feat: fix binding after registration causes the page to crash (#945 )

fix: panic triggered when user is nil (#940 )
Support sqlite3 DB
2025-07-21 21:03:50 +08:00 · 2022-08-01 21:08:10 +08:00 · 2022-07-31 23:23:36 +08:00 · 2022-07-31 18:11:18 +08:00 · 2022-07-31 10:54:41 +08:00 · 2022-07-31 01:02:28 +08:00
12 changed files with 125 additions and 35 deletions
--- a/controllers/link.go
+++ b/controllers/link.go
@ -21,7 +21,8 @@ import (
 )

 type LinkForm struct {
-	ProviderType string `json:"providerType"`
+	ProviderType string      `json:"providerType"`
+	User         object.User `json:"user"`
 }

 // Unlink ...
@ -40,16 +41,55 @@ func (c *ApiController) Unlink() {
 	}
 	providerType := form.ProviderType

+	// the user will be unlinked from the provider
+	unlinkedUser := form.User
 	user := object.GetUser(userId)
-	value := object.GetUserField(user, providerType)
+
+	if user.Id != unlinkedUser.Id && !user.IsGlobalAdmin {
+		// if the user is not the same as the one we are unlinking, we need to make sure the user is the global admin.
+		c.ResponseError("You are not the global admin, you can't unlink other users")
+		return
+	}
+
+	if user.Id == unlinkedUser.Id && !user.IsGlobalAdmin {
+		// if the user is unlinking themselves, should check the provider can be unlinked, if not, we should return an error.
+		application := object.GetApplicationByUser(user)
+		if application == nil {
+			c.ResponseError("You can't unlink yourself, you are not a member of any application")
+			return
+		}
+
+		if len(application.Providers) == 0 {
+			c.ResponseError("This application has no providers")
+			return
+		}
+
+		provider := application.GetProviderItemByType(providerType)
+		if provider == nil {
+			c.ResponseError("This application has no providers of type " + providerType)
+			return
+		}
+
+		if !provider.CanUnlink {
+			c.ResponseError("This provider can't be unlinked")
+			return
+		}
+
+	}
+
+	// only two situations can happen here
+	// 1. the user is the global admin
+	// 2. the user is unlinking themselves and provider can be unlinked
+
+	value := object.GetUserField(&unlinkedUser, providerType)

 	if value == "" {
 		c.ResponseError("Please link first", value)
 		return
 	}

-	object.ClearUserOAuthProperties(user, providerType)
+	object.ClearUserOAuthProperties(&unlinkedUser, providerType)

-	object.LinkUserAccount(user, providerType, "")
+	object.LinkUserAccount(&unlinkedUser, providerType, "")
 	c.ResponseOk()
 }
--- a/controllers/user.go
+++ b/controllers/user.go
@ -80,12 +80,16 @@ func (c *ApiController) GetUsers() {
 // @Title GetUser
 // @Tag User API
 // @Description get user
-// @Param   id     query    string  true        "The id of the user"
+// @Param   id     query    string  true         "The id of the user"
+// @Param   owner  query    string  false        "The owner of the user"
+// @Param   email  query    string  false 	     "The email of the user"
+// @Param   phone  query    string  false 	     "The phone of the user"
 // @Success 200 {object} object.User The Response object
 // @router /get-user [get]
 func (c *ApiController) GetUser() {
 	id := c.Input().Get("id")
 	email := c.Input().Get("email")
+	phone := c.Input().Get("phone")
 	userId := c.Input().Get("userId")

 	owner := c.Input().Get("owner")
@ -96,7 +100,7 @@ func (c *ApiController) GetUser() {
 	organization := object.GetOrganization(fmt.Sprintf("%s/%s", "admin", owner))
 	if !organization.IsProfilePublic {
 		requestUserId := c.GetSessionUsername()
-		hasPermission, err := object.CheckUserPermission(requestUserId, id, false)
+		hasPermission, err := object.CheckUserPermission(requestUserId, id, owner, false)
 		if !hasPermission {
 			c.ResponseError(err.Error())
 			return
@ -104,18 +108,23 @@ func (c *ApiController) GetUser() {
 	}

 	var user *object.User
-	if email != "" {
+	switch {
+	case email != "":
 		user = object.GetUserByEmail(owner, email)
-	} else if userId != "" {
+	case phone != "":
+		user = object.GetUserByPhone(owner, phone)
+	case userId != "":
 		user = object.GetUserByUserId(owner, userId)
-	} else {
+	default:
 		user = object.GetUser(id)
 	}

-	roles := object.GetRolesByUser(user.GetId())
-	user.Roles = roles
-	permissions := object.GetPermissionsByUser(user.GetId())
-	user.Permissions = permissions
+	if user != nil {
+		roles := object.GetRolesByUser(user.GetId())
+		user.Roles = roles
+		permissions := object.GetPermissionsByUser(user.GetId())
+		user.Permissions = permissions
+	}

 	c.Data["json"] = object.GetMaskedUser(user)
 	c.ServeJSON()
@ -257,7 +266,7 @@ func (c *ApiController) SetPassword() {
 	requestUserId := c.GetSessionUsername()
 	userId := fmt.Sprintf("%s/%s", userOwner, userName)

-	hasPermission, err := object.CheckUserPermission(requestUserId, userId, true)
+	hasPermission, err := object.CheckUserPermission(requestUserId, userId, userOwner, true)
 	if !hasPermission {
 		c.ResponseError(err.Error())
 		return
--- a/object/adapter.go
+++ b/object/adapter.go
@ -22,8 +22,9 @@ import (
 	"github.com/casdoor/casdoor/conf"
 	"github.com/casdoor/casdoor/util"
 	//_ "github.com/denisenkom/go-mssqldb" // db = mssql
-	_ "github.com/go-sql-driver/mysql"     // db = mysql
+	_ "github.com/go-sql-driver/mysql" // db = mysql
 	//_ "github.com/lib/pq"                // db = postgres
+	//_ "github.com/mattn/go-sqlite3"      // db = sqlite3
 	"xorm.io/core"
 	"xorm.io/xorm"
 )
--- a/object/check.go
+++ b/object/check.go
@ -197,14 +197,18 @@ func filterField(field string) bool {
 	return reFieldWhiteList.MatchString(field)
 }

-func CheckUserPermission(requestUserId, userId string, strict bool) (bool, error) {
+func CheckUserPermission(requestUserId, userId, userOwner string, strict bool) (bool, error) {
 	if requestUserId == "" {
 		return false, fmt.Errorf("please login first")
 	}

-	targetUser := GetUser(userId)
-	if targetUser == nil {
-		return false, fmt.Errorf("the user: %s doesn't exist", userId)
+	if userId != "" {
+		targetUser := GetUser(userId)
+		if targetUser == nil {
+			return false, fmt.Errorf("the user: %s doesn't exist", userId)
+		}
+
+		userOwner = targetUser.Owner
 	}

 	hasPermission := false
@ -219,7 +223,7 @@ func CheckUserPermission(requestUserId, userId string, strict bool) (bool, error
 			hasPermission = true
 		} else if requestUserId == userId {
 			hasPermission = true
-		} else if targetUser.Owner == requestUser.Owner {
+		} else if userOwner == requestUser.Owner {
 			if strict {
 				hasPermission = requestUser.IsAdmin
 			} else {
--- a/object/provider_item.go
+++ b/object/provider_item.go
@ -33,6 +33,15 @@ func (application *Application) GetProviderItem(providerName string) *ProviderIt
 	return nil
 }

+func (application *Application) GetProviderItemByType(providerType string) *ProviderItem {
+	for _, item := range application.Providers {
+		if item.Provider.Type == providerType {
+			return item
+		}
+	}
+	return nil
+}
+
 func (pi *ProviderItem) IsProviderVisible() bool {
 	if pi.Provider == nil {
 		return false
--- a/object/syncer_sync.go
+++ b/object/syncer_sync.go
@ -22,7 +22,7 @@ import (
 func (syncer *Syncer) syncUsers() {
 	fmt.Printf("Running syncUsers()..\n")

