feat: stop building docker image of linux/arm64 (#2390)

* feat: write records after exec (#2368)

* add returnOnOutput params

.github/workflows/build.yml

@@ -195,7 +195,7 @@ jobs:
         with:
           context: .
           target: STANDARD
-          platforms: linux/amd64,linux/arm64
+          platforms: linux/amd64
           push: true
           tags: casbin/casdoor:${{steps.get-current-tag.outputs.tag }},casbin/casdoor:latest
 
@@ -205,6 +205,6 @@ jobs:
         with:
           context: .
           target: ALLINONE
-          platforms: linux/amd64,linux/arm64
+          platforms: linux/amd64
           push: true
           tags: casbin/casdoor-all-in-one:${{steps.get-current-tag.outputs.tag }},casbin/casdoor-all-in-one:latest

.github/workflows/migrate.yml

@@ -1,61 +0,0 @@
-name: Migration Test
-
-on:
-  push:
-    paths:
-      - 'object/migrator**'
-  pull_request:
-    paths:
-      - 'object/migrator**'
-
-jobs:
-
-  db-migrator-test:
-    name: db-migrator-test
-    runs-on: ubuntu-latest
-    services:
-      mysql:
-        image: mysql:5.7
-        env:
-          MYSQL_DATABASE: casdoor
-          MYSQL_ROOT_PASSWORD: 123456
-        ports:
-          - 3306:3306
-        options: --health-cmd="mysqladmin ping" --health-interval=10s --health-timeout=5s --health-retries=3
-    steps:
-      - uses: actions/checkout@v2
-      - uses: actions/setup-go@v2
-        with:
-          go-version: '^1.16.5'
-      - uses: actions/setup-node@v2
-        with:
-          node-version: 16
-      - name: pull casdoor-master-latest
-        run: |
-          sudo apt update
-          sudo apt install git
-          sudo apt install net-tools
-          sudo mkdir tmp
-          cd tmp
-          sudo git clone https://github.com/casdoor/casdoor.git
-          cd ..
-        working-directory: ./
-      - name: run casdoor-master-latest
-        run: |
-          sudo nohup go run main.go &
-          sudo sleep 2m
-        working-directory: ./tmp/casdoor
-      - name: stop casdoor-master-latest
-        run: |
-          sudo kill -9 `sudo netstat -anltp | grep 8000 | awk '{print $7}' | cut -d / -f 1`
-        working-directory: ./
-      - name: run casdoor-current-version
-        run: |
-          sudo nohup go run ./main.go &
-          sudo sleep 2m
-        working-directory: ./
-      - name: test port-8000
-        run: |
-          if [[ `sudo netstat -anltp | grep 8000 | awk '{print $7}'` == "" ]];then echo 'db-migrator-test fail' && exit 1;fi;
-          echo 'db-migrator-test pass'
-        working-directory: ./

.gitignore

@@ -30,5 +30,4 @@ commentsRouter*.go
 
 # ignore build result
 casdoor
-server_linux_arm64
-server_linux_amd64
+server

Dockerfile

@@ -1,7 +1,6 @@
 FROM node:16.18.0 AS FRONT
 WORKDIR /web
 COPY ./web .
-RUN yarn config set registry https://registry.npmmirror.com
 RUN yarn install --frozen-lockfile --network-timeout 1000000 && yarn run build
 
 
@@ -14,9 +13,6 @@ RUN go test -v -run TestGetVersionInfo ./util/system_test.go ./util/system.go >
 FROM alpine:latest AS STANDARD
 LABEL MAINTAINER="https://casdoor.org/"
 ARG USER=casdoor
-ARG TARGETOS
-ARG TARGETARCH
-ENV BUILDX_ARCH="${TARGETOS:-linux}_${TARGETARCH:-amd64}"
 
 RUN sed -i 's/https/http/' /etc/apk/repositories
 RUN apk add --update sudo
@@ -31,7 +27,7 @@ RUN adduser -D $USER -u 1000 \
 
 USER 1000
 WORKDIR /
-COPY --from=BACK --chown=$USER:$USER /go/src/casdoor/server_${BUILDX_ARCH} ./server
+COPY --from=BACK --chown=$USER:$USER /go/src/casdoor/server ./server
 COPY --from=BACK --chown=$USER:$USER /go/src/casdoor/swagger ./swagger
 COPY --from=BACK --chown=$USER:$USER /go/src/casdoor/conf/app.conf ./conf/app.conf
 COPY --from=BACK --chown=$USER:$USER /go/src/casdoor/version_info.txt ./go/src/casdoor/version_info.txt
@@ -50,15 +46,12 @@ RUN apt update \
 
 FROM db AS ALLINONE
 LABEL MAINTAINER="https://casdoor.org/"
-ARG TARGETOS
-ARG TARGETARCH
-ENV BUILDX_ARCH="${TARGETOS:-linux}_${TARGETARCH:-amd64}"
 
 RUN apt update
 RUN apt install -y ca-certificates && update-ca-certificates
 
 WORKDIR /
-COPY --from=BACK /go/src/casdoor/server_${BUILDX_ARCH} ./server
+COPY --from=BACK /go/src/casdoor/server ./server
 COPY --from=BACK /go/src/casdoor/swagger ./swagger
 COPY --from=BACK /go/src/casdoor/docker-entrypoint.sh /docker-entrypoint.sh
 COPY --from=BACK /go/src/casdoor/conf/app.conf ./conf/app.conf

authz/authz.go

@@ -46,6 +46,7 @@ p, *, *, POST, /api/login, *, *
 p, *, *, GET, /api/get-app-login, *, *
 p, *, *, POST, /api/logout, *, *
 p, *, *, GET, /api/logout, *, *
+p, *, *, POST, /api/callback, *, *
 p, *, *, GET, /api/get-account, *, *
 p, *, *, GET, /api/userinfo, *, *
 p, *, *, GET, /api/user, *, *

build.sh

@@ -8,5 +8,4 @@ else
     echo "Google is blocked, Go proxy is enabled: GOPROXY=https://goproxy.cn,direct"
     export GOPROXY="https://goproxy.cn,direct"
 fi
-CGO_ENABLED=0 GOOS=linux GOARCH=amd64 go build -ldflags="-w -s" -o server_linux_amd64 .
-CGO_ENABLED=0 GOOS=linux GOARCH=arm64 go build -ldflags="-w -s" -o server_linux_arm64 .
+CGO_ENABLED=0 GOOS=linux GOARCH=amd64 go build -ldflags="-w -s" -o server .

conf/app.conf

@@ -8,18 +8,21 @@ dbName = casdoor
 tableNamePrefix =
 showSql = false
 redisEndpoint =
-defaultStorageProvider = 
+defaultStorageProvider =
 isCloudIntranet = false
 authState = "casdoor"
 socks5Proxy = "127.0.0.1:10808"
 verificationCodeTimeout = 10
-initScore = 2000
+initScore = 0
 logPostOnly = true
 origin =
 staticBaseUrl = "https://cdn.casbin.org"
 isDemoMode = false
 batchSize = 100
 ldapServerPort = 389
+radiusServerPort = 1812
+radiusSecret = "secret"
 quota = {"organization": -1, "user": -1, "application": -1, "provider": -1}
 logConfig = {"filename": "logs/casdoor.log", "maxdays":99999, "perm":"0770"}
-initDataFile = "./init_data.json"
+initDataFile = "./init_data.json"
+frontendBaseDir = "../casdoor"

controllers/account.go

@@ -18,7 +18,6 @@ import (
 	"encoding/json"
 	"fmt"
 	"net/http"
-	"strconv"
 	"strings"
 
 	"github.com/casdoor/casdoor/form"
@@ -119,20 +118,10 @@ func (c *ApiController) Signup() {
 		}
 	}
 
-	id := util.GenerateId()
-	if application.GetSignupItemRule("ID") == "Incremental" {
-		lastUser, err := object.GetLastUser(authForm.Organization)
-		if err != nil {
-			c.ResponseError(err.Error())
-			return
-		}
-
-		lastIdInt := -1
-		if lastUser != nil {
-			lastIdInt = util.ParseInt(lastUser.Id)
-		}
-
-		id = strconv.Itoa(lastIdInt + 1)
+	id, err := object.GenerateIdForNewUser(application)
+	if err != nil {
+		c.ResponseError(err.Error())
+		return
 	}
 
 	username := authForm.Username
@@ -309,27 +298,32 @@ func (c *ApiController) Logout() {
 			return
 		}
 
-		if application.IsRedirectUriValid(redirectUri) {
-			if user == "" {
-				user = util.GetId(token.Organization, token.User)
-			}
+		if user == "" {
+			user = util.GetId(token.Organization, token.User)
+		}
 
-			c.ClearUserSession()
-			// TODO https://github.com/casdoor/casdoor/pull/1494#discussion_r1095675265
-			owner, username := util.GetOwnerAndNameFromId(user)
+		c.ClearUserSession()
+		// TODO https://github.com/casdoor/casdoor/pull/1494#discussion_r1095675265
+		owner, username := util.GetOwnerAndNameFromId(user)
 
-			_, err := object.DeleteSessionId(util.GetSessionId(owner, username, object.CasdoorApplication), c.Ctx.Input.CruSession.SessionID())
-			if err != nil {
-				c.ResponseError(err.Error())
+		_, err = object.DeleteSessionId(util.GetSessionId(owner, username, object.CasdoorApplication), c.Ctx.Input.CruSession.SessionID())
+		if err != nil {
+			c.ResponseError(err.Error())
+			return
+		}
+
+		util.LogInfo(c.Ctx, "API: [%s] logged out", user)
+
+		if redirectUri == "" {
+			c.ResponseOk()
+			return
+		} else {
+			if application.IsRedirectUriValid(redirectUri) {
+				c.Ctx.Redirect(http.StatusFound, fmt.Sprintf("%s?state=%s", strings.TrimRight(redirectUri, "/"), state))
+			} else {
+				c.ResponseError(fmt.Sprintf(c.T("token:Redirect URI: %s doesn't exist in the allowed Redirect URI list"), redirectUri))
 				return
 			}
-
-			util.LogInfo(c.Ctx, "API: [%s] logged out", user)
-
-			c.Ctx.Redirect(http.StatusFound, fmt.Sprintf("%s?state=%s", strings.TrimRight(redirectUri, "/"), state))
-		} else {
-			c.ResponseError(fmt.Sprintf(c.T("token:Redirect URI: %s doesn't exist in the allowed Redirect URI list"), redirectUri))
-			return
 		}
 	}
 }

controllers/application.go

@@ -90,14 +90,24 @@ func (c *ApiController) GetApplication() {
 		return
 	}
 
-	if c.Input().Get("withKey") != "" && application.Cert != "" {
+	if c.Input().Get("withKey") != "" && application != nil && application.Cert != "" {
 		cert, err := object.GetCert(util.GetId(application.Owner, application.Cert))
 		if err != nil {
 			c.ResponseError(err.Error())
 			return
 		}
 
-		application.CertPublicKey = cert.Certificate
+		if cert == nil {
+			cert, err = object.GetCert(util.GetId(application.Organization, application.Cert))
+			if err != nil {
+				c.ResponseError(err.Error())
+				return
+			}
+		}
+
+		if cert != nil {
+			application.CertPublicKey = cert.Certificate
+		}
 	}
 
 	c.ResponseOk(object.GetMaskedApplication(application, userId))

controllers/auth.go

@@ -20,6 +20,7 @@ import (
 	"encoding/xml"
 	"fmt"
 	"io/ioutil"
+	"net/http"
 	"net/url"
 	"strconv"
 	"strings"
@@ -59,7 +60,7 @@ func tokenToResponse(token *object.Token) *Response {
 func (c *ApiController) HandleLoggedIn(application *object.Application, user *object.User, form *form.AuthForm) (resp *Response) {
 	userId := user.GetId()
 
-	allowed, err := object.CheckAccessPermission(userId, application)
+	allowed, err := object.CheckLoginPermission(userId, application)
 	if err != nil {
 		c.ResponseError(err.Error(), nil)
 		return
@@ -614,11 +615,16 @@ func (c *ApiController) Login() {
 						return
 					}
 
+					userId := userInfo.Id
+					if userId == "" {
+						userId = util.GenerateId()
+					}
+
 					user = &object.User{
 						Owner:             application.Organization,
 						Name:              userInfo.Username,
 						CreatedTime:       util.GetCurrentTime(),
-						Id:                util.GenerateId(),
+						Id:                userId,
 						Type:              "normal-user",
 						DisplayName:       userInfo.DisplayName,
 						Avatar:            userInfo.AvatarUrl,
@@ -896,3 +902,16 @@ func (c *ApiController) GetCaptchaStatus() {
 	}
 	c.ResponseOk(captchaEnabled)
 }
+
+// Callback
+// @Title Callback
+// @Tag Callback API
+// @Description Get Login Error Counts
+// @router /api/Callback [post]
+func (c *ApiController) Callback() {
+	code := c.GetString("code")
+	state := c.GetString("state")
+
+	frontendCallbackUrl := fmt.Sprintf("/callback?code=%s&state=%s", code, state)
+	c.Ctx.Redirect(http.StatusFound, frontendCallbackUrl)
+}

controllers/enforcer.go

@@ -191,7 +191,7 @@ func (c *ApiController) UpdatePolicy() {
 		return
 	}
 
-	affected, err := object.UpdatePolicy(id, util.CasbinToSlice(policies[0]), util.CasbinToSlice(policies[1]))
+	affected, err := object.UpdatePolicy(id, policies[0].Ptype, util.CasbinToSlice(policies[0]), util.CasbinToSlice(policies[1]))
 	if err != nil {
 		c.ResponseError(err.Error())
 		return
@@ -210,7 +210,7 @@ func (c *ApiController) AddPolicy() {
 		return
 	}
 
-	affected, err := object.AddPolicy(id, util.CasbinToSlice(policy))
+	affected, err := object.AddPolicy(id, policy.Ptype, util.CasbinToSlice(policy))
 	if err != nil {
 		c.ResponseError(err.Error())
 		return
@@ -229,7 +229,7 @@ func (c *ApiController) RemovePolicy() {
 		return
 	}
 
-	affected, err := object.RemovePolicy(id, util.CasbinToSlice(policy))
+	affected, err := object.RemovePolicy(id, policy.Ptype, util.CasbinToSlice(policy))
 	if err != nil {
 		c.ResponseError(err.Error())
 		return

controllers/payment.go

@@ -179,7 +179,7 @@ func (c *ApiController) NotifyPayment() {
 
 	body := c.Ctx.Input.RequestBody
 
-	payment, err := object.NotifyPayment(c.Ctx.Request, body, owner, paymentName)
+	payment, err := object.NotifyPayment(body, owner, paymentName)
 	if err != nil {
 		c.ResponseError(err.Error())
 		return

controllers/plan.go

@@ -16,7 +16,6 @@ package controllers
 
 import (
 	"encoding/json"
-	"fmt"
 
 	"github.com/beego/beego/utils/pagination"
 	"github.com/casdoor/casdoor/object"
@@ -83,11 +82,8 @@ func (c *ApiController) GetPlan() {
 		c.ResponseError(err.Error())
 		return
 	}
-	if plan == nil {
-		c.ResponseError(fmt.Sprintf(c.T("plan:The plan: %s does not exist"), id))
-		return
-	}
-	if includeOption {
+
+	if plan != nil && includeOption {
 		options, err := object.GetPermissionsByRole(plan.Role)
 		if err != nil {
 			c.ResponseError(err.Error())
@@ -97,11 +93,9 @@ func (c *ApiController) GetPlan() {
 		for _, option := range options {
 			plan.Options = append(plan.Options, option.DisplayName)
 		}
-
-		c.ResponseOk(plan)
-	} else {
-		c.ResponseOk(plan)
 	}
+
+	c.ResponseOk(plan)
 }
 
 // UpdatePlan

controllers/pricing.go

@@ -16,7 +16,6 @@ package controllers
 
 import (
 	"encoding/json"
-	"fmt"
 
 	"github.com/beego/beego/utils/pagination"
 	"github.com/casdoor/casdoor/object"
@@ -81,10 +80,7 @@ func (c *ApiController) GetPricing() {
 		c.ResponseError(err.Error())
 		return
 	}
-	if pricing == nil {
-		c.ResponseError(fmt.Sprintf(c.T("pricing:The pricing: %s does not exist"), id))
-		return
-	}
+
 	c.ResponseOk(pricing)
 }
 

controllers/token.go

@@ -156,7 +156,7 @@ func (c *ApiController) DeleteToken() {
 // @Success 200 {object} object.TokenWrapper The Response object
 // @Success 400 {object} object.TokenError The Response object
 // @Success 401 {object} object.TokenError The Response object
-// @router /login/oauth/access_token [post]
+// @router api/login/oauth/access_token [post]
 func (c *ApiController) GetOAuthToken() {
 	grantType := c.Input().Get("grant_type")
 	refreshToken := c.Input().Get("refresh_token")

controllers/user.go

@@ -457,7 +457,16 @@ func (c *ApiController) SetPassword() {
 		return
 	}
 
-	if oldPassword != "" {
+	isAdmin := c.IsAdmin()
+	if isAdmin {
+		if oldPassword != "" {
+			msg := object.CheckPassword(targetUser, oldPassword, c.GetAcceptLanguage())
+			if msg != "" {
+				c.ResponseError(msg)
+				return
+			}
+		}
+	} else {
 		msg := object.CheckPassword(targetUser, oldPassword, c.GetAcceptLanguage())
 		if msg != "" {
 			c.ResponseError(msg)

email/azure_acs.go

@@ -123,7 +123,9 @@ func (a *AzureACSEmailProvider) sendEmail(e *Email) error {
 
 	bodyBuffer := bytes.NewBuffer(postBody)
 
-	req, err := http.NewRequest("POST", a.Endpoint+sendEmailEndpoint+"?api-version="+apiVersion, bodyBuffer)
+	endpoint := strings.TrimSuffix(a.Endpoint, "/")
+	url := fmt.Sprintf("%s/emails:send?api-version=2023-03-31", endpoint)
+	req, err := http.NewRequest("POST", url, bodyBuffer)
 	if err != nil {
 		return fmt.Errorf("error creating AzureACS API request: %s", err)
 	}
@@ -149,7 +151,7 @@ func (a *AzureACSEmailProvider) sendEmail(e *Email) error {
 	defer resp.Body.Close()
 
 	// Response error Handling
-	if resp.StatusCode == http.StatusBadRequest {
+	if resp.StatusCode == http.StatusBadRequest || resp.StatusCode == http.StatusUnauthorized {
 		commError := ErrorResponse{}
 
 		err = json.NewDecoder(resp.Body).Decode(&commError)

email/provider.go

@@ -18,9 +18,9 @@ type EmailProvider interface {
 	Send(fromAddress string, fromName, toAddress string, subject string, content string) error
 }
 
-func GetEmailProvider(typ string, clientId string, clientSecret string, appId string, host string, port int, disableSsl bool) EmailProvider {
+func GetEmailProvider(typ string, clientId string, clientSecret string, host string, port int, disableSsl bool) EmailProvider {
 	if typ == "Azure ACS" {
-		return NewAzureACSEmailProvider(appId, host)
+		return NewAzureACSEmailProvider(clientSecret, host)
 	} else {
 		return NewSmtpEmailProvider(clientId, clientSecret, host, port, typ, disableSsl)
 	}

go.mod

@@ -10,10 +10,10 @@ require (
 	github.com/beego/beego v1.12.12
 	github.com/beevik/etree v1.1.0
 	github.com/casbin/casbin v1.9.1 // indirect
-	github.com/casbin/casbin/v2 v2.37.0
+	github.com/casbin/casbin/v2 v2.77.2
 	github.com/casdoor/go-sms-sender v0.14.0
 	github.com/casdoor/gomail/v2 v2.0.1
-	github.com/casdoor/notify v0.43.0
+	github.com/casdoor/notify v0.44.0
 	github.com/casdoor/oss v1.3.0
 	github.com/casdoor/xorm-adapter/v3 v3.0.4
 	github.com/casvisor/casvisor-go-sdk v1.0.3
@@ -54,6 +54,7 @@ require (
 	github.com/stripe/stripe-go/v74 v74.29.0
 	github.com/tealeg/xlsx v1.0.5
 	github.com/thanhpk/randstr v1.0.4
+	github.com/tidwall/pretty v1.2.1 // indirect
 	github.com/tklauser/go-sysconf v0.3.10 // indirect
 	github.com/xorm-io/builder v0.3.13
 	github.com/xorm-io/core v0.7.4
@@ -65,6 +66,7 @@ require (
 	google.golang.org/api v0.138.0
 	gopkg.in/ini.v1 v1.67.0 // indirect
 	gopkg.in/square/go-jose.v2 v2.6.0
+	layeh.com/radius v0.0.0-20221205141417-e7fbddd11d68 // indirect
 	maunium.net/go/mautrix v0.16.0
 	modernc.org/sqlite v1.18.2
 )

