Disallow updating deleted images.

1. Return a 403 Forbidden error when an admin user tries to update a deleted image. 2. Also added unit test coverage. Fixes LP: #1060930 Change-Id: I8290c8c9f1bcbbfbff7d54f141bdcfa1c40aab6f
openstack · Oct 22, 2012 · 6eb5448 · 6eb5448
1 parent e561026
commit 6eb5448
Show file tree

Hide file tree

Showing 2 changed files with 25 additions and 0 deletions.
diff --git a/glance/api/v1/images.py b/glance/api/v1/images.py
@@ -709,6 +709,14 @@ def update(self, req, id, image_meta, image_data):
         orig_image_meta = self.get_image_meta_or_404(req, id)
         orig_status = orig_image_meta['status']
 
+        # Do not allow any updates on a deleted image.
+        # Fix for LP Bug #1060930
+        if orig_status == 'deleted':
+            msg = _("Forbidden to update deleted image.")
+            raise HTTPForbidden(explanation=msg,
+                                request=req,
+                                content_type="text/plain")
+
         # The default behaviour for a PUT /images/<IMAGE_ID> is to
         # override any properties that were previously set. This, however,
         # leads to a number of issues for the common use case where a caller

diff --git a/glance/tests/unit/v1/test_api.py b/glance/tests/unit/v1/test_api.py
@@ -2342,6 +2342,23 @@ def test_put_image_content_missing_container_type(self):
         """Tests delayed activation of image with missing container format"""
         self._do_test_put_image_content_missing_format('container_format')
 
+    def test_update_deleted_image(self):
+        """Tests that exception raised trying to update a deleted image"""
+        req = webob.Request.blank("/images/%s" % UUID2)
+        req.method = 'DELETE'
+        res = req.get_response(self.api)
+        self.assertEquals(res.status_int, 200)
+
+        fixture = {'name': 'test_del_img'}
+        req = webob.Request.blank('/images/%s' % UUID2)
+        req.method = 'PUT'
+        req.content_type = 'application/json'
+        req.body = json.dumps(dict(image=fixture))
+
+        res = req.get_response(self.api)
+        self.assertEquals(res.status_int, webob.exc.HTTPForbidden.code)
+        self.assertTrue('Forbidden to update deleted image' in res.body)
+
     def test_register_and_upload(self):
         """
         Test that the process of registering an image with