Return 403 when admin deletes a deleted image
1. Returned a 403 Forbidden error when an admin user tries to delete a deleted
image.
2. Added unit test coverage.

Fixes LP: #1060944

Change-Id: I1a5c4ca18e2e70d8a614b3132bfcea1f56c5f59c
UnmeshG committed Oct 30, 2012
1 parent 0dc333a commit ca0e6c0
Showing 2 changed files with 51 additions and 0 deletions.
6 changes: 6 additions & 0 deletions glance/api/v1/images.py
Expand Up @@ -821,6 +821,12 @@ def delete(self, req, id):
request=req,
content_type="text/plain")

if image['status'] == 'deleted':
msg = _("Forbidden to delete a deleted image.")
LOG.debug(msg)
raise HTTPForbidden(explanation=msg, request=req,
content_type="text/plain")

status = 'deleted'
try:
# The image's location field may be None in the case
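Review bot: The new `LOG.debug(msg)` in the `image['status'] == 'deleted'` branch records no image id, so a rejected DELETE cannot be tied to a specific image when the logs are reviewed later. Logging the id separately from the client-facing text would fix that, e.g. `LOG.debug(_("Refusing to delete already-deleted image %s") % id)`, while `msg` stays as the HTTP explanation. The check also reads `image['status']` from metadata loaded earlier in `delete`, outside this hunk, so two concurrent DELETE requests may both pass it. Whether that matters depends on how the code after `status = 'deleted'` handles a repeated delete, which is not visible here.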
45 changes: 45 additions & 0 deletions glance/tests/unit/v1/test_api.py
Expand Up @@ -198,6 +198,38 @@ def test_show_invalid(self):
res = req.get_response(self.api)
self.assertEquals(res.status_int, 404)

def test_show_deleted_image_as_admin(self):
"""
Tests that the /images/<id> registry API endpoint
returns a 200 for deleted image to admin user.
"""
# Delete image #2
req = webob.Request.blank('/images/%s' % UUID2)
req.method = 'DELETE'
res = req.get_response(self.api)
self.assertEquals(res.status_int, 200)

req = webob.Request.blank('/images/%s' % UUID2)
res = req.get_response(self.api)
self.assertEquals(res.status_int, 200)

def test_show_deleted_image_as_nonadmin(self):
"""
Tests that the /images/<id> registry API endpoint
returns a 404 for deleted image to non-admin user.
"""
# Delete image #2
req = webob.Request.blank('/images/%s' % UUID2)
req.method = 'DELETE'
res = req.get_response(self.api)
self.assertEquals(res.status_int, 200)

api = test_utils.FakeAuthMiddleware(rserver.API(self.mapper),
is_admin=False)
req = webob.Request.blank('/images/%s' % UUID2)
res = req.get_response(api)
self.assertEquals(res.status_int, 404)

def test_get_root(self):
"""
Tests that the root registry API returns "index",
Expand Down Expand Up @@ -2359,6 +2391,19 @@ def test_update_deleted_image(self):
self.assertEquals(res.status_int, webob.exc.HTTPForbidden.code)
self.assertTrue('Forbidden to update deleted image' in res.body)

def test_delete_deleted_image(self):
"""Tests that exception raised trying to delete a deleted image"""
req = webob.Request.blank("/images/%s" % UUID2)
req.method = 'DELETE'
res = req.get_response(self.api)
self.assertEquals(res.status_int, 200)

req = webob.Request.blank("/images/%s" % UUID2)
req.method = 'DELETE'
res = req.get_response(self.api)
self.assertEquals(res.status_int, webob.exc.HTTPForbidden.code)
self.assertTrue('Forbidden to delete a deleted image' in res.body)

def test_register_and_upload(self):
"""
Test that the process of registering an image with
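Review bot: `test_delete_deleted_image` only exercises `self.api` as the test class configures it, so nothing pins what a non-admin caller receives for a second DELETE on the same image. The new 403 tells the caller that the id once existed, whereas `test_show_deleted_image_as_nonadmin` in this file expects a deleted image to look like a 404 to non-admins; a companion test should assert that a non-admin DELETE of a deleted image also returns 404. It could build the non-admin API the way the show test does, with `test_utils.FakeAuthMiddleware(..., is_admin=False)`, though the app to wrap for the v1 API test class is not visible on this page. The new test's docstring would also read more clearly as `"""A second DELETE on an already-deleted image returns 403 with an explanatory body."""`.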