)]}'
{"/PATCHSET_LEVEL":[{"author":{"_account_id":4393,"name":"Dan Smith","email":"dms@danplanet.com","username":"danms"},"change_message_id":"e38c2c120674b97ca84bdb9b0165a36894cede62","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":5,"id":"97dede1d_1c7521cf","updated":"2021-10-11 13:51:51.000000000","message":"I thought the bug traffic indicated that this was to be abandoned and not pursued?\n\nEven still, preventing delete of something someone owns is not really a good API practice, IMHO. If we can check for in-use in the admin case (as the bug claims) then we should do that here as well and not just block deletion based on the state, IMHO. It also requires humans to enforce the correctness of the system, which is something the computers should do.","commit_id":"2a6e6d5b8768c3354ec0f6adead950fe5a248ffa"},{"author":{"_account_id":29074,"name":"Felix Huettner","email":"felix.huettner@digits.schwarz","username":"felix.huettner"},"change_message_id":"8209e64913f56f046990cd4257d0652e74af3c07","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":5,"id":"a5d55569_d573116e","updated":"2021-10-11 12:54:45.000000000","message":"rebased on master and updated hopefully correctly to policy v2","commit_id":"2a6e6d5b8768c3354ec0f6adead950fe5a248ffa"},{"author":{"_account_id":29074,"name":"Felix Huettner","email":"felix.huettner@digits.schwarz","username":"felix.huettner"},"change_message_id":"63e20c789e81cde7964358480d54ef84b03120a2","unresolved":true,"context_lines":[],"source_content_type":"","patch_set":5,"id":"6c5a5992_adff77bf","in_reply_to":"97dede1d_1c7521cf","updated":"2021-11-03 08:22:15.000000000","message":"I only abandoned the original change (https://review.opendev.org/c/openstack/glance/+/772872) after the feedback in the launchpad issue.\n\nI have now combined the two approaches. So that:\n1. If you are allowed to delete disabled images the deletion works as it should\n2. There is a separate policy `delete_image_deactivated` that per default only allows admins to delete disabled images","commit_id":"2a6e6d5b8768c3354ec0f6adead950fe5a248ffa"},{"author":{"_account_id":29074,"name":"Felix Huettner","email":"felix.huettner@digits.schwarz","username":"felix.huettner"},"change_message_id":"63e20c789e81cde7964358480d54ef84b03120a2","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":6,"id":"e2b1eadf_c26bcfac","updated":"2021-11-03 08:22:15.000000000","message":"Thank you for the feedback. And sorry for taking so long to respond.\n\nThe change now fixes the original behaviour of missing the deletion of backend locations during the image deletion.\nIt also introduces a new policy to restrict the deletion of disabled images","commit_id":"2c81fdc5a021e76338009e41883d7026e5442bbd"},{"author":{"_account_id":29074,"name":"Felix Huettner","email":"felix.huettner@digits.schwarz","username":"felix.huettner"},"change_message_id":"5e3310709654203155d192b8a91903073fe47644","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":6,"id":"7c45b803_5cdaeea0","updated":"2021-11-03 09:52:13.000000000","message":"recheck","commit_id":"2c81fdc5a021e76338009e41883d7026e5442bbd"},{"author":{"_account_id":29074,"name":"Felix Huettner","email":"felix.huettner@digits.schwarz","username":"felix.huettner"},"change_message_id":"7d1378dd0c9aa71c22286b87d5b057d1f3db4d27","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":7,"id":"3af87398_5c835e13","updated":"2022-04-05 07:43:46.000000000","message":"recheck","commit_id":"4be1694cfd5d32c770bc53857a87128081fb3f69"}],"glance/api/policy.py":[{"author":{"_account_id":4393,"name":"Dan Smith","email":"dms@danplanet.com","username":"danms"},"change_message_id":"e38c2c120674b97ca84bdb9b0165a36894cede62","unresolved":true,"context_lines":[{"line_number":255,"context_line":"        target \u003d dict(self.target)"},{"line_number":256,"context_line":"        self.policy.enforce(self.context, \u0027delete_image\u0027, target)"},{"line_number":257,"context_line":"        if self.image.status \u003d\u003d \u0027deactivated\u0027 and not self.context.is_admin:"},{"line_number":258,"context_line":"            raise exception.Forbidden()"},{"line_number":259,"context_line":"        return self.image.delete()"},{"line_number":260,"context_line":""},{"line_number":261,"context_line":"    def deactivate(self):"}],"source_content_type":"text/x-python","patch_set":5,"id":"ea0ec875_7168790a","line":258,"updated":"2021-10-11 13:51:51.000000000","message":"I think this is probably not the way we should do this now, as it isn\u0027t really compatible with a flexible policy system.\n\nSince we above provider the target (image) to the policy enforcement, I think changing the rule to require the admin role by default in order to delete deactivated images would be the better option.","commit_id":"2a6e6d5b8768c3354ec0f6adead950fe5a248ffa"},{"author":{"_account_id":29074,"name":"Felix Huettner","email":"felix.huettner@digits.schwarz","username":"felix.huettner"},"change_message_id":"63e20c789e81cde7964358480d54ef84b03120a2","unresolved":true,"context_lines":[{"line_number":255,"context_line":"        target \u003d dict(self.target)"},{"line_number":256,"context_line":"        self.policy.enforce(self.context, \u0027delete_image\u0027, target)"},{"line_number":257,"context_line":"        if self.image.status \u003d\u003d \u0027deactivated\u0027 and not self.context.is_admin:"},{"line_number":258,"context_line":"            