Updating an image by adding 'visibility' returns a 200 response
Bug #1443512 reported by
Luke Wollney
This bug affects 1 person
Affects | Status | Importance | Assigned to | Milestone | |
---|---|---|---|---|---|
Glance |
In Progress
|
Undecided
|
Yongfeng Du |
Bug Description
Overview:
When a user attempts to update an image by adding 'visibility' as an image property, a 200 response is returned.
Steps to reproduce:
1) Create an image
2) Update the image via PATCH /images/<id> passing '[{"path": "/visibility", "value": "private", "op": "add"}]'
3) Notice that a 200 accepted response is returned
Expected:
A 403 response should be returned
Actual:
A 200 response is returned
Changed in glance: | |
assignee: | nobody → yongfeng (dolpherdu) |
Changed in glance: | |
status: | New → Incomplete |
To post a comment you must log in.
Using the latest devstack, I did some tests on this senario.
1. user demo create an image, the image by default is 'private'
2. issue command to set private, success. (no changes) openstack- images- v2.1-json- patch' -H 'X-Auth-Token: e1b9454607e54f7 4b0439931e469cf 68' -d '[{"op": "add", "path": "/visibility", "value": "private"}]' http:// devstack: 9292/v2/ images/ 3ce7864a- ebb7-426d- afc0-a7d756529a 16
curl -i -X PATCH -H 'Content-Type: application/
3. issue command to set 'public', failed with 403. (No permission to set public)
4. swtich to user admin, change the image property to 'public', success
5. switch back to user demo, change image property to 'private', success.
This behavior is reasonable to me, since demo is the owner of the image, he should have the permission of setting it to 'private'.
Could you clarify your test?
1). the detailed steps and setup of test
2). Why do you think this is a bug? maybe we have misunderstanding of the V2 PATCH method?