Error())
-		return
-	}
-
-	c.ResponseOk(records)
-}
-
-// AddRecord
-// @Title AddRecord
-// @Tag Record API
-// @Description add a record
-// @Param   body    body   object.Record  true        "The details of the record"
-// @Success 200 {object} controllers.Response The Response object
-// @router /add-record [post]
-func (c *ApiController) AddRecord() {
-	var record object.Record
-	err := json.Unmarshal(c.Ctx.Input.RequestBody, &record)
-	if err != nil {
-		c.ResponseError(err.Error())
-		return
-	}
-
-	c.Data["json"] = wrapActionResponse(object.AddRecord(&record))
-	c.ServeJSON()
-}
--- a/controllers/resource.go
+++ b/controllers/resource.go
@ -361,6 +361,9 @@ func (c *ApiController) UploadResource() {
 			return
 		}

+		if user.Properties == nil {
+			user.Properties = map[string]string{}
+		}
 		user.Properties[tag] = fileUrl
 		user.Properties["isIdCardVerified"] = "false"
 		_, err = object.UpdateUser(user.GetId(), user, []string{"properties"}, false)
--- a/controllers/role_upload.go
+++ b/controllers/role_upload.go
@ -16,6 +16,7 @@ package controllers

 import (
 	"fmt"
+	"os"

 	"github.com/casdoor/casdoor/object"
 	"github.com/casdoor/casdoor/util"
@ -32,16 +33,15 @@ func (c *ApiController) UploadRoles() {
 	}

 	fileId := fmt.Sprintf("%s_%s_%s", owner, user, util.RemoveExt(header.Filename))
-
 	path := util.GetUploadXlsxPath(fileId)
-	util.EnsureFileFolderExists(path)
+	defer os.Remove(path)
 	err = saveFile(path, &file)
 	if err != nil {
 		c.ResponseError(err.Error())
 		return
 	}

-	affected, err := object.UploadRoles(owner, fileId)
+	affected, err := object.UploadRoles(owner, path)
 	if err != nil {
 		c.ResponseError(err.Error())
 	}
--- a/controllers/service.go
+++ b/controllers/service.go
@ -40,6 +40,10 @@ type SmsForm struct {
 	OrgId     string   `json:"organizationId"` // e.g. "admin/built-in"
 }

+type NotificationForm struct {
+	Content string `json:"content"`
+}
+
 // SendEmail
 // @Title SendEmail
 // @Tag Service API
@ -140,10 +144,12 @@ func (c *ApiController) SendSms() {
 		return
 	}

-	invalidReceivers := getInvalidSmsReceivers(smsForm)
-	if len(invalidReceivers) != 0 {
-		c.ResponseError(fmt.Sprintf(c.T("service:Invalid phone receivers: %s"), strings.Join(invalidReceivers, ", ")))
-		return
+	if provider.Type != "Custom HTTP SMS" {
+		invalidReceivers := getInvalidSmsReceivers(smsForm)
+		if len(invalidReceivers) != 0 {
+			c.ResponseError(fmt.Sprintf(c.T("service:Invalid phone receivers: %s"), strings.Join(invalidReceivers, ", ")))
+			return
+		}
 	}

 	err = object.SendSms(provider, smsForm.Content, smsForm.Receivers...)
@ -154,3 +160,33 @@ func (c *ApiController) SendSms() {

 	c.ResponseOk()
 }
+
+// SendNotification
+// @Title SendNotification
+// @Tag Service API
+// @Description This API is not for Casdoor frontend to call, it is for Casdoor SDKs.
+// @Param   from    body   controllers.NotificationForm    true         "Details of the notification request"
+// @Success 200 {object}  Response object
+// @router /api/send-notification [post]
+func (c *ApiController) SendNotification() {
+	provider, err := c.GetProviderFromContext("Notification")
+	if err != nil {
+		c.ResponseError(err.Error())
+		return
+	}
+
+	var notificationForm NotificationForm
+	err = json.Unmarshal(c.Ctx.Input.RequestBody, &notificationForm)
+	if err != nil {
+		c.ResponseError(err.Error())
+		return
+	}
+
+	err = object.SendNotification(provider, notificationForm.Content)
+	if err != nil {
+		c.ResponseError(err.Error())
+		return
+	}
+
+	c.ResponseOk()
+}
--- a/controllers/syncer.go
+++ b/controllers/syncer.go
@ -160,7 +160,11 @@ func (c *ApiController) RunSyncer() {
 		return
 	}

-	object.RunSyncer(syncer)
+	err = object.RunSyncer(syncer)
+	if err != nil {
+		c.ResponseError(err.Error())
+		return
+	}

 	c.ResponseOk()
 }
--- a/controllers/system_info.go
+++ b/controllers/system_info.go
@ -47,16 +47,16 @@ func (c *ApiController) GetSystemInfo() {
 // @router /get-version-info [get]
 func (c *ApiController) GetVersionInfo() {
 	versionInfo, err := util.GetVersionInfo()
-
-	if versionInfo.Version == "" {
-		versionInfo, err = util.GetVersionInfoFromFile()
-
-		if err != nil {
-			c.ResponseError(err.Error())
-			return
-		}
+	if versionInfo.Version != "" {
+		c.ResponseOk(versionInfo)
+		return
 	}

+	versionInfo, err = util.GetVersionInfoFromFile()
+	if err != nil {
+		c.ResponseError(err.Error())
+		return
+	}
 	c.ResponseOk(versionInfo)
 }

--- a/controllers/user.go
+++ b/controllers/user.go
@ -90,7 +90,7 @@ func (c *ApiController) GetUsers() {

 	if limit == "" || page == "" {
 		if groupName != "" {
-			maskedUsers, err := object.GetMaskedUsers(object.GetGroupUsers(groupName))
+			maskedUsers, err := object.GetMaskedUsers(object.GetGroupUsers(util.GetId(owner, groupName)))
 			if err != nil {
 				c.ResponseError(err.Error())
 				return
@ -258,6 +258,13 @@ func (c *ApiController) UpdateUser() {
 		return
 	}

+	if c.Input().Get("allowEmpty") == "" {
+		if user.DisplayName == "" {
+			c.ResponseError(c.T("user:Display name cannot be empty"))
+			return
+		}
+	}
+
 	if msg := object.CheckUpdateUser(oldUser, &user, c.GetAcceptLanguage()); msg != "" {
 		c.ResponseError(msg)
 		return
@ -441,6 +448,10 @@ func (c *ApiController) SetPassword() {
 	}

 	targetUser, err := object.GetUser(userId)
+	if targetUser == nil {
+		c.ResponseError(fmt.Sprintf(c.T("general:The user: %s doesn't exist"), userId))
+		return
+	}
 	if err != nil {
 		c.ResponseError(err.Error())
 		return
@ -567,6 +578,22 @@ func (c *ApiController) RemoveUserFromGroup() {
 	name := c.Ctx.Request.Form.Get("name")
 	groupName := c.Ctx.Request.Form.Get("groupName")

-	c.Data["json"] = wrapActionResponse(object.RemoveUserFromGroup(owner, name, groupName))
-	c.ServeJSON()
+	organization, err := object.GetOrganization(util.GetId("admin", owner))
+	if err != nil {
+		return
+	}
+	item := object.GetAccountItemByName("Groups", organization)
+	res, msg := object.CheckAccountItemModifyRule(item, c.IsAdmin(), c.GetAcceptLanguage())
+	if !res {
+		c.ResponseError(msg)
+		return
+	}
+
+	affected, err := object.DeleteGroupForUser(util.GetId(owner, name), groupName)
+	if err != nil {
+		c.ResponseError(err.Error())
+		return
+	}
+
+	c.ResponseOk(affected)
 }
--- a/controllers/user_upload.go
+++ b/controllers/user_upload.go
@ -48,17 +48,17 @@ func (c *ApiController) UploadUsers() {
 		c.ResponseError(err.Error())
 		return
 	}
-	fileId := fmt.Sprintf("%s_%s_%s", owner, user, util.RemoveExt(header.Filename))

+	fileId := fmt.Sprintf("%s_%s_%s", owner, user, util.RemoveExt(header.Filename))
 	path := util.GetUploadXlsxPath(fileId)
-	util.EnsureFileFolderExists(path)
+	defer os.Remove(path)
 	err = saveFile(path, &file)
 	if err != nil {
 		c.ResponseError(err.Error())
 		return
 	}

-	affected, err := object.UploadUsers(owner, fileId)
+	affected, err := object.UploadUsers(owner, path)
 	if err != nil {
 		c.ResponseError(err.Error())
 		return
--- a/form/auth.go
+++ b/form/auth.go
@ -17,17 +17,18 @@ package form
 type AuthForm struct {
 	Type string `json:"type"`

-	Organization string `json:"organization"`
-	Username     string `json:"username"`
-	Password     string `json:"password"`
-	Name         string `json:"name"`
-	FirstName    string `json:"firstName"`
-	LastName     string `json:"lastName"`
-	Email        string `json:"email"`
-	Phone        string `json:"phone"`
-	Affiliation  string `json:"affiliation"`
-	IdCard       string `json:"idCard"`
-	Region       string `json:"region"`
+	Organization   string `json:"organization"`
+	Username       string `json:"username"`
+	Password       string `json:"password"`
+	Name           string `json:"name"`
+	FirstName      string `json:"firstName"`
+	LastName       string `json:"lastName"`
+	Email          string `json:"email"`
+	Phone          string `json:"phone"`
+	Affiliation    string `json:"affiliation"`
+	IdCard         string `json:"idCard"`
+	Region         string `json:"region"`
+	InvitationCode string `json:"invitationCode"`

 	Application string `json:"application"`
 	ClientId    string `json:"clientId"`
--- a/go.mod
+++ b/go.mod
@ -12,10 +12,12 @@ require (
 	github.com/beevik/etree v1.1.0
 	github.com/casbin/casbin v1.9.1 // indirect
 	github.com/casbin/casbin/v2 v2.30.1
-	github.com/casdoor/go-sms-sender v0.6.1
+	github.com/casdoor/go-sms-sender v0.12.0
 	github.com/casdoor/gomail/v2 v2.0.1
-	github.com/casdoor/oss v1.2.1
+	github.com/casdoor/notify v0.43.0
+	github.com/casdoor/oss v1.3.0
 	github.com/casdoor/xorm-adapter/v3 v3.0.4
+	github.com/casvisor/casvisor-go-sdk v1.0.3
 	github.com/dchest/captcha v0.0.0-20200903113550-03f5f0333e1f
 	github.com/denisenkom/go-mssqldb v0.9.0
 	github.com/elazarl/go-bindata-assetfs v1.0.1 // indirect
@ -26,16 +28,13 @@ require (
 	github.com/go-mysql-org/go-mysql v1.7.0
 	github.com/go-pay/gopay v1.5.72
 	github.com/go-sql-driver/mysql v1.6.0
+	github.com/go-telegram-bot-api/telegram-bot-api v4.6.4+incompatible
 	github.com/go-webauthn/webauthn v0.6.0
 	github.com/golang-jwt/jwt/v4 v4.5.0
-	github.com/golang/freetype v0.0.0-20170609003504-e2365dfdc4a0 // indirect
-	github.com/golang/protobuf v1.5.2 // indirect
-	github.com/golang/snappy v0.0.4 // indirect
 	github.com/google/uuid v1.3.0
-	github.com/gorilla/mux v1.7.3 // indirect
 	github.com/kardianos/osext v0.0.0-20190222173326-2bc1f35cddc0 // indirect
 	github.com/lestrrat-go/jwx v1.2.21
-	github.com/lib/pq v1.10.2
+	github.com/lib/pq v1.10.9
 	github.com/lor00x/goldap v0.0.0-20180618054307-a546dffdd1a3
 	github.com/markbates/goth v1.75.2
 	github.com/mitchellh/mapstructure v1.5.0
@ -43,17 +42,17 @@ require (
 	github.com/nyaruka/phonenumbers v1.1.5
 	github.com/pquerna/otp v1.4.0
 	github.com/prometheus/client_golang v1.11.1
-	github.com/prometheus/client_model v0.2.0
+	github.com/prometheus/client_model v0.3.0
 	github.com/qiangmzsx/string-adapter/v2 v2.1.0
 	github.com/robfig/cron/v3 v3.0.1
 	github.com/russellhaering/gosaml2 v0.9.0
 	github.com/russellhaering/goxmldsig v1.2.0
-	github.com/satori/go.uuid v1.2.0
 	github.com/shiena/ansicolor v0.0.0-20200904210342-c7312218db18 // indirect
 	github.com/shirou/gopsutil v3.21.11+incompatible
 	github.com/siddontang/go-log v0.0.0-20190221022429-1e957dd83bed
 	github.com/skip2/go-qrcode v0.0.0-20200617195104-da1b6568686e
-	github.com/stretchr/testify v1.8.2
+	github.com/stretchr/testify v1.8.4
+	github.com/stripe/stripe-go/v74 v74.29.0
 	github.com/tealeg/xlsx v1.0.5
 	github.com/thanhpk/randstr v1.0.4
 	github.com/tklauser/go-sysconf v0.3.10 // indirect
@ -61,12 +60,12 @@ require (
 	github.com/xorm-io/core v0.7.4
 	github.com/xorm-io/xorm v1.1.6
 	github.com/yusufpapurcu/wmi v1.2.2 // indirect
-	golang.org/x/crypto v0.6.0
-	golang.org/x/lint v0.0.0-20210508222113-6edffad5e616 // indirect
-	golang.org/x/net v0.7.0
-	golang.org/x/oauth2 v0.0.0-20210628180205-a41e5a781914
+	golang.org/x/crypto v0.12.0
+	golang.org/x/net v0.14.0
+	golang.org/x/oauth2 v0.11.0
+	google.golang.org/api v0.138.0
 	gopkg.in/ini.v1 v1.67.0 // indirect
 	gopkg.in/square/go-jose.v2 v2.6.0
-	gopkg.in/yaml.v2 v2.4.0 // indirect
-	modernc.org/sqlite v1.10.1-0.20210314190707-798bbeb9bb84
+	maunium.net/go/mautrix v0.16.0
+	modernc.org/sqlite v1.18.2
 )
--- a/go.sum
+++ b/go.sum
--- a/i18n/generate_test.go
+++ b/i18n/generate_test.go
@ -36,6 +36,15 @@ func TestGenerateI18nFrontend(t *testing.T) {
 	applyToOtherLanguage("frontend", "it", data)
 	applyToOtherLanguage("frontend", "ms", data)
 	applyToOtherLanguage("frontend", "tr", data)
+	applyToOtherLanguage("frontend", "ar", data)
+	applyToOtherLanguage("frontend", "he", data)
+	applyToOtherLanguage("frontend", "nl", data)
+	applyToOtherLanguage("frontend", "pl", data)
+	applyToOtherLanguage("frontend", "fi", data)
+	applyToOtherLanguage("frontend", "sv", data)
+	applyToOtherLanguage("frontend", "uk", data)
+	applyToOtherLanguage("frontend", "kk", data)
+	applyToOtherLanguage("frontend", "fa", data)
 }

