fix: keep phone/email unique. (#1038)

Signed-off-by: 疯魔慕薇 <kfanjian@gmail.com>

Signed-off-by: 疯魔慕薇 <kfanjian@gmail.com>

object/check.go

@@ -62,10 +62,10 @@ func CheckUserSignup(application *Application, organization *Organization, usern
 		if HasUserByField(organization.Name, "name", username) {
 			return "username already exists"
 		}
-		if HasUserByField(organization.Name, "email", username) {
+		if HasUserByField(organization.Name, "email", email) {
 			return "email already exists"
 		}
-		if HasUserByField(organization.Name, "phone", username) {
+		if HasUserByField(organization.Name, "phone", phone) {
 			return "phone already exists"
 		}
 	}

object/init.go

@@ -251,6 +251,7 @@ func initBuiltInPermission() {
 		DisplayName:  "Built-in Permission",
 		Users:        []string{"built-in/admin"},
 		Roles:        []string{},
+		Domains:      []string{},
 		ResourceType: "Application",
 		Resources:    []string{"app-built-in"},
 		Actions:      []string{"Read", "Write", "Admin"},

object/permission.go

@@ -32,6 +32,7 @@ type Permission struct {
 	Domains []string `xorm:"mediumtext" json:"domains"`
 
 	Model        string   `xorm:"varchar(100)" json:"model"`
+	Adapter      string   `xorm:"varchar(100)" json:"adapter"`
 	ResourceType string   `xorm:"varchar(100)" json:"resourceType"`
 	Resources    []string `xorm:"mediumtext" json:"resources"`
 	Actions      []string `xorm:"mediumtext" json:"actions"`
@@ -52,6 +53,7 @@ type PermissionRule struct {
 	V3    string `xorm:"varchar(100) index not null default ''" json:"v3"`
 	V4    string `xorm:"varchar(100) index not null default ''" json:"v4"`
 	V5    string `xorm:"varchar(100) index not null default ''" json:"v5"`
+	Id    string `xorm:"varchar(100) index not null default ''" json:"id"`
 }
 
 func GetPermissionCount(owner, field, value string) int {
@@ -122,6 +124,15 @@ func UpdatePermission(id string, permission *Permission) bool {
 
 	if affected != 0 {
 		removePolicies(oldPermission)
+		if oldPermission.Adapter != "" && oldPermission.Adapter != permission.Adapter {
+			isEmpty, _ := adapter.Engine.IsTableEmpty(oldPermission.Adapter)
+			if isEmpty {
+				err = adapter.Engine.DropTables(oldPermission.Adapter)
+				if err != nil {
+					panic(err)
+				}
+			}
+		}
 		addPolicies(permission)
 	}
 
@@ -149,6 +160,15 @@ func DeletePermission(permission *Permission) bool {
 
 	if affected != 0 {
 		removePolicies(permission)
+		if permission.Adapter != "" && permission.Adapter != "permission_rule" {
+			isEmpty, _ := adapter.Engine.IsTableEmpty(permission.Adapter)
+			if isEmpty {
+				err = adapter.Engine.DropTables(permission.Adapter)
+				if err != nil {
+					panic(err)
+				}
+			}
+		}
 	}
 
 	return affected != 0
@@ -168,6 +188,16 @@ func GetPermissionsByUser(userId string) []*Permission {
 	return permissions
 }
 
+func GetPermissionsByRole(roleId string) []*Permission {
+	permissions := []*Permission{}
+	err := adapter.Engine.Where("roles like ?", "%"+roleId+"%").Find(&permissions)
+	if err != nil {
+		panic(err)
+	}
+
+	return permissions
+}
+
 func GetPermissionsBySubmitter(owner string, submitter string) []*Permission {
 	permissions := []*Permission{}
 	err := adapter.Engine.Desc("created_time").Find(&permissions, &Permission{Owner: owner, Submitter: submitter})

object/permission_enforcer.go

@@ -24,8 +24,12 @@ import (
 )
 
 func getEnforcer(permission *Permission) *casbin.Enforcer {
+	tableName := "permission_rule"
+	if len(permission.Adapter) != 0 {
+		tableName = permission.Adapter
+	}
 	tableNamePrefix := conf.GetConfigString("tableNamePrefix")
-	adapter, err := xormadapter.NewAdapterWithTableName(conf.GetConfigString("driverName"), conf.GetBeegoConfDataSourceName()+conf.GetConfigString("dbName"), "permission_rule", tableNamePrefix, true)
+	adapter, err := xormadapter.NewAdapterWithTableName(conf.GetConfigString("driverName"), conf.GetBeegoConfDataSourceName()+conf.GetConfigString("dbName"), tableName, tableNamePrefix, true)
 	if err != nil {
 		panic(err)
 	}
@@ -35,7 +39,7 @@ func getEnforcer(permission *Permission) *casbin.Enforcer {
 r = sub, obj, act
 
