yahoo-eng-team team mailing list archive

Thread
Date

[Bug 1645894] [NEW] user with _admin_ role of one project can list and delete private images in others projects

To: yahoo-eng-team@xxxxxxxxxxxxxxxxxxx
From: yuanyuan zhang <1645894@xxxxxxxxxxxxxxxxxx>
Date: Tue, 29 Nov 2016 22:48:11 -0000
Reply-to: Bug 1645894 <1645894@xxxxxxxxxxxxxxxxxx>
Sender: bounces@xxxxxxxxxxxxx

Public bug reported:

in glance V2, admin of one project can list and delete private images in
others projects

Assume have project1(admin user: admin1) and project2(admin user:
admin2), have created a private image (image1) in project1

Then login into project2 as user admin2,

In Horizon:
in project tab, can see image1 and visibility is 'Shared with Project', but unable to delete this image, same with Admin Tab

In CLI:
user admin2 can list and delete image1 (private image in project1)

** Affects: glance
     Importance: Undecided
         Status: New

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to Glance.
https://bugs.launchpad.net/bugs/1645894

Title:
  user with _admin_ role of one project can list and delete private
  images in others projects

Status in Glance:
  New

Bug description:
  in glance V2, admin of one project can list and delete private images
  in others projects

  Assume have project1(admin user: admin1) and project2(admin user:
  admin2), have created a private image (image1) in project1

  Then login into project2 as user admin2,

  In Horizon:
  in project tab, can see image1 and visibility is 'Shared with Project', but unable to delete this image, same with Admin Tab

  In CLI:
  user admin2 can list and delete image1 (private image in project1)

To manage notifications about this bug go to:
https://bugs.launchpad.net/glance/+bug/1645894/+subscriptions

Follow ups

[Bug 1645894] Re: user with _admin_ role of one project can list and delete private images in others projects
From: Brian Rosmaita, 2017-04-21