 func TestGenerateI18nBackend(t *testing.T) {
@ -55,4 +64,13 @@ func TestGenerateI18nBackend(t *testing.T) {
 	applyToOtherLanguage("backend", "it", data)
 	applyToOtherLanguage("backend", "ms", data)
 	applyToOtherLanguage("backend", "tr", data)
+	applyToOtherLanguage("backend", "ar", data)
+	applyToOtherLanguage("backend", "he", data)
+	applyToOtherLanguage("backend", "nl", data)
+	applyToOtherLanguage("backend", "pl", data)
+	applyToOtherLanguage("backend", "fi", data)
+	applyToOtherLanguage("backend", "sv", data)
+	applyToOtherLanguage("backend", "uk", data)
+	applyToOtherLanguage("backend", "kk", data)
+	applyToOtherLanguage("backend", "fa", data)
 }
--- a/i18n/locales/ar/data.json
+++ b/i18n/locales/ar/data.json
@ -0,0 +1,142 @@
+{
+  "account": {
+    "Failed to add user": "Failed to add user",
+    "Get init score failed, error: %w": "Get init score failed, error: %w",
+    "Please sign out first": "Please sign out first",
+    "The application does not allow to sign up new account": "The application does not allow to sign up new account"
+  },
+  "auth": {
+    "Challenge method should be S256": "Challenge method should be S256",
+    "Failed to create user, user information is invalid: %s": "Failed to create user, user information is invalid: %s",
+    "Failed to login in: %s": "Failed to login in: %s",
+    "Invalid token": "Invalid token",
+    "State expected: %s, but got: %s": "State expected: %s, but got: %s",
+    "The account for provider: %s and username: %s (%s) does not exist and is not allowed to sign up as new account via %%s, please use another way to sign up": "The account for provider: %s and username: %s (%s) does not exist and is not allowed to sign up as new account via %%s, please use another way to sign up",
+    "The account for provider: %s and username: %s (%s) does not exist and is not allowed to sign up as new account, please contact your IT support": "The account for provider: %s and username: %s (%s) does not exist and is not allowed to sign up as new account, please contact your IT support",
+    "The account for provider: %s and username: %s (%s) is already linked to another account: %s (%s)": "The account for provider: %s and username: %s (%s) is already linked to another account: %s (%s)",
+    "The application: %s does not exist": "The application: %s does not exist",
+    "The login method: login with password is not enabled for the application": "The login method: login with password is not enabled for the application",
+    "The provider: %s is not enabled for the application": "The provider: %s is not enabled for the application",
+    "Unauthorized operation": "Unauthorized operation",
+    "Unknown authentication type (not password or provider), form = %s": "Unknown authentication type (not password or provider), form = %s",
+    "User's tag: %s is not listed in the application's tags": "User's tag: %s is not listed in the application's tags"
+  },
+  "cas": {
+    "Service %s and %s do not match": "Service %s and %s do not match"
+  },
+  "check": {
+    "Affiliation cannot be blank": "Affiliation cannot be blank",
+    "DisplayName cannot be blank": "DisplayName cannot be blank",
+    "DisplayName is not valid real name": "DisplayName is not valid real name",
+    "Email already exists": "Email already exists",
+    "Email cannot be empty": "Email cannot be empty",
+    "Email is invalid": "Email is invalid",
+    "Empty username.": "Empty username.",
+    "FirstName cannot be blank": "FirstName cannot be blank",
+    "LDAP user name or password incorrect": "LDAP user name or password incorrect",
+    "LastName cannot be blank": "LastName cannot be blank",
+    "Multiple accounts with same uid, please check your ldap server": "Multiple accounts with same uid, please check your ldap server",
+    "Organization does not exist": "Organization does not exist",
+    "Password must have at least 6 characters": "Password must have at least 6 characters",
+    "Phone already exists": "Phone already exists",
+    "Phone cannot be empty": "Phone cannot be empty",
+    "Phone number is invalid": "Phone number is invalid",
+    "Session outdated, please login again": "Session outdated, please login again",
+    "The user is forbidden to sign in, please contact the administrator": "The user is forbidden to sign in, please contact the administrator",
+    "The user: %s doesn't exist in LDAP server": "The user: %s doesn't exist in LDAP server",
+    "The username may only contain alphanumeric characters, underlines or hyphens, cannot have consecutive hyphens or underlines, and cannot begin or end with a hyphen or underline.": "The username may only contain alphanumeric characters, underlines or hyphens, cannot have consecutive hyphens or underlines, and cannot begin or end with a hyphen or underline.",
+    "Username already exists": "Username already exists",
+    "Username cannot be an email address": "Username cannot be an email address",
+    "Username cannot contain white spaces": "Username cannot contain white spaces",
+    "Username cannot start with a digit": "Username cannot start with a digit",
+    "Username is too long (maximum is 39 characters).": "Username is too long (maximum is 39 characters).",
+    "Username must have at least 2 characters": "Username must have at least 2 characters",
+    "You have entered the wrong password or code too many times, please wait for %d minutes and try again": "You have entered the wrong password or code too many times, please wait for %d minutes and try again",
+    "Your region is not allow to signup by phone": "Your region is not allow to signup by phone",
+    "password or code is incorrect": "password or code is incorrect",
+    "password or code is incorrect, you have %d remaining chances": "password or code is incorrect, you have %d remaining chances",
+    "unsupported password type: %s": "unsupported password type: %s"
+  },
+  "general": {
+    "Missing parameter": "Missing parameter",
+    "Please login first": "Please login first",
+    "The user: %s doesn't exist": "The user: %s doesn't exist",
+    "don't support captchaProvider: ": "don't support captchaProvider: ",
+    "this operation is not allowed in demo mode": "this operation is not allowed in demo mode"
+  },
+  "ldap": {
+    "Ldap server exist": "Ldap server exist"
+  },
+  "link": {
+    "Please link first": "Please link first",
+    "This application has no providers": "This application has no providers",
+    "This application has no providers of type": "This application has no providers of type",
+    "This provider can't be unlinked": "This provider can't be unlinked",
+    "You are not the global admin, you can't unlink other users": "You are not the global admin, you can't unlink other users",
+    "You can't unlink yourself, you are not a member of any application": "You can't unlink yourself, you are not a member of any application"
+  },
+  "organization": {
+    "Only admin can modify the %s.": "Only admin can modify the %s.",
+    "The %s is immutable.": "The %s is immutable.",
+    "Unknown modify rule %s.": "Unknown modify rule %s."
+  },
+  "provider": {
+    "Invalid application id": "Invalid application id",
+    "the provider: %s does not exist": "the provider: %s does not exist"
+  },
+  "resource": {
+    "User is nil for tag: avatar": "User is nil for tag: avatar",
+    "Username or fullFilePath is empty: username = %s, fullFilePath = %s": "Username or fullFilePath is empty: username = %s, fullFilePath = %s"
+  },
+  "saml": {
+    "Application %s not found": "Application %s not found"
+  },
+  "saml_sp": {
+    "provider %s's category is not SAML": "provider %s's category is not SAML"
+  },
+  "service": {
+    "Empty parameters for emailForm: %v": "Empty parameters for emailForm: %v",
+    "Invalid Email receivers: %s": "Invalid Email receivers: %s",
+    "Invalid phone receivers: %s": "Invalid phone receivers: %s"
+  },
+  "storage": {
+    "The objectKey: %s is not allowed": "The objectKey: %s is not allowed",
+    "The provider type: %s is not supported": "The provider type: %s is not supported"
+  },
+  "token": {
+    "Empty clientId or clientSecret": "Empty clientId or clientSecret",
+    "Grant_type: %s is not supported in this application": "Grant_type: %s is not supported in this application",
+    "Invalid application or wrong clientSecret": "Invalid application or wrong clientSecret",
+    "Invalid client_id": "Invalid client_id",
+    "Redirect URI: %s doesn't exist in the allowed Redirect URI list": "Redirect URI: %s doesn't exist in the allowed Redirect URI list",
+    "Token not found, invalid accessToken": "Token not found, invalid accessToken"
+  },
+  "user": {
+    "Display name cannot be empty": "Display name cannot be empty",
+    "New password cannot contain blank space.": "New password cannot contain blank space."
+  },
+  "user_upload": {
+    "Failed to import users": "Failed to import users"
+  },
+  "util": {
+    "No application is found for userId: %s": "No application is found for userId: %s",
+    "No provider for category: %s is found for application: %s": "No provider for category: %s is found for application: %s",
+    "The provider: %s is not found": "The provider: %s is not found"
+  },
+  "verification": {
+    "Code has not been sent yet!": "Code has not been sent yet!",
+    "Invalid captcha provider.": "Invalid captcha provider.",
+    "Phone number is invalid in your region %s": "Phone number is invalid in your region %s",
+    "Turing test failed.": "Turing test failed.",
+    "Unable to get the email modify rule.": "Unable to get the email modify rule.",
+    "Unable to get the phone modify rule.": "Unable to get the phone modify rule.",
+    "Unknown type": "Unknown type",
+    "Wrong verification code!": "Wrong verification code!",
+    "You should verify your code in %d min!": "You should verify your code in %d min!",
+    "the user does not exist, please sign up first": "the user does not exist, please sign up first"
+  },
+  "webauthn": {
+    "Found no credentials for this user": "Found no credentials for this user",
+    "Please call WebAuthnSigninBegin first": "Please call WebAuthnSigninBegin first"
+  }
+}
--- a/i18n/locales/fa/data.json
+++ b/i18n/locales/fa/data.json
@ -0,0 +1,142 @@
+{
+  "account": {
+    "Failed to add user": "Failed to add user",
+    "Get init score failed, error: %w": "Get init score failed, error: %w",
+    "Please sign out first": "Please sign out first",
+    "The application does not allow to sign up new account": "The application does not allow to sign up new account"
+  },
+  "auth": {
+    "Challenge method should be S256": "Challenge method should be S256",
+    "Failed to create user, user information is invalid: %s": "Failed to create user, user information is invalid: %s",
+    "Failed to login in: %s": "Failed to login in: %s",
+    "Invalid token": "Invalid token",
+    "State expected: %s, but got: %s": "State expected: %s, but got: %s",
+    "The account for provider: %s and username: %s (%s) does not exist and is not allowed to sign up as new account via %%s, please use another way to sign up": "The account for provider: %s and username: %s (%s) does not exist and is not allowed to sign up as new account via %%s, please use another way to sign up",
+    "The account for provider: %s and username: %s (%s) does not exist and is not allowed to sign up as new account, please contact your IT support": "The account for provider: %s and username: %s (%s) does not exist and is not allowed to sign up as new account, please contact your IT support",
+    "The account for provider: %s and username: %s (%s) is already linked to another account: %s (%s)": "The account for provider: %s and username: %s (%s) is already linked to another account: %s (%s)",
+    "The application: %s does not exist": "The application: %s does not exist",
+    "The login method: login with password is not enabled for the application": "The login method: login with password is not enabled for the application",
+    "The provider: %s is not enabled for the application": "The provider: %s is not enabled for the application",
+    "Unauthorized operation": "Unauthorized operation",
+    "Unknown authentication type (not password or provider), form = %s": "Unknown authentication type (not password or provider), form = %s",
+    "User's tag: %s is not listed in the application's tags": "User's tag: %s is not listed in the application's tags"
+  },
+  "cas": {
+    "Service %s and %s do not match": "Service %s and %s do not match"
+  },
+  "check": {
+    "Affiliation cannot be blank": "Affiliation cannot be blank",
+    "DisplayName cannot be blank": "DisplayName cannot be blank",
+    "DisplayName is not valid real name": "DisplayName is not valid real name",
+    "Email already exists": "Email already exists",
+    "Email cannot be empty": "Email cannot be empty",
+    "Email is invalid": "Email is invalid",
+    "Empty username.": "Empty username.",
+    "FirstName cannot be blank": "FirstName cannot be blank",
+    "LDAP user name or password incorrect": "LDAP user name or password incorrect",
+    "LastName cannot be blank": "LastName cannot be blank",
+    "Multiple accounts with same uid, please check your ldap server": "Multiple accounts with same uid, please check your ldap server",
+    "Organization does not exist": "Organization does not exist",
+    "Password must have at least 6 characters": "Password must have at least 6 characters",
+    "Phone already exists": "Phone already exists",
+    "Phone cannot be empty": "Phone cannot be empty",
+    "Phone number is invalid": "Phone number is invalid",
+    "Session outdated, please login again": "Session outdated, please login again",
+    "The user is forbidden to sign in, please contact the administrator": "The user is forbidden to sign in, please contact the administrator",
+    "The user: %s doesn't exist in LDAP server": "The user: %s doesn't exist in LDAP server",
+    "The username may only contain alphanumeric characters, underlines or hyphens, cannot have consecutive hyphens or underlines, and cannot begin or end with a hyphen or underline.": "The username may only contain alphanumeric characters, underlines or hyphens, cannot have consecutive hyphens or underlines, and cannot begin or end with a hyphen or underline.",
+    "Username already exists": "Username already exists",
+    "Username cannot be an email address": "Username cannot be an email address",
+    "Username cannot contain white spaces": "Username cannot contain white spaces",
+    "Username cannot start with a digit": "Username cannot start with a digit",
+    "Username is too long (maximum is 39 characters).": "Username is too long (maximum is 39 characters).",
+    "Username must have at least 2 characters": "Username must have at least 2 characters",
+    "You have entered the wrong password or code too many times, please wait for %d minutes and try again": "You have entered the wrong password or code too many times, please wait for %d minutes and try again",
+    "Your region is not allow to signup by phone": "Your region is not allow to signup by phone",
+    "password or code is incorrect": "password or code is incorrect",
+    "password or code is incorrect, you have %d remaining chances": "password or code is incorrect, you have %d remaining chances",
+    "unsupported password type: %s": "unsupported password type: %s"
+  },
+  "general": {
+    "Missing parameter": "Missing parameter",
+    "Please login first": "Please login first",
+    "The user: %s doesn't exist": "The user: %s doesn't exist",
+    "don't support captchaProvider: ": "don't support captchaProvider: ",
+    "this operation is not allowed in demo mode": "this operation is not allowed in demo mode"
+  },
+  "ldap": {
+    "Ldap server exist": "Ldap server exist"
+  },
+  "link": {
+    "Please link first": "Please link first",
+    "This application has no providers": "This application has no providers",
+    "This application has no providers of type": "This application has no providers of type",
+    "This provider can't be unlinked": "This provider can't be unlinked",
+    "You are not the global admin, you can't unlink other users": "You are not the global admin, you can't unlink other users",
+    "You can't unlink yourself, you are not a member of any application": "You can't unlink yourself, you are not a member of any application"
+  },
+  "organization": {
+    "Only admin can modify the %s.": "Only admin can modify the %s.",
+    "The %s is immutable.": "The %s is immutable.",
+    "Unknown modify rule %s.": "Unknown modify rule %s."
+  },
+  "provider": {
+    "Invalid application id": "Invalid application id",
+    "the provider: %s does not exist": "the provider: %s does not exist"
+  },
+  "resource": {
+    "User is nil for tag: avatar": "User is nil for tag: avatar",
+    "Username or fullFilePath is empty: username = %s, fullFilePath = %s": "Username or fullFilePath is empty: username = %s, fullFilePath = %s"
+  },
+  "saml": {
+    "Application %s not found": "Application %s not found"
+  },
+  "saml_sp": {
+    "provider %s's category is not SAML": "provider %s's category is not SAML"
+  },
+  "service": {
+    "Empty parameters for emailForm: %v": "Empty parameters for emailForm: %v",
+    "Invalid Email receivers: %s": "Invalid Email receivers: %s",
+    "Invalid phone receivers: %s": "Invalid phone receivers: %s"
+  },
+  "storage": {
+    "The objectKey: %s is not allowed": "The objectKey: %s is not allowed",
+    "The provider type: %s is not supported": "The provider type: %s is not supported"
+  },
+  "token": {
+    "Empty clientId or clientSecret": "Empty clientId or clientSecret",
+    "Grant_type: %s is not supported in this application": "Grant_type: %s is not supported in this application",
+    "Invalid application or wrong clientSecret": "Invalid application or wrong clientSecret",
+    "Invalid client_id": "Invalid client_id",
+    "Redirect URI: %s doesn't exist in the allowed Redirect URI list": "Redirect URI: %s doesn't exist in the allowed Redirect URI list",
+    "Token not found, invalid accessToken": "Token not found, invalid accessToken"
+  },
+  "user": {
+    "Display name cannot be empty": "Display name cannot be empty",
+    "New password cannot contain blank space.": "New password cannot contain blank space."
+  },
+  "user_upload": {
+    "Failed to import users": "Failed to import users"
+  },
+  "util": {
+    "No application is found for userId: %s": "No application is found for userId: %s",
+    "No provider for category: %s is found for application: %s": "No provider for category: %s is found for application: %s",
+    "The provider: %s is not found": "The provider: %s is not found"
+  },
+  "verification": {
+    "Code has not been sent yet!": "Code has not been sent yet!",
+    "Invalid captcha provider.": "Invalid captcha provider.",
+    "Phone number is invalid in your region %s": "Phone number is invalid in your region %s",
+    "Turing test failed.": "Turing test failed.",
+    "Unable to get the email modify rule.": "Unable to get the email modify rule.",
+    "Unable to get the phone modify rule.": "Unable to get the phone modify rule.",
+    "Unknown type": "Unknown type",
+    "Wrong verification code!": "Wrong verification code!",
+    "You should verify your code in %d min!": "You should verify your code in %d min!",
+    "the user does not exist, please sign up first": "the user does not exist, please sign up first"
+  },
+  "webauthn": {
+    "Found no credentials for this user": "Found no credentials for this user",
+    "Please call WebAuthnSigninBegin first": "Please call WebAuthnSigninBegin first"
+  }
+}
--- a/i18n/locales/fi/data.json
+++ b/i18n/locales/fi/data.json
@ -0,0 +1,142 @@
+{
+  "account": {
+    "Failed to add user": "Failed to add user",
+    "Get init score failed, error: %w": "Get init score failed, error: %w",
+    "Please sign out first": "Please sign out first",
+    "The application does not allow to sign up new account": "The application does not allow to sign up new account"
+  },
+  "auth": {
+    "Challenge method should be S256": "Challenge method should be S256",
+    "Failed to create user, user information is invalid: %s": "Failed to create user, user information is invalid: %s",
+    "Failed to login in: %s": "Failed to login in: %s",
+    "Invalid token": "Invalid token",
+    "State expected: %s, but got: %s": "State expected: %s, but got: %s",
+    "The account for provider: %s and username: %s (%s) does not exist and is not allowed to sign up as new account via %%s, please use another way to sign up": "The account for provider: %s and username: %s (%s) does not exist and is not allowed to sign up as new account via %%s, please use another way to sign up",
+    "The account for provider: %s and username: %s (%s) does not exist and is not allowed to sign up as new account, please contact your IT support": "The account for provider: %s and username: %s (%s) does not exist and is not allowed to sign up as new account, please contact your IT support",
+    "The account for provider: %s and username: %s (%s) is already linked to another account: %s (%s)": "The account for provider: %s and username: %s (%s) is already linked to another account: %s (%s)",
+    "The application: %s does not exist": "The application: %s does not exist",
+    "The login method: login with password is not enabled for the application": "The login method: login with password is not enabled for the application",
+    "The provider: %s is not enabled for the application": "The provider: %s is not enabled for the application",
+    "Unauthorized operation": "Unauthorized operation",
+    "Unknown authentication type (not password or provider), form = %s": "Unknown authentication type (not password or provider), form = %s",
+    "User's tag: %s is not listed in the application's tags": "User's tag: %s is not listed in the application's tags"
+  },
+  "cas": {
+    "Service %s and %s do not match": "Service %s and %s do not match"
+  },
+  "check": {
+    "Affiliation cannot be blank": "Affiliation cannot be blank",
+    "DisplayName cannot be blank": "DisplayName cannot be blank",
+    "DisplayName is not valid real name": "DisplayName is not valid real name",
+    "Email already exists": "Email already exists",
+    "Email cannot be empty": "Email cannot be empty",
+    "Email is invalid": "Email is invalid",
+    "Empty username.": "Empty username.",
+    "FirstName cannot be blank": "FirstName cannot be blank",
+    "LDAP user name or password incorrect": "LDAP user name or password incorrect",
+    "LastName cannot be blank": "LastName cannot be blank",
+    "Multiple accounts with same uid, please check your ldap server": "Multiple accounts with same uid, please check your ldap server",
+    "Organization does not exist": "Organization does not exist",
+    "Password must have at least 6 characters": "Password must have at least 6 characters",
+    "Phone already exists": "Phone already exists",
+    "Phone cannot be empty": "Phone cannot be empty",
+    "Phone number is invalid": "Phone number is invalid",
+    "Session outdated, please login again": "Session outdated, please login again",
+    "The user is forbidden to sign in, please contact the administrator": "The user is forbidden to sign in, please contact the administrator",
+    "The user: %s doesn't exist in LDAP server": "The user: %s doesn't exist in LDAP server",
+    "The username may only contain alphanumeric characters, underlines or hyphens, cannot have consecutive hyphens or underlines, and cannot begin or end with a hyphen or underline.": "The username may only contain alphanumeric characters, underlines or hyphens, cannot have consecutive hyphens or underlines, and cannot begin or end with a hyphen or underline.",
+    "Username already exists": "Username already exists",
+    "Username cannot be an email address": "Username cannot be an email address",
+    "Username cannot contain white spaces": "Username cannot contain white spaces",
+    "Username cannot start with a digit": "Username cannot start with a digit",
+    "Username is too long (maximum is 39 characters).": "Username is too long (maximum is 39 characters).",
+    "Username must have at least 2 characters": "Username must have at least 2 characters",
+    "You have entered the wrong password or code too many times, please wait for %d minutes and try again": "You have entered the wrong password or code too many times, please wait for %d minutes and try again",
+    "Your region is not allow to signup by phone": "Your region is not allow to signup by phone",
+    "password or code is incorrect": "password or code is incorrect",
+    "password or code is incorrect, you have %d remaining chances": "password or code is incorrect, you have %d remaining chances",
+    "unsupported password type: %s": "unsupported password type: %s"
+  },
+  "general": {
+    "Missing parameter": "Missing parameter",
+    "Please login first": "Please login first",
+    "The user: %s doesn't exist": "The user: %s doesn't exist",
+    "don't support captchaProvider: ": "don't support captchaProvider: ",
+    "this operation is not allowed in demo mode": "this operation is not allowed in demo mode"
+  },
+  "ldap": {
+    "Ldap server exist": "Ldap server exist"
+  },
+  "link": {
+    "Please link first": "Please link first",
+    "This application has no providers": "This application has no providers",
+    "This application has no providers of type": "This application has no providers of type",
+    "This provider can't be unlinked": "This provider can't be unlinked",
+    "You are not the global admin, you can't unlink other users": "You are not the global admin, you can't unlink other users",
+    "You can't unlink yourself, you are not a member of any application": "You can't unlink yourself, you are not a member of any application"
+  },
+  "organization": {
+    "Only admin can modify the %s.": "Only admin can modify the %s.",
+    "The %s is immutable.": "The %s is immutable.",
+    "Unknown modify rule %s.": "Unknown modify rule %s."
+  },
+  "provider": {
+    "Invalid application id": "Invalid application id",
+    "the provider: %s does not exist": "the provider: %s does not exist"
+  },
+  "resource": {
+    "User is nil for tag: avatar": "User is nil for tag: avatar",
+    "Username or fullFilePath is empty: username = %s, fullFilePath = %s": "Username or fullFilePath is empty: username = %s, fullFilePath = %s"
+  },
+  "saml": {
+    "Application %s not found": "Application %s not found"
+  },
+  "saml_sp": {
+    "provider %s's category is not SAML": "provider %s's category is not SAML"
+  },
+  "service": {
+    "Empty parameters for emailForm: %v": "Empty parameters for emailForm: %v",
+    "Invalid Email receivers: %s": "Invalid Email receivers: %s",
+    "Invalid phone receivers: %s": "Invalid phone receivers: %s"
+  },
+  "storage": {
+    "The objectKey: %s is not allowed": "The objectKey: %s is not allowed",
+    "The provider type: %s is not supported": "The provider type: %s is not supported"
+  },
+  "token": {
+    "Empty clientId or clientSecret": "Empty clientId or clientSecret",
+    "Grant_type: %s is not supported in this application": "Grant_type: %s is not supported in this application",
+    "Invalid application or wrong clientSecret": "Invalid application or wrong clientSecret",
+    "Invalid client_id": "Invalid client_id",
+    "Redirect URI: %s doesn't exist in the allowed Redirect URI list": "Redirect URI: %s doesn't exist in the allowed Redirect URI list",
+    "Token not found, invalid accessToken": "Token not found, invalid accessToken"
+  },
+  "user": {
+    "Display name cannot be empty": "Display name cannot be empty",
+    "New password cannot contain blank space.": "New password cannot contain blank space."
+  },
+  "user_upload": {
+    "Failed to import users": "Failed to import users"
+  },
+  "util": {
+    "No application is found for userId: %s": "No application is found for userId: %s",
+    "No provider for category: %s is found for application: %s": "No provider for category: %s is found for application: %s",
+    "The provider: %s is not found": "The provider: %s is not found"
+  },
+  "verification": {
+    "Code has not been sent yet!": "Code has not been sent yet!",
+    "Invalid captcha provider.": "Invalid captcha provider.",
+    "Phone number is invalid in your region %s": "Phone number is invalid in your region %s",
+    "Turing test failed.": "Turing test failed.",
+    "Unable to get the email modify rule.": "Unable to get the email modify rule.",
+    "Unable to get the phone modify rule.": "Unable to get the phone modify rule.",
+    "Unknown type": "Unknown type",
+    "Wrong verification code!": "Wrong verification code!",
+    "You should verify your code in %d min!": "You should verify your code in %d min!",
+    "the user does not exist, please sign up first": "the user does not exist, please sign up first"
+  },
+  "webauthn": {
+    "Found no credentials for this user": "Found no credentials for this user",
+    "Please call WebAuthnSigninBegin first": "Please call WebAuthnSigninBegin first"
+  }
+}
--- a/i18n/locales/he/data.json
+++ b/i18n/locales/he/data.json
@ -0,0 +1,142 @@
+{
+  "account": {
+    "Failed to add user": "Failed to add user",
+    "Get init score failed, error: %w": "Get init score failed, error: %w",
+    "Please sign out first": "Please sign out first",
+    "The application does not allow to sign up new account": "The application does not allow to sign up new account"
+  },
+  "auth": {
+    "Challenge method should be S256": "Challenge method should be S256",
+    "Failed to create user, user information is invalid: %s": "Failed to create user, user information is invalid: %s",
+    "Failed to login in: %s": "Failed to login in: %s",
+    "Invalid token": "Invalid token",
+    "State expected: %s, but got: %s": "State expected: %s, but got: %s",
+    "The account for provider: %s and username: %s (%s) does not exist and is not allowed to sign up as new account via %%s, please use another way to sign up": "The account for provider: %s and username: %s (%s) does not exist and is not allowed to sign up as new account via %%s, please use another way to sign up",
+    "The account for provider: %s and username: %s (%s) does not exist and is not allowed to sign up as new account, please contact your IT support": "The account for provider: %s and username: %s (%s) does not exist and is not allowed to sign up as new account, please contact your IT support",
+    "The account for provider: %s and username: %s (%s) is already linked to another account: %s (%s)": "The account for provider: %s and username: %s (%s) is already linked to another account: %s (%s)",
+    "The application: %s does not exist": "The application: %s does not exist",
+    "The login method: login with password is not enabled for the application": "The login method: login with password is not enabled for the application",
+    "The provider: %s is not enabled for the application": "The provider: %s is not enabled for the application",
+    "Unauthorized operation": "Unauthorized operation",
+    "Unknown authentication type (not password or provider), form = %s": "Unknown authentication type (not password or provider), form = %s",
+    "User's tag: %s is not listed in the application's tags": "User's tag: %s is not listed in the application's tags"
+  },
+  "cas": {
+    "Service %s and %s do not match": "Service %s and %s do not match"
+  },
+  "check": {
+    "Affiliation cannot be blank": "Affiliation cannot be blank",
+    "DisplayName cannot be blank": "DisplayName cannot be blank",
+    "DisplayName is not valid real name": "DisplayName is not valid real name",
+    "Email already exists": "Email already exists",
+    "Email cannot be empty": "Email cannot be empty",
+    "Email is invalid": "Email is invalid",
+    "Empty username.": "Empty username.",
+    "FirstName cannot be blank": "FirstName cannot be blank",
+    "LDAP user name or password incorrect": "LDAP user name or password incorrect",
+    "LastName cannot be blank": "LastName cannot be blank",
+    "Multiple accounts with same uid, please check your ldap server": "Multiple accounts with same uid, please check your ldap server",
+    "Organization does not exist": "Organization does not exist",
+    "Password must have at least 6 characters": "Password must have at least 6 characters",
+    "Phone already exists": "Phone already exists",
+    "Phone cannot be empty": "Phone cannot be empty",
+    "Phone number is invalid": "Phone number is invalid",
+    "Session outdated, please login again": "Session outdated, please login again",
+    "The user is forbidden to sign in, please contact the administrator": "The user is forbidden to sign in, please contact the administrator",
+    "The user: %s doesn't exist in LDAP server": "The user: %s doesn't exist in LDAP server",
+    "The username may only contain alphanumeric characters, underlines or hyphens, cannot have consecutive hyphens or underlines, and cannot begin or end with a hyphen or underline.": "The username may only contain alphanumeric characters, underlines or hyphens, cannot have consecutive hyphens or underlines, and cannot begin or end with a hyphen or underline.",
+    "Username already exists": "Username already exists",
+    "Username cannot be an email address": "Username cannot be an email address",
+    "Username cannot contain white spaces": "Username cannot contain white spaces",
+    "Username cannot start with a digit": "Username cannot start with a digit",
+    "Username is too long (maximum is 39 characters).": "Username is too long (maximum is 39 characters).",
+    "Username must have at least 2 characters": "Username must have at least 2 characters",
+    "You have entered the wrong password or code too many times, please wait for %d minutes and try again": "You have entered the wrong password or code too many times, please wait for %d minutes and try again",
+    "Your region is not allow to signup by phone": "Your region is not allow to signup by phone",
+    "password or code is incorrect": "password or code is incorrect",
+    "password or code is incorrect, you have %d remaining chances": "password or code is incorrect, you have %d remaining chances",
+    "unsupported password type: %s": "unsupported password type: %s"
+  },
+  "general": {
+    "Missing parameter": "Missing parameter",
+    "Please login first": "Please login first",
+    "The user: %s doesn't exist": "The user: %s doesn't exist",
+    "don't support captchaProvider: ": "don't support captchaProvider: ",
+    "this operation is not allowed in demo mode": "this operation is not allowed in demo mode"
+  },
+  "ldap": {
+    "Ldap server exist": "Ldap server exist"
+  },
+  "link": {
+    "Please link first": "Please link first",
+    "This application has no providers": "This application has no providers",
+    "This application has no providers of type": "This application has no providers of type",
+    "This provider can't be unlinked": "This provider can't be unlinked",
+    "You are not the global admin, you can't unlink other users": "You are not the global admin, you can't unlink other users",
+    "You can't unlink yourself, you are not a member of any application": "You can't unlink yourself, you are not a member of any application"
+  },
+  "organization": {
+    "Only admin can modify the %s.": "Only admin can modify the %s.",
+    "The %s is immutable.": "The %s is immutable.",
+    "Unknown modify rule %s.": "Unknown modify rule %s."
+  },
+  "provider": {
+    "Invalid application id": "Invalid application id",
+    "the provider: %s does not exist": "the provider: %s does not exist"
+  },
+  "resource": {
+    "User is nil for tag: avatar": "User is nil for tag: avatar",
+    "Username or fullFilePath is empty: username = %s, fullFilePath = %s": "Username or fullFilePath is empty: username = %s, fullFilePath = %s"
+  },
+  "saml": {
+    "Application %s not found": "Application %s not found"
+  },
+  "saml_sp": {
+    "provider %s's category is not SAML": "provider %s's category is not SAML"
+  },
+  "service": {
+    "Empty parameters for emailForm: %v": "Empty parameters for emailForm: %v",
+    "Invalid Email receivers: %s": "Invalid Email receivers: %s",
+    "Invalid phone receivers: %s": "Invalid phone receivers: %s"
+  },
+  "storage": {
+    "The objectKey: %s is not allowed": "The objectKey: %s is not allowed",
+    "The provider type: %s is not supported": "The provider type: %s is not supported"
+  },
+  "token": {
+    "Empty clientId or clientSecret": "Empty clientId or clientSecret",
+    "Grant_type: %s is not supported in this application": "Grant_type: %s is not supported in this application",
+    "Invalid application or wrong clientSecret": "Invalid application or wrong clientSecret",
+    "Invalid client_id": "Invalid client_id",
+    "Redirect URI: %s doesn't exist in the allowed Redirect URI list": "Redirect URI: %s doesn't exist in the allowed Redirect URI list",
+    "Token not found, invalid accessToken": "Token not found, invalid accessToken"
+  },
+  "user": {
+    "Display name cannot be empty": "Display name cannot be empty",
+    "New password cannot contain blank space.": "New password cannot contain blank space."
+  },
+  "user_upload": {
+    "Failed to import users": "Failed to import users"
+  },
+  "util": {
+    "No application is found for userId: %s": "No application is found for userId: %s",
+    "No provider for category: %s is found for application: %s": "No provider for category: %s is found for application: %s",
+    "The provider: %s is not found": "The provider: %s is not found"
+  },
+  "verification": {
+    "Code has not been sent yet!": "Code has not been sent yet!",
+    "Invalid captcha provider.": "Invalid captcha provider.",
+    "Phone number is invalid in your region %s": "Phone number is invalid in your region %s",
+    "Turing test failed.": "Turing test failed.",
+    "Unable to get the email modify rule.": "Unable to get the email modify rule.",
+    "Unable to get the phone modify rule.": "Unable to get the phone modify rule.",
+    "Unknown type": "Unknown type",
+    "Wrong verification code!": "Wrong verification code!",
+    "You should verify your code in %d min!": "You should verify your code in %d min!",
+    "the user does not exist, please sign up first": "the user does not exist, please sign up first"
+  },
+  "webauthn": {
+    "Found no credentials for this user": "Found no credentials for this user",
+    "Please call WebAuthnSigninBegin first": "Please call WebAuthnSigninBegin first"
+  }
+}
--- a/i18n/locales/kk/data.json
+++ b/i18n/locales/kk/data.json
@ -0,0 +1,142 @@
+{
+  "account": {
+    "Failed to add user": "Failed to add user",
+    "Get init score failed, error: %w": "Get init score failed, error: %w",
+    "Please sign out first": "Please sign out first",
+    "The application does not allow to sign up new account": "The application does not allow to sign up new account"
+  },
+  "auth": {
+    "Challenge method should be S256": "Challenge method should be S256",
+    "Failed to create user, user information is invalid: %s": "Failed to create user, user information is invalid: %s",
+    "Failed to login in: %s": "Failed to login in: %s",
+    "Invalid token": "Invalid token",
+    "State expected: %s, but got: %s": "State expected: %s, but got: %s",
+    "The account for provider: %s and username: %s (%s) does not exist and is not allowed to sign up as new account via %%s, please use another way to sign up": "The account for provider: %s and username: %s (%s) does not exist and is not allowed to sign up as new account via %%s, please use another way to sign up",
+    "The account for provider: %s and username: %s (%s) does not exist and is not allowed to sign up as new account, please contact your IT support": "The account for provider: %s and username: %s (%s) does not exist and is not allowed to sign up as new account, please contact your IT support",
+    "The account for provider: %s and username: %s (%s) is already linked to another account: %s (%s)": "The account for provider: %s and username: %s (%s) is already linked to another account: %s (%s)",
+    "The application: %s does not exist": "The application: %s does not exist",
+    "The login method: login with password is not enabled for the application": "The login method: login with password is not enabled for the application",
+    "The provider: %s is not enabled for the application": "The provider: %s is not enabled for the application",
+    "Unauthorized operation": "Unauthorized operation",
+    "Unknown authentication type (not password or provider), form = %s": "Unknown authentication type (not password or provider), form = %s",
+    "User's tag: %s is not listed in the application's tags": "User's tag: %s is not listed in the application's tags"
+  },
+  "cas": {
+    "Service %s and %s do not match": "Service %s and %s do not match"
+  },
+  "check": {
+    "Affiliation cannot be blank": "Affiliation cannot be blank",
+    "DisplayName cannot be blank": "DisplayName cannot be blank",
+    "DisplayName is not valid real name": "DisplayName is not valid real name",
+    "Email already exists": "Email already exists",
+    "Email cannot be empty": "Email cannot be empty",
+    "Email is invalid": "Email is invalid",
+    "Empty username.": "Empty username.",
+    "FirstName cannot be blank": "FirstName cannot be blank",
+    "LDAP user name or password incorrect": "LDAP user name or password incorrect",
+    "LastName cannot be blank": "LastName cannot be blank",
+    "Multiple accounts with same uid, please check your ldap server": "Multiple accounts with same uid, please check your ldap server",
+    "Organization does not exist": "Organization does not exist",
+    "Password must have at least 6 characters": "Password must have at least 6 characters",
+    "Phone already exists": "Phone already exists",
+    "Phone cannot be empty": "Phone cannot be empty",
+    "Phone number is invalid": "Phone number is invalid",
+    "Session outdated, please login again": "Session outdated, please login again",
+    "The user is forbidden to sign in, please contact the administrator": "The user is forbidden to sign in, please contact the administrator",
+    "The user: %s doesn't exist in LDAP server": "The user: %s doesn't exist in LDAP server",
+    "The username may only contain alphanumeric characters, underlines or hyphens, cannot have consecutive hyphens or underlines, and cannot begin or end with a hyphen or underline.": "The username may only contain alphanumeric characters, underlines or hyphens, cannot have consecutive hyphens or underlines, and cannot begin or end with a hyphen or underline.",
+    "Username already exists": "Username already exists",
+    "Username cannot be an email address": "Username cannot be an email address",
+    "Username cannot contain white spaces": "Username cannot contain white spaces",
+    "Username cannot start with a digit": "Username cannot start with a digit",
