From 413977361a74606c4f75d8e93167d71e8065bcd3 Mon Sep 17 00:00:00 2001
From: seaislee1209 <seaislee129@gmail.com>
Date: Sat, 28 Mar 2026 22:11:48 +0800
Subject: [PATCH] fix: restore preserves pre-disable Volcengine login state

- Save volc_login_allowed state before disable
- Restore to original state (not always open)
- e.g. login=off before disable -> still off after restore

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
---
 backend/apps/monitor/views.py | 21 ++++++++++++++++-----
 backend/utils/iam_service.py  |  6 +++---
 2 files changed, 19 insertions(+), 8 deletions(-)

diff --git a/backend/apps/monitor/views.py b/backend/apps/monitor/views.py
index 94a112a..54e337b 100644
--- a/backend/apps/monitor/views.py
+++ b/backend/apps/monitor/views.py
@@ -584,6 +584,8 @@ def iam_user_disable_view(request, pk):
             pass
 
         user.status = IAMUser.Status.DISABLED
+        # 在策略快照里记住停用前的火山登录状态
+        saved_policies.append({"_volc_login_was": user.volc_login_allowed})
         user.saved_policies_on_disable = saved_policies
         user.volc_login_allowed = False
         user.save(update_fields=['status', 'saved_policies_on_disable', 'volc_login_allowed'])
@@ -620,14 +622,23 @@ def iam_user_enable_view(request, pk):
 
     svc = IAMService(ak, sk)
     try:
-        # 1. 恢复控制台 + API 密钥
-        svc.enable_user(user.username)
+        # 从快照中提取停用前的火山登录状态
+        saved_policies = user.saved_policies_on_disable or []
+        restore_login = False
+        actual_policies = []
+        for p in saved_policies:
+            if "_volc_login_was" in p:
+                restore_login = p["_volc_login_was"]
+            else:
+                actual_policies.append(p)
+
+        # 1. 恢复 API 密钥 + 控制台（按停用前状态）
+        svc.enable_user(user.username, restore_login=restore_login)
 
         # 2. 重新附加停用时保存的策略
         restored_count = 0
         restore_errors = []
-        saved_policies = user.saved_policies_on_disable or []
-        for p in saved_policies:
+        for p in actual_policies:
             try:
                 svc.attach_user_policy(user.username, p["name"], p["type"])
                 restored_count += 1
@@ -636,7 +647,7 @@ def iam_user_enable_view(request, pk):
 
         user.status = IAMUser.Status.ACTIVE
         user.saved_policies_on_disable = []
-        user.volc_login_allowed = svc._has_login_profile(user.username)
+        user.volc_login_allowed = restore_login
         user.save(update_fields=['status', 'saved_policies_on_disable', 'volc_login_allowed'])
 
         error_info = f"，恢复失败: {restore_errors}" if restore_errors else ""
diff --git a/backend/utils/iam_service.py b/backend/utils/iam_service.py
index 4b4f03f..ae17a00 100644
--- a/backend/utils/iam_service.py
+++ b/backend/utils/iam_service.py
@@ -233,11 +233,11 @@ class IAMService:
         if errors:
             raise VolcengineAPIError("DisableUser", "PartialFailure", "; ".join(errors))
 
-    def enable_user(self, username: str):
-        """恢复用户：恢复控制台 + 恢复所有 AccessKey"""
+    def enable_user(self, username: str, restore_login: bool = True):
+        """恢复用户：恢复控制台（可选） + 恢复所有 AccessKey"""
         errors = []
 
-        if self._has_login_profile(username):
+        if restore_login and self._has_login_profile(username):
             try:
                 self.update_login_allowed(username, True)
             except VolcengineAPIError as e: