Make the describe-resource API calls user-aware

Fixes #143

The stack retrieval DB calls were already fixed in previous commits but
there was still one query (resource_get_by_physical_resource_id) that
would return any resource, not just the ones owned the user.

Change-Id: Ie02ff1e8ba6ea8da2c3d0c7f0a87c32452824fc6

diff --git a/heat/db/sqlalchemy/api.py b/heat/db/sqlalchemy/api.py
index dc58028892f25e1f5d4db0a4a1cc3f562943cc42..7ff6de48f2ccf47b58af342916406c6b08ad9cf6 100644 (file)
--- a/heat/db/sqlalchemy/api.py
+++ b/heat/db/sqlalchemy/api.py
@@ -102,6 +102,9 @@ def resource_get_by_physical_resource_id(context, physical_resource_id):
     result = (model_query(context, models.Resource)
               .filter_by(nova_instance=physical_resource_id)
               .first())
+    if (result is not None and context is not None and
+        result.stack.username != context.username):
+        return None
     return result
 
 
@@ -231,7 +234,7 @@ def event_get_all_by_user(context):
                           filter_by(username=context.username).all()
     results = []
     for stack in stacks:
-        results.extend(model_query(context, models.Event).\
+        results.extend(model_query(context, models.Event).
                                    filter_by(stack_id=stack.id).all())
 
     return results