+    "Username is too long (maximum is 39 characters).": "Username is too long (maximum is 39 characters).",
+    "Username must have at least 2 characters": "Username must have at least 2 characters",
+    "You have entered the wrong password or code too many times, please wait for %d minutes and try again": "You have entered the wrong password or code too many times, please wait for %d minutes and try again",
+    "Your region is not allow to signup by phone": "Your region is not allow to signup by phone",
+    "password or code is incorrect": "password or code is incorrect",
+    "password or code is incorrect, you have %d remaining chances": "password or code is incorrect, you have %d remaining chances",
+    "unsupported password type: %s": "unsupported password type: %s"
+  },
+  "general": {
+    "Missing parameter": "Missing parameter",
+    "Please login first": "Please login first",
+    "The user: %s doesn't exist": "The user: %s doesn't exist",
+    "don't support captchaProvider: ": "don't support captchaProvider: ",
+    "this operation is not allowed in demo mode": "this operation is not allowed in demo mode"
+  },
+  "ldap": {
+    "Ldap server exist": "Ldap server exist"
+  },
+  "link": {
+    "Please link first": "Please link first",
+    "This application has no providers": "This application has no providers",
+    "This application has no providers of type": "This application has no providers of type",
+    "This provider can't be unlinked": "This provider can't be unlinked",
+    "You are not the global admin, you can't unlink other users": "You are not the global admin, you can't unlink other users",
+    "You can't unlink yourself, you are not a member of any application": "You can't unlink yourself, you are not a member of any application"
+  },
+  "organization": {
+    "Only admin can modify the %s.": "Only admin can modify the %s.",
+    "The %s is immutable.": "The %s is immutable.",
+    "Unknown modify rule %s.": "Unknown modify rule %s."
+  },
+  "provider": {
+    "Invalid application id": "Invalid application id",
+    "the provider: %s does not exist": "the provider: %s does not exist"
+  },
+  "resource": {
+    "User is nil for tag: avatar": "User is nil for tag: avatar",
+    "Username or fullFilePath is empty: username = %s, fullFilePath = %s": "Username or fullFilePath is empty: username = %s, fullFilePath = %s"
+  },
+  "saml": {
+    "Application %s not found": "Application %s not found"
+  },
+  "saml_sp": {
+    "provider %s's category is not SAML": "provider %s's category is not SAML"
+  },
+  "service": {
+    "Empty parameters for emailForm: %v": "Empty parameters for emailForm: %v",
+    "Invalid Email receivers: %s": "Invalid Email receivers: %s",
+    "Invalid phone receivers: %s": "Invalid phone receivers: %s"
+  },
+  "storage": {
+    "The objectKey: %s is not allowed": "The objectKey: %s is not allowed",
+    "The provider type: %s is not supported": "The provider type: %s is not supported"
+  },
+  "token": {
+    "Empty clientId or clientSecret": "Empty clientId or clientSecret",
+    "Grant_type: %s is not supported in this application": "Grant_type: %s is not supported in this application",
+    "Invalid application or wrong clientSecret": "Invalid application or wrong clientSecret",
+    "Invalid client_id": "Invalid client_id",
+    "Redirect URI: %s doesn't exist in the allowed Redirect URI list": "Redirect URI: %s doesn't exist in the allowed Redirect URI list",
+    "Token not found, invalid accessToken": "Token not found, invalid accessToken"
+  },
+  "user": {
+    "Display name cannot be empty": "Display name cannot be empty",
+    "New password cannot contain blank space.": "New password cannot contain blank space."
+  },
+  "user_upload": {
+    "Failed to import users": "Failed to import users"
+  },
+  "util": {
+    "No application is found for userId: %s": "No application is found for userId: %s",
+    "No provider for category: %s is found for application: %s": "No provider for category: %s is found for application: %s",
+    "The provider: %s is not found": "The provider: %s is not found"
+  },
+  "verification": {
+    "Code has not been sent yet!": "Code has not been sent yet!",
+    "Invalid captcha provider.": "Invalid captcha provider.",
+    "Phone number is invalid in your region %s": "Phone number is invalid in your region %s",
+    "Turing test failed.": "Turing test failed.",
+    "Unable to get the email modify rule.": "Unable to get the email modify rule.",
+    "Unable to get the phone modify rule.": "Unable to get the phone modify rule.",
+    "Unknown type": "Unknown type",
+    "Wrong verification code!": "Wrong verification code!",
+    "You should verify your code in %d min!": "You should verify your code in %d min!",
+    "the user does not exist, please sign up first": "the user does not exist, please sign up first"
+  },
+  "webauthn": {
+    "Found no credentials for this user": "Found no credentials for this user",
+    "Please call WebAuthnSigninBegin first": "Please call WebAuthnSigninBegin first"
+  }
+}
--- a/i18n/locales/nl/data.json
+++ b/i18n/locales/nl/data.json
@ -0,0 +1,142 @@
+{
+  "account": {
+    "Failed to add user": "Failed to add user",
+    "Get init score failed, error: %w": "Get init score failed, error: %w",
+    "Please sign out first": "Please sign out first",
+    "The application does not allow to sign up new account": "The application does not allow to sign up new account"
+  },
+  "auth": {
+    "Challenge method should be S256": "Challenge method should be S256",
+    "Failed to create user, user information is invalid: %s": "Failed to create user, user information is invalid: %s",
+    "Failed to login in: %s": "Failed to login in: %s",
+    "Invalid token": "Invalid token",
+    "State expected: %s, but got: %s": "State expected: %s, but got: %s",
+    "The account for provider: %s and username: %s (%s) does not exist and is not allowed to sign up as new account via %%s, please use another way to sign up": "The account for provider: %s and username: %s (%s) does not exist and is not allowed to sign up as new account via %%s, please use another way to sign up",
+    "The account for provider: %s and username: %s (%s) does not exist and is not allowed to sign up as new account, please contact your IT support": "The account for provider: %s and username: %s (%s) does not exist and is not allowed to sign up as new account, please contact your IT support",
+    "The account for provider: %s and username: %s (%s) is already linked to another account: %s (%s)": "The account for provider: %s and username: %s (%s) is already linked to another account: %s (%s)",
+    "The application: %s does not exist": "The application: %s does not exist",
+    "The login method: login with password is not enabled for the application": "The login method: login with password is not enabled for the application",
+    "The provider: %s is not enabled for the application": "The provider: %s is not enabled for the application",
+    "Unauthorized operation": "Unauthorized operation",
+    "Unknown authentication type (not password or provider), form = %s": "Unknown authentication type (not password or provider), form = %s",
+    "User's tag: %s is not listed in the application's tags": "User's tag: %s is not listed in the application's tags"
+  },
+  "cas": {
+    "Service %s and %s do not match": "Service %s and %s do not match"
+  },
+  "check": {
+    "Affiliation cannot be blank": "Affiliation cannot be blank",
+    "DisplayName cannot be blank": "DisplayName cannot be blank",
+    "DisplayName is not valid real name": "DisplayName is not valid real name",
+    "Email already exists": "Email already exists",
+    "Email cannot be empty": "Email cannot be empty",
+    "Email is invalid": "Email is invalid",
+    "Empty username.": "Empty username.",
+    "FirstName cannot be blank": "FirstName cannot be blank",
+    "LDAP user name or password incorrect": "LDAP user name or password incorrect",
+    "LastName cannot be blank": "LastName cannot be blank",
+    "Multiple accounts with same uid, please check your ldap server": "Multiple accounts with same uid, please check your ldap server",
+    "Organization does not exist": "Organization does not exist",
+    "Password must have at least 6 characters": "Password must have at least 6 characters",
+    "Phone already exists": "Phone already exists",
+    "Phone cannot be empty": "Phone cannot be empty",
+    "Phone number is invalid": "Phone number is invalid",
+    "Session outdated, please login again": "Session outdated, please login again",
+    "The user is forbidden to sign in, please contact the administrator": "The user is forbidden to sign in, please contact the administrator",
+    "The user: %s doesn't exist in LDAP server": "The user: %s doesn't exist in LDAP server",
+    "The username may only contain alphanumeric characters, underlines or hyphens, cannot have consecutive hyphens or underlines, and cannot begin or end with a hyphen or underline.": "The username may only contain alphanumeric characters, underlines or hyphens, cannot have consecutive hyphens or underlines, and cannot begin or end with a hyphen or underline.",
+    "Username already exists": "Username already exists",
+    "Username cannot be an email address": "Username cannot be an email address",
+    "Username cannot contain white spaces": "Username cannot contain white spaces",
+    "Username cannot start with a digit": "Username cannot start with a digit",
+    "Username is too long (maximum is 39 characters).": "Username is too long (maximum is 39 characters).",
+    "Username must have at least 2 characters": "Username must have at least 2 characters",
+    "You have entered the wrong password or code too many times, please wait for %d minutes and try again": "You have entered the wrong password or code too many times, please wait for %d minutes and try again",
+    "Your region is not allow to signup by phone": "Your region is not allow to signup by phone",
+    "password or code is incorrect": "password or code is incorrect",
+    "password or code is incorrect, you have %d remaining chances": "password or code is incorrect, you have %d remaining chances",
+    "unsupported password type: %s": "unsupported password type: %s"
+  },
+  "general": {
+    "Missing parameter": "Missing parameter",
+    "Please login first": "Please login first",
+    "The user: %s doesn't exist": "The user: %s doesn't exist",
+    "don't support captchaProvider: ": "don't support captchaProvider: ",
+    "this operation is not allowed in demo mode": "this operation is not allowed in demo mode"
+  },
+  "ldap": {
+    "Ldap server exist": "Ldap server exist"
+  },
+  "link": {
+    "Please link first": "Please link first",
+    "This application has no providers": "This application has no providers",
+    "This application has no providers of type": "This application has no providers of type",
+    "This provider can't be unlinked": "This provider can't be unlinked",
+    "You are not the global admin, you can't unlink other users": "You are not the global admin, you can't unlink other users",
+    "You can't unlink yourself, you are not a member of any application": "You can't unlink yourself, you are not a member of any application"
+  },
+  "organization": {
+    "Only admin can modify the %s.": "Only admin can modify the %s.",
+    "The %s is immutable.": "The %s is immutable.",
+    "Unknown modify rule %s.": "Unknown modify rule %s."
+  },
+  "provider": {
+    "Invalid application id": "Invalid application id",
+    "the provider: %s does not exist": "the provider: %s does not exist"
+  },
+  "resource": {
+    "User is nil for tag: avatar": "User is nil for tag: avatar",
+    "Username or fullFilePath is empty: username = %s, fullFilePath = %s": "Username or fullFilePath is empty: username = %s, fullFilePath = %s"
+  },
+  "saml": {
+    "Application %s not found": "Application %s not found"
+  },
+  "saml_sp": {
+    "provider %s's category is not SAML": "provider %s's category is not SAML"
+  },
+  "service": {
+    "Empty parameters for emailForm: %v": "Empty parameters for emailForm: %v",
+    "Invalid Email receivers: %s": "Invalid Email receivers: %s",
+    "Invalid phone receivers: %s": "Invalid phone receivers: %s"
+  },
+  "storage": {
+    "The objectKey: %s is not allowed": "The objectKey: %s is not allowed",
+    "The provider type: %s is not supported": "The provider type: %s is not supported"
+  },
+  "token": {
+    "Empty clientId or clientSecret": "Empty clientId or clientSecret",
+    "Grant_type: %s is not supported in this application": "Grant_type: %s is not supported in this application",
+    "Invalid application or wrong clientSecret": "Invalid application or wrong clientSecret",
+    "Invalid client_id": "Invalid client_id",
+    "Redirect URI: %s doesn't exist in the allowed Redirect URI list": "Redirect URI: %s doesn't exist in the allowed Redirect URI list",
+    "Token not found, invalid accessToken": "Token not found, invalid accessToken"
+  },
+  "user": {
+    "Display name cannot be empty": "Display name cannot be empty",
+    "New password cannot contain blank space.": "New password cannot contain blank space."
+  },
+  "user_upload": {
+    "Failed to import users": "Failed to import users"
+  },
+  "util": {
+    "No application is found for userId: %s": "No application is found for userId: %s",
+    "No provider for category: %s is found for application: %s": "No provider for category: %s is found for application: %s",
+    "The provider: %s is not found": "The provider: %s is not found"
+  },
+  "verification": {
+    "Code has not been sent yet!": "Code has not been sent yet!",
+    "Invalid captcha provider.": "Invalid captcha provider.",
+    "Phone number is invalid in your region %s": "Phone number is invalid in your region %s",
+    "Turing test failed.": "Turing test failed.",
+    "Unable to get the email modify rule.": "Unable to get the email modify rule.",
+    "Unable to get the phone modify rule.": "Unable to get the phone modify rule.",
+    "Unknown type": "Unknown type",
+    "Wrong verification code!": "Wrong verification code!",
+    "You should verify your code in %d min!": "You should verify your code in %d min!",
+    "the user does not exist, please sign up first": "the user does not exist, please sign up first"
+  },
+  "webauthn": {
+    "Found no credentials for this user": "Found no credentials for this user",
+    "Please call WebAuthnSigninBegin first": "Please call WebAuthnSigninBegin first"
+  }
+}
--- a/i18n/locales/pl/data.json
+++ b/i18n/locales/pl/data.json
@ -0,0 +1,142 @@
+{
+  "account": {
+    "Failed to add user": "Failed to add user",
+    "Get init score failed, error: %w": "Get init score failed, error: %w",
+    "Please sign out first": "Please sign out first",
+    "The application does not allow to sign up new account": "The application does not allow to sign up new account"
+  },
+  "auth": {
+    "Challenge method should be S256": "Challenge method should be S256",
+    "Failed to create user, user information is invalid: %s": "Failed to create user, user information is invalid: %s",
+    "Failed to login in: %s": "Failed to login in: %s",
+    "Invalid token": "Invalid token",
+    "State expected: %s, but got: %s": "State expected: %s, but got: %s",
+    "The account for provider: %s and username: %s (%s) does not exist and is not allowed to sign up as new account via %%s, please use another way to sign up": "The account for provider: %s and username: %s (%s) does not exist and is not allowed to sign up as new account via %%s, please use another way to sign up",
+    "The account for provider: %s and username: %s (%s) does not exist and is not allowed to sign up as new account, please contact your IT support": "The account for provider: %s and username: %s (%s) does not exist and is not allowed to sign up as new account, please contact your IT support",
+    "The account for provider: %s and username: %s (%s) is already linked to another account: %s (%s)": "The account for provider: %s and username: %s (%s) is already linked to another account: %s (%s)",
+    "The application: %s does not exist": "The application: %s does not exist",
+    "The login method: login with password is not enabled for the application": "The login method: login with password is not enabled for the application",
+    "The provider: %s is not enabled for the application": "The provider: %s is not enabled for the application",
+    "Unauthorized operation": "Unauthorized operation",
+    "Unknown authentication type (not password or provider), form = %s": "Unknown authentication type (not password or provider), form = %s",
+    "User's tag: %s is not listed in the application's tags": "User's tag: %s is not listed in the application's tags"
+  },
+  "cas": {
+    "Service %s and %s do not match": "Service %s and %s do not match"
+  },
+  "check": {
+    "Affiliation cannot be blank": "Affiliation cannot be blank",
+    "DisplayName cannot be blank": "DisplayName cannot be blank",
+    "DisplayName is not valid real name": "DisplayName is not valid real name",
+    "Email already exists": "Email already exists",
+    "Email cannot be empty": "Email cannot be empty",
+    "Email is invalid": "Email is invalid",
+    "Empty username.": "Empty username.",
+    "FirstName cannot be blank": "FirstName cannot be blank",
+    "LDAP user name or password incorrect": "LDAP user name or password incorrect",
+    "LastName cannot be blank": "LastName cannot be blank",
+    "Multiple accounts with same uid, please check your ldap server": "Multiple accounts with same uid, please check your ldap server",
+    "Organization does not exist": "Organization does not exist",
+    "Password must have at least 6 characters": "Password must have at least 6 characters",
+    "Phone already exists": "Phone already exists",
+    "Phone cannot be empty": "Phone cannot be empty",
+    "Phone number is invalid": "Phone number is invalid",
+    "Session outdated, please login again": "Session outdated, please login again",
+    "The user is forbidden to sign in, please contact the administrator": "The user is forbidden to sign in, please contact the administrator",
+    "The user: %s doesn't exist in LDAP server": "The user: %s doesn't exist in LDAP server",
+    "The username may only contain alphanumeric characters, underlines or hyphens, cannot have consecutive hyphens or underlines, and cannot begin or end with a hyphen or underline.": "The username may only contain alphanumeric characters, underlines or hyphens, cannot have consecutive hyphens or underlines, and cannot begin or end with a hyphen or underline.",
+    "Username already exists": "Username already exists",
+    "Username cannot be an email address": "Username cannot be an email address",
+    "Username cannot contain white spaces": "Username cannot contain white spaces",
+    "Username cannot start with a digit": "Username cannot start with a digit",
+    "Username is too long (maximum is 39 characters).": "Username is too long (maximum is 39 characters).",
+    "Username must have at least 2 characters": "Username must have at least 2 characters",
+    "You have entered the wrong password or code too many times, please wait for %d minutes and try again": "You have entered the wrong password or code too many times, please wait for %d minutes and try again",
+    "Your region is not allow to signup by phone": "Your region is not allow to signup by phone",
+    "password or code is incorrect": "password or code is incorrect",
+    "password or code is incorrect, you have %d remaining chances": "password or code is incorrect, you have %d remaining chances",
+    "unsupported password type: %s": "unsupported password type: %s"
+  },
+  "general": {
+    "Missing parameter": "Missing parameter",
+    "Please login first": "Please login first",
+    "The user: %s doesn't exist": "The user: %s doesn't exist",
+    "don't support captchaProvider: ": "don't support captchaProvider: ",
+    "this operation is not allowed in demo mode": "this operation is not allowed in demo mode"
+  },
+  "ldap": {
+    "Ldap server exist": "Ldap server exist"
+  },
+  "link": {
+    "Please link first": "Please link first",
+    "This application has no providers": "This application has no providers",
+    "This application has no providers of type": "This application has no providers of type",
+    "This provider can't be unlinked": "This provider can't be unlinked",
+    "You are not the global admin, you can't unlink other users": "You are not the global admin, you can't unlink other users",
+    "You can't unlink yourself, you are not a member of any application": "You can't unlink yourself, you are not a member of any application"
+  },
+  "organization": {
+    "Only admin can modify the %s.": "Only admin can modify the %s.",
+    "The %s is immutable.": "The %s is immutable.",
+    "Unknown modify rule %s.": "Unknown modify rule %s."
+  },
+  "provider": {
+    "Invalid application id": "Invalid application id",
+    "the provider: %s does not exist": "the provider: %s does not exist"
+  },
+  "resource": {
+    "User is nil for tag: avatar": "User is nil for tag: avatar",
+    "Username or fullFilePath is empty: username = %s, fullFilePath = %s": "Username or fullFilePath is empty: username = %s, fullFilePath = %s"
+  },
+  "saml": {
+    "Application %s not found": "Application %s not found"
+  },
+  "saml_sp": {
+    "provider %s's category is not SAML": "provider %s's category is not SAML"
+  },
+  "service": {
+    "Empty parameters for emailForm: %v": "Empty parameters for emailForm: %v",
+    "Invalid Email receivers: %s": "Invalid Email receivers: %s",
+    "Invalid phone receivers: %s": "Invalid phone receivers: %s"
+  },
+  "storage": {
+    "The objectKey: %s is not allowed": "The objectKey: %s is not allowed",
+    "The provider type: %s is not supported": "The provider type: %s is not supported"
+  },
+  "token": {
+    "Empty clientId or clientSecret": "Empty clientId or clientSecret",
+    "Grant_type: %s is not supported in this application": "Grant_type: %s is not supported in this application",
+    "Invalid application or wrong clientSecret": "Invalid application or wrong clientSecret",
+    "Invalid client_id": "Invalid client_id",
+    "Redirect URI: %s doesn't exist in the allowed Redirect URI list": "Redirect URI: %s doesn't exist in the allowed Redirect URI list",
+    "Token not found, invalid accessToken": "Token not found, invalid accessToken"
+  },
+  "user": {
+    "Display name cannot be empty": "Display name cannot be empty",
+    "New password cannot contain blank space.": "New password cannot contain blank space."
+  },
+  "user_upload": {
+    "Failed to import users": "Failed to import users"
+  },
+  "util": {
+    "No application is found for userId: %s": "No application is found for userId: %s",
+    "No provider for category: %s is found for application: %s": "No provider for category: %s is found for application: %s",
+    "The provider: %s is not found": "The provider: %s is not found"
+  },
+  "verification": {
+    "Code has not been sent yet!": "Code has not been sent yet!",
+    "Invalid captcha provider.": "Invalid captcha provider.",
+    "Phone number is invalid in your region %s": "Phone number is invalid in your region %s",
+    "Turing test failed.": "Turing test failed.",
+    "Unable to get the email modify rule.": "Unable to get the email modify rule.",
+    "Unable to get the phone modify rule.": "Unable to get the phone modify rule.",
+    "Unknown type": "Unknown type",
+    "Wrong verification code!": "Wrong verification code!",
+    "You should verify your code in %d min!": "You should verify your code in %d min!",
+    "the user does not exist, please sign up first": "the user does not exist, please sign up first"
+  },
+  "webauthn": {
+    "Found no credentials for this user": "Found no credentials for this user",
+    "Please call WebAuthnSigninBegin first": "Please call WebAuthnSigninBegin first"
+  }
+}
--- a/i18n/locales/sv/data.json
+++ b/i18n/locales/sv/data.json
@ -0,0 +1,142 @@
+{
+  "account": {
+    "Failed to add user": "Failed to add user",
+    "Get init score failed, error: %w": "Get init score failed, error: %w",
+    "Please sign out first": "Please sign out first",
+    "The application does not allow to sign up new account": "The application does not allow to sign up new account"
+  },
+  "auth": {
+    "Challenge method should be S256": "Challenge method should be S256",
+    "Failed to create user, user information is invalid: %s": "Failed to create user, user information is invalid: %s",
+    "Failed to login in: %s": "Failed to login in: %s",
+    "Invalid token": "Invalid token",
+    "State expected: %s, but got: %s": "State expected: %s, but got: %s",
+    "The account for provider: %s and username: %s (%s) does not exist and is not allowed to sign up as new account via %%s, please use another way to sign up": "The account for provider: %s and username: %s (%s) does not exist and is not allowed to sign up as new account via %%s, please use another way to sign up",
+    "The account for provider: %s and username: %s (%s) does not exist and is not allowed to sign up as new account, please contact your IT support": "The account for provider: %s and username: %s (%s) does not exist and is not allowed to sign up as new account, please contact your IT support",
+    "The account for provider: %s and username: %s (%s) is already linked to another account: %s (%s)": "The account for provider: %s and username: %s (%s) is already linked to another account: %s (%s)",
+    "The application: %s does not exist": "The application: %s does not exist",
+    "The login method: login with password is not enabled for the application": "The login method: login with password is not enabled for the application",
+    "The provider: %s is not enabled for the application": "The provider: %s is not enabled for the application",
+    "Unauthorized operation": "Unauthorized operation",
+    "Unknown authentication type (not password or provider), form = %s": "Unknown authentication type (not password or provider), form = %s",
+    "User's tag: %s is not listed in the application's tags": "User's tag: %s is not listed in the application's tags"
+  },
+  "cas": {
+    "Service %s and %s do not match": "Service %s and %s do not match"
+  },
+  "check": {
+    "Affiliation cannot be blank": "Affiliation cannot be blank",
+    "DisplayName cannot be blank": "DisplayName cannot be blank",
+    "DisplayName is not valid real name": "DisplayName is not valid real name",
+    "Email already exists": "Email already exists",
+    "Email cannot be empty": "Email cannot be empty",
+    "Email is invalid": "Email is invalid",
+    "Empty username.": "Empty username.",
+    "FirstName cannot be blank": "FirstName cannot be blank",
+    "LDAP user name or password incorrect": "LDAP user name or password incorrect",
+    "LastName cannot be blank": "LastName cannot be blank",
+    "Multiple accounts with same uid, please check your ldap server": "Multiple accounts with same uid, please check your ldap server",
+    "Organization does not exist": "Organization does not exist",
+    "Password must have at least 6 characters": "Password must have at least 6 characters",
+    "Phone already exists": "Phone already exists",
+    "Phone cannot be empty": "Phone cannot be empty",
+    "Phone number is invalid": "Phone number is invalid",
+    "Session outdated, please login again": "Session outdated, please login again",
+    "The user is forbidden to sign in, please contact the administrator": "The user is forbidden to sign in, please contact the administrator",
+    "The user: %s doesn't exist in LDAP server": "The user: %s doesn't exist in LDAP server",
+    "The username may only contain alphanumeric characters, underlines or hyphens, cannot have consecutive hyphens or underlines, and cannot begin or end with a hyphen or underline.": "The username may only contain alphanumeric characters, underlines or hyphens, cannot have consecutive hyphens or underlines, and cannot begin or end with a hyphen or underline.",
+    "Username already exists": "Username already exists",
+    "Username cannot be an email address": "Username cannot be an email address",
+    "Username cannot contain white spaces": "Username cannot contain white spaces",
+    "Username cannot start with a digit": "Username cannot start with a digit",
+    "Username is too long (maximum is 39 characters).": "Username is too long (maximum is 39 characters).",
+    "Username must have at least 2 characters": "Username must have at least 2 characters",
+    "You have entered the wrong password or code too many times, please wait for %d minutes and try again": "You have entered the wrong password or code too many times, please wait for %d minutes and try again",
+    "Your region is not allow to signup by phone": "Your region is not allow to signup by phone",
+    "password or code is incorrect": "password or code is incorrect",
+    "password or code is incorrect, you have %d remaining chances": "password or code is incorrect, you have %d remaining chances",
+    "unsupported password type: %s": "unsupported password type: %s"
+  },
+  "general": {
+    "Missing parameter": "Missing parameter",
+    "Please login first": "Please login first",
+    "The user: %s doesn't exist": "The user: %s doesn't exist",
+    "don't support captchaProvider: ": "don't support captchaProvider: ",
+    "this operation is not allowed in demo mode": "this operation is not allowed in demo mode"
+  },
+  "ldap": {
+    "Ldap server exist": "Ldap server exist"
+  },
+  "link": {
+    "Please link first": "Please link first",
+    "This application has no providers": "This application has no providers",
+    "This application has no providers of type": "This application has no providers of type",
+    "This provider can't be unlinked": "This provider can't be unlinked",
+    "You are not the global admin, you can't unlink other users": "You are not the global admin, you can't unlink other users",
+    "You can't unlink yourself, you are not a member of any application": "You can't unlink yourself, you are not a member of any application"
+  },
+  "organization": {
+    "Only admin can modify the %s.": "Only admin can modify the %s.",
+    "The %s is immutable.": "The %s is immutable.",
+    "Unknown modify rule %s.": "Unknown modify rule %s."
+  },
+  "provider": {
+    "Invalid application id": "Invalid application id",
+    "the provider: %s does not exist": "the provider: %s does not exist"
+  },
+  "resource": {
+    "User is nil for tag: avatar": "User is nil for tag: avatar",
+    "Username or fullFilePath is empty: username = %s, fullFilePath = %s": "Username or fullFilePath is empty: username = %s, fullFilePath = %s"
+  },
+  "saml": {
+    "Application %s not found": "Application %s not found"
+  },
+  "saml_sp": {
+    "provider %s's category is not SAML": "provider %s's category is not SAML"
+  },
+  "service": {
+    "Empty parameters for emailForm: %v": "Empty parameters for emailForm: %v",
+    "Invalid Email receivers: %s": "Invalid Email receivers: %s",
+    "Invalid phone receivers: %s": "Invalid phone receivers: %s"
+  },
+  "storage": {
+    "The objectKey: %s is not allowed": "The objectKey: %s is not allowed",
+    "The provider type: %s is not supported": "The provider type: %s is not supported"
+  },
+  "token": {
+    "Empty clientId or clientSecret": "Empty clientId or clientSecret",
+    "Grant_type: %s is not supported in this application": "Grant_type: %s is not supported in this application",
+    "Invalid application or wrong clientSecret": "Invalid application or wrong clientSecret",
+    "Invalid client_id": "Invalid client_id",
+    "Redirect URI: %s doesn't exist in the allowed Redirect URI list": "Redirect URI: %s doesn't exist in the allowed Redirect URI list",
+    "Token not found, invalid accessToken": "Token not found, invalid accessToken"
+  },
+  "user": {
+    "Display name cannot be empty": "Display name cannot be empty",
+    "New password cannot contain blank space.": "New password cannot contain blank space."
+  },
+  "user_upload": {
+    "Failed to import users": "Failed to import users"
+  },
+  "util": {
+    "No application is found for userId: %s": "No application is found for userId: %s",
+    "No provider for category: %s is found for application: %s": "No provider for category: %s is found for application: %s",
+    "The provider: %s is not found": "The provider: %s is not found"
+  },
+  "verification": {
+    "Code has not been sent yet!": "Code has not been sent yet!",
+    "Invalid captcha provider.": "Invalid captcha provider.",
+    "Phone number is invalid in your region %s": "Phone number is invalid in your region %s",
+    "Turing test failed.": "Turing test failed.",
+    "Unable to get the email modify rule.": "Unable to get the email modify rule.",
+    "Unable to get the phone modify rule.": "Unable to get the phone modify rule.",
+    "Unknown type": "Unknown type",
+    "Wrong verification code!": "Wrong verification code!",
+    "You should verify your code in %d min!": "You should verify your code in %d min!",
+    "the user does not exist, please sign up first": "the user does not exist, please sign up first"
+  },
+  "webauthn": {
+    "Found no credentials for this user": "Found no credentials for this user",
+    "Please call WebAuthnSigninBegin first": "Please call WebAuthnSigninBegin first"
+  }
+}
--- a/i18n/locales/uk/data.json
+++ b/i18n/locales/uk/data.json
@ -0,0 +1,142 @@
+{
+  "account": {
+    "Failed to add user": "Failed to add user",
+    "Get init score failed, error: %w": "Get init score failed, error: %w",
+    "Please sign out first": "Please sign out first",
+    "The application does not allow to sign up new account": "The application does not allow to sign up new account"
+  },
+  "auth": {
+    "Challenge method should be S256": "Challenge method should be S256",
+    "Failed to create user, user information is invalid: %s": "Failed to create user, user information is invalid: %s",
+    "Failed to login in: %s": "Failed to login in: %s",
+    "Invalid token": "Invalid token",
+    "State expected: %s, but got: %s": "State expected: %s, but got: %s",
+    "The account for provider: %s and username: %s (%s) does not exist and is not allowed to sign up as new account via %%s, please use another way to sign up": "The account for provider: %s and username: %s (%s) does not exist and is not allowed to sign up as new account via %%s, please use another way to sign up",
+    "The account for provider: %s and username: %s (%s) does not exist and is not allowed to sign up as new account, please contact your IT support": "The account for provider: %s and username: %s (%s) does not exist and is not allowed to sign up as new account, please contact your IT support",
+    "The account for provider: %s and username: %s (%s) is already linked to another account: %s (%s)": "The account for provider: %s and username: %s (%s) is already linked to another account: %s (%s)",
+    "The application: %s does not exist": "The application: %s does not exist",
+    "The login method: login with password is not enabled for the application": "The login method: login with password is not enabled for the application",
+    "The provider: %s is not enabled for the application": "The provider: %s is not enabled for the application",
+    "Unauthorized operation": "Unauthorized operation",
+    "Unknown authentication type (not password or provider), form = %s": "Unknown authentication type (not password or provider), form = %s",
+    "User's tag: %s is not listed in the application's tags": "User's tag: %s is not listed in the application's tags"
+  },
+  "cas": {
+    "Service %s and %s do not match": "Service %s and %s do not match"
+  },
+  "check": {
+    "Affiliation cannot be blank": "Affiliation cannot be blank",
+    "DisplayName cannot be blank": "DisplayName cannot be blank",
+    "DisplayName is not valid real name": "DisplayName is not valid real name",
+    "Email already exists": "Email already exists",
+    "Email cannot be empty": "Email cannot be empty",
+    "Email is invalid": "Email is invalid",
+    "Empty username.": "Empty username.",
+    "FirstName cannot be blank": "FirstName cannot be blank",
+    "LDAP user name or password incorrect": "LDAP user name or password incorrect",
+    "LastName cannot be blank": "LastName cannot be blank",
+    "Multiple accounts with same uid, please check your ldap server": "Multiple accounts with same uid, please check your ldap server",
+    "Organization does not exist": "Organization does not exist",
+    "Password must have at least 6 characters": "Password must have at least 6 characters",
+    "Phone already exists": "Phone already exists",
+    "Phone cannot be empty": "Phone cannot be empty",
+    "Phone number is invalid": "Phone number is invalid",
+    "Session outdated, please login again": "Session outdated, please login again",
+    "The user is forbidden to sign in, please contact the administrator": "The user is forbidden to sign in, please contact the administrator",
+    "The user: %s doesn't exist in LDAP server": "The user: %s doesn't exist in LDAP server",
+    "The username may only contain alphanumeric characters, underlines or hyphens, cannot have consecutive hyphens or underlines, and cannot begin or end with a hyphen or underline.": "The username may only contain alphanumeric characters, underlines or hyphens, cannot have consecutive hyphens or underlines, and cannot begin or end with a hyphen or underline.",
+    "Username already exists": "Username already exists",
+    "Username cannot be an email address": "Username cannot be an email address",
+    "Username cannot contain white spaces": "Username cannot contain white spaces",
+    "Username cannot start with a digit": "Username cannot start with a digit",
+    "Username is too long (maximum is 39 characters).": "Username is too long (maximum is 39 characters).",
+    "Username must have at least 2 characters": "Username must have at least 2 characters",
+    "You have entered the wrong password or code too many times, please wait for %d minutes and try again": "You have entered the wrong password or code too many times, please wait for %d minutes and try again",
+    "Your region is not allow to signup by phone": "Your region is not allow to signup by phone",
+    "password or code is incorrect": "password or code is incorrect",
+    "password or code is incorrect, you have %d remaining chances": "password or code is incorrect, you have %d remaining chances",
+    "unsupported password type: %s": "unsupported password type: %s"
+  },
+  "general": {
+    "Missing parameter": "Missing parameter",
+    "Please login first": "Please login first",
+    "The user: %s doesn't exist": "The user: %s doesn't exist",
+    "don't support captchaProvider: ": "don't support captchaProvider: ",
+    "this operation is not allowed in demo mode": "this operation is not allowed in demo mode"
+  },
+  "ldap": {
+    "Ldap server exist": "Ldap server exist"
+  },
+  "link": {
+    "Please link first": "Please link first",
+    "This application has no providers": "This application has no providers",
+    "This application has no providers of type": "This application has no providers of type",
+    "This provider can't be unlinked": "This provider can't be unlinked",
+    "You are not the global admin, you can't unlink other users": "You are not the global admin, you can't unlink other users",
+    "You can't unlink yourself, you are not a member of any application": "You can't unlink yourself, you are not a member of any application"
+  },
+  "organization": {
+    "Only admin can modify the %s.": "Only admin can modify the %s.",
+    "The %s is immutable.": "The %s is immutable.",
+    "Unknown modify rule %s.": "Unknown modify rule %s."
+  },
+  "provider": {
+    "Invalid application id": "Invalid application id",
+    "the provider: %s does not exist": "the provider: %s does not exist"
+  },
+  "resource": {
+    "User is nil for tag: avatar": "User is nil for tag: avatar",
+    "Username or fullFilePath is empty: username = %s, fullFilePath = %s": "Username or fullFilePath is empty: username = %s, fullFilePath = %s"
+  },
+  "saml": {
+    "Application %s not found": "Application %s not found"
+  },
+  "saml_sp": {
+    "provider %s's category is not SAML": "provider %s's category is not SAML"
+  },
+  "service": {
+    "Empty parameters for emailForm: %v": "Empty parameters for emailForm: %v",
+    "Invalid Email receivers: %s": "Invalid Email receivers: %s",
+    "Invalid phone receivers: %s": "Invalid phone receivers: %s"
+  },
+  "storage": {
+    "The objectKey: %s is not allowed": "The objectKey: %s is not allowed",
+    "The provider type: %s is not supported": "The provider type: %s is not supported"
+  },
+  "token": {
+    "Empty clientId or clientSecret": "Empty clientId or clientSecret",
+    "Grant_type: %s is not supported in this application": "Grant_type: %s is not supported in this application",
+    "Invalid application or wrong clientSecret": "Invalid application or wrong clientSecret",
+    "Invalid client_id": "Invalid client_id",
+    "Redirect URI: %s doesn't exist in the allowed Redirect URI list": "Redirect URI: %s doesn't exist in the allowed Redirect URI list",
+    "Token not found, invalid accessToken": "Token not found, invalid accessToken"
+  },
+  "user": {
+    "Display name cannot be empty": "Display name cannot be empty",
+    "New password cannot contain blank space.": "New password cannot contain blank space."
+  },
+  "user_upload": {
+    "Failed to import users": "Failed to import users"
+  },
+  "util": {
+    "No application is found for userId: %s": "No application is found for userId: %s",
+    "No provider for category: %s is found for application: %s": "No provider for category: %s is found for application: %s",
+    "The provider: %s is not found": "The provider: %s is not found"
+  },
+  "verification": {
+    "Code has not been sent yet!": "Code has not been sent yet!",
+    "Invalid captcha provider.": "Invalid captcha provider.",
+    "Phone number is invalid in your region %s": "Phone number is invalid in your region %s",
+    "Turing test failed.": "Turing test failed.",
+    "Unable to get the email modify rule.": "Unable to get the email modify rule.",
+    "Unable to get the phone modify rule.": "Unable to get the phone modify rule.",
+    "Unknown type": "Unknown type",
+    "Wrong verification code!": "Wrong verification code!",
+    "You should verify your code in %d min!": "You should verify your code in %d min!",
+    "the user does not exist, please sign up first": "the user does not exist, please sign up first"
+  },
+  "webauthn": {
+    "Found no credentials for this user": "Found no credentials for this user",
+    "Please call WebAuthnSigninBegin first": "Please call WebAuthnSigninBegin first"
+  }
+}
--- a/idp/facebook.go
+++ b/idp/facebook.go
@ -72,13 +72,13 @@ type FacebookCheckToken struct {
 }

