Skip to content

Commit

Permalink
Ensure authorization before deleting from store
Browse files Browse the repository at this point in the history 
This fixes bug 1076506.

Change-Id: I3794c14fe523a9a27e943d73dd0248489d2b91f6
  • Loading branch information
@markwash
markwash committed Nov 8, 2012
1 parent 90bcdc5 commit fc0ee76
Show file tree
Hide file tree
Showing 2 changed files with 24 additions and 9 deletions.
21 changes: 12 additions & 9 deletions glance/api/v2/images.py
View file
Original file line number Diff line number Diff line change
Expand Up @@ -268,19 +268,22 @@ def delete(self, req, image_id):
% locals())
raise webob.exc.HTTPForbidden(explanation=msg)

status = 'deleted'
if image['location']:
if CONF.delayed_delete:
status = 'pending_delete'
self.store_api.schedule_delayed_delete_from_backend(
image['location'], id)
else:
self.store_api.safe_delete_from_backend(image['location'],
req.context, id)
if image['location'] and CONF.delayed_delete:
status = 'pending_delete'
else:
status = 'deleted'

try:
self.db_api.image_update(req.context, image_id, {'status': status})
self.db_api.image_destroy(req.context, image_id)

if image['location']:
if CONF.delayed_delete:
self.store_api.schedule_delayed_delete_from_backend(
image['location'], id)
else:
self.store_api.safe_delete_from_backend(image['location'],
req.context, id)
except (exception.NotFound, exception.Forbidden):
msg = ("Failed to find image %(image_id)s to delete" % locals())
LOG.info(msg)
Expand Down
12 changes: 12 additions & 0 deletions glance/tests/functional/v2/test_images.py
View file
Original file line number Diff line number Diff line change
Expand Up @@ -218,6 +218,12 @@ def test_permissions(self):
self.assertEqual(201, response.status_code)
image_id = json.loads(response.text)['id']

# Upload some image data
path = self._url('/v2/images/%s/file' % image_id)
headers = self._headers({'Content-Type': 'application/octet-stream'})
response = requests.put(path, headers=headers, data='ZZZZZ')
self.assertEqual(201, response.status_code)

# TENANT1 should see the image in their list
path = self._url('/v2/images')
response = requests.get(path, headers=self._headers())
Expand Down Expand Up @@ -300,6 +306,12 @@ def test_permissions(self):
response = requests.delete(path, headers=headers)
self.assertEqual(404, response.status_code)

# Image data should still be present after the failed delete
path = self._url('/v2/images/%s/file' % image_id)
response = requests.get(path, headers=self._headers())
self.assertEqual(200, response.status_code)
self.assertEqual(response.text, 'ZZZZZ')

self.stop_servers()

def test_tag_lifecycle(self):
Expand Down

0 comments on commit fc0ee76

Please sign in to comment.