diff --git a/glance/api/middleware/cache.py b/glance/api/middleware/cache.py
index 82e3c0c..31adbe1 100644
--- a/glance/api/middleware/cache.py
+++ b/glance/api/middleware/cache.py
@@ -28,6 +28,7 @@ import re
 import webob
+from glance.api import policy
 from glance.api.common import size_checked_iter
 from glance.api.v1 import images
 from glance.common import exception
@@ -54,9 +55,17 @@ class CacheFilter(wsgi.Middleware):
 def __init__(self, app):
 self.cache = image_cache.ImageCache()
 self.serializer = images.ImageSerializer()
+ self.policy = policy.Enforcer()
 LOG.info(_("Initialized image cache middleware"))
 super(CacheFilter, self).__init__(app)
+ def _enforce(self, req, action):
+ """Authorize an action against our policies"""
+ try:
+ self.policy.enforce(req.context, action, {})
+ except exception.Forbidden:
+ raise webob.exc.HTTPForbidden()
+
 def _verify_metadata(self, image_meta):
 """
 Sanity check the 'deleted' and 'size' metadata values.
@@ -110,6 +119,8 @@ class CacheFilter(wsgi.Middleware):
 if request.method != 'GET' or not self.cache.is_cached(image_id):
 return None
+ self._enforce(request, 'download_image')
+
 LOG.debug(_("Cache hit for image '%s'"), image_id)
 image_iterator = self.get_from_cache(image_id)
 method = getattr(self, '_process_%s_request' % version)
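Review bot: `_enforce` always passes an empty target (`{}`) to `self.policy.enforce`, so a `download_image` rule that refers to attributes of the image has nothing to match against. How the Enforcer treats missing target keys is not visible here, but the cache path may then decide differently from the API layer for the same rule. I would let the caller supply the target, `def _enforce(self, req, action, target=None):` with `self.policy.enforce(req.context, action, target or {})`, and pass the image metadata once it is available. The `except exception.Forbidden` branch also drops the denial silently; a `LOG.debug(_("Policy denied '%s' in cache middleware"), action)` before the `raise` would leave a trace for anyone auditing refused downloads.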
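Review bot: The `download_image` check in the last hunk is reached only after `self.cache.is_cached(image_id)` has returned true. A caller without the permission therefore gets the middleware's bare 403 for a cached image and whatever the downstream application returns for an uncached one; if those responses differ, the difference reveals which images are cached. If that matters, split the guard so the policy decision comes before the cache probe: `if request.method != 'GET': return None`, then `self._enforce(request, 'download_image')`, then `if not self.cache.is_cached(image_id): return None`. At minimum, add a comment such as `# Cached images bypass the API layer, so download policy must be enforced here` above the call to explain why the middleware repeats the check. The enclosing method begins and continues outside this hunk, so any later policy or visibility checks in `_process_%s_request` are not visible from here.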