go.sum

@@ -919,12 +919,14 @@ github.com/casbin/casbin/v2 v2.1.0/go.mod h1:YcPU1XXisHhLzuxH9coDNf2FbKpjGlbCg3n
 github.com/casbin/casbin/v2 v2.28.3/go.mod h1:vByNa/Fchek0KZUgG5wEsl7iFsiviAYKRtgrQfcJqHg=
 github.com/casbin/casbin/v2 v2.37.0 h1:/poEwPSovi4bTOcP752/CsTQiRz2xycyVKFG7GUhbDw=
 github.com/casbin/casbin/v2 v2.37.0/go.mod h1:vByNa/Fchek0KZUgG5wEsl7iFsiviAYKRtgrQfcJqHg=
+github.com/casbin/casbin/v2 v2.77.2 h1:yQinn/w9x8AswiwqwtrXz93VU48R1aYTXdHEx4RI3jM=
+github.com/casbin/casbin/v2 v2.77.2/go.mod h1:mzGx0hYW9/ksOSpw3wNjk3NRAroq5VMFYUQ6G43iGPk=
 github.com/casdoor/go-sms-sender v0.14.0 h1:yqrzWIHUg64OYPynzF5Fr0XDuCWIWxtXIjOQAAkRKuw=
 github.com/casdoor/go-sms-sender v0.14.0/go.mod h1:cQs7qqohMJBgIVZebOCB8ko09naG1vzFJEH59VNIscs=
 github.com/casdoor/gomail/v2 v2.0.1 h1:J+FG6x80s9e5lBHUn8Sv0Y56mud34KiWih5YdmudR/w=
 github.com/casdoor/gomail/v2 v2.0.1/go.mod h1:VnGPslEAtpix5FjHisR/WKB1qvZDBaujbikxDe9d+2Q=
-github.com/casdoor/notify v0.43.0 h1:NukyVZ9l7d2TSlB5YWKJyDsPmHCvwKQVi9rWDprtcU4=
-github.com/casdoor/notify v0.43.0/go.mod h1:qDmQM5vr2uU01BEuDC6pY6ryahSU11cXPqlHFW232Do=
+github.com/casdoor/notify v0.44.0 h1:/j2TqO5lXEKYyu2WWtmGh3jh4aeN8m6p+9tWb5j1PWU=
+github.com/casdoor/notify v0.44.0/go.mod h1:HgLPFmSmy9+uB72cp2z3Tk5KxpZfStqpLMr+5RddXmw=
 github.com/casdoor/oss v1.3.0 h1:D5pcz65tJRqJrWY11Ks7D9LUsmlhqqMHugjDhSxWTvk=
 github.com/casdoor/oss v1.3.0/go.mod h1:YOi6KpG1pZHTkiy9AYaqI0UaPfE7YkaA07d89f1idqY=
 github.com/casdoor/xorm-adapter/v3 v3.0.4 h1:vB04Ao8n2jA7aFBI9F+gGXo9+Aa1IQP6mTdo50913DM=
@@ -1795,6 +1797,8 @@ github.com/tidwall/match v1.1.1 h1:+Ho715JplO36QYgwN9PGYNhgZvoUSc9X2c80KVTi+GA=
 github.com/tidwall/match v1.1.1/go.mod h1:eRSPERbgtNPcGhD8UCthc6PmLEQXEWd3PRB5JTxsfmM=
 github.com/tidwall/pretty v1.2.0 h1:RWIZEg2iJ8/g6fDDYzMpobmaoGh5OLl4AXtGUGPcqCs=
 github.com/tidwall/pretty v1.2.0/go.mod h1:ITEVvHYasfjBbM0u2Pg8T2nJnzm8xPwvNhhsoaGGjNU=
+github.com/tidwall/pretty v1.2.1 h1:qjsOFOWWQl+N3RsoF5/ssm1pHmJJwhjlSbZ51I6wMl4=
+github.com/tidwall/pretty v1.2.1/go.mod h1:ITEVvHYasfjBbM0u2Pg8T2nJnzm8xPwvNhhsoaGGjNU=
 github.com/tidwall/sjson v1.2.5 h1:kLy8mja+1c9jlljvWTlSazM7cKDRfJuR/bOJhcY5NcY=
 github.com/tidwall/sjson v1.2.5/go.mod h1:Fvgq9kS/6ociJEDnK0Fk1cpYF4FIW6ZF7LAe+6jwd28=
 github.com/tklauser/go-sysconf v0.3.10 h1:IJ1AZGZRWbY8T5Vfk04D9WOA5WSejdflXxP03OUqALw=
@@ -1819,8 +1823,8 @@ github.com/ugorji/go/codec v0.0.0-20181204163529-d75b2dcb6bc8/go.mod h1:VFNgLljT
 github.com/urfave/cli/v2 v2.3.0/go.mod h1:LJmUH05zAU44vOAcrfzZQKsZbVcdbOG8rtL3/XcUArI=
 github.com/utahta/go-linenotify v0.5.0 h1:E1tJaB/XhqRY/iz203FD0MaHm10DjQPOq5/Mem2A3Gs=
 github.com/utahta/go-linenotify v0.5.0/go.mod h1:KsvBXil2wx+ByaCR0e+IZKTbp4pDesc7yjzRigLf6pE=
-github.com/vartanbeno/go-reddit/v2 v2.0.1 h1:P6ITpf5YHjdy7DHZIbUIDn/iNAoGcEoDQnMa+L4vutw=
-github.com/vartanbeno/go-reddit/v2 v2.0.1/go.mod h1:758/S10hwZSLm43NPtwoNQdZFSg3sjB5745Mwjb0ANI=
+github.com/vartanbeno/go-reddit/v2 v2.0.0 h1:fxYMqx5lhbmJ3yYRN1nnQC/gecRB3xpUS2BbG7GLpsk=
+github.com/vartanbeno/go-reddit/v2 v2.0.0/go.mod h1:758/S10hwZSLm43NPtwoNQdZFSg3sjB5745Mwjb0ANI=
 github.com/volcengine/volc-sdk-golang v1.0.117 h1:ykFVSwsVq9qvIoWP9jeP+VKNAUjrblAdsZl46yVWiH8=
 github.com/volcengine/volc-sdk-golang v1.0.117/go.mod h1:ojXSFvj404o2UKnZR9k9LUUWIUU+9XtlRlzk2+UFc/M=
 github.com/wendal/errors v0.0.0-20181209125328-7f31f4b264ec/go.mod h1:Q12BUT7DqIlHRmgv3RskH+UCM/4eqVMgI0EMmlSpAXc=
@@ -1908,6 +1912,7 @@ golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550/go.mod h1:yigFU9vqHzYiE8U
 golang.org/x/crypto v0.0.0-20200323165209-0ec3e9974c59/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto=
 golang.org/x/crypto v0.0.0-20200604202706-70a84ac30bf9/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto=
 golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto=
+golang.org/x/crypto v0.0.0-20200709230013-948cd5f35899/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto=
 golang.org/x/crypto v0.0.0-20201002170205-7f63de1d35b0/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto=
 golang.org/x/crypto v0.0.0-20201016220609-9e8e0b390897/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto=
 golang.org/x/crypto v0.0.0-20201112155050-0c6587e931a9/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto=
@@ -2764,6 +2769,8 @@ honnef.co/go/tools v0.0.1-2019.2.3/go.mod h1:a3bituU0lyd329TUQxRnasdCoJDkEUEAqEt
 honnef.co/go/tools v0.0.1-2020.1.3/go.mod h1:X/FiERA/W4tHapMX5mGpAtMSVEeEUOyHaw9vFzvIQ3k=
 honnef.co/go/tools v0.0.1-2020.1.4/go.mod h1:X/FiERA/W4tHapMX5mGpAtMSVEeEUOyHaw9vFzvIQ3k=
 honnef.co/go/tools v0.1.3/go.mod h1:NgwopIslSNH47DimFoV78dnkksY2EFtX0ajyb3K/las=
+layeh.com/radius v0.0.0-20221205141417-e7fbddd11d68 h1:2NDro2Jzkrqfngy/sA5GVnChs7fx8EzcQKFi/lI2cfg=
+layeh.com/radius v0.0.0-20221205141417-e7fbddd11d68/go.mod h1:pFWM9De99EY9TPVyHIyA56QmoRViVck/x41WFkUlc9A=
 lukechampine.com/uint128 v1.1.1/go.mod h1:c4eWIwlEGaxC/+H1VguhU4PHXNWDCDMUlWdIWl2j1gk=
 lukechampine.com/uint128 v1.2.0 h1:mBi/5l91vocEN8otkC5bDLhi2KdCticRiwbdB0O+rjI=
 lukechampine.com/uint128 v1.2.0/go.mod h1:c4eWIwlEGaxC/+H1VguhU4PHXNWDCDMUlWdIWl2j1gk=

idp/goth.go

@@ -19,6 +19,7 @@ import (
 	"net/http"
 	"net/url"
 	"reflect"
+	"strings"
 	"time"
 
 	"github.com/casdoor/casdoor/util"
@@ -97,6 +98,9 @@ func NewGothIdProvider(providerType string, clientId string, clientSecret string
 			Session:  &amazon.Session{},
 		}
 	case "Apple":
+		if !strings.Contains(redirectUrl, "/api/callback") {
+			redirectUrl = strings.Replace(redirectUrl, "/callback", "/api/callback", 1)
+		}
 		idp = GothIdProvider{
 			Provider: apple.New(clientId, clientSecret, redirectUrl, nil),
 			Session:  &apple.Session{},
@@ -392,7 +396,9 @@ func NewGothIdProvider(providerType string, clientId string, clientSecret string
 // Goth's idp all implement the Client method, but since the goth.Provider interface does not provide to modify idp's client method, reflection is required
 func (idp *GothIdProvider) SetHttpClient(client *http.Client) {
 	idpClient := reflect.ValueOf(idp.Provider).Elem().FieldByName("HTTPClient")
-	idpClient.Set(reflect.ValueOf(client))
+	if idpClient.IsValid() {
+		idpClient.Set(reflect.ValueOf(client))
+	}
 }
 
 func (idp *GothIdProvider) GetToken(code string) (*oauth2.Token, error) {
@@ -468,6 +474,8 @@ func getUser(gothUser goth.User, provider string) *UserInfo {
 	if provider == "steam" {
 		user.Username = user.Id
 		user.Email = ""
+	} else if provider == "apple" {
+		user.Username = util.GetUsernameFromEmail(user.Email)
 	}
 	return &user
 }

init_data.json.template

@@ -176,9 +176,7 @@
   ],
   "permissions": [
     {
-      "actions": [
-        ""
-      ],
+      "actions": [],
       "displayName": "",
       "effect": "",
       "isEnabled": true,
@@ -186,15 +184,9 @@
       "name": "",
       "owner": "",
       "resourceType": "",
-      "resources": [
-        ""
-      ],
-      "roles": [
-        ""
-      ],
-      "users": [
-        ""
-      ]
+      "resources": [],
+      "roles": [],
+      "users": []
     }
   ],
   "payments": [
@@ -236,9 +228,7 @@
       "name": "",
       "owner": "",
       "price": 0,
-      "providers": [
-        ""
-      ],
+      "providers": [],
       "quantity": 0,
       "returnUrl": "",
       "sold": 0,
@@ -268,12 +258,8 @@
       "isEnabled": true,
       "name": "",
       "owner": "",
-      "roles": [
-        ""
-      ],
-      "users": [
-        ""
-      ]
+      "roles": [],
+      "users": []
     }
   ],
   "syncers": [
@@ -284,7 +270,7 @@
       "databaseType": "",
       "errorText": "",
       "host": "",
-      "isEnabled": true,
+      "isEnabled": false,
       "name": "",
       "organization": "",
       "owner": "",
@@ -298,9 +284,7 @@
           "isHashed": true,
           "name": "",
           "type": "",
-          "values": [
-            ""
-          ]
+          "values": []
         }
       ],
       "tablePrimaryKey": "",
@@ -330,9 +314,7 @@
   "webhooks": [
     {
       "contentType": "",
-      "events": [
-        ""
-      ],
+      "events": [],
       "headers": [
         {
           "name": "",

ldap/server.go

@@ -34,7 +34,7 @@ func StartLdapServer() {
 	server.Handle(routes)
 	err := server.ListenAndServe("0.0.0.0:" + conf.GetConfigString("ldapServerPort"))
 	if err != nil {
-		log.Printf("StartLdapServer() failed, ErrMsg = %s", err.Error())
+		log.Printf("StartLdapServer() failed, err = %s", err.Error())
 	}
 }
 

ldap/util.go

@@ -117,7 +117,7 @@ func GetFilteredUsers(m *ldap.Message) (filteredUsers []*object.User, code int)
 
 		hasPermission, err := object.CheckUserPermission(requestUserId, userId, true, "en")
 		if !hasPermission {
-			log.Printf("ErrMsg = %v", err.Error())
+			log.Printf("err = %v", err.Error())
 			return nil, ldap.LDAPResultInsufficientAccessRights
 		}
 

main.go

@@ -25,6 +25,7 @@ import (
 	"github.com/casdoor/casdoor/ldap"
 	"github.com/casdoor/casdoor/object"
 	"github.com/casdoor/casdoor/proxy"
+	"github.com/casdoor/casdoor/radius"
 	"github.com/casdoor/casdoor/routers"
 	"github.com/casdoor/casdoor/util"
 )
@@ -58,7 +59,7 @@ func main() {
 	beego.InsertFilter("*", beego.BeforeRouter, routers.CorsFilter)
 	beego.InsertFilter("*", beego.BeforeRouter, routers.ApiFilter)
 	beego.InsertFilter("*", beego.BeforeRouter, routers.PrometheusFilter)
-	beego.InsertFilter("*", beego.BeforeRouter, routers.RecordMessage)
+	beego.InsertFilter("*", beego.AfterExec, routers.RecordMessage, false)
 
 	beego.BConfig.WebConfig.Session.SessionOn = true
 	beego.BConfig.WebConfig.Session.SessionName = "casdoor_session_id"
@@ -81,6 +82,7 @@ func main() {
 	logs.SetLogFuncCall(false)
 
 	go ldap.StartLdapServer()
+	go radius.StartRadiusServer()
 	go object.ClearThroughputPerSecond()
 
 	beego.Run(fmt.Sprintf(":%v", port))

notification/matrix.go

@@ -21,7 +21,7 @@ import (
 	"maunium.net/go/mautrix/id"
 )
 
-func NewMatrixProvider(userId string, roomId string, accessToken string, homeServer string) (*notify.Notify, error) {
+func NewMatrixProvider(userId string, accessToken string, roomId string, homeServer string) (*notify.Notify, error) {
 	matrixSrv, err := matrix.New(id.UserID(userId), id.RoomID(roomId), homeServer, accessToken)
 	if err != nil {
 		return nil, err

notification/provider.go

@@ -18,27 +18,27 @@ import "github.com/casdoor/notify"
 
 func GetNotificationProvider(typ string, clientId string, clientSecret string, clientId2 string, clientSecret2 string, appId string, receiver string, method string, title string, metaData string) (notify.Notifier, error) {
 	if typ == "Telegram" {
-		return NewTelegramProvider(appId, receiver)
+		return NewTelegramProvider(clientSecret, receiver)
 	} else if typ == "Custom HTTP" {
 		return NewCustomHttpProvider(receiver, method, title)
 	} else if typ == "DingTalk" {
-		return NewDingTalkProvider(appId, receiver)
+		return NewDingTalkProvider(clientId, clientSecret)
 	} else if typ == "Lark" {
-		return NewLarkProvider(receiver)
+		return NewLarkProvider(clientSecret)
 	} else if typ == "Microsoft Teams" {
-		return NewMicrosoftTeamsProvider(receiver)
+		return NewMicrosoftTeamsProvider(clientSecret)
 	} else if typ == "Bark" {
-		return NewBarkProvider(receiver)
+		return NewBarkProvider(clientSecret)
 	} else if typ == "Pushover" {
-		return NewPushoverProvider(appId, receiver)
+		return NewPushoverProvider(clientSecret, receiver)
 	} else if typ == "Pushbullet" {
-		return NewPushbulletProvider(appId, receiver)
+		return NewPushbulletProvider(clientSecret, receiver)
 	} else if typ == "Slack" {
-		return NewSlackProvider(appId, receiver)
+		return NewSlackProvider(clientSecret, receiver)
 	} else if typ == "Webpush" {
 		return NewWebpushProvider(clientId, clientSecret, receiver)
 	} else if typ == "Discord" {
-		return NewDiscordProvider(appId, receiver)
+		return NewDiscordProvider(clientSecret, receiver)
 	} else if typ == "Google Chat" {
 		return NewGoogleChatProvider(metaData)
 	} else if typ == "Line" {

object/adapter.go

@@ -30,15 +30,15 @@ type Adapter struct {
 	Name        string `xorm:"varchar(100) notnull pk" json:"name"`
 	CreatedTime string `xorm:"varchar(100)" json:"createdTime"`
 
-	Type            string `xorm:"varchar(100)" json:"type"`
-	DatabaseType    string `xorm:"varchar(100)" json:"databaseType"`
-	Host            string `xorm:"varchar(100)" json:"host"`
-	Port            int    `json:"port"`
-	User            string `xorm:"varchar(100)" json:"user"`
-	Password        string `xorm:"varchar(100)" json:"password"`
-	Database        string `xorm:"varchar(100)" json:"database"`
-	Table           string `xorm:"varchar(100)" json:"table"`
-	TableNamePrefix string `xorm:"varchar(100)" json:"tableNamePrefix"`
+	Table        string `xorm:"varchar(100)" json:"table"`
+	UseSameDb    bool   `json:"useSameDb"`
+	Type         string `xorm:"varchar(100)" json:"type"`
+	DatabaseType string `xorm:"varchar(100)" json:"databaseType"`
+	Host         string `xorm:"varchar(100)" json:"host"`
+	Port         int    `json:"port"`
+	User         string `xorm:"varchar(100)" json:"user"`
+	Password     string `xorm:"varchar(100)" json:"password"`
+	Database     string `xorm:"varchar(100)" json:"database"`
 
 	*xormadapter.Adapter `xorm:"-" json:"-"`
 }
@@ -139,63 +139,69 @@ func (adapter *Adapter) GetId() string {
 	return fmt.Sprintf("%s/%s", adapter.Owner, adapter.Name)
 }
 
-func (adapter *Adapter) getTable() string {
-	if adapter.DatabaseType == "mssql" {
-		return fmt.Sprintf("[%s]", adapter.Table)
-	} else {
-		return adapter.Table
-	}
-}
-
 func (adapter *Adapter) InitAdapter() error {
-	if adapter.Adapter == nil {
-		var dataSourceName string
+	if adapter.Adapter != nil {
+		return nil
+	}
 
-		if adapter.isBuiltIn() {
-			dataSourceName = conf.GetConfigString("dataSourceName")
-			if adapter.DatabaseType == "mysql" {
-				dataSourceName = dataSourceName + adapter.Database
-			}
-		} else {
-			switch adapter.DatabaseType {
-			case "mssql":
-				dataSourceName = fmt.Sprintf("sqlserver://%s:%s@%s:%d?database=%s", adapter.User,
-					adapter.Password, adapter.Host, adapter.Port, adapter.Database)
-			case "mysql":
-				dataSourceName = fmt.Sprintf("%s:%s@tcp(%s:%d)/%s", adapter.User,
-					adapter.Password, adapter.Host, adapter.Port, adapter.Database)
-			case "postgres":
-				dataSourceName = fmt.Sprintf("user=%s password=%s host=%s port=%d sslmode=disable dbname=%s", adapter.User,
-					adapter.Password, adapter.Host, adapter.Port, adapter.Database)
-			case "CockroachDB":
-				dataSourceName = fmt.Sprintf("user=%s password=%s host=%s port=%d sslmode=disable dbname=%s serial_normalization=virtual_sequence",
-					adapter.User, adapter.Password, adapter.Host, adapter.Port, adapter.Database)
-			case "sqlite3":
-				dataSourceName = fmt.Sprintf("file:%s", adapter.Host)
-			default:
-				return fmt.Errorf("unsupported database type: %s", adapter.DatabaseType)
-			}
+	var driverName string
+	var dataSourceName string
+	if adapter.UseSameDb || adapter.isBuiltIn() {
+		driverName = conf.GetConfigString("driverName")
+		dataSourceName = conf.GetConfigString("dataSourceName")
+		if conf.GetConfigString("driverName") == "mysql" {
+			dataSourceName = dataSourceName + conf.GetConfigString("dbName")
 		}
-
-		if !isCloudIntranet {
-			dataSourceName = strings.ReplaceAll(dataSourceName, "dbi.", "db.")
-		}
-
-		var err error
-		engine, err := xorm.NewEngine(adapter.DatabaseType, dataSourceName)
-
-		if adapter.isBuiltIn() && adapter.DatabaseType == "postgres" {
-			schema := util.GetValueFromDataSourceName("search_path", dataSourceName)
-			if schema != "" {
-				engine.SetSchema(schema)
-			}
-		}
-
-		adapter.Adapter, err = xormadapter.NewAdapterByEngineWithTableName(engine, adapter.getTable(), adapter.TableNamePrefix)
-		if err != nil {
-			return err
+	} else {
+		driverName = adapter.DatabaseType
+		switch driverName {
+		case "mssql":
+			dataSourceName = fmt.Sprintf("sqlserver://%s:%s@%s:%d?database=%s", adapter.User,
+				adapter.Password, adapter.Host, adapter.Port, adapter.Database)
+		case "mysql":
+			dataSourceName = fmt.Sprintf("%s:%s@tcp(%s:%d)/%s", adapter.User,
+				adapter.Password, adapter.Host, adapter.Port, adapter.Database)
+		case "postgres":
+			dataSourceName = fmt.Sprintf("user=%s password=%s host=%s port=%d sslmode=disable dbname=%s", adapter.User,
+				adapter.Password, adapter.Host, adapter.Port, adapter.Database)
+		case "CockroachDB":
+			dataSourceName = fmt.Sprintf("user=%s password=%s host=%s port=%d sslmode=disable dbname=%s serial_normalization=virtual_sequence",
+				adapter.User, adapter.Password, adapter.Host, adapter.Port, adapter.Database)
+		case "sqlite3":
+			dataSourceName = fmt.Sprintf("file:%s", adapter.Host)
+		default:
+			return fmt.Errorf("unsupported database type: %s", adapter.DatabaseType)
 		}
 	}
+
+	if !isCloudIntranet {
+		dataSourceName = strings.ReplaceAll(dataSourceName, "dbi.", "db.")
+	}
+
+	engine, err := xorm.NewEngine(driverName, dataSourceName)
+	if err != nil {
+		return err
+	}
+
+	if (adapter.UseSameDb || adapter.isBuiltIn()) && driverName == "postgres" {
+		schema := util.GetValueFromDataSourceName("search_path", dataSourceName)
+		if schema != "" {
+			engine.SetSchema(schema)
+		}
+	}
+
+	var tableName string
+	if driverName == "mssql" {
+		tableName = fmt.Sprintf("[%s]", adapter.Table)
+	} else {
+		tableName = adapter.Table
+	}
+
+	adapter.Adapter, err = xormadapter.NewAdapterByEngineWithTableName(engine, tableName, "")
+	if err != nil {
+		return err
+	}
+
 	return nil
 }
 

object/application.go

@@ -428,7 +428,7 @@ func (application *Application) GetId() string {
 }
 
 func (application *Application) IsRedirectUriValid(redirectUri string) bool {
-	redirectUris := append([]string{"http://localhost:"}, application.RedirectUris...)
+	redirectUris := append([]string{"http://localhost:", "https://localhost:", "http://127.0.0.1:", "http://casdoor-app"}, application.RedirectUris...)
 	for _, targetUri := range redirectUris {
 		targetUriRegex := regexp.MustCompile(targetUri)
 		if targetUriRegex.MatchString(redirectUri) || strings.Contains(redirectUri, targetUri) {

object/cert.go

@@ -33,10 +33,8 @@ type Cert struct {
 	BitSize         int    `json:"bitSize"`
 	ExpireInYears   int    `json:"expireInYears"`
 
