feat: add disallow access console option for custom role (#4958)

#### What type of PR is this?

/area console
/kind feature
/milestone 2.11.x

#### What this PR does / why we need it:

支持为自定义角色配置 **禁止访问 Console** 的选项。

#### Special notes for your reviewer:

测试方式：

1. 创建一个新角色，勾选禁止访问 Console 的选项，并赋予给某个用户。
2. 登录之后，尝试访问 /console 观察是否能够正常访问。
3. 检查个人中心左下角是否有进入 Console 的按钮。
4. 测试其他未设置这个选项的角色是否正常。

#### Does this PR introduce a user-facing change?

```release-note
支持为自定义角色配置 **禁止访问 Console** 的选项。
```

application/src/main/resources/extensions/role-template-uc-content.yaml

@@ -2,6 +2,8 @@ apiVersion: v1alpha1
 kind: "Role"
 metadata:
   name: post-editor
+  labels:
+    rbac.authorization.halo.run/system-reserved: "true"
   annotations:
     rbac.authorization.halo.run/module: "Posts Management"
     rbac.authorization.halo.run/display-name: "Post Editor"
@@ -14,9 +16,13 @@ apiVersion: v1alpha1
 kind: "Role"
 metadata:
   name: post-author
+  labels:
+    rbac.authorization.halo.run/system-reserved: "true"
   annotations:
     rbac.authorization.halo.run/module: "Posts Management"
     rbac.authorization.halo.run/display-name: "Post Author"
+    rbac.authorization.halo.run/disallow-access-console: "true"
+    rbac.authorization.halo.run/redirect-on-login: "/uc"
     rbac.authorization.halo.run/dependencies: |
       [ "post-contributor", "post-publisher" ]
 rules: [ ]
@@ -26,9 +32,13 @@ apiVersion: v1alpha1
 kind: "Role"
 metadata:
   name: post-contributor
+  labels:
+    rbac.authorization.halo.run/system-reserved: "true"
   annotations:
     rbac.authorization.halo.run/module: "Posts Management"
     rbac.authorization.halo.run/display-name: "Post Contributor"
+    rbac.authorization.halo.run/disallow-access-console: "true"
+    rbac.authorization.halo.run/redirect-on-login: "/uc"
     rbac.authorization.halo.run/dependencies: |
       [ "role-template-view-categories", "role-template-view-tags" ]
     rbac.authorization.halo.run/ui-permissions: |

application/src/main/resources/extensions/system-default-role.yaml

@@ -6,7 +6,9 @@ metadata:
     rbac.authorization.halo.run/system-reserved: "true"
   annotations:
     rbac.authorization.halo.run/display-name: "访客"
-rules: [ ]
+    rbac.authorization.halo.run/disallow-access-console: "true"
+    rbac.authorization.halo.run/redirect-on-login: "/uc"
+rules: []
 
 ---
 apiVersion: v1alpha1

console/console-src/modules/system/roles/components/RoleEditingModal.vue

@@ -163,6 +163,26 @@ const handleResetForm = () => {
               type="text"
               :label="$t('core.role.editing_modal.fields.redirect_on_login')"
             ></FormKit>
+            <FormKit
+              v-model="
+                formState.metadata.annotations[
+                  rbacAnnotations.DISALLOW_ACCESS_CONSOLE
+                ]
+              "
+              on-value="true"
+              off-value="false"
+              type="checkbox"
+              :label="
+                $t(
+                  'core.role.editing_modal.fields.disallow_access_console.label'
+                )
+              "
+              :help="
+                $t(
+                  'core.role.editing_modal.fields.disallow_access_console.help'
+                )
+              "
+            ></FormKit>
           </FormKit>
         </div>
       </div>

console/console-src/router/guards/auth-check.ts

@@ -42,7 +42,7 @@ export function setupAuthCheckGuard(router: Router) {
           window.location.href =
             roleHasRedirectOnLogin.metadata.annotations?.[
               rbacAnnotations.REDIRECT_ON_LOGIN
-            ] || "/";
+            ] || "/uc";
           return;
         }
 
