yahoo-eng-team team mailing list archive

Thread
Date

[Bug 1645894] Re: user with _admin_ role of one project can list and delete private images in others projects

To: yahoo-eng-team@xxxxxxxxxxxxxxxxxxx
From: Brian Rosmaita <rosmaita.fossdev@xxxxxxxxx>
Date: Fri, 21 Apr 2017 01:56:30 -0000
Reply-to: Bug 1645894 <1645894@xxxxxxxxxxxxxxxxxx>
Sender: bounces@xxxxxxxxxxxxx

** Changed in: glance
       Status: New => Invalid

** Changed in: glance
     Assignee: (unassigned) => Brian Rosmaita (brian-rosmaita)

** Changed in: glance
   Importance: Undecided => Low

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to Glance.
https://bugs.launchpad.net/bugs/1645894

Title:
  user with _admin_ role of one project can list and delete private
  images in others projects

Status in Glance:
  Invalid

Bug description:
  in glance V2, admin of one project can list and delete private images
  in others projects

  Assume have project1(admin user: admin1) and project2(admin user:
  admin2), have created a private image (image1) in project1

  Then login into project2 as user admin2,

  In Horizon:
  in project tab, can see image1 and visibility is 'Shared with Project', but unable to delete this image, same with Admin Tab

  In CLI:
  user admin2 can list and delete image1 (private image in project1)

To manage notifications about this bug go to:
https://bugs.launchpad.net/glance/+bug/1645894/+subscriptions

References

[Bug 1645894] [NEW] user with _admin_ role of one project can list and delete private images in others projects
From: yuanyuan zhang, 2016-11-29