fix: refresh ALL users' Deny policies on project changes

When a project is added to or removed from any user, every user's Deny
policy must be updated: a new project has to be added to the other
users' deny lists to prevent unauthorized cross-project access.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
This commit is contained in:
seaislee1209 2026-03-28 23:29:54 +08:00
parent d7b40beff7
commit 6f4d7e6b5b


@ -347,8 +347,8 @@ def iam_user_create_view(request):
monitor_enabled=True,
)
# 7. Create Deny policy (project isolation)
_update_deny_policy(obj)
# 7. Create Deny policy (project isolation) + refresh all users
_refresh_all_deny_policies()
AlertRecord.objects.create(
iam_user=obj,
@ -948,8 +948,8 @@ def iam_user_project_add_view(request, pk):
obj.attached_policies = attached
obj.save(update_fields=['attached_policies'])
# 更新 Deny 策略(将新项目加入白名单
_update_deny_policy(user)
# 更新所有子账号的 Deny 策略(新项目需要加入其他人的拒绝列表
_refresh_all_deny_policies()
AlertRecord.objects.create(
iam_user=user,
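Review bot: `_refresh_all_deny_policies()` is called right after `obj.save(update_fields=['attached_policies'])` with no visible error handling, so if the refresh raises or only partially succeeds, the project row is already persisted while other users' Deny policies may still lack the new project — the exact cross-project gap this commit is closing — and nothing records which users were left stale; the same pattern appears in the hunks at `iam_user_create_view` and `iam_user_project_delete_view` (where it follows `project.delete()`). The helper's body is not in the diff, so whether it stops at the first failing user or continues and reports failures cannot be seen; I'd suggest having it return the users whose update failed and surfacing that list the way `detach_errors` already is, or folding it into the `AlertRecord` created on the next line. A short comment at the call site would also help the next maintainer, e.g. `# Must run after the project row is saved: the refresh presumably rebuilds every user's deny list from persisted projects - TODO confirm`. Note that each project change now fans out to one policy update per user, which is presumably an IAM API call each; worth confirming that is acceptable for the expected user count. The enclosing view functions start outside the hunk.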
@ -1094,8 +1094,8 @@ def iam_user_project_delete_view(request, pk, pid):
project.delete()
# 更新 Deny 策略(将移除的项目从白名单中删除)
_update_deny_policy(user)
# 更新所有子账号的 Deny 策略
_refresh_all_deny_policies()
result = {'message': f'已移除项目 {name},已回收权限: {detached}'}
if detach_errors: