Corrects glance image action permissions.
* Admins have full permissions to edit and delete images from syspanel, plus Glance's client returns a proper 403 error instead of 401, so inappropriate access no longer logs the user out inappropriately. Fixes bug 955744. * Regular users can edit and delete if their tenant owns the image. Fixes bug 950364 and fixes bug 737360. Note, this requires the latest version of Glance. Change-Id: Ib816d7e6e1320a9024c5dbe95b04249291ec0463
This commit is contained in:
parent
28deef6c58
commit
2a51171517
@ -32,7 +32,8 @@ class DeleteImage(tables.DeleteAction):
|
||||
|
||||
def allowed(self, request, image=None):
|
||||
if image:
|
||||
return image.owner == request.user.id
|
||||
return image.owner == request.user.tenant_id
|
||||
# Return True to allow table-level bulk delete action to appear.
|
||||
return True
|
||||
|
||||
def delete(self, request, obj_id):
|
||||
@ -52,6 +53,13 @@ class EditImage(tables.LinkAction):
|
||||
url = "horizon:nova:images_and_snapshots:images:update"
|
||||
classes = ("ajax-modal", "btn-edit")
|
||||
|
||||
def allowed(self, request, image=None):
|
||||
if image:
|
||||
return image.owner == request.user.tenant_id
|
||||
# We don't have bulk editing, so if there isn't an image that's
|
||||
# authorized, don't allow the action.
|
||||
return False
|
||||
|
||||
|
||||
def get_image_type(image):
|
||||
return getattr(image.properties, "image_type", "Image")
|
||||
|
@ -25,9 +25,14 @@ class AdminDeleteImage(DeleteImage):
|
||||
return True
|
||||
|
||||
|
||||
class AdminEditImage(EditImage):
|
||||
def allowed(self, request, image=None):
|
||||
return True
|
||||
|
||||
|
||||
class AdminImagesTable(ImagesTable):
|
||||
class Meta:
|
||||
name = "images"
|
||||
verbose_name = _("Images")
|
||||
table_actions = (AdminDeleteImage,)
|
||||
row_actions = (EditImage, AdminDeleteImage)
|
||||
row_actions = (AdminEditImage, AdminDeleteImage)
|
||||
|
Loading…
x
Reference in New Issue
Block a user