yahoo-eng-team team mailing list archive

Thread
Date

[Bug 1517060] Re: Users (without admin privileges) can change ACTIVE_IMMUTABLE properties of their own images when deactivated.

To: yahoo-eng-team@xxxxxxxxxxxxxxxxxxx
From: Doug Hellmann <doug@xxxxxxxxxxxxxxxx>
Date: Wed, 02 Dec 2015 22:12:05 -0000
Reply-to: Bug 1517060 <1517060@xxxxxxxxxxxxxxxxxx>
Sender: bounces@xxxxxxxxxxxxx

** Changed in: glance
       Status: Fix Committed => Fix Released

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to Glance.
https://bugs.launchpad.net/bugs/1517060

Title:
  Users (without admin privileges) can change ACTIVE_IMMUTABLE
  properties of their own images when deactivated.

Status in Glance:
  Fix Released
Status in Glance kilo series:
  In Progress
Status in Glance liberty series:
  Fix Committed

Bug description:
  Steps to reproduce:

  1. Create a new image with 'active' status.
  2. Deactivate this image from admin. (image should have a 'deactivated' status)
  3. Use this curl request:
  curl -X PUT http://localhost:9292/v1/images/<USER_IMAGE_ID> -H 'X-Auth-Token: <USER_TOKEN>' -H 'x-image-meta-size: 1234567'
  4. Verify that created image have a '1234567' size.

To manage notifications about this bug go to:
https://bugs.launchpad.net/glance/+bug/1517060/+subscriptions

References

[Bug 1517060] [NEW] User (without admin privileges) can change size your own image with 'deactivated' status.
From: Alexey Galkin, 2015-11-17