Return 403 on images you can see but can't modify

Visible images return 404 (Not Found) when you try to modify them and are not allowed. This patch changes this return to 403 Forbidden which more accurately reflects the situation, in light of the fact that we are not trying to hide the existence of the image in this case. Fixes bug 1078520 Change-Id: I70e6e273aeaef51dad40cf001308d3a817bdced5
openstack · Nov 14, 2012 · 1758e86 · 1758e86
1 parent d635c41
commit 1758e86
Show file tree

Hide file tree

Showing 2 changed files with 8 additions and 4 deletions.
diff --git a/glance/api/v2/images.py b/glance/api/v2/images.py
@@ -167,8 +167,10 @@ def update(self, req, image_id, changes):
             try:
                 image = self.db_api.image_update(context, image_id, updates,
                                                  purge_props)
-            except (exception.NotFound, exception.Forbidden):
+            except exception.NotFound:
                 raise webob.exc.HTTPNotFound()
+            except exception.Forbidden:
+                raise webob.exc.HTTPForbidden()
             image = self._normalize_properties(dict(image))
 
         if tags is not None:
@@ -276,10 +278,12 @@ def delete(self, req, image_id):
                 else:
                     self.store_api.safe_delete_from_backend(image['location'],
                                                             req.context, id)
-        except (exception.NotFound, exception.Forbidden):
+        except exception.NotFound:
             msg = ("Failed to find image %(image_id)s to delete" % locals())
             LOG.info(msg)
             raise webob.exc.HTTPNotFound()
+        except exception.Forbidden:
+            raise webob.exc.HTTPForbidden()
         else:
             self.notifier.info('image.delete', image)
 

diff --git a/glance/tests/functional/v2/test_images.py b/glance/tests/functional/v2/test_images.py
@@ -298,13 +298,13 @@ def test_permissions(self):
         })
         data = json.dumps([{'replace': '/name', 'value': 'image-2'}])
         response = requests.patch(path, headers=headers, data=data)
-        self.assertEqual(404, response.status_code)
+        self.assertEqual(403, response.status_code)
 
         # TENANT3 should not be able to delete the image, either
         path = self._url('/v2/images/%s' % image_id)
         headers = self._headers({'X-Tenant-Id': TENANT3})
         response = requests.delete(path, headers=headers)
-        self.assertEqual(404, response.status_code)
+        self.assertEqual(403, response.status_code)
 
         # Image data should still be present after the failed delete
         path = self._url('/v2/images/%s/file' % image_id)