@@ -51,6 +51,30 @@ export function setupAuthCheckGuard(router: Router) {
         });
         return;
       }
+
+      if (to.name === "whiteList") {
+        next();
+        return;
+      }
+
+      // Check allow access console
+      const { currentRoles } = userStore;
+
+      const hasDisallowAccessConsoleRole = currentRoles?.some((role) => {
+        return (
+          role.metadata.annotations?.[
+            rbacAnnotations.DISALLOW_ACCESS_CONSOLE
+          ] === "true"
+        );
+      });
+
+      if (hasDisallowAccessConsoleRole) {
+        window.location.href = "/uc";
+        return;
+      }
+
+      next();
+      return;
     }
 
     next();

console/src/constants/annotations.ts

@@ -12,6 +12,7 @@ export enum rbacAnnotations {
   AVATAR_ATTACHMENT_NAME = "halo.run/avatar-attachment-name",
   LAST_AVATAR_ATTACHMENT_NAME = "halo.run/last-avatar-attachment-name",
   REDIRECT_ON_LOGIN = "rbac.authorization.halo.run/redirect-on-login",
+  DISALLOW_ACCESS_CONSOLE = "rbac.authorization.halo.run/disallow-access-console",
 }
 
 // content

console/src/locales/en.yaml

@@ -989,6 +989,9 @@ core:
       fields:
         display_name: Display name
         redirect_on_login: Default redirect location after logging in
+        disallow_access_console:
+          label: Disable access to Console
+          help: Once checked, this role will not be able to access the Console
   identity_authentication:
     title: Identity Authentication
     tabs:

console/src/locales/zh-CN.yaml

@@ -935,6 +935,9 @@ core:
       fields:
         display_name: 名称
         redirect_on_login: 登录之后默认跳转位置
+        disallow_access_console:
+          label: 禁止访问 Console
+          help: 勾选之后，该角色将无法访问 Console
   identity_authentication:
     title: 身份认证
     tabs:

console/src/locales/zh-TW.yaml

@@ -923,6 +923,9 @@ core:
       fields:
         display_name: 名稱
         redirect_on_login: 登入之後預設跳轉位置
+        disallow_access_console:
+          label: 禁止訪問 Console
+          help: 勾選之後，該角色將無法存取 Console
   identity_authentication:
     title: 身份認證
     tabs:

console/uc-src/layouts/BasicLayout.vue

@@ -11,7 +11,7 @@ import {
 import { RoutesMenu } from "@/components/menu/RoutesMenu";
 import IconLogo from "~icons/core/logo?width=5rem&height=2rem";
 import { RouterView, useRoute, useRouter } from "vue-router";
-import { onMounted, reactive, ref } from "vue";
+import { computed, onMounted, reactive, ref } from "vue";
 import axios from "axios";
 import LoginModal from "@/components/login/LoginModal.vue";
 import { coreMenuGroups } from "@console/router/constant";
@@ -95,6 +95,16 @@ onMounted(() => {
     initialize({ target: navbarScroller.value });
   }
 });
+
+const disallowAccessConsole = computed(() => {
+  const hasDisallowAccessConsoleRole = currentRoles?.value?.some((role) => {
+    return (
+      role.metadata.annotations?.[rbacAnnotations.DISALLOW_ACCESS_CONSOLE] ===
+      "true"
+    );
+  });
+  return !!hasDisallowAccessConsoleRole;
+});
 </script>
 
 <template>
@@ -145,6 +155,7 @@ onMounted(() => {
           </div>
           <div class="flex items-center gap-1">
             <a
+              v-if="!disallowAccessConsole"
               v-tooltip="$t('core.uc_sidebar.operations.console.tooltip')"
               class="group inline-block cursor-pointer rounded-full p-1.5 transition-all hover:bg-gray-100"
               href="/console"