-	Certificate            string `xorm:"mediumtext" json:"certificate"`
-	PrivateKey             string `xorm:"mediumtext" json:"privateKey"`
-	AuthorityPublicKey     string `xorm:"mediumtext" json:"authorityPublicKey"`
-	AuthorityRootPublicKey string `xorm:"mediumtext" json:"authorityRootPublicKey"`
+	Certificate string `xorm:"mediumtext" json:"certificate"`
+	PrivateKey  string `xorm:"mediumtext" json:"privateKey"`
 }
 
 func GetMaskedCert(cert *Cert) *Cert {

object/check.go

@@ -350,7 +350,7 @@ func CheckUserPermission(requestUserId, userId string, strict bool, lang string)
 	return hasPermission, fmt.Errorf(i18n.Translate(lang, "auth:Unauthorized operation"))
 }
 
-func CheckAccessPermission(userId string, application *Application) (bool, error) {
+func CheckLoginPermission(userId string, application *Application) (bool, error) {
 	var err error
 	if userId == "built-in/admin" {
 		return true, nil
@@ -361,32 +361,40 @@ func CheckAccessPermission(userId string, application *Application) (bool, error
 		return false, err
 	}
 
-	allowed := true
+	allowCount := 0
+	denyCount := 0
 	for _, permission := range permissions {
-		if !permission.IsEnabled {
+		if !permission.IsEnabled || permission.ResourceType != "Application" || !permission.isResourceHit(application.Name) {
 			continue
 		}
 
-		isHit := false
-		for _, resource := range permission.Resources {
-			if application.Name == resource {
-				isHit = true
-				break
-			}
+		if permission.isUserHit(userId) {
+			allowCount += 1
 		}
 
-		if isHit {
-			containsAsterisk := ContainsAsterisk(userId, permission.Users)
-			if containsAsterisk {
-				return true, err
+		enforcer := getPermissionEnforcer(permission)
+
+		var isAllowed bool
+		isAllowed, err = enforcer.Enforce(userId, application.Name, "Read")
+		if err != nil {
+			return false, err
+		}
+
+		if isAllowed {
+			if permission.Effect == "Allow" {
+				allowCount += 1
 			}
-			enforcer := getPermissionEnforcer(permission)
-			if allowed, err = enforcer.Enforce(userId, application.Name, "read"); allowed {
-				return allowed, err
+		} else {
+			if permission.Effect == "Deny" {
+				denyCount += 1
 			}
 		}
 	}
-	return allowed, err
+
+	if denyCount > 0 {
+		return false, nil
+	}
+	return true, nil
 }
 
 func CheckUsername(username string, lang string) string {

object/email.go

@@ -36,7 +36,7 @@ func getDialer(provider *Provider) *gomail.Dialer {
 }
 
 func SendEmail(provider *Provider, title string, content string, dest string, sender string) error {
-	emailProvider := email.GetEmailProvider(provider.Type, provider.ClientId, provider.ClientSecret, provider.AppId, provider.Host, provider.Port, provider.DisableSsl)
+	emailProvider := email.GetEmailProvider(provider.Type, provider.ClientId, provider.ClientSecret, provider.Host, provider.Port, provider.DisableSsl)
 
 	fromAddress := provider.ClientId2
 	if fromAddress == "" {

object/enforcer.go

@@ -191,39 +191,55 @@ func GetPolicies(id string) ([]*xormadapter.CasbinRule, error) {
 		return nil, err
 	}
 
-	policies := util.MatrixToCasbinRules("p", enforcer.GetPolicy())
+	pRules := enforcer.GetPolicy()
+	res := util.MatrixToCasbinRules("p", pRules)
+
 	if enforcer.GetModel()["g"] != nil {
-		policies = append(policies, util.MatrixToCasbinRules("g", enforcer.GetGroupingPolicy())...)
+		gRules := enforcer.GetGroupingPolicy()
+		res2 := util.MatrixToCasbinRules("g", gRules)
+		res = append(res, res2...)
 	}
 
-	return policies, nil
+	return res, nil
 }
 
-func UpdatePolicy(id string, oldPolicy, newPolicy []string) (bool, error) {
+func UpdatePolicy(id string, ptype string, oldPolicy []string, newPolicy []string) (bool, error) {
 	enforcer, err := GetInitializedEnforcer(id)
 	if err != nil {
 		return false, err
 	}
 
-	return enforcer.UpdatePolicy(oldPolicy, newPolicy)
+	if ptype == "p" {
+		return enforcer.UpdatePolicy(oldPolicy, newPolicy)
+	} else {
+		return enforcer.UpdateGroupingPolicy(oldPolicy, newPolicy)
+	}
 }
 
-func AddPolicy(id string, policy []string) (bool, error) {
+func AddPolicy(id string, ptype string, policy []string) (bool, error) {
 	enforcer, err := GetInitializedEnforcer(id)
 	if err != nil {
 		return false, err
 	}
 
-	return enforcer.AddPolicy(policy)
+	if ptype == "p" {
+		return enforcer.AddPolicy(policy)
+	} else {
+		return enforcer.AddGroupingPolicy(policy)
+	}
 }
 
-func RemovePolicy(id string, policy []string) (bool, error) {
+func RemovePolicy(id string, ptype string, policy []string) (bool, error) {
 	enforcer, err := GetInitializedEnforcer(id)
 	if err != nil {
 		return false, err
 	}
 
-	return enforcer.RemovePolicy(policy)
+	if ptype == "p" {
+		return enforcer.RemovePolicy(policy)
+	} else {
+		return enforcer.RemoveGroupingPolicy(policy)
+	}
 }
 
 func (enforcer *Enforcer) LoadModelCfg() error {

object/group.go

@@ -226,7 +226,7 @@ func GetGroupUserCount(groupId string, field, value string) (int64, error) {
 	} else {
 		return ormer.Engine.Table("user").
 			Where("owner = ?", owner).In("name", names).
-			And(fmt.Sprintf("user.%s LIKE ?", util.CamelToSnakeCase(field)), "%"+value+"%").
+			And(fmt.Sprintf("user.%s like ?", util.CamelToSnakeCase(field)), "%"+value+"%").
 			Count()
 	}
 }
@@ -247,7 +247,7 @@ func GetPaginationGroupUsers(groupId string, offset, limit int, field, value, so
 	}
 
 	if field != "" && value != "" {
-		session = session.And(fmt.Sprintf("user.%s LIKE ?", util.CamelToSnakeCase(field)), "%"+value+"%")
+		session = session.And(fmt.Sprintf("user.%s like ?", util.CamelToSnakeCase(field)), "%"+value+"%")
 	}
 
 	if sortField == "" || sortOrder == "" {

object/init.go

@@ -423,14 +423,11 @@ func initBuiltInUserAdapter() {
 	}
 
 	adapter = &Adapter{
-		Owner:           "built-in",
-		Name:            "user-adapter-built-in",
-		CreatedTime:     util.GetCurrentTime(),
-		Type:            "Database",
-		DatabaseType:    conf.GetConfigString("driverName"),
-		TableNamePrefix: conf.GetConfigString("tableNamePrefix"),
-		Database:        conf.GetConfigString("dbName"),
-		Table:           "casbin_user_rule",
+		Owner:       "built-in",
+		Name:        "user-adapter-built-in",
+		CreatedTime: util.GetCurrentTime(),
+		Table:       "casbin_user_rule",
+		UseSameDb:   true,
 	}
 	_, err = AddAdapter(adapter)
 	if err != nil {
@@ -449,14 +446,11 @@ func initBuiltInApiAdapter() {
 	}
 
 	adapter = &Adapter{
-		Owner:           "built-in",
-		Name:            "api-adapter-built-in",
-		CreatedTime:     util.GetCurrentTime(),
-		Type:            "Database",
-		DatabaseType:    conf.GetConfigString("driverName"),
-		TableNamePrefix: conf.GetConfigString("tableNamePrefix"),
-		Database:        conf.GetConfigString("dbName"),
-		Table:           "casbin_api_rule",
+		Owner:       "built-in",
+		Name:        "api-adapter-built-in",
+		CreatedTime: util.GetCurrentTime(),
+		Table:       "casbin_api_rule",
+		UseSameDb:   true,
 	}
 	_, err = AddAdapter(adapter)
 	if err != nil {

object/mfa_totp.go

@@ -19,7 +19,6 @@ import (
 	"fmt"
 	"time"
 
-	"github.com/beego/beego"
 	"github.com/beego/beego/context"
 	"github.com/google/uuid"
 	"github.com/pquerna/otp"
@@ -39,10 +38,11 @@ type TotpMfa struct {
 }
 
 func (mfa *TotpMfa) Initiate(ctx *context.Context, userId string) (*MfaProps, error) {
-	issuer := beego.AppConfig.String("appname")
-	if issuer == "" {
-		issuer = "casdoor"
-	}
+	//issuer := beego.AppConfig.String("appname")
+	//if issuer == "" {
+	//	issuer = "casdoor"
+	//}
+	issuer := "Casdoor"
 
 	key, err := totp.Generate(totp.GenerateOpts{
 		Issuer:      issuer,

object/oidc_discovery.go

@@ -127,9 +127,16 @@ func GetJsonWebKeySet() (jose.JSONWebKeySet, error) {
 			continue
 		}
 
+		if cert.Certificate == "" {
+			return jwks, fmt.Errorf("the certificate field should not be empty for the cert: %v", cert)
+		}
+
 		certPemBlock := []byte(cert.Certificate)
 		certDerBlock, _ := pem.Decode(certPemBlock)
-		x509Cert, _ := x509.ParseCertificate(certDerBlock.Bytes)
+		x509Cert, err := x509.ParseCertificate(certDerBlock.Bytes)
+		if err != nil {
+			return jwks, err
+		}
 
 		var jwk jose.JSONWebKey
 		jwk.Key = x509Cert.PublicKey

object/ormer.go

@@ -86,7 +86,11 @@ func InitAdapter() {
 		}
 	}
 
-	ormer = NewAdapter(conf.GetConfigString("driverName"), conf.GetConfigDataSourceName(), conf.GetConfigString("dbName"))
+	var err error
+	ormer, err = NewAdapter(conf.GetConfigString("driverName"), conf.GetConfigDataSourceName(), conf.GetConfigString("dbName"))
+	if err != nil {
+		panic(err)
+	}
 
 	tableNamePrefix := conf.GetConfigString("tableNamePrefix")
 	tbMapper := core.NewPrefixMapper(core.SnakeMapper{}, tableNamePrefix)
@@ -121,19 +125,22 @@ func finalizer(a *Ormer) {
 }
 
 // NewAdapter is the constructor for Ormer.
-func NewAdapter(driverName string, dataSourceName string, dbName string) *Ormer {
+func NewAdapter(driverName string, dataSourceName string, dbName string) (*Ormer, error) {
 	a := &Ormer{}
 	a.driverName = driverName
 	a.dataSourceName = dataSourceName
 	a.dbName = dbName
 
 	// Open the DB, create it if not existed.
-	a.open()
+	err := a.open()
+	if err != nil {
+		return nil, err
+	}
 
 	// Call the destructor when the object is released.
 	runtime.SetFinalizer(a, finalizer)
 
-	return a
+	return a, nil
 }
 
 func refineDataSourceNameForPostgres(dataSourceName string) string {
@@ -192,7 +199,7 @@ func (a *Ormer) CreateDatabase() error {
 	return err
 }
 
-func (a *Ormer) open() {
+func (a *Ormer) open() error {
 	dataSourceName := a.dataSourceName + a.dbName
 	if a.driverName != "mysql" {
 		dataSourceName = a.dataSourceName
@@ -200,8 +207,9 @@ func (a *Ormer) open() {
 
 	engine, err := xorm.NewEngine(a.driverName, dataSourceName)
 	if err != nil {
-		panic(err)
+		return err
 	}
+
 	if a.driverName == "postgres" {
 		schema := util.GetValueFromDataSourceName("search_path", dataSourceName)
 		if schema != "" {
@@ -210,6 +218,7 @@ func (a *Ormer) open() {
 	}
 
 	a.Engine = engine
+	return nil
 }
 
 func (a *Ormer) close() {
@@ -316,6 +325,11 @@ func (a *Ormer) createTable() {
 		panic(err)
 	}
 
+	err = a.Engine.Sync2(new(RadiusAccounting))
+	if err != nil {
+		panic(err)
+	}
+
 	err = a.Engine.Sync2(new(PermissionRule))
 	if err != nil {
 		panic(err)

object/payment.go

@@ -16,7 +16,6 @@ package object
 
 import (
 	"fmt"
-	"net/http"
 
 	"github.com/casdoor/casdoor/pp"
 
@@ -153,7 +152,7 @@ func DeletePayment(payment *Payment) (bool, error) {
 	return affected != 0, nil
 }
 
-func notifyPayment(request *http.Request, body []byte, owner string, paymentName string) (*Payment, *pp.NotifyResult, error) {
+func notifyPayment(body []byte, owner string, paymentName string) (*Payment, *pp.NotifyResult, error) {
 	payment, err := getPayment(owner, paymentName)
 	if err != nil {
 		return nil, nil, err
@@ -167,7 +166,7 @@ func notifyPayment(request *http.Request, body []byte, owner string, paymentName
 	if err != nil {
 		return nil, nil, err
 	}
-	pProvider, cert, err := provider.getPaymentProvider()
+	pProvider, err := GetPaymentProvider(provider)
 	if err != nil {
 		return nil, nil, err
 	}
@@ -181,7 +180,7 @@ func notifyPayment(request *http.Request, body []byte, owner string, paymentName
 		return nil, nil, err
 	}
 
-	notifyResult, err := pProvider.Notify(request, body, cert.AuthorityPublicKey, payment.OutOrderId)
+	notifyResult, err := pProvider.Notify(body, payment.OutOrderId)
 	if err != nil {
 		return payment, nil, err
 	}
@@ -202,8 +201,8 @@ func notifyPayment(request *http.Request, body []byte, owner string, paymentName
 	return payment, notifyResult, nil
 }
 
-func NotifyPayment(request *http.Request, body []byte, owner string, paymentName string) (*Payment, error) {
-	payment, notifyResult, err := notifyPayment(request, body, owner, paymentName)
+func NotifyPayment(body []byte, owner string, paymentName string) (*Payment, error) {
+	payment, notifyResult, err := notifyPayment(body, owner, paymentName)
 	if payment != nil {
 		if err != nil {
 			payment.State = pp.PaymentStateError
@@ -231,7 +230,7 @@ func invoicePayment(payment *Payment) (string, error) {
 		return "", fmt.Errorf("the payment provider: %s does not exist", payment.Provider)
 	}
 
-	pProvider, _, err := provider.getPaymentProvider()
+	pProvider, err := GetPaymentProvider(provider)
 	if err != nil {
 		return "", err
 	}

object/permission.go

@@ -15,6 +15,7 @@
 package object
 
 import (
+	"fmt"
 	"strings"
 
 	"github.com/casdoor/casdoor/conf"
@@ -61,10 +62,6 @@ type PermissionRule struct {
 
 const builtInAvailableField = 5 // Casdoor built-in adapter, use V5 to filter permission, so has 5 available field
 
-func (p *Permission) GetId() string {
-	return util.GetId(p.Owner, p.Name)
-}
-
 func GetPermissionCount(owner, field, value string) (int64, error) {
 	session := GetSession(owner, -1, -1, field, value, "", "")
 	return session.Count(&Permission{})
@@ -221,16 +218,15 @@ func AddPermissionsInBatch(permissions []*Permission) bool {
 	}
 
 	affected := false
-	for i := 0; i < (len(permissions)-1)/batchSize+1; i++ {
-		start := i * batchSize
-		end := (i + 1) * batchSize
+	for i := 0; i < len(permissions); i += batchSize {
+		start := i
+		end := i + batchSize
 		if end > len(permissions) {
 			end = len(permissions)
 		}
 
 		tmp := permissions[start:end]
-		// TODO: save to log instead of standard output
-		// fmt.Printf("Add Permissions: [%d - %d].\n", start, end)
+		fmt.Printf("The syncer adds permissions: [%d - %d]\n", start, end)
 		if AddPermissions(tmp) {
 			affected = true
 		}
@@ -262,9 +258,59 @@ func DeletePermission(permission *Permission) (bool, error) {
 	return affected != 0, nil
 }
 
-func GetPermissionsAndRolesByUser(userId string) ([]*Permission, []*Role, error) {
+func getPermissionsByUser(userId string) ([]*Permission, error) {
 	permissions := []*Permission{}
 	err := ormer.Engine.Where("users like ?", "%"+userId+"\"%").Find(&permissions)
+	if err != nil {
+		return permissions, err
+	}
+
+	res := []*Permission{}
+	for _, permission := range permissions {
+		if util.InSlice(permission.Users, userId) {
+			res = append(res, permission)
+		}
+	}
+
+	return res, nil
+}
+
+func GetPermissionsByRole(roleId string) ([]*Permission, error) {
+	permissions := []*Permission{}
+	err := ormer.Engine.Where("roles like ?", "%"+roleId+"\"%").Find(&permissions)
+	if err != nil {
+		return permissions, err
+	}
+
+	res := []*Permission{}
+	for _, permission := range permissions {
+		if util.InSlice(permission.Roles, roleId) {
+			res = append(res, permission)
+		}
+	}
+
+	return res, nil
+}
+
+func GetPermissionsByResource(resourceId string) ([]*Permission, error) {
+	permissions := []*Permission{}
+	err := ormer.Engine.Where("resources like ?", "%"+resourceId+"\"%").Find(&permissions)
+	if err != nil {
+		return permissions, err
+	}
+
+	res := []*Permission{}
+	for _, permission := range permissions {
+		if util.InSlice(permission.Resources, resourceId) {
+			res = append(res, permission)
+		}
+	}
+
+	return res, nil
+}
+
+func getPermissionsAndRolesByUser(userId string) ([]*Permission, []*Role, error) {
+	permissions, err := getPermissionsByUser(userId)
 	if err != nil {
 		return nil, nil, err
 	}
@@ -281,14 +327,13 @@ func GetPermissionsAndRolesByUser(userId string) ([]*Permission, []*Role, error)
 
 	permFromRoles := []*Permission{}
 
-	roles, err := GetRolesByUser(userId)
+	roles, err := getRolesByUser(userId)
 	if err != nil {
 		return nil, nil, err
 	}
 
 	for _, role := range roles {
-		perms := []*Permission{}
-		err := ormer.Engine.Where("roles like ?", "%"+role.GetId()+"\"%").Find(&perms)
+		perms, err := GetPermissionsByRole(role.GetId())
 		if err != nil {
 			return nil, nil, err
 		}
@@ -306,26 +351,6 @@ func GetPermissionsAndRolesByUser(userId string) ([]*Permission, []*Role, error)
 	return permissions, roles, nil
 }
 
-func GetPermissionsByRole(roleId string) ([]*Permission, error) {
-	permissions := []*Permission{}
-	err := ormer.Engine.Where("roles like ?", "%"+roleId+"\"%").Find(&permissions)
-	if err != nil {
-		return permissions, err
-	}
-
-	return permissions, nil
-}
-
-func GetPermissionsByResource(resourceId string) ([]*Permission, error) {
-	permissions := []*Permission{}
-	err := ormer.Engine.Where("resources like ?", "%"+resourceId+"\"%").Find(&permissions)
-	if err != nil {
-		return permissions, err
-	}
-
-	return permissions, nil
-}
-
 func GetPermissionsBySubmitter(owner string, submitter string) ([]*Permission, error) {
 	permissions := []*Permission{}
 	err := ormer.Engine.Desc("created_time").Find(&permissions, &Permission{Owner: owner, Submitter: submitter})
@@ -346,20 +371,6 @@ func GetPermissionsByModel(owner string, model string) ([]*Permission, error) {
 	return permissions, nil
 }
 
-func ContainsAsterisk(userId string, users []string) bool {
-	containsAsterisk := false
-	group, _ := util.GetOwnerAndNameFromId(userId)
-	for _, user := range users {
-		permissionGroup, permissionUserName := util.GetOwnerAndNameFromId(user)
-		if permissionGroup == group && permissionUserName == "*" {
-			containsAsterisk = true
-			break
-		}
-	}
-
-	return containsAsterisk
-}
-
 func GetMaskedPermissions(permissions []*Permission) []*Permission {
 	for _, permission := range permissions {
 		permission.Users = nil
@@ -389,3 +400,27 @@ func GroupPermissionsByModelAdapter(permissions []*Permission) map[string][]stri
 
 	return m
 }
+
+func (p *Permission) GetId() string {
+	return util.GetId(p.Owner, p.Name)
+}
+
+func (p *Permission) isUserHit(name string) bool {
+	targetOrg, _ := util.GetOwnerAndNameFromId(name)
+	for _, user := range p.Users {
+		userOrg, userName := util.GetOwnerAndNameFromId(user)
+		if userOrg == targetOrg && userName == "*" {
+			return true
+		}
+	}
+	return false
+}
+
+func (p *Permission) isResourceHit(name string) bool {
+	for _, resource := range p.Resources {
+		if name == resource {
+			return true
+		}
+	}
+	return false
+}

object/permission_enforcer.go

@@ -258,7 +258,7 @@ func BatchEnforce(permission *Permission, requests *[]CasbinRequest, permissionI
 }
 
 func getAllValues(userId string, fn func(enforcer *casbin.Enforcer) []string) []string {
-	permissions, _, err := GetPermissionsAndRolesByUser(userId)
+	permissions, _, err := getPermissionsAndRolesByUser(userId)
 	if err != nil {
 		panic(err)
 	}
@@ -293,7 +293,7 @@ func GetAllActions(userId string) []string {
 }
 
 func GetAllRoles(userId string) []string {
-	roles, err := GetRolesByUser(userId)
+	roles, err := getRolesByUser(userId)
 	if err != nil {
 		panic(err)
 	}

object/permission_upload.go

@@ -82,5 +82,6 @@ func UploadPermissions(owner string, path string) (bool, error) {
 	if len(newPermissions) == 0 {
 		return false, nil
 	}
+
 	return AddPermissionsInBatch(newPermissions), nil
 }

object/product.go

@@ -172,7 +172,7 @@ func BuyProduct(id string, user *User, providerName, pricingName, planName, host
 		return nil, err
 	}
 
