feat: add more role templates (#2488)

#### What type of PR is this?
/kind improvement
/area core
/milestone 2.0

#### What this PR does / why we need it:
补充角色模板
#### Which issue(s) this PR fixes:

Fixes #2342 https://github.com/halo-dev/halo/issues/2391

#### Special notes for your reviewer:
/cc @halo-dev/sig-halo 
#### Does this PR introduce a user-facing change?

```release-note
None
```
pull/2499/head
guqing 2022-09-30 17:38:23 +08:00 committed by GitHub
parent 7de944f61d
commit 3995adba32
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
16 changed files with 336 additions and 5 deletions


@ -143,8 +143,6 @@ public class Role extends AbstractExtension {
String[] verbs;
String pluginName;
public Builder apiGroups(String... apiGroups) {
this.apiGroups = apiGroups;
return this;


@ -59,7 +59,7 @@ public class AttachmentEndpoint implements CustomEndpoint {
@Override
public RouterFunction<ServerResponse> endpoint() {
var tag = "storage.halo.run/v1alpha1/Attachment";
var tag = "api.console.halo.run/v1alpha1/Attachment";
return SpringdocRouteBuilder.route()
.POST("/attachments/upload", contentType(MediaType.MULTIPART_FORM_DATA), this::upload,
builder -> builder


@ -110,7 +110,8 @@ public class PostReconciler implements Reconciler<Reconciler.Request> {
}
if (excerpt.getAutoGenerate()) {
contentService.getContent(spec.getReleaseSnapshot())
.subscribe(content -> {
.blockOptional()
.ifPresent(content -> {
String contentRevised = content.content();
status.setExcerpt(getExcerpt(contentRevised));
});
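Review bot: `blockOptional()` on the `contentService.getContent(...)` chain waits with no bound, so a stalled content lookup parks the reconciler thread indefinitely; the same unbounded wait is added in DefaultRoleService on `extensionClient.fetch(Role.class, roleName)`, where it sits inside role-dependency resolution. Passing a timeout, for example `.blockOptional(Duration.ofSeconds(10))` (value constructed for illustration), lets the caller fail and retry instead of hanging. If either method can be reached from a non-blocking Reactor thread the blocking call would be rejected at runtime, which is worth confirming for the role service in particular. Both enclosing methods start and end outside their hunks.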


@ -74,7 +74,8 @@ public class DefaultRoleService implements RoleService {
}
visited.add(roleName);
extensionClient.fetch(Role.class, roleName)
.subscribe(role -> {
.blockOptional()
.ifPresent(role -> {
result.add(role);
Map<String, String> annotations = role.getMetadata().getAnnotations();
if (annotations != null) {


@ -178,6 +178,12 @@ public class RequestInfoFactory {
requestInfo.resource = requestInfo.parts[0];
}
// has name and no subresource but verb=create, then this is a non-resource request
if (StringUtils.isNotBlank(requestInfo.name) && StringUtils.isBlank(requestInfo.subresource)
&& "create".equals(requestInfo.verb)) {
requestInfo.isResourceRequest = false;
}
// if there's no name on the request and we thought it was a get before, then the actual
// verb is a list or a watch
if (requestInfo.name.length() == 0 && "get".equals(requestInfo.verb)) {
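Review bot: The added rule reclassifies every `create` request that carries a name and no subresource as a non-resource request, for all API groups, and its comment does not say what that means for authorization. From that point a role's resource rules, including `verbs: [ "*" ]` grants, presumably stop applying to such POSTs and only `nonResourceURLs` entries can allow them; the comment should say so, e.g. `// POST <resource>/<name> is a custom action (e.g. themes/install): authorized only via nonResourceURLs, never via resource rules`. The new condition is null-safe through `StringUtils`, while the following `requestInfo.name.length() == 0` check is not, so the two should agree on whether `name` can be null. The method continues outside the hunk.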


@ -0,0 +1,40 @@
apiVersion: v1alpha1
kind: "Role"
metadata:
name: role-template-manage-attachments
labels:
halo.run/role-template: "true"
annotations:
rbac.authorization.halo.run/dependencies: "[ \"role-template-view-attachments\" ]"
rbac.authorization.halo.run/module: "Attachments Management"
rbac.authorization.halo.run/display-name: "Attachment Manage"
rbac.authorization.halo.run/ui-permissions: |
["system:attachments:manage"]
rules:
- apiGroups: [ "storage.halo.run" ]
resources: [ "attachments" ]
verbs: [ "*" ]
- apiGroups: [ "api.console.halo.run" ]
resources: [ "attachments" ]
verbs: [ "*" ]
- nonResourceURLs: [ "/apis/api.console.halo.run/attachments/upload" ]
verbs: [ "post" ]
---
apiVersion: v1alpha1
kind: "Role"
metadata:
name: role-template-view-attachments
labels:
halo.run/role-template: "true"
annotations:
rbac.authorization.halo.run/module: "Attachments Management"
rbac.authorization.halo.run/display-name: "Attachment View"
rbac.authorization.halo.run/ui-permissions: |
["system:attachments:view"]
rules:
- apiGroups: [ "storage.halo.run" ]
resources: [ "attachments" ]
verbs: [ "get", "list" ]
- apiGroups: [ "api.console.halo.run" ]
resources: [ "attachments" ]
verbs: [ "get", "list" ]
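Review bot: The `nonResourceURLs` entry `/apis/api.console.halo.run/attachments/upload` in role-template-manage-attachments has no version segment, while the endpoint in this commit is tagged `api.console.halo.run/v1alpha1/Attachment` and the new resolver test uses `/apis/api.halo.run/v1alpha1/themes/install`. If the upload route is served under a versioned path, this rule never matches and holders of the manage template are denied upload; the entry would then read `nonResourceURLs: [ "/apis/api.console.halo.run/v1alpha1/attachments/upload" ]`. The themes template has the same shape for `/apis/api.console.halo.run/themes/install`. How non-resource URLs are matched is not visible on this page, so this needs checking against the authorizer.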


@ -0,0 +1,25 @@
apiVersion: v1alpha1
kind: "Role"
metadata:
name: role-template-manage-categories
labels:
halo.run/role-template: "true"
halo.run/hidden: "true"
annotations:
rbac.authorization.halo.run/dependencies: "[ \"role-template-view-categories\" ]"
rules:
- apiGroups: [ "content.halo.run" ]
resources: [ "categories" ]
verbs: [ "*" ]
---
apiVersion: v1alpha1
kind: "Role"
metadata:
name: role-template-view-categories
labels:
halo.run/role-template: "true"
halo.run/hidden: "true"
rules:
- apiGroups: [ "content.halo.run" ]
resources: [ "categories" ]
verbs: [ "get", "list" ]


@ -0,0 +1,38 @@
apiVersion: v1alpha1
kind: "Role"
metadata:
name: role-template-manage-comments
labels:
halo.run/role-template: "true"
annotations:
rbac.authorization.halo.run/dependencies: "[ \"role-template-view-comments\" ]"
rbac.authorization.halo.run/module: "Comments Management"
rbac.authorization.halo.run/display-name: "Comment Manage"
rbac.authorization.halo.run/ui-permissions: |
["system:comments:manage"]
rules:
- apiGroups: [ "content.halo.run" ]
resources: [ "comments", "replies" ]
verbs: [ "*" ]
- apiGroups: [ "api.console.halo.run" ]
resources: [ "comments", "comments/reply", "replies" ]
verbs: [ "*" ]
---
apiVersion: v1alpha1
kind: "Role"
metadata:
name: role-template-view-comments
labels:
halo.run/role-template: "true"
annotations:
rbac.authorization.halo.run/module: "Comments Management"
rbac.authorization.halo.run/display-name: "Comment View"
rbac.authorization.halo.run/ui-permissions: |
["system:comments:view"]
rules:
- apiGroups: [ "content.halo.run" ]
resources: [ "comments", "replies" ]
verbs: [ "get", "list" ]
- apiGroups: [ "api.console.halo.run" ]
resources: [ "comments", "comments/reply", "replies" ]
verbs: [ "get", "list" ]


@ -0,0 +1,32 @@
apiVersion: v1alpha1
kind: "Role"
metadata:
name: role-template-manage-menus
labels:
halo.run/role-template: "true"
annotations:
rbac.authorization.halo.run/dependencies: "[ \"role-template-view-menus\" ]"
rbac.authorization.halo.run/module: "Menus Management"
rbac.authorization.halo.run/display-name: "Menu Manage"
rbac.authorization.halo.run/ui-permissions: |
["system:menus:manage"]
rules:
- apiGroups: [ "" ]
resources: [ "menus", "menuitems" ]
verbs: [ "*" ]
---
apiVersion: v1alpha1
kind: "Role"
metadata:
name: role-template-view-menus
labels:
halo.run/role-template: "true"
annotations:
rbac.authorization.halo.run/module: "Menus Management"
rbac.authorization.halo.run/display-name: "Menu Manage"
rbac.authorization.halo.run/ui-permissions: |
["system:menus:view"]
rules:
- apiGroups: [ "" ]
resources: [ "menus", "menuitems" ]
verbs: [ "get", "list" ]
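Review bot: `role-template-view-menus` carries `rbac.authorization.halo.run/display-name: "Menu Manage"`, the same label as the manage template above it, so a role editor that lists templates by display name would show two entries an administrator cannot tell apart. The read-only template should read `rbac.authorization.halo.run/display-name: "Menu View"`, matching the `... View` naming used by the other view templates in this commit. A mislabelled permission is an easy way to grant write access by accident, so it is worth fixing before release.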


@ -0,0 +1,41 @@
apiVersion: v1alpha1
kind: "Role"
metadata:
name: role-template-manage-posts
labels:
halo.run/role-template: "true"
annotations:
rbac.authorization.halo.run/dependencies: |
[ "role-template-view-posts", "role-template-manage-snaphosts", "role-template-manage-tags", "role-template-manage-categories" ]
rbac.authorization.halo.run/module: "Posts Management"
rbac.authorization.halo.run/display-name: "Post Manage"
rbac.authorization.halo.run/ui-permissions: |
["system:posts:manage"]
rules:
- apiGroups: [ "content.halo.run" ]
resources: [ "posts" ]
verbs: [ "*" ]
- apiGroups: [ "api.console.halo.run" ]
resources: [ "posts", "posts/publish", "contents", "contents/publish" ]
verbs: [ "create", "patch", "update", "delete", "deletecollection" ]
---
apiVersion: v1alpha1
kind: "Role"
metadata:
name: role-template-view-posts
labels:
halo.run/role-template: "true"
annotations:
rbac.authorization.halo.run/dependencies: |
[ "role-template-view-snaphosts", "role-template-view-tags", "role-template-view-categories" ]
rbac.authorization.halo.run/module: "Posts Management"
rbac.authorization.halo.run/display-name: "Post View"
rbac.authorization.halo.run/ui-permissions: |
["system:posts:view"]
rules:
- apiGroups: [ "content.halo.run" ]
resources: [ "posts" ]
verbs: [ "get", "list" ]
- apiGroups: [ "api.console.halo.run" ]
resources: [ "posts", "contents" ]
verbs: [ "get", "list" ]


@ -0,0 +1,39 @@
apiVersion: v1alpha1
kind: "Role"
metadata:
name: role-template-manage-singlepages
labels:
halo.run/role-template: "true"
annotations:
rbac.authorization.halo.run/dependencies: "[ \"role-template-view-singlepages\", \"role-template-manage-snaphosts\" ]"
rbac.authorization.halo.run/module: "SinglePages Management"
rbac.authorization.halo.run/display-name: "SinglePage Manage"
rbac.authorization.halo.run/ui-permissions: |
["system:singlepages:manage"]
rules:
- apiGroups: [ "content.halo.run" ]
resources: [ "singlepages" ]
verbs: [ "*" ]
- apiGroups: [ "api.console.halo.run" ]
resources: [ "singlepages", "singlepages/publish", "contents", "contents/publish" ]
verbs: [ "create", "patch", "update", "delete", "deletecollection" ]
---
apiVersion: v1alpha1
kind: "Role"
metadata:
name: role-template-view-singlepages
labels:
halo.run/role-template: "true"
annotations:
rbac.authorization.halo.run/dependencies: "[ \"role-template-view-snaphosts\" ]"
rbac.authorization.halo.run/module: "SinglePages Management"
rbac.authorization.halo.run/display-name: "SinglePage View"
rbac.authorization.halo.run/ui-permissions: |
["system:singlepages:view"]
rules:
- apiGroups: [ "content.halo.run" ]
resources: [ "singlepages" ]
verbs: [ "get", "list" ]
- apiGroups: [ "api.console.halo.run" ]
resources: [ "singlepages", "contents" ]
verbs: [ "get", "list" ]


@ -0,0 +1,25 @@
apiVersion: v1alpha1
kind: "Role"
metadata:
name: role-template-manage-snaphosts
labels:
halo.run/role-template: "true"
halo.run/hidden: "true"
annotations:
rbac.authorization.halo.run/dependencies: "[ \"role-template-view-snaphosts\" ]"
rules:
- apiGroups: [ "content.halo.run" ]
resources: [ "snaphosts" ]
verbs: [ "*" ]
---
apiVersion: v1alpha1
kind: "Role"
metadata:
name: role-template-view-snaphosts
labels:
halo.run/role-template: "true"
halo.run/hidden: "true"
rules:
- apiGroups: [ "content.halo.run" ]
resources: [ "snaphosts" ]
verbs: [ "get", "list" ]
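Review bot: Both rules name the resource `snaphosts`, which looks like a misspelling of `snapshots`; if the extension's plural is `snapshots`, neither template grants anything and the post and single-page templates that depend on them silently lack snapshot access. The line that affects authorization is `resources: [ "snaphosts" ]`, which would become `resources: [ "snapshots" ]` in both documents. The role names `role-template-manage-snaphosts` and `role-template-view-snaphosts` use the same spelling and are referenced from the posts and singlepages templates, so they resolve today; renaming them has to be done in all of those places at once.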


@ -0,0 +1,25 @@
apiVersion: v1alpha1
kind: "Role"
metadata:
name: role-template-manage-tags
labels:
halo.run/role-template: "true"
halo.run/hidden: "true"
annotations:
rbac.authorization.halo.run/dependencies: "[ \"role-template-view-tags\" ]"
rules:
- apiGroups: [ "content.halo.run" ]
resources: [ "tags" ]
verbs: [ "*" ]
---
apiVersion: v1alpha1
kind: "Role"
metadata:
name: role-template-view-tags
labels:
halo.run/role-template: "true"
halo.run/hidden: "true"
rules:
- apiGroups: [ "content.halo.run" ]
resources: [ "tags" ]
verbs: [ "get", "list" ]


@ -0,0 +1,40 @@
apiVersion: v1alpha1
kind: "Role"
metadata:
name: role-template-manage-themes
labels:
halo.run/role-template: "true"
annotations:
rbac.authorization.halo.run/dependencies: "[ \"role-template-view-themes\" ]"
rbac.authorization.halo.run/module: "Themes Management"
rbac.authorization.halo.run/display-name: "Theme Manage"
rbac.authorization.halo.run/ui-permissions: |
["system:themes:manage"]
rules:
- apiGroups: [ "theme.halo.run" ]
resources: [ "themes" ]
verbs: [ "*" ]
- apiGroups: [ "api.console.halo.run" ]
resources: [ "themes", "themes/reload-setting" ]
verbs: [ "*" ]
- nonResourceURLs: [ "/apis/api.console.halo.run/themes/install" ]
verbs: [ "post" ]
---
apiVersion: v1alpha1
kind: "Role"
metadata:
name: role-template-view-themes
labels:
halo.run/role-template: "true"
annotations:
rbac.authorization.halo.run/module: "Themes Management"
rbac.authorization.halo.run/display-name: "Theme View"
rbac.authorization.halo.run/ui-permissions: |
["system:themes:view"]
rules:
- apiGroups: [ "theme.halo.run" ]
resources: [ "themes" ]
verbs: [ "get", "list" ]
- apiGroups: [ "api.console.halo.run" ]
resources: [ "singlepages" ]
verbs: [ "get", "list" ]
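Review bot: The second rule of `role-template-view-themes` grants `get`/`list` on `singlepages` in `api.console.halo.run`, which looks copied from the single-page template. As written, a theme viewer gains read access to single pages through the console API and gets no console access to `themes`. The rule most likely should be `resources: [ "themes" ]`, mirroring the manage template's `api.console.halo.run` rule.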


@ -0,0 +1,5 @@
apiVersion: v1alpha1
kind: "Role"
metadata:
name: guest
rules: [ ]


@ -168,6 +168,21 @@ public class RequestInfoResolverTest {
String.format("%s: expected non-resource request", errorCase.desc));
}
}
List<ErrorCases> postCases =
List.of(new ErrorCases("api resource has name and no subresource but post",
"/api/version/themes/install"),
new ErrorCases("apis resource has name and no subresource but post",
"/apis/api.halo.run/v1alpha1/themes/install"));
for (ErrorCases errorCase : postCases) {
var request =
method(HttpMethod.POST, errorCase.url).build();
RequestInfo apiRequestInfo = RequestInfoFactory.INSTANCE.newRequestInfo(request);
if (apiRequestInfo.isResourceRequest()) {
throw new RuntimeException(
String.format("%s: expected non-resource request", errorCase.desc));
}
}
}
@Test
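Review bot: `postCases` only checks that a POST carrying a name resolves as a non-resource request; nothing pins the boundary of the new rule in RequestInfoFactory. Because that rule moves requests out of resource-based authorization, the test should also assert that `isResourceRequest()` stays true for a POST to a collection path and for a POST with a subresource (for instance `/apis/api.halo.run/v1alpha1/themes` and `/apis/api.halo.run/v1alpha1/themes/install/sub`, both constructed here for illustration). Both URLs under test use `api.halo.run`, while the role templates in this commit target `api.console.halo.run`, so a case with that group would tie the test to the rules it protects. The enclosing test method starts outside the hunk.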