remove_role_from_user_and_project affecting all users (bug 1170649)

Change-Id: I2333404991114e6985f3f2c4de4fb30dc3195b2d
openstack · Jun 5, 2013 · 81a4d38 · 81a4d38
1 parent 39c4ca1
commit 81a4d38
Show file tree

Hide file tree

Showing 2 changed files with 54 additions and 0 deletions.
diff --git a/keystone/identity/backends/sql.py b/keystone/identity/backends/sql.py
@@ -434,6 +434,7 @@ def remove_role_from_user_and_project(self, user_id, tenant_id, role_id):
             else:
                 session = self.get_session()
                 q = session.query(UserProjectGrant)
+                q = q.filter_by(user_id=user_id)
                 q = q.filter_by(project_id=tenant_id)
                 q.delete()
         except exception.MetadataNotFound:

diff --git a/tests/test_v3_auth.py b/tests/test_v3_auth.py
@@ -698,6 +698,59 @@ def test_group_membership_changes_revokes_token(self):
                   headers={'X-Subject-Token': token2},
                   expected_status=401)
 
+    def test_removing_role_assignment_does_not_affect_other_users(self):
+        """Revoking a role from one user should not affect other users."""
+        r = self.post(
+            '/auth/tokens',
+            body=self.build_authentication_request(
+                user_id=self.user1['id'],
+                password=self.user1['password'],
+                project_id=self.projectA['id']))
+        user1_token = r.getheader('X-Subject-Token')
+
+        r = self.post(
+            '/auth/tokens',
+            body=self.build_authentication_request(
+                user_id=self.user3['id'],
+                password=self.user3['password'],
+                project_id=self.projectA['id']))
+        user3_token = r.getheader('X-Subject-Token')
+
+        # delete relationships between user1 and projectA from setUp
+        self.delete(
+            '/projects/%(project_id)s/users/%(user_id)s/roles/%(role_id)s' % {
+                'project_id': self.projectA['id'],
+                'user_id': self.user1['id'],
+                'role_id': self.role1['id']})
+        self.delete(
+            '/projects/%(project_id)s/groups/%(group_id)s/roles/%(role_id)s' %
+            {'project_id': self.projectA['id'],
+             'group_id': self.group1['id'],
+             'role_id': self.role1['id']})
+
+        # authorization for the first user should now fail
+        self.head('/auth/tokens',
+                  headers={'X-Subject-Token': user1_token},
+                  expected_status=401)
+        self.post(
+            '/auth/tokens',
+            body=self.build_authentication_request(
+                user_id=self.user1['id'],
+                password=self.user1['password'],
+                project_id=self.projectA['id']),
+            expected_status=401)
+
+        # authorization for the second user should still succeed
+        self.head('/auth/tokens',
+                  headers={'X-Subject-Token': user3_token},
+                  expected_status=204)
+        self.post(
+            '/auth/tokens',
+            body=self.build_authentication_request(
+                user_id=self.user3['id'],
+                password=self.user3['password'],
+                project_id=self.projectA['id']))
+
 
 class TestAuthJSON(test_v3.RestfulTestCase):
     content_type = 'json'