Comment 20 for bug 1400966

Nikhil Komawar (nikhil-komawar) wrote : Re: Glance allows users to download and delete any file in glance-api server

The setting of policy to admin only makes sense.

However, there is a risk of backward incompatibility if an existing deployment runs with this assumption (and they knowingly change the policy in adherence to the security issue). Given the nature of the risk, it (admin only policy) seems like a decent trade-off until a cleaner solution is proposed. We'd try to get the better fix sooner in Kilo.

Thanks!