raise exception.Forbidden()"},{"line_number":259,"context_line":"        return self.image.delete()"},{"line_number":260,"context_line":""},{"line_number":261,"context_line":"    def deactivate(self):"}],"source_content_type":"text/x-python","patch_set":5,"id":"662b7ec0_26f54dd2","line":258,"in_reply_to":"ea0ec875_7168790a","updated":"2021-11-03 08:22:15.000000000","message":"Thanks for the feedback. I have added the policy `delete_image_deactivated` to address this","commit_id":"2a6e6d5b8768c3354ec0f6adead950fe5a248ffa"}],"glance/tests/unit/test_policy.py":[{"author":{"_account_id":8122,"name":"Cyril Roelandt","email":"cyril@redhat.com","username":"cyril.roelandt.enovance"},"change_message_id":"5b5769dfff8e6006327b4bdfb1f2a13259a3683c","unresolved":true,"context_lines":[{"line_number":523,"context_line":"        image \u003d glance.api.policy.ImageProxy(image_stub, context, self.policy)"},{"line_number":524,"context_line":"        self.assertRaises(exception.Forbidden, image.delete)"},{"line_number":525,"context_line":"        self.assertEqual(\u0027deactivated\u0027, image.status)"},{"line_number":526,"context_line":""},{"line_number":527,"context_line":"    def test_get_image_not_allowed(self):"},{"line_number":528,"context_line":"        self.policy.enforce.side_effect \u003d exception.Forbidden"},{"line_number":529,"context_line":"        image_target \u003d IterableMock()"}],"source_content_type":"text/x-python","patch_set":3,"id":"08727c13_7c3b69b3","line":526,"range":{"start_line":526,"start_character":0,"end_line":526,"end_character":0},"updated":"2021-03-17 21:29:51.000000000","message":"Could we also have \"test_delete_deactivated_image_allowed\"? I see no test that makes sure a deactivated image can be deleted, and it would be nice to make sure we never break this behaviour in the future.","commit_id":"3fa986779d0089f841fa14c440e2d3538203b532"},{"author":{"_account_id":29074,"name":"Felix Huettner","email":"felix.huettner@digits.schwarz","username":"felix.huettner"},"change_message_id":"8209e64913f56f046990cd4257d0652e74af3c07","unresolved":false,"context_lines":[{"line_number":523,"context_line":"        image \u003d glance.api.policy.ImageProxy(image_stub, context, self.policy)"},{"line_number":524,"context_line":"        self.assertRaises(exception.Forbidden, image.delete)"},{"line_number":525,"context_line":"        self.assertEqual(\u0027deactivated\u0027, image.status)"},{"line_number":526,"context_line":""},{"line_number":527,"context_line":"    def test_get_image_not_allowed(self):"},{"line_number":528,"context_line":"        self.policy.enforce.side_effect \u003d exception.Forbidden"},{"line_number":529,"context_line":"        image_target \u003d IterableMock()"}],"source_content_type":"text/x-python","patch_set":3,"id":"318873e0_7235c63e","line":526,"range":{"start_line":526,"start_character":0,"end_line":526,"end_character":0},"in_reply_to":"08727c13_7c3b69b3","updated":"2021-10-11 12:54:45.000000000","message":"Done","commit_id":"3fa986779d0089f841fa14c440e2d3538203b532"}],"glance/tests/unit/v2/test_images_resource.py":[{"author":{"_account_id":8122,"name":"Cyril Roelandt","email":"cyril@redhat.com","username":"cyril.roelandt.enovance"},"change_message_id":"5b5769dfff8e6006327b4bdfb1f2a13259a3683c","unresolved":true,"context_lines":[{"line_number":3024,"context_line":"        self.assertRaises(webob.exc.HTTPForbidden,"},{"line_number":3025,"context_line":"                          self.controller.delete,"},{"line_number":3026,"context_line":"                          request, UUID1)"},{"line_number":3027,"context_line":""},{"line_number":3028,"context_line":"    @mock.patch.object(store, \u0027get_store_from_store_identifier\u0027)"},{"line_number":3029,"context_line":"    @mock.patch.object(store.location, \u0027get_location_from_uri_and_backend\u0027)"},{"line_number":3030,"context_line":"    @mock.patch.object(store_utils, \u0027get_dir_separator\u0027)"}],"source_content_type":"text/x-python","patch_set":3,"id":"9b860a40_c4d2bb94","line":3027,"range":{"start_line":3027,"start_character":0,"end_line":3027,"end_character":0},"updated":"2021-03-17 21:29:51.000000000","message":"Ditto","commit_id":"3fa986779d0089f841fa14c440e2d3538203b532"},{"author":{"_account_id":29074,"name":"Felix Huettner","email":"felix.huettner@digits.schwarz","username":"felix.huettner"},"change_message_id":"8209e64913f56f046990cd4257d0652e74af3c07","unresolved":false,"context_lines":[{"line_number":3024,"context_line":"        self.assertRaises(webob.exc.HTTPForbidden,"},{"line_number":3025,"context_line":"                          self.controller.delete,"},{"line_number":3026,"context_line":"                          request, UUID1)"},{"line_number":3027,"context_line":""},{"line_number":3028,"context_line":"    @mock.patch.object(store, \u0027get_store_from_store_identifier\u0027)"},{"line_number":3029,"context_line":"    @mock.patch.object(store.location, \u0027get_location_from_uri_and_backend\u0027)"},{"line_number":3030,"context_line":"    @mock.patch.object(store_utils, \u0027get_dir_separator\u0027)"}],"source_content_type":"text/x-python","patch_set":3,"id":"4c63fdcb_2b40620b","line":3027,"range":{"start_line":3027,"start_character":0,"end_line":3027,"end_character":0},"in_reply_to":"9b860a40_c4d2bb94","updated":"2021-10-11 12:54:45.000000000","message":"Done","commit_id":"3fa986779d0089f841fa14c440e2d3538203b532"}]}