-	users, userMap := syncer.getUserMap()
+	users, userMap, userNameMap := syncer.getUserMap()
 	oUsers, oUserMap, err := syncer.getOriginalUserMap()
 	if err != nil {
 		fmt.Printf(err.Error())
@ -44,9 +44,11 @@ func (syncer *Syncer) syncUsers() {
 	for _, oUser := range oUsers {
 		id := oUser.Id
 		if _, ok := userMap[id]; !ok {
-			newUser := syncer.createUserFromOriginalUser(oUser, affiliationMap)
-			fmt.Printf("New user: %v\n", newUser)
-			newUsers = append(newUsers, newUser)
+			if _, ok := userNameMap[oUser.Name]; !ok {
+				newUser := syncer.createUserFromOriginalUser(oUser, affiliationMap)
+				fmt.Printf("New user: %v\n", newUser)
+				newUsers = append(newUsers, newUser)
+			}
 		} else {
 			user := userMap[id]
 			oHash := syncer.calculateHash(oUser)
--- a/object/syner_db_user.go
+++ b/object/syner_db_user.go
@ -19,12 +19,15 @@ func (syncer *Syncer) getUsers() []*User {
 	return users
 }

-func (syncer *Syncer) getUserMap() ([]*User, map[string]*User) {
+func (syncer *Syncer) getUserMap() ([]*User, map[string]*User, map[string]*User) {
 	users := syncer.getUsers()

-	m := map[string]*User{}
+	m1 := map[string]*User{}
+	m2 := map[string]*User{}
 	for _, user := range users {
-		m[user.Id] = user
+		m1[user.Id] = user
+		m2[user.Name] = user
 	}
-	return users, m
+
+	return users, m1, m2
 }
--- a/object/user.go
+++ b/object/user.go
@ -73,7 +73,7 @@ type User struct {
 	LastSigninTime string `xorm:"varchar(100)" json:"lastSigninTime"`
 	LastSigninIp   string `xorm:"varchar(100)" json:"lastSigninIp"`

-	Github        string `xorm:"varchar(100)" json:"github"`
+	GitHub        string `xorm:"github varchar(100)" json:"github"`
 	Google        string `xorm:"varchar(100)" json:"google"`
 	QQ            string `xorm:"qq varchar(100)" json:"qq"`
 	WeChat        string `xorm:"wechat varchar(100)" json:"wechat"`
@ -273,6 +273,24 @@ func GetUserByEmail(owner string, email string) *User {
 	}
 }

+func GetUserByPhone(owner string, phone string) *User {
+	if owner == "" || phone == "" {
+		return nil
+	}
+
+	user := User{Owner: owner, Phone: phone}
+	existed, err := adapter.Engine.Get(&user)
+	if err != nil {
+		panic(err)
+	}
+
+	if existed {
+		return &user
+	} else {
+		return nil
+	}
+}
+
 func GetUserByUserId(owner string, userId string) *User {
 	if owner == "" || userId == "" {
 		return nil
--- a/object/user_test.go
+++ b/object/user_test.go
@ -37,11 +37,11 @@ func TestSyncAvatarsFromGitHub(t *testing.T) {

 	users := GetGlobalUsers()
 	for _, user := range users {
-		if user.Github == "" {
+		if user.GitHub == "" {
 			continue
 		}