 // FacebookCheckTokenData
-// Get more detail via: https://developers.facebook.com/docs/facebook-login/manually-build-a-login-flow#checktoken
+// Get more detail via: https://developers.facebook.com/docs/facebook-login/guides/advanced/manual-flow#checktoken
 type FacebookCheckTokenData struct {
 	UserId string `json:"user_id"`
 }

 // GetToken use code get access_token (*operation of getting code ought to be done in front)
-// get more detail via: https://developers.facebook.com/docs/facebook-login/manually-build-a-login-flow#confirm
+// get more detail via: https://developers.facebook.com/docs/facebook-login/guides/advanced/manual-flow#confirm
 func (idp *FacebookIdProvider) GetToken(code string) (*oauth2.Token, error) {
 	params := url.Values{}
 	params.Add("client_id", idp.Config.ClientID)
--- a/idp/gitee.go
+++ b/idp/gitee.go
@ -132,7 +132,7 @@ func (idp *GiteeIdProvider) GetToken(code string) (*oauth2.Token, error) {
    "type": "User",
    "blog": null,
    "weibo": null,
-    "bio": "个人博客：https://gitee.com/xxx/xxx/pages",
+    "bio": "bio",
    "public_repos": 2,
    "public_gists": 0,
    "followers": 0,
--- a/idp/metamask.go
+++ b/idp/metamask.go
@ -24,20 +24,10 @@ import (
 	"golang.org/x/oauth2"
 )

-const Web3AuthTokenKey = "web3AuthToken"
-
 type MetaMaskIdProvider struct {
 	Client *http.Client
 }

-type Web3AuthToken struct {
-	Address   string `json:"address"`
-	Nonce     string `json:"nonce"`
-	CreateAt  uint64 `json:"createAt"`
-	TypedData string `json:"typedData"`
-	Signature string `json:"signature"` // signature for typed data
-}
-
 func NewMetaMaskIdProvider() *MetaMaskIdProvider {
 	idp := &MetaMaskIdProvider{}
 	return idp
--- a/idp/provider.go
+++ b/idp/provider.go
@ -111,6 +111,8 @@ func GetIdProvider(idpInfo *ProviderInfo, redirectUrl string) IdProvider {
 		return NewBilibiliIdProvider(idpInfo.ClientId, idpInfo.ClientSecret, redirectUrl)
 	case "MetaMask":
 		return NewMetaMaskIdProvider()
+	case "Web3Onboard":
+		return NewWeb3OnboardIdProvider()
 	default:
 		if isGothSupport(idpInfo.Type) {
 			return NewGothIdProvider(idpInfo.Type, idpInfo.ClientId, idpInfo.ClientSecret, redirectUrl, idpInfo.HostUrl)
--- a/idp/web3onboard.go
+++ b/idp/web3onboard.go
@ -0,0 +1,103 @@
+// Copyright 2023 The Casdoor Authors. All Rights Reserved.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//      http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package idp
+
+import (
+	"encoding/json"
+	"errors"
+	"fmt"
+	"net/http"
+	"strings"
+	"time"
+
+	"golang.org/x/oauth2"
+)
+
+const Web3AuthTokenKey = "web3AuthToken"
+
+type Web3AuthToken struct {
+	Address    string `json:"address"`
+	Nonce      string `json:"nonce"`
+	CreateAt   uint64 `json:"createAt"`
+	TypedData  string `json:"typedData"`  // typed data use for application
+	Signature  string `json:"signature"`  // signature for typed data
+	WalletType string `json:"walletType"` // e.g."MetaMask", "Coinbase"
+}
+
+type Web3OnboardIdProvider struct {
+	Client *http.Client
+}
+
+func NewWeb3OnboardIdProvider() *Web3OnboardIdProvider {
+	idp := &Web3OnboardIdProvider{}
+	return idp
+}
+
+func (idp *Web3OnboardIdProvider) SetHttpClient(client *http.Client) {
+	idp.Client = client
+}
+
+func (idp *Web3OnboardIdProvider) GetToken(code string) (*oauth2.Token, error) {
+	web3AuthToken := Web3AuthToken{}
+	if err := json.Unmarshal([]byte(code), &web3AuthToken); err != nil {
+		return nil, err
+	}
+	token := &oauth2.Token{
+		AccessToken: fmt.Sprintf("%v:%v", Web3AuthTokenKey, web3AuthToken.Address),
+		TokenType:   "Bearer",
+		Expiry:      time.Now().AddDate(0, 1, 0),
+	}
+
+	token = token.WithExtra(map[string]interface{}{
+		Web3AuthTokenKey: web3AuthToken,
+	})
+	return token, nil
+}
+
+func (idp *Web3OnboardIdProvider) GetUserInfo(token *oauth2.Token) (*UserInfo, error) {
+	web3AuthToken, ok := token.Extra(Web3AuthTokenKey).(Web3AuthToken)
+	if !ok {
+		return nil, errors.New("invalid web3AuthToken")
+	}
+
+	fmtAddress := fmt.Sprintf("%v_%v",
+		strings.ReplaceAll(strings.TrimSpace(web3AuthToken.WalletType), " ", "_"),
+		web3AuthToken.Address,
+	)
+	userInfo := &UserInfo{
+		Id:          fmtAddress,
+		Username:    fmtAddress,
+		DisplayName: fmtAddress,
+		AvatarUrl:   fmt.Sprintf("metamask:%v", forceEthereumAddress(web3AuthToken.Address)),
+	}
+	return userInfo, nil
+}
+
+func forceEthereumAddress(address string) string {
+	// The required address to general MetaMask avatar is a string of length 42 that represents an Ethereum address.
+	// This function is used to force any address as an Ethereum address
+	address = strings.TrimSpace(address)
+	var builder strings.Builder
+	for _, ch := range address {
+		builder.WriteRune(ch)
+	}
+	for len(builder.String()) < 42 {
+		builder.WriteString("0")
+	}
+	if len(builder.String()) > 42 {
+		return builder.String()[:42]
+	}
+	return builder.String()
+}
--- a/init_data.json.template
+++ b/init_data.json.template
@ -9,11 +9,11 @@
      "passwordType": "plain",
      "passwordSalt": "",
      "passwordOptions": ["AtLeast6"],
-      "countryCodes": ["US", "ES", "CN", "FR", "DE", "GB", "JP", "KR", "VN", "ID", "SG", "IN", "IT", "MY", "TR"],
+      "countryCodes": ["US", "GB", "ES", "FR", "DE", "CN", "JP", "KR", "VN", "ID", "SG", "IN", "IT", "MY", "TR", "DZ", "IL", "PH", "NL", "PL", "FI", "SE", "UA", "KZ"],
      "defaultAvatar": "",
      "defaultApplication": "",
      "tags": [],
-      "languages": ["en", "zh", "es", "fr", "de", "id", "ja", "ko", "ru", "vi", "it", "ms", "tr"],
+      "languages": ["en", "zh", "es", "fr", "de", "id", "ja", "ko", "ru", "vi", "it", "ms", "tr","ar", "he", "nl", "pl", "fi", "sv", "uk", "kk", "fa"],
      "masterPassword": "",
      "initScore": 2000,
      "enableSoftDeletion": false,
@ -123,7 +123,6 @@
      "score": 2000,
      "ranking": 1,
      "isAdmin": true,
-      "isGlobalAdmin": true,
      "isForbidden": false,
      "isDeleted": false,
      "signupApplication": "",
--- a/ldap/server.go
+++ b/ldap/server.go
@ -62,7 +62,7 @@ func handleBind(w ldap.ResponseWriter, m *ldap.Message) {
 			return
 		}

-		if bindOrg == "built-in" || bindUser.IsGlobalAdmin {
+		if bindOrg == "built-in" || bindUser.IsGlobalAdmin() {
 			m.Client.IsGlobalAdmin, m.Client.IsOrgAdmin = true, true
 		} else if bindUser.IsAdmin {
 			m.Client.IsOrgAdmin = true
--- a/main.go
+++ b/main.go
@ -15,7 +15,6 @@
 package main

 import (
-	"flag"
 	"fmt"

 	"github.com/beego/beego"
@ -30,17 +29,10 @@ import (
 	"github.com/casdoor/casdoor/util"
 )

-func getCreateDatabaseFlag() bool {
-	res := flag.Bool("createDatabase", false, "true if you need Casdoor to create database")
-	flag.Parse()
-	return *res
-}
-
 func main() {
-	createDatabase := getCreateDatabaseFlag()
-
-	object.InitAdapter(createDatabase)
-	object.CreateTables(createDatabase)
+	object.InitFlag()
+	object.InitAdapter()
+	object.CreateTables()
 	object.DoMigration()

 	object.InitDb()
@ -49,6 +41,8 @@ func main() {
 	object.InitLdapAutoSynchronizer()
 	proxy.InitHttpClient()
 	authz.InitApi()
+	object.InitUserManager()
+	object.InitCasvisorConfig()

 	util.SafeGoroutine(func() { object.RunSyncUsersJob() })

--- a/notification/bark.go
+++ b/notification/bark.go
@ -1,4 +1,4 @@
-// Copyright 2022 The Casdoor Authors. All Rights Reserved.
+// Copyright 2023 The Casdoor Authors. All Rights Reserved.
 //
 // Licensed under the Apache License, Version 2.0 (the "License");
 // you may not use this file except in compliance with the License.
@ -12,18 +12,18 @@
 // See the License for the specific language governing permissions and
 // limitations under the License.

-package util
+package notification

-import xormadapter "github.com/casdoor/xorm-adapter/v3"
+import (
+	"github.com/casdoor/notify"
+	"github.com/casdoor/notify/service/bark"
+)

-func CasbinToSlice(casbinRule xormadapter.CasbinRule) []string {
-	s := []string{
-		casbinRule.V0,
-		casbinRule.V1,
-		casbinRule.V2,
-		casbinRule.V3,
-		casbinRule.V4,
-		casbinRule.V5,
-	}
-	return s
+func NewBarkProvider(deviceKey string) (notify.Notifier, error) {
+	barkSrv := bark.New(deviceKey)
+
+	notifier := notify.New()
+	notifier.UseServices(barkSrv)
+
+	return notifier, nil
 }
--- a/notification/custom_http.go
+++ b/notification/custom_http.go
@ -0,0 +1,73 @@
+// Copyright 2023 The Casdoor Authors. All Rights Reserved.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//      http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package notification
+
+import (
+	"bytes"
+	"context"
+	"fmt"
+	"net/http"
+
+	"github.com/casdoor/casdoor/proxy"
+)
+
+type HttpNotificationClient struct {
+	endpoint  string
+	method    string
+	paramName string
+}
+
+func NewCustomHttpProvider(endpoint string, method string, paramName string) (*HttpNotificationClient, error) {
+	client := &HttpNotificationClient{
+		endpoint:  endpoint,
+		method:    method,
+		paramName: paramName,
+	}
+	return client, nil
+}
+
+func (c *HttpNotificationClient) Send(ctx context.Context, subject string, content string) error {
+	var err error
+
+	httpClient := proxy.DefaultHttpClient
+
+	req, err := http.NewRequest(c.method, c.endpoint, bytes.NewBufferString(content))
+	if err != nil {
+		return err
+	}
+
+	if c.method == "POST" {
+		req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
+		req.PostForm = map[string][]string{
+			c.paramName: {content},
+		}
+	} else if c.method == "GET" {
+		q := req.URL.Query()
+		q.Add(c.paramName, content)
+		req.URL.RawQuery = q.Encode()
+	}
+
+	resp, err := httpClient.Do(req)
+	if err != nil {
+		return err
+	}
+	defer resp.Body.Close()
+
+	if resp.StatusCode != http.StatusOK {
+		return fmt.Errorf("SendMessage() error, custom HTTP Notification request failed with status: %s", resp.Status)
+	}
+
+	return err
+}
--- a/notification/dingtalk.go
+++ b/notification/dingtalk.go
@ -0,0 +1,33 @@
+// Copyright 2023 The Casdoor Authors. All Rights Reserved.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//      http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package notification
+
+import (
+	"github.com/casdoor/notify"
+	"github.com/casdoor/notify/service/dingding"
+)
+
+func NewDingTalkProvider(token string, secret string) (notify.Notifier, error) {
+	cfg := dingding.Config{
+		Token:  token,
+		Secret: secret,
+	}
+	dingtalkSrv := dingding.New(&cfg)
+
+	notifier := notify.New()
+	notifier.UseServices(dingtalkSrv)
+
+	return notifier, nil
+}
--- a/notification/discord.go
+++ b/notification/discord.go
@ -0,0 +1,37 @@
+// Copyright 2023 The Casdoor Authors. All Rights Reserved.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//      http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package notification
+
+import (
+	"github.com/casdoor/casdoor/proxy"
+	"github.com/casdoor/notify"
+	"github.com/casdoor/notify/service/discord"
+)
+
+func NewDiscordProvider(token string, channelId string) (*notify.Notify, error) {
+	discordSrv := discord.New()
+
+	err := discordSrv.AuthenticateWithBotToken(token)
+	if err != nil {
+		return nil, err
+	}
+
+	discordSrv.SetHttpClient(proxy.ProxyHttpClient)
+	discordSrv.AddReceivers(channelId)
+
+	notifier := notify.NewWithServices(discordSrv)
+
+	return notifier, nil
+}
--- a/notification/google_chat.go
+++ b/notification/google_chat.go
@ -0,0 +1,53 @@
+// Copyright 2023 The Casdoor Authors. All Rights Reserved.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//      http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package notification
+
+import (
+	"context"
+	"strings"
+
+	"github.com/casdoor/notify"
+	"github.com/casdoor/notify/service/googlechat"
+	"google.golang.org/api/chat/v1"
+	"google.golang.org/api/option"
+)
+
+func NewGoogleChatProvider(credentials string) (*notify.Notify, error) {
+	withCred := option.WithCredentialsJSON([]byte(credentials))
+	withSpacesScope := option.WithScopes("https://www.googleapis.com/auth/chat.spaces")
+
+	listSvc, err := chat.NewService(context.Background(), withCred, withSpacesScope)
+	spaces, err := listSvc.Spaces.List().Do()
+	if err != nil {
+		return nil, err
+	}
+
+	receivers := make([]string, 0)
+	for _, space := range spaces.Spaces {
+		name := strings.Replace(space.Name, "spaces/", "", 1)
+		receivers = append(receivers, name)
+	}
+
+	googleChatSrv, err := googlechat.New(withCred)
+	if err != nil {
+		return nil, err
+	}
+
+	googleChatSrv.AddReceivers(receivers...)
+
+	notifier := notify.NewWithServices(googleChatSrv)
+
+	return notifier, nil
+}
--- a/notification/lark.go
+++ b/notification/lark.go
@ -0,0 +1,29 @@
+// Copyright 2023 The Casdoor Authors. All Rights Reserved.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//      http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package notification
+
+import (
+	"github.com/casdoor/notify"
+	"github.com/casdoor/notify/service/lark"
+)
+
+func NewLarkProvider(webhookURL string) (notify.Notifier, error) {
+	larkSrv := lark.NewWebhookService(webhookURL)
+
+	notifier := notify.New()
+	notifier.UseServices(larkSrv)
+
+	return notifier, nil
+}
--- a/notification/line.go
+++ b/notification/line.go
@ -0,0 +1,32 @@
+// Copyright 2023 The Casdoor Authors. All Rights Reserved.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//      http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package notification
+
+import (
+	"github.com/casdoor/casdoor/proxy"
+	"github.com/casdoor/notify"
+	"github.com/casdoor/notify/service/line"
+)
+
+func NewLineProvider(channelSecret string, accessToken string, receiver string) (*notify.Notify, error) {
+	lineSrv, _ := line.NewWithHttpClient(channelSecret, accessToken, proxy.ProxyHttpClient)
+
+	lineSrv.AddReceivers(receiver)
+
+	notifier := notify.New()
+	notifier.UseServices(lineSrv)
+
+	return notifier, nil
+}
--- a/notification/matrix.go
+++ b/notification/matrix.go
@ -0,0 +1,36 @@
+// Copyright 2023 The Casdoor Authors. All Rights Reserved.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//      http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package notification
+
+import (
+	"github.com/casdoor/casdoor/proxy"
+	"github.com/casdoor/notify"
+	"github.com/casdoor/notify/service/matrix"
+	"maunium.net/go/mautrix/id"
+)
+
+func NewMatrixProvider(userId string, roomId string, accessToken string, homeServer string) (*notify.Notify, error) {
+	matrixSrv, err := matrix.New(id.UserID(userId), id.RoomID(roomId), homeServer, accessToken)
+	if err != nil {
+		return nil, err
+	}
+
+	matrixSrv.SetHttpClient(proxy.ProxyHttpClient)
+
+	notifier := notify.New()
+	notifier.UseServices(matrixSrv)
+
+	return notifier, nil
+}
--- a/notification/microsoft_teams.go
+++ b/notification/microsoft_teams.go
@ -0,0 +1,31 @@
+// Copyright 2023 The Casdoor Authors. All Rights Reserved.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//      http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package notification
+
+import (
+	"github.com/casdoor/notify"
+	"github.com/casdoor/notify/service/msteams"
+)
+
+func NewMicrosoftTeamsProvider(webhookURL string) (notify.Notifier, error) {
+	msTeamsSrv := msteams.New()
+
+	msTeamsSrv.AddReceivers(webhookURL)
+
+	notifier := notify.New()
+	notifier.UseServices(msTeamsSrv)
+
+	return notifier, nil
+}
--- a/notification/provider.go
+++ b/notification/provider.go
@ -0,0 +1,59 @@
+// Copyright 2023 The Casdoor Authors. All Rights Reserved.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//      http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package notification
+
+import "github.com/casdoor/notify"
+
+func GetNotificationProvider(typ string, clientId string, clientSecret string, clientId2 string, clientSecret2 string, appId string, receiver string, method string, title string, metaData string) (notify.Notifier, error) {
+	if typ == "Telegram" {
+		return NewTelegramProvider(appId, receiver)
+	} else if typ == "Custom HTTP" {
+		return NewCustomHttpProvider(receiver, method, title)
+	} else if typ == "DingTalk" {
+		return NewDingTalkProvider(appId, receiver)
+	} else if typ == "Lark" {
+		return NewLarkProvider(receiver)
+	} else if typ == "Microsoft Teams" {
+		return NewMicrosoftTeamsProvider(receiver)
+	} else if typ == "Bark" {
+		return NewBarkProvider(receiver)
+	} else if typ == "Pushover" {
+		return NewPushoverProvider(appId, receiver)
+	} else if typ == "Pushbullet" {
+		return NewPushbulletProvider(appId, receiver)
+	} else if typ == "Slack" {
+		return NewSlackProvider(appId, receiver)
+	} else if typ == "Webpush" {
+		return NewWebpushProvider(clientId, clientSecret, receiver)
+	} else if typ == "Discord" {
+		return NewDiscordProvider(appId, receiver)
+	} else if typ == "Google Chat" {
+		return NewGoogleChatProvider(metaData)
+	} else if typ == "Line" {
+		return NewLineProvider(clientSecret, appId, receiver)
+	} else if typ == "Matrix" {
+		return NewMatrixProvider(clientId, clientSecret, appId, receiver)
+	} else if typ == "Twitter" {
+		return NewTwitterProvider(clientId, clientSecret, clientId2, clientSecret2, receiver)
+	} else if typ == "Reddit" {
+		return NewRedditProvider(clientId, clientSecret, clientId2, clientSecret2, receiver)
+	} else if typ == "Rocket Chat" {
+		return NewRocketChatProvider(clientId, clientSecret, appId, receiver)
+	} else if typ == "Viber" {
+		return NewViberProvider(clientId, clientSecret, appId, receiver)
+	}
+
+	return nil, nil
+}
--- a/notification/pushbullet.go
+++ b/notification/pushbullet.go
@ -0,0 +1,31 @@
+// Copyright 2023 The Casdoor Authors. All Rights Reserved.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//      http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package notification
+
+import (
+	"github.com/casdoor/notify"
+	"github.com/casdoor/notify/service/pushbullet"
+)
+
+func NewPushbulletProvider(apiToken string, deviceNickname string) (notify.Notifier, error) {
+	pushbulletSrv := pushbullet.New(apiToken)
+
+	pushbulletSrv.AddReceivers(deviceNickname)
+
+	notifier := notify.New()
+	notifier.UseServices(pushbulletSrv)
+
+	return notifier, nil
+}
--- a/notification/pushover.go
+++ b/notification/pushover.go
@ -0,0 +1,31 @@
+// Copyright 2023 The Casdoor Authors. All Rights Reserved.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//      http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package notification
+
+import (
+	"github.com/casdoor/notify"
+	"github.com/casdoor/notify/service/pushover"
+)
+
+func NewPushoverProvider(appToken string, recipientID string) (notify.Notifier, error) {
+	pushoverSrv := pushover.New(appToken)
+
+	pushoverSrv.AddReceivers(recipientID)
+
+	notifier := notify.New()
+	notifier.UseServices(pushoverSrv)
+
+	return notifier, nil
+}
--- a/notification/reddit.go
+++ b/notification/reddit.go
@ -0,0 +1,34 @@
+// Copyright 2023 The Casdoor Authors. All Rights Reserved.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//      http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package notification
+
+import (
+	"github.com/casdoor/notify"
+	"github.com/casdoor/notify/service/reddit"
+)
+
+func NewRedditProvider(clientId string, clientSecret string, username string, password string, recipient string) (notify.Notifier, error) {
+	redditSrv, err := reddit.New(clientId, clientSecret, username, password)
+	if err != nil {
+		return nil, err
+	}
+
+	redditSrv.AddReceivers(recipient)
+
+	notifier := notify.New()
+	notifier.UseServices(redditSrv)
+
+	return notifier, nil
+}
--- a/notification/rocket_chat.go
+++ b/notification/rocket_chat.go
@ -0,0 +1,47 @@
+// Copyright 2023 The Casdoor Authors. All Rights Reserved.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//      http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package notification
+
+import (
+	"fmt"
+	"strings"
+
+	"github.com/casdoor/notify"
+	"github.com/casdoor/notify/service/rocketchat"
+)
+
+func NewRocketChatProvider(clientId string, clientSecret string, endpoint string, channelName string) (notify.Notifier, error) {
+	parts := strings.Split(endpoint, "://")
+
+	var scheme, serverURL string
+	if len(parts) >= 2 {
+		scheme = parts[0]
+		serverURL = parts[1]
+	} else {
+		return nil, fmt.Errorf("parse endpoint error")
+	}
+
+	rocketChatSrv, err := rocketchat.New(serverURL, scheme, clientId, clientSecret)
+	if err != nil {
+		return nil, err
+	}
+
+	rocketChatSrv.AddReceivers(channelName)
+
+	notifier := notify.New()
+	notifier.UseServices(rocketChatSrv)
+
+	return notifier, nil
+}
--- a/notification/slack.go
+++ b/notification/slack.go
@ -0,0 +1,30 @@
+// Copyright 2023 The Casdoor Authors. All Rights Reserved.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//      http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package notification
+
+import (
+	"github.com/casdoor/notify"
+	"github.com/casdoor/notify/service/slack"
+)
+
+func NewSlackProvider(apiToken string, channelID string) (*notify.Notify, error) {
+	slackSrv := slack.New(apiToken)
+	slackSrv.AddReceivers(channelID)
+
+	notifier := notify.New()
+	notifier.UseServices(slackSrv)
+
+	return notifier, nil
+}
--- a/notification/telegram.go
+++ b/notification/telegram.go
@ -0,0 +1,45 @@
+// Copyright 2023 The Casdoor Authors. All Rights Reserved.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//      http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package notification
+
+import (
+	"strconv"
+
+	"github.com/casdoor/casdoor/proxy"
+	"github.com/casdoor/notify"
+	"github.com/casdoor/notify/service/telegram"
+	api "github.com/go-telegram-bot-api/telegram-bot-api"
+)
+
+func NewTelegramProvider(apiToken string, chatIdStr string) (notify.Notifier, error) {
+	client, err := api.NewBotAPIWithClient(apiToken, proxy.ProxyHttpClient)
+	if err != nil {
+		return nil, err
+	}
+	telegramSrv := &telegram.Telegram{}
+	telegramSrv.SetClient(client)
+
+	chatId, err := strconv.ParseInt(chatIdStr, 10, 64)
+	if err != nil {
+		return nil, err
+	}
+
+	telegramSrv.AddReceivers(chatId)
+
+	notifier := notify.New()
+	notifier.UseServices(telegramSrv)
+
+	return notifier, nil
+}
--- a/notification/twitter.go
+++ b/notification/twitter.go
@ -0,0 +1,41 @@
+// Copyright 2023 The Casdoor Authors. All Rights Reserved.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//      http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package notification
+
+import (
+	"github.com/casdoor/casdoor/proxy"
+	"github.com/casdoor/notify"
+	"github.com/casdoor/notify/service/twitter"
+)
+
+func NewTwitterProvider(consumerKey string, consumerSecret string, accessToken string, accessTokenSecret string, twitterId string) (*notify.Notify, error) {
+	credentials := twitter.Credentials{
+		ConsumerKey:       consumerKey,
+		ConsumerSecret:    consumerSecret,
+		AccessToken:       accessToken,
+		AccessTokenSecret: accessTokenSecret,
+	}
+	twitterSrv, err := twitter.NewWithHttpClient(credentials, proxy.ProxyHttpClient)
+	if err != nil {
+		return nil, err
+	}
+
+	twitterSrv.AddReceivers(twitterId)
+
+	notifier := notify.New()
+	notifier.UseServices(twitterSrv)
+
+	return notifier, nil
+}
--- a/notification/viber.go
+++ b/notification/viber.go
@ -0,0 +1,36 @@
+// Copyright 2023 The Casdoor Authors. All Rights Reserved.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//      http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package notification
+
+import (
+	"github.com/casdoor/notify"
+	"github.com/casdoor/notify/service/viber"
+)
+
+func NewViberProvider(senderName string, appKey string, webhookURL string, receiverId string) (notify.Notifier, error) {
+	viberSrv := viber.New(appKey, senderName, "")
+
+	err := viberSrv.SetWebhook(webhookURL)
+	if err != nil {
+		return nil, err
+	}
+
+	viberSrv.AddReceivers(receiverId)
+
+	notifier := notify.New()
+	notifier.UseServices(viberSrv)
+
+	return notifier, nil
+}
--- a/notification/webpush.go
+++ b/notification/webpush.go
@ -0,0 +1,33 @@
+// Copyright 2023 The Casdoor Authors. All Rights Reserved.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//      http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package notification
+
+import (
+	"github.com/casdoor/notify"
+	"github.com/casdoor/notify/service/webpush"
+)
+
+func NewWebpushProvider(publicKey string, privateKey string, endpoint string) (*notify.Notify, error) {
+	webpushSrv := webpush.New(publicKey, privateKey)
+
+	subscription := webpush.Subscription{
+		Endpoint: endpoint,
+	}
+	webpushSrv.AddReceivers(subscription)
+
+	notifier := notify.NewWithServices(webpushSrv)
+
+	return notifier, nil
+}
--- a/object/adapter.go
+++ b/object/adapter.go
@ -18,11 +18,11 @@ import (
 	"fmt"
 	"strings"