-	pProvider, _, err := provider.getPaymentProvider()
+	pProvider, err := GetPaymentProvider(provider)
 	if err != nil {
 		return nil, err
 	}

object/product_test.go

@@ -17,31 +17,24 @@
 
 package object
 
-import (
-	"testing"
-
-	"github.com/casdoor/casdoor/pp"
-	"github.com/casdoor/casdoor/util"
-)
-
-func TestProduct(t *testing.T) {
-	InitConfig()
-
-	product, _ := GetProduct("admin/product_123")
-	provider, _ := getProvider(product.Owner, "provider_pay_alipay")
-	cert, _ := getCert(product.Owner, "cert-pay-alipay")
-	pProvider, err := pp.GetPaymentProvider(provider.Type, provider.ClientId, provider.ClientSecret, provider.Host, cert.Certificate, cert.PrivateKey, cert.AuthorityPublicKey, cert.AuthorityRootPublicKey, provider.ClientId2)
-	if err != nil {
-		panic(err)
-	}
-
-	paymentName := util.GenerateTimeId()
-	returnUrl := ""
-	notifyUrl := ""
-	payUrl, _, err := pProvider.Pay(provider.Name, product.Name, "alice", paymentName, product.DisplayName, product.Price, product.Currency, returnUrl, notifyUrl)
-	if err != nil {
-		panic(err)
-	}
-
-	println(payUrl)
-}
+//func TestProduct(t *testing.T) {
+//	InitConfig()
+//
+//	product, _ := GetProduct("admin/product_123")
+//	provider, _ := getProvider(product.Owner, "provider_pay_alipay")
+//	cert, _ := getCert(product.Owner, "cert-pay-alipay")
+//	pProvider, err := pp.GetPaymentProvider(provider.Type, provider.ClientId, provider.ClientSecret, provider.Host, cert.Certificate, cert.PrivateKey, cert.AuthorityPublicKey, cert.AuthorityRootPublicKey, provider.ClientId2)
+//	if err != nil {
+//		panic(err)
+//	}
+//
+//	paymentName := util.GenerateTimeId()
+//	returnUrl := ""
+//	notifyUrl := ""
+//	payUrl, _, err := pProvider.Pay(provider.Name, product.Name, "alice", paymentName, product.DisplayName, product.Price, product.Currency, returnUrl, notifyUrl)
+//	if err != nil {
+//		panic(err)
+//	}
+//
+//	println(payUrl)
+//}

object/provider.go

@@ -251,30 +251,69 @@ func DeleteProvider(provider *Provider) (bool, error) {
 	return affected != 0, nil
 }
 
-func (p *Provider) getPaymentProvider() (pp.PaymentProvider, *Cert, error) {
+func GetPaymentProvider(p *Provider) (pp.PaymentProvider, error) {
 	cert := &Cert{}
 	if p.Cert != "" {
 		var err error
-		cert, err = getCert(p.Owner, p.Cert)
+		cert, err = GetCert(util.GetId(p.Owner, p.Cert))
 		if err != nil {
-			return nil, nil, err
+			return nil, err
 		}
 
 		if cert == nil {
-			return nil, nil, fmt.Errorf("the cert: %s does not exist", p.Cert)
+			return nil, fmt.Errorf("the cert: %s does not exist", p.Cert)
 		}
 	}
-
-	pProvider, err := pp.GetPaymentProvider(p.Type, p.ClientId, p.ClientSecret, p.Host, cert.Certificate, cert.PrivateKey, cert.AuthorityPublicKey, cert.AuthorityRootPublicKey, p.ClientId2)
-	if err != nil {
-		return nil, cert, err
+	typ := p.Type
+	if typ == "Dummy" {
+		pp, err := pp.NewDummyPaymentProvider()
+		if err != nil {
+			return nil, err
+		}
+		return pp, nil
+	} else if typ == "Alipay" {
+		if p.Metadata != "" {
+			// alipay provider store rootCert's name in metadata
+			rootCert, err := GetCert(util.GetId(p.Owner, p.Metadata))
+			if err != nil {
+				return nil, err
+			}
+			if rootCert == nil {
+				return nil, fmt.Errorf("the cert: %s does not exist", p.Metadata)
+			}
+			pp, err := pp.NewAlipayPaymentProvider(p.ClientId, cert.Certificate, cert.PrivateKey, rootCert.Certificate, rootCert.PrivateKey)
+			if err != nil {
+				return nil, err
+			}
+			return pp, nil
+		} else {
+			return nil, fmt.Errorf("the metadata of alipay provider is empty")
+		}
+	} else if typ == "GC" {
+		return pp.NewGcPaymentProvider(p.ClientId, p.ClientSecret, p.Host), nil
+	} else if typ == "WeChat Pay" {
+		pp, err := pp.NewWechatPaymentProvider(p.ClientId, p.ClientSecret, p.ClientId2, cert.Certificate, cert.PrivateKey)
+		if err != nil {
+			return nil, err
+		}
+		return pp, nil
+	} else if typ == "PayPal" {
+		pp, err := pp.NewPaypalPaymentProvider(p.ClientId, p.ClientSecret)
+		if err != nil {
+			return nil, err
+		}
+		return pp, nil
+	} else if typ == "Stripe" {
+		pp, err := pp.NewStripePaymentProvider(p.ClientId, p.ClientSecret)
+		if err != nil {
+			return nil, err
+		}
+		return pp, nil
+	} else {
+		return nil, fmt.Errorf("the payment provider type: %s is not supported", p.Type)
 	}
 
-	if pProvider == nil {
-		return nil, cert, fmt.Errorf("the payment provider type: %s is not supported", p.Type)
-	}
-
-	return pProvider, cert, nil
+	return nil, nil
 }
 
 func (p *Provider) GetId() string {
@@ -376,6 +415,8 @@ func FromProviderToIdpInfo(ctx *context.Context, provider *Provider) *idp.Provid
 			providerInfo.ClientId = provider.ClientId2
 			providerInfo.ClientSecret = provider.ClientSecret2
 		}
+	} else if provider.Type == "AzureAD" {
+		providerInfo.HostUrl = provider.Domain
 	}
 
 	return providerInfo

object/radius.go

@@ -0,0 +1,124 @@
+package object
+
+import (
+	"fmt"
+	"time"
+
+	"github.com/casdoor/casdoor/util"
+	"github.com/xorm-io/core"
+)
+
+// https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_usr_radatt/configuration/xe-16/sec-usr-radatt-xe-16-book/sec-rad-ov-ietf-attr.html
+// https://support.huawei.com/enterprise/zh/doc/EDOC1000178159/35071f9a
+type RadiusAccounting struct {
+	Owner       string    `xorm:"varchar(100) notnull pk" json:"owner"`
+	Name        string    `xorm:"varchar(100) notnull pk" json:"name"`
+	CreatedTime time.Time `json:"createdTime"`
+
+	Username    string `xorm:"index" json:"username"`
+	ServiceType int64  `json:"serviceType"` // e.g. LoginUser (1)
+
+	NasId       string `json:"nasId"`       // String identifying the network access server originating the Access-Request.
+	NasIpAddr   string `json:"nasIpAddr"`   // e.g. "192.168.0.10"
+	NasPortId   string `json:"nasPortId"`   // Contains a text string which identifies the port of the NAS that is authenticating the user. e.g."eth.0"
+	NasPortType int64  `json:"nasPortType"` // Indicates the type of physical port the network access server is using to authenticate the user. e.g.Ethernet（15）
+	NasPort     int64  `json:"nasPort"`     // Indicates the physical port number of the network access server that is authenticating the user. e.g. 233
+
+	FramedIpAddr    string `json:"framedIpAddr"`    // Indicates the IP address to be configured for the user by sending the IP address of a user to the RADIUS server.
+	FramedIpNetmask string `json:"framedIpNetmask"` // Indicates the IP netmask to be configured for the user when the user is using a device on a network.
+
+	AcctSessionId      string    `xorm:"index" json:"acctSessionId"`
+	AcctSessionTime    int64     `json:"acctSessionTime"` // Indicates how long (in seconds) the user has received service.
+	AcctInputTotal     int64     `json:"acctInputTotal"`
+	AcctOutputTotal    int64     `json:"acctOutputTotal"`
+	AcctInputPackets   int64     `json:"acctInputPackets"`   // Indicates how many packets have been received from the port over the course of this service being provided to a framed user.
+	AcctOutputPackets  int64     `json:"acctOutputPackets"`  // Indicates how many packets have been sent to the port in the course of delivering this service to a framed user.
+	AcctTerminateCause int64     `json:"acctTerminateCause"` // e.g. Lost-Carrier (2)
+	LastUpdate         time.Time `json:"lastUpdate"`
+	AcctStartTime      time.Time `xorm:"index" json:"acctStartTime"`
+	AcctStopTime       time.Time `xorm:"index" json:"acctStopTime"`
+}
+
+func (ra *RadiusAccounting) GetId() string {
+	return util.GetId(ra.Owner, ra.Name)
+}
+
+func getRadiusAccounting(owner, name string) (*RadiusAccounting, error) {
+	if owner == "" || name == "" {
+		return nil, nil
+	}
+	ra := RadiusAccounting{Owner: owner, Name: name}
+	existed, err := ormer.Engine.Get(&ra)
+	if err != nil {
+		return nil, err
+	}
+	if existed {
+		return &ra, nil
+	} else {
+		return nil, nil
+	}
+}
+
+func getPaginationRadiusAccounting(owner, field, value, sortField, sortOrder string, offset, limit int) ([]*RadiusAccounting, error) {
+	ras := []*RadiusAccounting{}
+	session := GetSession(owner, offset, limit, field, value, sortField, sortOrder)
+	err := session.Find(&ras)
+	if err != nil {
+		return ras, err
+	}
+	return ras, nil
+}
+
+func GetRadiusAccounting(id string) (*RadiusAccounting, error) {
+	owner, name := util.GetOwnerAndNameFromId(id)
+	return getRadiusAccounting(owner, name)
+}
+
+func GetRadiusAccountingBySessionId(sessionId string) (*RadiusAccounting, error) {
+	ras, err := getPaginationRadiusAccounting("", "acct_session_id", sessionId, "created_time", "desc", 0, 1)
+	if err != nil {
+		return nil, err
+	}
+	if len(ras) == 0 {
+		return nil, nil
+	}
+	return ras[0], nil
+}
+
+func AddRadiusAccounting(ra *RadiusAccounting) error {
+	_, err := ormer.Engine.Insert(ra)
+	return err
+}
+
+func DeleteRadiusAccounting(ra *RadiusAccounting) error {
+	_, err := ormer.Engine.ID(core.PK{ra.Owner, ra.Name}).Delete(&RadiusAccounting{})
+	return err
+}
+
+func UpdateRadiusAccounting(id string, ra *RadiusAccounting) error {
+	owner, name := util.GetOwnerAndNameFromId(id)
+	_, err := ormer.Engine.ID(core.PK{owner, name}).Update(ra)
+	return err
+}
+
+func InterimUpdateRadiusAccounting(oldRa *RadiusAccounting, newRa *RadiusAccounting, stop bool) error {
+	if oldRa.AcctSessionId != newRa.AcctSessionId {
+		return fmt.Errorf("AcctSessionId is not equal, newRa = %s, oldRa = %s", newRa.AcctSessionId, oldRa.AcctSessionId)
+	}
+	oldRa.AcctInputTotal = newRa.AcctInputTotal
+	oldRa.AcctOutputTotal = newRa.AcctOutputTotal
+	oldRa.AcctInputPackets = newRa.AcctInputPackets
+	oldRa.AcctOutputPackets = newRa.AcctOutputPackets
+	oldRa.AcctSessionTime = newRa.AcctSessionTime
+	if stop {
+		oldRa.AcctStopTime = newRa.AcctStopTime
+		if oldRa.AcctStopTime.IsZero() {
+			oldRa.AcctStopTime = time.Now()
+		}
+		oldRa.AcctTerminateCause = newRa.AcctTerminateCause
+	} else {
+		oldRa.LastUpdate = time.Now()
+	}
+
+	return UpdateRadiusAccounting(oldRa.GetId(), oldRa)
+}

object/record.go

@@ -87,7 +87,7 @@ func AddRecord(record *casvisorsdk.Record) bool {
 
 	affected, err := casvisorsdk.AddRecord(record)
 	if err != nil {
-		panic(err)
+		fmt.Printf("AddRecord() error: %s", err.Error())
 	}
 
 	return affected

object/role.go

@@ -32,6 +32,7 @@ type Role struct {
 	Description string `xorm:"varchar(100)" json:"description"`
 
 	Users     []string `xorm:"mediumtext" json:"users"`
+	Groups    []string `xorm:"mediumtext" json:"groups"`
 	Roles     []string `xorm:"mediumtext" json:"roles"`
 	Domains   []string `xorm:"mediumtext" json:"domains"`
 	IsEnabled bool     `json:"isEnabled"`
@@ -207,16 +208,15 @@ func AddRolesInBatch(roles []*Role) bool {
 	}
 
 	affected := false
-	for i := 0; i < (len(roles)-1)/batchSize+1; i++ {
-		start := i * batchSize
-		end := (i + 1) * batchSize
+	for i := 0; i < len(roles); i += batchSize {
+		start := i
+		end := i + batchSize
 		if end > len(roles) {
 			end = len(roles)
 		}
 
 		tmp := roles[start:end]
-		// TODO: save to log instead of standard output
-		// fmt.Printf("Add users: [%d - %d].\n", start, end)
+		fmt.Printf("The syncer adds roles: [%d - %d]\n", start, end)
 		if AddRoles(tmp) {
 			affected = true
 		}
@@ -252,15 +252,30 @@ func (role *Role) GetId() string {
 	return fmt.Sprintf("%s/%s", role.Owner, role.Name)
 }
 
-func GetRolesByUser(userId string) ([]*Role, error) {
+func getRolesByUserInternal(userId string) ([]*Role, error) {
 	roles := []*Role{}
 	err := ormer.Engine.Where("users like ?", "%"+userId+"\"%").Find(&roles)
 	if err != nil {
 		return roles, err
 	}
 
-	allRolesIds := make([]string, 0, len(roles))
+	res := []*Role{}
+	for _, role := range roles {
+		if util.InSlice(role.Users, userId) {
+			res = append(res, role)
+		}
+	}
 
+	return res, nil
+}
+
+func getRolesByUser(userId string) ([]*Role, error) {
+	roles, err := getRolesByUserInternal(userId)
+	if err != nil {
+		return roles, err
+	}
+
+	allRolesIds := []string{}
 	for _, role := range roles {
 		allRolesIds = append(allRolesIds, role.GetId())
 	}
@@ -336,16 +351,6 @@ func GetMaskedRoles(roles []*Role) []*Role {
 	return roles
 }
 
-func GetRolesByNamePrefix(owner string, prefix string) ([]*Role, error) {
-	roles := []*Role{}
-	err := ormer.Engine.Where("owner=? and name like ?", owner, prefix+"%").Find(&roles)
-	if err != nil {
-		return roles, err
-	}
-
-	return roles, nil
-}
-
 // GetAncestorRoles returns a list of roles that contain the given roleIds
 func GetAncestorRoles(roleIds ...string) ([]*Role, error) {
 	var (

object/role_upload.go

@@ -68,5 +68,6 @@ func UploadRoles(owner string, path string) (bool, error) {
 	if len(newRoles) == 0 {
 		return false, nil
 	}
+
 	return AddRolesInBatch(newRoles), nil
 }

object/saml_idp.go

@@ -200,6 +200,10 @@ func GetSamlMeta(application *Application, host string) (*IdpEntityDescriptor, e
 		return nil, errors.New("please set a cert for the application first")
 	}
 
+	if cert.Certificate == "" {
+		return nil, fmt.Errorf("the certificate field should not be empty for the cert: %v", cert)
+	}
+
 	block, _ := pem.Decode([]byte(cert.Certificate))
 	certificate := base64.StdEncoding.EncodeToString(block.Bytes)
 
@@ -288,6 +292,10 @@ func GetSamlResponse(application *Application, user *User, samlRequest string, h
 		return "", "", "", err
 	}
 
+	if cert.Certificate == "" {
+		return "", "", "", fmt.Errorf("the certificate field should not be empty for the cert: %v", cert)
+	}
+
 	block, _ := pem.Decode([]byte(cert.Certificate))
 	certificate := base64.StdEncoding.EncodeToString(block.Bytes)
 

object/storage.go

@@ -72,7 +72,7 @@ func GetTruncatedPath(provider *Provider, fullFilePath string, limit int) string
 }
 
 func GetUploadFileUrl(provider *Provider, fullFilePath string, hasTimestamp bool) (string, string) {
-	escapedPath := util.UrlJoin(provider.PathPrefix, escapePath(fullFilePath))
+	escapedPath := util.UrlJoin(provider.PathPrefix, fullFilePath)
 	objectKey := util.UrlJoin(util.GetUrlPath(provider.Domain), escapedPath)
 
 	host := ""

object/syncer.go

@@ -230,28 +230,39 @@ func (syncer *Syncer) getTable() string {
 	}
 }
 
-func (syncer *Syncer) getKey() string {
-	key := "id"
-	hasKey := false
-	hasId := false
+func (syncer *Syncer) getKeyColumn() *TableColumn {
+	var column *TableColumn
 	for _, tableColumn := range syncer.TableColumns {
 		if tableColumn.IsKey {
-			hasKey = true
-			key = tableColumn.Name
-		}
-		if tableColumn.Name == "id" {
-			hasId = true
+			column = tableColumn
 		}
 	}
 
-	if !hasKey && !hasId {
-		key = syncer.TableColumns[0].Name
+	if column == nil {
+		for _, tableColumn := range syncer.TableColumns {
+			if tableColumn.Name == "id" {
+				column = tableColumn
+			}
+		}
 	}
 
-	return key
+	if column == nil {
+		column = syncer.TableColumns[0]
+	}
+
+	return column
+}
+
+func (syncer *Syncer) getKey() string {
+	column := syncer.getKeyColumn()
+	return util.CamelToSnakeCase(column.CasdoorName)
 }
 
 func RunSyncer(syncer *Syncer) error {
-	syncer.initAdapter()
+	err := syncer.initAdapter()
+	if err != nil {
+		return err
+	}
+
 	return syncer.syncUsers()
 }

object/syncer_cron.go

@@ -50,9 +50,12 @@ func addSyncerJob(syncer *Syncer) error {
 		return nil
 	}
 
-	syncer.initAdapter()
+	err := syncer.initAdapter()
+	if err != nil {
+		return err
+	}
 
-	err := syncer.syncUsers()
+	err = syncer.syncUsers()
 	if err != nil {
 		return err
 	}

object/syncer_public_api.go

@@ -38,7 +38,11 @@ func getEnabledSyncerForOrganization(organization string) (*Syncer, error) {
 
 	for _, syncer := range syncers {
 		if syncer.Organization == organization && syncer.IsEnabled {
-			syncer.initAdapter()
+			err = syncer.initAdapter()
+			if err != nil {
+				return nil, err
+			}
+
 			return syncer, nil
 		}
 	}

object/syncer_sync.go

@@ -16,7 +16,8 @@ package object
 
 import (
 	"fmt"
-	"time"
+
+	"github.com/casdoor/casdoor/util"
 )
 
 func (syncer *Syncer) syncUsers() error {
@@ -26,17 +27,26 @@ func (syncer *Syncer) syncUsers() error {
 
 	fmt.Printf("Running syncUsers()..\n")
 
-	users, _, _ := syncer.getUserMap()
-	oUsers, _, err := syncer.getOriginalUserMap()
+	users, err := GetUsers(syncer.Organization)
 	if err != nil {
-		fmt.Printf(err.Error())
-
-		timestamp := time.Now().Format("2006-01-02 15:04:05")
-		line := fmt.Sprintf("[%s] %s\n", timestamp, err.Error())
-		_, err = updateSyncerErrorText(syncer, line)
-		if err != nil {
-			return err
+		line := fmt.Sprintf("[%s] %s\n", util.GetCurrentTime(), err.Error())
+		_, err2 := updateSyncerErrorText(syncer, line)
+		if err2 != nil {
+			panic(err2)
 		}
+
+		return err
+	}
+
+	oUsers, err := syncer.getOriginalUsers()
+	if err != nil {
+		line := fmt.Sprintf("[%s] %s\n", util.GetCurrentTime(), err.Error())
+		_, err2 := updateSyncerErrorText(syncer, line)
+		if err2 != nil {
+			panic(err2)
+		}
+
+		return err
 	}
 
 	fmt.Printf("Users: %d, oUsers: %d\n", len(users), len(oUsers))
@@ -76,7 +86,7 @@ func (syncer *Syncer) syncUsers() error {
 					updatedUser.PreHash = oHash
 
 					fmt.Printf("Update from oUser to user: %v\n", updatedUser)
-					_, err = syncer.updateUserForOriginalByFields(updatedUser, key)
+					_, err = syncer.updateUserForOriginalFields(updatedUser, key)
 					if err != nil {
 						return err
 					}
@@ -113,7 +123,7 @@ func (syncer *Syncer) syncUsers() error {
 						updatedUser.PreHash = oHash
 
 						fmt.Printf("Update from oUser to user (2nd condition): %v\n", updatedUser)
-						_, err = syncer.updateUserForOriginalByFields(updatedUser, key)
+						_, err = syncer.updateUserForOriginalFields(updatedUser, key)
 						if err != nil {
 							return err
 						}
@@ -122,6 +132,7 @@ func (syncer *Syncer) syncUsers() error {
 			}
 		}
 	}
+
 	_, err = AddUsersInBatch(newUsers)
 	if err != nil {
 		return err

object/syncer_user.go

@@ -15,12 +15,12 @@
 package object
 
 import (
+	"database/sql"
 	"fmt"
 	"strings"
 	"time"
 
