diff --git a/application/src/main/resources/extensions/role-template-uc-content.yaml b/application/src/main/resources/extensions/role-template-uc-content.yaml
index 3904fdca0..0e4c41648 100644
--- a/application/src/main/resources/extensions/role-template-uc-content.yaml
+++ b/application/src/main/resources/extensions/role-template-uc-content.yaml
@@ -2,6 +2,8 @@ apiVersion: v1alpha1
 kind: "Role"
 metadata:
 name: post-editor
+ labels:
+ rbac.authorization.halo.run/system-reserved: "true"
 annotations:
 rbac.authorization.halo.run/module: "Posts Management"
 rbac.authorization.halo.run/display-name: "Post Editor"
@@ -14,9 +16,13 @@ apiVersion: v1alpha1
 kind: "Role"
 metadata:
 name: post-author
+ labels:
+ rbac.authorization.halo.run/system-reserved: "true"
 annotations:
 rbac.authorization.halo.run/module: "Posts Management"
 rbac.authorization.halo.run/display-name: "Post Author"
+ rbac.authorization.halo.run/disallow-access-console: "true"
+ rbac.authorization.halo.run/redirect-on-login: "/uc"
 rbac.authorization.halo.run/dependencies: |
 [ "post-contributor", "post-publisher" ]
 rules: [ ]
@@ -26,9 +32,13 @@ apiVersion: v1alpha1
 kind: "Role"
 metadata:
 name: post-contributor
+ labels:
+ rbac.authorization.halo.run/system-reserved: "true"
 annotations:
 rbac.authorization.halo.run/module: "Posts Management"
 rbac.authorization.halo.run/display-name: "Post Contributor"
+ rbac.authorization.halo.run/disallow-access-console: "true"
+ rbac.authorization.halo.run/redirect-on-login: "/uc"
 rbac.authorization.halo.run/dependencies: |
 [ "role-template-view-categories", "role-template-view-tags" ]
 rbac.authorization.halo.run/ui-permissions: |
diff --git a/application/src/main/resources/extensions/system-default-role.yaml b/application/src/main/resources/extensions/system-default-role.yaml
index 50adc6baf..dee595d51 100644
--- a/application/src/main/resources/extensions/system-default-role.yaml
+++ b/application/src/main/resources/extensions/system-default-role.yaml
@@ -6,7 +6,9 @@ metadata:
 rbac.authorization.halo.run/system-reserved: "true"
 annotations:
 rbac.authorization.halo.run/display-name: "访客"
-rules: [ ]
+ rbac.authorization.halo.run/disallow-access-console: "true"
+ rbac.authorization.halo.run/redirect-on-login: "/uc"
+rules: []
 ---
 apiVersion: v1alpha1
diff --git a/console/console-src/modules/system/roles/components/RoleEditingModal.vue b/console/console-src/modules/system/roles/components/RoleEditingModal.vue
index 35c8e8b82..dc8ec6d12 100644
--- a/console/console-src/modules/system/roles/components/RoleEditingModal.vue
+++ b/console/console-src/modules/system/roles/components/RoleEditingModal.vue
@@ -163,6 +163,26 @@ const handleResetForm = () => { type="text" :label="$t('core.role.editing_modal.fields.redirect_on_login')" > +
diff --git a/console/console-src/router/guards/auth-check.ts b/console/console-src/router/guards/auth-check.ts
index 710d579ca..77a5969b4 100644
--- a/console/console-src/router/guards/auth-check.ts
+++ b/console/console-src/router/guards/auth-check.ts
@@ -42,7 +42,7 @@ export function setupAuthCheckGuard(router: Router) {
 window.location.href =
 roleHasRedirectOnLogin.metadata.annotations?.[
 rbacAnnotations.REDIRECT_ON_LOGIN
- ] || "/";
+ ] || "/uc";
 return;
 }
@@ -51,6 +51,30 @@ export function setupAuthCheckGuard(router: Router) {
 });
 return;
 }
+
+ if (to.name === "whiteList") {
+ next();
+ return;
+ }
+
+ // Check allow access console
+ const { currentRoles } = userStore;
+
+ const hasDisallowAccessConsoleRole = currentRoles?.some((role) => {
+ return (
+ role.metadata.annotations?.[
+ rbacAnnotations.DISALLOW_ACCESS_CONSOLE
+ ] === "true"
+ );
+ });
+
+ if (hasDisallowAccessConsoleRole) {
+ window.location.href = "/uc";
+ return;
+ }
+
+ next();
+ return;
 }
 next();
diff --git a/console/src/constants/annotations.ts b/console/src/constants/annotations.ts
index fa0272f39..c09f1b01c 100644
--- a/console/src/constants/annotations.ts
+++ b/console/src/constants/annotations.ts
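Review bot: The redirect target in the `@@ -42,7 +42,7 @@` hunk of auth-check.ts is still read from the role's `redirect-on-login` annotation and assigned to `window.location.href` without any check; only the fallback moves from `"/"` to `"/uc"`. RoleEditingModal appears to expose that annotation as a free-text field, so whoever can edit a role decides where its users land after login, including off-site or non-HTTP targets. Consider resolving the value against the current origin and falling back when it leaves it, e.g. `const url = new URL(target || "/uc", window.location.origin);` followed by `window.location.href = url.origin === window.location.origin ? url.href : "/uc";`, where `target` is the annotation value. The enclosing guard callback starts and ends outside the hunk.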
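Review bot: The `DISALLOW_ACCESS_CONSOLE` check added in the `@@ -51,6 +51,30 @@` hunk of auth-check.ts runs only in the browser's router guard, so it steers navigation but restricts nothing; a client that skips or alters this code is limited only by what the server authorizes for the role's `rules`. No server-side change is visible in this diff, so please confirm the console APIs are denied by the backend for these roles, and put a comment above the check such as `// UX redirect only, not an authorization boundary: console API access must be denied server-side by the role's rules.` Because the test uses `some`, one annotated role locks out a user who also holds a console-capable role; if deny-wins is intended, state it in the same comment. The same predicate is repeated in the BasicLayout.vue hunk and would be better as one shared helper. `setupAuthCheckGuard` starts and ends outside the hunk.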
@@ -12,6 +12,7 @@ export enum rbacAnnotations {
 AVATAR_ATTACHMENT_NAME = "halo.run/avatar-attachment-name",
 LAST_AVATAR_ATTACHMENT_NAME = "halo.run/last-avatar-attachment-name",
 REDIRECT_ON_LOGIN = "rbac.authorization.halo.run/redirect-on-login",
+ DISALLOW_ACCESS_CONSOLE = "rbac.authorization.halo.run/disallow-access-console",
 }
 // content
diff --git a/console/src/locales/en.yaml b/console/src/locales/en.yaml
index e5e236c68..a8e769c52 100644
--- a/console/src/locales/en.yaml
+++ b/console/src/locales/en.yaml
@@ -989,6 +989,9 @@ core:
 fields:
 display_name: Display name
 redirect_on_login: Default redirect location after logging in
+ disallow_access_console:
+ label: Disable access to Console
+ help: Once checked, this role will not be able to access the Console
 identity_authentication:
 title: Identity Authentication
 tabs:
diff --git a/console/src/locales/zh-CN.yaml b/console/src/locales/zh-CN.yaml
index c5f1debfa..02fe40143 100644
--- a/console/src/locales/zh-CN.yaml
+++ b/console/src/locales/zh-CN.yaml
@@ -935,6 +935,9 @@ core:
 fields:
 display_name: 名称
 redirect_on_login: 登录之后默认跳转位置
+ disallow_access_console:
+ label: 禁止访问 Console
+ help: 勾选之后,该角色将无法访问 Console
 identity_authentication:
 title: 身份认证
 tabs:
diff --git a/console/src/locales/zh-TW.yaml b/console/src/locales/zh-TW.yaml
index 67cea9303..71eed660e 100644
--- a/console/src/locales/zh-TW.yaml
+++ b/console/src/locales/zh-TW.yaml
@@ -923,6 +923,9 @@ core:
 fields:
 display_name: 名稱
 redirect_on_login: 登入之後預設跳轉位置
+ disallow_access_console:
+ label: 禁止訪問 Console
+ help: 勾選之後,該角色將無法存取 Console
 identity_authentication:
 title: 身份認證
 tabs:
diff --git a/console/uc-src/layouts/BasicLayout.vue b/console/uc-src/layouts/BasicLayout.vue
index 229e5ebb0..28ee3fa25 100644
--- a/console/uc-src/layouts/BasicLayout.vue
+++ b/console/uc-src/layouts/BasicLayout.vue
@@ -11,7 +11,7 @@ import {
 import { RoutesMenu } from "@/components/menu/RoutesMenu";
 import IconLogo from "~icons/core/logo?width=5rem&height=2rem";
 import { RouterView, useRoute, useRouter } from "vue-router";
-import { onMounted, reactive, ref } from "vue";
+import { computed, onMounted, reactive, ref } from "vue";
 import axios from "axios";
 import LoginModal from "@/components/login/LoginModal.vue";
 import { coreMenuGroups } from "@console/router/constant";
@@ -95,6 +95,16 @@ onMounted(() => {
 initialize({ target: navbarScroller.value });
 }
 });
+
+const disallowAccessConsole = computed(() => {
+ const hasDisallowAccessConsoleRole = currentRoles?.value?.some((role) => {
+ return (
+ role.metadata.annotations?.[rbacAnnotations.DISALLOW_ACCESS_CONSOLE] ===
+ "true"
+ );
+ });
+ return !!hasDisallowAccessConsoleRole;
+});