From 5d8c8fb85ba448a6076a06ad6835bcc1c6ef9ce2 Mon Sep 17 00:00:00 2001
From: "wei.ying"
Date: Thu, 20 Apr 2017 16:07:37 +0800
Subject: [PATCH] Fix unauthorized exception in users panel

If a member role user login and use admin to get keystoneclient, but he is not a super user, then a notAuthorized exceptions will be raised, it seems to be unreasonable. The following actions will throw unauthorized exception. Go to Users panel, Click user name , Click Change Password, Submit Change Password form.

Change-Id: I4f6486b92f023ad0daecfff51e3a1ed16b0e78c0
Closes-Bug: #1684475
---
 .../dashboards/identity/users/forms.py | 2 +-
 .../dashboards/identity/users/tests.py | 14 ++++++++------
 .../dashboards/identity/users/views.py | 7 ++++---
 3 files changed, 13 insertions(+), 10 deletions(-)

diff --git a/openstack_dashboard/dashboards/identity/users/forms.py b/openstack_dashboard/dashboards/identity/users/forms.py
index e34cfdcf91..1d2650e8ee 100644
--- a/openstack_dashboard/dashboards/identity/users/forms.py
+++ b/openstack_dashboard/dashboards/identity/users/forms.py
@@ -314,7 +314,7 @@ class ChangePasswordForm(PasswordMixin, forms.SelfHandlingForm):
 try:
 response = api.keystone.user_update_password(
- request, user_id, password)
+ request, user_id, password, admin=False)
 if user_id == request.user.id:
 return utils.logout_with_message(
 request,
diff --git a/openstack_dashboard/dashboards/identity/users/tests.py b/openstack_dashboard/dashboards/identity/users/tests.py
index 84b3305bbb..7702bfef41 100644
--- a/openstack_dashboard/dashboards/identity/users/tests.py
+++ b/openstack_dashboard/dashboards/identity/users/tests.py
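Review bot: In the forms.py hunk, `user_update_password(request, user_id, password, admin=False)` leaves the decision about who may change the password of `user_id` to Keystone's policy for the caller's token, and nothing at the call site says so. Going by the commit message, `admin=True` made obtaining the client raise NotAuthorized for non-superusers, so that early rejection no longer applies here; where `user_id` comes from is outside the hunk, so it should be confirmed that a member-role user submitting someone else's id is still refused by Keystone. I would add a comment above the call, for example `# admin=False: no dashboard-side admin requirement; Keystone policy authorizes the update for this user_id`. The surrounding `try:` block and its `except` continue outside the hunk.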
@@ -564,10 +564,11 @@ class UsersViewTests(test.BaseAdminViewTests):
 test_password = 'normalpwd'
 api.keystone.user_get(IsA(http.HttpRequest), '1',
- admin=True).AndReturn(user)
+ admin=False).AndReturn(user)
 api.keystone.user_update_password(IsA(http.HttpRequest), user.id,
- test_password).AndReturn(None)
+ test_password,
+ admin=False).AndReturn(None)
 self.mox.ReplayAll()
@@ -590,7 +591,7 @@ class UsersViewTests(test.BaseAdminViewTests):
 admin_password = 'secret'
 api.keystone.user_get(IsA(http.HttpRequest), '1',
- admin=True).AndReturn(user)
+ admin=False).AndReturn(user)
 api.keystone.user_verify_admin_password(
 IsA(http.HttpRequest), admin_password).AndReturn(None)
@@ -613,7 +614,7 @@ class UsersViewTests(test.BaseAdminViewTests):
 user = self.users.get(id="1")
 api.keystone.user_get(IsA(http.HttpRequest), '1',
- admin=True).AndReturn(user)
+ admin=False).AndReturn(user)
 self.mox.ReplayAll()
@@ -634,7 +635,7 @@ class UsersViewTests(test.BaseAdminViewTests):
 user = self.users.get(id="1")
 api.keystone.user_get(IsA(http.HttpRequest), '1',
- admin=True).AndReturn(user)
+ admin=False).AndReturn(user)
 self.mox.ReplayAll()
@@ -862,7 +863,8 @@ class UsersViewTests(test.BaseAdminViewTests):
 tenant = self.tenants.get(id=user.project_id)
 api.keystone.domain_get(IsA(http.HttpRequest), '1').AndReturn(domain)
- api.keystone.user_get(IsA(http.HttpRequest), '1').AndReturn(user)
+ api.keystone.user_get(IsA(http.HttpRequest), '1', admin=False) \
+ .AndReturn(user)
 api.keystone.tenant_get(IsA(http.HttpRequest), user.project_id) \
 .AndReturn(tenant)
 self.mox.ReplayAll()
diff --git a/openstack_dashboard/dashboards/identity/users/views.py b/openstack_dashboard/dashboards/identity/users/views.py
index 32ce48b263..da2166b3d9 100644
--- a/openstack_dashboard/dashboards/identity/users/views.py
+++ b/openstack_dashboard/dashboards/identity/users/views.py
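Review bot: None of the updated tests exercises the case this commit is about: every hunk sits in `UsersViewTests(test.BaseAdminViewTests)`, which by its name runs the views as an admin user, and the hunks at 564, 590, 613, 634 and 862 only swap the expected `admin=` keyword in the mocked calls. A test that drives the change-password view and form as a member-role user for that user's own id would pin the behaviour the fix is meant to restore. A second test, in which `user_update_password` is mocked to raise for another user's id and the form is asserted to report an error rather than success, would pin the authorization path that the dashboard now leaves to Keystone. Whether the test base offers a non-admin fixture is not visible in these hunks.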
@@ -82,7 +82,8 @@ class IndexView(tables.DataTableView):
 self.request):
 try:
 user = api.keystone.user_get(self.request,
- self.request.user.id)
+ self.request.user.id,
+ admin=False)
 users.append(user)
 except Exception:
 exceptions.handle(self.request,
@@ -249,7 +250,7 @@ class DetailView(views.HorizonTemplateView):
 def get_data(self):
 try:
 user_id = self.kwargs['user_id']
- user = api.keystone.user_get(self.request, user_id)
+ user = api.keystone.user_get(self.request, user_id, admin=False)
 except Exception:
 redirect = self.get_redirect_url()
 exceptions.handle(self.request,
@@ -279,7 +280,7 @@ class ChangePasswordView(forms.ModalFormView):
 def get_object(self):
 try:
 return api.keystone.user_get(self.request, self.kwargs['user_id'],
- admin=True)
+ admin=False)
 except Exception:
 redirect = reverse("horizon:identity:users:index")
 exceptions.handle(self.request,
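Review bot: `DetailView.get_data` and `ChangePasswordView.get_object` both take `user_id` straight from the URL kwargs, and with `admin=False` the only thing deciding whether the caller may read that user record is Keystone's policy for the caller's token; neither call site documents that. A one-line comment at each, such as `# admin=False: lookup is authorized by Keystone policy for the requesting user, not by a dashboard admin check`, would keep a later cleanup from reverting to `admin=True` or from assuming the dashboard filters ids itself. The calls at 82 and 249 previously passed no `admin` argument and still needed this change, so the default of `user_get` is presumably `admin=True`; other callers that omit the keyword may hit the same NotAuthorized path and are worth checking. All three functions continue outside their hunks.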