)]}'
{"glance/api/v2/image_data.py":[{"author":{"_account_id":4393,"name":"Dan Smith","email":"dms@danplanet.com","username":"danms"},"change_message_id":"a812b2f219997a0d6efc94aaff0021bff33998e5","unresolved":true,"context_lines":[{"line_number":333,"context_line":"            req.context, authorization_layer\u003dFalse)"},{"line_number":334,"context_line":"        # NOTE(abhishekk): stage API call does not have its own policy but"},{"line_number":335,"context_line":"        # it requires get_image access, this is the right place to check"},{"line_number":336,"context_line":"        # whether user has access to image or not"},{"line_number":337,"context_line":"        try:"},{"line_number":338,"context_line":"            image \u003d image_repo.get(image_id)"},{"line_number":339,"context_line":"        except exception.NotFound as e:"}],"source_content_type":"text/x-python","patch_set":3,"id":"1848ffdb_f0ea4c4e","line":336,"updated":"2021-08-16 17:55:15.000000000","message":"Wow, I guess I didn\u0027t realize this. I guess not for the refactor, but we could at least check upload_image here to provide consistency with that operation right? I mean, I could say \"green people can\u0027t upload images\" but that would mean they could stage them right? Or, I guess I can\u0027t even do that because of the db-level enforcement of admin-or-owner, huh?","commit_id":"64bf872e52fcec6b018b5cce87779e546a73ec96"},{"author":{"_account_id":9303,"name":"Abhishek Kekane","email":"akekane@redhat.com","username":"abhishekkekane"},"change_message_id":"08898c5c5bb85031fcdd7990cc64ced9a0ad67a3","unresolved":true,"context_lines":[{"line_number":333,"context_line":"            req.context, authorization_layer\u003dFalse)"},{"line_number":334,"context_line":"        # NOTE(abhishekk): stage API call does not have its own policy but"},{"line_number":335,"context_line":"        # it requires get_image access, this is the right place to check"},{"line_number":336,"context_line":"        # whether user has access to image or not"},{"line_number":337,"context_line":"        try:"},{"line_number":338,"context_line":"            image \u003d image_repo.get(image_id)"},{"line_number":339,"context_line":"        except exception.NotFound as e:"}],"source_content_type":"text/x-python","patch_set":3,"id":"7b8efe12_7dcd45c6","line":336,"in_reply_to":"1848ffdb_f0ea4c4e","updated":"2021-08-16 18:06:14.000000000","message":"yeah, db level is admin or owner, and if we want to check here upload policy then we should do it as a separate patch IMO, what do you say?","commit_id":"64bf872e52fcec6b018b5cce87779e546a73ec96"},{"author":{"_account_id":4393,"name":"Dan Smith","email":"dms@danplanet.com","username":"danms"},"change_message_id":"6ca81b391059c86293d39966a098921161533c92","unresolved":true,"context_lines":[{"line_number":333,"context_line":"            req.context, authorization_layer\u003dFalse)"},{"line_number":334,"context_line":"        # NOTE(abhishekk): stage API call does not have its own policy but"},{"line_number":335,"context_line":"        # it requires get_image access, this is the right place to check"},{"line_number":336,"context_line":"        # whether user has access to image or not"},{"line_number":337,"context_line":"        try:"},{"line_number":338,"context_line":"            image \u003d image_repo.get(image_id)"},{"line_number":339,"context_line":"        except exception.NotFound as e:"}],"source_content_type":"text/x-python","patch_set":3,"id":"86bb6946_74b66cab","line":336,"in_reply_to":"7b8efe12_7dcd45c6","updated":"2021-08-16 18:20:05.000000000","message":"Yep, separate, which is why I said \"not for the refactor.