diff --git a/keystone/api/role_assignments.py b/keystone/api/role_assignments.py index d1cfd90c48..fe81cca0fd 100644 --- a/keystone/api/role_assignments.py +++ b/keystone/api/role_assignments.py @@ -80,12 +80,12 @@ class RoleAssignmentsResource(ks_flask.ResourceBase): 'group.id', 'role.id', 'scope.domain.id', 'scope.project.id', 'scope.OS-INHERIT:inherited_to', 'user.id' ] - target = {} + target = None if 'scope.project.id' in flask.request.args: project_id = flask.request.args['scope.project.id'] if project_id: - target['project'] = PROVIDERS.resource_api.get_project( - project_id) + target = {'project': PROVIDERS.resource_api.get_project( + project_id)} ENFORCER.enforce_call(action='identity:list_role_assignments_for_tree', filters=filters, target_attr=target) if not flask.request.args.get('scope.project.id'): diff --git a/keystone/tests/unit/test_v3_assignment.py b/keystone/tests/unit/test_v3_assignment.py index 3bc15af6ed..a81d855ceb 100644 --- a/keystone/tests/unit/test_v3_assignment.py +++ b/keystone/tests/unit/test_v3_assignment.py @@ -2596,11 +2596,15 @@ class AssignmentInheritanceTestCase(test_v3.RestfulTestCase, def test_project_id_specified_if_include_subtree_specified(self): """When using include_subtree, you must specify a project ID.""" - self.get('/role_assignments?include_subtree=True', - expected_status=http_client.BAD_REQUEST) - self.get('/role_assignments?scope.project.id&' - 'include_subtree=True', - expected_status=http_client.BAD_REQUEST) + r = self.get('/role_assignments?include_subtree=True', + expected_status=http_client.BAD_REQUEST) + error_msg = ("scope.project.id must be specified if include_subtree " + "is also specified") + self.assertEqual(error_msg, r.result['error']['message']) + r = self.get('/role_assignments?scope.project.id&' + 'include_subtree=True', + expected_status=http_client.BAD_REQUEST) + self.assertEqual(error_msg, r.result['error']['message']) def test_get_role_assignments_for_project_tree(self): """Get role_assignment?scope.project.id=X&include_subtree``.