feat: add disallow access console option for custom role (#4958)

#### What type of PR is this? /area console /kind feature /milestone 2.11.x #### What this PR does / why we need it: 支持为自定义角色配置 **禁止访问 Console** 的选项。 #### Special notes for your reviewer: 测试方式： 1. 创建一个新角色，勾选禁止访问 Console 的选项，并赋予给某个用户。 2. 登录之后，尝试访问 /console 观察是否能够正常访问。 3. 检查个人中心左下角是否有进入 Console 的按钮。 4. 测试其他未设置这个选项的角色是否正常。 #### Does this PR introduce a user-facing change? ```release-note 支持为自定义角色配置 **禁止访问 Console** 的选项。 ```
2023-12-01 10:38:09 +08:00 · 2023-12-01 10:38:09 +08:00 · 05fd5a67bd
parent 61fe95ab3c
commit 05fd5a67bd
9 changed files with 80 additions and 3 deletions
--- a/application/src/main/resources/extensions/role-template-uc-content.yaml
+++ b/application/src/main/resources/extensions/role-template-uc-content.yaml
@ -2,6 +2,8 @@ apiVersion: v1alpha1
 kind: "Role"
 metadata:
  name: post-editor
+  labels:
+    rbac.authorization.halo.run/system-reserved: "true"
  annotations:
    rbac.authorization.halo.run/module: "Posts Management"
    rbac.authorization.halo.run/display-name: "Post Editor"
@ -14,9 +16,13 @@ apiVersion: v1alpha1
 kind: "Role"
 metadata:
  name: post-author
+  labels:
+    rbac.authorization.halo.run/system-reserved: "true"
  annotations:
    rbac.authorization.halo.run/module: "Posts Management"
    rbac.authorization.halo.run/display-name: "Post Author"
+    rbac.authorization.halo.run/disallow-access-console: "true"
+    rbac.authorization.halo.run/redirect-on-login: "/uc"
    rbac.authorization.halo.run/dependencies: |
      [ "post-contributor", "post-publisher" ]
 rules: [ ]
@ -26,9 +32,13 @@ apiVersion: v1alpha1
 kind: "Role"
 metadata:
  name: post-contributor
+  labels:
+    rbac.authorization.halo.run/system-reserved: "true"
  annotations:
    rbac.authorization.halo.run/module: "Posts Management"
    rbac.authorization.halo.run/display-name: "Post Contributor"
+    rbac.authorization.halo.run/disallow-access-console: "true"
+    rbac.authorization.halo.run/redirect-on-login: "/uc"
    rbac.authorization.halo.run/dependencies: |
      [ "role-template-view-categories", "role-template-view-tags" ]
    rbac.authorization.halo.run/ui-permissions: |
--- a/application/src/main/resources/extensions/system-default-role.yaml
+++ b/application/src/main/resources/extensions/system-default-role.yaml
@ -6,7 +6,9 @@ metadata:
    rbac.authorization.halo.run/system-reserved: "true"
  annotations:
    rbac.authorization.halo.run/display-name: "访客"
-rules: [ ]
+    rbac.authorization.halo.run/disallow-access-console: "true"
+    rbac.authorization.halo.run/redirect-on-login: "/uc"
+rules: []

 ---
 apiVersion: v1alpha1
--- a/console/console-src/modules/system/roles/components/RoleEditingModal.vue
+++ b/console/console-src/modules/system/roles/components/RoleEditingModal.vue
@ -163,6 +163,26 @@ const handleResetForm = () => {
              type="text"
              :label="$t('core.role.editing_modal.fields.redirect_on_login')"
            ></FormKit>
+            <FormKit
+              v-model="
+                formState.metadata.annotations[
+                  rbacAnnotations.DISALLOW_ACCESS_CONSOLE
+                ]
+              "
+              on-value="true"
+              off-value="false"
+              type="checkbox"
+              :label="
+                $t(
+                  'core.role.editing_modal.fields.disallow_access_console.label'
+                )
+              "
+              :help="
+                $t(
+                  'core.role.editing_modal.fields.disallow_access_console.help'
+                )
+              "
+            ></FormKit>
          </FormKit>
        </div>
      </div>
--- a/console/console-src/router/guards/auth-check.ts
+++ b/console/console-src/router/guards/auth-check.ts
@ -42,7 +42,7 @@ export function setupAuthCheckGuard(router: Router) {
          window.location.href =
            roleHasRedirectOnLogin.metadata.annotations?.[
              rbacAnnotations.REDIRECT_ON_LOGIN
-            ] || "/";
+            ] || "/uc";
          return;
        }