\" :)","commit_id":"64bf872e52fcec6b018b5cce87779e546a73ec96"},{"author":{"_account_id":9303,"name":"Abhishek Kekane","email":"akekane@redhat.com","username":"abhishekkekane"},"change_message_id":"c6accc729105d8b6d1f9afb18ecc8567f515cb66","unresolved":false,"context_lines":[{"line_number":333,"context_line":"            req.context, authorization_layer\u003dFalse)"},{"line_number":334,"context_line":"        # NOTE(abhishekk): stage API call does not have its own policy but"},{"line_number":335,"context_line":"        # it requires get_image access, this is the right place to check"},{"line_number":336,"context_line":"        # whether user has access to image or not"},{"line_number":337,"context_line":"        try:"},{"line_number":338,"context_line":"            image \u003d image_repo.get(image_id)"},{"line_number":339,"context_line":"        except exception.NotFound as e:"}],"source_content_type":"text/x-python","patch_set":3,"id":"6f120c3d_129d1402","line":336,"in_reply_to":"86bb6946_74b66cab","updated":"2021-08-16 22:17:30.000000000","message":"Ack","commit_id":"64bf872e52fcec6b018b5cce87779e546a73ec96"},{"author":{"_account_id":4393,"name":"Dan Smith","email":"dms@danplanet.com","username":"danms"},"change_message_id":"a812b2f219997a0d6efc94aaff0021bff33998e5","unresolved":true,"context_lines":[{"line_number":342,"context_line":"        api_pol \u003d api_policy.ImageAPIPolicy(req.context, image,"},{"line_number":343,"context_line":"                                            enforcer\u003dself.policy)"},{"line_number":344,"context_line":"        try:"},{"line_number":345,"context_line":"            api_pol.modify_image()"},{"line_number":346,"context_line":"        except exception.Forbidden as e:"},{"line_number":347,"context_line":"            # NOTE(abhishekk): This will throw Forbidden if S-RBAC is not"},{"line_number":348,"context_line":"            # enabled"}],"source_content_type":"text/x-python","patch_set":3,"id":"a5404bc9_94646dbf","line":345,"updated":"2021-08-16 17:55:15.000000000","message":"Okay, so this is net-new, but should end up with a policy failure instead of the DB catching it late when we try to modify status, right? Cool.","commit_id":"64bf872e52fcec6b018b5cce87779e546a73ec96"},{"author":{"_account_id":9303,"name":"Abhishek Kekane","email":"akekane@redhat.com","username":"abhishekkekane"},"change_message_id":"08898c5c5bb85031fcdd7990cc64ced9a0ad67a3","unresolved":true,"context_lines":[{"line_number":342,"context_line":"        api_pol \u003d api_policy.ImageAPIPolicy(req.context, image,"},{"line_number":343,"context_line":"                                            enforcer\u003dself.policy)"},{"line_number":344,"context_line":"        try:"},{"line_number":345,"context_line":"            api_pol.modify_image()"},{"line_number":346,"context_line":"        except exception.Forbidden as e:"},{"line_number":347,"context_line":"            # NOTE(abhishekk): This will throw Forbidden if S-RBAC is not"},{"line_number":348,"context_line":"            # enabled"}],"source_content_type":"text/x-python","patch_set":3,"id":"bd1d624a_b5fba499","line":345,"in_reply_to":"a5404bc9_94646dbf","updated":"2021-08-16 18:06:14.000000000","message":"Correct!","commit_id":"64bf872e52fcec6b018b5cce87779e546a73ec96"},{"author":{"_account_id":4393,"name":"Dan Smith","email":"dms@danplanet.com","username":"danms"},"change_message_id":"0cb82c990898ca7eb02fc86eddae9e813f804d3c","unresolved":true,"context_lines":[{"line_number":345,"context_line":"            api_pol.modify_image()"},{"line_number":346,"context_line":"        