-	"github.com/casbin/casbin/v2/model"
 	"github.com/casdoor/casdoor/conf"
 	"github.com/casdoor/casdoor/util"
 	xormadapter "github.com/casdoor/xorm-adapter/v3"
 	"github.com/xorm-io/core"
+	"github.com/xorm-io/xorm"
 )

 type Adapter struct {
@ -33,15 +33,13 @@ type Adapter struct {
 	Type            string `xorm:"varchar(100)" json:"type"`
 	DatabaseType    string `xorm:"varchar(100)" json:"databaseType"`
 	Host            string `xorm:"varchar(100)" json:"host"`
-	Port            string `xorm:"varchar(20)" json:"port"`
+	Port            int    `json:"port"`
 	User            string `xorm:"varchar(100)" json:"user"`
 	Password        string `xorm:"varchar(100)" json:"password"`
 	Database        string `xorm:"varchar(100)" json:"database"`
 	Table           string `xorm:"varchar(100)" json:"table"`
 	TableNamePrefix string `xorm:"varchar(100)" json:"tableNamePrefix"`

-	IsEnabled bool `json:"isEnabled"`
-
 	*xormadapter.Adapter `xorm:"-" json:"-"`
 }

@ -149,25 +147,28 @@ func (adapter *Adapter) getTable() string {
 	}
 }

-func (adapter *Adapter) initAdapter() error {
+func (adapter *Adapter) InitAdapter() error {
 	if adapter.Adapter == nil {
 		var dataSourceName string

-		if adapter.buildInAdapter() {
+		if adapter.isBuiltIn() {
 			dataSourceName = conf.GetConfigString("dataSourceName")
+			if adapter.DatabaseType == "mysql" {
+				dataSourceName = dataSourceName + adapter.Database
+			}
 		} else {
 			switch adapter.DatabaseType {
 			case "mssql":
-				dataSourceName = fmt.Sprintf("sqlserver://%s:%s@%s:%s?database=%s", adapter.User,
+				dataSourceName = fmt.Sprintf("sqlserver://%s:%s@%s:%d?database=%s", adapter.User,
 					adapter.Password, adapter.Host, adapter.Port, adapter.Database)
 			case "mysql":
-				dataSourceName = fmt.Sprintf("%s:%s@tcp(%s:%s)/", adapter.User,
-					adapter.Password, adapter.Host, adapter.Port)
+				dataSourceName = fmt.Sprintf("%s:%s@tcp(%s:%d)/%s", adapter.User,
+					adapter.Password, adapter.Host, adapter.Port, adapter.Database)
 			case "postgres":
-				dataSourceName = fmt.Sprintf("user=%s password=%s host=%s port=%s sslmode=disable dbname=%s", adapter.User,
+				dataSourceName = fmt.Sprintf("user=%s password=%s host=%s port=%d sslmode=disable dbname=%s", adapter.User,
 					adapter.Password, adapter.Host, adapter.Port, adapter.Database)
 			case "CockroachDB":
-				dataSourceName = fmt.Sprintf("user=%s password=%s host=%s port=%s sslmode=disable dbname=%s serial_normalization=virtual_sequence",
+				dataSourceName = fmt.Sprintf("user=%s password=%s host=%s port=%d sslmode=disable dbname=%s serial_normalization=virtual_sequence",
 					adapter.User, adapter.Password, adapter.Host, adapter.Port, adapter.Database)
 			case "sqlite3":
 				dataSourceName = fmt.Sprintf("file:%s", adapter.Host)
@ -181,7 +182,16 @@ func (adapter *Adapter) initAdapter() error {
 		}

 		var err error
-		adapter.Adapter, err = xormadapter.NewAdapterByEngineWithTableName(NewAdapter(adapter.DatabaseType, dataSourceName, adapter.Database).Engine, adapter.getTable(), adapter.TableNamePrefix)
+		engine, err := xorm.NewEngine(adapter.DatabaseType, dataSourceName)
+
+		if adapter.isBuiltIn() && adapter.DatabaseType == "postgres" {
+			schema := util.GetValueFromDataSourceName("search_path", dataSourceName)
+			if schema != "" {
+				engine.SetSchema(schema)
+			}
+		}
+
+		adapter.Adapter, err = xormadapter.NewAdapterByEngineWithTableName(engine, adapter.getTable(), adapter.TableNamePrefix)
 		if err != nil {
 			return err
 		}
@ -209,116 +219,10 @@ func adapterChangeTrigger(oldName string, newName string) error {
 	return session.Commit()
 }

-func safeReturn(policy []string, i int) string {
-	if len(policy) > i {
-		return policy[i]
-	} else {
-		return ""
-	}
-}
-
-func matrixToCasbinRules(Ptype string, policies [][]string) []*xormadapter.CasbinRule {
-	res := []*xormadapter.CasbinRule{}
-
-	for _, policy := range policies {
-		line := xormadapter.CasbinRule{
-			Ptype: Ptype,
-			V0:    safeReturn(policy, 0),
-			V1:    safeReturn(policy, 1),
-			V2:    safeReturn(policy, 2),
-			V3:    safeReturn(policy, 3),
-			V4:    safeReturn(policy, 4),
-			V5:    safeReturn(policy, 5),
-		}
-		res = append(res, &line)
-	}
-
-	return res
-}
-
-func GetPolicies(adapter *Adapter) ([]*xormadapter.CasbinRule, error) {
-	err := adapter.initAdapter()
-	if err != nil {
-		return nil, err
-	}
-
-	casbinModel := getModelDef()
-	err = adapter.LoadPolicy(casbinModel)
-	if err != nil {
-		return nil, err
-	}
-
-	policies := matrixToCasbinRules("p", casbinModel.GetPolicy("p", "p"))
-	policies = append(policies, matrixToCasbinRules("g", casbinModel.GetPolicy("g", "g"))...)
-	return policies, nil
-}
-
-func UpdatePolicy(oldPolicy, newPolicy []string, adapter *Adapter) (bool, error) {
-	err := adapter.initAdapter()
-	if err != nil {
-		return false, err
-	}
-
-	casbinModel := getModelDef()
-	err = adapter.LoadPolicy(casbinModel)
-	if err != nil {
-		return false, err
-	}
-
-	affected := casbinModel.UpdatePolicy("p", "p", oldPolicy, newPolicy)
-	if err != nil {
-		return affected, err
-	}
-	return affected, nil
-}
-
-func AddPolicy(policy []string, adapter *Adapter) (bool, error) {
-	err := adapter.initAdapter()
-	if err != nil {
-		return false, err
-	}
-
-	casbinModel := getModelDef()
-	err = adapter.LoadPolicy(casbinModel)
-	if err != nil {
-		return false, err
-	}
-
-	casbinModel.AddPolicy("p", "p", policy)
-
-	return true, nil
-}
-
-func RemovePolicy(policy []string, adapter *Adapter) (bool, error) {
-	err := adapter.initAdapter()
-	if err != nil {
-		return false, err
-	}
-
-	casbinModel := getModelDef()
-	err = adapter.LoadPolicy(casbinModel)
-	if err != nil {
-		return false, err
-	}
-
-	affected := casbinModel.RemovePolicy("p", "p", policy)
-	if err != nil {
-		return affected, err
-	}
-	return affected, nil
-}
-
-func (adapter *Adapter) buildInAdapter() bool {
+func (adapter *Adapter) isBuiltIn() bool {
 	if adapter.Owner != "built-in" {
 		return false
 	}

-	return adapter.Name == "permission-adapter-built-in" || adapter.Name == "api-adapter-built-in"
-}
-
-func getModelDef() model.Model {
-	casbinModel := model.NewModel()
-	casbinModel.AddDef("p", "p", "_, _, _, _, _, _")
-	casbinModel.AddDef("g", "g", "_, _, _, _, _, _")
-	return casbinModel
+	return adapter.Name == "user-adapter-built-in" || adapter.Name == "api-adapter-built-in"
 }
--- a/object/application.go
+++ b/object/application.go
@ -57,7 +57,9 @@ type Application struct {
 	SignupItems         []*SignupItem   `xorm:"varchar(1000)" json:"signupItems"`
 	GrantTypes          []string        `xorm:"varchar(1000)" json:"grantTypes"`
 	OrganizationObj     *Organization   `xorm:"-" json:"organizationObj"`
+	CertPublicKey       string          `xorm:"-" json:"certPublicKey"`
 	Tags                []string        `xorm:"mediumtext" json:"tags"`
+	InvitationCodes     []string        `xorm:"varchar(200)" json:"invitationCodes"`

 	ClientId             string     `xorm:"varchar(100)" json:"clientId"`
 	ClientSecret         string     `xorm:"varchar(100)" json:"clientSecret"`
@ -311,6 +313,11 @@ func GetMaskedApplication(application *Application, userId string) *Application
 			application.OrganizationObj.PasswordSalt = "***"
 		}
 	}
+
+	if application.InvitationCodes != nil {
+		application.InvitationCodes = []string{"***"}
+	}
+
 	return application
 }

@ -421,15 +428,14 @@ func (application *Application) GetId() string {
 }

 func (application *Application) IsRedirectUriValid(redirectUri string) bool {
-	isValid := false
-	for _, targetUri := range application.RedirectUris {
+	redirectUris := append([]string{"http://localhost:"}, application.RedirectUris...)
+	for _, targetUri := range redirectUris {
 		targetUriRegex := regexp.MustCompile(targetUri)
 		if targetUriRegex.MatchString(redirectUri) || strings.Contains(redirectUri, targetUri) {
-			isValid = true
-			break
+			return true
 		}
 	}
-	return isValid
+	return false
 }

 func IsOriginAllowed(origin string) (bool, error) {
--- a/object/cert.go
+++ b/object/cert.go
@ -162,7 +162,7 @@ func UpdateCert(id string, cert *Cert) (bool, error) {
 	if name != cert.Name {
 		err := certChangeTrigger(name, cert.Name)
 		if err != nil {
-			return false, nil
+			return false, err
 		}
 	}
 	affected, err := ormer.Engine.ID(core.PK{owner, name}).AllCols().Update(cert)
--- a/object/check.go
+++ b/object/check.go
@ -66,8 +66,11 @@ func CheckUserSignup(application *Application, organization *Organization, form
 		}
 	}

-	if len(form.Password) <= 5 {
-		return i18n.Translate(lang, "check:Password must have at least 6 characters")
+	if application.IsSignupItemVisible("Password") {
+		msg := CheckPasswordComplexityByOrg(organization, form.Password)
+		if msg != "" {
+			return msg
+		}
 	}

 	if application.IsSignupItemVisible("Email") {
@ -124,6 +127,18 @@ func CheckUserSignup(application *Application, organization *Organization, form
 		}
 	}

+	if len(application.InvitationCodes) > 0 {
+		if form.InvitationCode == "" {
+			if application.IsSignupItemRequired("Invitation code") {
+				return i18n.Translate(lang, "check:Invitation code cannot be blank")
+			}
+		} else {
+			if !util.InSlice(application.InvitationCodes, form.InvitationCode) {
+				return i18n.Translate(lang, "check:Invitation code is invalid")
+			}
+		}
+	}
+
 	return ""
 }

@ -141,7 +156,7 @@ func checkSigninErrorTimes(user *User, lang string) string {
 		// reset the error times
 		user.SigninWrongTimes = 0

-		UpdateUser(user.GetId(), user, []string{"signin_wrong_times"}, user.IsGlobalAdmin)
+		UpdateUser(user.GetId(), user, []string{"signin_wrong_times"}, false)
 	}

 	return ""
@ -319,7 +334,7 @@ func CheckUserPermission(requestUserId, userId string, strict bool, lang string)
 		if requestUser == nil {
 			return false, fmt.Errorf(i18n.Translate(lang, "check:Session outdated, please login again"))
 		}
-		if requestUser.IsGlobalAdmin {
+		if requestUser.IsGlobalAdmin() {
 			hasPermission = true
 		} else if requestUserId == userId {
 			hasPermission = true
@ -391,10 +406,6 @@ func CheckUsername(username string, lang string) string {
 }

 func CheckUpdateUser(oldUser, user *User, lang string) string {
-	if user.DisplayName == "" {
-		return i18n.Translate(lang, "user:Display name cannot be empty")
-	}
-
 	if oldUser.Name != user.Name {
 		if msg := CheckUsername(user.Name, lang); msg != "" {
 			return msg
@ -404,7 +415,7 @@ func CheckUpdateUser(oldUser, user *User, lang string) string {
 		}
 	}
 	if oldUser.Email != user.Email {
-		if HasUserByField(user.Name, "email", user.Email) {
+		if HasUserByField(user.Owner, "email", user.Email) {
 			return i18n.Translate(lang, "check:Email already exists")
 		}
 	}
--- a/object/check_util.go
+++ b/object/check_util.go
@ -42,7 +42,7 @@ func resetUserSigninErrorTimes(user *User) {
 		return
 	}
 	user.SigninWrongTimes = 0
-	UpdateUser(user.GetId(), user, []string{"signin_wrong_times", "last_signin_wrong_time"}, user.IsGlobalAdmin)
+	UpdateUser(user.GetId(), user, []string{"signin_wrong_times", "last_signin_wrong_time"}, false)
 }

 func recordSigninErrorInfo(user *User, lang string, options ...bool) string {
@ -61,7 +61,7 @@ func recordSigninErrorInfo(user *User, lang string, options ...bool) string {
 	}

 	// update user
-	UpdateUser(user.GetId(), user, []string{"signin_wrong_times", "last_signin_wrong_time"}, user.IsGlobalAdmin)
+	UpdateUser(user.GetId(), user, []string{"signin_wrong_times", "last_signin_wrong_time"}, false)
 	leftChances := SigninWrongTimesLimit - user.SigninWrongTimes
 	if leftChances == 0 && enableCaptcha {
 		return fmt.Sprint(i18n.Translate(lang, "check:password or code is incorrect"))
--- a/object/enforcer.go
+++ b/object/enforcer.go
@ -15,10 +15,12 @@
 package object

 import (
-	"errors"
+	"fmt"

 	"github.com/casbin/casbin/v2"
+	"github.com/casbin/casbin/v2/config"
 	"github.com/casdoor/casdoor/util"
+	xormadapter "github.com/casdoor/xorm-adapter/v3"
 	"github.com/xorm-io/core"
 )

@ -30,10 +32,10 @@ type Enforcer struct {
 	DisplayName string `xorm:"varchar(100)" json:"displayName"`
 	Description string `xorm:"varchar(100)" json:"description"`

-	Model     string `xorm:"varchar(100)" json:"model"`
-	Adapter   string `xorm:"varchar(100)" json:"adapter"`
-	IsEnabled bool   `json:"isEnabled"`
+	Model   string `xorm:"varchar(100)" json:"model"`
+	Adapter string `xorm:"varchar(100)" json:"adapter"`

+	ModelCfg map[string]string `xorm:"-" json:"modelCfg"`
 	*casbin.Enforcer
 }

@ -120,44 +122,131 @@ func DeleteEnforcer(enforcer *Enforcer) (bool, error) {
 	return affected != 0, nil
 }

+func (enforcer *Enforcer) GetId() string {
+	return fmt.Sprintf("%s/%s", enforcer.Owner, enforcer.Name)
+}
+
 func (enforcer *Enforcer) InitEnforcer() error {
-	if enforcer.Enforcer == nil {
-		if enforcer == nil {
-			return errors.New("enforcer is nil")
-		}
-		if enforcer.Model == "" || enforcer.Adapter == "" {
-			return errors.New("missing model or adapter")
-		}
+	if enforcer.Enforcer != nil {
+		return nil
+	}

-		var err error
-		var m *Model
-		var a *Adapter
+	if enforcer.Model == "" {
+		return fmt.Errorf("the model for enforcer: %s should not be empty", enforcer.GetId())
+	}
+	if enforcer.Adapter == "" {
+		return fmt.Errorf("the adapter for enforcer: %s should not be empty", enforcer.GetId())
+	}

-		if m, err = GetModel(enforcer.Model); err != nil {
-			return err
-		} else if m == nil {
-			return errors.New("model not found")
-		}
-		if a, err = GetAdapter(enforcer.Adapter); err != nil {
-			return err
-		} else if a == nil {
-			return errors.New("adapter not found")
-		}
+	m, err := GetModel(enforcer.Model)
+	if err != nil {
+		return err
+	} else if m == nil {
+		return fmt.Errorf("the model: %s for enforcer: %s is not found", enforcer.Model, enforcer.GetId())
+	}

-		err = m.initModel()
-		if err != nil {
-			return err
-		}
-		err = a.initAdapter()
-		if err != nil {
-			return err
-		}
+	a, err := GetAdapter(enforcer.Adapter)
+	if err != nil {
+		return err
+	} else if a == nil {
+		return fmt.Errorf("the adapter: %s for enforcer: %s is not found", enforcer.Adapter, enforcer.GetId())
+	}

-		casbinEnforcer, err := casbin.NewEnforcer(m.Model, a.Adapter)
-		if err != nil {
-			return err
-		}
-		enforcer.Enforcer = casbinEnforcer
+	err = m.initModel()
+	if err != nil {
+		return err
+	}
+	err = a.InitAdapter()
+	if err != nil {
+		return err
+	}
+
+	casbinEnforcer, err := casbin.NewEnforcer(m.Model, a.Adapter)
+	if err != nil {
+		return err
+	}
+
+	enforcer.Enforcer = casbinEnforcer
+	return nil
+}
+
+func GetInitializedEnforcer(enforcerId string) (*Enforcer, error) {
+	enforcer, err := GetEnforcer(enforcerId)
+	if err != nil {
+		return nil, err
+	} else if enforcer == nil {
+		return nil, fmt.Errorf("the enforcer: %s is not found", enforcerId)
+	}
+
+	err = enforcer.InitEnforcer()
+	if err != nil {
+		return nil, err
+	}
+	return enforcer, nil
+}
+
+func GetPolicies(id string) ([]*xormadapter.CasbinRule, error) {
+	enforcer, err := GetInitializedEnforcer(id)
+	if err != nil {
+		return nil, err
+	}
+
+	policies := util.MatrixToCasbinRules("p", enforcer.GetPolicy())
+	if enforcer.GetModel()["g"] != nil {
+		policies = append(policies, util.MatrixToCasbinRules("g", enforcer.GetGroupingPolicy())...)
+	}
+
+	return policies, nil
+}
+
+func UpdatePolicy(id string, oldPolicy, newPolicy []string) (bool, error) {
+	enforcer, err := GetInitializedEnforcer(id)
+	if err != nil {
+		return false, err
+	}
+
+	return enforcer.UpdatePolicy(oldPolicy, newPolicy)
+}
+
+func AddPolicy(id string, policy []string) (bool, error) {
+	enforcer, err := GetInitializedEnforcer(id)
+	if err != nil {
+		return false, err
+	}
+
+	return enforcer.AddPolicy(policy)
+}
+
+func RemovePolicy(id string, policy []string) (bool, error) {
+	enforcer, err := GetInitializedEnforcer(id)
+	if err != nil {
+		return false, err
+	}
+
+	return enforcer.RemovePolicy(policy)
+}
+
+func (enforcer *Enforcer) LoadModelCfg() error {
+	if enforcer.ModelCfg != nil {
+		return nil
+	}
+
+	model, err := GetModel(enforcer.Model)
+	if err != nil {
+		return err
+	} else if model == nil {
+		return fmt.Errorf("the model: %s for enforcer: %s is not found", enforcer.Model, enforcer.GetId())
+	}
+
+	cfg, err := config.NewConfigFromText(model.ModelText)
+	if err != nil {
+		return err
+	}
+
+	enforcer.ModelCfg = make(map[string]string)
+	enforcer.ModelCfg["p"] = cfg.String("policy_definition::p")
+	if cfg.String("role_definition::g") != "" {
+		enforcer.ModelCfg["g"] = cfg.String("role_definition::g")
 	}

 	return nil
--- a/object/get-dashboard.go
+++ b/object/get-dashboard.go
@ -0,0 +1,140 @@
+// Copyright 2021 The Casdoor Authors. All Rights Reserved.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//      http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package object
+
+import (
+	"sync"
+	"time"
+)
+
+type Dashboard struct {
+	OrganizationCounts []int `json:"organizationCounts"`
+	UserCounts         []int `json:"userCounts"`
+	ProviderCounts     []int `json:"providerCounts"`
+	ApplicationCounts  []int `json:"applicationCounts"`
+	SubscriptionCounts []int `json:"subscriptionCounts"`
+}
+
+func GetDashboard(owner string) (*Dashboard, error) {
+	dashboard := &Dashboard{
+		OrganizationCounts: make([]int, 31),
+		UserCounts:         make([]int, 31),
+		ProviderCounts:     make([]int, 31),
+		ApplicationCounts:  make([]int, 31),
+		SubscriptionCounts: make([]int, 31),
+	}
+
+	var wg sync.WaitGroup
+
+	organizations := []Organization{}
+	users := []User{}
+	providers := []Provider{}
+	applications := []Application{}
+	subscriptions := []Subscription{}
+
+	wg.Add(5)
+	go func() {
+		defer wg.Done()
+		if err := ormer.Engine.Find(&organizations, &Organization{Owner: owner}); err != nil {
+			panic(err)
+		}
+	}()
+
+	go func() {
+		defer wg.Done()
+
+		if err := ormer.Engine.Find(&users, &User{Owner: owner}); err != nil {
+			panic(err)
+		}
+	}()
+
+	go func() {
+		defer wg.Done()
+
+		if err := ormer.Engine.Find(&providers, &Provider{Owner: owner}); err != nil {
+			panic(err)
+		}
+	}()
+
+	go func() {
+		defer wg.Done()
+
+		if err := ormer.Engine.Find(&applications, &Application{Owner: owner}); err != nil {
+			panic(err)
+		}
+	}()
+
+	go func() {
+		defer wg.Done()
+
+		if err := ormer.Engine.Find(&subscriptions, &Subscription{Owner: owner}); err != nil {
+			panic(err)
+		}
+	}()
+	wg.Wait()
+
+	nowTime := time.Now()
+	for i := 30; i >= 0; i-- {
+		cutTime := nowTime.AddDate(0, 0, -i)
+		dashboard.OrganizationCounts[30-i] = countCreatedBefore(organizations, cutTime)
+		dashboard.UserCounts[30-i] = countCreatedBefore(users, cutTime)
+		dashboard.ProviderCounts[30-i] = countCreatedBefore(providers, cutTime)
+		dashboard.ApplicationCounts[30-i] = countCreatedBefore(applications, cutTime)
+		dashboard.SubscriptionCounts[30-i] = countCreatedBefore(subscriptions, cutTime)
+	}
+	return dashboard, nil
+}
+
+func countCreatedBefore(objects interface{}, before time.Time) int {
+	count := 0
+	switch obj := objects.(type) {
+	case []Organization:
+		for _, o := range obj {
+			createdTime, _ := time.Parse("2006-01-02T15:04:05-07:00", o.CreatedTime)
+			if createdTime.Before(before) {
+				count++
+			}
+		}
+	case []User:
+		for _, u := range obj {
+			createdTime, _ := time.Parse("2006-01-02T15:04:05-07:00", u.CreatedTime)
+			if createdTime.Before(before) {
+				count++
+			}
+		}
+	case []Provider:
+		for _, p := range obj {
+			createdTime, _ := time.Parse("2006-01-02T15:04:05-07:00", p.CreatedTime)
+			if createdTime.Before(before) {
+				count++
+			}
+		}
+	case []Application:
+		for _, a := range obj {
+			createdTime, _ := time.Parse("2006-01-02T15:04:05-07:00", a.CreatedTime)
+			if createdTime.Before(before) {
+				count++
+			}
+		}
+	case []Subscription:
+		for _, s := range obj {
+			createdTime, _ := time.Parse("2006-01-02T15:04:05-07:00", s.CreatedTime)
+			if createdTime.Before(before) {
+				count++
+			}
+		}
+	}
+	return count
+}
--- a/object/group.go
+++ b/object/group.go
@ -164,7 +164,7 @@ func DeleteGroup(group *Group) (bool, error) {
 		return false, errors.New("group has children group")
 	}