 [policy_definition]
-p = permission, sub, obj, act
+p = sub, obj, act
 
 [role_definition]
 g = _, _
@@ -62,28 +66,68 @@ m = g(r.sub, p.sub) && r.obj == p.obj && r.act == p.act`
 	return enforcer
 }
 
-func getPolicies(permission *Permission) [][]string {
+func getPolicies(permission *Permission) ([][]string, [][]string) {
 	var policies [][]string
+	var groupingPolicies [][]string
+	domainExist := len(permission.Domains) > 0
 	for _, user := range permission.Users {
 		for _, resource := range permission.Resources {
 			for _, action := range permission.Actions {
-				policies = append(policies, []string{permission.GetId(), user, resource, strings.ToLower(action)})
+				if domainExist {
+					for _, domain := range permission.Domains {
+						policies = append(policies, []string{user, domain, resource, strings.ToLower(action)})
+					}
+				} else {
+					policies = append(policies, []string{user, resource, strings.ToLower(action)})
+				}
 			}
 		}
 	}
 	for _, role := range permission.Roles {
+		roleObj := GetRole(role)
+		for _, subUser := range roleObj.Users {
+			if domainExist {
+				for _, domain := range permission.Domains {
+					groupingPolicies = append(groupingPolicies, []string{subUser, domain, role})
+				}
+			} else {
+				groupingPolicies = append(groupingPolicies, []string{subUser, role})
+			}
+		}
+		for _, subRole := range roleObj.Roles {
+			if domainExist {
+				for _, domain := range permission.Domains {
+					groupingPolicies = append(groupingPolicies, []string{subRole, domain, role})
+				}
+			} else {
+				groupingPolicies = append(groupingPolicies, []string{subRole, role})
+			}
+		}
 		for _, resource := range permission.Resources {
 			for _, action := range permission.Actions {
-				policies = append(policies, []string{permission.GetId(), role, resource, strings.ToLower(action)})
+				if domainExist {
+					for _, domain := range permission.Domains {
+						policies = append(policies, []string{role, domain, resource, strings.ToLower(action)})
+					}
+				} else {
+					policies = append(policies, []string{role, resource, strings.ToLower(action)})
+				}
 			}
 		}
 	}
-	return policies
+	return policies, groupingPolicies
 }
 
 func addPolicies(permission *Permission) {
 	enforcer := getEnforcer(permission)
-	policies := getPolicies(permission)
+	policies, groupingPolicies := getPolicies(permission)
+
+	if len(groupingPolicies) > 0 {
+		_, err := enforcer.AddGroupingPolicies(groupingPolicies)
+		if err != nil {
+			panic(err)
+		}
+	}
 
 	_, err := enforcer.AddPolicies(policies)
 	if err != nil {
@@ -93,48 +137,25 @@ func addPolicies(permission *Permission) {
 
 func removePolicies(permission *Permission) {
 	enforcer := getEnforcer(permission)
+	policies, groupingPolicies := getPolicies(permission)
 
-	_, err := enforcer.RemoveFilteredPolicy(0, permission.GetId())
-	if err != nil {
-		panic(err)
+	if len(groupingPolicies) > 0 {
+		_, err := enforcer.RemoveGroupingPolicies(groupingPolicies)
+		if err != nil {
+			panic(err)
+		}
 	}
-}
 
-func getGroupingPolicies(role *Role) [][]string {
-	var groupingPolicies [][]string
-	for _, subUser := range role.Users {
-		groupingPolicies = append(groupingPolicies, []string{subUser, role.GetId()})
-	}
-	for _, subRole := range role.Roles {
-		groupingPolicies = append(groupingPolicies, []string{subRole, role.GetId()})
-	}
-	return groupingPolicies
-}
-
-func addGroupingPolicies(role *Role) {
-	enforcer := getEnforcer(&Permission{})
-	groupingPolicies := getGroupingPolicies(role)
-
-	_, err := enforcer.AddGroupingPolicies(groupingPolicies)
-	if err != nil {
-		panic(err)
-	}
-}
-
-func removeGroupingPolicies(role *Role) {
-	enforcer := getEnforcer(&Permission{})
-	groupingPolicies := getGroupingPolicies(role)
-
-	_, err := enforcer.RemoveGroupingPolicies(groupingPolicies)
+	_, err := enforcer.RemovePolicies(policies)
 	if err != nil {
 		panic(err)
 	}
 }
 
 func Enforce(userId string, permissionRule *PermissionRule) bool {
-	permission := GetPermission(permissionRule.V0)
+	permission := GetPermission(permissionRule.Id)
 	enforcer := getEnforcer(permission)
-	allow, err := enforcer.Enforce(userId, permissionRule.V2, permissionRule.V3)
+	allow, err := enforcer.Enforce(userId, permissionRule.V1, permissionRule.V2)
 	if err != nil {
 		panic(err)
 	}
@@ -144,9 +165,9 @@ func Enforce(userId string, permissionRule *PermissionRule) bool {
 func BatchEnforce(userId string, permissionRules []PermissionRule) []bool {
 	var requests [][]interface{}
 	for _, permissionRule := range permissionRules {
-		requests = append(requests, []interface{}{userId, permissionRule.V2, permissionRule.V3})
+		requests = append(requests, []interface{}{userId, permissionRule.V1, permissionRule.V2})
 	}
-	permission := GetPermission(permissionRules[0].V0)
+	permission := GetPermission(permissionRules[0].Id)
 	enforcer := getEnforcer(permission)
 	allow, err := enforcer.BatchEnforce(requests)
 	if err != nil {
@@ -155,30 +176,30 @@ func BatchEnforce(userId string, permissionRules []PermissionRule) []bool {
 	return allow
 }
 
-func getAllValues(userId string, sec string, fieldIndex int) []string {
+func getAllValues(userId string, fn func(enforcer *casbin.Enforcer) []string) []string {
 	permissions := GetPermissionsByUser(userId)
+	for _, role := range GetAllRoles(userId) {
+		permissions = append(permissions, GetPermissionsByRole(role)...)
+	}
+
 	var values []string
 	for _, permission := range permissions {
 		enforcer := getEnforcer(permission)
-		enforcer.ClearPolicy()
-		err := enforcer.LoadFilteredPolicy(xormadapter.Filter{V0: []string{permission.GetId()}, V1: []string{userId}})
-		if err != nil {
-			return nil
-		}
-
-		for _, value := range enforcer.GetModel().GetValuesForFieldInPolicyAllTypes(sec, fieldIndex) {
-			values = append(values, value)
-		}
+		values = append(values, fn(enforcer)...)
 	}
 	return values
 }
 
 func GetAllObjects(userId string) []string {
-	return getAllValues(userId, "p", 2)
+	return getAllValues(userId, func(enforcer *casbin.Enforcer) []string {
+		return enforcer.GetAllObjects()
+	})
 }
 
 func GetAllActions(userId string) []string {
-	return getAllValues(userId, "p", 3)
+	return getAllValues(userId, func(enforcer *casbin.Enforcer) []string {
+		return enforcer.GetAllActions()
+	})
 }
 
 func GetAllRoles(userId string) []string {

object/role.go

@@ -99,11 +99,6 @@ func UpdateRole(id string, role *Role) bool {
 		panic(err)
 	}
 
-	if affected != 0 {
-		removeGroupingPolicies(oldRole)
-		addGroupingPolicies(role)
-	}
-
 	return affected != 0
 }
 
@@ -113,10 +108,6 @@ func AddRole(role *Role) bool {
 		panic(err)
 	}
 
-	if affected != 0 {
-		addGroupingPolicies(role)
-	}
-
 	return affected != 0
 }
 
@@ -126,10 +117,6 @@ func DeleteRole(role *Role) bool {
 		panic(err)
 	}
 
-	if affected != 0 {
-		removeGroupingPolicies(role)
-	}
-
 	return affected != 0
 }
 

storage/minio_s3.go

@@ -0,0 +1,36 @@
+// Copyright 2021 The Casdoor Authors. All Rights Reserved.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//      http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package storage
+
+import (
+	awss3 "github.com/aws/aws-sdk-go/service/s3"
+	"github.com/casdoor/oss"
+	"github.com/casdoor/oss/s3"
+)
+
+func NewMinIOS3StorageProvider(clientId string, clientSecret string, region string, bucket string, endpoint string) oss.StorageInterface {
+	sp := s3.New(&s3.Config{
+		AccessID:         clientId,
+		AccessKey:        clientSecret,
+		Region:           region,
+		Bucket:           bucket,
+		Endpoint:         endpoint,
+		S3Endpoint:       endpoint,
+		ACL:              awss3.BucketCannedACLPublicRead,
+		S3ForcePathStyle: true,
+	})
+
+	return sp
+}

