Comment 3 for bug 1502136

As stated in related bug:
Image location output on the image detail APIs is controlled by these Glance CONF settings CONF.show_multiple_location and CONF.show_image_direct_url. By default, both of them are False so the location would not be getting returned anyway, so there would be no need to do the policy check in this particular case.
So it seems that Forbidden in case of image-show is correct for now (but i think just removing the locations from output would be more correct here).
Proceeding with analysis.