fix: refresh ALL users' Deny policies on project changes

When a project is added/removed for any user, all users' Deny policies must be updated - new projects need to be added to other users' deny lists to prevent unauthorized cross-project access. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-03-28 23:29:54 +08:00 · 2026-03-28 23:29:54 +08:00 · 6f4d7e6b5b
commit 6f4d7e6b5b
parent d7b40beff7
1 changed files with 6 additions and 6 deletions
--- a/backend/apps/monitor/views.py
+++ b/backend/apps/monitor/views.py
@ -347,8 +347,8 @@ def iam_user_create_view(request):
            monitor_enabled=True,
        )
-    # 7. Create Deny policy (project isolation)
+    # 7. Create Deny policy (project isolation) + refresh all users
-    _update_deny_policy(obj)
+    _refresh_all_deny_policies()
    AlertRecord.objects.create(
        iam_user=obj,
@ -948,8 +948,8 @@ def iam_user_project_add_view(request, pk):
        obj.attached_policies = attached
        obj.save(update_fields=['attached_policies'])
-    # 更新 Deny 策略（将新项目加入白名单）
+    # 更新所有子账号的 Deny 策略（新项目需要加入其他人的拒绝列表）
-    _update_deny_policy(user)
+    _refresh_all_deny_policies()
    AlertRecord.objects.create(
        iam_user=user,
@ -1094,8 +1094,8 @@ def iam_user_project_delete_view(request, pk, pid):
    project.delete()
-    # 更新 Deny 策略（将移除的项目从白名单中删除）
+    # 更新所有子账号的 Deny 策略
-    _update_deny_policy(user)
+    _refresh_all_deny_policies()
    result = {'message': f'已移除项目 {name}，已回收权限: {detached}'}
    if detach_errors: