feat: add disallow access console option for custom role (#4958)

#### What type of PR is this?

/area console
/kind feature
/milestone 2.11.x

#### What this PR does / why we need it:

支持为自定义角色配置 **禁止访问 Console** 的选项。

#### Special notes for your reviewer:

测试方式:

1. 创建一个新角色,勾选禁止访问 Console 的选项,并赋予给某个用户。
2. 登录之后,尝试访问 /console 观察是否能够正常访问。
3. 检查个人中心左下角是否有进入 Console 的按钮。
4. 测试其他未设置这个选项的角色是否正常。

#### Does this PR introduce a user-facing change?

```release-note
支持为自定义角色配置 **禁止访问 Console** 的选项。
```
pull/4962/head^2
Ryan Wang 2023-12-01 10:38:09 +08:00 committed by GitHub
parent 61fe95ab3c
commit 05fd5a67bd
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
9 changed files with 80 additions and 3 deletions


@ -2,6 +2,8 @@ apiVersion: v1alpha1
kind: "Role"
metadata:
name: post-editor
labels:
rbac.authorization.halo.run/system-reserved: "true"
annotations:
rbac.authorization.halo.run/module: "Posts Management"
rbac.authorization.halo.run/display-name: "Post Editor"
@ -14,9 +16,13 @@ apiVersion: v1alpha1
kind: "Role"
metadata:
name: post-author
labels:
rbac.authorization.halo.run/system-reserved: "true"
annotations:
rbac.authorization.halo.run/module: "Posts Management"
rbac.authorization.halo.run/display-name: "Post Author"
rbac.authorization.halo.run/disallow-access-console: "true"
rbac.authorization.halo.run/redirect-on-login: "/uc"
rbac.authorization.halo.run/dependencies: |
[ "post-contributor", "post-publisher" ]
rules: [ ]
@ -26,9 +32,13 @@ apiVersion: v1alpha1
kind: "Role"
metadata:
name: post-contributor
labels:
rbac.authorization.halo.run/system-reserved: "true"
annotations:
rbac.authorization.halo.run/module: "Posts Management"
rbac.authorization.halo.run/display-name: "Post Contributor"
rbac.authorization.halo.run/disallow-access-console: "true"
rbac.authorization.halo.run/redirect-on-login: "/uc"
rbac.authorization.halo.run/dependencies: |
[ "role-template-view-categories", "role-template-view-tags" ]
rbac.authorization.halo.run/ui-permissions: |


@ -6,7 +6,9 @@ metadata:
rbac.authorization.halo.run/system-reserved: "true"
annotations:
rbac.authorization.halo.run/display-name: "访客"
rules: [ ]
rbac.authorization.halo.run/disallow-access-console: "true"
rbac.authorization.halo.run/redirect-on-login: "/uc"
rules: []
---
apiVersion: v1alpha1


@ -163,6 +163,26 @@ const handleResetForm = () => {
type="text"
:label="$t('core.role.editing_modal.fields.redirect_on_login')"
></FormKit>
<FormKit
v-model="
formState.metadata.annotations[
rbacAnnotations.DISALLOW_ACCESS_CONSOLE
]
"
on-value="true"
off-value="false"
type="checkbox"
:label="
$t(
'core.role.editing_modal.fields.disallow_access_console.label'
)
"
:help="
$t(
'core.role.editing_modal.fields.disallow_access_console.help'
)
"
></FormKit>
</FormKit>
</div>
</div>


@ -42,7 +42,7 @@ export function setupAuthCheckGuard(router: Router) {
window.location.href =
roleHasRedirectOnLogin.metadata.annotations?.[
rbacAnnotations.REDIRECT_ON_LOGIN
] || "/";
] || "/uc";
return;
}
@ -51,6 +51,30 @@ export function setupAuthCheckGuard(router: Router) {
});
return;
}
if (to.name === "whiteList") {
next();
return;
}
// Check allow access console
const { currentRoles } = userStore;
const hasDisallowAccessConsoleRole = currentRoles?.some((role) => {
return (
role.metadata.annotations?.[
rbacAnnotations.DISALLOW_ACCESS_CONSOLE
] === "true"
);
});
if (hasDisallowAccessConsoleRole) {
window.location.href = "/uc";
return;
}
next();
return;
}
next();
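Review bot: The new DISALLOW_ACCESS_CONSOLE check in setupAuthCheckGuard, which sets `window.location.href = "/uc"`, runs only in the browser's router guard, so it hides the Console UI but does not by itself stop a user with such a role from calling console endpoints directly. None of the sections shown on this page add a server-side check, so the restriction is only as strong as the role's `rules`. I would say so at the check, e.g. `// UI-only: hides the Console; API access is still governed by the role's server-side rules`, and confirm the backend denies console requests for these roles. Because the test is `currentRoles?.some(...)`, one annotated role overrides any other role meant to grant Console access, and the first hunk still assigns the REDIRECT_ON_LOGIN annotation to `window.location.href` unvalidated, so limiting it to same-origin paths (starts with `/`, not `//`) would keep a mis-set role from sending users off-site. The guard's body starts and ends outside these hunks.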


@ -12,6 +12,7 @@ export enum rbacAnnotations {
AVATAR_ATTACHMENT_NAME = "halo.run/avatar-attachment-name",
LAST_AVATAR_ATTACHMENT_NAME = "halo.run/last-avatar-attachment-name",
REDIRECT_ON_LOGIN = "rbac.authorization.halo.run/redirect-on-login",
DISALLOW_ACCESS_CONSOLE = "rbac.authorization.halo.run/disallow-access-console",
}
// content


@ -989,6 +989,9 @@ core:
fields:
display_name: Display name
redirect_on_login: Default redirect location after logging in
disallow_access_console:
label: Disable access to Console
help: Once checked, this role will not be able to access the Console
identity_authentication:
title: Identity Authentication
tabs:


@ -935,6 +935,9 @@ core:
fields:
display_name: 名称
redirect_on_login: 登录之后默认跳转位置
disallow_access_console:
label: 禁止访问 Console
help: 勾选之后,该角色将无法访问 Console
identity_authentication:
title: 身份认证
tabs:


@ -923,6 +923,9 @@ core:
fields:
display_name: 名稱
redirect_on_login: 登入之後預設跳轉位置
disallow_access_console:
label: 禁止訪問 Console
help: 勾選之後,該角色將無法存取 Console
identity_authentication:
title: 身份認證
tabs:


@ -11,7 +11,7 @@ import {
import { RoutesMenu } from "@/components/menu/RoutesMenu";
import IconLogo from "~icons/core/logo?width=5rem&height=2rem";
import { RouterView, useRoute, useRouter } from "vue-router";
import { onMounted, reactive, ref } from "vue";
import { computed, onMounted, reactive, ref } from "vue";
import axios from "axios";
import LoginModal from "@/components/login/LoginModal.vue";
import { coreMenuGroups } from "@console/router/constant";
@ -95,6 +95,16 @@ onMounted(() => {
initialize({ target: navbarScroller.value });
}
});
const disallowAccessConsole = computed(() => {
const hasDisallowAccessConsoleRole = currentRoles?.value?.some((role) => {
return (
role.metadata.annotations?.[rbacAnnotations.DISALLOW_ACCESS_CONSOLE] ===
"true"
);
});
return !!hasDisallowAccessConsoleRole;
});
</script>
<template>
@ -145,6 +155,7 @@ onMounted(() => {
</div>
<div class="flex items-center gap-1">
<a
v-if="!disallowAccessConsole"
v-tooltip="$t('core.uc_sidebar.operations.console.tooltip')"
class="group inline-block cursor-pointer rounded-full p-1.5 transition-all hover:bg-gray-100"
href="/console"
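Review bot: The `disallowAccessConsole` computed repeats the same `some(...)` predicate on DISALLOW_ACCESS_CONSOLE that the console router guard uses, so the two copies can drift apart; a single getter on the user store or a small shared helper would keep the link's visibility and the guard's redirect in step. `rbacAnnotations` is referenced in the computed, but the import hunk at the top of this section only adds `computed`, so check that the enum is already imported elsewhere in the file. The `v-if="!disallowAccessConsole"` only hides the entry point and is not a control on `/console` itself; a comment such as `// mirrors the console router guard; UI visibility only` above the computed would make that explicit.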