From 970c333d4e13685f025c4dc27ae7df9807d6c309 Mon Sep 17 00:00:00 2001
From: Tomas Sedovic <tomas@sedovic.cz>
Date: Tue, 19 Jun 2012 14:54:27 +0200
Subject: [PATCH] Make the describe-resource API calls user-aware

Fixes #143

The stack retrieval DB calls were already fixed in previous commits but
there was still one query (resource_get_by_physical_resource_id) that
would return any resource, not just the ones owned the user.

Change-Id: Ie02ff1e8ba6ea8da2c3d0c7f0a87c32452824fc6
---
 heat/db/sqlalchemy/api.py | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/heat/db/sqlalchemy/api.py b/heat/db/sqlalchemy/api.py
index dc58028892..7ff6de48f2 100644
--- a/heat/db/sqlalchemy/api.py
+++ b/heat/db/sqlalchemy/api.py
@@ -102,6 +102,9 @@ def resource_get_by_physical_resource_id(context, physical_resource_id):
     result = (model_query(context, models.Resource)
               .filter_by(nova_instance=physical_resource_id)
               .first())
+    if (result is not None and context is not None and
+        result.stack.username != context.username):
+        return None
     return result
 
 
@@ -231,7 +234,7 @@ def event_get_all_by_user(context):
                           filter_by(username=context.username).all()
     results = []
     for stack in stacks:
-        results.extend(model_query(context, models.Event).\
+        results.extend(model_query(context, models.Event).
                                    filter_by(stack_id=stack.id).all())
 
     return results