except exception.Forbidden as e:"},{"line_number":347,"context_line":"            # NOTE(abhishekk): This will throw Forbidden if S-RBAC is not"},{"line_number":348,"context_line":"            # enabled"},{"line_number":349,"context_line":"            raise webob.exc.HTTPForbidden(explanation\u003de.msg)"},{"line_number":350,"context_line":""},{"line_number":351,"context_line":"        # NOTE(jokke): this is horrible way to do it but as long as"}],"source_content_type":"text/x-python","patch_set":7,"id":"26439723_b2d42a19","line":348,"updated":"2021-08-20 16:33:14.000000000","message":"This tripped me up a bit at first, but if secure-rbac is enabled, we\u0027ll get the \"not found if you can\u0027t see this, else forbidden\" behavior. This exception handler is just to cover the \"forbidden because not admin-or-owner\" legacy check.","commit_id":"fa6f871e2031505ccb420dc436f293815b87088c"}],"glance/api/v2/policy.py":[{"author":{"_account_id":4393,"name":"Dan Smith","email":"dms@danplanet.com","username":"danms"},"change_message_id":"a812b2f219997a0d6efc94aaff0021bff33998e5","unresolved":true,"context_lines":[{"line_number":128,"context_line":"            # so check that first, followed by the general"},{"line_number":129,"context_line":"            # modify_image policy below."},{"line_number":130,"context_line":"            self._enforce_visibility(value)"},{"line_number":131,"context_line":"        self._enforce(\u0027modify_image\u0027)"},{"line_number":132,"context_line":""},{"line_number":133,"context_line":"    def update_locations(self):"},{"line_number":134,"context_line":"        self._enforce(\u0027set_image_location\u0027)"}],"source_content_type":"text/x-python","patch_set":3,"id":"8d1dbc75_526b8dc5","line":131,"updated":"2021-08-16 17:55:15.000000000","message":"Should probably make this call self.modify_image() right?","commit_id":"64bf872e52fcec6b018b5cce87779e546a73ec96"},{"author":{"_account_id":9303,"name":"Abhishek Kekane","email":"akekane@redhat.com","username":"abhishekkekane"},"change_message_id":"08898c5c5bb85031fcdd7990cc64ced9a0ad67a3","unresolved":false,"context_lines":[{"line_number":128,"context_line":"            # so check that first, followed by the general"},{"line_number":129,"context_line":"            # modify_image policy below."},{"line_number":130,"context_line":"            self._enforce_visibility(value)"},{"line_number":131,"context_line":"        self._enforce(\u0027modify_image\u0027)"},{"line_number":132,"context_line":""},{"line_number":133,"context_line":"    def update_locations(self):"},{"line_number":134,"context_line":"        self._enforce(\u0027set_image_location\u0027)"}],"source_content_type":"text/x-python","patch_set":3,"id":"4d19bd43_1f2516db","line":131,"in_reply_to":"8d1dbc75_526b8dc5","updated":"2021-08-16 18:06:14.000000000","message":"Ack","commit_id":"64bf872e52fcec6b018b5cce87779e546a73ec96"}],"glance/tests/functional/v2/test_images_api_policy.py":[{"author":{"_account_id":4393,"name":"Dan Smith","email":"dms@danplanet.com","username":"danms"},"change_message_id":"a812b2f219997a0d6efc94aaff0021bff33998e5","unresolved":true,"context_lines":[{"line_number":375,"context_line":"        self._create_and_stage(expected_code\u003d404)"},{"line_number":376,"context_line":""},{"line_number":377,"context_line":"        # create shared visibility image and stage by 2nd project should"},{"line_number":378,"context_line":"        # return 404"},{"line_number":379,"context_line":"        self.set_policy_rules({"},{"line_number":380,"context_line":"            \u0027get_image\u0027: \u0027\u0027,"},{"line_number":381,"context_line":"            \u0027modify_image\u0027: \u0027!