-	if count, err := GetGroupUserCount(group.Name, "", ""); err != nil {
+	if count, err := GetGroupUserCount(group.GetId(), "", ""); err != nil {
 		return false, err
 	} else if count > 0 {
 		return false, errors.New("group has users")
@ -214,39 +214,33 @@ func ConvertToTreeData(groups []*Group, parentId string) []*Group {
 	return treeData
 }

-func RemoveUserFromGroup(owner, name, groupName string) (bool, error) {
-	user, err := getUser(owner, name)
+func GetGroupUserCount(groupId string, field, value string) (int64, error) {
+	owner, _ := util.GetOwnerAndNameFromId(groupId)
+	names, err := userEnforcer.GetUserNamesByGroupName(groupId)
 	if err != nil {
-		return false, err
-	}
-	if user == nil {
-		return false, errors.New("user not exist")
+		return 0, err
 	}

-	user.Groups = util.DeleteVal(user.Groups, groupName)
-	affected, err := updateUser(user.GetId(), user, []string{"groups"})
-	if err != nil {
-		return false, err
-	}
-	return affected != 0, err
-}
-
-func GetGroupUserCount(groupName string, field, value string) (int64, error) {
 	if field == "" && value == "" {
-		return ormer.Engine.Where(builder.Like{"`groups`", groupName}).
-			Count(&User{})
+		return int64(len(names)), nil
 	} else {
 		return ormer.Engine.Table("user").
-			Where(builder.Like{"`groups`", groupName}).
+			Where("owner = ?", owner).In("name", names).
 			And(fmt.Sprintf("user.%s LIKE ?", util.CamelToSnakeCase(field)), "%"+value+"%").
 			Count()
 	}
 }

-func GetPaginationGroupUsers(groupName string, offset, limit int, field, value, sortField, sortOrder string) ([]*User, error) {
+func GetPaginationGroupUsers(groupId string, offset, limit int, field, value, sortField, sortOrder string) ([]*User, error) {
 	users := []*User{}
+	owner, _ := util.GetOwnerAndNameFromId(groupId)
+	names, err := userEnforcer.GetUserNamesByGroupName(groupId)
+	if err != nil {
+		return nil, err
+	}
+
 	session := ormer.Engine.Table("user").
-		Where(builder.Like{"`groups`", groupName + "\""})
+		Where("owner = ?", owner).In("name", names)

 	if offset != -1 && limit != -1 {
 		session.Limit(limit, offset)
@ -265,7 +259,7 @@ func GetPaginationGroupUsers(groupName string, offset, limit int, field, value,
 		session = session.Desc(fmt.Sprintf("user.%s", util.SnakeString(sortField)))
 	}

-	err := session.Find(&users)
+	err = session.Find(&users)
 	if err != nil {
 		return nil, err
 	}
@ -273,15 +267,15 @@ func GetPaginationGroupUsers(groupName string, offset, limit int, field, value,
 	return users, nil
 }

-func GetGroupUsers(groupName string) ([]*User, error) {
+func GetGroupUsers(groupId string) ([]*User, error) {
 	users := []*User{}
-	err := ormer.Engine.Table("user").
-		Where(builder.Like{"`groups`", groupName + "\""}).
-		Find(&users)
+	owner, _ := util.GetOwnerAndNameFromId(groupId)
+	names, err := userEnforcer.GetUserNamesByGroupName(groupId)
+
+	err = ormer.Engine.Where("owner = ?", owner).In("name", names).Find(&users)
 	if err != nil {
 		return nil, err
 	}
-
 	return users, nil
 }

--- a/object/init.go
+++ b/object/init.go
@ -37,11 +37,11 @@ func InitDb() {

 	existed = initBuiltInApiModel()
 	if !existed {
-		initBuildInApiAdapter()
+		initBuiltInApiAdapter()
 		initBuiltInApiEnforcer()
-		initBuiltInPermissionModel()
-		initBuildInPermissionAdapter()
-		initBuiltInPermissionEnforcer()
+		initBuiltInUserModel()
+		initBuiltInUserAdapter()
+		initBuiltInUserEnforcer()
 	}

 	initWebAuthn()
@ -73,7 +73,6 @@ func getBuiltInAccountItems() []*AccountItem {
 		{Name: "3rd-party logins", Visible: true, ViewRule: "Self", ModifyRule: "Self"},
 		{Name: "Properties", Visible: false, ViewRule: "Admin", ModifyRule: "Admin"},
 		{Name: "Is admin", Visible: true, ViewRule: "Admin", ModifyRule: "Admin"},
-		{Name: "Is global admin", Visible: true, ViewRule: "Admin", ModifyRule: "Admin"},
 		{Name: "Is forbidden", Visible: true, ViewRule: "Admin", ModifyRule: "Admin"},
 		{Name: "Is deleted", Visible: true, ViewRule: "Admin", ModifyRule: "Admin"},
 		{Name: "Multi-factor authentication", Visible: true, ViewRule: "Self", ModifyRule: "Self"},
@ -145,7 +144,6 @@ func initBuiltInUser() {
 		Score:             2000,
 		Ranking:           1,
 		IsAdmin:           true,
-		IsGlobalAdmin:     true,
 		IsForbidden:       false,
 		IsDeleted:         false,
 		SignupApplication: "app-built-in",
@ -303,8 +301,8 @@ func initWebAuthn() {
 	gob.Register(webauthn.SessionData{})
 }

-func initBuiltInPermissionModel() {
-	model, err := GetModel("built-in/permission-model-built-in")
+func initBuiltInUserModel() {
+	model, err := GetModel("built-in/user-model-built-in")
 	if err != nil {
 		panic(err)
 	}
@ -315,21 +313,23 @@ func initBuiltInPermissionModel() {

 	model = &Model{
 		Owner:       "built-in",
-		Name:        "permission-model-built-in",
+		Name:        "user-model-built-in",
 		CreatedTime: util.GetCurrentTime(),
 		DisplayName: "Built-in Model",
-		IsEnabled:   true,
 		ModelText: `[request_definition]
 r = sub, obj, act

 [policy_definition]
 p = sub, obj, act

+[role_definition]
+g = _, _
+
 [policy_effect]
 e = some(where (p.eft == allow))

 [matchers]
-m = r.sub == p.sub && r.obj == p.obj && r.act == p.act`,
+m = g(r.sub, p.sub) && r.obj == p.obj && r.act == p.act`,
 	}
 	_, err = AddModel(model)
 	if err != nil {
@ -347,8 +347,7 @@ func initBuiltInApiModel() bool {
 		return true
 	}

-	modelText := `
-[request_definition]
+	modelText := `[request_definition]
 r = subOwner, subName, method, urlPath, objOwner, objName

 [policy_definition]
@ -367,15 +366,13 @@ m = (r.subOwner == p.subOwner || p.subOwner == "*") && \
    (r.urlPath == p.urlPath || p.urlPath == "*") && \
    (r.objOwner == p.objOwner || p.objOwner == "*") && \
    (r.objName == p.objName || p.objName == "*") || \
-    (r.subOwner == r.objOwner && r.subName == r.objName)
-`
+    (r.subOwner == r.objOwner && r.subName == r.objName)`

 	model = &Model{
 		Owner:       "built-in",
 		Name:        "api-model-built-in",
 		CreatedTime: util.GetCurrentTime(),
 		DisplayName: "API Model",
-		IsEnabled:   true,
 		ModelText:   modelText,
 	}
 	_, err = AddModel(model)
@ -415,44 +412,43 @@ func initBuiltInPermission() {
 	}
 }

-func initBuildInPermissionAdapter() {
-	permissionAdapter, err := GetAdapter("built-in/permission-adapter-built-in")
+func initBuiltInUserAdapter() {
+	adapter, err := GetAdapter("built-in/user-adapter-built-in")
 	if err != nil {
 		panic(err)
 	}

-	if permissionAdapter != nil {
+	if adapter != nil {
 		return
 	}

-	permissionAdapter = &Adapter{
+	adapter = &Adapter{
 		Owner:           "built-in",
-		Name:            "permission-adapter-built-in",
+		Name:            "user-adapter-built-in",
 		CreatedTime:     util.GetCurrentTime(),
 		Type:            "Database",
 		DatabaseType:    conf.GetConfigString("driverName"),
 		TableNamePrefix: conf.GetConfigString("tableNamePrefix"),
 		Database:        conf.GetConfigString("dbName"),
 		Table:           "casbin_user_rule",
-		IsEnabled:       true,
 	}
-	_, err = AddAdapter(permissionAdapter)
+	_, err = AddAdapter(adapter)
 	if err != nil {
 		panic(err)
 	}
 }

-func initBuildInApiAdapter() {
-	apiAdapter, err := GetAdapter("built-in/api-adapter-built-in")
+func initBuiltInApiAdapter() {
+	adapter, err := GetAdapter("built-in/api-adapter-built-in")
 	if err != nil {
 		panic(err)
 	}

-	if apiAdapter != nil {
+	if adapter != nil {
 		return
 	}

-	apiAdapter = &Adapter{
+	adapter = &Adapter{
 		Owner:           "built-in",
 		Name:            "api-adapter-built-in",
 		CreatedTime:     util.GetCurrentTime(),
@ -461,61 +457,58 @@ func initBuildInApiAdapter() {
 		TableNamePrefix: conf.GetConfigString("tableNamePrefix"),
 		Database:        conf.GetConfigString("dbName"),
 		Table:           "casbin_api_rule",
-		IsEnabled:       true,
 	}
-	_, err = AddAdapter(apiAdapter)
+	_, err = AddAdapter(adapter)
 	if err != nil {
 		panic(err)
 	}
 }

-func initBuiltInPermissionEnforcer() {
-	permissionEnforcer, err := GetEnforcer("built-in/permission-enforcer-built-in")
+func initBuiltInUserEnforcer() {
+	enforcer, err := GetEnforcer("built-in/user-enforcer-built-in")
 	if err != nil {
 		panic(err)
 	}

-	if permissionEnforcer != nil {
+	if enforcer != nil {
 		return
 	}

-	permissionEnforcer = &Enforcer{
+	enforcer = &Enforcer{
 		Owner:       "built-in",
-		Name:        "permission-enforcer-built-in",
+		Name:        "user-enforcer-built-in",
 		CreatedTime: util.GetCurrentTime(),
-		DisplayName: "Permission Enforcer",
-		Model:       "built-in/permission-model-built-in",
-		Adapter:     "built-in/permission-adapter-built-in",
-		IsEnabled:   true,
+		DisplayName: "User Enforcer",
+		Model:       "built-in/user-model-built-in",
+		Adapter:     "built-in/user-adapter-built-in",
 	}

-	_, err = AddEnforcer(permissionEnforcer)
+	_, err = AddEnforcer(enforcer)
 	if err != nil {
 		panic(err)
 	}
 }

 func initBuiltInApiEnforcer() {
-	apiEnforcer, err := GetEnforcer("built-in/api-enforcer-built-in")
+	enforcer, err := GetEnforcer("built-in/api-enforcer-built-in")
 	if err != nil {
 		panic(err)
 	}

-	if apiEnforcer != nil {
+	if enforcer != nil {
 		return
 	}

-	apiEnforcer = &Enforcer{
+	enforcer = &Enforcer{
 		Owner:       "built-in",
 		Name:        "api-enforcer-built-in",
 		CreatedTime: util.GetCurrentTime(),
 		DisplayName: "API Enforcer",
 		Model:       "built-in/api-model-built-in",
 		Adapter:     "built-in/api-adapter-built-in",
-		IsEnabled:   true,
 	}

-	_, err = AddEnforcer(apiEnforcer)
+	_, err = AddEnforcer(enforcer)
 	if err != nil {
 		panic(err)
 	}
--- a/object/ldap_conn.go
+++ b/object/ldap_conn.go
@ -41,19 +41,20 @@ type LdapUser struct {
 	GidNumber string `json:"gidNumber"`
 	// Gcn                   string
 	Uuid                  string `json:"uuid"`
+	UserPrincipalName     string `json:"userPrincipalName"`
 	DisplayName           string `json:"displayName"`
 	Mail                  string
 	Email                 string `json:"email"`
 	EmailAddress          string
 	TelephoneNumber       string
-	Mobile                string
+	Mobile                string `json:"mobile"`
 	MobileTelephoneNumber string
 	RegisteredAddress     string
 	PostalAddress         string

-	GroupId string `json:"groupId"`
-	Phone   string `json:"phone"`
-	Address string `json:"address"`
+	GroupId  string `json:"groupId"`
+	Address  string `json:"address"`
+	MemberOf string `json:"memberOf"`
 }

 func (ldap *Ldap) GetLdapConn() (c *LdapConn, err error) {
@ -168,6 +169,8 @@ func (l *LdapConn) GetLdapUsers(ldapServer *Ldap) ([]LdapUser, error) {
 				user.Uuid = attribute.Values[0]
 			case "objectGUID":
 				user.Uuid = attribute.Values[0]
+			case "userPrincipalName":
+				user.UserPrincipalName = attribute.Values[0]
 			case "displayName":
 				user.DisplayName = attribute.Values[0]
 			case "mail":
@ -186,6 +189,8 @@ func (l *LdapConn) GetLdapUsers(ldapServer *Ldap) ([]LdapUser, error) {
 				user.RegisteredAddress = attribute.Values[0]
 			case "postalAddress":
 				user.PostalAddress = attribute.Values[0]
+			case "memberOf":
+				user.MemberOf = attribute.Values[0]
 			}
 		}
 		ldapUsers = append(ldapUsers, user)
@ -306,18 +311,20 @@ func SyncLdapUsers(owner string, syncUsers []LdapUser, ldapId string) (existUser
 			}

 			newUser := &User{
-				Owner:       owner,
-				Name:        name,
-				CreatedTime: util.GetCurrentTime(),
-				DisplayName: syncUser.buildLdapDisplayName(),
-				Avatar:      organization.DefaultAvatar,
-				Email:       syncUser.Email,
-				Phone:       syncUser.Phone,
-				Address:     []string{syncUser.Address},
-				Affiliation: affiliation,
-				Tag:         tag,
-				Score:       score,
-				Ldap:        syncUser.Uuid,
+				Owner:             owner,
+				Name:              name,
+				CreatedTime:       util.GetCurrentTime(),
+				DisplayName:       syncUser.buildLdapDisplayName(),
+				SignupApplication: organization.DefaultApplication,
+				Type:              "normal-user",
+				Avatar:            organization.DefaultAvatar,
+				Email:             syncUser.Email,
+				Phone:             syncUser.Mobile,
+				Address:           []string{syncUser.Address},
+				Affiliation:       affiliation,
+				Tag:               tag,
+				Score:             score,
+				Ldap:              syncUser.Uuid,
 			}

 			affected, err := AddUser(newUser)
--- a/object/mfa.go
+++ b/object/mfa.go
@ -84,7 +84,7 @@ func MfaRecover(user *User, recoveryCode string) error {
 		return fmt.Errorf("recovery code not found")
 	}

-	_, err := UpdateUser(user.GetId(), user, []string{"recovery_codes"}, user.IsAdminUser())
+	_, err := UpdateUser(user.GetId(), user, []string{"recovery_codes"}, false)
 	if err != nil {
 		return err
 	}
@ -181,7 +181,7 @@ func DisabledMultiFactorAuth(user *User) error {
 func SetPreferredMultiFactorAuth(user *User, mfaType string) error {
 	user.PreferredMfaType = mfaType

-	_, err := UpdateUser(user.GetId(), user, []string{"preferred_mfa_type"}, user.IsAdminUser())
+	_, err := UpdateUser(user.GetId(), user, []string{"preferred_mfa_type"}, false)
 	if err != nil {
 		return err
 	}
--- a/object/mfa_totp.go
+++ b/object/mfa_totp.go
@ -17,6 +17,7 @@ package object
 import (
 	"errors"
 	"fmt"
+	"time"

 	"github.com/beego/beego"
 	"github.com/beego/beego/context"
@ -25,7 +26,10 @@ import (
 	"github.com/pquerna/otp/totp"
 )

-const MfaTotpSecretSession = "mfa_totp_secret"
+const (
+	MfaTotpSecretSession   = "mfa_totp_secret"
+	MfaTotpPeriodInSeconds = 30
+)

 type TotpMfa struct {
 	Config     *MfaProps
@ -76,7 +80,16 @@ func (mfa *TotpMfa) SetupVerify(ctx *context.Context, passcode string) error {
 	if secret == nil {
 		return errors.New("totp secret is missing")
 	}
-	result := totp.Validate(passcode, secret.(string))
+
+	result, err := totp.ValidateCustom(passcode, secret.(string), time.Now().UTC(), totp.ValidateOpts{
+		Period:    MfaTotpPeriodInSeconds,
+		Skew:      1,
+		Digits:    otp.DigitsSix,
+		Algorithm: otp.AlgorithmSHA1,
+	})
+	if err != nil {
+		return err
+	}

 	if result {
 		return nil
@ -115,7 +128,15 @@ func (mfa *TotpMfa) Enable(ctx *context.Context, user *User) error {
 }

 func (mfa *TotpMfa) Verify(passcode string) error {
-	result := totp.Validate(passcode, mfa.Config.Secret)
+	result, err := totp.ValidateCustom(passcode, mfa.Config.Secret, time.Now().UTC(), totp.ValidateOpts{
+		Period:    MfaTotpPeriodInSeconds,
+		Skew:      1,
+		Digits:    otp.DigitsSix,
+		Algorithm: otp.AlgorithmSHA1,
+	})
+	if err != nil {
+		return err
+	}

 	if result {
 		return nil
@ -133,7 +154,7 @@ func NewTotpMfaUtil(config *MfaProps) *TotpMfa {

 	return &TotpMfa{
 		Config:     config,
-		period:     30,
+		period:     MfaTotpPeriodInSeconds,
 		secretSize: 20,
 		digits:     otp.DigitsSix,
 	}
--- a/object/model.go
+++ b/object/model.go
@ -30,7 +30,6 @@ type Model struct {
 	Description string `xorm:"varchar(100)" json:"description"`

 	ModelText string `xorm:"mediumtext" json:"modelText"`
-	IsEnabled bool   `json:"isEnabled"`

 	model.Model `xorm:"-" json:"-"`
 }
--- a/object/notification.go
+++ b/object/notification.go
@ -0,0 +1,42 @@
+// Copyright 2023 The Casdoor Authors. All Rights Reserved.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//      http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package object
+
+import (
+	"context"
+
+	"github.com/casdoor/casdoor/notification"
+	"github.com/casdoor/notify"
+)
+
+func getNotificationClient(provider *Provider) (notify.Notifier, error) {
+	var client notify.Notifier
+	client, err := notification.GetNotificationProvider(provider.Type, provider.ClientId, provider.ClientSecret, provider.ClientId2, provider.ClientSecret2, provider.AppId, provider.Receiver, provider.Method, provider.Title, provider.Metadata)
+	if err != nil {
+		return nil, err
+	}
+
+	return client, nil
+}
+
+func SendNotification(provider *Provider, content string) error {
+	client, err := getNotificationClient(provider)
+	if err != nil {
+		return err
+	}
+
+	err = client.Send(context.Background(), "", content)
+	return err
+}
--- a/object/oidc_discovery.go
+++ b/object/oidc_discovery.go
@ -103,7 +103,7 @@ func GetOidcDiscovery(host string) OidcDiscovery {
 		SubjectTypesSupported:                  []string{"public"},
 		IdTokenSigningAlgValuesSupported:       []string{"RS256"},
 		ScopesSupported:                        []string{"openid", "email", "profile", "address", "phone", "offline_access"},
-		ClaimsSupported:                        []string{"iss", "ver", "sub", "aud", "iat", "exp", "id", "type", "displayName", "avatar", "permanentAvatar", "email", "phone", "location", "affiliation", "title", "homepage", "bio", "tag", "region", "language", "score", "ranking", "isOnline", "isAdmin", "isGlobalAdmin", "isForbidden", "signupApplication", "ldap"},
+		ClaimsSupported:                        []string{"iss", "ver", "sub", "aud", "iat", "exp", "id", "type", "displayName", "avatar", "permanentAvatar", "email", "phone", "location", "affiliation", "title", "homepage", "bio", "tag", "region", "language", "score", "ranking", "isOnline", "isAdmin", "isForbidden", "signupApplication", "ldap"},
 		RequestParameterSupported:              true,
 		RequestObjectSigningAlgValuesSupported: []string{"HS256", "HS384", "HS512"},
 		EndSessionEndpoint:                     fmt.Sprintf("%s/api/logout", originBackend),
--- a/object/organization.go
+++ b/object/organization.go
@ -189,7 +189,7 @@ func UpdateOrganization(id string, organization *Organization) (bool, error) {
 	if name != organization.Name {
 		err := organizationChangeTrigger(name, organization.Name)
 		if err != nil {
-			return false, nil
+			return false, err
 		}
 	}

@ -432,15 +432,7 @@ func organizationChangeTrigger(oldName string, newName string) error {

 	payment := new(Payment)
 	payment.Owner = newName
-	_, err = session.Where("organization=?", oldName).Update(payment)
-	if err != nil {
-		return err
-	}
-
-	record := new(Record)
-	record.Owner = newName
-	record.Organization = newName
-	_, err = session.Where("organization=?", oldName).Update(record)
+	_, err = session.Where("owner=?", oldName).Update(payment)
 	if err != nil {
 		return err
 	}
--- a/object/ormer.go
+++ b/object/ormer.go
@ -16,7 +16,10 @@ package object

 import (
 	"database/sql"
+	"flag"
 	"fmt"
+	"os"
+	"regexp"
 	"runtime"
 	"strings"

@ -32,7 +35,24 @@ import (
 	_ "modernc.org/sqlite" // db = sqlite
 )

-var ormer *Ormer
+var (
+	ormer                   *Ormer = nil
+	isCreateDatabaseDefined        = false
+	createDatabase                 = true
+)
+
+func InitFlag() {
+	if !isCreateDatabaseDefined {
+		isCreateDatabaseDefined = true
+		createDatabase = getCreateDatabaseFlag()
+	}
+}
+
+func getCreateDatabaseFlag() bool {
+	res := flag.Bool("createDatabase", false, "true if you need to create database")
+	flag.Parse()
+	return *res
+}

 func InitConfig() {
 	err := beego.LoadAppConfig("ini", "../conf/app.conf")
@ -42,12 +62,23 @@ func InitConfig() {

 	beego.BConfig.WebConfig.Session.SessionOn = true

-	InitAdapter(true)
-	CreateTables(true)
+	InitAdapter()
+	CreateTables()
 	DoMigration()
 }

-func InitAdapter(createDatabase bool) {
+func InitAdapter() {
+	if conf.GetConfigString("driverName") == "" {
+		if !util.FileExist("conf/app.conf") {
+			dir, err := os.Getwd()
+			if err != nil {
+				panic(err)
+			}
+			dir = strings.ReplaceAll(dir, "\\", "/")
+			panic(fmt.Sprintf("The Casdoor config file: \"app.conf\" was not found, it should be placed at: \"%s/conf/app.conf\"", dir))
+		}
+	}
+
 	if createDatabase {
 		err := createDatabaseForPostgres(conf.GetConfigString("driverName"), conf.GetConfigDataSourceName(), conf.GetConfigString("dbName"))
 		if err != nil {
@ -62,7 +93,7 @@ func InitAdapter(createDatabase bool) {
 	ormer.Engine.SetTableMapper(tbMapper)
 }

-func CreateTables(createDatabase bool) {
+func CreateTables() {
 	if createDatabase {
 		err := ormer.CreateDatabase()
 		if err != nil {
@ -105,9 +136,14 @@ func NewAdapter(driverName string, dataSourceName string, dbName string) *Ormer
 	return a
 }

+func refineDataSourceNameForPostgres(dataSourceName string) string {
+	reg := regexp.MustCompile(`dbname=[^ ]+\s*`)
+	return reg.ReplaceAllString(dataSourceName, "")
+}
+
 func createDatabaseForPostgres(driverName string, dataSourceName string, dbName string) error {
 	if driverName == "postgres" {
-		db, err := sql.Open(driverName, dataSourceName)
+		db, err := sql.Open(driverName, refineDataSourceNameForPostgres(dataSourceName))
 		if err != nil {
 			return err
 		}
@ -119,6 +155,21 @@ func createDatabaseForPostgres(driverName string, dataSourceName string, dbName
 				return err
 			}
 		}
+		schema := util.GetValueFromDataSourceName("search_path", dataSourceName)
+		if schema != "" {
+			db, err = sql.Open(driverName, dataSourceName)
+			if err != nil {
+				return err
+			}
+			defer db.Close()
+
+			_, err = db.Exec(fmt.Sprintf("CREATE SCHEMA %s;", schema))
+			if err != nil {
+				if !strings.Contains(err.Error(), "already exists") {
+					return err
+				}
+			}
+		}

 		return nil
 	} else {
@ -151,6 +202,12 @@ func (a *Ormer) open() {
 	if err != nil {
 		panic(err)
 	}
+	if a.driverName == "postgres" {
+		schema := util.GetValueFromDataSourceName("search_path", dataSourceName)
+		if schema != "" {
+			engine.SetSchema(schema)
+		}
+	}

 	a.Engine = engine
 }
@ -229,11 +286,6 @@ func (a *Ormer) createTable() {
 		panic(err)
 	}