 	"github.com/casdoor/casdoor/util"
-	"github.com/xorm-io/core"
 )
 
 type OriginalUser = User
@@ -31,7 +31,7 @@ type Credential struct {
 }
 
 func (syncer *Syncer) getOriginalUsers() ([]*OriginalUser, error) {
-	var results []map[string]string
+	var results []map[string]sql.NullString
 	err := syncer.Ormer.Engine.Table(syncer.getTable()).Find(&results)
 	if err != nil {
 		return nil, err
@@ -49,19 +49,6 @@ func (syncer *Syncer) getOriginalUsers() ([]*OriginalUser, error) {
 	return users, nil
 }
 
-func (syncer *Syncer) getOriginalUserMap() ([]*OriginalUser, map[string]*OriginalUser, error) {
-	users, err := syncer.getOriginalUsers()
-	if err != nil {
-		return users, nil, err
-	}
-
-	m := map[string]*OriginalUser{}
-	for _, user := range users {
-		m[user.Id] = user
-	}
-	return users, m, nil
-}
-
 func (syncer *Syncer) addUser(user *OriginalUser) (bool, error) {
 	m := syncer.getMapFromOriginalUser(user)
 	affected, err := syncer.Ormer.Engine.Table(syncer.getTable()).Insert(m)
@@ -88,38 +75,14 @@ func (syncer *Syncer) updateUser(user *OriginalUser) (bool, error) {
 	pkValue := m[key]
 	delete(m, key)
 
-	affected, err := syncer.Ormer.Engine.Table(syncer.getTable()).ID(pkValue).Update(&m)
+	affected, err := syncer.Ormer.Engine.Table(syncer.getTable()).Where(fmt.Sprintf("%s = ?", key), pkValue).Update(&m)
 	if err != nil {
 		return false, err
 	}
 	return affected != 0, nil
 }
 
-func (syncer *Syncer) updateUserForOriginalFields(user *User) (bool, error) {
-	var err error
-	owner, name := util.GetOwnerAndNameFromId(user.GetId())
-	oldUser, err := getUserById(owner, name)
-	if oldUser == nil || err != nil {
-		return false, err
-	}
-
-	if user.Avatar != oldUser.Avatar && user.Avatar != "" {
-		user.PermanentAvatar, err = getPermanentAvatarUrl(user.Owner, user.Name, user.Avatar, true)
-		if err != nil {
-			return false, err
-		}
-	}
-
-	columns := syncer.getCasdoorColumns()
-	columns = append(columns, "affiliation", "hash", "pre_hash")
-	affected, err := ormer.Engine.ID(core.PK{oldUser.Owner, oldUser.Name}).Cols(columns...).Update(user)
-	if err != nil {
-		return false, err
-	}
-	return affected != 0, nil
-}
-
-func (syncer *Syncer) updateUserForOriginalByFields(user *User, key string) (bool, error) {
+func (syncer *Syncer) updateUserForOriginalFields(user *User, key string) (bool, error) {
 	var err error
 	oldUser := User{}
 
@@ -161,27 +124,31 @@ func (syncer *Syncer) calculateHash(user *OriginalUser) string {
 	return util.GetMd5Hash(s)
 }
 
-func (syncer *Syncer) initAdapter() {
-	if syncer.Ormer == nil {
-		var dataSourceName string
-		if syncer.DatabaseType == "mssql" {
-			dataSourceName = fmt.Sprintf("sqlserver://%s:%s@%s:%d?database=%s", syncer.User, syncer.Password, syncer.Host, syncer.Port, syncer.Database)
-		} else if syncer.DatabaseType == "postgres" {
-			sslMode := "disable"
-			if syncer.SslMode != "" {
-				sslMode = syncer.SslMode
-			}
-			dataSourceName = fmt.Sprintf("user=%s password=%s host=%s port=%d sslmode=%s dbname=%s", syncer.User, syncer.Password, syncer.Host, syncer.Port, sslMode, syncer.Database)
-		} else {
-			dataSourceName = fmt.Sprintf("%s:%s@tcp(%s:%d)/", syncer.User, syncer.Password, syncer.Host, syncer.Port)
-		}
-
-		if !isCloudIntranet {
-			dataSourceName = strings.ReplaceAll(dataSourceName, "dbi.", "db.")
-		}
-
-		syncer.Ormer = NewAdapter(syncer.DatabaseType, dataSourceName, syncer.Database)
+func (syncer *Syncer) initAdapter() error {
+	if syncer.Ormer != nil {
+		return nil
 	}
+
+	var dataSourceName string
+	if syncer.DatabaseType == "mssql" {
+		dataSourceName = fmt.Sprintf("sqlserver://%s:%s@%s:%d?database=%s", syncer.User, syncer.Password, syncer.Host, syncer.Port, syncer.Database)
+	} else if syncer.DatabaseType == "postgres" {
+		sslMode := "disable"
+		if syncer.SslMode != "" {
+			sslMode = syncer.SslMode
+		}
+		dataSourceName = fmt.Sprintf("user=%s password=%s host=%s port=%d sslmode=%s dbname=%s", syncer.User, syncer.Password, syncer.Host, syncer.Port, sslMode, syncer.Database)
+	} else {
+		dataSourceName = fmt.Sprintf("%s:%s@tcp(%s:%d)/", syncer.User, syncer.Password, syncer.Host, syncer.Port)
+	}
+
+	if !isCloudIntranet {
+		dataSourceName = strings.ReplaceAll(dataSourceName, "dbi.", "db.")
+	}
+
+	var err error
+	syncer.Ormer, err = NewAdapter(syncer.DatabaseType, dataSourceName, syncer.Database)
+	return err
 }
 
 func RunSyncUsersJob() {
@@ -191,7 +158,10 @@ func RunSyncUsersJob() {
 	}
 
 	for _, syncer := range syncers {
-		addSyncerJob(syncer)
+		err = addSyncerJob(syncer)
+		if err != nil {
+			panic(err)
+		}
 	}
 
 	time.Sleep(time.Duration(1<<63 - 1))

object/syncer_util.go

@@ -15,6 +15,7 @@
 package object
 
 import (
+	"database/sql"
 	"encoding/json"
 	"fmt"
 	"reflect"
@@ -196,7 +197,7 @@ func (syncer *Syncer) getUserValue(user *User, key string) string {
 	}
 }
 
-func (syncer *Syncer) getOriginalUsersFromMap(results []map[string]string) []*OriginalUser {
+func (syncer *Syncer) getOriginalUsersFromMap(results []map[string]sql.NullString) []*OriginalUser {
 	users := []*OriginalUser{}
 	for _, result := range results {
 		originalUser := &OriginalUser{
@@ -216,11 +217,11 @@ func (syncer *Syncer) getOriginalUsersFromMap(results []map[string]string) []*Or
 				names := strings.Split(tableColumnName, "+")
 				var values []string
 				for _, name := range names {
-					values = append(values, result[strings.Trim(name, " ")])
+					values = append(values, result[strings.Trim(name, " ")].String)
 				}
 				value = strings.Join(values, " ")
 			} else {
-				value = result[tableColumnName]
+				value = result[tableColumnName].String
 			}
 			syncer.setUserByKeyValue(originalUser, tableColumn.CasdoorName, value)
 		}
@@ -249,9 +250,9 @@ func (syncer *Syncer) getOriginalUsersFromMap(results []map[string]string) []*Or
 			// enable
 			value, ok := result["ENABLED"]
 			if ok {
-				originalUser.IsForbidden = !util.ParseBool(value)
+				originalUser.IsForbidden = !util.ParseBool(value.String)
 			} else {
-				originalUser.IsForbidden = !util.ParseBool(result["enabled"])
+				originalUser.IsForbidden = !util.ParseBool(result["enabled"].String)
 			}
 		}
 

object/syner_db_user.go

@@ -1,37 +0,0 @@
-// Copyright 2021 The Casdoor Authors. All Rights Reserved.
-//
-// Licensed under the Apache License, Version 2.0 (the "License");
-// you may not use this file except in compliance with the License.
-// You may obtain a copy of the License at
-//
-//      http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing, software
-// distributed under the License is distributed on an "AS IS" BASIS,
-// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-// See the License for the specific language governing permissions and
-// limitations under the License.
-
-package object
-
-func (syncer *Syncer) getUsers() []*User {
-	users, err := GetUsers(syncer.Organization)
-	if err != nil {
-		panic(err)
-	}
-
-	return users
-}
-
-func (syncer *Syncer) getUserMap() ([]*User, map[string]*User, map[string]*User) {
-	users := syncer.getUsers()
-
-	m1 := map[string]*User{}
-	m2 := map[string]*User{}
-	for _, user := range users {
-		m1[user.Id] = user
-		m2[user.Name] = user
-	}
-
-	return users, m1, m2
-}

object/token_cas.go

@@ -209,17 +209,22 @@ func GenerateCasToken(userId string, service string) (string, error) {
 		return "", err
 	}
 
-	tmp := map[string]string{}
+	tmp := map[string]interface{}{}
 	err = json.Unmarshal(data, &tmp)
 	if err != nil {
 		return "", err
 	}
 
 	for k, v := range tmp {
-		if v != "" {
+		value := fmt.Sprintf("%v", v)
+		if value == "<nil>" || value == "[]" || value == "map[]" {
+			value = ""
+		}
+
+		if value != "" {
 			authenticationSuccess.Attributes.UserAttributes.Attributes = append(authenticationSuccess.Attributes.UserAttributes.Attributes, &CasNamedAttribute{
 				Name:  k,
-				Value: v,
+				Value: value,
 			})
 		}
 	}
@@ -281,6 +286,10 @@ func GetValidationBySaml(samlRequest string, host string) (string, string, error
 		return "", "", err
 	}
 
+	if cert.Certificate == "" {
+		return "", "", fmt.Errorf("the certificate field should not be empty for the cert: %v", cert)
+	}
+
 	block, _ := pem.Decode([]byte(cert.Certificate))
 	certificate := base64.StdEncoding.EncodeToString(block.Bytes)
 	randomKeyStore := &X509Key{

object/token_jwt.go

@@ -26,7 +26,7 @@ type Claims struct {
 	*User
 	TokenType string `json:"tokenType,omitempty"`
 	Nonce     string `json:"nonce,omitempty"`
-	Tag       string `json:"tag,omitempty"`
+	Tag       string `json:"tag"`
 	Scope     string `json:"scope,omitempty"`
 	jwt.RegisteredClaims
 }
@@ -37,56 +37,90 @@ type UserShort struct {
 }
 
 type UserWithoutThirdIdp struct {
-	Owner               string            `xorm:"varchar(100) notnull pk" json:"owner"`
-	Name                string            `xorm:"varchar(100) notnull pk" json:"name"`
-	CreatedTime         string            `xorm:"varchar(100)" json:"createdTime"`
-	UpdatedTime         string            `xorm:"varchar(100)" json:"updatedTime"`
-	Id                  string            `xorm:"varchar(100) index" json:"id"`
-	Type                string            `xorm:"varchar(100)" json:"type"`
-	Password            string            `xorm:"varchar(100)" json:"password"`
-	PasswordSalt        string            `xorm:"varchar(100)" json:"passwordSalt"`
-	DisplayName         string            `xorm:"varchar(100)" json:"displayName"`
-	FirstName           string            `xorm:"varchar(100)" json:"firstName"`
-	LastName            string            `xorm:"varchar(100)" json:"lastName"`
-	Avatar              string            `xorm:"varchar(500)" json:"avatar"`
-	PermanentAvatar     string            `xorm:"varchar(500)" json:"permanentAvatar"`
-	Email               string            `xorm:"varchar(100) index" json:"email"`
-	EmailVerified       bool              `json:"emailVerified"`
-	Phone               string            `xorm:"varchar(100) index" json:"phone"`
-	Location            string            `xorm:"varchar(100)" json:"location"`
-	Address             []string          `json:"address"`
-	Affiliation         string            `xorm:"varchar(100)" json:"affiliation"`
-	Title               string            `xorm:"varchar(100)" json:"title"`
-	IdCardType          string            `xorm:"varchar(100)" json:"idCardType"`
-	IdCard              string            `xorm:"varchar(100) index" json:"idCard"`
-	Homepage            string            `xorm:"varchar(100)" json:"homepage"`
-	Bio                 string            `xorm:"varchar(100)" json:"bio"`
-	Tag                 string            `xorm:"varchar(100)" json:"tag"`
-	Region              string            `xorm:"varchar(100)" json:"region"`
-	Language            string            `xorm:"varchar(100)" json:"language"`
-	Gender              string            `xorm:"varchar(100)" json:"gender"`
-	Birthday            string            `xorm:"varchar(100)" json:"birthday"`
-	Education           string            `xorm:"varchar(100)" json:"education"`
-	Score               int               `json:"score"`
-	Karma               int               `json:"karma"`
-	Ranking             int               `json:"ranking"`
-	IsDefaultAvatar     bool              `json:"isDefaultAvatar"`
-	IsOnline            bool              `json:"isOnline"`
-	IsAdmin             bool              `json:"isAdmin"`
-	IsForbidden         bool              `json:"isForbidden"`
-	IsDeleted           bool              `json:"isDeleted"`
-	SignupApplication   string            `xorm:"varchar(100)" json:"signupApplication"`
-	Hash                string            `xorm:"varchar(100)" json:"hash"`
-	PreHash             string            `xorm:"varchar(100)" json:"preHash"`
-	CreatedIp           string            `xorm:"varchar(100)" json:"createdIp"`
-	LastSigninTime      string            `xorm:"varchar(100)" json:"lastSigninTime"`
-	LastSigninIp        string            `xorm:"varchar(100)" json:"lastSigninIp"`
-	Ldap                string            `xorm:"ldap varchar(100)" json:"ldap"`
-	Properties          map[string]string `json:"properties"`
-	Roles               []*Role           `xorm:"-" json:"roles"`
-	Permissions         []*Permission     `xorm:"-" json:"permissions"`
-	LastSigninWrongTime string            `xorm:"varchar(100)" json:"lastSigninWrongTime"`
-	SigninWrongTimes    int               `json:"signinWrongTimes"`
+	Owner       string `xorm:"varchar(100) notnull pk" json:"owner"`
+	Name        string `xorm:"varchar(100) notnull pk" json:"name"`
+	CreatedTime string `xorm:"varchar(100) index" json:"createdTime"`
+	UpdatedTime string `xorm:"varchar(100)" json:"updatedTime"`
+
+	Id                string   `xorm:"varchar(100) index" json:"id"`
+	Type              string   `xorm:"varchar(100)" json:"type"`
+	Password          string   `xorm:"varchar(100)" json:"password"`
+	PasswordSalt      string   `xorm:"varchar(100)" json:"passwordSalt"`
+	PasswordType      string   `xorm:"varchar(100)" json:"passwordType"`
+	DisplayName       string   `xorm:"varchar(100)" json:"displayName"`
+	FirstName         string   `xorm:"varchar(100)" json:"firstName"`
+	LastName          string   `xorm:"varchar(100)" json:"lastName"`
+	Avatar            string   `xorm:"varchar(500)" json:"avatar"`
+	AvatarType        string   `xorm:"varchar(100)" json:"avatarType"`
+	PermanentAvatar   string   `xorm:"varchar(500)" json:"permanentAvatar"`
+	Email             string   `xorm:"varchar(100) index" json:"email"`
+	EmailVerified     bool     `json:"emailVerified"`
+	Phone             string   `xorm:"varchar(20) index" json:"phone"`
+	CountryCode       string   `xorm:"varchar(6)" json:"countryCode"`
+	Region            string   `xorm:"varchar(100)" json:"region"`
+	Location          string   `xorm:"varchar(100)" json:"location"`
+	Address           []string `json:"address"`
+	Affiliation       string   `xorm:"varchar(100)" json:"affiliation"`
+	Title             string   `xorm:"varchar(100)" json:"title"`
+	IdCardType        string   `xorm:"varchar(100)" json:"idCardType"`
+	IdCard            string   `xorm:"varchar(100) index" json:"idCard"`
+	Homepage          string   `xorm:"varchar(100)" json:"homepage"`
+	Bio               string   `xorm:"varchar(100)" json:"bio"`
+	Tag               string   `xorm:"varchar(100)" json:"tag"`
+	Language          string   `xorm:"varchar(100)" json:"language"`
+	Gender            string   `xorm:"varchar(100)" json:"gender"`
+	Birthday          string   `xorm:"varchar(100)" json:"birthday"`
+	Education         string   `xorm:"varchar(100)" json:"education"`
+	Score             int      `json:"score"`
+	Karma             int      `json:"karma"`
+	Ranking           int      `json:"ranking"`
+	IsDefaultAvatar   bool     `json:"isDefaultAvatar"`
+	IsOnline          bool     `json:"isOnline"`
+	IsAdmin           bool     `json:"isAdmin"`
+	IsForbidden       bool     `json:"isForbidden"`
+	IsDeleted         bool     `json:"isDeleted"`
+	SignupApplication string   `xorm:"varchar(100)" json:"signupApplication"`
+	Hash              string   `xorm:"varchar(100)" json:"hash"`
+	PreHash           string   `xorm:"varchar(100)" json:"preHash"`
+	AccessKey         string   `xorm:"varchar(100)" json:"accessKey"`
+	AccessSecret      string   `xorm:"varchar(100)" json:"accessSecret"`
+
+	GitHub   string `xorm:"github varchar(100)" json:"github"`
+	Google   string `xorm:"varchar(100)" json:"google"`
+	QQ       string `xorm:"qq varchar(100)" json:"qq"`
+	WeChat   string `xorm:"wechat varchar(100)" json:"wechat"`
+	Facebook string `xorm:"facebook varchar(100)" json:"facebook"`
+	DingTalk string `xorm:"dingtalk varchar(100)" json:"dingtalk"`
+	Weibo    string `xorm:"weibo varchar(100)" json:"weibo"`
+	Gitee    string `xorm:"gitee varchar(100)" json:"gitee"`
+	LinkedIn string `xorm:"linkedin varchar(100)" json:"linkedin"`
+	Wecom    string `xorm:"wecom varchar(100)" json:"wecom"`
+	Lark     string `xorm:"lark varchar(100)" json:"lark"`
+	Gitlab   string `xorm:"gitlab varchar(100)" json:"gitlab"`
+
+	CreatedIp      string `xorm:"varchar(100)" json:"createdIp"`
+	LastSigninTime string `xorm:"varchar(100)" json:"lastSigninTime"`
+	LastSigninIp   string `xorm:"varchar(100)" json:"lastSigninIp"`
+
+	// WebauthnCredentials []webauthn.Credential `xorm:"webauthnCredentials blob" json:"webauthnCredentials"`
+	PreferredMfaType string   `xorm:"varchar(100)" json:"preferredMfaType"`
+	RecoveryCodes    []string `xorm:"varchar(1000)" json:"recoveryCodes"`
+	TotpSecret       string   `xorm:"varchar(100)" json:"totpSecret"`
+	MfaPhoneEnabled  bool     `json:"mfaPhoneEnabled"`
+	MfaEmailEnabled  bool     `json:"mfaEmailEnabled"`
+	// MultiFactorAuths    []*MfaProps           `xorm:"-" json:"multiFactorAuths,omitempty"`
+
+	Ldap       string            `xorm:"ldap varchar(100)" json:"ldap"`
+	Properties map[string]string `json:"properties"`
+
+	Roles       []*Role       `json:"roles"`
+	Permissions []*Permission `json:"permissions"`
+	Groups      []string      `xorm:"groups varchar(1000)" json:"groups"`
+
+	LastSigninWrongTime string `xorm:"varchar(100)" json:"lastSigninWrongTime"`
+	SigninWrongTimes    int    `json:"signinWrongTimes"`
+
+	// ManagedAccounts []ManagedAccount `xorm:"managedAccounts blob" json:"managedAccounts"`
 }
 
 type ClaimsShort struct {
@@ -101,7 +135,7 @@ type ClaimsWithoutThirdIdp struct {
 	*UserWithoutThirdIdp
 	TokenType string `json:"tokenType,omitempty"`
 	Nonce     string `json:"nonce,omitempty"`
-	Tag       string `json:"tag,omitempty"`
+	Tag       string `json:"tag"`
 	Scope     string `json:"scope,omitempty"`
 	jwt.RegisteredClaims
 }
@@ -125,14 +159,18 @@ func getUserWithoutThirdIdp(user *User) *UserWithoutThirdIdp {
 		Type:              user.Type,
 		Password:          user.Password,
 		PasswordSalt:      user.PasswordSalt,
+		PasswordType:      user.PasswordType,
 		DisplayName:       user.DisplayName,
 		FirstName:         user.FirstName,
 		LastName:          user.LastName,
 		Avatar:            user.Avatar,
+		AvatarType:        user.AvatarType,
 		PermanentAvatar:   user.PermanentAvatar,
 		Email:             user.Email,
 		EmailVerified:     user.EmailVerified,
 		Phone:             user.Phone,
+		CountryCode:       user.CountryCode,
+		Region:            user.Region,
 		Location:          user.Location,
 		Address:           user.Address,
 		Affiliation:       user.Affiliation,
@@ -142,7 +180,6 @@ func getUserWithoutThirdIdp(user *User) *UserWithoutThirdIdp {
 		Homepage:          user.Homepage,
 		Bio:               user.Bio,
 		Tag:               user.Tag,
-		Region:            user.Region,
 		Language:          user.Language,
 		Gender:            user.Gender,
 		Birthday:          user.Birthday,
@@ -158,16 +195,38 @@ func getUserWithoutThirdIdp(user *User) *UserWithoutThirdIdp {
 		SignupApplication: user.SignupApplication,
 		Hash:              user.Hash,
 		PreHash:           user.PreHash,
+		AccessKey:         user.AccessKey,
+		AccessSecret:      user.AccessSecret,
+
+		GitHub:   user.GitHub,
+		Google:   user.Google,
+		QQ:       user.QQ,
+		WeChat:   user.WeChat,
+		Facebook: user.Facebook,
+		DingTalk: user.DingTalk,
+		Weibo:    user.Weibo,
+		Gitee:    user.Gitee,
+		LinkedIn: user.LinkedIn,
+		Wecom:    user.Wecom,
+		Lark:     user.Lark,
+		Gitlab:   user.Gitlab,
 
