From 6f4d7e6b5b24f42306719477f79fa689c990a6cb Mon Sep 17 00:00:00 2001
From: seaislee1209
Date: Sat, 28 Mar 2026 23:29:54 +0800
Subject: [PATCH] fix: refresh ALL users' Deny policies on project changes

When a project is added/removed for any user, all users' Deny policies must be updated - new projects need to be added to other users' deny lists to prevent unauthorized cross-project access.

Co-Authored-By: Claude Opus 4.6 (1M context)
---
 backend/apps/monitor/views.py | 12 ++++++------
 1 file changed, 6 insertions(+), 6 deletions(-)

diff --git a/backend/apps/monitor/views.py b/backend/apps/monitor/views.py
index 56d6134..be08cb0 100644
--- a/backend/apps/monitor/views.py
+++ b/backend/apps/monitor/views.py
@@ -347,8 +347,8 @@ def iam_user_create_view(request):
         monitor_enabled=True,
     )
 
-    # 7. Create Deny policy (project isolation)
-    _update_deny_policy(obj)
+    # 7. Create Deny policy (project isolation) + refresh all users
+    _refresh_all_deny_policies()
 
     AlertRecord.objects.create(
         iam_user=obj,
@@ -948,8 +948,8 @@ def iam_user_project_add_view(request, pk):
     obj.attached_policies = attached
     obj.save(update_fields=['attached_policies'])
 
-    # 更新 Deny 策略(将新项目加入白名单)
-    _update_deny_policy(user)
+    # 更新所有子账号的 Deny 策略(新项目需要加入其他人的拒绝列表)
+    _refresh_all_deny_policies()
 
     AlertRecord.objects.create(
         iam_user=user,
@@ -1094,8 +1094,8 @@ def iam_user_project_delete_view(request, pk, pid):
 
     project.delete()
 
-    # 更新 Deny 策略(将移除的项目从白名单中删除)
-    _update_deny_policy(user)
+    # 更新所有子账号的 Deny 策略
+    _refresh_all_deny_policies()
 
     result = {'message': f'已移除项目 {name},已回收权限: {detached}'}
     if detach_errors:
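Review bot: In `iam_user_project_add_view` the new `_refresh_all_deny_policies()` call runs only after `obj.save(update_fields=['attached_policies'])` has already persisted the new allow policies, so if the refresh fails partway the project is granted while other sub-accounts' deny lists still lack it — the same cross-project gap this commit is closing; the same ordering holds after `project.delete()` in `iam_user_project_delete_view`, and the create view in the first hunk has the same dependency. `_refresh_all_deny_policies()` is defined outside this patch, so it is not visible here whether a per-user IAM error is raised or swallowed; please confirm it fails loudly, and have each of these three views record a refresh failure in `AlertRecord` (or re-raise) instead of returning success with stale deny policies. Replacing a single-user update with a fan-out over every sub-account also turns one IAM write into N per project change, so rate limiting and partial completion become the realistic failure mode and deserve an explicit log line inside the helper, e.g. `logger.warning('deny refresh incomplete: %d/%d users', done, total)` (constructed example; adapt to the helper's local names). A brief comment at the first call site stating why the whole set must be refreshed (`# every other user's deny list must gain the new project, not just the owner's`) would also spare the next reader a trip to the commit log. All three enclosing view functions start and end outside their hunks.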