Mininglamp-OSS · an9xyz · Jun 16, 2026 · Jun 15, 2026 · Jun 15, 2026 · Jun 16, 2026
@@ -1,6 +1,12 @@
 import { BrowserRouter, Routes, Route, Navigate, useParams } from 'react-router-dom'
+import { useTranslation } from 'react-i18next'
 import { useAuthStore } from './store/auth'
 import { useFeatureStore } from './store/feature'
+import {
+  firstManagerPath,
+  hasManagerCapability,
+  type ManagerCapabilityKey,
+} from './auth/capabilities'
 import MainLayout from './layouts/MainLayout'
 import AdminThemeProvider from './layouts/AdminThemeProvider'
 import Login from './pages/Login'
@@ -24,6 +30,35 @@ function SuperOnlyRoute({ children }: { children: React.ReactNode }) {
   return <>{children}</>
 }
 
+function CapabilityRoute({
+  capability,
+  children,
+}: {
+  capability: ManagerCapabilityKey
+  children: React.ReactNode
+}) {
+  const { managerCapabilities, managerProfileStatus } = useAuthStore()
+  if (
+    managerProfileStatus === 'idle' ||
+    managerProfileStatus === 'loading' ||
+    managerCapabilities === null
+  ) return null
+  if (!hasManagerCapability(managerCapabilities, capability)) {
+    return <Navigate to={firstManagerPath(managerCapabilities)} replace />
+  }
+  return <>{children}</>
+}
+
+function ManagerIndexRoute() {
+  const { managerCapabilities, managerProfileStatus } = useAuthStore()
+  if (
+    managerProfileStatus === 'idle' ||
+    managerProfileStatus === 'loading' ||
+    managerCapabilities === null
+  ) return null
+  return <Navigate to={firstManagerPath(managerCapabilities)} replace />
+}
+
 function SpaceOnlyRoute({ children }: { children: React.ReactNode }) {
   const { isLoggedIn, scope } = useAuthStore()
   if (!isLoggedIn || scope !== 'space') return <Navigate to="/space" replace />
@@ -44,6 +79,25 @@ function SpaceAppBotsGate({ children }: { children: React.ReactNode }) {
   return <AppBotsGate fallback={`/space/${spaceId}/members`}>{children}</AppBotsGate>
 }
 
+function ManagerAppBotsGate({ children }: { children: React.ReactNode }) {
+  const managerCapabilities = useAuthStore((s) => s.managerCapabilities)
+  return <AppBotsGate fallback={firstManagerPath(managerCapabilities)}>{children}</AppBotsGate>
+}
+
+function NoAccess() {
+  const { t } = useTranslation('layout')
+  return (
+    <div style={{ minHeight: 320, display: 'grid', placeItems: 'center', textAlign: 'center' }}>
+      <div>
+        <h1 className="page-title">{t('noAccess.title')}</h1>
+        <p className="page-subtitle" style={{ marginBottom: 0 }}>
+          {t('noAccess.subtitle')}
+        </p>
+      </div>
+    </div>
+  )
+}
+
 /**
  * 同一份 bundle 被挂到 /admin 和 /changelog 两个路径下(Docker 中 dist 双拷贝)。
  * 通过 pathname 前缀选择 basename 与路由树:
@@ -107,22 +161,72 @@ function AdminRoutes() {
           </SuperOnlyRoute>
         }
       >
-        <Route index element={<Navigate to="/dashboard" replace />} />
-        <Route path="dashboard" element={<Dashboard />} />
-        <Route path="users" element={<Users />} />
-        <Route path="groups" element={<Groups />} />
-        <Route path="spaces" element={<Spaces />} />
-        <Route path="system-setting" element={<SystemSetting />} />
-        <Route path="backup" element={<Backup />} />
-        <Route path="download" element={<Download />} />
+        <Route index element={<ManagerIndexRoute />} />
+        <Route
+          path="dashboard"
+          element={
+            <CapabilityRoute capability="dashboard.read">
+              <Dashboard />
+            </CapabilityRoute>
+          }
+        />
+        <Route
+          path="users"
+          element={
+            <CapabilityRoute capability="users.read">
+              <Users />
+            </CapabilityRoute>
+          }
+        />
+        <Route
+          path="groups"
+          element={
+            <CapabilityRoute capability="groups.read">
+              <Groups />
+            </CapabilityRoute>
+          }
+        />
+        <Route
+          path="spaces"
+          element={
+            <CapabilityRoute capability="space.read">
+              <Spaces />
+            </CapabilityRoute>
+          }
+        />
+        <Route
+          path="system-setting"
+          element={
+            <CapabilityRoute capability="system_setting">
+              <SystemSetting />
+            </CapabilityRoute>
+          }
+        />
+        <Route
+          path="backup"
+          element={
+            <CapabilityRoute capability="backup">
+              <Backup />
+            </CapabilityRoute>
+          }
+        />
+        <Route
+          path="download"
+          element={
+            <CapabilityRoute capability="appversion.read">
+              <Download />
+            </CapabilityRoute>
+          }
+        />
         <Route
           path="app-bots"
           element={
-            <AppBotsGate fallback="/dashboard">
+            <ManagerAppBotsGate>
               <AppBots />
-            </AppBotsGate>
+            </ManagerAppBotsGate>
           }
         />
+        <Route path="no-access" element={<NoAccess />} />
       </Route>
     </Routes>
   )