\u0027,"}],"source_content_type":"text/x-python","patch_set":3,"id":"d3bae766_cacb709e","line":378,"updated":"2021-08-16 17:55:15.000000000","message":"Might be good to add \"...until it is actually shared with that project.\" I read this assuming the share, which should be 403 and saw below that you were asserting 403, but after the share.","commit_id":"64bf872e52fcec6b018b5cce87779e546a73ec96"},{"author":{"_account_id":9303,"name":"Abhishek Kekane","email":"akekane@redhat.com","username":"abhishekkekane"},"change_message_id":"08898c5c5bb85031fcdd7990cc64ced9a0ad67a3","unresolved":false,"context_lines":[{"line_number":375,"context_line":"        self._create_and_stage(expected_code\u003d404)"},{"line_number":376,"context_line":""},{"line_number":377,"context_line":"        # create shared visibility image and stage by 2nd project should"},{"line_number":378,"context_line":"        # return 404"},{"line_number":379,"context_line":"        self.set_policy_rules({"},{"line_number":380,"context_line":"            \u0027get_image\u0027: \u0027\u0027,"},{"line_number":381,"context_line":"            \u0027modify_image\u0027: \u0027!\u0027,"}],"source_content_type":"text/x-python","patch_set":3,"id":"4e2df42e_20259e83","line":378,"in_reply_to":"d3bae766_cacb709e","updated":"2021-08-16 18:06:14.000000000","message":"Ack","commit_id":"64bf872e52fcec6b018b5cce87779e546a73ec96"},{"author":{"_account_id":5046,"name":"Lance Bragstad","email":"lbragstad@redhat.com","username":"ldbragst"},"change_message_id":"d722913ee227aa2f2304bfa6ab1e22d0e964359e","unresolved":true,"context_lines":[{"line_number":348,"context_line":"        # First make sure we can perform staging operation"},{"line_number":349,"context_line":"        self._create_and_stage(expected_code\u003d204)"},{"line_number":350,"context_line":""},{"line_number":351,"context_line":"        # Now disable get_image permissions, but allow mofify_image"},{"line_number":352,"context_line":"        # should return 204 as well, means even if we can not see"},{"line_number":353,"context_line":"        # image details, we can stage data for it."},{"line_number":354,"context_line":"        self.set_policy_rules({"}],"source_content_type":"text/x-python","patch_set":4,"id":"b04bcf18_0d7c21b4","line":351,"range":{"start_line":351,"start_character":55,"end_line":351,"end_character":61},"updated":"2021-08-16 21:23:58.000000000","message":"modify*","commit_id":"7c6cc5f9a869cea8a88823d39f37c1dde4f3ff1b"},{"author":{"_account_id":5046,"name":"Lance Bragstad","email":"lbragstad@redhat.com","username":"ldbragst"},"change_message_id":"9a51e818f8c2e238417ddbc42acc65bc0689ea75","unresolved":false,"context_lines":[{"line_number":348,"context_line":"        # First make sure we can perform staging operation"},{"line_number":349,"context_line":"        self._create_and_stage(expected_code\u003d204)"},{"line_number":350,"context_line":""},{"line_number":351,"context_line":"        # Now disable get_image permissions, but allow mofify_image"},{"line_number":352,"context_line":"        # should return 204 as well, means even if we can not see"},{"line_number":353,"context_line":"        # image details, we can stage data for it."