Skip to content

Commit b591304

Browse files
committed
Ensure authorization before deleting from store
This fixes bug 1076506. Change-Id: I3794c14fe523a9a27e943d73dd0248489d2b91f6
1 parent cf655de commit b591304

File tree

2 files changed

+24
-9
lines changed

2 files changed

+24
-9
lines changed

Diff for: glance/api/v2/images.py

+12-9
Original file line numberDiff line numberDiff line change
@@ -260,19 +260,22 @@ def delete(self, req, image_id):
260260
% locals())
261261
raise webob.exc.HTTPForbidden(explanation=msg)
262262

263-
status = 'deleted'
264-
if image['location']:
265-
if CONF.delayed_delete:
266-
status = 'pending_delete'
267-
self.store_api.schedule_delayed_delete_from_backend(
268-
image['location'], id)
269-
else:
270-
self.store_api.safe_delete_from_backend(image['location'],
271-
req.context, id)
263+
if image['location'] and CONF.delayed_delete:
264+
status = 'pending_delete'
265+
else:
266+
status = 'deleted'
272267

273268
try:
274269
self.db_api.image_update(req.context, image_id, {'status': status})
275270
self.db_api.image_destroy(req.context, image_id)
271+
272+
if image['location']:
273+
if CONF.delayed_delete:
274+
self.store_api.schedule_delayed_delete_from_backend(
275+
image['location'], id)
276+
else:
277+
self.store_api.safe_delete_from_backend(image['location'],
278+
req.context, id)
276279
except (exception.NotFound, exception.Forbidden):
277280
msg = ("Failed to find image %(image_id)s to delete" % locals())
278281
LOG.info(msg)

Diff for: glance/tests/functional/v2/test_images.py

+12
Original file line numberDiff line numberDiff line change
@@ -218,6 +218,12 @@ def test_permissions(self):
218218
self.assertEqual(201, response.status_code)
219219
image_id = json.loads(response.text)['id']
220220

221+
# Upload some image data
222+
path = self._url('/v2/images/%s/file' % image_id)
223+
headers = self._headers({'Content-Type': 'application/octet-stream'})
224+
response = requests.put(path, headers=headers, data='ZZZZZ')
225+
self.assertEqual(201, response.status_code)
226+
221227
# TENANT1 should see the image in their list
222228
path = self._url('/v2/images')
223229
response = requests.get(path, headers=self._headers())
@@ -300,6 +306,12 @@ def test_permissions(self):
300306
response = requests.delete(path, headers=headers)
301307
self.assertEqual(404, response.status_code)
302308

309+
# Image data should still be present after the failed delete
310+
path = self._url('/v2/images/%s/file' % image_id)
311+
response = requests.get(path, headers=self._headers())
312+
self.assertEqual(200, response.status_code)
313+
self.assertEqual(response.text, 'ZZZZZ')
314+
303315
self.stop_servers()
304316

305317
def test_tag_lifecycle(self):

0 commit comments

Comments
 (0)