-	err = a.Engine.Sync2(new(Record))
-	if err != nil {
-		panic(err)
-	}
-
 	err = a.Engine.Sync2(new(Webhook))
 	if err != nil {
 		panic(err)
@ -294,76 +346,3 @@ func (a *Ormer) createTable() {
 		panic(err)
 	}
 }
-
-func GetSession(owner string, offset, limit int, field, value, sortField, sortOrder string) *xorm.Session {
-	session := ormer.Engine.Prepare()
-	if offset != -1 && limit != -1 {
-		session.Limit(limit, offset)
-	}
-	if owner != "" {
-		session = session.And("owner=?", owner)
-	}
-	if field != "" && value != "" {
-		if util.FilterField(field) {
-			session = session.And(fmt.Sprintf("%s like ?", util.SnakeString(field)), fmt.Sprintf("%%%s%%", value))
-		}
-	}
-	if sortField == "" || sortOrder == "" {
-		sortField = "created_time"
-	}
-	if sortOrder == "ascend" {
-		session = session.Asc(util.SnakeString(sortField))
-	} else {
-		session = session.Desc(util.SnakeString(sortField))
-	}
-	return session
-}
-
-func GetSessionForUser(owner string, offset, limit int, field, value, sortField, sortOrder string) *xorm.Session {
-	session := ormer.Engine.Prepare()
-	if offset != -1 && limit != -1 {
-		session.Limit(limit, offset)
-	}
-	if owner != "" {
-		if offset == -1 {
-			session = session.And("owner=?", owner)
-		} else {
-			session = session.And("a.owner=?", owner)
-		}
-	}
-	if field != "" && value != "" {
-		if util.FilterField(field) {
-			if offset != -1 {
-				field = fmt.Sprintf("a.%s", field)
-			}
-			session = session.And(fmt.Sprintf("%s like ?", util.SnakeString(field)), fmt.Sprintf("%%%s%%", value))
-		}
-	}
-	if sortField == "" || sortOrder == "" {
-		sortField = "created_time"
-	}
-
-	tableNamePrefix := conf.GetConfigString("tableNamePrefix")
-	tableName := tableNamePrefix + "user"
-	if offset == -1 {
-		if sortOrder == "ascend" {
-			session = session.Asc(util.SnakeString(sortField))
-		} else {
-			session = session.Desc(util.SnakeString(sortField))
-		}
-	} else {
-		if sortOrder == "ascend" {
-			session = session.Alias("a").
-				Join("INNER", []string{tableName, "b"}, "a.owner = b.owner and a.name = b.name").
-				Select("b.*").
-				Asc("a." + util.SnakeString(sortField))
-		} else {
-			session = session.Alias("a").
-				Join("INNER", []string{tableName, "b"}, "a.owner = b.owner and a.name = b.name").
-				Select("b.*").
-				Desc("a." + util.SnakeString(sortField))
-		}
-	}
-
-	return session
-}
--- a/object/ormer_session.go
+++ b/object/ormer_session.go
@ -0,0 +1,96 @@
+// Copyright 2023 The Casdoor Authors. All Rights Reserved.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//      http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package object
+
+import (
+	"fmt"
+
+	"github.com/casdoor/casdoor/conf"
+	"github.com/casdoor/casdoor/util"
+	"github.com/xorm-io/xorm"
+)
+
+func GetSession(owner string, offset, limit int, field, value, sortField, sortOrder string) *xorm.Session {
+	session := ormer.Engine.Prepare()
+	if offset != -1 && limit != -1 {
+		session.Limit(limit, offset)
+	}
+	if owner != "" {
+		session = session.And("owner=?", owner)
+	}
+	if field != "" && value != "" {
+		if util.FilterField(field) {
+			session = session.And(fmt.Sprintf("%s like ?", util.SnakeString(field)), fmt.Sprintf("%%%s%%", value))
+		}
+	}
+	if sortField == "" || sortOrder == "" {
+		sortField = "created_time"
+	}
+	if sortOrder == "ascend" {
+		session = session.Asc(util.SnakeString(sortField))
+	} else {
+		session = session.Desc(util.SnakeString(sortField))
+	}
+	return session
+}
+
+func GetSessionForUser(owner string, offset, limit int, field, value, sortField, sortOrder string) *xorm.Session {
+	session := ormer.Engine.Prepare()
+	if offset != -1 && limit != -1 {
+		session.Limit(limit, offset)
+	}
+	if owner != "" {
+		if offset == -1 {
+			session = session.And("owner=?", owner)
+		} else {
+			session = session.And("a.owner=?", owner)
+		}
+	}
+	if field != "" && value != "" {
+		if util.FilterField(field) {
+			if offset != -1 {
+				field = fmt.Sprintf("a.%s", field)
+			}
+			session = session.And(fmt.Sprintf("%s like ?", util.SnakeString(field)), fmt.Sprintf("%%%s%%", value))
+		}
+	}
+	if sortField == "" || sortOrder == "" {
+		sortField = "created_time"
+	}
+
+	tableNamePrefix := conf.GetConfigString("tableNamePrefix")
+	tableName := tableNamePrefix + "user"
+	if offset == -1 {
+		if sortOrder == "ascend" {
+			session = session.Asc(util.SnakeString(sortField))
+		} else {
+			session = session.Desc(util.SnakeString(sortField))
+		}
+	} else {
+		if sortOrder == "ascend" {
+			session = session.Alias("a").
+				Join("INNER", []string{tableName, "b"}, "a.owner = b.owner and a.name = b.name").
+				Select("b.*").
+				Asc("a." + util.SnakeString(sortField))
+		} else {
+			session = session.Alias("a").
+				Join("INNER", []string{tableName, "b"}, "a.owner = b.owner and a.name = b.name").
+				Select("b.*").
+				Desc("a." + util.SnakeString(sortField))
+		}
+	}
+
+	return session
+}
--- a/object/payment.go
+++ b/object/payment.go
@ -55,6 +55,7 @@ type Payment struct {
 	// Order Info
 	OutOrderId string          `xorm:"varchar(100)" json:"outOrderId"`
 	PayUrl     string          `xorm:"varchar(2000)" json:"payUrl"`
+	SuccessUrl string          `xorm:"varchar(2000)" json:"successUrl""` // `successUrl` is redirected from `payUrl` after pay success
 	State      pp.PaymentState `xorm:"varchar(100)" json:"state"`
 	Message    string          `xorm:"varchar(2000)" json:"message"`
 }
@ -152,7 +153,7 @@ func DeletePayment(payment *Payment) (bool, error) {
 	return affected != 0, nil
 }

-func notifyPayment(request *http.Request, body []byte, owner string, paymentName string, orderId string) (*Payment, *pp.NotifyResult, error) {
+func notifyPayment(request *http.Request, body []byte, owner string, paymentName string) (*Payment, *pp.NotifyResult, error) {
 	payment, err := getPayment(owner, paymentName)
 	if err != nil {
 		return nil, nil, err
@ -180,11 +181,7 @@ func notifyPayment(request *http.Request, body []byte, owner string, paymentName
 		return nil, nil, err
 	}

-	if orderId == "" {
-		orderId = payment.OutOrderId
-	}
-
-	notifyResult, err := pProvider.Notify(request, body, cert.AuthorityPublicKey, orderId)
+	notifyResult, err := pProvider.Notify(request, body, cert.AuthorityPublicKey, payment.OutOrderId)
 	if err != nil {
 		return payment, nil, err
 	}
@ -205,8 +202,8 @@ func notifyPayment(request *http.Request, body []byte, owner string, paymentName
 	return payment, notifyResult, nil
 }

-func NotifyPayment(request *http.Request, body []byte, owner string, paymentName string, orderId string) (*Payment, error) {
-	payment, notifyResult, err := notifyPayment(request, body, owner, paymentName, orderId)
+func NotifyPayment(request *http.Request, body []byte, owner string, paymentName string) (*Payment, error) {
+	payment, notifyResult, err := notifyPayment(request, body, owner, paymentName)
 	if payment != nil {
 		if err != nil {
 			payment.State = pp.PaymentStateError
--- a/object/permission.go
+++ b/object/permission.go
@ -30,6 +30,7 @@ type Permission struct {
 	Description string `xorm:"varchar(100)" json:"description"`

 	Users   []string `xorm:"mediumtext" json:"users"`
+	Groups  []string `xorm:"mediumtext" json:"groups"`
 	Roles   []string `xorm:"mediumtext" json:"roles"`
 	Domains []string `xorm:"mediumtext" json:"domains"`

@ -58,10 +59,7 @@ type PermissionRule struct {
 	Id    string `xorm:"varchar(100) index not null default ''" json:"id"`
 }

-const (
-	builtInAvailableField = 5 // Casdoor built-in adapter, use V5 to filter permission, so has 5 available field
-	builtInAdapter        = "permission_rule"
-)
+const builtInAvailableField = 5 // Casdoor built-in adapter, use V5 to filter permission, so has 5 available field

 func (p *Permission) GetId() string {
 	return util.GetId(p.Owner, p.Name)
@ -290,7 +288,7 @@ func GetPermissionsAndRolesByUser(userId string) ([]*Permission, []*Role, error)

 	for _, role := range roles {
 		perms := []*Permission{}
-		err := ormer.Engine.Where("roles like ?", "%"+role.Name+"\"%").Find(&perms)
+		err := ormer.Engine.Where("roles like ?", "%"+role.GetId()+"\"%").Find(&perms)
 		if err != nil {
 			return nil, nil, err
 		}
--- a/object/permission_enforcer.go
+++ b/object/permission_enforcer.go
@ -79,9 +79,7 @@ func (p *Permission) setEnforcerAdapter(enforcer *casbin.Enforcer) error {
 		}
 	}
 	tableNamePrefix := conf.GetConfigString("tableNamePrefix")
-	driverName := conf.GetConfigString("driverName")
-	dataSourceName := conf.GetConfigRealDataSourceName(driverName)
-	adapter, err := xormadapter.NewAdapterWithTableName(driverName, dataSourceName, tableName, tableNamePrefix, true)
+	adapter, err := xormadapter.NewAdapterByEngineWithTableName(ormer.Engine, tableName, tableNamePrefix)
 	if err != nil {
 		return err
 	}
@ -309,8 +307,7 @@ func GetAllRoles(userId string) []string {

 func GetBuiltInModel(modelText string) (model.Model, error) {
 	if modelText == "" {
-		modelText = `
-[request_definition]
+		modelText = `[request_definition]
 r = sub, obj, act

 [policy_definition]
@ -335,7 +332,7 @@ m = g(r.sub, p.sub) && r.obj == p.obj && r.act == p.act`
 		policyDefinition := strings.Split(cfg.String("policy_definition::p"), ",")
 		fieldsNum := len(policyDefinition)
 		if fieldsNum > builtInAvailableField {
-			panic(fmt.Errorf("the maximum policy_definition field number cannot exceed %d", builtInAvailableField))
+			panic(fmt.Errorf("the maximum policy_definition field number cannot exceed %d, got %d", builtInAvailableField, fieldsNum))
 		}
 		// filled empty field with "" and V5 with "permissionId"
 		for i := builtInAvailableField - fieldsNum; i > 0; i-- {
--- a/object/permission_upload.go
+++ b/object/permission_upload.go
@ -33,8 +33,8 @@ func getPermissionMap(owner string) (map[string]*Permission, error) {
 	return m, err
 }

-func UploadPermissions(owner string, fileId string) (bool, error) {
-	table := xlsx.ReadXlsxFile(fileId)
+func UploadPermissions(owner string, path string) (bool, error) {
+	table := xlsx.ReadXlsxFile(path)

 	oldUserMap, err := getPermissionMap(owner)
 	if err != nil {
--- a/object/plan.go
+++ b/object/plan.go
@ -16,6 +16,7 @@ package object

 import (
 	"fmt"
+	"time"

 	"github.com/casdoor/casdoor/util"
 	"github.com/xorm-io/core"
@ -28,15 +29,39 @@ type Plan struct {
 	DisplayName string `xorm:"varchar(100)" json:"displayName"`
 	Description string `xorm:"varchar(100)" json:"description"`

-	PricePerMonth float64 `json:"pricePerMonth"`
-	PricePerYear  float64 `json:"pricePerYear"`
-	Currency      string  `xorm:"varchar(100)" json:"currency"`
-	IsEnabled     bool    `json:"isEnabled"`
+	Price            float64  `json:"price"`
+	Currency         string   `xorm:"varchar(100)" json:"currency"`
+	Period           string   `xorm:"varchar(100)" json:"period"`
+	Product          string   `xorm:"varchar(100)" json:"product"`
+	PaymentProviders []string `xorm:"varchar(100)" json:"paymentProviders"` // payment providers for related product
+	IsEnabled        bool     `json:"isEnabled"`

 	Role    string   `xorm:"varchar(100)" json:"role"`
 	Options []string `xorm:"-" json:"options"`
 }

+const (
+	PeriodMonthly = "Monthly"
+	PeriodYearly  = "Yearly"
+)
+
+func (plan *Plan) GetId() string {
+	return fmt.Sprintf("%s/%s", plan.Owner, plan.Name)
+}
+
+func GetDuration(period string) (startTime time.Time, endTime time.Time) {
+	if period == PeriodYearly {
+		startTime = time.Now()
+		endTime = startTime.AddDate(1, 0, 0)
+	} else if period == PeriodMonthly {
+		startTime = time.Now()
+		endTime = startTime.AddDate(0, 1, 0)
+	} else {
+		panic(fmt.Sprintf("invalid period: %s", period))
+	}
+	return
+}
+
 func GetPlanCount(owner, field, value string) (int64, error) {
 	session := GetSession(owner, -1, -1, field, value, "", "")
 	return session.Count(&Plan{})
@ -114,38 +139,3 @@ func DeletePlan(plan *Plan) (bool, error) {
 	}
 	return affected != 0, nil
 }
-
-func (plan *Plan) GetId() string {
-	return fmt.Sprintf("%s/%s", plan.Owner, plan.Name)
-}
-
-func Subscribe(owner string, user string, plan string, pricing string) (*Subscription, error) {
-	selectedPricing, err := GetPricing(fmt.Sprintf("%s/%s", owner, pricing))
-	if err != nil {
-		return nil, err
-	}
-
-	valid := selectedPricing != nil && selectedPricing.IsEnabled
-
-	if !valid {
-		return nil, nil
-	}
-
-	planBelongToPricing, err := selectedPricing.HasPlan(owner, plan)
-	if err != nil {
-		return nil, err
-	}
-
-	if planBelongToPricing {
-		newSubscription := NewSubscription(owner, user, plan, selectedPricing.TrialDuration)
-		affected, err := AddSubscription(newSubscription)
-		if err != nil {
-			return nil, err
-		}
-
-		if affected {
-			return newSubscription, nil
-		}
-	}
-	return nil, nil
-}
--- a/object/pricing.go
+++ b/object/pricing.go
@ -16,7 +16,6 @@ package object

 import (
 	"fmt"
-	"strings"

 	"github.com/casdoor/casdoor/util"
 	"github.com/xorm-io/core"
@ -33,12 +32,26 @@ type Pricing struct {
 	IsEnabled     bool     `json:"isEnabled"`
 	TrialDuration int      `json:"trialDuration"`
 	Application   string   `xorm:"varchar(100)" json:"application"`
+}

-	Submitter   string `xorm:"varchar(100)" json:"submitter"`
-	Approver    string `xorm:"varchar(100)" json:"approver"`
-	ApproveTime string `xorm:"varchar(100)" json:"approveTime"`
+func (pricing *Pricing) GetId() string {
+	return fmt.Sprintf("%s/%s", pricing.Owner, pricing.Name)
+}

-	State string `xorm:"varchar(100)" json:"state"`
+func (pricing *Pricing) HasPlan(planName string) (bool, error) {
+	planId := util.GetId(pricing.Owner, planName)
+	plan, err := GetPlan(planId)
+	if err != nil {
+		return false, err
+	}
+	if plan == nil {
+		return false, fmt.Errorf("plan: %s does not exist", planId)
+	}
+
+	if util.InSlice(pricing.Plans, plan.Name) {
+		return true, nil
+	}
+	return false, nil
 }

 func GetPricingCount(owner, field, value string) (int64, error) {
@ -74,7 +87,7 @@ func getPricing(owner, name string) (*Pricing, error) {
 	pricing := Pricing{Owner: owner, Name: name}
 	existed, err := ormer.Engine.Get(&pricing)
 	if err != nil {
-		return &pricing, err
+		return nil, err
 	}
 	if existed {
 		return &pricing, nil
@ -88,6 +101,20 @@ func GetPricing(id string) (*Pricing, error) {
 	return getPricing(owner, name)
 }

+func GetApplicationDefaultPricing(owner, appName string) (*Pricing, error) {
+	pricings := make([]*Pricing, 0, 1)
+	err := ormer.Engine.Asc("created_time").Find(&pricings, &Pricing{Owner: owner, Application: appName})
+	if err != nil {
+		return nil, err
+	}
+	for _, pricing := range pricings {
+		if pricing.IsEnabled {
+			return pricing, nil
+		}
+	}
+	return nil, nil
+}
+
 func UpdatePricing(id string, pricing *Pricing) (bool, error) {
 	owner, name := util.GetOwnerAndNameFromId(id)
 	if p, err := getPricing(owner, name); err != nil {
@ -120,28 +147,21 @@ func DeletePricing(pricing *Pricing) (bool, error) {
 	return affected != 0, nil
 }

-func (pricing *Pricing) GetId() string {
-	return fmt.Sprintf("%s/%s", pricing.Owner, pricing.Name)
-}
-
-func (pricing *Pricing) HasPlan(owner string, plan string) (bool, error) {
-	selectedPlan, err := GetPlan(fmt.Sprintf("%s/%s", owner, plan))
-	if err != nil {
-		return false, err
-	}
-
-	if selectedPlan == nil {
-		return false, nil
-	}
-
-	result := false
-
-	for _, pricingPlan := range pricing.Plans {
-		if strings.Contains(pricingPlan, selectedPlan.Name) {
-			result = true
-			break
+func CheckPricingAndPlan(owner, pricingName, planName string) error {
+	pricingId := util.GetId(owner, pricingName)
+	pricing, err := GetPricing(pricingId)
+	if pricing == nil || err != nil {
+		if pricing == nil && err == nil {
+			err = fmt.Errorf("pricing: %s does not exist", pricingName)
 		}
+		return err
 	}
-
-	return result, nil
+	ok, err := pricing.HasPlan(planName)
+	if err != nil {
+		return err
+	}
+	if !ok {
+		return fmt.Errorf("pricing: %s does not have plan: %s", pricingName, planName)
+	}
+	return nil
 }
--- a/object/product.go
+++ b/object/product.go
@ -37,7 +37,7 @@ type Product struct {
 	Price       float64  `json:"price"`
 	Quantity    int      `json:"quantity"`
 	Sold        int      `json:"sold"`
-	Providers   []string `xorm:"varchar(100)" json:"providers"`
+	Providers   []string `xorm:"varchar(255)" json:"providers"`
 	ReturnUrl   string   `xorm:"varchar(1000)" json:"returnUrl"`

 	State string `xorm:"varchar(100)" json:"state"`
@ -141,59 +141,76 @@ func (product *Product) isValidProvider(provider *Provider) bool {
 	return false
 }

-func (product *Product) getProvider(providerId string) (*Provider, error) {
-	provider, err := getProvider(product.Owner, providerId)
+func (product *Product) getProvider(providerName string) (*Provider, error) {
+	provider, err := getProvider(product.Owner, providerName)
 	if err != nil {
 		return nil, err
 	}

 	if provider == nil {
-		return nil, fmt.Errorf("the payment provider: %s does not exist", providerId)
+		return nil, fmt.Errorf("the payment provider: %s does not exist", providerName)
 	}

 	if !product.isValidProvider(provider) {
-		return nil, fmt.Errorf("the payment provider: %s is not valid for the product: %s", providerId, product.Name)
+		return nil, fmt.Errorf("the payment provider: %s is not valid for the product: %s", providerName, product.Name)
 	}

 	return provider, nil
 }

-func BuyProduct(id string, providerName string, user *User, host string) (string, string, error) {
+func BuyProduct(id string, user *User, providerName, pricingName, planName, host string) (*Payment, error) {
 	product, err := GetProduct(id)
 	if err != nil {
-		return "", "", err
+		return nil, err
 	}
-
 	if product == nil {
-		return "", "", fmt.Errorf("the product: %s does not exist", id)
+		return nil, fmt.Errorf("the product: %s does not exist", id)
 	}

 	provider, err := product.getProvider(providerName)
 	if err != nil {
-		return "", "", err
+		return nil, err
 	}

 	pProvider, _, err := provider.getPaymentProvider()
 	if err != nil {
-		return "", "", err
+		return nil, err
 	}

 	owner := product.Owner
 	productName := product.Name
 	payerName := fmt.Sprintf("%s | %s", user.Name, user.DisplayName)
-	paymentName := util.GenerateTimeId()
+	paymentName := fmt.Sprintf("payment_%v", util.GenerateTimeId())
 	productDisplayName := product.DisplayName

 	originFrontend, originBackend := getOriginFromHost(host)
 	returnUrl := fmt.Sprintf("%s/payments/%s/%s/result", originFrontend, owner, paymentName)
 	notifyUrl := fmt.Sprintf("%s/api/notify-payment/%s/%s", originBackend, owner, paymentName)
-	// Create an Order and get the payUrl
+	if user.Type == "paid-user" {
+		// Create a subscription for `paid-user`
+		if pricingName != "" && planName != "" {
+			plan, err := GetPlan(util.GetId(owner, planName))
+			if err != nil {
+				return nil, err
+			}
+			if plan == nil {
+				return nil, fmt.Errorf("the plan: %s does not exist", planName)
+			}
+			sub := NewSubscription(owner, user.Name, plan.Name, paymentName, plan.Period)
+			_, err = AddSubscription(sub)
+			if err != nil {
+				return nil, err
+			}
+			returnUrl = fmt.Sprintf("%s/buy-plan/%s/%s/result?subscription=%s", originFrontend, owner, pricingName, sub.Name)
+		}
+	}
+	// Create an OrderId and get the payUrl
 	payUrl, orderId, err := pProvider.Pay(providerName, productName, payerName, paymentName, productDisplayName, product.Price, product.Currency, returnUrl, notifyUrl)
 	if err != nil {
-		return "", "", err
+		return nil, err
 	}
 	// Create a Payment linked with Product and Order
-	payment := Payment{
+	payment := &Payment{
 		Owner:       product.Owner,
 		Name:        paymentName,
 		CreatedTime: util.GetCurrentTime(),
@ -212,6 +229,7 @@ func BuyProduct(id string, providerName string, user *User, host string) (string

 		User:       user.Name,
 		PayUrl:     payUrl,
+		SuccessUrl: returnUrl,
 		State:      pp.PaymentStateCreated,
 		OutOrderId: orderId,
 	}
@ -220,16 +238,15 @@ func BuyProduct(id string, providerName string, user *User, host string) (string
 		payment.State = pp.PaymentStatePaid
 	}

-	affected, err := AddPayment(&payment)
+	affected, err := AddPayment(payment)
 	if err != nil {
-		return "", "", err
+		return nil, err
 	}

 	if !affected {
-		return "", "", fmt.Errorf("failed to add payment: %s", util.StructToJson(payment))
+		return nil, fmt.Errorf("failed to add payment: %s", util.StructToJson(payment))
 	}
-
-	return payUrl, orderId, err
+	return payment, err
 }

 func ExtendProductWithProviders(product *Product) error {
@ -252,3 +269,38 @@ func ExtendProductWithProviders(product *Product) error {

 	return nil
 }
+
+func CreateProductForPlan(plan *Plan) *Product {
+	product := &Product{
+		Owner:       plan.Owner,
+		Name:        fmt.Sprintf("product_%v", util.GetRandomName()),
+		DisplayName: fmt.Sprintf("Product for Plan %v/%v/%v", plan.Name, plan.DisplayName, plan.Period),
+		CreatedTime: plan.CreatedTime,
+
+		Image:       "https://cdn.casbin.org/img/casdoor-logo_1185x256.png", // TODO
+		Detail:      fmt.Sprintf("This product was auto created for plan %v(%v), subscription period is %v", plan.Name, plan.DisplayName, plan.Period),
+		Description: plan.Description,
+		Tag:         "auto_created_product_for_plan",
+		Price:       plan.Price,
+		Currency:    plan.Currency,
+
+		Quantity: 999,
+		Sold:     0,
+
+		Providers: plan.PaymentProviders,
+		State:     "Published",
+	}
+	if product.Providers == nil {
+		product.Providers = []string{}
+	}
+	return product
+}
+
+func UpdateProductForPlan(plan *Plan, product *Product) {
+	product.Owner = plan.Owner
+	product.DisplayName = fmt.Sprintf("Product for Plan %v/%v/%v", plan.Name, plan.DisplayName, plan.Period)
+	product.Detail = fmt.Sprintf("This product was auto created for plan %v(%v), subscription period is %v", plan.Name, plan.DisplayName, plan.Period)
+	product.Price = plan.Price
+	product.Currency = plan.Currency
+	product.Providers = plan.PaymentProviders
+}
--- a/object/provider.go
+++ b/object/provider.go
@ -36,7 +36,7 @@ type Provider struct {
 	Type              string            `xorm:"varchar(100)" json:"type"`
 	SubType           string            `xorm:"varchar(100)" json:"subType"`
 	Method            string            `xorm:"varchar(100)" json:"method"`
-	ClientId          string            `xorm:"varchar(100)" json:"clientId"`
+	ClientId          string            `xorm:"varchar(200)" json:"clientId"`
 	ClientSecret      string            `xorm:"varchar(2000)" json:"clientSecret"`
 	ClientId2         string            `xorm:"varchar(100)" json:"clientId2"`
 	ClientSecret2     string            `xorm:"varchar(100)" json:"clientSecret2"`
@ -203,7 +203,7 @@ func UpdateProvider(id string, provider *Provider) (bool, error) {
 	if name != provider.Name {
 		err := providerChangeTrigger(name, provider.Name)
 		if err != nil {
-			return false, nil
+			return false, err
 		}
 	}

@ -254,7 +254,8 @@ func DeleteProvider(provider *Provider) (bool, error) {
 func (p *Provider) getPaymentProvider() (pp.PaymentProvider, *Cert, error) {
 	cert := &Cert{}
 	if p.Cert != "" {
-		cert, err := getCert(p.Owner, p.Cert)
+		var err error
+		cert, err = getCert(p.Owner, p.Cert)
 		if err != nil {
 			return nil, nil, err
 		}
--- a/object/record.go
+++ b/object/record.go
@ -21,6 +21,7 @@ import (
 	"github.com/beego/beego/context"
 	"github.com/casdoor/casdoor/conf"
 	"github.com/casdoor/casdoor/util"
+	"github.com/casvisor/casvisor-go-sdk/casvisorsdk"
 )

 var logPostOnly bool
@ -30,26 +31,10 @@ func init() {
 }

 type Record struct {
-	Id int `xorm:"int notnull pk autoincr" json:"id"`
-
-	Owner       string `xorm:"varchar(100) index" json:"owner"`
-	Name        string `xorm:"varchar(100) index" json:"name"`
-	CreatedTime string `xorm:"varchar(100)" json:"createdTime"`
-
-	Organization string `xorm:"varchar(100)" json:"organization"`
-	ClientIp     string `xorm:"varchar(100)" json:"clientIp"`
-	User         string `xorm:"varchar(100)" json:"user"`
-	Method       string `xorm:"varchar(100)" json:"method"`
-	RequestUri   string `xorm:"varchar(1000)" json:"requestUri"`
-	Action       string `xorm:"varchar(1000)" json:"action"`
-
-	Object       string `xorm:"-" json:"object"`
-	ExtendedUser *User  `xorm:"-" json:"extendedUser"`
-
-	IsTriggered bool `json:"isTriggered"`
+	casvisorsdk.Record
 }

-func NewRecord(ctx *context.Context) *Record {
+func NewRecord(ctx *context.Context) *casvisorsdk.Record {
 	ip := strings.Replace(util.GetIPFromRequest(ctx.Request), ": ", "", -1)
 	action := strings.Replace(ctx.Request.URL.Path, "/api/", "", -1)
 	requestUri := util.FilterQuery(ctx.Request.RequestURI, []string{"accessToken"})
@ -62,7 +47,7 @@ func NewRecord(ctx *context.Context) *Record {
 		object = string(ctx.Input.RequestBody)
 	}

-	record := Record{
+	record := casvisorsdk.Record{
 		Name:        util.GenerateId(),
 		CreatedTime: util.GetCurrentTime(),
 		ClientIp:    ip,
@ -76,7 +61,7 @@ func NewRecord(ctx *context.Context) *Record {
 	return &record
 }

-func AddRecord(record *Record) bool {
+func AddRecord(record *casvisorsdk.Record) bool {
 	if logPostOnly {
 		if record.Method == "GET" {
 			return false
@ -96,51 +81,19 @@ func AddRecord(record *Record) bool {
 		fmt.Println(errWebhook)
 	}

-	affected, err := ormer.Engine.Insert(record)
+	if casvisorsdk.GetClient() == nil {
+		return false
+	}
+
+	affected, err := casvisorsdk.AddRecord(record)
 	if err != nil {
 		panic(err)
 	}

-	return affected != 0
+	return affected
 }

-func GetRecordCount(field, value string, filterRecord *Record) (int64, error) {
-	session := GetSession("", -1, -1, field, value, "", "")
-	return session.Count(filterRecord)
-}
-
-func GetRecords() ([]*Record, error) {
-	records := []*Record{}
-	err := ormer.Engine.Desc("id").Find(&records)
-	if err != nil {
-		return records, err
-	}
-
-	return records, nil
-}
-
-func GetPaginationRecords(offset, limit int, field, value, sortField, sortOrder string, filterRecord *Record) ([]*Record, error) {
-	records := []*Record{}
-	session := GetSession("", offset, limit, field, value, sortField, sortOrder)
-	err := session.Find(&records, filterRecord)
-	if err != nil {
-		return records, err
-	}
-
-	return records, nil
-}
-
-func GetRecordsByField(record *Record) ([]*Record, error) {
-	records := []*Record{}
-	err := ormer.Engine.Find(&records, record)
-	if err != nil {
-		return records, err
-	}
-
-	return records, nil
-}
-
-func SendWebhooks(record *Record) error {
+func SendWebhooks(record *casvisorsdk.Record) error {
 	webhooks, err := getWebhooksByOrganization(record.Organization)
 	if err != nil {
 		return err
@ -160,17 +113,16 @@ func SendWebhooks(record *Record) error {
 		}

 		if matched {
+			var user *User
 			if webhook.IsUserExtended {
-				user, err := getUser(record.Organization, record.User)
+				user, err = getUser(record.Organization, record.User)
 				user, err = GetMaskedUser(user, false, err)
 				if err != nil {
 					return err
 				}
-
-				record.ExtendedUser = user
 			}

