Merge "Require authz for user role list (bug 1006815)"

2012-06-08 17:00:02 +00:00 · 2012-06-08 17:00:02 +00:00 · 84a7f37510
parent b2aa620bc9 868054992f
commit 84a7f37510
2 changed files with 12 additions and 0 deletions
--- a/keystone/identity/core.py
+++ b/keystone/identity/core.py
@ -467,6 +467,7 @@ class RoleController(wsgi.Application):
        not implementing them in hopes that the idea will die off.

        """
+        self.assert_admin(context)
        if tenant_id is None:
            raise exception.NotImplemented(message='User roles not supported: '
                                                   'tenant ID required')
--- a/tests/test_content_types.py
+++ b/tests/test_content_types.py
@ -587,6 +587,17 @@ class JsonTestCase(RestfulTestCase, CoreApiTests):
                               expected_status=401)
        self.assertValidErrorResponse(r)

+    def test_user_role_list_requires_auth(self):
+        """User role list should 401 without an X-Auth-Token (bug 1006815)."""
+        # values here don't matter because we should 401 before they're checked
+        path = '/v2.0/tenants/%(tenant_id)s/users/%(user_id)s/roles' % {
+                'tenant_id': uuid.uuid4().hex,
+                'user_id': uuid.uuid4().hex,
+        }
+
+        r = self.admin_request(path=path, expected_status=401)
+        self.assertValidErrorResponse(r)
+

 class XmlTestCase(RestfulTestCase, CoreApiTests):
    xmlns = 'http://docs.openstack.org/identity/api/v2.0'