Merge "Fix for GET project by project admin"

2015-12-08 09:19:39 +00:00 · 2015-12-08 09:19:39 +00:00 · f9de05579d
commit f9de05579d
parent 8c77532327 7f3158a6d4
2 changed files with 22 additions and 1 deletions
--- a/etc/policy.v3cloudsample.json
+++ b/etc/policy.v3cloudsample.json
@ -37,7 +37,8 @@

    "admin_and_matching_target_project_domain_id": "rule:admin_required and domain_id:%(target.project.domain_id)s",
    "admin_and_matching_project_domain_id": "rule:admin_required and domain_id:%(project.domain_id)s",
-    "identity:get_project": "rule:cloud_admin or rule:admin_and_matching_target_project_domain_id",
+    "admin_and_matching_target_project_id": "rule:admin_required and project_id:%(target.project.id)s",
+    "identity:get_project": "rule:cloud_admin or rule:admin_and_matching_target_project_domain_id or rule:admin_and_matching_target_project_id",
    "identity:list_projects": "rule:cloud_admin or rule:admin_and_matching_domain_id",
    "identity:list_user_projects": "rule:owner or rule:admin_and_matching_domain_id",
    "identity:create_project": "rule:cloud_admin or rule:admin_and_matching_project_domain_id",
--- a/keystone/tests/unit/test_v3_protection.py
+++ b/keystone/tests/unit/test_v3_protection.py
@ -1264,3 +1264,23 @@ class IdentityTestv3CloudPolicySample(test_v3.RestfulTestCase,

        self.delete('/auth/tokens', token=admin_token,
                    headers={'X-Subject-Token': user_token})
+
+    def test_project_admin_get_project(self):
+        user_auth = self.build_authentication_request(
+            user_id=self.just_a_user['id'],
+            password=self.just_a_user['password'],
+            project_id=self.project['id'])
+
+        self.get('/projects/%s' % self.project['id'], auth=user_auth,
+                 expected_status=exception.ForbiddenAction.code)
+
+        # Now, authenticate with a user that does have the project
+        # admin role
+        admin_auth = self.build_authentication_request(
+            user_id=self.project_admin_user['id'],
+            password=self.project_admin_user['password'],
+            project_id=self.project['id'])
+
+        resp = self.get('/projects/%s' % self.project['id'], auth=admin_auth)
+        self.assertEqual(self.project['id'],
+                         jsonutils.loads(resp.body)['project']['id'])