-			err := sendWebhook(webhook, record)
+			err = sendWebhook(webhook, record, user)
 			if err != nil {
 				return err
 			}
--- a/object/record_casvisor.go
+++ b/object/record_casvisor.go
@ -0,0 +1,50 @@
+// Copyright 2023 The Casdoor Authors. All Rights Reserved.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//      http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package object
+
+import (
+	"strings"
+
+	"github.com/casvisor/casvisor-go-sdk/casvisorsdk"
+)
+
+func getCasvisorApplication() *Application {
+	applications, err := GetApplications("admin")
+	if err != nil {
+		panic(err)
+	}
+
+	for _, application := range applications {
+		if strings.Contains(strings.ToLower(application.Name), "casvisor") {
+			return application
+		}
+	}
+	return nil
+}
+
+func InitCasvisorConfig() {
+	application := getCasvisorApplication()
+	if application == nil {
+		return
+	}
+
+	casvisorEndpoint := application.HomepageUrl
+	clientId := application.ClientId
+	clientSecret := application.ClientSecret
+	casdoorOrganization := application.Organization
+	casdoorApplication := application.Name
+
+	casvisorsdk.InitConfig(casvisorEndpoint, clientId, clientSecret, casdoorOrganization, casdoorApplication)
+}
--- a/object/role.go
+++ b/object/role.go
@ -133,7 +133,7 @@ func UpdateRole(id string, role *Role) (bool, error) {
 	if name != role.Name {
 		err := roleChangeTrigger(name, role.Name)
 		if err != nil {
-			return false, nil
+			return false, err
 		}
 	}

--- a/object/role_upload.go
+++ b/object/role_upload.go
@ -33,8 +33,8 @@ func getRoleMap(owner string) (map[string]*Role, error) {
 	return m, nil
 }

-func UploadRoles(owner string, fileId string) (bool, error) {
-	table := xlsx.ReadXlsxFile(fileId)
+func UploadRoles(owner string, path string) (bool, error) {
+	table := xlsx.ReadXlsxFile(path)

 	oldUserMap, err := getRoleMap(owner)
 	if err != nil {
--- a/object/saml_idp.go
+++ b/object/saml_idp.go
@ -31,8 +31,8 @@ import (
 	"github.com/RobotsAndPencils/go-saml"
 	"github.com/beevik/etree"
 	"github.com/golang-jwt/jwt/v4"
+	"github.com/google/uuid"
 	dsig "github.com/russellhaering/goxmldsig"
-	uuid "github.com/satori/go.uuid"
 )

 // NewSamlResponse
@ -46,7 +46,7 @@ func NewSamlResponse(user *User, host string, certificate string, destination st
 	expireTime := time.Now().UTC().Add(time.Hour * 24).Format(time.RFC3339)
 	samlResponse.CreateAttr("xmlns:samlp", "urn:oasis:names:tc:SAML:2.0:protocol")
 	samlResponse.CreateAttr("xmlns:saml", "urn:oasis:names:tc:SAML:2.0:assertion")
-	arId := uuid.NewV4()
+	arId := uuid.New()

 	samlResponse.CreateAttr("ID", fmt.Sprintf("_%s", arId))
 	samlResponse.CreateAttr("Version", "2.0")
@ -60,7 +60,7 @@ func NewSamlResponse(user *User, host string, certificate string, destination st
 	assertion := samlResponse.CreateElement("saml:Assertion")
 	assertion.CreateAttr("xmlns:xsi", "http://www.w3.org/2001/XMLSchema-instance")
 	assertion.CreateAttr("xmlns:xs", "http://www.w3.org/2001/XMLSchema")
-	assertion.CreateAttr("ID", fmt.Sprintf("_%s", uuid.NewV4()))
+	assertion.CreateAttr("ID", fmt.Sprintf("_%s", uuid.New()))
 	assertion.CreateAttr("Version", "2.0")
 	assertion.CreateAttr("IssueInstant", now)
 	assertion.CreateElement("saml:Issuer").SetText(host)
@ -82,7 +82,7 @@ func NewSamlResponse(user *User, host string, certificate string, destination st
 	}
 	authnStatement := assertion.CreateElement("saml:AuthnStatement")
 	authnStatement.CreateAttr("AuthnInstant", now)
-	authnStatement.CreateAttr("SessionIndex", fmt.Sprintf("_%s", uuid.NewV4()))
+	authnStatement.CreateAttr("SessionIndex", fmt.Sprintf("_%s", uuid.New()))
 	authnStatement.CreateAttr("SessionNotOnOrAfter", expireTime)
 	authnStatement.CreateElement("saml:AuthnContext").CreateElement("saml:AuthnContextClassRef").SetText("urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport")

@ -355,7 +355,7 @@ func NewSamlResponse11(user *User, requestID string, host string) *etree.Element
 	samlResponse.CreateAttr("MajorVersion", "1")
 	samlResponse.CreateAttr("MinorVersion", "1")

-	responseID := uuid.NewV4()
+	responseID := uuid.New()
 	samlResponse.CreateAttr("ResponseID", fmt.Sprintf("_%s", responseID))
 	samlResponse.CreateAttr("InResponseTo", requestID)

@ -371,7 +371,7 @@ func NewSamlResponse11(user *User, requestID string, host string) *etree.Element
 	assertion.CreateAttr("xmlns:saml", "urn:oasis:names:tc:SAML:1.0:assertion")
 	assertion.CreateAttr("MajorVersion", "1")
 	assertion.CreateAttr("MinorVersion", "1")
-	assertion.CreateAttr("AssertionID", uuid.NewV4().String())
+	assertion.CreateAttr("AssertionID", uuid.New().String())
 	assertion.CreateAttr("Issuer", host)
 	assertion.CreateAttr("IssueInstant", now)

--- a/Show More
+++ b/Show More
Author	SHA1	Message	Date
haiwu	d12088e8e7	feat: fix bug in pricing when signup by phone (#2316 ) * fix: fix bug in pricing * fix: remove log	2023-09-08 21:03:30 +08:00
Yang Luo	c62588f9bc	Add EmailVerified to UserInfo	2023-09-08 18:27:14 +08:00
haiwu	16cd09d175	feat: support wechat pay (#2312 ) * feat: support wechat pay * feat: support wechat pay * feat: update wechatpay.go * feat: add router /qrcode	2023-09-07 15:45:54 +08:00
Yang Luo	7318ee6e3a	Improve LocalFileSystemProvider's error handling	2023-09-07 10:49:39 +08:00
Yang Luo	3459ef1479	Improve termsOfUse UI and error handling	2023-09-07 10:33:20 +08:00
UsherFall	ca6b27f922	feat: fix notification provider frontend bug and twitter error (#2310 )	2023-09-06 23:41:34 +08:00
Yang Luo	e528e8883b	Add "localhost" to IsRedirectUriValid()	2023-09-06 21:14:58 +08:00
Yang Luo	b7cd604e56	Mask user in GenerateCasToken()	2023-09-06 18:36:55 +08:00
Yang Luo	3c2fd574a6	Refactor GenerateCasToken()	2023-09-06 18:35:13 +08:00
Yang Luo	a9de7d3aef	Add groups to permission	2023-09-06 00:10:33 +08:00
Yang Luo	9820801634	Make Product's Providers longer (255)	2023-09-05 20:24:24 +08:00
UsherFall	c6e422c3a8	feat: add multiple notification providers (#2302 ) * feat: support dingtalk notification provider * feat: support lark notification provider * feat: support microsoft teams notification provider * feat: support bark notification provider * feat: support pushover notification provider * feat: support pushbullet notification provider * feat: support slack notification provider * feat: support webpush notification provider * fix go-test error * update notify repository * feat: support discord notification provider * feat: support google chat notification provider * feat: support Line notification provider * feat: support matrix notification provider * feat: support twitter notification provider * fix lint * add no proxy provider * update setting.js * update social_teams	2023-09-05 17:05:34 +08:00
UsherFall	bc8e9cfd64	feat: storage provider's domain initial value bug (#2303 )	2023-09-05 14:53:32 +08:00
Yang Luo	c1eae9fcd8	Fix TotpMfa's Verify()	2023-09-04 19:21:26 +08:00
YunShu	6dae6e4954	docs: fix all dead links (#2297 ) https://github.com/Selflocking/linkchecker/actions/runs/6058177987	2023-09-03 21:19:23 +08:00
YunShu	559a91e8ee	feat: fix bug that failed to set password after changing username (#2296 ) * fix: failed to set password after changing username When we add a new member to an organization using Casdoor, Casdoor will automatically generate a member with a random username, such as "user_qvducc". When we change the username, for example, to "yunshu", an issue arises where we are unable to successfully edit the password. This is because Casdoor searches for a user based on `owner/username`, and before any changes are saved, the username in the database remains "user_qvducc". However, the frontend uses `orgName/yunshu` instead of `orgName/user_qvducc` to send the request to change the password. As a result, the backend cannot find the user and the password change fails. * Update user.go --------- Co-authored-by: hsluoyz <hsluoyz@qq.com>	2023-09-03 00:04:48 +08:00
Yang Luo	b0aaf09ef1	Add 7 new i18n languages	2023-09-02 18:49:43 +08:00
Yang Luo	7e2f67c49a	Fix i18n error	2023-09-02 18:33:19 +08:00
Yang Luo	e584a6a111	Support using "?allowEmpty=1" to bypass empty displayName check in update-user API	2023-09-02 11:59:07 +08:00
YunShu	6700d2e244	fix: show error when frontend HTML entry does not exist (#2289 ) * fix: add response when web file not found The error flow is as follows: Assuming my directory structure is as follows: ```tree ├── GitHub │ ├── casdoor # code repository ├── casdoor # compiled binary file ``` Execute the program in the `GitHub` directory: ```bash ./casdoor/casdoor ``` The working directory at this time is `GitHub`. According to the code: ```go func StaticFilter(ctx context.Context) { urlPath := ctx.Request.URL.Path /// omitted path := "web/build" if urlPath == "/" { path += "/index.html" } else { path += urlPath } if !util.FileExist(path) { path = "web/build/index.html" } if !util.FileExist(path) { return } /// omitted } ``` If the user accesses `/`, according to this code, the returned value is actually `web/build/index.html`. But the current directory is GitHub, and there is no `web/build/index.html` file. According to the following code, it will directly return: ```go if !util.FileExist(path) { return } ``` Then in `main.go`: ```go beego.InsertFilter("", beego.BeforeRouter, routers.StaticFilter) beego.InsertFilter("", beego.BeforeRouter, routers.AutoSigninFilter) beego.InsertFilter("", beego.BeforeRouter, routers.CorsFilter) beego.InsertFilter("", beego.BeforeRouter, routers.ApiFilter) beego.InsertFilter("", beego.BeforeRouter, routers.PrometheusFilter) beego.InsertFilter("", beego.BeforeRouter, routers.RecordMessage) ``` The introduction of `beego.InsertFilter` is as follows: ``` func InsertFilter(pattern string, pos int, filter FilterFunc, params ...bool) App InsertFilter adds a FilterFunc with pattern condition and action constant. The pos means action constant including beego.BeforeStatic, beego.BeforeRouter, beego.BeforeExec, beego.AfterExec and beego.FinishRouter. The bool params is for setting the returnOnOutput value (false allows multiple filters to execute) ``` When the `params` parameter is `false`, it runs multiple filters. The default is `true`. So normally, if ```go beego.InsertFilter("", beego.BeforeRouter, routers.StaticFilter) ``` response something, the following filters will not be executed. But because the file does not exist, the function directly returns, causing the subsequent filters to continue executing. When it reaches ```go beego.InsertFilter("", beego.BeforeRouter, routers.ApiFilter) ``` it will start to check permissions: ``` subOwner = anonymous, subName = anonymous, method = GET, urlPath = /login, obj.Owner = , obj.Name = , result = deny ``` Then it will report this error: ```json { "status": "error", "msg": "Unauthorized operation", "data": null, "data2": null } ``` The solution should be: ```go func StaticFilter(ctx context.Context) { urlPath := ctx.Request.URL.Path /// omitted path := "web/build" if urlPath == "/" { path += "/index.html" } else { path += urlPath } if !util.FileExist(path) { // todo: response error: page not found return } /// omitted } ``` Update static_filter.go --------- Co-authored-by: hsluoyz <hsluoyz@qq.com>	2023-09-02 00:06:04 +08:00
Cattī Crūdēlēs	0c5c308071	fix: sendCasAuthenticationResponseErr when pgtUrlObj if not valid url (#2287 ) * fix: sendCasAuthenticationResponseErr when pgtUrlObj if not valid url check pgtUrlObj.Scheme first will cause panic if url.Parse returns error. * Update cas.go --------- Co-authored-by: hsluoyz <hsluoyz@qq.com>	2023-09-01 22:26:57 +08:00
Yang Luo	0b859197da	Fix CAS "/proxyValidate" API	2023-09-01 21:47:26 +08:00
Yang Luo	3078409343	Add CertPublicKey to Application	2023-09-01 21:16:51 +08:00
Tower He	bbf2db2e00	feat: support to use a different db schema for pg (#2281 )	2023-09-01 18:02:13 +08:00
Yang Luo	0c7b911ce7	Fix enforcer edit page logic	2023-09-01 01:30:50 +08:00
Yang Luo	2cc55715ac	Add app.conf existence check	2023-09-01 01:25:45 +08:00
Yang Luo	c829bf1769	Fix DummyPaymentProvider's return URL	2023-09-01 01:25:15 +08:00
Yang Luo	ec956c12ca	Fix Email duplicated issue in update-user	2023-08-31 23:44:40 +08:00
Tower He	d3d4646c56	feat: fix can not create db when using pg with a dbname in DSN (#2280 ) * fix: can not create db when using pg with a dbname in DSN * Update ormer.go --------- Co-authored-by: hsluoyz <hsluoyz@qq.com>	2023-08-31 18:05:38 +08:00
Yang Luo	669ac7c618	Don't encrypt user pass when user.PasswordType is non-empty when adding users	2023-08-31 17:49:36 +08:00
Yang Luo	6715efd781	Fix enforcer edit page	2023-08-31 17:32:36 +08:00
haiwu	953be4a7b6	feat: support subscription periods (yearly/monthly) (#2265 ) * feat: support year/month subscription * feat: add GetPrice() for plan * feat: add GetDuration * feat: gofumpt * feat: add subscription mode for pricing * feat: restrict auto create product operation * fix: format code * feat: add period for plan,remove period from pricing * feat: format code * feat: remove space * feat: remove period in signup page	2023-08-30 17:13:45 +08:00
Yang Luo	943cc43427	Fix payment list and product edit actions	2023-08-28 21:01:23 +08:00
Yang Luo	1e5ce7a045	Fix crash in syncUsersNoError()	2023-08-28 01:51:06 +08:00
Baihhh	7a85b74573	fix: fix tour disabled state (#2264 ) * fix: distinguish between pages that can tour or not * Update OpenTour.js --------- Co-authored-by: hsluoyz <hsluoyz@qq.com>	2023-08-27 23:18:14 +08:00
Yang Luo	7e349c1768	feat: fix crash bug in getSteps()	2023-08-27 21:58:58 +08:00
Baihhh	b19be2df88	fix: change the id to key in syncer (#2263 )	2023-08-27 20:57:27 +08:00
Yang Luo	fc3866db1c	Use XORM grammar in syncer	2023-08-27 18:15:23 +08:00
Yang Luo	bf2bb31e41	Add sslMode for syncer	2023-08-27 17:07:19 +08:00
Baihhh	ec8bd6f01d	feat: add tour for list pages (#2243 )	2023-08-27 16:40:31 +08:00
Yang Luo	98722fd681	Fix crash in app list page for normal user	2023-08-27 11:31:48 +08:00
Yang Luo	221c55aa93	Fix yarn build cmd	2023-08-27 11:17:18 +08:00
Yang Luo	988b26b3c2	Return error for RunSyncer()	2023-08-27 02:22:37 +08:00
Yang Luo	7e3c361ce7	Add all webhook events	2023-08-26 23:50:24 +08:00
Yang Luo	a637707e77	Fix null bug in IsAdminOrSelf()	2023-08-26 10:39:46 +08:00
Yaodong Yu	7970edeaa7	feat: password and invitation code verification rules (#2258 )	2023-08-25 21:16:21 +08:00
haiwu	9da2f0775f	fix: fix bug in Pricing (#2255 )	2023-08-25 19:27:46 +08:00
Yang Luo	739a9bcd0d	feat: add CasvisorUrl	2023-08-25 11:56:12 +08:00
Yang Luo	fb0949b9ed	Fix docker cannot get version bug	2023-08-25 11:49:47 +08:00
Yang Luo	27ed901167	Restrict sysinfo page to global admin	2023-08-25 11:20:11 +08:00
Yang Luo	ceab662b88	Remove dup swagger page	2023-08-25 11:09:59 +08:00
haiwu	05b2f00057	feat: support Pricings flow (#2250 ) * feat: fix price display * feat: support subscription * feat: fix select-plan-> signup -> buy-plan -> login flow * feat: support paid-user to login and jump to the pricing page * feat: support more subscription state * feat: add payment providers for plan * feat: format code * feat: gofumpt * feat: redirect to buy-plan-result page when user have pending subscription * feat: response err when pricing don't exit * Update PricingListPage.js * Update ProductBuyPage.js * Update LoginPage.js --------- Co-authored-by: hsluoyz <hsluoyz@qq.com>	2023-08-24 23:20:50 +08:00
Yang Luo	8073dfa88c	Remove tmpFiles folder usage	2023-08-24 22:03:36 +08:00
Yang Luo	1eeeb64a0c	Add checkModel() for UserGroupEnforcer	2023-08-24 18:22:23 +08:00
Yaodong Yu	f5e0461cae	feat: add invitation code for signup feature (#2249 ) * feat: add invitation code for signup feature * feat: add invitation code for signup feature	2023-08-24 13:42:17 +08:00
Andrey	a0c5eb241f	feat: add fields to syncer (PreferredMfaType, TotpSecret, SignupApplication) #2239 (#2245 )	2023-08-23 21:40:00 +08:00
Lars Lehtonen	4d8edcc446	fix: dropped controllers err (#2244 ) Signed-off-by: Lars Lehtonen <lars.lehtonen@gmail.com>	2023-08-23 21:37:51 +08:00
Yaodong Yu	2b23c04f49	fix: add SignupApplication and type for user synced from LDAP (#2240 )	2023-08-21 22:52:35 +08:00
Cattī Crūdēlēs	e60ee52d91	feat: replace satori/go.uuid with google/uuid (#2238 )	2023-08-21 13:58:15 +08:00
UsherFall	c54b54ca19	fix: Adjust custom http to notification provider (#2237 ) * feat: Adjust custom http to notification provider * fix go linter * update ProviderEditPage * update ProviderEditPage	2023-08-20 21:04:30 +08:00
Yaodong Yu	f0e097e138	feat: fix home page (#2236 ) * fix: home page * fix: home page	2023-08-20 00:58:39 +08:00
Yang Luo	25ec1bdfa8	Fix bug in getUserOrganization()	2023-08-20 00:53:51 +08:00
Yang Luo	ea7718d7b7	Use Casvisor for records	2023-08-20 00:44:01 +08:00
Yang Luo	463fa8b636	Add ormer_session.go	2023-08-19 18:41:08 +08:00
Yang Luo	11895902f4	Move getCreateDatabaseFlag() to ormer	2023-08-19 16:44:34 +08:00
Yang Luo	15269d3315	Refactor out conf_quota.go	2023-08-19 16:39:21 +08:00
Yang Luo	4468859795	Improve sendTest msg	2023-08-19 12:47:51 +08:00
UsherFall	914128a78a	fix: Support Telegram Notification provider (#2225 ) * fear: support telegram provider * fix: fix telegram logo * fix: fix telegram bot package * Update telegram.go * Update notification.go --------- Co-authored-by: hsluoyz <hsluoyz@qq.com>	2023-08-19 12:33:00 +08:00
Yaodong Yu	e5a189e0f4	fix: remove isGlobalAdmin field in user (#2235 ) * refactor: remove isGlobalAdmin field in user * fix: upload xlsx * fix: remove field in account table	2023-08-19 12:23:15 +08:00
Yang Luo	a07216d0e1	Improve contentType parsing in downloadImage()	2023-08-19 02:35:45 +08:00
haiwu	fec54944dd	feat: fix CAS login bug (#2230 ) * fix: cas login * fix: cas login * feat: rollback get-default-app change * fix : move cas restrict logic to GetApplicationLogin() * fix: format code * fix: fix getOAuthGetParameters for cas * fix: fix getOAuthGetParameters for cas * fix: cas login	2023-08-19 01:15:41 +08:00
hsluoyz	a2db61cc1a	chore: Revert "feat: restrict redirectUrls for CAS login" (#2234 ) This reverts commit `b7a37126ad`.	2023-08-19 00:30:35 +08:00
Yaodong Yu	134541acde	chore: put some dev dependency package to right place (#2232 )	2023-08-18 22:17:16 +08:00
Yaodong Yu	59fca0342e	chore: fix yarn build warning (#2231 )	2023-08-18 21:25:57 +08:00
Yang Luo	abfc464155	Remove isEnabled for model, adapter and enforcer, improve UI	2023-08-18 19:22:47 +08:00
Yaodong Yu	a41f6880a2	feat: move policy table from adapter to enforcer and improve it (#2228 ) * feat: improve policiy table * feat: add connection test in AdapterEditPage.js * feat: update button style	2023-08-18 19:00:21 +08:00
Yaodong Yu	d12117324c	feat: support admin to enable MFA for other users (#2221 ) * feat: support admin enable user sms and email mfa * chore: update ci * chore: update ci	2023-08-17 17:19:24 +08:00
hsluoyz	1a6c9fbf69	Fix typo in README	2023-08-17 14:47:09 +08:00
hsluoyz	dd60d79af9	Fix typo in README	2023-08-17 14:46:10 +08:00
Yang Luo	73d314c7fe	Add MfaTotpPeriodInSeconds param	2023-08-16 21:48:54 +08:00
Yaodong Yu	27959e0f6f	fix: fix crash in UserEditPage.js	2023-08-16 15:57:48 +08:00
Baihhh	47f40c5b24	feat: support 3 more UI languages (#2218 ) Signed-off-by: baihhh <2542274498@qq.com>	2023-08-16 15:54:34 +08:00
haiwu	2ff9020884	feat: support Stripe payment provider (#2204 ) * feat: add stripe payment provider * feat: support stripe payment * feat: delete todo comment * feat: remove description struct * feat: change outOrderId->orderId	2023-08-15 00:16:30 +08:00
Yang Luo	abaf4ca8d9	Make GetDashboard() faster	2023-08-14 15:43:09 +08:00
珩	8ff0cfd6ec	feat: support dashboard in homepage (#2207 ) * feat: support dashboard * feat: support dashboard	2023-08-14 15:31:29 +08:00
Yang Luo	7a2a40edcc	Improve table columns	2023-08-14 12:19:02 +08:00
Yang Luo	b7a001ea39	Fix property empty issue	2023-08-14 12:09:50 +08:00
haiwu	891e8e21d8	feat: support Web3-Onboard provider (#2209 ) * feat: add Web3-Onboard idp * feat: update Web3-Onboard logo * feat: update package.json * feat: remove unused package * feat: add yarn build param --max_old_space_size=4096 * feat: remove log * feat: add Wallet configure * feat: remove hardware wallets	2023-08-13 23:58:57 +08:00
Baihhh	80b0d26813	fix: synchronize update the syncers (#2201 ) Signed-off-by: baihhh <2542274498@qq.com>	2023-08-13 22:30:57 +08:00
Yaodong Yu	db4ac60bb6	feat: fix LDAP mobile field incorrect mapped (#2206 )	2023-08-12 13:45:26 +08:00
Yang Luo	33a922f026	Add custom HTTP SMS provider	2023-08-12 12:52:53 +08:00
Yang Luo	9f65053d04	Improve i18n	2023-08-12 02:44:38 +08:00
Yang Luo	be969e5efa	Fix typo	2023-08-11 22:18:35 +08:00
Yang Luo	9156bd426b	ci: Show provider.displayName in signin button	2023-08-11 16:29:52 +08:00
Yang Luo	fe4a4328aa	feat: refactor code in InitApi()	2023-08-11 16:17:29 +08:00
Yaodong Yu	9899022bcd	fix: check enforcer should not be nil (#2199 ) * fix: check enforcer should not be nil * fix: check enforcer should not be nil * Update user.go --------- Co-authored-by: hsluoyz <hsluoyz@qq.com>	2023-08-11 12:31:49 +08:00
Yaodong Yu	1a9d02be46	feat: use the casbin model to store relationships between users and groups (#2178 ) * fix:reslove conflict * fix: remove interface	2023-08-11 10:59:18 +08:00
Yang Luo	eafaa135b4	Change builtInAvailableField back to 5	2023-08-11 02:45:11 +08:00
Yang Luo	6746551447	Improve error message in InitEnforcer()	2023-08-11 02:36:29 +08:00
Yang Luo	3cb46c3628	Add isKey to syncer's table	2023-08-09 00:33:04 +08:00
Yaodong Yu	558bcf95d6	feat: save policy in adapter edit page (#2190 ) * fix: save policy in adapter * fix: disable edit for builtin adapter	2023-08-09 00:12:53 +08:00
Yang Luo	bb937c30c1	Fix empty cert in getPaymentProvider()	2023-08-08 22:37:48 +08:00
Baihhh	8dfdf7f767	ci: add GoogleCloud and QiNiu in Storage (#2188 ) * feat: add GoogleCloud and QiNiu in Storage Signed-off-by: baihhh <2542274498@qq.com> * Update qiniu_cloud.go * Update storage.go --------- Signed-off-by: baihhh <2542274498@qq.com> Co-authored-by: hsluoyz <hsluoyz@qq.com>	2023-08-08 22:34:55 +08:00
Yang Luo	62b2082e82	Add getUserOrganization() to user edit page	2023-08-08 21:58:27 +08:00
Yang Luo	a1806439f8	Add UserPrincipalName and MemberOf to get-ldap-users API	2023-08-08 20:18:47 +08:00
Yang Luo	01e58158b7	feat: Remove useless code	2023-08-08 19:16:55 +08:00
Yaodong Yu	15427ad9d6	fix: fix add provider error (#2184 )	2023-08-07 17:22:32 +08:00
YunShu	d058f78dc6	fix: fix broken links (#2181 )	2023-08-07 01:02:03 +08:00
UsherFall	fd9dbf8251	feat: add multiple SMS providers (#2182 ) * feat: add amazon sns and azure acs provider * feat: add msg91 sms provider * feat: add infobip sms provider * feat: add ucloud sms provider * feat: add baidu cloud sms provider * fix: fix logo and azure acs	2023-08-07 00:59:17 +08:00
Yaodong Yu	3220a04fa9	fix: use org/groupName replace groupName (#2180 )	2023-08-06 20:16:44 +08:00
Yaodong Yu	f06a4990bd	fix: rename in init.go (#2179 ) * fix: rename in init.go * fix: remove blank line * fix: remove blank line * Update init.go --------- Co-authored-by: hsluoyz <hsluoyz@qq.com>	2023-08-06 13:07:30 +08:00
Yang Luo	9df7de5f27	Improve menu icons	2023-08-05 18:00:24 +08:00
Yang Luo	56c808c091	Improve menu	2023-08-05 17:41:35 +08:00
Yang Luo	9fd2421564	Update @ant-design/cssinjs dependency to avoid build error	2023-08-04 01:22:57 +08:00
Yang Luo	689d45c7fa	feat: fix org name cannot be changed bug	2023-08-03 18:48:37 +08:00
Yang Luo	c24343bd53	Fix XxxChangeTrigger() doesn't return error bug	2023-08-03 18:45:49 +08:00
Yang Luo	979f43638d	Change builtInAvailableField to 10	2023-08-03 18:17:15 +08:00
Yaodong Yu	685a4514cd	fix: revert adapter port vartype to int (#2174 )	2023-08-03 09:35:16 +08:00
Yaodong Yu	a05ca3af24	feat: use role ID to search in GetPermissionsAndRolesByUser() (#2170 )	2023-08-02 20:58:06 +08:00
Yang Luo	c6f301ff9e	Support svg in downloadImage()	2023-07-31 20:23:28 +08:00