@@ -1,4 +1,5 @@
 import api from './index'
+import { normalizeManagerCapabilities, type ManagerMe } from '../auth/capabilities'
 
 interface LoginParams {
   username: string
@@ -13,3 +14,9 @@ interface LoginResponse {
 
 export const login = (params: LoginParams) =>
   api.post<LoginResponse>('/v1/manager/login', params).then((res) => res.data)
+
+export const getManagerMe = () =>
+  api.get<ManagerMe>('/v1/manager/me').then((res) => ({
+    ...res.data,
+    capabilities: normalizeManagerCapabilities(res.data.capabilities),
+  }))
@@ -0,0 +1,49 @@
+import { describe, expect, it } from 'vitest'
+import {
+  firstManagerPath,
+  hasManagerCapability,
+  MANAGER_NO_ACCESS_PATH,
+  normalizeManagerCapabilities,
+} from './capabilities'
+
+describe('manager capabilities', () => {
+  it('normalizes missing capability keys to false', () => {
+    const capabilities = normalizeManagerCapabilities({
+      'dashboard.read': true,
+      system_setting: false,
+    })
+
+    expect(capabilities['dashboard.read']).toBe(true)
+    expect(capabilities.system_setting).toBe(false)
+    expect(capabilities.backup).toBe(false)
+  })
+
+  it('checks capabilities strictly', () => {
+    const capabilities = normalizeManagerCapabilities({
+      'dashboard.read': 1,
+      system_setting: true,
+    })
+
+    expect(hasManagerCapability(capabilities, 'dashboard.read')).toBe(false)
+    expect(hasManagerCapability(capabilities, 'system_setting')).toBe(true)
+  })
+
+  it('selects the first readable manager path', () => {
+    const capabilities = normalizeManagerCapabilities({
+      'space.read': true,
+      'appversion.read': true,
+    })
+
+    expect(firstManagerPath(capabilities)).toBe('/spaces')
+  })
+
+  it('falls back to no-access when no readable manager path exists', () => {
+    const capabilities = normalizeManagerCapabilities({
+      'users.write': true,
+      'space.destructive': true,
+    })
+
+    expect(firstManagerPath(capabilities)).toBe(MANAGER_NO_ACCESS_PATH)
+    expect(firstManagerPath(null)).toBe(MANAGER_NO_ACCESS_PATH)
+  })
+})
@@ -0,0 +1,57 @@
+export const MANAGER_CAPABILITY_KEYS = [
+  'system_setting',
+  'backup',
+  'appversion.read',
+  'appversion.write',
+  'dashboard.read',
+  'dashboard.trigger',
+  'users.read',
+  'users.write',
+  // Reserved for administrator-account management UI when that surface is added.
+  'users.manage_admin',
+  'groups.read',
+  'groups.write',
+  'space.read',
+  'space.write',
+  'space.destructive',
+] as const
+
+export const MANAGER_NO_ACCESS_PATH = '/no-access'
+
+export type ManagerCapabilityKey = (typeof MANAGER_CAPABILITY_KEYS)[number]
+
+export type ManagerCapabilities = Record<ManagerCapabilityKey, boolean>
+
+export interface ManagerMe {
+  uid: string
+  name: string
+  role: string
+  capabilities: ManagerCapabilities
+}
+
+export function normalizeManagerCapabilities(
+  capabilities?: Partial<Record<ManagerCapabilityKey, unknown>> | null,
+): ManagerCapabilities {
+  return MANAGER_CAPABILITY_KEYS.reduce((acc, key) => {
+    acc[key] = capabilities?.[key] === true
+    return acc
+  }, {} as ManagerCapabilities)
+}
+
+export function hasManagerCapability(
+  capabilities: ManagerCapabilities | null | undefined,
+  key: ManagerCapabilityKey,
+): boolean {
+  return capabilities?.[key] === true
+}
+
+export function firstManagerPath(capabilities: ManagerCapabilities | null | undefined): string {
+  if (hasManagerCapability(capabilities, 'dashboard.read')) return '/dashboard'
+  if (hasManagerCapability(capabilities, 'users.read')) return '/users'
+  if (hasManagerCapability(capabilities, 'groups.read')) return '/groups'
+  if (hasManagerCapability(capabilities, 'space.read')) return '/spaces'
+  if (hasManagerCapability(capabilities, 'system_setting')) return '/system-setting'
+  if (hasManagerCapability(capabilities, 'backup')) return '/backup'
+  if (hasManagerCapability(capabilities, 'appversion.read')) return '/download'
+  return MANAGER_NO_ACCESS_PATH
+}
@@ -1,5 +1,6 @@
 import { useMemo } from 'react'
 import { useAuthStore } from '../store/auth'
+import { hasManagerCapability, type ManagerCapabilities } from '../auth/capabilities'
 import * as manager from '../api/space'
 import * as user from '../api/space-user'
 
