From 4497aadce3537e122042bae7760dbc2ee634d030 Mon Sep 17 00:00:00 2001
From: Todd Willey
Date: Thu, 7 Jul 2011 16:18:16 -0400
Subject: Return users in a tenant as part of a many-to-many relationship.
---
 keystone/backends/sqlalchemy/api/user.py | 38 +++++++++++++++++++++-----------
 keystone/backends/sqlalchemy/models.py | 1 +
 2 files changed, 26 insertions(+), 13 deletions(-)
diff --git a/keystone/backends/sqlalchemy/api/user.py b/keystone/backends/sqlalchemy/api/user.py
index fcdc74f7..304ba204 100755
--- a/keystone/backends/sqlalchemy/api/user.py
+++ b/keystone/backends/sqlalchemy/api/user.py
@@ -355,28 +355,40 @@ class UserAPI(BaseUserAPI): def users_get_by_tenant_get_page(self, tenant_id, marker, limit, session=None): + # This is broken. If a user has more than one role per project + # shit hits the fan because we're limiting the wrong model. + # Also the user lookup is nasty and potentially injectiable. if not session: session = get_session() - user = aliased(models.User) + user = aliased(models.UserRoleAssociation) if marker: - return session.query(user).\ - filter("tenant_id = :tenant_id").\ - params(tenant_id='%s' % tenant_id).\ - filter("id>=:marker").params( - marker='%s' % marker).order_by( - "id").limit(limit).all() + rv = session.query(user).\ + filter("tenant_id = :tenant_id").\ + params(tenant_id='%s' % tenant_id).\ + filter("id>=:marker").\ + params(marker='%s' % marker).\ + order_by("id").\ + limit(limit).\ + all() else: - return session.query(user).\ - filter("tenant_id = :tenant_id").\ - params(tenant_id='%s' % tenant_id).order_by( - "id").limit(limit).all() + rv = session.query(user).\ + filter("tenant_id = :tenant_id").\ + params(tenant_id='%s' % tenant_id).\ + order_by("id").\ + limit(limit).\ + all() + user_ids = set([assoc.user_id for assoc in rv]) + users = session.query(models.User).\ + filter("id in ('%s')" % "','".join(user_ids)).\ + all() + return users def users_get_by_tenant_get_page_markers(self, tenant_id, marker, limit, \ session=None): if not session: session = get_session() - user = aliased(models.User) + user = aliased(models.UserRoleAssociation) first = session.query(user).\ filter(user.tenant_id == tenant_id).\ order_by(user.id).first() @@ -431,4 +443,4 @@ class UserAPI(BaseUserAPI): group.id).all() def get(): - return UserAPI() \ No newline at end of file + return UserAPI() diff --git a/keystone/backends/sqlalchemy/models.py b/keystone/backends/sqlalchemy/models.py index 16bc7a75..f2ca7dc0 100755 --- a/keystone/backends/sqlalchemy/models.py +++ b/keystone/backends/sqlalchemy/models.py 
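Review bot: The new second lookup in `users_get_by_tenant_get_page` builds its SQL by string interpolation, `filter("id in ('%s')" % "','".join(user_ids))`, so any stored user id containing a quote character changes the statement instead of being compared as data. The added comment admits the lookup is "potentially injectiable", but the commit ships it anyway, unlike the `tenant_id` and `marker` filters just above, which are bound with `params(...)`. Assuming `models.User` exposes `id` as a mapped column, the values can be bound with the column operator: `users = session.query(models.User).filter(models.User.id.in_(user_ids)).order_by(models.User.id).all()`, with an early `return []` when `user_ids` is empty. The explicit `order_by` also matters for paging, because the current final query returns users in whatever order the database chooses. The marker and limit are applied to `UserRoleAssociation.id`, so a page can still hold fewer than `limit` distinct users; that limitation deserves a tracked follow-up rather than only the inline comment.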
@@ -92,6 +92,7 @@ class UserRoleAssociation(Base, KeystoneBase): tenant_id = Column(String(255), ForeignKey('tenants.id')) __table_args__ = (UniqueConstraint("user_id", "role_id", "tenant_id"), {}) + user = relationship('User') class Endpoints(Base, KeystoneBase): __tablename__ = 'endpoints' -- cgit