storage/storage.go

@@ -22,6 +22,8 @@ func GetStorageProvider(providerType string, clientId string, clientSecret strin
 		return NewLocalFileSystemStorageProvider(clientId, clientSecret, region, bucket, endpoint)
 	case "AWS S3":
 		return NewAwsS3StorageProvider(clientId, clientSecret, region, bucket, endpoint)
+	case "MinIO":
+		return NewMinIOS3StorageProvider(clientId, clientSecret, region, bucket, endpoint)
 	case "Aliyun OSS":
 		return NewAliyunOssStorageProvider(clientId, clientSecret, region, bucket, endpoint)
 	case "Tencent Cloud COS":

web/src/PermissionEditPage.js

@@ -187,6 +187,16 @@ class PermissionEditPage extends React.Component {
             </Select>
           </Col>
         </Row>
+        <Row style={{marginTop: "20px"}} >
+          <Col style={{marginTop: "5px"}} span={(Setting.isMobile()) ? 22 : 2}>
+            {Setting.getLabel(i18next.t("general:Adapter"), i18next.t("general:Adapter - Tooltip"))} :
+          </Col>
+          <Col span={22} >
+            <Input value={this.state.permission.adapter} onChange={e => {
+              this.updatePermissionField("adapter", e.target.value);
+            }} />
+          </Col>
+        </Row>
         <Row style={{marginTop: "20px"}} >
           <Col style={{marginTop: "5px"}} span={(Setting.isMobile()) ? 22 : 2}>
             {Setting.getLabel(i18next.t("role:Sub users"), i18next.t("role:Sub users - Tooltip"))} :
@@ -217,7 +227,7 @@ class PermissionEditPage extends React.Component {
           </Col>
           <Col span={22} >
             <Select virtual={false} mode="tags" style={{width: "100%"}} value={this.state.permission.domains} onChange={(value => {
-              this.updateRoleField("domains", value);
+              this.updatePermissionField("domains", value);
             })}>
               {
                 this.state.permission.domains.map((domain, index) => <Option key={index} value={domain}>{domain}</Option>)
@@ -360,6 +370,27 @@ class PermissionEditPage extends React.Component {
   }
 
   submitPermissionEdit(willExist) {
+    if (this.state.permission.users.length === 0 && this.state.permission.roles.length === 0) {
+      Setting.showMessage("error", "The users and roles cannot be empty at the same time");
+      return;
+    }
+    if (this.state.permission.domains.length === 0) {
+      Setting.showMessage("error", "The domains cannot be empty");
+      return;
+    }
+    if (this.state.permission.resources.length === 0) {
+      Setting.showMessage("error", "The resources cannot be empty");
+      return;
+    }
+    if (this.state.permission.actions.length === 0) {
+      Setting.showMessage("error", "The actions cannot be empty");
+      return;
+    }
+    if (!Setting.isLocalAdminUser(this.props.account) && this.state.permission.submitter !== this.props.account.name) {
+      Setting.showMessage("error", "A normal user can only modify the permission submitted by itself");
+      return;
+    }
+
     const permission = Setting.deepCopy(this.state.permission);
     PermissionBackend.updatePermission(this.state.organizationName, this.state.permissionName, permission)
       .then((res) => {

web/src/PermissionListPage.js

@@ -215,6 +215,45 @@ class PermissionListPage extends BaseListPage {
           );
         },
       },
+      {
+        title: i18next.t("permission:Submitter"),
+        dataIndex: "submitter",
+        key: "submitter",
+        filterMultiple: false,
+        width: "120px",
+        sorter: true,
+      },
+      {
+        title: i18next.t("permission:Approver"),
+        dataIndex: "approver",
+        key: "approver",
+        filterMultiple: false,
+        width: "120px",
+        sorter: true,
+      },
+      {
+        title: i18next.t("permission:Approve time"),
+        dataIndex: "approveTime",
+        key: "approveTime",
+        filterMultiple: false,
+        width: "120px",
+        sorter: true,
+        render: (text, record, index) => {
+          return Setting.getFormattedDate(text);
+        },
+      },
+      {
+        title: i18next.t("permission:State"),
+        dataIndex: "state",
+        key: "state",
+        filterMultiple: false,
+        filters: [
+          {text: "Approved", value: "Approved"},
+          {text: "Pending", value: "Pending"},
+        ],
+        width: "120px",
+        sorter: true,
+      },
       {
         title: i18next.t("general:Action"),
         dataIndex: "",
@@ -269,7 +308,7 @@ class PermissionListPage extends BaseListPage {
     }
     this.setState({loading: true});
 