@ -51,6 +51,30 @@ export function setupAuthCheckGuard(router: Router) {
        });
        return;
      }
+
+      if (to.name === "whiteList") {
+        next();
+        return;
+      }
+
+      // Check allow access console
+      const { currentRoles } = userStore;
+
+      const hasDisallowAccessConsoleRole = currentRoles?.some((role) => {
+        return (
+          role.metadata.annotations?.[
+            rbacAnnotations.DISALLOW_ACCESS_CONSOLE
+          ] === "true"
+        );
+      });
+
+      if (hasDisallowAccessConsoleRole) {
+        window.location.href = "/uc";
+        return;
+      }
+
+      next();
+      return;
    }

    next();
--- a/console/src/constants/annotations.ts
+++ b/console/src/constants/annotations.ts
@ -12,6 +12,7 @@ export enum rbacAnnotations {
  AVATAR_ATTACHMENT_NAME = "halo.run/avatar-attachment-name",
  LAST_AVATAR_ATTACHMENT_NAME = "halo.run/last-avatar-attachment-name",
  REDIRECT_ON_LOGIN = "rbac.authorization.halo.run/redirect-on-login",
+  DISALLOW_ACCESS_CONSOLE = "rbac.authorization.halo.run/disallow-access-console",
 }

 // content
--- a/console/src/locales/en.yaml
+++ b/console/src/locales/en.yaml
@ -989,6 +989,9 @@ core:
      fields:
        display_name: Display name
        redirect_on_login: Default redirect location after logging in
+        disallow_access_console:
+          label: Disable access to Console
+          help: Once checked, this role will not be able to access the Console
  identity_authentication:
    title: Identity Authentication
    tabs:
--- a/console/src/locales/zh-CN.yaml
+++ b/console/src/locales/zh-CN.yaml
@ -935,6 +935,9 @@ core:
      fields:
        display_name: 名称
        redirect_on_login: 登录之后默认跳转位置
+        disallow_access_console:
+          label: 禁止访问 Console
+          help: 勾选之后，该角色将无法访问 Console
  identity_authentication:
    title: 身份认证
    tabs:
--- a/console/src/locales/zh-TW.yaml
+++ b/console/src/locales/zh-TW.yaml
@ -923,6 +923,9 @@ core:
      fields:
        display_name: 名稱
        redirect_on_login: 登入之後預設跳轉位置
+        disallow_access_console:
+          label: 禁止訪問 Console
+          help: 勾選之後，該角色將無法存取 Console
  identity_authentication:
    title: 身份認證
    tabs:
--- a/console/uc-src/layouts/BasicLayout.vue
+++ b/console/uc-src/layouts/BasicLayout.vue
@ -11,7 +11,7 @@ import {
 import { RoutesMenu } from "@/components/menu/RoutesMenu";
 import IconLogo from "~icons/core/logo?width=5rem&height=2rem";
 import { RouterView, useRoute, useRouter } from "vue-router";
-import { onMounted, reactive, ref } from "vue";
+import { computed, onMounted, reactive, ref } from "vue";
 import axios from "axios";
 import LoginModal from "@/components/login/LoginModal.vue";
 import { coreMenuGroups } from "@console/router/constant";
@ -95,6 +95,16 @@ onMounted(() => {
    initialize({ target: navbarScroller.value });
  }
 });
+
+const disallowAccessConsole = computed(() => {
+  const hasDisallowAccessConsoleRole = currentRoles?.value?.some((role) => {
+    return (
+      role.metadata.annotations?.[rbacAnnotations.DISALLOW_ACCESS_CONSOLE] ===
+      "true"
+    );
+  });
+  return !!hasDisallowAccessConsoleRole;
+});
 </script>

 <template>
@ -145,6 +155,7 @@ onMounted(() => {
          </div>
          <div class="flex items-center gap-1">
            <a
+              v-if="!disallowAccessConsole"
              v-tooltip="$t('core.uc_sidebar.operations.console.tooltip')"
              class="group inline-block cursor-pointer rounded-full p-1.5 transition-all hover:bg-gray-100"
              href="/console"