-		user.Avatar = fmt.Sprintf("https://avatars.githubusercontent.com/%s", user.Github)
+		user.Avatar = fmt.Sprintf("https://avatars.githubusercontent.com/%s", user.GitHub)
 		updateUserColumn("avatar", user)
 	}
 }
--- a/web/src/UserEditPage.js
+++ b/web/src/UserEditPage.js
@ -466,7 +466,7 @@ class UserEditPage extends React.Component {
                  (this.state.application === null || this.state.user === null) ? null : (
                    this.state.application?.providers.filter(providerItem => Setting.isProviderVisible(providerItem)).map((providerItem, index) =>
                      (providerItem.provider.category === "OAuth") ? (
-                        <OAuthWidget key={providerItem.name} labelSpan={(Setting.isMobile()) ? 10 : 3} user={this.state.user} application={this.state.application} providerItem={providerItem} onUnlinked={() => {return this.unlinked();}} />
+                        <OAuthWidget key={providerItem.name} labelSpan={(Setting.isMobile()) ? 10 : 3} user={this.state.user} application={this.state.application} providerItem={providerItem} account={this.props.account} onUnlinked={() => {return this.unlinked();}} />
                      ) : (
                        <SamlWidget key={providerItem.name} labelSpan={(Setting.isMobile()) ? 10 : 3} user={this.state.user} application={this.state.application} providerItem={providerItem} onUnlinked={() => {return this.unlinked();}} />
                      )
--- a/web/src/auth/PromptPage.js
+++ b/web/src/auth/PromptPage.js
@ -117,7 +117,7 @@ class PromptPage extends React.Component {
        <div>
          {
            (application === null || this.state.user === null) ? null : (
-              application?.providers.filter(providerItem => Setting.isProviderPrompted(providerItem)).map((providerItem, index) => <OAuthWidget key={providerItem.name} labelSpan={6} user={this.state.user} application={application} providerItem={providerItem} onUnlinked={() => {return this.unlinked();}} />)
+              application?.providers.filter(providerItem => Setting.isProviderPrompted(providerItem)).map((providerItem, index) => <OAuthWidget key={providerItem.name} labelSpan={6} user={this.state.user} application={application} providerItem={providerItem} account={this.props.account} onUnlinked={() => {return this.unlinked();}} />)
            )
          }
        </div>
--- a/web/src/common/OAuthWidget.js
+++ b/web/src/common/OAuthWidget.js
@ -91,6 +91,8 @@ class OAuthWidget extends React.Component {
  unlinkUser(providerType) {
    const body = {
      providerType: providerType,
+      // should add the unlink user's info, cause the user may not be logged in, but a admin want to unlink the user.
+      user: this.props.user,
    };
    AuthBackend.unlink(body)
      .then((res) => {
@ -113,6 +115,8 @@ class OAuthWidget extends React.Component {
    const displayName = this.getUserProperty(user, provider.type, "displayName");
    const email = this.getUserProperty(user, provider.type, "email");
    let avatarUrl = this.getUserProperty(user, provider.type, "avatarUrl");
+    // the account user
+    const account = this.props.account;

    if (avatarUrl === "" || avatarUrl === undefined) {
      avatarUrl = "data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAB4AAAAeCAQAAACROWYpAAAAHElEQVR42mNkoAAwjmoe1TyqeVTzqOZRzcNZMwB18wAfEFQkPQAAAABJRU5ErkJggg==";
@ -161,10 +165,10 @@ class OAuthWidget extends React.Component {
          {
            linkedValue === "" ? (
              <a key={provider.displayName} href={Provider.getAuthUrl(application, provider, "link")}>
-                <Button style={{marginLeft: "20px", width: "80px"}} type="primary">{i18next.t("user:Link")}</Button>
+                <Button style={{marginLeft: "20px", width: "80px"}} type="primary" disabled={user.id !== account.id}>{i18next.t("user:Link")}</Button>
              </a>
            ) : (
-              <Button disabled={!providerItem.canUnlink} style={{marginLeft: "20px", width: "80px"}} onClick={() => this.unlinkUser(provider.type)}>{i18next.t("user:Unlink")}</Button>
+              <Button disabled={!providerItem.canUnlink && !account.isGlobalAdmin} style={{marginLeft: "20px", width: "80px"}} onClick={() => this.unlinkUser(provider.type)}>{i18next.t("user:Unlink")}</Button>
            )
          }
        </Col>
Author	SHA1	Message	Date
q1anx1	13404d6035	feat: fix binding after registration causes the page to crash (#945 )	2022-08-01 21:08:10 +08:00
Mikey	afa9c530ad	fix: panic triggered when user is nil (#940 )	2022-07-31 23:23:36 +08:00
Yang Luo	1600615aca	Support sqlite3 DB	2022-07-31 18:11:18 +08:00
Mikey	2bb8491499	fix: unable to get user if profile is private (#936 )	2022-07-31 10:54:41 +08:00
Mikey	293283ed25	feat: add get user by phone (#934 ) * fix: check reset phone & email modify rules * Update verification.go * Update organization.go * feat: add get user by phone Co-authored-by: Yang Luo <hsluoyz@qq.com>	2022-07-31 01:02:28 +08:00
q1anx1	9cb519d1e9	fix: Admins should not be allowed to add third-party login for their members (#932 ) * feat: admin can unlink the other user * feat: global admin can unlink other user * fix	2022-07-30 23:11:02 +08:00
Yixiang Zhao	fb9b8f1662	fix: skip the duplicated users when sync users (#928 ) Signed-off-by: Yixiang Zhao <seriouszyx@foxmail.com>	2022-07-30 22:24:23 +08:00