As stated in related bug:
Image location output on the image detail APIs is controlled by these Glance CONF settings CONF.show_multiple_location and CONF.show_image_direct_url. By default, both of them are False so the location would not be getting returned anyway, so there would be no need to do the policy check in this particular case.
So it seems that Forbidden in case of image-show is correct for now (but i think just removing the locations from output would be more correct here).
Proceeding with analysis.
As stated in related bug: multiple_ location and CONF.show_ image_direct_ url. By default, both of them are False so the location would not be getting returned anyway, so there would be no need to do the policy check in this particular case.
Image location output on the image detail APIs is controlled by these Glance CONF settings CONF.show_
So it seems that Forbidden in case of image-show is correct for now (but i think just removing the locations from output would be more correct here).
Proceeding with analysis.