From: Tomas Sedovic <tomas@sedovic.cz>
Date: Tue, 19 Jun 2012 12:54:27 +0000 (+0200)
Subject: Make the describe-resource API calls user-aware
X-Git-Tag: 2014.1~1695
X-Git-Url: https://review.fuel-infra.org/gitweb?a=commitdiff_plain;h=970c333d4e13685f025c4dc27ae7df9807d6c309;p=openstack-build%2Fheat-build.git

Make the describe-resource API calls user-aware

Fixes #143

The stack retrieval DB calls were already fixed in previous commits but
there was still one query (resource_get_by_physical_resource_id) that
would return any resource, not just the ones owned the user.

Change-Id: Ie02ff1e8ba6ea8da2c3d0c7f0a87c32452824fc6
---

diff --git a/heat/db/sqlalchemy/api.py b/heat/db/sqlalchemy/api.py
index dc580288..7ff6de48 100644
--- a/heat/db/sqlalchemy/api.py
+++ b/heat/db/sqlalchemy/api.py
@@ -102,6 +102,9 @@ def resource_get_by_physical_resource_id(context, physical_resource_id):
     result = (model_query(context, models.Resource)
               .filter_by(nova_instance=physical_resource_id)
               .first())
+    if (result is not None and context is not None and
+        result.stack.username != context.username):
+        return None
     return result
 
 
@@ -231,7 +234,7 @@ def event_get_all_by_user(context):
                           filter_by(username=context.username).all()
     results = []
     for stack in stacks:
-        results.extend(model_query(context, models.Event).\
+        results.extend(model_query(context, models.Event).
                                    filter_by(stack_id=stack.id).all())
 
     return results