feat: add disallow access console option for custom role

application/src/main/resources/extensions/role-template-uc-content.yaml

@@ -17,6 +17,8 @@ metadata:
   annotations:
     rbac.authorization.halo.run/module: "Posts Management"
     rbac.authorization.halo.run/display-name: "Post Author"
+    rbac.authorization.halo.run/disallow-access-console: "true"
+    rbac.authorization.halo.run/redirect-on-login: "/uc"
     rbac.authorization.halo.run/dependencies: |
       [ "post-contributor", "post-publisher" ]
 rules: [ ]
@@ -29,6 +31,8 @@ metadata:
   annotations:
     rbac.authorization.halo.run/module: "Posts Management"
     rbac.authorization.halo.run/display-name: "Post Contributor"
+    rbac.authorization.halo.run/disallow-access-console: "true"
+    rbac.authorization.halo.run/redirect-on-login: "/uc"
     rbac.authorization.halo.run/dependencies: |
       [ "role-template-view-categories", "role-template-view-tags" ]
     rbac.authorization.halo.run/ui-permissions: |

application/src/main/resources/extensions/system-default-role.yaml

@@ -6,7 +6,9 @@ metadata:
     rbac.authorization.halo.run/system-reserved: "true"
   annotations:
     rbac.authorization.halo.run/display-name: "访客"
-rules: [ ]
+    rbac.authorization.halo.run/disallow-access-console: "true"
+    rbac.authorization.halo.run/redirect-on-login: "/uc"
+rules: []
 
 ---
 apiVersion: v1alpha1

console/console-src/modules/system/roles/components/RoleEditingModal.vue

@@ -163,6 +163,26 @@ const handleResetForm = () => {
               type="text"
               :label="$t('core.role.editing_modal.fields.redirect_on_login')"
             ></FormKit>
+            <FormKit
+              v-model="
+                formState.metadata.annotations[
+                  rbacAnnotations.DISALLOW_ACCESS_CONSOLE
+                ]
+              "
+              on-value="true"
+              off-value="false"
+              type="checkbox"
+              :label="
+                $t(
+                  'core.role.editing_modal.fields.disallow_access_console.label'
+                )
+              "
+              :help="
+                $t(
+                  'core.role.editing_modal.fields.disallow_access_console.help'
+                )
+              "
+            ></FormKit>
           </FormKit>
         </div>
       </div>

console/console-src/router/guards/auth-check.ts

@@ -42,7 +42,7 @@ export function setupAuthCheckGuard(router: Router) {
           window.location.href =
             roleHasRedirectOnLogin.metadata.annotations?.[
               rbacAnnotations.REDIRECT_ON_LOGIN
-            ] || "/";
+            ] || "/uc";
           return;
         }
 
@@ -51,6 +51,30 @@ export function setupAuthCheckGuard(router: Router) {
         });
         return;
       }
+
+      if (to.name === "whiteList") {
+        next();
+        return;
+      }
+
+      // Check allow access console
+      const { currentRoles } = userStore;
+
+      const hasDisallowAccessConsoleRole = currentRoles?.some((role) => {
+        return (
+          role.metadata.annotations?.[
+            rbacAnnotations.DISALLOW_ACCESS_CONSOLE
+          ] === "true"
+        );
+      });
+
+      if (hasDisallowAccessConsoleRole) {
+        window.location.href = "/uc";
+        return;
+      }
+
+      next();
+      return;
     }
 
     next();

console/src/constants/annotations.ts

@@ -12,6 +12,7 @@ export enum rbacAnnotations {
   AVATAR_ATTACHMENT_NAME = "halo.run/avatar-attachment-name",
   LAST_AVATAR_ATTACHMENT_NAME = "halo.run/last-avatar-attachment-name",
   REDIRECT_ON_LOGIN = "rbac.authorization.halo.run/redirect-on-login",
+  DISALLOW_ACCESS_CONSOLE = "rbac.authorization.halo.run/disallow-access-console",
 }
 
 // content

console/src/locales/en.yaml

@@ -989,6 +989,9 @@ core:
       fields:
         display_name: Display name
         redirect_on_login: Default redirect location after logging in
+        disallow_access_console:
+          label: Disable access to Console
+          help: Once checked, this role will not be able to access the Console
   identity_authentication:
     title: Identity Authentication
     tabs:

console/src/locales/zh-CN.yaml

@@ -935,6 +935,9 @@ core:
       fields:
         display_name: 名称
         redirect_on_login: 登录之后默认跳转位置
+        disallow_access_console:
+          label: 禁止访问 Console
+          help: 勾选之后，该角色将无法访问 Console
   identity_authentication:
     title: 身份认证
     tabs:

console/src/locales/zh-TW.yaml

@@ -923,6 +923,9 @@ core:
       fields:
         display_name: 名稱
         redirect_on_login: 登入之後預設跳轉位置
+        disallow_access_console:
+          label: 禁止訪問 Console
+          help: 勾選之後，該角色將無法存取 Console
   identity_authentication:
     title: 身份認證
     tabs:

console/uc-src/layouts/BasicLayout.vue

@@ -11,7 +11,7 @@ import {
 import { RoutesMenu } from "@/components/menu/RoutesMenu";
 import IconLogo from "~icons/core/logo?width=5rem&height=2rem";
 import { RouterView, useRoute, useRouter } from "vue-router";
-import { onMounted, reactive, ref } from "vue";
+import { computed, onMounted, reactive, ref } from "vue";
 import axios from "axios";
 import LoginModal from "@/components/login/LoginModal.vue";
 import { coreMenuGroups } from "@console/router/constant";
@@ -95,6 +95,16 @@ onMounted(() => {
     initialize({ target: navbarScroller.value });
   }
 });
+
+const disallowAccessConsole = computed(() => {
+  const hasDisallowAccessConsoleRole = currentRoles?.value?.some((role) => {
+    return (
+      role.metadata.annotations?.[rbacAnnotations.DISALLOW_ACCESS_CONSOLE] ===
+      "true"
+    );
+  });
+  return !!hasDisallowAccessConsoleRole;
+});
 </script>
 
 <template>
@@ -145,6 +155,7 @@ onMounted(() => {
           </div>
           <div class="flex items-center gap-1">
             <a
+              v-if="!disallowAccessConsole"
               v-tooltip="$t('core.uc_sidebar.operations.console.tooltip')"
               class="group inline-block cursor-pointer rounded-full p-1.5 transition-all hover:bg-gray-100"
               href="/console"