Corrects glance image action permissions.

* Admins have full permissions to edit and delete images
    from syspanel, plus Glance's client returns a proper
    403 error instead of 401, so inappropriate access no longer
    logs the user out inappropriately. Fixes bug 955744.
  * Regular users can edit and delete if their tenant owns the
    image. Fixes bug 950364 and fixes bug 737360.

Note, this requires the latest version of Glance.

Change-Id: Ib816d7e6e1320a9024c5dbe95b04249291ec0463

horizon/dashboards/nova/images_and_snapshots/images/tables.py

@@ -32,7 +32,8 @@ class DeleteImage(tables.DeleteAction):
 
     def allowed(self, request, image=None):
         if image:
-            return image.owner == request.user.id
+            return image.owner == request.user.tenant_id
+        # Return True to allow table-level bulk delete action to appear.
         return True
 
     def delete(self, request, obj_id):
@@ -52,6 +53,13 @@ class EditImage(tables.LinkAction):
     url = "horizon:nova:images_and_snapshots:images:update"
     classes = ("ajax-modal", "btn-edit")
 
+    def allowed(self, request, image=None):
+        if image:
+            return image.owner == request.user.tenant_id
+        # We don't have bulk editing, so if there isn't an image that's
+        # authorized, don't allow the action.
+        return False
+
 
 def get_image_type(image):
     return getattr(image.properties, "image_type", "Image")

horizon/dashboards/syspanel/images/tables.py

@@ -25,9 +25,14 @@ class AdminDeleteImage(DeleteImage):
         return True
 
 
+class AdminEditImage(EditImage):
+    def allowed(self, request, image=None):
+        return True
+
+
 class AdminImagesTable(ImagesTable):
     class Meta:
         name = "images"
         verbose_name = _("Images")
         table_actions = (AdminDeleteImage,)
-        row_actions = (EditImage, AdminDeleteImage)
+        row_actions = (AdminEditImage, AdminDeleteImage)