-    const getPermissions = Setting.isAdminUser(this.props.account) ? PermissionBackend.getPermissions : PermissionBackend.getPermissionsBySubmitter;
+    const getPermissions = Setting.isLocalAdminUser(this.props.account) ? PermissionBackend.getPermissions : PermissionBackend.getPermissionsBySubmitter;
     getPermissions("", params.pagination.current, params.pagination.pageSize, field, value, sortField, sortOrder)
       .then((res) => {
         if (res.status === "ok") {

web/src/ProviderEditPage.js

@@ -474,7 +474,7 @@ class ProviderEditPage extends React.Component {
                 }} />
               </Col>
             </Row>
-            {this.state.provider.type === "AWS S3" || this.state.provider.type === "Tencent Cloud COS" ? (
+            {["AWS S3", "MinIO", "Tencent Cloud COS"].includes(this.state.provider.type) ? (
               <Row style={{marginTop: "20px"}} >
                 <Col style={{marginTop: "5px"}} span={2}>
                   {Setting.getLabel(i18next.t("provider:Region ID"), i18next.t("provider:Region ID - Tooltip"))} :

web/src/Setting.js

@@ -69,6 +69,10 @@ export const OtherProviderInfo = {
       logo: `${StaticBaseUrl}/img/social_aws.png`,
       url: "https://aws.amazon.com/s3",
     },
+    "MinIO": {
+      logo: "https://min.io/resources/img/logo.svg",
+      url: "https://min.io/",
+    },
     "Aliyun OSS": {
       logo: `${StaticBaseUrl}/img/social_aliyun.png`,
       url: "https://aliyun.com/product/oss",
@@ -612,6 +616,7 @@ export function getProviderTypeOptions(category) {
       [
         {id: "Local File System", name: "Local File System"},
         {id: "AWS S3", name: "AWS S3"},
+        {id: "MinIO", name: "MinIO"},
         {id: "Aliyun OSS", name: "Aliyun OSS"},
         {id: "Tencent Cloud COS", name: "Tencent Cloud COS"},
         {id: "Azure Blob", name: "Azure Blob"},

web/src/locales/de/data.json

@@ -98,6 +98,8 @@
   },
   "general": {
     "Action": "Aktion",
+    "Adapter": "Adapter",
+    "Adapter - Tooltip": "Adapter - Tooltip",
     "Add": "Neu",
     "Affiliation URL": "Affiliation-URL",
     "Affiliation URL - Tooltip": "Unique string-style identifier",

web/src/locales/en/data.json

@@ -98,6 +98,8 @@
   },
   "general": {
     "Action": "Action",
+    "Adapter": "Adapter",
+    "Adapter - Tooltip": "Adapter - Tooltip",
     "Add": "Add",
     "Affiliation URL": "Affiliation URL",
     "Affiliation URL - Tooltip": "Affiliation URL - Tooltip",

web/src/locales/fr/data.json

@@ -98,6 +98,8 @@
   },
   "general": {
     "Action": "Action",
+    "Adapter": "Adapter",
+    "Adapter - Tooltip": "Adapter - Tooltip",
     "Add": "Ajouter",
     "Affiliation URL": "URL d'affiliation",
     "Affiliation URL - Tooltip": "Unique string-style identifier",

web/src/locales/ja/data.json

@@ -98,6 +98,8 @@
   },
   "general": {
     "Action": "アクション",
+    "Adapter": "Adapter",
+    "Adapter - Tooltip": "Adapter - Tooltip",
     "Add": "追加",
     "Affiliation URL": "アフィリエイトURL",
     "Affiliation URL - Tooltip": "Unique string-style identifier",

web/src/locales/ko/data.json

@@ -98,6 +98,8 @@
   },
   "general": {
     "Action": "Action",
+    "Adapter": "Adapter",
+    "Adapter - Tooltip": "Adapter - Tooltip",
     "Add": "Add",
     "Affiliation URL": "Affiliation URL",
     "Affiliation URL - Tooltip": "Unique string-style identifier",

web/src/locales/ru/data.json

@@ -98,6 +98,8 @@
   },
   "general": {
     "Action": "Действие",
+    "Adapter": "Adapter",
+    "Adapter - Tooltip": "Adapter - Tooltip",
     "Add": "Добавить",
     "Affiliation URL": "URL-адрес партнёра",
     "Affiliation URL - Tooltip": "Unique string-style identifier",

web/src/locales/zh/data.json

@@ -98,6 +98,8 @@
   },
   "general": {
     "Action": "操作",
+    "Adapter": "适配器",
+    "Adapter - Tooltip": "策略存储的表名",
     "Add": "添加",
     "Affiliation URL": "工作单位URL",
     "Affiliation URL - Tooltip": "工作单位URL",