Merge "Fix access by admin users to resources in different projects"

This commit is contained in:
Zuul 2024-03-12 02:56:46 +00:00 committed by Gerrit Code Review
commit 30a1ca1137


@ -29,9 +29,15 @@ def registered_policy_enforce(handler):
""" """
@functools.wraps(handler) @functools.wraps(handler)
def handle_stack_method(controller, req, tenant_id, **kwargs): def handle_stack_method(controller, req, tenant_id, **kwargs):
# NOTE(tkajinam): Heat uses stack owner's project id in redirect URI.
# So admin might be redirected to different project id when accessing
# resources in a different project. Use project id in context to
# bypass project_id check, because admin should have access to all
# projects.
if req.context.is_admin and req.context.project_id:
tenant_id = req.context.tenant_id
_target = {"project_id": tenant_id} _target = {"project_id": tenant_id}
if req.context.tenant_id != tenant_id:
if req.context.tenant_id != tenant_id and not req.context.is_admin:
raise exc.HTTPForbidden() raise exc.HTTPForbidden()
allowed = req.context.policy.enforce( allowed = req.context.policy.enforce(
context=req.context, context=req.context,