 		CreatedIp:      user.CreatedIp,
 		LastSigninTime: user.LastSigninTime,
 		LastSigninIp:   user.LastSigninIp,
 
+		PreferredMfaType: user.PreferredMfaType,
+		RecoveryCodes:    user.RecoveryCodes,
+		TotpSecret:       user.TotpSecret,
+		MfaPhoneEnabled:  user.MfaPhoneEnabled,
+		MfaEmailEnabled:  user.MfaEmailEnabled,
+
 		Ldap:       user.Ldap,
 		Properties: user.Properties,
 
 		Roles:       user.Roles,
 		Permissions: user.Permissions,
+		Groups:      user.Groups,
 
 		LastSigninWrongTime: user.LastSigninWrongTime,
 		SigninWrongTimes:    user.SigninWrongTimes,
@@ -309,6 +368,10 @@ func ParseJwtToken(token string, cert *Cert) (*Claims, error) {
 			return nil, fmt.Errorf("unexpected signing method: %v", token.Header["alg"])
 		}
 
+		if cert.Certificate == "" {
+			return nil, fmt.Errorf("the certificate field should not be empty for the cert: %v", cert)
+		}
+
 		// RSA certificate
 		certificate, err := jwt.ParseRSAPublicKeyFromPEM([]byte(cert.Certificate))
 		if err != nil {

object/user.go

@@ -16,6 +16,7 @@ package object
 
 import (
 	"fmt"
+	"strconv"
 	"strings"
 
 	"github.com/casdoor/casdoor/conf"
@@ -483,7 +484,7 @@ func GetMaskedUsers(users []*User, errs ...error) ([]*User, error) {
 	return users, nil
 }
 
-func GetLastUser(owner string) (*User, error) {
+func getLastUser(owner string) (*User, error) {
 	user := User{Owner: owner}
 	existed, err := ormer.Engine.Desc("created_time", "id").Get(&user)
 	if err != nil {
@@ -614,9 +615,18 @@ func UpdateUserForAllFields(id string, user *User) (bool, error) {
 }
 
 func AddUser(user *User) (bool, error) {
-	var err error
 	if user.Id == "" {
-		user.Id = util.GenerateId()
+		application, err := GetApplicationByUser(user)
+		if err != nil {
+			return false, err
+		}
+
+		id, err := GenerateIdForNewUser(application)
+		if err != nil {
+			return false, err
+		}
+
+		user.Id = id
 	}
 
 	if user.Owner == "" || user.Name == "" {
@@ -632,7 +642,7 @@ func AddUser(user *User) (bool, error) {
 		user.UpdateUserPassword(organization)
 	}
 
-	err = user.UpdateUserHash()
+	err := user.UpdateUserHash()
 	if err != nil {
 		return false, err
 	}
@@ -707,16 +717,15 @@ func AddUsersInBatch(users []*User) (bool, error) {
 	}
 
 	affected := false
-	for i := 0; i < (len(users)-1)/batchSize+1; i++ {
-		start := i * batchSize
-		end := (i + 1) * batchSize
+	for i := 0; i < len(users); i += batchSize {
+		start := i
+		end := i + batchSize
 		if end > len(users) {
 			end = len(users)
 		}
 
 		tmp := users[start:end]
-		// TODO: save to log instead of standard output
-		// fmt.Printf("Add users: [%d - %d].\n", start, end)
+		fmt.Printf("The syncer adds users: [%d - %d]\n", start, end)
 		if ok, err := AddUsers(tmp); err != nil {
 			return false, err
 		} else if ok {
@@ -786,7 +795,7 @@ func ExtendUserWithRolesAndPermissions(user *User) (err error) {
 		return
 	}
 
-	user.Permissions, user.Roles, err = GetPermissionsAndRolesByUser(user.GetId())
+	user.Permissions, user.Roles, err = getPermissionsAndRolesByUser(user.GetId())
 	if err != nil {
 		return err
 	}
@@ -900,3 +909,22 @@ func (user *User) IsGlobalAdmin() bool {
 
 	return user.Owner == "built-in"
 }
+
+func GenerateIdForNewUser(application *Application) (string, error) {
+	if application == nil || application.GetSignupItemRule("ID") != "Incremental" {
+		return util.GenerateId(), nil
+	}
+
+	lastUser, err := getLastUser(application.Organization)
+	if err != nil {
+		return "", err
+	}
+
+	lastUserId := -1
+	if lastUser != nil {
+		lastUserId = util.ParseInt(lastUser.Id)
+	}
+
+	res := strconv.Itoa(lastUserId + 1)
+	return res, nil
+}

object/user_avatar.go

@@ -35,7 +35,7 @@ func downloadImage(client *http.Client, url string) (*bytes.Buffer, string, erro
 	resp, err := client.Do(req)
 	if err != nil {
 		fmt.Printf("downloadImage() error for url [%s]: %s\n", url, err.Error())
-		if strings.Contains(err.Error(), "EOF") || strings.Contains(err.Error(), "no such host") {
+		if strings.Contains(err.Error(), "EOF") || strings.Contains(err.Error(), "no such host") || strings.Contains(err.Error(), "did not properly respond after a period of time") {
 			return nil, "", nil
 		} else {
 			return nil, "", err

object/user_enforcer.go

@@ -87,7 +87,7 @@ func (e *UserGroupEnforcer) GetAllUsersByGroup(group string) ([]string, error) {
 
 	users, err := e.enforcer.GetUsersForRole(GetGroupWithPrefix(group))
 	if err != nil {
-		if err == errors.ERR_NAME_NOT_FOUND {
+		if err == errors.ErrNameNotFound {
 			return []string{}, nil
 		}
 		return nil, err

object/user_upload.go

@@ -144,5 +144,6 @@ func UploadUsers(owner string, path string) (bool, error) {
 	if len(newUsers) == 0 {
 		return false, nil
 	}
+
 	return AddUsersInBatch(newUsers)
 }

object/user_util.go

@@ -320,6 +320,11 @@ func CheckPermissionForUpdateUser(oldUser, newUser *User, isAdmin bool, lang str
 		itemsChanged = append(itemsChanged, item)
 	}
 
+	if oldUser.Score != newUser.Score {
+		item := GetAccountItemByName("Score", organization)
+		itemsChanged = append(itemsChanged, item)
+	}
+
 	for i := range itemsChanged {
 		if pass, err := CheckAccountItemModifyRule(itemsChanged[i], isAdmin, lang); !pass {
 			return pass, err

pp/alipay.go

@@ -16,9 +16,9 @@ package pp
 
 import (
 	"context"
-	"net/http"
+	"encoding/json"
+	"fmt"
 
-	"github.com/casdoor/casdoor/util"
 	"github.com/go-pay/gopay"
 	"github.com/go-pay/gopay/alipay"
 )
@@ -28,6 +28,11 @@ type AlipayPaymentProvider struct {
 }
 
 func NewAlipayPaymentProvider(appId string, appCertificate string, appPrivateKey string, authorityPublicKey string, authorityRootPublicKey string) (*AlipayPaymentProvider, error) {
+	// clientId => appId
+	// cert.Certificate => appCertificate
+	// cert.PrivateKey => appPrivateKey
+	// rootCert.Certificate => authorityPublicKey
+	// rootCert.PrivateKey => authorityRootPublicKey
 	pp := &AlipayPaymentProvider{}
 
 	client, err := alipay.NewClient(appId, appPrivateKey, true)
@@ -46,54 +51,60 @@ func NewAlipayPaymentProvider(appId string, appCertificate string, appPrivateKey
 
 func (pp *AlipayPaymentProvider) Pay(providerName string, productName string, payerName string, paymentName string, productDisplayName string, price float64, currency string, returnUrl string, notifyUrl string) (string, string, error) {
 	// pp.Client.DebugSwitch = gopay.DebugOn
-
 	bm := gopay.BodyMap{}
-
-	bm.Set("providerName", providerName)
-	bm.Set("productName", productName)
-
-	bm.Set("return_url", returnUrl)
-	bm.Set("notify_url", notifyUrl)
-
-	bm.Set("subject", productDisplayName)
+	pp.Client.SetReturnUrl(returnUrl)
+	pp.Client.SetNotifyUrl(notifyUrl)
+	bm.Set("subject", joinAttachString([]string{productName, productDisplayName, providerName}))
 	bm.Set("out_trade_no", paymentName)
-	bm.Set("total_amount", getPriceString(price))
+	bm.Set("total_amount", priceFloat64ToString(price))
 
 	payUrl, err := pp.Client.TradePagePay(context.Background(), bm)
 	if err != nil {
 		return "", "", err
 	}
-	return payUrl, "", nil
+	return payUrl, paymentName, nil
 }
 
-func (pp *AlipayPaymentProvider) Notify(request *http.Request, body []byte, authorityPublicKey string, orderId string) (*NotifyResult, error) {
-	bm, err := alipay.ParseNotifyToBodyMap(request)
+func (pp *AlipayPaymentProvider) Notify(body []byte, orderId string) (*NotifyResult, error) {
+	bm := gopay.BodyMap{}
+	bm.Set("out_trade_no", orderId)
+	aliRsp, err := pp.Client.TradeQuery(context.Background(), bm)
+	notifyResult := &NotifyResult{}
 	if err != nil {
+		errRsp := &alipay.ErrorResponse{}
+		unmarshalErr := json.Unmarshal([]byte(err.Error()), errRsp)
+		if unmarshalErr != nil {
+			return nil, err
+		}
+		if errRsp.SubCode == "ACQ.TRADE_NOT_EXIST" {
+			notifyResult.PaymentStatus = PaymentStateCanceled
+			return notifyResult, nil
+		}
 		return nil, err
 	}
-
-	providerName := bm.Get("providerName")
-	productName := bm.Get("productName")
-
-	productDisplayName := bm.Get("subject")
-	paymentName := bm.Get("out_trade_no")
-	price := util.ParseFloat(bm.Get("total_amount"))
-
-	ok, err := alipay.VerifySignWithCert(authorityPublicKey, bm)
-	if err != nil {
-		return nil, err
+	switch aliRsp.Response.TradeStatus {
+	case "WAIT_BUYER_PAY":
+		notifyResult.PaymentStatus = PaymentStateCreated
+		return notifyResult, nil
+	case "TRADE_CLOSED":
+		notifyResult.PaymentStatus = PaymentStateTimeout
+		return notifyResult, nil
+	case "TRADE_SUCCESS":
+		// skip
+	default:
+		notifyResult.PaymentStatus = PaymentStateError
+		notifyResult.NotifyMessage = fmt.Sprintf("unexpected alipay trade state: %v", aliRsp.Response.TradeStatus)
+		return notifyResult, nil
 	}
-	if !ok {
-		return nil, err
-	}
-	notifyResult := &NotifyResult{
+	productDisplayName, productName, providerName, _ := parseAttachString(aliRsp.Response.Subject)
+	notifyResult = &NotifyResult{
 		ProductName:        productName,
 		ProductDisplayName: productDisplayName,
 		ProviderName:       providerName,
 		OrderId:            orderId,
 		PaymentStatus:      PaymentStatePaid,
-		Price:              price,
-		PaymentName:        paymentName,
+		Price:              priceStringToFloat64(aliRsp.Response.TotalAmount),
+		PaymentName:        orderId,
 	}
 	return notifyResult, nil
 }

pp/dummy.go

@@ -14,8 +14,6 @@
 
 package pp
 
-import "net/http"
-
 type DummyPaymentProvider struct{}
 
 func NewDummyPaymentProvider() (*DummyPaymentProvider, error) {
@@ -27,7 +25,7 @@ func (pp *DummyPaymentProvider) Pay(providerName string, productName string, pay
 	return returnUrl, "", nil
 }
 
-func (pp *DummyPaymentProvider) Notify(request *http.Request, body []byte, authorityPublicKey string, orderId string) (*NotifyResult, error) {
+func (pp *DummyPaymentProvider) Notify(body []byte, orderId string) (*NotifyResult, error) {
 	return &NotifyResult{
 		PaymentStatus: PaymentStatePaid,
 	}, nil

pp/gc.go

@@ -216,7 +216,7 @@ func (pp *GcPaymentProvider) Pay(providerName string, productName string, payerN
 	return payRespInfo.PayUrl, "", nil
 }
 
-func (pp *GcPaymentProvider) Notify(request *http.Request, body []byte, authorityPublicKey string, orderId string) (*NotifyResult, error) {
+func (pp *GcPaymentProvider) Notify(body []byte, orderId string) (*NotifyResult, error) {
 	reqBody := GcRequestBody{}
 	m, err := url.ParseQuery(string(body))
 	if err != nil {

pp/paypal.go

@@ -18,7 +18,6 @@ import (
 	"context"
 	"errors"
 	"fmt"
-	"net/http"
 	"strconv"
 
 	"github.com/casdoor/casdoor/conf"
@@ -88,7 +87,7 @@ func (pp *PaypalPaymentProvider) Pay(providerName string, productName string, pa
 	return ppRsp.Response.Links[1].Href, ppRsp.Response.Id, nil
 }
 
-func (pp *PaypalPaymentProvider) Notify(request *http.Request, body []byte, authorityPublicKey string, orderId string) (*NotifyResult, error) {
+func (pp *PaypalPaymentProvider) Notify(body []byte, orderId string) (*NotifyResult, error) {
 	notifyResult := &NotifyResult{}
 	captureRsp, err := pp.Client.OrderCapture(context.Background(), orderId, nil)
 	if err != nil {

pp/provider.go

@@ -14,8 +14,6 @@
 
 package pp
 
-import "net/http"
-
 type PaymentState string
 
 const (
@@ -42,45 +40,7 @@ type NotifyResult struct {
 
 type PaymentProvider interface {
 	Pay(providerName string, productName string, payerName string, paymentName string, productDisplayName string, price float64, currency string, returnUrl string, notifyUrl string) (string, string, error)
-	Notify(request *http.Request, body []byte, authorityPublicKey string, orderId string) (*NotifyResult, error)
+	Notify(body []byte, orderId string) (*NotifyResult, error)
 	GetInvoice(paymentName string, personName string, personIdCard string, personEmail string, personPhone string, invoiceType string, invoiceTitle string, invoiceTaxId string) (string, error)
 	GetResponseError(err error) string
 }
-
-func GetPaymentProvider(typ string, clientId string, clientSecret string, host string, appCertificate string, appPrivateKey string, authorityPublicKey string, authorityRootPublicKey string, clientId2 string) (PaymentProvider, error) {
-	if typ == "Dummy" {
-		pp, err := NewDummyPaymentProvider()
-		if err != nil {
-			return nil, err
-		}
-		return pp, nil
-	} else if typ == "Alipay" {
-		pp, err := NewAlipayPaymentProvider(clientId, appCertificate, appPrivateKey, authorityPublicKey, authorityRootPublicKey)
-		if err != nil {
-			return nil, err
-		}
-		return pp, nil
-	} else if typ == "GC" {
-		return NewGcPaymentProvider(clientId, clientSecret, host), nil
-	} else if typ == "WeChat Pay" {
-		pp, err := NewWechatPaymentProvider(clientId, clientSecret, clientId2, appCertificate, appPrivateKey)
-		if err != nil {
-			return nil, err
-		}
-		return pp, nil
-	} else if typ == "PayPal" {
-		pp, err := NewPaypalPaymentProvider(clientId, clientSecret)
-		if err != nil {
-			return nil, err
-		}
-		return pp, nil
-	} else if typ == "Stripe" {
-		pp, err := NewStripePaymentProvider(clientId, clientSecret)
-		if err != nil {
-			return nil, err
-		}
-		return pp, nil
-	}
-
-	return nil, nil
-}

pp/stripe.go

@@ -16,7 +16,6 @@ package pp
 
 import (
 	"fmt"
-	"net/http"
 	"time"
 
 	"github.com/casdoor/casdoor/conf"
@@ -94,7 +93,7 @@ func (pp *StripePaymentProvider) Pay(providerName string, productName string, pa
 	return sCheckout.URL, sCheckout.ID, nil
 }
 
-func (pp *StripePaymentProvider) Notify(request *http.Request, body []byte, authorityPublicKey string, orderId string) (*NotifyResult, error) {
+func (pp *StripePaymentProvider) Notify(body []byte, orderId string) (*NotifyResult, error) {
 	notifyResult := &NotifyResult{}
 	sCheckout, err := stripeCheckout.Get(orderId, nil)
 	if err != nil {

pp/util.go

@@ -49,3 +49,11 @@ func priceFloat64ToInt64(price float64) int64 {
 func priceFloat64ToString(price float64) string {
 	return strconv.FormatFloat(price, 'f', 2, 64)
 }
+
+func priceStringToFloat64(price string) float64 {
+	f, err := strconv.ParseFloat(price, 64)
+	if err != nil {
+		panic(err)
+	}
+	return f
+}

pp/wechatpay.go

@@ -18,7 +18,6 @@ import (
 	"context"
 	"errors"
 	"fmt"
-	"net/http"
 
 	"github.com/casdoor/casdoor/util"
 	"github.com/go-pay/gopay"
@@ -87,7 +86,7 @@ func (pp *WechatPaymentProvider) Pay(providerName string, productName string, pa
 	return nativeRsp.Response.CodeUrl, paymentName, nil // Wechat can use paymentName as the OutTradeNo to query order status
 }
 
-func (pp *WechatPaymentProvider) Notify(request *http.Request, body []byte, authorityPublicKey string, orderId string) (*NotifyResult, error) {
+func (pp *WechatPaymentProvider) Notify(body []byte, orderId string) (*NotifyResult, error) {
 	notifyResult := &NotifyResult{}
 	queryRsp, err := pp.Client.V3TransactionQueryOrder(context.Background(), wechat.OutTradeNo, orderId)
 	if err != nil {

radius/server.go

@@ -0,0 +1,109 @@
+// Copyright 2023 The Casdoor Authors. All Rights Reserved.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//      http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package radius
+
+import (
+	"fmt"
+	"log"
+
+	"github.com/casdoor/casdoor/conf"
+	"github.com/casdoor/casdoor/object"
+	"layeh.com/radius"
+	"layeh.com/radius/rfc2865"
+	"layeh.com/radius/rfc2866"
+)
+
+// https://support.huawei.com/enterprise/zh/doc/EDOC1000178159/35071f9a#tab_3
+func StartRadiusServer() {
+	secret := conf.GetConfigString("radiusSecret")
+	server := radius.PacketServer{
+		Addr:         "0.0.0.0:" + conf.GetConfigString("radiusServerPort"),
+		Handler:      radius.HandlerFunc(handlerRadius),
+		SecretSource: radius.StaticSecretSource([]byte(secret)),
+	}
+	log.Printf("Starting Radius server on %s", server.Addr)
+	if err := server.ListenAndServe(); err != nil {
+		log.Printf("StartRadiusServer() failed, err = %v", err)
+	}
+}
+
+func handlerRadius(w radius.ResponseWriter, r *radius.Request) {
+	switch r.Code {
+	case radius.CodeAccessRequest:
+		handleAccessRequest(w, r)
+	case radius.CodeAccountingRequest:
+		handleAccountingRequest(w, r)
+	default:
+		log.Printf("radius message, code = %d", r.Code)
+	}
+}
+
+func handleAccessRequest(w radius.ResponseWriter, r *radius.Request) {
+	username := rfc2865.UserName_GetString(r.Packet)
+	password := rfc2865.UserPassword_GetString(r.Packet)
+	organization := rfc2865.Class_GetString(r.Packet)
+	log.Printf("handleAccessRequest() username=%v, org=%v, password=%v", username, organization, password)
+	if organization == "" {
+		w.Write(r.Response(radius.CodeAccessReject))
+		return
+	}
+	_, msg := object.CheckUserPassword(organization, username, password, "en")
+	if msg != "" {
+		w.Write(r.Response(radius.CodeAccessReject))
+		return
+	}
+	w.Write(r.Response(radius.CodeAccessAccept))
+}
+
+func handleAccountingRequest(w radius.ResponseWriter, r *radius.Request) {
+	statusType := rfc2866.AcctStatusType_Get(r.Packet)
+	username := rfc2865.UserName_GetString(r.Packet)
+	organization := rfc2865.Class_GetString(r.Packet)
+	log.Printf("handleAccountingRequest() username=%v, org=%v, statusType=%v", username, organization, statusType)
+	w.Write(r.Response(radius.CodeAccountingResponse))
+	var err error
+	defer func() {
+		if err != nil {
+			log.Printf("handleAccountingRequest() failed, err = %v", err)
+		}
+	}()
+	switch statusType {
+	case rfc2866.AcctStatusType_Value_Start:
+		// Start an accounting session
+		ra := GetAccountingFromRequest(r)
+		err = object.AddRadiusAccounting(ra)
+	case rfc2866.AcctStatusType_Value_InterimUpdate, rfc2866.AcctStatusType_Value_Stop:
+		// Interim update to an accounting session | Stop an accounting session
+		var (
+			newRa = GetAccountingFromRequest(r)
+			oldRa *object.RadiusAccounting
+		)
+		oldRa, err = object.GetRadiusAccountingBySessionId(newRa.AcctSessionId)
+		if err != nil {
+			return
+		}
+		if oldRa == nil {
+			if err = object.AddRadiusAccounting(newRa); err != nil {
+				return
+			}
+		}
+		stop := statusType == rfc2866.AcctStatusType_Value_Stop
+		err = object.InterimUpdateRadiusAccounting(oldRa, newRa, stop)
+	case rfc2866.AcctStatusType_Value_AccountingOn, rfc2866.AcctStatusType_Value_AccountingOff:
+		// By default, no Accounting-On or Accounting-Off messages are sent (no acct-on-off).
+	default:
+		err = fmt.Errorf("unsupport statusType = %v", statusType)
+	}
+}