},{"line_number":354,"context_line":"        self.set_policy_rules({"}],"source_content_type":"text/x-python","patch_set":4,"id":"abf85e90_5414611e","line":351,"range":{"start_line":351,"start_character":55,"end_line":351,"end_character":61},"in_reply_to":"063d1ea6_3e42f464","updated":"2021-08-17 21:34:57.000000000","message":"Ack","commit_id":"7c6cc5f9a869cea8a88823d39f37c1dde4f3ff1b"},{"author":{"_account_id":9303,"name":"Abhishek Kekane","email":"akekane@redhat.com","username":"abhishekkekane"},"change_message_id":"c6accc729105d8b6d1f9afb18ecc8567f515cb66","unresolved":true,"context_lines":[{"line_number":348,"context_line":"        # First make sure we can perform staging operation"},{"line_number":349,"context_line":"        self._create_and_stage(expected_code\u003d204)"},{"line_number":350,"context_line":""},{"line_number":351,"context_line":"        # Now disable get_image permissions, but allow mofify_image"},{"line_number":352,"context_line":"        # should return 204 as well, means even if we can not see"},{"line_number":353,"context_line":"        # image details, we can stage data for it."},{"line_number":354,"context_line":"        self.set_policy_rules({"}],"source_content_type":"text/x-python","patch_set":4,"id":"063d1ea6_3e42f464","line":351,"range":{"start_line":351,"start_character":55,"end_line":351,"end_character":61},"in_reply_to":"b04bcf18_0d7c21b4","updated":"2021-08-16 22:17:30.000000000","message":":( will fix it if new PS is required otherwise, will propose quick follwoup","commit_id":"7c6cc5f9a869cea8a88823d39f37c1dde4f3ff1b"},{"author":{"_account_id":5046,"name":"Lance Bragstad","email":"lbragstad@redhat.com","username":"ldbragst"},"change_message_id":"d722913ee227aa2f2304bfa6ab1e22d0e964359e","unresolved":true,"context_lines":[{"line_number":391,"context_line":"        image \u003d resp.json"},{"line_number":392,"context_line":"        # Now stage data using another project details"},{"line_number":393,"context_line":"        headers \u003d self._headers({"},{"line_number":394,"context_line":"            \u0027X-Tenant-Id\u0027: \u0027fake-tenant-id\u0027,"},{"line_number":395,"context_line":"            \u0027Content-Type\u0027: \u0027application/octet-stream\u0027"},{"line_number":396,"context_line":"        })"},{"line_number":397,"context_line":"        resp \u003d self.api_put("}],"source_content_type":"text/x-python","patch_set":4,"id":"dfb46185_e0950c11","line":394,"range":{"start_line":394,"start_character":15,"end_line":394,"end_character":21},"updated":"2021-08-16 21:23:58.000000000","message":"nit: I think we can use Project-Id here, but that\u0027s probably a sweeping change we can make later.","commit_id":"7c6cc5f9a869cea8a88823d39f37c1dde4f3ff1b"},{"author":{"_account_id":5046,"name":"Lance Bragstad","email":"lbragstad@redhat.com","username":"ldbragst"},"change_message_id":"9a51e818f8c2e238417ddbc42acc65bc0689ea75","unresolved":false,"context_lines":[{"line_number":391,"context_line":"        image \u003d resp.json"},{"line_number":392,"context_line":"        # Now stage data using another project details"},{"line_number":393,"context_line":"        headers \u003d self._headers({"},{"line_number":394,"context_line":"            \u0027X-Tenant-Id\u0027: \u0027fake-tenant-id\u0027,"},{"line_number":395,"context_line":"            \u0027Content-Type\u0027: \u0027application/octet-stream\u0027"},{"line_number":396,"context_line":"        })"},{"line_number":397,"context_line":"        resp \u003d self.api_put("}],"source_content_type":"text/x-python","patch_set":4,"id":"106f6817_b1f5cd5f","line":394,"range":{"start_line":394,"start_character":15,"end_line":394,"end_character":21},"in_reply_to":"a18e42e7_43df078a","updated":"2021-08-17 21:34:57.000000000","message":"Ack","commit_id":"7c6cc5f9a869cea8a88823d39f37c1dde4f3ff1b"},{"author":{"_account_id":9303,"name":"Abhishek