From 05fd5a67bd2e257f3409e50fb582ba29ed9ddda3 Mon Sep 17 00:00:00 2001 From: Ryan Wang Date: Fri, 1 Dec 2023 10:38:09 +0800 Subject: [PATCH] feat: add disallow access console option for custom role (#4958) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit #### What type of PR is this? /area console /kind feature /milestone 2.11.x #### What this PR does / why we need it: 支持为自定义角色配置 **禁止访问 Console** 的选项。 #### Special notes for your reviewer: 测试方式: 1. 创建一个新角色,勾选禁止访问 Console 的选项,并赋予给某个用户。 2. 登录之后,尝试访问 /console 观察是否能够正常访问。 3. 检查个人中心左下角是否有进入 Console 的按钮。 4. 测试其他未设置这个选项的角色是否正常。 #### Does this PR introduce a user-facing change? ```release-note 支持为自定义角色配置 **禁止访问 Console** 的选项。 ``` --- .../extensions/role-template-uc-content.yaml | 10 +++++++ .../extensions/system-default-role.yaml | 4 ++- .../roles/components/RoleEditingModal.vue | 20 ++++++++++++++ .../console-src/router/guards/auth-check.ts | 26 ++++++++++++++++++- console/src/constants/annotations.ts | 1 + console/src/locales/en.yaml | 3 +++ console/src/locales/zh-CN.yaml | 3 +++ console/src/locales/zh-TW.yaml | 3 +++ console/uc-src/layouts/BasicLayout.vue | 13 +++++++++- 9 files changed, 80 insertions(+), 3 deletions(-) diff --git a/application/src/main/resources/extensions/role-template-uc-content.yaml b/application/src/main/resources/extensions/role-template-uc-content.yaml index 3904fdca0..0e4c41648 100644 --- a/application/src/main/resources/extensions/role-template-uc-content.yaml +++ b/application/src/main/resources/extensions/role-template-uc-content.yaml @@ -2,6 +2,8 @@ apiVersion: v1alpha1 kind: "Role" metadata: name: post-editor + labels: + rbac.authorization.halo.run/system-reserved: "true" annotations: rbac.authorization.halo.run/module: "Posts Management" rbac.authorization.halo.run/display-name: "Post Editor" 
@@ -14,9 +16,13 @@ apiVersion: v1alpha1 kind: "Role" metadata: name: post-author + labels: + rbac.authorization.halo.run/system-reserved: "true" annotations: rbac.authorization.halo.run/module: "Posts Management" rbac.authorization.halo.run/display-name: "Post Author" + rbac.authorization.halo.run/disallow-access-console: "true" + rbac.authorization.halo.run/redirect-on-login: "/uc" rbac.authorization.halo.run/dependencies: | [ "post-contributor", "post-publisher" ] rules: [ ] @@ -26,9 +32,13 @@ apiVersion: v1alpha1 kind: "Role" metadata: name: post-contributor + labels: + rbac.authorization.halo.run/system-reserved: "true" annotations: rbac.authorization.halo.run/module: "Posts Management" rbac.authorization.halo.run/display-name: "Post Contributor" + rbac.authorization.halo.run/disallow-access-console: "true" + rbac.authorization.halo.run/redirect-on-login: "/uc" rbac.authorization.halo.run/dependencies: | [ "role-template-view-categories", "role-template-view-tags" ] rbac.authorization.halo.run/ui-permissions: | diff --git a/application/src/main/resources/extensions/system-default-role.yaml b/application/src/main/resources/extensions/system-default-role.yaml index 50adc6baf..dee595d51 100644 --- a/application/src/main/resources/extensions/system-default-role.yaml +++ b/application/src/main/resources/extensions/system-default-role.yaml @@ -6,7 +6,9 @@ metadata: rbac.authorization.halo.run/system-reserved: "true" annotations: rbac.authorization.halo.run/display-name: "访客" -rules: [ ] + rbac.authorization.halo.run/disallow-access-console: "true" + rbac.authorization.halo.run/redirect-on-login: "/uc" +rules: [] --- apiVersion: v1alpha1 diff --git a/console/console-src/modules/system/roles/components/RoleEditingModal.vue b/console/console-src/modules/system/roles/components/RoleEditingModal.vue index 35c8e8b82..dc8ec6d12 100644 --- a/console/console-src/modules/system/roles/components/RoleEditingModal.vue 
+++ b/console/console-src/modules/system/roles/components/RoleEditingModal.vue @@ -163,6 +163,26 @@ const handleResetForm = () => { type="text" :label="$t('core.role.editing_modal.fields.redirect_on_login')" > + diff --git a/console/console-src/router/guards/auth-check.ts b/console/console-src/router/guards/auth-check.ts index 710d579ca..77a5969b4 100644 --- a/console/console-src/router/guards/auth-check.ts +++ b/console/console-src/router/guards/auth-check.ts @@ -42,7 +42,7 @@ export function setupAuthCheckGuard(router: Router) { window.location.href = roleHasRedirectOnLogin.metadata.annotations?.[ rbacAnnotations.REDIRECT_ON_LOGIN - ] || "/"; + ] || "/uc"; return; } @@ -51,6 +51,30 @@ export function setupAuthCheckGuard(router: Router) { }); return; } + + if (to.name === "whiteList") { + next(); + return; + } + + // Check allow access console + const { currentRoles } = userStore; + + const hasDisallowAccessConsoleRole = currentRoles?.some((role) => { + return ( + role.metadata.annotations?.[ + rbacAnnotations.DISALLOW_ACCESS_CONSOLE + ] === "true" + ); + }); + + if (hasDisallowAccessConsoleRole) { + window.location.href = "/uc"; + return; + } + + next(); + return; } next(); diff --git a/console/src/constants/annotations.ts b/console/src/constants/annotations.ts index fa0272f39..c09f1b01c 100644 --- a/console/src/constants/annotations.ts +++ b/console/src/constants/annotations.ts @@ -12,6 +12,7 @@ export enum rbacAnnotations { AVATAR_ATTACHMENT_NAME = "halo.run/avatar-attachment-name", LAST_AVATAR_ATTACHMENT_NAME = "halo.run/last-avatar-attachment-name", REDIRECT_ON_LOGIN = "rbac.authorization.halo.run/redirect-on-login", + DISALLOW_ACCESS_CONSOLE = "rbac.authorization.halo.run/disallow-access-console", } // content diff --git a/console/src/locales/en.yaml b/console/src/locales/en.yaml index e5e236c68..a8e769c52 100644 --- a/console/src/locales/en.yaml +++ b/console/src/locales/en.yaml 
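Review bot: In the first auth-check.ts hunk the `redirect-on-login` annotation value is still assigned to `window.location.href` unvalidated; the commit only changes the fallback to `"/uc"`. The role editing modal appears to expose this annotation as a free-text field, so an absolute URL or a non-HTTP scheme stored on a role would be followed after login. Consider resolving the value first and falling back to `"/uc"` unless `new URL(value, window.location.origin).origin === window.location.origin`. The enclosing guard callback in `setupAuthCheckGuard` starts and ends outside this hunk.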
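Review bot: The new check in the second auth-check.ts hunk fails open, because `currentRoles?.some(...)` evaluates to `undefined` when `currentRoles` has not been populated, so the guard reaches `next()` and the console route loads. If the roles can be unset at this point, treat that case explicitly, for example `if (!currentRoles || hasDisallowAccessConsoleRole) { window.location.href = "/uc"; return; }`. This is also a client-side route guard, and the diffstat lists no server-side code, so unless the backend enforces `disallow-access-console` elsewhere, the annotation hides the console UI without restricting the APIs the role's rules allow. A comment above the check would make that clear: `// UI-only restriction: API access is still governed by the role's rules`. The enclosing guard callback starts outside the hunk.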
@@ -989,6 +989,9 @@ core: fields: display_name: Display name redirect_on_login: Default redirect location after logging in + disallow_access_console: + label: Disable access to Console + help: Once checked, this role will not be able to access the Console identity_authentication: title: Identity Authentication tabs: diff --git a/console/src/locales/zh-CN.yaml b/console/src/locales/zh-CN.yaml index c5f1debfa..02fe40143 100644 --- a/console/src/locales/zh-CN.yaml +++ b/console/src/locales/zh-CN.yaml @@ -935,6 +935,9 @@ core: fields: display_name: 名称 redirect_on_login: 登录之后默认跳转位置 + disallow_access_console: + label: 禁止访问 Console + help: 勾选之后,该角色将无法访问 Console identity_authentication: title: 身份认证 tabs: diff --git a/console/src/locales/zh-TW.yaml b/console/src/locales/zh-TW.yaml index 67cea9303..71eed660e 100644 --- a/console/src/locales/zh-TW.yaml +++ b/console/src/locales/zh-TW.yaml @@ -923,6 +923,9 @@ core: fields: display_name: 名稱 redirect_on_login: 登入之後預設跳轉位置 + disallow_access_console: + label: 禁止訪問 Console + help: 勾選之後,該角色將無法存取 Console identity_authentication: title: 身份認證 tabs: diff --git a/console/uc-src/layouts/BasicLayout.vue b/console/uc-src/layouts/BasicLayout.vue index 229e5ebb0..28ee3fa25 100644 --- a/console/uc-src/layouts/BasicLayout.vue +++ b/console/uc-src/layouts/BasicLayout.vue @@ -11,7 +11,7 @@ import { import { RoutesMenu } from "@/components/menu/RoutesMenu"; import IconLogo from "~icons/core/logo?width=5rem&height=2rem"; import { RouterView, useRoute, useRouter } from "vue-router"; -import { onMounted, reactive, ref } from "vue"; +import { computed, onMounted, reactive, ref } from "vue"; import axios from "axios"; import LoginModal from "@/components/login/LoginModal.vue"; import { coreMenuGroups } from "@console/router/constant"; 
@@ -95,6 +95,16 @@ onMounted(() => { initialize({ target: navbarScroller.value }); } }); + +const disallowAccessConsole = computed(() => { + const hasDisallowAccessConsoleRole = currentRoles?.value?.some((role) => { + return ( + role.metadata.annotations?.[rbacAnnotations.DISALLOW_ACCESS_CONSOLE] === + "true" + ); + }); + return !!hasDisallowAccessConsoleRole; +});