radius/server_test.go

@@ -0,0 +1,54 @@
+// Copyright 2023 The Casdoor Authors. All Rights Reserved.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//      http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+//go:build !skipCi
+// +build !skipCi
+
+package radius
+
+import (
+	"context"
+	"testing"
+
+	"layeh.com/radius"
+	"layeh.com/radius/rfc2865"
+)
+
+func TestAccessRequestRejected(t *testing.T) {
+	packet := radius.New(radius.CodeAccessRequest, []byte(`secret`))
+	rfc2865.UserName_SetString(packet, "admin")
+	rfc2865.UserPassword_SetString(packet, "12345")
+	rfc2865.Class_SetString(packet, "built-in")
+	response, err := radius.Exchange(context.Background(), packet, "localhost:1812")
+	if err != nil {
+		t.Fatal(err)
+	}
+	if response.Code != radius.CodeAccessReject {
+		t.Fatalf("Expected %v, got %v", radius.CodeAccessReject, response.Code)
+	}
+}
+
+func TestAccessRequestAccepted(t *testing.T) {
+	packet := radius.New(radius.CodeAccessRequest, []byte(`secret`))
+	rfc2865.UserName_SetString(packet, "admin")
+	rfc2865.UserPassword_SetString(packet, "123")
+	rfc2865.Class_SetString(packet, "built-in")
+	response, err := radius.Exchange(context.Background(), packet, "localhost:1812")
+	if err != nil {
+		t.Fatal(err)
+	}
+	if response.Code != radius.CodeAccessAccept {
+		t.Fatalf("Expected %v, got %v", radius.CodeAccessAccept, response.Code)
+	}
+}

radius/util.go

@@ -0,0 +1,67 @@
+// Copyright 2023 The Casdoor Authors. All Rights Reserved.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//      http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package radius
+
+import (
+	"fmt"
+	"time"
+
+	"github.com/casdoor/casdoor/object"
+	"github.com/casdoor/casdoor/util"
+	"layeh.com/radius"
+	"layeh.com/radius/rfc2865"
+	"layeh.com/radius/rfc2866"
+	"layeh.com/radius/rfc2869"
+)
+
+func GetAccountingFromRequest(r *radius.Request) *object.RadiusAccounting {
+	acctInputOctets := int(rfc2866.AcctInputOctets_Get(r.Packet))
+	acctInputGigawords := int(rfc2869.AcctInputGigawords_Get(r.Packet))
+	acctOutputOctets := int(rfc2866.AcctOutputOctets_Get(r.Packet))
+	acctOutputGigawords := int(rfc2869.AcctOutputGigawords_Get(r.Packet))
+	organization := rfc2865.Class_GetString(r.Packet)
+	getAcctStartTime := func(sessionTime int) time.Time {
+		m, _ := time.ParseDuration(fmt.Sprintf("-%ds", sessionTime))
+		return time.Now().Add(m)
+	}
+	ra := &object.RadiusAccounting{
+		Owner:       organization,
+		Name:        "ra_" + util.GenerateId()[:6],
+		CreatedTime: time.Now(),
+
+		Username:    rfc2865.UserName_GetString(r.Packet),
+		ServiceType: int64(rfc2865.ServiceType_Get(r.Packet)),
+
+		NasId:       rfc2865.NASIdentifier_GetString(r.Packet),
+		NasIpAddr:   rfc2865.NASIPAddress_Get(r.Packet).String(),
+		NasPortId:   rfc2869.NASPortID_GetString(r.Packet),
+		NasPortType: int64(rfc2865.NASPortType_Get(r.Packet)),
+		NasPort:     int64(rfc2865.NASPort_Get(r.Packet)),
+
+		FramedIpAddr:    rfc2865.FramedIPAddress_Get(r.Packet).String(),
+		FramedIpNetmask: rfc2865.FramedIPNetmask_Get(r.Packet).String(),
+
+		AcctSessionId:      rfc2866.AcctSessionID_GetString(r.Packet),
+		AcctSessionTime:    int64(rfc2866.AcctSessionTime_Get(r.Packet)),
+		AcctInputTotal:     int64(acctInputOctets) + int64(acctInputGigawords)*4*1024*1024*1024,
+		AcctOutputTotal:    int64(acctOutputOctets) + int64(acctOutputGigawords)*4*1024*1024*1024,
+		AcctInputPackets:   int64(rfc2866.AcctInputPackets_Get(r.Packet)),
+		AcctOutputPackets:  int64(rfc2866.AcctInputPackets_Get(r.Packet)),
+		AcctStartTime:      getAcctStartTime(int(rfc2866.AcctSessionTime_Get(r.Packet))),
+		AcctTerminateCause: int64(rfc2866.AcctTerminateCause_Get(r.Packet)),
+		LastUpdate:         time.Now(),
+	}
+	return ra
+}

routers/base.go

@@ -16,6 +16,9 @@ package routers
 
 import (
 	"fmt"
+	"net"
+	"net/http"
+	"net/url"
 	"strings"
 
 	"github.com/beego/beego/context"
@@ -33,6 +36,8 @@ type Response struct {
 }
 
 func responseError(ctx *context.Context, error string, data ...interface{}) {
+	ctx.ResponseWriter.WriteHeader(http.StatusForbidden)
+
 	resp := Response{Status: "error", Msg: error}
 	switch len(data) {
 	case 2:
@@ -151,3 +156,39 @@ func parseBearerToken(ctx *context.Context) string {
 
 	return tokens[1]
 }
+
+func getHostname(s string) string {
+	if s == "" {
+		return ""
+	}
+
+	l, err := url.Parse(s)
+	if err != nil {
+		panic(err)
+	}
+
+	res := l.Hostname()
+	return res
+}
+
+func removePort(s string) string {
+	ipStr, _, err := net.SplitHostPort(s)
+	if err != nil {
+		ipStr = s
+	}
+	return ipStr
+}
+
+func isHostIntranet(s string) bool {
+	ipStr, _, err := net.SplitHostPort(s)
+	if err != nil {
+		ipStr = s
+	}
+
+	ip := net.ParseIP(ipStr)
+	if ip == nil {
+		return false
+	}
+
+	return ip.IsPrivate()
+}

routers/cors_filter.go

@@ -16,6 +16,7 @@ package routers
 
 import (
 	"net/http"
+	"strings"
 
 	"github.com/beego/beego/context"
 	"github.com/casdoor/casdoor/conf"
@@ -29,35 +30,56 @@ const (
 	headerAllowHeaders = "Access-Control-Allow-Headers"
 )
 
+func setCorsHeaders(ctx *context.Context, origin string) {
+	ctx.Output.Header(headerAllowOrigin, origin)
+	ctx.Output.Header(headerAllowMethods, "POST, GET, OPTIONS, DELETE")
+	ctx.Output.Header(headerAllowHeaders, "Content-Type, Authorization")
+
+	if ctx.Input.Method() == "OPTIONS" {
+		ctx.ResponseWriter.WriteHeader(http.StatusOK)
+	}
+}
+
 func CorsFilter(ctx *context.Context) {
 	origin := ctx.Input.Header(headerOrigin)
 	originConf := conf.GetConfigString("origin")
+	originHostname := getHostname(origin)
+	host := removePort(ctx.Request.Host)
 
-	if ctx.Request.Method == "POST" && ctx.Request.RequestURI == "/api/login/oauth/access_token" {
-		ctx.Output.Header(headerAllowOrigin, origin)
-		ctx.Output.Header(headerAllowMethods, "POST, GET, OPTIONS, DELETE")
-		ctx.Output.Header(headerAllowHeaders, "Content-Type, Authorization")
+	if strings.HasPrefix(origin, "http://localhost") || strings.HasPrefix(origin, "https://localhost") || strings.HasPrefix(origin, "http://127.0.0.1") || strings.HasPrefix(origin, "http://casdoor-app") {
+		setCorsHeaders(ctx, origin)
 		return
 	}
 
-	if origin != "" && originConf != "" && origin != originConf {
-		ok, err := object.IsOriginAllowed(origin)
-		if err != nil {
-			panic(err)
-		}
+	if ctx.Request.Method == "POST" && ctx.Request.RequestURI == "/api/login/oauth/access_token" {
+		setCorsHeaders(ctx, origin)
+		return
+	}
 
-		if ok {
-			ctx.Output.Header(headerAllowOrigin, origin)
-			ctx.Output.Header(headerAllowMethods, "POST, GET, OPTIONS, DELETE")
-			ctx.Output.Header(headerAllowHeaders, "Content-Type, Authorization")
+	if ctx.Request.RequestURI == "/api/userinfo" {
+		setCorsHeaders(ctx, origin)
+		return
+	}
+
+	if origin != "" {
+		if origin == originConf {
+			setCorsHeaders(ctx, origin)
+		} else if originHostname == host {
+			setCorsHeaders(ctx, origin)
+		} else if isHostIntranet(host) {
+			setCorsHeaders(ctx, origin)
 		} else {
-			ctx.ResponseWriter.WriteHeader(http.StatusForbidden)
-			return
-		}
+			ok, err := object.IsOriginAllowed(origin)
+			if err != nil {
+				panic(err)
+			}
 
-		if ctx.Input.Method() == "OPTIONS" {
-			ctx.ResponseWriter.WriteHeader(http.StatusOK)
-			return
+			if ok {
+				setCorsHeaders(ctx, origin)
+			} else {
+				ctx.ResponseWriter.WriteHeader(http.StatusForbidden)
+				return
+			}
 		}
 	}
 

routers/router.go

@@ -63,6 +63,7 @@ func initAPI() {
 	beego.Router("/api/webhook", &controllers.ApiController{}, "POST:HandleOfficialAccountEvent")
 	beego.Router("/api/get-webhook-event", &controllers.ApiController{}, "GET:GetWebhookEventType")
 	beego.Router("/api/get-captcha-status", &controllers.ApiController{}, "GET:GetCaptchaStatus")
+	beego.Router("/api/callback", &controllers.ApiController{}, "POST:Callback")
 
 	beego.Router("/api/get-organizations", &controllers.ApiController{}, "GET:GetOrganizations")
 	beego.Router("/api/get-organization", &controllers.ApiController{}, "GET:GetOrganization")
@@ -247,10 +248,10 @@ func initAPI() {
 	beego.Router("/api/send-sms", &controllers.ApiController{}, "POST:SendSms")
 	beego.Router("/api/send-notification", &controllers.ApiController{}, "POST:SendNotification")
 
-	beego.Router("/api/webauthn/signup/begin", &controllers.ApiController{}, "Get:WebAuthnSignupBegin")
-	beego.Router("/api/webauthn/signup/finish", &controllers.ApiController{}, "Post:WebAuthnSignupFinish")
-	beego.Router("/api/webauthn/signin/begin", &controllers.ApiController{}, "Get:WebAuthnSigninBegin")
-	beego.Router("/api/webauthn/signin/finish", &controllers.ApiController{}, "Post:WebAuthnSigninFinish")
+	beego.Router("/api/webauthn/signup/begin", &controllers.ApiController{}, "GET:WebAuthnSignupBegin")
+	beego.Router("/api/webauthn/signup/finish", &controllers.ApiController{}, "POST:WebAuthnSignupFinish")
+	beego.Router("/api/webauthn/signin/begin", &controllers.ApiController{}, "GET:WebAuthnSigninBegin")
+	beego.Router("/api/webauthn/signin/finish", &controllers.ApiController{}, "POST:WebAuthnSigninFinish")
 
 	beego.Router("/api/mfa/setup/initiate", &controllers.ApiController{}, "POST:MfaSetupInitiate")
 	beego.Router("/api/mfa/setup/verify", &controllers.ApiController{}, "POST:MfaSetupVerify")

routers/static_filter.go

@@ -33,8 +33,19 @@ var (
 	oldStaticBaseUrl = "https://cdn.casbin.org"
 	newStaticBaseUrl = conf.GetConfigString("staticBaseUrl")
 	enableGzip       = conf.GetConfigBool("enableGzip")
+	frontendBaseDir  = conf.GetConfigString("frontendBaseDir")
 )
 
+func getWebBuildFolder() string {
+	path := "web/build"
+	if util.FileExist(filepath.Join(path, "index.html")) || frontendBaseDir == "" {
+		return path
+	}
+
+	path = filepath.Join(frontendBaseDir, "web/build")
+	return path
+}
+
 func StaticFilter(ctx *context.Context) {
 	urlPath := ctx.Request.URL.Path
 
@@ -49,7 +60,8 @@ func StaticFilter(ctx *context.Context) {
 		return
 	}
 
-	path := "web/build"
+	webBuildFolder := getWebBuildFolder()
+	path := webBuildFolder
 	if urlPath == "/" {
 		path += "/index.html"
 	} else {
@@ -57,7 +69,7 @@ func StaticFilter(ctx *context.Context) {
 	}
 
 	if !util.FileExist(path) {
-		path = "web/build/index.html"
+		path = webBuildFolder + "/index.html"
 	}
 	if !util.FileExist(path) {
 		dir, err := os.Getwd()

util/string.go

@@ -300,3 +300,12 @@ func GetValueFromDataSourceName(key string, dataSourceName string) string {
 
 	return ""
 }
+
+func GetUsernameFromEmail(email string) string {
+	tokens := strings.Split(email, "@")
+	if len(tokens) == 0 {
+		return uuid.NewString()
+	} else {
+		return tokens[0]
+	}
+}

web/src/AdapterEditPage.js

@@ -13,7 +13,7 @@
 // limitations under the License.
 
 import React from "react";
-import {Button, Card, Col, Input, InputNumber, Row, Select} from "antd";
+import {Button, Card, Col, Input, InputNumber, Row, Select, Switch} from "antd";
 import * as AdapterBackend from "./backend/AdapterBackend";
 import * as OrganizationBackend from "./backend/OrganizationBackend";
 import * as Setting from "./Setting";
@@ -81,56 +81,6 @@ class AdapterEditPage extends React.Component {
     });
   }
 
-  renderDataSourceNameConfig() {
-    if (Setting.builtInObject(this.state.adapter)) {
-      return null;
-    }
-    return (
-      <React.Fragment>
-        <Row style={{marginTop: "20px"}} >
-          <Col style={{marginTop: "5px"}} span={(Setting.isMobile()) ? 22 : 2}>
-            {Setting.getLabel(i18next.t("provider:Host"), i18next.t("provider:Host - Tooltip"))} :
-          </Col>
-          <Col span={22} >
-            <Input value={this.state.adapter.host} onChange={e => {
-              this.updateAdapterField("host", e.target.value);
-            }} />
-          </Col>
-        </Row>
-        <Row style={{marginTop: "20px"}} >
-          <Col style={{marginTop: "5px"}} span={(Setting.isMobile()) ? 22 : 2}>
-            {Setting.getLabel(i18next.t("provider:Port"), i18next.t("provider:Port - Tooltip"))} :
-          </Col>
-          <Col span={22} >
-            <InputNumber value={this.state.adapter.port} min={0} max={65535} onChange={value => {
-              this.updateAdapterField("port", value);
-            }} />
-          </Col>
-        </Row>
-        <Row style={{marginTop: "20px"}} >
-          <Col style={{marginTop: "5px"}} span={(Setting.isMobile()) ? 22 : 2}>
-            {Setting.getLabel(i18next.t("general:User"), i18next.t("general:User - Tooltip"))} :
-          </Col>
-          <Col span={22} >
-            <Input value={this.state.adapter.user} onChange={e => {
-              this.updateAdapterField("user", e.target.value);
-            }} />
-          </Col>
-        </Row>
-        <Row style={{marginTop: "20px"}} >
-          <Col style={{marginTop: "5px"}} span={(Setting.isMobile()) ? 22 : 2}>
-            {Setting.getLabel(i18next.t("general:Password"), i18next.t("general:Password - Tooltip"))} :
-          </Col>
-          <Col span={22} >
-            <Input value={this.state.adapter.password} onChange={e => {
-              this.updateAdapterField("password", e.target.value);
-            }} />
-          </Col>
-        </Row>
-      </React.Fragment>
-    );
-  }
-
   renderAdapter() {
     return (
       <Card size="small" title={
@@ -165,55 +115,6 @@ class AdapterEditPage extends React.Component {
             }} />
           </Col>
         </Row>
-        <Row style={{marginTop: "20px"}} >
-          <Col style={{marginTop: "5px"}} span={(Setting.isMobile()) ? 22 : 2}>
-            {Setting.getLabel(i18next.t("provider:Type"), i18next.t("provider:Type - Tooltip"))} :
-          </Col>
-          <Col span={22} >
-            <Select virtual={false} disabled={Setting.builtInObject(this.state.adapter)} style={{width: "100%"}} value={this.state.adapter.type} onChange={(value => {
-              this.updateAdapterField("type", value);
-              const adapter = this.state.adapter;
-              // adapter["tableColumns"] = Setting.getAdapterTableColumns(this.state.adapter);
-              this.setState({
-                adapter: adapter,
-              });
-            })}>
-              {
-                ["Database"]
-                  .map((item, index) => <Option key={index} value={item}>{item}</Option>)
-              }
-            </Select>
-          </Col>
-        </Row>
-        <Row style={{marginTop: "20px"}} >
-          <Col style={{marginTop: "5px"}} span={(Setting.isMobile()) ? 22 : 2}>
-            {Setting.getLabel(i18next.t("syncer:Database type"), i18next.t("syncer:Database type - Tooltip"))} :
-          </Col>
-          <Col span={22} >
-            <Select virtual={false} disabled={Setting.builtInObject(this.state.adapter)} style={{width: "100%"}} value={this.state.adapter.databaseType} onChange={(value => {this.updateAdapterField("databaseType", value);})}>
-              {
-                [
-                  {id: "mysql", name: "MySQL"},
-                  {id: "postgres", name: "PostgreSQL"},
-                  {id: "mssql", name: "SQL Server"},
-                  {id: "oracle", name: "Oracle"},
-                  {id: "sqlite3", name: "Sqlite 3"},
-                ].map((databaseType, index) => <Option key={index} value={databaseType.id}>{databaseType.name}</Option>)
-              }
-            </Select>
-          </Col>
-        </Row>
-        {this.state.adapter.type === "Database" ? this.renderDataSourceNameConfig() : null}
-        <Row style={{marginTop: "20px"}} >
-          <Col style={{marginTop: "5px"}} span={(Setting.isMobile()) ? 22 : 2}>
-            {Setting.getLabel(i18next.t("syncer:Database"), i18next.t("syncer:Database - Tooltip"))} :
-          </Col>
-          <Col span={22} >
-            <Input disabled={Setting.builtInObject(this.state.adapter)} value={this.state.adapter.database} onChange={e => {
-              this.updateAdapterField("database", e.target.value);
-            }} />
-          </Col>
-        </Row>
         <Row style={{marginTop: "20px"}} >
           <Col style={{marginTop: "5px"}} span={(Setting.isMobile()) ? 22 : 2}>
             {Setting.getLabel(i18next.t("syncer:Table"), i18next.t("syncer:Table - Tooltip"))} :
@@ -225,9 +126,130 @@ class AdapterEditPage extends React.Component {
               }} />
           </Col>
         </Row>
+        <Row style={{marginTop: "20px"}} >
+          <Col style={{marginTop: "5px"}} span={(Setting.isMobile()) ? 19 : 2}>
+            {Setting.getLabel(i18next.t("adapter:Use same DB"), i18next.t("adapter:Use same DB - Tooltip"))} :
+          </Col>
+          <Col span={1} >
+            <Switch disabled={Setting.builtInObject(this.state.adapter)} checked={this.state.adapter.useSameDb || Setting.builtInObject(this.state.adapter)} onChange={checked => {
+              this.updateAdapterField("useSameDb", checked);
+              if (checked) {
+                this.updateAdapterField("type", "");
+                this.updateAdapterField("databaseType", "");
+                this.updateAdapterField("host", "");
+                this.updateAdapterField("port", 0);
+                this.updateAdapterField("user", "");
+                this.updateAdapterField("password", "");
+                this.updateAdapterField("database", "");
+              } else {
+                this.updateAdapterField("type", "Database");
+                this.updateAdapterField("databaseType", "mysql");
+                this.updateAdapterField("host", "localhost");
+                this.updateAdapterField("port", 3306);
+                this.updateAdapterField("user", "root");
+                this.updateAdapterField("password", "123456");
+                this.updateAdapterField("database", "dbName");
+              }
+            }} />
+          </Col>
+        </Row>
+        {
+          (this.state.adapter.useSameDb || Setting.builtInObject(this.state.adapter)) ? null : (
+            <React.Fragment>
+              <Row style={{marginTop: "20px"}} >
+                <Col style={{marginTop: "5px"}} span={(Setting.isMobile()) ? 22 : 2}>
+                  {Setting.getLabel(i18next.t("provider:Type"), i18next.t("provider:Type - Tooltip"))} :
+                </Col>
+                <Col span={22} >
+                  <Select virtual={false} disabled={Setting.builtInObject(this.state.adapter)} style={{width: "100%"}} value={this.state.adapter.type} onChange={(value => {
+                    this.updateAdapterField("type", value);
+                    const adapter = this.state.adapter;
+                    // adapter["tableColumns"] = Setting.getAdapterTableColumns(this.state.adapter);
+                    this.setState({
+                      adapter: adapter,
+                    });
+                  })}>
+                    {
+                      ["Database"]
+                        .map((item, index) => <Option key={index} value={item}>{item}</Option>)
+                    }
+                  </Select>
+                </Col>
+              </Row>
+              <Row style={{marginTop: "20px"}} >
+                <Col style={{marginTop: "5px"}} span={(Setting.isMobile()) ? 22 : 2}>
+                  {Setting.getLabel(i18next.t("syncer:Database type"), i18next.t("syncer:Database type - Tooltip"))} :
+                </Col>
+                <Col span={22} >
+                  <Select virtual={false} disabled={Setting.builtInObject(this.state.adapter)} style={{width: "100%"}} value={this.state.adapter.databaseType} onChange={(value => {this.updateAdapterField("databaseType", value);})}>
+                    {
+                      [
+                        {id: "mysql", name: "MySQL"},
+                        {id: "postgres", name: "PostgreSQL"},
+                        {id: "mssql", name: "SQL Server"},
+                        {id: "oracle", name: "Oracle"},
+                        {id: "sqlite3", name: "Sqlite 3"},
+                      ].map((databaseType, index) => <Option key={index} value={databaseType.id}>{databaseType.name}</Option>)
+                    }
+                  </Select>
+                </Col>
+              </Row>
+              <Row style={{marginTop: "20px"}} >
+                <Col style={{marginTop: "5px"}} span={(Setting.isMobile()) ? 22 : 2}>
+                  {Setting.getLabel(i18next.t("provider:Host"), i18next.t("provider:Host - Tooltip"))} :
+                </Col>
+                <Col span={22} >
+                  <Input value={this.state.adapter.host} onChange={e => {
+                    this.updateAdapterField("host", e.target.value);
+                  }} />
+                </Col>
+              </Row>
+              <Row style={{marginTop: "20px"}} >
+                <Col style={{marginTop: "5px"}} span={(Setting.isMobile()) ? 22 : 2}>
+                  {Setting.getLabel(i18next.t("provider:Port"), i18next.t("provider:Port - Tooltip"))} :
+                </Col>
+                <Col span={22} >
+                  <InputNumber value={this.state.adapter.port} min={0} max={65535} onChange={value => {
+                    this.updateAdapterField("port", value);
+                  }} />
+                </Col>
+              </Row>
+              <Row style={{marginTop: "20px"}} >
+                <Col style={{marginTop: "5px"}} span={(Setting.isMobile()) ? 22 : 2}>
+                  {Setting.getLabel(i18next.t("general:User"), i18next.t("general:User - Tooltip"))} :
+                </Col>
+                <Col span={22} >
+                  <Input value={this.state.adapter.user} onChange={e => {
+                    this.updateAdapterField("user", e.target.value);
+                  }} />
+                </Col>
+              </Row>
+              <Row style={{marginTop: "20px"}} >
+                <Col style={{marginTop: "5px"}} span={(Setting.isMobile()) ? 22 : 2}>
+                  {Setting.getLabel(i18next.t("general:Password"), i18next.t("general:Password - Tooltip"))} :
+                </Col>
+                <Col span={22} >
+                  <Input value={this.state.adapter.password} onChange={e => {
+                    this.updateAdapterField("password", e.target.value);
+                  }} />
+                </Col>
+              </Row>
+              <Row style={{marginTop: "20px"}} >
+                <Col style={{marginTop: "5px"}} span={(Setting.isMobile()) ? 22 : 2}>
+                  {Setting.getLabel(i18next.t("syncer:Database"), i18next.t("syncer:Database - Tooltip"))} :
+                </Col>
+                <Col span={22} >
+                  <Input disabled={Setting.builtInObject(this.state.adapter)} value={this.state.adapter.database} onChange={e => {
+                    this.updateAdapterField("database", e.target.value);
+                  }} />
+                </Col>
+              </Row>
+            </React.Fragment>
+          )
+        }
         <Row style={{marginTop: "20px"}} >
           <Col style={{marginTop: "5px"}} span={(Setting.isMobile()) ? 22 : 2}>
-            {Setting.getLabel(i18next.t("provider:DB Test"), i18next.t("provider:DB Test - Tooltip"))} :
+            {Setting.getLabel(i18next.t("provider:DB test"), i18next.t("provider:DB test - Tooltip"))} :
           </Col>
           <Col span={2} >
             <Button type={"primary"} onClick={() => {

