Comment 0 for bug 1522524

Overview:
This may be a bit cautious to submit as private security however its easy to go from private to public, but harder to do it the other way around.

In glance once an admin has marked a image as deactivated a user can no longer download or delete that image. This is so an image can be inspected by the admins without the user interfering.
However, these restrictions can be avoided specifically allowing a user to delete a deactivated image. Meaning an admin would not be able to guarantee the status of a deactivated image.

What should happen: 403 What does happen: 200

How to reproduce:
1. Create an image.
echo test | glance image-create --name 3 --container-format bare --disk-format raw

2. Deactivate the image.
glance image-deactivate 0630d5e4-6009-4723-94e6-1ad056ab649a

3. Check image is deactivated.
glance image-show 0630d5e4-6009-4723-94e6-1ad056ab649a

4. Using the v1 API delete the image.
curl -X DELETE http://localhost:9292/v1/images/0630d5e4-6009-4723-94e6-1ad056ab649a -H 'X-Auth-token: 108322e43f6346ebadb3c2fb72831913'

5. Image is now gone.
glance image-show 0630d5e4-6009-4723-94e6-1ad056ab649a