Ensure image owned by user before delayed_deletion

Fixes bug 1065187.

Change-Id: Icf2f117a094c712bad645ef5f297e9f7da994c84

glance/api/v1/images.py

@@ -727,6 +727,15 @@ def delete(self, req, id):
                                 content_type="text/plain")
 
         image = self.get_image_meta_or_404(req, id)
+
+        if not (req.context.is_admin
+                or image['owner'] == None
+                or image['owner'] == req.context.owner):
+            msg = _("Unable to delete image you do not own")
+            logger.debug(msg)
+            raise HTTPForbidden(msg, request=req,
+                                content_type="text/plain")
+
         if image['protected']:
             msg = _("Image is protected")
             logger.debug(msg)