From d0d48ceb19f9c2bb5739141ea7d78786559a9f38 Mon Sep 17 00:00:00 2001
From: seaislee1209
Date: Sat, 28 Mar 2026 22:39:24 +0800
Subject: [PATCH] fix: add Scope=Project to project-level policy attach/detach
Without Scope parameter, AttachUserPolicy defaults to Global scope even when ProjectName is provided. Adding Scope=Project ensures policies are correctly limited to the specified project.
Co-Authored-By: Claude Opus 4.6 (1M context)
---
 backend/utils/iam_service.py | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/backend/utils/iam_service.py b/backend/utils/iam_service.py
index ae17a00..a2be71c 100644
--- a/backend/utils/iam_service.py
+++ b/backend/utils/iam_service.py
@@ -92,12 +92,13 @@ class IAMService:
 def attach_policy_in_project(self, username: str, policy_name: str, project_name: str, policy_type: str = "System") -> dict:
- """在项目范围内授权"""
+ """在项目范围内授权(限定到指定项目)"""
 return self.client.call("AttachUserPolicy", {
 "UserName": username,
 "PolicyName": policy_name,
 "PolicyType": policy_type,
 "ProjectName": project_name,
+ "Scope": "Project",
 })
 def detach_policy_in_project(self, username: str, policy_name: str,
@@ -108,6 +109,7 @@ class IAMService:
 "PolicyName": policy_name,
 "PolicyType": policy_type,
 "ProjectName": project_name,
+ "Scope": "Project",
 })
 # === Deny Policy (project isolation) ===
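Review bot: Attachments made before this change are Global in scope by the commit message's own account, and nothing here repairs them. In the second hunk `detach_policy_in_project` now sends `"Scope": "Project"`, so it may no longer match those older Global attachments and could leave broader-than-intended grants in place; this depends on how the API matches scope, which the diff does not show. A one-time audit of existing user policy attachments, re-attaching the intended ones with project scope and removing the Global ones, would close that gap. Both the attach call in the first hunk and the detach call would also benefit from a why-comment beside the new key, such as `# Scope must be explicit: the API defaults to Global even when ProjectName is given`, so the parameter is not later dropped as redundant. The body of `detach_policy_in_project` starts outside the second hunk.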