fix: add Scope=Project to project-level policy attach/detach

Without Scope parameter, AttachUserPolicy defaults to Global scope
even when ProjectName is provided. Adding Scope=Project ensures
policies are correctly limited to the specified project.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
seaislee1209 2026-03-28 22:39:24 +08:00
parent 23ec78e83d
commit d0d48ceb19

@ -92,12 +92,13 @@ class IAMService:
def attach_policy_in_project(self, username: str, policy_name: str,
project_name: str, policy_type: str = "System") -> dict:
"""在项目范围内授权"""
"""在项目范围内授权(限定到指定项目)"""
return self.client.call("AttachUserPolicy", {
"UserName": username,
"PolicyName": policy_name,
"PolicyType": policy_type,
"ProjectName": project_name,
"Scope": "Project",
})
def detach_policy_in_project(self, username: str, policy_name: str,
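Review bot: In attach_policy_in_project, project_name is passed into the request unchecked next to the new "Scope": "Project" key; reject an empty or None project_name before calling AttachUserPolicy so the method cannot send a project-scoped request with no project. The commit message says earlier calls through this method defaulted to Global scope, so attachments made before this fix should be audited and re-attached at project scope. A unit test asserting that the payload contains "Scope": "Project" would keep the key from being dropped again.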
@ -108,6 +109,7 @@ class IAMService:
"PolicyName": policy_name,
"PolicyType": policy_type,
"ProjectName": project_name,
"Scope": "Project",
})
# === Deny Policy (project isolation) ===
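Review bot: With "Scope": "Project" now in the detach payload, attachments created before this fix (which the commit message says landed at Global scope) may no longer match this call and could be left in place; confirm how the detach behaves for those and add a cleanup path if they are not removed. The "Scope": "Project" literal is also now repeated in both the attach and detach payloads; building the shared project-scoped parameters in one helper or constant would keep the two calls from drifting apart.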