diff --git a/glance/api/v2/images.py b/glance/api/v2/images.py index 9c4e08b870..3058f5ff68 100644 --- a/glance/api/v2/images.py +++ b/glance/api/v2/images.py @@ -729,7 +729,7 @@ class ImagesController(object): class RequestDeserializer(wsgi.JSONRequestDeserializer): - _disallowed_properties = ('direct_url', 'self', 'file', 'schema') + _disallowed_properties = ('direct_url', 'self', 'file', 'schema', 'stores') _readonly_properties = ('created_at', 'updated_at', 'status', 'checksum', 'size', 'virtual_size', 'direct_url', 'self', 'file', 'schema', 'id', 'os_hash_algo', diff --git a/glance/tests/unit/v2/test_images_resource.py b/glance/tests/unit/v2/test_images_resource.py index b8a05506e9..375ede8db0 100644 --- a/glance/tests/unit/v2/test_images_resource.py +++ b/glance/tests/unit/v2/test_images_resource.py @@ -4361,6 +4361,13 @@ class TestImagesDeserializerNoAdditionalProperties(test_utils.BaseTestCase): self.assertRaises(webob.exc.HTTPBadRequest, self.deserializer.create, request) + def test_neg_create_with_stores(self): + self.config(allow_additional_image_properties=True) + request = unit_test_utils.get_fake_request() + request.body = jsonutils.dump_as_bytes({'stores': 'test'}) + self.assertRaises(webob.exc.HTTPForbidden, + self.deserializer.create, request) + def test_update(self): request = unit_test_utils.get_fake_request() request.content_type = 'application/openstack-images-v2.1-json-patch' diff --git a/releasenotes/notes/fix_1889676-f8d302fd240c8a57.yaml b/releasenotes/notes/fix_1889676-f8d302fd240c8a57.yaml new file mode 100644 index 0000000000..268b6f23ab --- /dev/null +++ b/releasenotes/notes/fix_1889676-f8d302fd240c8a57.yaml @@ -0,0 +1,6 @@ +--- +fixes: + - | + Bug 1889676_: "stores" can be set as property breaking multistore indication of stores where the images are present + + .. _1889676: https://bugs.launchpad.net/glance/+bug/1889676