Comment 6 for bug 1065187
Revision history for this message
| Mark Washenberger (markwash) wrote Re: Non-admin users can cause public glance images to be deleted from the backend storage repository | #6 |
© 2004
Canonical Ltd.
•
Terms of use
•
Data privacy
•
Contact Launchpad Support
•
Blog
•
Careers
•
System status
•
73416ba
(Get the code!)
I think I can help fill in the gaps.
Images have an attribute called "protected" which, if true, prevents them from being deleted. Since modifying protected to set it to False does have the appropriate authorization checks, protected images cannot be deleted from the backend storage in this way.
If a user submits a delete to an image they can see (but shouldn't be able to delete), they indeed *always* cause the image data to be deleted from the backend store unless the image has protected == True.