web/src/AdapterListPage.js

@@ -14,7 +14,7 @@
 
 import React from "react";
 import {Link} from "react-router-dom";
-import {Button, Table} from "antd";
+import {Button, Switch, Table} from "antd";
 import moment from "moment";
 import * as Setting from "./Setting";
 import * as AdapterBackend from "./backend/AdapterBackend";
@@ -30,14 +30,8 @@ class AdapterListPage extends BaseListPage {
       owner: owner,
       name: `adapter_${randomName}`,
       createdTime: moment().format(),
-      type: "Database",
-      host: "localhost",
-      port: 3306,
-      user: "root",
-      password: "123456",
-      databaseType: "mysql",
-      database: "dbName",
-      table: "tableName",
+      table: "table_name",
+      useSameDb: true,
     };
   }
 
@@ -118,6 +112,25 @@ class AdapterListPage extends BaseListPage {
           return Setting.getFormattedDate(text);
         },
       },
+      {
+        title: i18next.t("syncer:Table"),
+        dataIndex: "table",
+        key: "table",
+        width: "120px",
+        sorter: true,
+      },
+      {
+        title: i18next.t("adapter:Use same DB"),
+        dataIndex: "useSameDb",
+        key: "useSameDb",
+        width: "120px",
+        sorter: true,
+        render: (text, record, index) => {
+          return (
+            <Switch disabled checkedChildren="ON" unCheckedChildren="OFF" checked={text} />
+          );
+        },
+      },
       {
         title: i18next.t("provider:Type"),
         dataIndex: "type",
@@ -129,6 +142,13 @@ class AdapterListPage extends BaseListPage {
           {text: "Database", value: "Database"},
         ],
       },
+      {
+        title: i18next.t("syncer:Database type"),
+        dataIndex: "databaseType",
+        key: "databaseType",
+        width: "120px",
+        sorter: (a, b) => a.databaseType.localeCompare(b.databaseType),
+      },
       {
         title: i18next.t("provider:Host"),
         dataIndex: "host",
@@ -144,6 +164,12 @@ class AdapterListPage extends BaseListPage {
         width: "100px",
         sorter: true,
         ...this.getColumnSearchProps("port"),
+        render: (text, record, index) => {
+          if (text === 0) {
+            return "";
+          }
+          return text;
+        },
       },
       {
         title: i18next.t("general:User"),
@@ -161,13 +187,6 @@ class AdapterListPage extends BaseListPage {
         sorter: true,
         ...this.getColumnSearchProps("password"),
       },
-      {
-        title: i18next.t("syncer:Database type"),
-        dataIndex: "databaseType",
-        key: "databaseType",
-        width: "120px",
-        sorter: (a, b) => a.databaseType.localeCompare(b.databaseType),
-      },
       {
         title: i18next.t("syncer:Database"),
         dataIndex: "database",
@@ -175,13 +194,6 @@ class AdapterListPage extends BaseListPage {
         width: "120px",
         sorter: true,
       },
-      {
-        title: i18next.t("syncer:Table"),
-        dataIndex: "table",
-        key: "table",
-        width: "120px",
-        sorter: true,
-      },
       {
         title: i18next.t("general:Action"),
         dataIndex: "",

web/src/PaymentResultPage.js

@@ -101,7 +101,7 @@ class PaymentResultPage extends React.Component {
         payment: payment,
       });
       if (payment.state === "Created") {
-        if (["PayPal", "Stripe"].includes(payment.type)) {
+        if (["PayPal", "Stripe", "Alipay"].includes(payment.type)) {
           this.setState({
             timeout: setTimeout(async() => {
               await PaymentBackend.notifyPayment(this.state.owner, this.state.paymentName);

web/src/PermissionListPage.js

@@ -298,6 +298,13 @@ class PermissionListPage extends BaseListPage {
         filterMultiple: false,
         width: "120px",
         sorter: true,
+        render: (text, record, index) => {
+          return (
+            <Link to={`/users/${record.owner}/${encodeURIComponent(text)}`}>
+              {text}
+            </Link>
+          );
+        },
       },
       {
         title: i18next.t("permission:Approver"),
@@ -306,6 +313,13 @@ class PermissionListPage extends BaseListPage {
         filterMultiple: false,
         width: "120px",
         sorter: true,
+        render: (text, record, index) => {
+          return (
+            <Link to={`/users/${record.owner}/${encodeURIComponent(text)}`}>
+              {text}
+            </Link>
+          );
+        },
       },
       {
         title: i18next.t("permission:Approve time"),

web/src/ProviderEditPage.js

@@ -172,6 +172,12 @@ class ProviderEditPage extends React.Component {
       } else {
         return Setting.getLabel(i18next.t("provider:Site key"), i18next.t("provider:Site key - Tooltip"));
       }
+    case "Notification":
+      if (provider.type === "DingTalk") {
+        return Setting.getLabel(i18next.t("provider:Access key"), i18next.t("provider:Access key - Tooltip"));
+      } else {
+        return Setting.getLabel(i18next.t("provider:Client ID"), i18next.t("provider:Client ID - Tooltip"));
+      }
     default:
       return Setting.getLabel(i18next.t("provider:Client ID"), i18next.t("provider:Client ID - Tooltip"));
     }
@@ -180,7 +186,11 @@ class ProviderEditPage extends React.Component {
   getClientSecretLabel(provider) {
     switch (provider.category) {
     case "Email":
-      return Setting.getLabel(i18next.t("general:Password"), i18next.t("general:Password - Tooltip"));
+      if (provider.type === "Azure ACS") {
+        return Setting.getLabel(i18next.t("provider:Secret key"), i18next.t("provider:Secret key - Tooltip"));
+      } else {
+        return Setting.getLabel(i18next.t("general:Password"), i18next.t("general:Password - Tooltip"));
+      }
     case "SMS":
       if (provider.type === "Volc Engine SMS" || provider.type === "Amazon SNS" || provider.type === "Baidu Cloud SMS") {
         return Setting.getLabel(i18next.t("provider:Secret access key"), i18next.t("provider:Secret access key - Tooltip"));
@@ -202,8 +212,10 @@ class ProviderEditPage extends React.Component {
         return Setting.getLabel(i18next.t("provider:Secret key"), i18next.t("provider:Secret key - Tooltip"));
       }
     case "Notification":
-      if (provider.type === "Line") {
+      if (provider.type === "Line" || provider.type === "Telegram" || provider.type === "Bark" || provider.type === "DingTalk" || provider.type === "Discord" || provider.type === "Slack" || provider.type === "Pushover" || provider.type === "Pushbullet") {
         return Setting.getLabel(i18next.t("provider:Secret key"), i18next.t("provider:Secret key - Tooltip"));
+      } else if (provider.type === "Lark" || provider.type === "Microsoft Teams") {
+        return Setting.getLabel(i18next.t("provider:Endpoint"), i18next.t("provider:Endpoint - Tooltip"));
       } else {
         return Setting.getLabel(i18next.t("provider:Client secret"), i18next.t("provider:Client secret - Tooltip"));
       }
@@ -297,7 +309,7 @@ class ProviderEditPage extends React.Component {
         tooltip = i18next.t("provider:Project Id - Tooltip");
       }
     } else if (provider.category === "Email") {
-      if (provider.type === "SUBMAIL" || provider.type === "Azure ACS") {
+      if (provider.type === "SUBMAIL") {
         text = i18next.t("provider:App ID");
         tooltip = i18next.t("provider:App ID - Tooltip");
       }
@@ -305,7 +317,7 @@ class ProviderEditPage extends React.Component {
       if (provider.type === "Viber") {
         text = i18next.t("provider:Domain");
         tooltip = i18next.t("provider:Domain - Tooltip");
-      } else if (provider.type === "Telegram" || provider.type === "DingTalk" || provider.type === "Pushover" || provider.type === "Pushbullet" || provider.type === "Slack" || provider.type === "Discord" || provider.type === "Line" || provider.type === "Matrix" || provider.type === "Rocket Chat") {
+      } else if (provider.type === "Line" || provider.type === "Matrix" || provider.type === "Rocket Chat") {
         text = i18next.t("provider:App Key");
         tooltip = i18next.t("provider:App Key - Tooltip");
       }
@@ -336,12 +348,9 @@ class ProviderEditPage extends React.Component {
     if (provider.type === "Telegram" || provider.type === "Pushover" || provider.type === "Pushbullet" || provider.type === "Slack" || provider.type === "Discord" || provider.type === "Line" || provider.type === "Twitter" || provider.type === "Reddit" || provider.type === "Rocket Chat" || provider.type === "Viber") {
       text = i18next.t("provider:Chat ID");
       tooltip = i18next.t("provider:Chat ID - Tooltip");
-    } else if (provider.type === "Custom HTTP" || provider.type === "Lark" || provider.type === "Microsoft Teams" || provider.type === "Webpush" || provider.type === "Matrix") {
+    } else if (provider.type === "Custom HTTP" || provider.type === "Webpush" || provider.type === "Matrix") {
       text = i18next.t("provider:Endpoint");
       tooltip = i18next.t("provider:Endpoint - Tooltip");
-    } else if (provider.type === "DingTalk" || provider.type === "Bark") {
-      text = i18next.t("provider:Secret Key");
-      tooltip = i18next.t("provider:Secret Key - Tooltip");
     }
 
     if (text === "" && tooltip === "") {
@@ -626,24 +635,24 @@ class ProviderEditPage extends React.Component {
         }
         {
           (this.state.provider.category === "Captcha" && this.state.provider.type === "Default") ||
-          (this.state.provider.category === "Email" && this.state.provider.type === "Azure ACS") ||
           (this.state.provider.category === "Web3") ||
-          (this.state.provider.category === "Storage" && this.state.provider.type === "Local File System" ||
-          (this.state.provider.category === "Notification" && this.state.provider.type !== "Webpush" && this.state.provider.type !== "Line" && this.state.provider.type !== "Matrix" && this.state.provider.type !== "Twitter" && this.state.provider.type !== "Reddit" && this.state.provider.type !== "Rocket Chat" && this.state.provider.type !== "Viber")) ? null : (
+          (this.state.provider.category === "Storage" && this.state.provider.type === "Local File System") ||
+          (this.state.provider.category === "Notification" && (this.state.provider.type === "Google Chat" || this.state.provider.type === "Custom HTTP")) ? null : (
               <React.Fragment>
                 {
-                  this.state.provider.type === "Line" ? null : (
-                    <Row style={{marginTop: "20px"}} >
-                      <Col style={{marginTop: "5px"}} span={(Setting.isMobile()) ? 22 : 2}>
-                        {this.getClientIdLabel(this.state.provider)} :
-                      </Col>
-                      <Col span={22} >
-                        <Input value={this.state.provider.clientId} onChange={e => {
-                          this.updateProviderField("clientId", e.target.value);
-                        }} />
-                      </Col>
-                    </Row>
-                  )
+                  (this.state.provider.category === "Email" && this.state.provider.type === "Azure ACS") ||
+                  (this.state.provider.category === "Notification" && (this.state.provider.type === "Line" || this.state.provider.type === "Telegram" || this.state.provider.type === "Bark" || this.state.provider.type === "Discord" || this.state.provider.type === "Slack" || this.state.provider.type === "Pushbullet" || this.state.provider.type === "Pushover" || this.state.provider.type === "Lark" || this.state.provider.type === "Microsoft Teams")) ? null : (
+                      <Row style={{marginTop: "20px"}} >
+                        <Col style={{marginTop: "5px"}} span={(Setting.isMobile()) ? 22 : 2}>
+                          {this.getClientIdLabel(this.state.provider)} :
+                        </Col>
+                        <Col span={22} >
+                          <Input value={this.state.provider.clientId} onChange={e => {
+                            this.updateProviderField("clientId", e.target.value);
+                          }} />
+                        </Col>
+                      </Row>
+                    )
                 }
                 <Row style={{marginTop: "20px"}} >
                   <Col style={{marginTop: "5px"}} span={(Setting.isMobile()) ? 22 : 2}>
@@ -1111,6 +1120,22 @@ class ProviderEditPage extends React.Component {
             </Row>
           ) : null
         }
+        {
+          (this.state.provider.type === "Alipay") ? (
+            <Row style={{marginTop: "20px"}} >
+              <Col style={{marginTop: "5px"}} span={(Setting.isMobile()) ? 22 : 2}>
+                {Setting.getLabel(i18next.t("general:Root Cert"), i18next.t("general:Root Cert - Tooltip"))} :
+              </Col>
+              <Col span={22} >
+                <Select virtual={false} style={{width: "100%"}} value={this.state.provider.metadata} onChange={(value => {this.updateProviderField("metadata", value);})}>
+                  {
+                    this.state.certs.map((cert, index) => <Option key={index} value={cert.name}>{cert.name}</Option>)
+                  }
+                </Select>
+              </Col>
+            </Row>
+          ) : null
+        }
         {
           this.state.provider.type === "Web3Onboard" ? (
             <Row style={{marginTop: "20px"}} >

web/src/RoleEditPage.js

@@ -14,11 +14,12 @@
 
 import React from "react";
 import {Button, Card, Col, Input, Row, Select, Switch} from "antd";
-import * as RoleBackend from "./backend/RoleBackend";
 import * as OrganizationBackend from "./backend/OrganizationBackend";
+import * as UserBackend from "./backend/UserBackend";
+import * as GroupBackend from "./backend/GroupBackend";
+import * as RoleBackend from "./backend/RoleBackend";
 import * as Setting from "./Setting";
 import i18next from "i18next";
-import * as UserBackend from "./backend/UserBackend";
 
 class RoleEditPage extends React.Component {
   constructor(props) {
@@ -30,6 +31,7 @@ class RoleEditPage extends React.Component {
       role: null,
       organizations: [],
       users: [],
+      groups: [],
       roles: [],
       mode: props.location.mode !== undefined ? props.location.mode : "edit",
     };
@@ -57,6 +59,7 @@ class RoleEditPage extends React.Component {
         });
 
         this.getUsers(this.state.organizationName);
+        this.getGroups(this.state.organizationName);
         this.getRoles(this.state.organizationName);
       });
   }
@@ -84,6 +87,20 @@ class RoleEditPage extends React.Component {
       });
   }
 
+  getGroups(organizationName) {
+    GroupBackend.getGroups(organizationName)
+      .then((res) => {
+        if (res.status === "error") {
+          Setting.showMessage("error", res.msg);
+          return;
+        }
+
+        this.setState({
+          groups: res.data,
+        });
+      });
+  }
+
   getRoles(organizationName) {
     RoleBackend.getRoles(organizationName)
       .then((res) => {
@@ -176,6 +193,17 @@ class RoleEditPage extends React.Component {
             />
           </Col>
         </Row>
+        <Row style={{marginTop: "20px"}} >
+          <Col style={{marginTop: "5px"}} span={(Setting.isMobile()) ? 22 : 2}>
+            {Setting.getLabel(i18next.t("role:Sub groups"), i18next.t("role:Sub groups - Tooltip"))} :
+          </Col>
+          <Col span={22} >
+            <Select virtual={false} mode="multiple" style={{width: "100%"}} value={this.state.role.groups}
+              onChange={(value => {this.updateRoleField("groups", value);})}
+              options={this.state.groups.map((group) => Setting.getOption(`${group.owner}/${group.name}`, `${group.owner}/${group.name}`))}
+            />
+          </Col>
+        </Row>
         <Row style={{marginTop: "20px"}} >
           <Col style={{marginTop: "5px"}} span={(Setting.isMobile()) ? 22 : 2}>
             {Setting.getLabel(i18next.t("role:Sub roles"), i18next.t("role:Sub roles - Tooltip"))} :

web/src/RoleListPage.js

@@ -33,6 +33,7 @@ class RoleListPage extends BaseListPage {
       createdTime: moment().format(),
       displayName: `New Role - ${randomName}`,
       users: [],
+      groups: [],
       roles: [],
       domains: [],
       isEnabled: true,
@@ -171,6 +172,17 @@ class RoleListPage extends BaseListPage {
           return Setting.getTags(text, "users");
         },
       },
+      {
+        title: i18next.t("role:Sub groups"),
+        dataIndex: "groups",
+        key: "groups",
+        // width: '100px',
+        sorter: true,
+        ...this.getColumnSearchProps("groups"),
+        render: (text, record, index) => {
+          return Setting.getTags(text, "groups");
+        },
+      },
       {
         title: i18next.t("role:Sub roles"),
         dataIndex: "roles",

web/src/Setting.js

@@ -749,7 +749,7 @@ export function isMobile() {
 }
 
 export function getFormattedDate(date) {
-  if (date === undefined) {
+  if (!date) {
     return null;
   }
 

web/src/SyncerListPage.js

@@ -38,7 +38,7 @@ class SyncerListPage extends BaseListPage {
       password: "123456",
       databaseType: "mysql",
       database: "dbName",
-      table: "tableName",
+      table: "table_name",
       tableColumns: [],
       affiliationTable: "",
       avatarBaseUrl: "",

web/src/UserListPage.js

@@ -298,13 +298,6 @@ class UserListPage extends BaseListPage {
         sorter: true,
         ...this.getColumnSearchProps("phone"),
       },
-      // {
-      //   title: 'Phone',
-      //   dataIndex: 'phone',
-      //   key: 'phone',
-      //   width: '120px',
-      //   sorter: (a, b) => a.phone.localeCompare(b.phone),
-      // },
       {
         title: i18next.t("user:Affiliation"),
         dataIndex: "affiliation",

web/src/auth/Provider.js

@@ -379,7 +379,7 @@ export function getAuthUrl(application, provider, method) {
   }
 
   let endpoint = authInfo[provider.type].endpoint;
-  const redirectUri = `${window.location.origin}/callback`;
+  let redirectUri = `${window.location.origin}/callback`;
   const scope = authInfo[provider.type].scope;
 
   const isShortState = provider.type === "WeChat" && navigator.userAgent.includes("MicroMessenger");
@@ -390,6 +390,8 @@ export function getAuthUrl(application, provider, method) {
     if (provider.domain !== "") {
       endpoint = endpoint.replace("common", provider.domain);
     }
+  } else if (provider.type === "Apple") {
+    redirectUri = `${window.location.origin}/api/callback`;
   }
 
   if (provider.type === "Google" || provider.type === "GitHub" || provider.type === "QQ" || provider.type === "Facebook"
@@ -448,7 +450,7 @@ export function getAuthUrl(application, provider, method) {
   } else if (provider.type === "Infoflow") {
     return `${endpoint}?appid=${provider.clientId}&redirect_uri=${redirectUri}?state=${state}`;
   } else if (provider.type === "Apple") {
-    return `${endpoint}?client_id=${provider.clientId}&redirect_uri=${redirectUri}&state=${state}&response_type=code&scope=${scope}&response_mode=form_post`;
+    return `${endpoint}?client_id=${provider.clientId}&redirect_uri=${redirectUri}&state=${state}&response_type=code%20id_token&scope=${scope}&response_mode=form_post`;
   } else if (provider.type === "Steam") {
     return `${endpoint}?openid.claimed_id=http://specs.openid.net/auth/2.0/identifier_select&openid.identity=http://specs.openid.net/auth/2.0/identifier_select&openid.mode=checkid_setup&openid.ns=http://specs.openid.net/auth/2.0&openid.realm=${window.location.origin}&openid.return_to=${redirectUri}?state=${state}`;
   } else if (provider.type === "Okta") {