Merge "remove_role_from_user_and_project affecting all users (bug 1170649)"

2013-06-05 07:24:40 +00:00 · 2013-06-05 07:24:40 +00:00 · e6d551d97a
parent 99717a8fc8 3d5b6ddce9
commit e6d551d97a
2 changed files with 54 additions and 0 deletions
--- a/keystone/identity/backends/sql.py
+++ b/keystone/identity/backends/sql.py
@ -425,6 +425,7 @@ class Identity(sql.Base, identity.Driver):
            else:
                session = self.get_session()
                q = session.query(UserProjectGrant)
+                q = q.filter_by(user_id=user_id)
                q = q.filter_by(project_id=tenant_id)
                q.delete()
        except exception.MetadataNotFound:
--- a/tests/test_v3_auth.py
+++ b/tests/test_v3_auth.py
@ -739,6 +739,59 @@ class TestTokenRevoking(test_v3.RestfulTestCase):
                  headers={'X-Subject-Token': token2},
                  expected_status=401)

+    def test_removing_role_assignment_does_not_affect_other_users(self):
+        """Revoking a role from one user should not affect other users."""
+        r = self.post(
+            '/auth/tokens',
+            body=self.build_authentication_request(
+                user_id=self.user1['id'],
+                password=self.user1['password'],
+                project_id=self.projectA['id']))
+        user1_token = r.headers.get('X-Subject-Token')
+
+        r = self.post(
+            '/auth/tokens',
+            body=self.build_authentication_request(
+                user_id=self.user3['id'],
+                password=self.user3['password'],
+                project_id=self.projectA['id']))
+        user3_token = r.headers.get('X-Subject-Token')
+
+        # delete relationships between user1 and projectA from setUp
+        self.delete(
+            '/projects/%(project_id)s/users/%(user_id)s/roles/%(role_id)s' % {
+                'project_id': self.projectA['id'],
+                'user_id': self.user1['id'],
+                'role_id': self.role1['id']})
+        self.delete(
+            '/projects/%(project_id)s/groups/%(group_id)s/roles/%(role_id)s' %
+            {'project_id': self.projectA['id'],
+             'group_id': self.group1['id'],
+             'role_id': self.role1['id']})
+
+        # authorization for the first user should now fail
+        self.head('/auth/tokens',
+                  headers={'X-Subject-Token': user1_token},
+                  expected_status=401)
+        self.post(
+            '/auth/tokens',
+            body=self.build_authentication_request(
+                user_id=self.user1['id'],
+                password=self.user1['password'],
+                project_id=self.projectA['id']),
+            expected_status=401)
+
+        # authorization for the second user should still succeed
+        self.head('/auth/tokens',
+                  headers={'X-Subject-Token': user3_token},
+                  expected_status=204)
+        self.post(
+            '/auth/tokens',
+            body=self.build_authentication_request(
+                user_id=self.user3['id'],
+                password=self.user3['password'],
+                project_id=self.projectA['id']))
+

 class TestAuthJSON(test_v3.RestfulTestCase):
    content_type = 'json'