Make sure users can't remove their account quotas

Protect X-Remove-Account-Meta-Quota-Bytes same as X-Account-Meta-Quota-Bytes

Fixes bug 1204110

Change-Id: Ibac5b555f50b1fe41b2999c0d5776d90f9c9f3d1

.gitignore

@@ -1,5 +1,6 @@
 *.py[co]
 *.sw?
+*~
 doc/build/*
 dist
 build

swift/common/middleware/account_quotas.py

@@ -73,6 +73,9 @@ class AccountQuotaMiddleware(object):
             return self.app
 
         new_quota = request.headers.get('X-Account-Meta-Quota-Bytes')
+        remove_quota = request.headers.get('X-Remove-Account-Meta-Quota-Bytes')
+        if remove_quota:
+            new_quota = 0    # X-Remove dominates if both are present
 
         if request.environ.get('reseller_request') is True:
             if new_quota and not new_quota.isdigit():

test/unit/common/middleware/test_account_quotas.py

@@ -180,6 +180,17 @@ class TestAccountQuota(unittest.TestCase):
         res = req.get_response(app)
         self.assertEquals(res.status_int, 403)
 
+    def test_delete_quotas_with_remove_header(self):
+        headers = [('x-account-bytes-used', '0'), ]
+        app = account_quotas.AccountQuotaMiddleware(FakeApp(headers))
+        cache = FakeCache(None)
+        req = Request.blank('/v1/a/c', environ={
+                'REQUEST_METHOD': 'POST',
+                'swift.cache': cache,
+                'HTTP_X_REMOVE_ACCOUNT_META_QUOTA_BYTES': 'True'})
+        res = req.get_response(app)
+        self.assertEquals(res.status_int, 403)
+
     def test_delete_quotas_reseller(self):
         headers = [('x-account-bytes-used', '0'), ]
         app = account_quotas.AccountQuotaMiddleware(FakeApp(headers))
@@ -190,6 +201,18 @@ class TestAccountQuota(unittest.TestCase):
         res = req.get_response(app)
         self.assertEquals(res.status_int, 200)
 
+    def test_delete_quotas_with_remove_header_reseller(self):
+        headers = [('x-account-bytes-used', '0'), ]
+        app = account_quotas.AccountQuotaMiddleware(FakeApp(headers))
+        cache = FakeCache(None)
+        req = Request.blank('/v1/a/c', environ={
+                'REQUEST_METHOD': 'POST',
+                'swift.cache': cache,
+                'HTTP_X_REMOVE_ACCOUNT_META_QUOTA_BYTES': 'True',
+                'reseller_request': True})
+        res = req.get_response(app)
+        self.assertEquals(res.status_int, 200)
+
     def test_invalid_request_exception(self):
         headers = [('x-account-bytes-used', '1000'), ]
         app = account_quotas.AccountQuotaMiddleware(FakeApp(headers))