From 3202e5da715fad146128ebcd55b62abe81b50406 Mon Sep 17 00:00:00 2001 From: LIlGG <1103069291@qq.com> Date: Mon, 6 May 2024 17:41:29 +0800 Subject: [PATCH] pref: optimize the user permissions of the uc --- console/src/uc/MomentItem.vue | 42 +++++++++++-------- .../run/halo/moments/service/RoleService.java | 9 +++- .../service/impl/DefaultRoleService.java | 4 +- .../run/halo/moments/uc/UcMomentEndpoint.java | 5 ++- .../run/halo/moments/util/AuthorityUtils.java | 5 +++ .../resources/extensions/roleTemplate.yaml | 26 ++++++++---- 6 files changed, 62 insertions(+), 29 deletions(-) diff --git a/console/src/uc/MomentItem.vue b/console/src/uc/MomentItem.vue index 825bfad..dab9d2c 100644 --- a/console/src/uc/MomentItem.vue +++ b/console/src/uc/MomentItem.vue @@ -122,24 +122,32 @@ const handleUpdate = (moment: Moment) => { {{ relativeTimeTo(previewMoment.spec.releaseTime) }} - -
- -
- -
+ +
+ +
+ +
+
diff --git a/src/main/java/run/halo/moments/service/RoleService.java b/src/main/java/run/halo/moments/service/RoleService.java index ff655e1..a7a4290 100644 --- a/src/main/java/run/halo/moments/service/RoleService.java +++ b/src/main/java/run/halo/moments/service/RoleService.java @@ -4,5 +4,12 @@ import reactor.core.publisher.Mono; public interface RoleService { - Mono contains(Collection source, Collection candidates); + /** + * verify whether the source role contains any role in the candidates. + * + * @param source the role to be verified + * @param candidates the roles to be verified + * @return

true if the source role contains any role in the candidates, otherwise false

+ */ + Mono joint(Collection source, Collection candidates); } diff --git a/src/main/java/run/halo/moments/service/impl/DefaultRoleService.java b/src/main/java/run/halo/moments/service/impl/DefaultRoleService.java index 75a2a06..38ebead 100644 --- a/src/main/java/run/halo/moments/service/impl/DefaultRoleService.java +++ b/src/main/java/run/halo/moments/service/impl/DefaultRoleService.java @@ -33,14 +33,14 @@ public class DefaultRoleService implements RoleService { private final ReactiveExtensionClient client; @Override - public Mono contains(Collection source, Collection candidates) { + public Mono joint(Collection source, Collection candidates) { if (source.contains(AuthorityUtils.SUPER_ROLE_NAME)) { return Mono.just(true); } return listDependencies(new HashSet<>(source)) .map(role -> role.getMetadata().getName()) .collect(Collectors.toSet()) - .map(roleNames -> roleNames.containsAll(candidates)); + .map(roleNames -> !Collections.disjoint(roleNames, candidates)); } private Flux listDependencies(Set names) { diff --git a/src/main/java/run/halo/moments/uc/UcMomentEndpoint.java b/src/main/java/run/halo/moments/uc/UcMomentEndpoint.java index 6613097..3415f09 100644 --- a/src/main/java/run/halo/moments/uc/UcMomentEndpoint.java +++ b/src/main/java/run/halo/moments/uc/UcMomentEndpoint.java @@ -169,8 +169,9 @@ private Mono createMyMoment(ServerRequest request) { post.getSpec().setApproved(false); post.getSpec().setOwner(user.getName()); var roles = AuthorityUtils.authoritiesToRoles(user.getAuthorities()); - return roleService.contains(roles, - Set.of(AuthorityUtils.MOMENT_MANAGEMENT_ROLE_NAME)) + return roleService.joint(roles, + Set.of(AuthorityUtils.MOMENT_PUBLISH_APPROVAL_ROLE_NAME, + AuthorityUtils.SUPER_ROLE_NAME)) .doOnNext(result -> { if (result) { // If it is a user with audit authority, there is no need to review. 
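Review bot: The new Javadoc on `joint` calls each argument "the role to be verified" although the signature takes collections of role names, and `joint` does not read as a predicate; `intersects` or `containsAny` would say what the `@return` line says. I would state the contract as implemented in this patch: `Checks whether any name in {@code candidates} is among {@code source} or the roles they transitively depend on; holders of the super role always pass.` — the dependency expansion and the super-role short-circuit live in `DefaultRoleService` below, and since `UcMomentEndpoint` relies on them for the review bypass they belong on the interface. Renaming the interface method also breaks any other `RoleService` implementation or caller outside this diff, which I cannot see from here. The generic type arguments appear stripped in this rendering, so I read the signature as `Mono<Boolean> joint(Collection<String> source, Collection<String> candidates)`.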
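Review bot: `!Collections.disjoint(roleNames, candidates)` needs `java.util.Collections`, and the diffstat shows only these four lines changing in `DefaultRoleService.java`, so the import must already be present; the import block is outside the hunk, so confirm it compiles. The any-match check is only correct if `listDependencies` (defined outside the hunk) also emits the `source` roles themselves: if it yields dependencies only, a user bound directly to `role-template-uc-moments-approved` never matches and `joint` answers false, silently sending every moment to review. A test with a candidate role that has no dependencies would pin this down. I would also give the early return a why-comment: `// super-role holders pass regardless of candidates, so callers need not list it`.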
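Review bot: Users holding `role-template-moments-manage` (the old `MOMENT_MANAGEMENT_ROLE_NAME` gate) no longer skip review unless that template also depends on `role-template-uc-moments-approved`; if moment managers are still meant to publish without review, add `AuthorityUtils.MOMENT_MANAGEMENT_ROLE_NAME` to the `Set.of(...)` candidates. `SUPER_ROLE_NAME` in the candidate set is redundant with the short-circuit in `DefaultRoleService.joint` shown in this patch, but harmless. Setting `approved` to `false` before the role check keeps the path fail-closed, which deserves a comment so nobody reorders it: `// fail closed: approved is only flipped when the caller holds an approval role`. `createMyMoment` continues outside the hunk.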
diff --git a/src/main/java/run/halo/moments/util/AuthorityUtils.java b/src/main/java/run/halo/moments/util/AuthorityUtils.java index 141bf0a..fe2d351 100644 --- a/src/main/java/run/halo/moments/util/AuthorityUtils.java +++ b/src/main/java/run/halo/moments/util/AuthorityUtils.java @@ -5,6 +5,7 @@ import java.util.stream.Collectors; import org.apache.commons.lang3.StringUtils; import org.springframework.security.core.GrantedAuthority; + /** * Utility methods for manipulating GrantedAuthority collection. * @@ -15,6 +16,9 @@ public enum AuthorityUtils { public static final String ROLE_PREFIX = "ROLE_"; public static final String SUPER_ROLE_NAME = "super-role"; + public static final String MOMENT_PUBLISH_APPROVAL_ROLE_NAME = + "role-template-uc-moments-approved"; + public static final String MOMENT_MANAGEMENT_ROLE_NAME = "role-template-moments-manage"; /** @@ -31,6 +35,7 @@ public static Set authoritiesToRoles( .map(authority -> StringUtils.removeStart(authority, ROLE_PREFIX)) .collect(Collectors.toSet()); } + public static boolean containsSuperRole(Collection roles) { return roles.contains(SUPER_ROLE_NAME); } diff --git a/src/main/resources/extensions/roleTemplate.yaml b/src/main/resources/extensions/roleTemplate.yaml index cb99b48..056a081 100644 --- a/src/main/resources/extensions/roleTemplate.yaml +++ b/src/main/resources/extensions/roleTemplate.yaml @@ -5,7 +5,7 @@ metadata: labels: halo.run/role-template: "true" annotations: - rbac.authorization.halo.run/module: "Moments Management" + rbac.authorization.halo.run/module: "Moments" rbac.authorization.halo.run/display-name: "瞬间查看" rbac.authorization.halo.run/ui-permissions: | ["plugin:moments:view"] @@ -24,7 +24,7 @@ metadata: labels: halo.run/role-template: "true" annotations: - rbac.authorization.halo.run/module: "Moments Management" + rbac.authorization.halo.run/module: "Moments" rbac.authorization.halo.run/display-name: "瞬间管理" rbac.authorization.halo.run/ui-permissions: | ["plugin:moments:manage"] 
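Review bot: `MOMENT_PUBLISH_APPROVAL_ROLE_NAME` is the single value that decides whether a user's moment bypasses review in `UcMomentEndpoint`, yet it carries no comment and must be kept in sync with the template name in `roleTemplate.yaml` by hand. I would document that coupling on the constant: `/** Role template whose holders publish moments without review; must equal metadata.name in extensions/roleTemplate.yaml. */`. `MOMENT_MANAGEMENT_ROLE_NAME` is no longer referenced by the endpoint in this patch; if nothing else uses it, deprecate or remove it rather than leave a stale gate name next to the live one.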
@@ -45,7 +45,7 @@ metadata: labels: halo.run/role-template: "true" annotations: - rbac.authorization.halo.run/module: "Moments Management" + rbac.authorization.halo.run/module: "Moments" rbac.authorization.halo.run/display-name: "允许发布自己的瞬间" rbac.authorization.halo.run/ui-permissions: | ["uc:plugin:moments:publish"] @@ -57,16 +57,28 @@ rules: apiVersion: v1alpha1 kind: Role metadata: - name: role-template-uc-moments-manage + name: role-template-uc-moments-approved labels: halo.run/role-template: "true" annotations: - rbac.authorization.halo.run/module: "Moments Management" - rbac.authorization.halo.run/display-name: "允许管理自己的瞬间" + rbac.authorization.halo.run/module: "Moments" + rbac.authorization.halo.run/display-name: "发布瞬间无需审核" rbac.authorization.halo.run/dependencies: | ["role-template-uc-moments-publish"] +rules: + - nonResourceURLs: ["*"] +--- +apiVersion: v1alpha1 +kind: Role +metadata: + name: role-template-uc-moments-delete + labels: + halo.run/role-template: "true" + annotations: + rbac.authorization.halo.run/module: "Moments" + rbac.authorization.halo.run/display-name: "允许删除自己的瞬间" rbac.authorization.halo.run/ui-permissions: | - ["uc:plugin:moments:manage"] + ["uc:plugin:moments:delete"] rules: - apiGroups: ["uc.api.moment.halo.run"] resources: ["moments", "tags"]
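Review bot: The new `role-template-uc-moments-approved` template exists only to be detected by `AuthorityUtils.MOMENT_PUBLISH_APPROVAL_ROLE_NAME`, yet its rules are `- nonResourceURLs: ["*"]` with no `verbs`. If Halo's rule matcher treats a rule without `verbs` as matching nothing this is a harmless placeholder, but if a missing `verbs` is treated as a wildcard it hands every non-resource URL to anyone given "publish without review" — confirm which applies, and prefer `rules: []` (or whatever empty form the validator accepts) so the marker role carries no API access. Renaming `role-template-uc-moments-manage` also means any existing role that depended on or aggregated the old name silently loses the `uc.api.moment.halo.run` rule, and users previously granted it must be re-bound to `role-template-uc-moments-delete`, which needs a migration note. The `verbs` line of the `delete` template's rule is outside this hunk, so I could not check that it is limited to the deletion its display name promises.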