From 2a51171517de2890d26130225a60901827fdfd51 Mon Sep 17 00:00:00 2001
From: Gabriel Hurley
Date: Mon, 19 Mar 2012 18:49:01 -0700
Subject: [PATCH] Corrects glance image action permissions.
* Admins have full permissions to edit and delete images from syspanel, plus Glance's client returns a proper 403 error instead of 401, so inappropriate access no longer logs the user out inappropriately. Fixes bug 955744.
* Regular users can edit and delete if their tenant owns the image. Fixes bug 950364 and fixes bug 737360. Note, this requires the latest version of Glance.
Change-Id: Ib816d7e6e1320a9024c5dbe95b04249291ec0463
---
 .../nova/images_and_snapshots/images/tables.py | 10 +++++++++-
 horizon/dashboards/syspanel/images/tables.py | 7 ++++++-
 2 files changed, 15 insertions(+), 2 deletions(-)
diff --git a/horizon/dashboards/nova/images_and_snapshots/images/tables.py b/horizon/dashboards/nova/images_and_snapshots/images/tables.py
index 343d24bf6..d93a5ba1a 100644
--- a/horizon/dashboards/nova/images_and_snapshots/images/tables.py
+++ b/horizon/dashboards/nova/images_and_snapshots/images/tables.py
@@ -32,7 +32,8 @@ class DeleteImage(tables.DeleteAction):
 def allowed(self, request, image=None):
 if image:
- return image.owner == request.user.id
+ return image.owner == request.user.tenant_id
+ # Return True to allow table-level bulk delete action to appear.
 return True
 def delete(self, request, obj_id):
@@ -52,6 +53,13 @@ class EditImage(tables.LinkAction):
 url = "horizon:nova:images_and_snapshots:images:update"
 classes = ("ajax-modal", "btn-edit")
+ def allowed(self, request, image=None):
+ if image:
+ return image.owner == request.user.tenant_id
+ # We don't have bulk editing, so if there isn't an image that's
+ # authorized, don't allow the action.
+ return False
+
 def get_image_type(image):
 return getattr(image.properties, "image_type", "Image")
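Review bot: In `DeleteImage.allowed` the new comparison `image.owner == request.user.tenant_id` evaluates true when both sides are `None`, so an image with no recorded owner would show as deletable to a user whose session carries no tenant; whether either value can be `None` here is not visible in the hunk. Failing closed costs one line: `return image.owner is not None and image.owner == request.user.tenant_id`. The same comparison is added in `EditImage.allowed` in the next hunk and needs the same guard. The body of `delete()` lies outside the hunk, so it is not visible whether the bulk path, which `allowed()` admits with `return True`, re-checks ownership for each selected image.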
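Review bot: `EditImage.allowed` only decides whether the edit link is rendered in the table; it is not an access check on the view behind `horizon:nova:images_and_snapshots:images:update`, and nothing in the method says where the real check lives. The commit message relies on Glance answering 403 for a non-owner, so the method should record that, e.g. with a docstring `"""Show the edit link only for images owned by the user's tenant; Glance enforces the actual permission."""`. The ownership test is also now duplicated between this method and `DeleteImage.allowed`; a small module-level helper would keep the two from drifting apart.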
diff --git a/horizon/dashboards/syspanel/images/tables.py b/horizon/dashboards/syspanel/images/tables.py
index 0e8d0a2b2..57bf996a0 100644
--- a/horizon/dashboards/syspanel/images/tables.py
+++ b/horizon/dashboards/syspanel/images/tables.py
@@ -25,9 +25,14 @@ class AdminDeleteImage(DeleteImage):
 return True
+class AdminEditImage(EditImage):
+ def allowed(self, request, image=None):
+ return True
+
+
 class AdminImagesTable(ImagesTable):
 class Meta:
 name = "images"
 verbose_name = _("Images")
 table_actions = (AdminDeleteImage,)
- row_actions = (EditImage, AdminDeleteImage)
+ row_actions = (AdminEditImage, AdminDeleteImage)
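Review bot: `AdminEditImage.allowed` returns `True` unconditionally and carries no comment explaining why that is safe. It appears to depend on the syspanel dashboard itself being restricted to admins and on Glance rejecting the call otherwise, neither of which is visible in this hunk. A one-line comment such as `# Syspanel is admin-only; Glance still enforces the real permission.` would record that assumption next to the override. `AdminDeleteImage.allowed`, which follows the same pattern, begins outside the hunk.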