@@ -78,6 +79,8 @@ export interface SpaceScope {
   canManageInvites: boolean
   canRemoveMembers: boolean
   canAddMembers: boolean
+  canChangeMemberRoles: boolean
+  canUpdateSpaceProfile: boolean
   canReviewApplies: boolean
   supportsMemberSearch: boolean
   supportsMemberPagination: boolean
@@ -107,14 +110,18 @@ export interface SpaceScope {
   }
 }
 
-function buildSuperScope(): SpaceScope {
+function buildSuperScope(capabilities: ManagerCapabilities | null): SpaceScope {
+  const canWrite = hasManagerCapability(capabilities, 'space.write')
+  const canDestructive = hasManagerCapability(capabilities, 'space.destructive')
   return {
     kind: 'super',
     role: 'super',
-    canManageInvites: true,
-    canRemoveMembers: true,
-    canAddMembers: true,
-    canReviewApplies: true,
+    canManageInvites: canWrite,
+    canRemoveMembers: canDestructive,
+    canAddMembers: canWrite,
+    canChangeMemberRoles: canDestructive,
+    canUpdateSpaceProfile: canWrite,
+    canReviewApplies: canWrite,
     supportsMemberSearch: true,
     supportsMemberPagination: true,
     supportsApplyFilter: true,
@@ -165,6 +172,8 @@ function buildUserScope(role: SpaceMemberRole): SpaceScope {
     canManageInvites: isManager,
     canRemoveMembers: isManager,
     canAddMembers: false,
+    canChangeMemberRoles: role === 2,
+    canUpdateSpaceProfile: isManager,
     canReviewApplies: isManager,
     supportsMemberSearch: false,
     supportsMemberPagination: true,
@@ -238,8 +247,9 @@ function buildUserScope(role: SpaceMemberRole): SpaceScope {
 
 export function useSpaceScope(role?: SpaceMemberRole): SpaceScope {
   const scope = useAuthStore((s) => s.scope)
+  const capabilities = useAuthStore((s) => s.managerCapabilities)
   return useMemo(() => {
-    if (scope === 'super') return buildSuperScope()
+    if (scope === 'super') return buildSuperScope(capabilities)
     return buildUserScope(role ?? 0)
-  }, [scope, role])
+  }, [capabilities, scope, role])
 }
@@ -7,5 +7,9 @@
   "theme.tooltip": "Theme: {{name}}",
   "theme.light": "Light",
   "theme.dark": "Dark",
-  "theme.auto": "Auto"
+  "theme.auto": "Auto",
+  "managerProfile.loadFailed": "Failed to load manager permissions",
+  "managerProfile.retry": "Retry",
+  "noAccess.title": "No Available Access",
+  "noAccess.subtitle": "This manager account does not have access to any admin console sections."
 }
@@ -7,5 +7,9 @@
   "theme.tooltip": "主题：{{name}}",
   "theme.light": "浅色",
   "theme.dark": "深色",
-  "theme.auto": "跟随系统"
+  "theme.auto": "跟随系统",
+  "managerProfile.loadFailed": "管理员权限加载失败",
+  "managerProfile.retry": "重试",
+  "noAccess.title": "暂无可访问功能",
+  "noAccess.subtitle": "当前管理员账号没有可进入的管理台能力。"
 }