Can view private images belonging to another user using member-list
Affects | Status | Importance | Assigned to | Milestone |
---|---|---|---|---|
Glance | Fix Released | Critical | Mark Washenberger | |
Grizzly | Fix Released | Critical | Mark Washenberger | |
Bug Description
Description of use case which causes this bug:
1. ADMIN user (image admin-admin-private has member fake-member-id. You can see the image in image list, you can see the members for the image and for the given member-id you can see the image)
iccha@iccha-
iccha@iccha-
+------
| ID | Name | Disk Format | Container Format | Size | Status |
+------
| 5c2a93c2-
| 6e056225-
| c7fd417b-
| b50d67a8-
+------
iccha@iccha-
+------
| Image ID | Member ID | Can Share |
+------
| 5c2a93c2-
+------
iccha@iccha-
+------
| Image ID | Member ID | Can Share |
+------
| 5c2a93c2-
+------
2. DEMO user (cannot view image admin-admin-private because it's a private image created by admin, cannot view the members of admin-admin-
iccha@iccha-
iccha@iccha-
+------
| ID | Name | Disk Format | Container Format | Size | Status |
+------
| 6e056225-
| c7fd417b-
| b50d67a8-
| 5bbd2cf8-
+------
iccha@iccha-
curl -i -X GET -H 'X-Auth-Token: 524e0f13f4d94ba
HTTP/1.1 404 Not Found
date: Sun, 03 Feb 2013 20:53:40 GMT
content-length: 120
content-type: text/plain; charset=UTF-8
x-openstack-
404 Not Found
The resource could not be found.
Image with identifier 5c2a93c2-
Request returned failure status.
404 Not Found
The resource could not be found.
Image with identifier 5c2a93c2-
iccha@iccha-
curl -i -X GET -H 'X-Auth-Token: e713a6477074479
HTTP/1.1 200 OK
date: Sun, 03 Feb 2013 20:53:48 GMT
content-length: 93
content-type: application/json; charset=UTF-8
x-openstack-
{"shared_images": [{"image_id": "5c2a93c2-
+------
| Image ID | Member ID | Can Share |
+------
| 5c2a93c2-
+------
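The access-control gap in the report, as an added example that is not part of the original report and is not Glance's code: a minimal in-memory model in which the image lookup applies a visibility rule but the member-keyed lookup does not, next to a version that reuses the same rule. All names (Image, Context, is_visible, shared_images_unchecked, shared_images_checked), the visibility rule and the sample data are assumptions made for illustration.

```python
from dataclasses import dataclass, field


@dataclass
class Image:
    id: str
    owner: str
    is_public: bool = False
    members: set = field(default_factory=set)


@dataclass
class Context:
    tenant: str
    is_admin: bool = False


# Constructed sample data mirroring the scenario in the report.
IMAGES = [
    Image("img-admin-private", owner="admin", members={"fake-member-id"}),
    Image("img-demo-private", owner="demo"),
    Image("img-public", owner="admin", is_public=True),
]


def is_visible(ctx, image):
    """Assumed rule for the image lookup: admin, public, owner or member."""
    return (ctx.is_admin or image.is_public
            or image.owner == ctx.tenant or ctx.tenant in image.members)


def shared_images_unchecked(ctx, member_id):
    """Reported behaviour: keyed only on member_id, the caller is ignored."""
    return [i.id for i in IMAGES if member_id in i.members]


def shared_images_checked(ctx, member_id):
    """Return a membership only if the caller may already see that image."""
    return [i.id for i in IMAGES
            if member_id in i.members and is_visible(ctx, i)]


if __name__ == "__main__":
    demo = Context("demo")
    print("unchecked:", shared_images_unchecked(demo, "fake-member-id"))
    print("checked:  ", shared_images_checked(demo, "fake-member-id"))
```

The assertions a regression test for this class of bug would carry are the ones that call the member-keyed lookup as a tenant who is neither owner, member nor admin.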
Changed in glance:
status: New → Triaged
Changed in glance:
milestone: none → grizzly-rc1
importance: Undecided → Critical
Changed in glance:
assignee: nobody → Mark Washenberger (markwash)
Changed in glance:
status: Fix Committed → Fix Released
Fix proposed to branch: master
Review: https://review.openstack.org/23898