From 81a4d386bc1b8f9e32026506bd1ae134d3df643b Mon Sep 17 00:00:00 2001
From: Dolph Mathews
Date: Mon, 3 Jun 2013 14:46:53 -0500
Subject: [PATCH] remove_role_from_user_and_project affecting all users (bug 1170649)
Change-Id: I2333404991114e6985f3f2c4de4fb30dc3195b2d
---
 keystone/identity/backends/sql.py | 1 +
 tests/test_v3_auth.py | 53 +++++++++++++++++++++++++++++++
 2 files changed, 54 insertions(+)
diff --git a/keystone/identity/backends/sql.py b/keystone/identity/backends/sql.py
index 1b06c4db9a..0f08020bbb 100644
--- a/keystone/identity/backends/sql.py
+++ b/keystone/identity/backends/sql.py
@@ -434,6 +434,7 @@ def remove_role_from_user_and_project(self, user_id, tenant_id, role_id):
 else:
 session = self.get_session()
 q = session.query(UserProjectGrant)
+ q = q.filter_by(user_id=user_id)
 q = q.filter_by(project_id=tenant_id)
 q.delete()
 except exception.MetadataNotFound:
diff --git a/tests/test_v3_auth.py b/tests/test_v3_auth.py
index a292af2b48..1b41c3bcde 100644
--- a/tests/test_v3_auth.py
+++ b/tests/test_v3_auth.py
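Review bot: `role_id` plays no part in the delete in the `else:` branch of `remove_role_from_user_and_project`: the query removes the whole `UserProjectGrant` row for the user and project, which is only right if the branch is reached once no roles remain, and that condition sits outside the hunk. A comment above the query would pin the invariant down, for example `# last role removed: drop this user's grant row for this project; never filter on project alone`. Because `Query.delete()` returns the number of rows matched, checking or logging that count (more than one row here would be unexpected) would make an over-broad delete of authorization data visible at runtime instead of silent.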
@@ -698,6 +698,59 @@ def test_group_membership_changes_revokes_token(self):
 headers={'X-Subject-Token': token2},
 expected_status=401)
 
+ def test_removing_role_assignment_does_not_affect_other_users(self):
+ """Revoking a role from one user should not affect other users."""
+ r = self.post(
+ '/auth/tokens',
+ body=self.build_authentication_request(
+ user_id=self.user1['id'],
+ password=self.user1['password'],
+ project_id=self.projectA['id']))
+ user1_token = r.getheader('X-Subject-Token')
+
+ r = self.post(
+ '/auth/tokens',
+ body=self.build_authentication_request(
+ user_id=self.user3['id'],
+ password=self.user3['password'],
+ project_id=self.projectA['id']))
+ user3_token = r.getheader('X-Subject-Token')
+
+ # delete relationships between user1 and projectA from setUp
+ self.delete(
+ '/projects/%(project_id)s/users/%(user_id)s/roles/%(role_id)s' % {
+ 'project_id': self.projectA['id'],
+ 'user_id': self.user1['id'],
+ 'role_id': self.role1['id']})
+ self.delete(
+ '/projects/%(project_id)s/groups/%(group_id)s/roles/%(role_id)s' %
+ {'project_id': self.projectA['id'],
+ 'group_id': self.group1['id'],
+ 'role_id': self.role1['id']})
+
+ # authorization for the first user should now fail
+ self.head('/auth/tokens',
+ headers={'X-Subject-Token': user1_token},
+ expected_status=401)
+ self.post(
+ '/auth/tokens',
+ body=self.build_authentication_request(
+ user_id=self.user1['id'],
+ password=self.user1['password'],
+ project_id=self.projectA['id']),
+ expected_status=401)
+
+ # authorization for the second user should still succeed
+ self.head('/auth/tokens',
+ headers={'X-Subject-Token': user3_token},
+ expected_status=204)
+ self.post(
+ '/auth/tokens',
+ body=self.build_authentication_request(
+ user_id=self.user3['id'],
+ password=self.user3['password'],
+ project_id=self.projectA['id']))
+
 
 class TestAuthJSON(test_v3.RestfulTestCase):
 content_type = 'json'
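Review bot: The new test covers only the other-user direction of the grant delete: nothing checks that `user1` keeps access to projects other than `projectA`, so a later regression that dropped the `project_id` filter and kept `user_id` would pass. If setUp grants `user1` a role on a second project (the fixtures are outside the hunk), a further `self.post('/auth/tokens', ...)` for `user1` scoped to that project after the two deletes would cover it. The two `self.delete(...)` calls and the final `self.post(...)` also rely on the helper's default expected status; an explicit `expected_status=` on each would make the intended outcome readable in the test itself.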