Kekane","email":"akekane@redhat.com","username":"abhishekkekane"},"change_message_id":"c6accc729105d8b6d1f9afb18ecc8567f515cb66","unresolved":true,"context_lines":[{"line_number":391,"context_line":"        image \u003d resp.json"},{"line_number":392,"context_line":"        # Now stage data using another project details"},{"line_number":393,"context_line":"        headers \u003d self._headers({"},{"line_number":394,"context_line":"            \u0027X-Tenant-Id\u0027: \u0027fake-tenant-id\u0027,"},{"line_number":395,"context_line":"            \u0027Content-Type\u0027: \u0027application/octet-stream\u0027"},{"line_number":396,"context_line":"        })"},{"line_number":397,"context_line":"        resp \u003d self.api_put("}],"source_content_type":"text/x-python","patch_set":4,"id":"a18e42e7_43df078a","line":394,"range":{"start_line":394,"start_character":15,"end_line":394,"end_character":21},"in_reply_to":"dfb46185_e0950c11","updated":"2021-08-16 22:17:30.000000000","message":"Yes, I have added in my todo list (to change all at once).","commit_id":"7c6cc5f9a869cea8a88823d39f37c1dde4f3ff1b"},{"author":{"_account_id":5046,"name":"Lance Bragstad","email":"lbragstad@redhat.com","username":"ldbragst"},"change_message_id":"d722913ee227aa2f2304bfa6ab1e22d0e964359e","unresolved":true,"context_lines":[{"line_number":421,"context_line":"            \u0027/v2/images/%s/stage\u0027 % image[\u0027id\u0027],"},{"line_number":422,"context_line":"            headers\u003dheaders,"},{"line_number":423,"context_line":"            data\u003db\u0027IMAGEDATA\u0027)"},{"line_number":424,"context_line":"        self.assertEqual(403, resp.status_code)"}],"source_content_type":"text/x-python","patch_set":4,"id":"12e5bf44_4f4eef0b","line":424,"updated":"2021-08-16 21:23:58.000000000","message":"Ok - so just for my own understanding, this is testing that even though an image is shared with another project, no one from that project can stage data to it because they aren\u0027t the owners of the image, right?","commit_id":"7c6cc5f9a869cea8a88823d39f37c1dde4f3ff1b"},{"author":{"_account_id":9303,"name":"Abhishek Kekane","email":"akekane@redhat.com","username":"abhishekkekane"},"change_message_id":"c6accc729105d8b6d1f9afb18ecc8567f515cb66","unresolved":true,"context_lines":[{"line_number":421,"context_line":"            \u0027/v2/images/%s/stage\u0027 % image[\u0027id\u0027],"},{"line_number":422,"context_line":"            headers\u003dheaders,"},{"line_number":423,"context_line":"            data\u003db\u0027IMAGEDATA\u0027)"},{"line_number":424,"context_line":"        self.assertEqual(403, resp.status_code)"}],"source_content_type":"text/x-python","patch_set":4,"id":"835415bd_b693c6e3","line":424,"in_reply_to":"12e5bf44_4f4eef0b","updated":"2021-08-16 22:17:30.000000000","message":"Correct","commit_id":"7c6cc5f9a869cea8a88823d39f37c1dde4f3ff1b"},{"author":{"_account_id":5046,"name":"Lance Bragstad","email":"lbragstad@redhat.com","username":"ldbragst"},"change_message_id":"9a51e818f8c2e238417ddbc42acc65bc0689ea75","unresolved":false,"context_lines":[{"line_number":421,"context_line":"            \u0027/v2/images/%s/stage\u0027 % image[\u0027id\u0027],"},{"line_number":422,"context_line":"            headers\u003dheaders,"},{"line_number":423,"context_line":"            data\u003db\u0027IMAGEDATA\u0027)"},{"line_number":424,"context_line":"        self.assertEqual(403, resp.status_code)"}],"source_content_type":"text/x-python","patch_set":4,"id":"ce149842_3116fdbd","line":424,"in_reply_to":"835415bd_b693c6e3","updated":"2021-08-17 21:34:57.000000000","message":"Ack","commit_id":"7c6cc5f9a869cea8a88823d39f37c1dde4f3ff1b"}]}