fix: restore preserves pre-disable Volcengine login state

- Save volc_login_allowed state before disable - Restore to original state (not always open) - e.g. login=off before disable -> still off after restore Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-03-28 22:11:48 +08:00 · 2026-03-28 22:11:48 +08:00 · 413977361a
commit 413977361a
parent bae68ea6a1
2 changed files with 19 additions and 8 deletions
--- a/backend/apps/monitor/views.py
+++ b/backend/apps/monitor/views.py
@ -584,6 +584,8 @@ def iam_user_disable_view(request, pk):
            pass

        user.status = IAMUser.Status.DISABLED
+        # 在策略快照里记住停用前的火山登录状态
+        saved_policies.append({"_volc_login_was": user.volc_login_allowed})
        user.saved_policies_on_disable = saved_policies
        user.volc_login_allowed = False
        user.save(update_fields=['status', 'saved_policies_on_disable', 'volc_login_allowed'])
@ -620,14 +622,23 @@ def iam_user_enable_view(request, pk):

    svc = IAMService(ak, sk)
    try:
-        # 1. 恢复控制台 + API 密钥
-        svc.enable_user(user.username)
+        # 从快照中提取停用前的火山登录状态
+        saved_policies = user.saved_policies_on_disable or []
+        restore_login = False
+        actual_policies = []
+        for p in saved_policies:
+            if "_volc_login_was" in p:
+                restore_login = p["_volc_login_was"]
+            else:
+                actual_policies.append(p)
+
+        # 1. 恢复 API 密钥 + 控制台（按停用前状态）
+        svc.enable_user(user.username, restore_login=restore_login)

        # 2. 重新附加停用时保存的策略
        restored_count = 0
        restore_errors = []
-        saved_policies = user.saved_policies_on_disable or []
-        for p in saved_policies:
+        for p in actual_policies:
            try:
                svc.attach_user_policy(user.username, p["name"], p["type"])
                restored_count += 1
@ -636,7 +647,7 @@ def iam_user_enable_view(request, pk):

        user.status = IAMUser.Status.ACTIVE
        user.saved_policies_on_disable = []
-        user.volc_login_allowed = svc._has_login_profile(user.username)
+        user.volc_login_allowed = restore_login
        user.save(update_fields=['status', 'saved_policies_on_disable', 'volc_login_allowed'])

        error_info = f"，恢复失败: {restore_errors}" if restore_errors else ""
--- a/backend/utils/iam_service.py
+++ b/backend/utils/iam_service.py
@ -233,11 +233,11 @@ class IAMService:
        if errors:
            raise VolcengineAPIError("DisableUser", "PartialFailure", "; ".join(errors))

-    def enable_user(self, username: str):
-        """恢复用户：恢复控制台 + 恢复所有 AccessKey"""
+    def enable_user(self, username: str, restore_login: bool = True):
+        """恢复用户：恢复控制台（可选） + 恢复所有 AccessKey"""
        errors = []

-        if self._has_login_profile(username):
+        if restore_login and self._has_login_profile(username):
            try:
                self.update_login_allowed(username, True)
            except VolcengineAPIError as e: