Merge "Fix access by admin users to resources in different projects"

2024-03-12 02:56:46 +00:00 · 2024-03-12 02:56:46 +00:00 · 30a1ca1137
commit 30a1ca1137
parent 726ee1946f 632998e218
1 changed files with 8 additions and 2 deletions
--- a/heat/api/openstack/v1/util.py
+++ b/heat/api/openstack/v1/util.py
@ -29,9 +29,15 @@ def registered_policy_enforce(handler):
    """
    @functools.wraps(handler)
    def handle_stack_method(controller, req, tenant_id, **kwargs):
+        # NOTE(tkajinam): Heat uses stack owner's project id in redirect URI.
+        # So admin might be redirected to different project id when accessing
+        # resources in a different project. Use project id in context to
+        # bypass project_id check, because admin should have access to all
+        # projects.
+        if req.context.is_admin and req.context.project_id:
+            tenant_id = req.context.tenant_id
        _target = {"project_id": tenant_id}
-
-        if req.context.tenant_id != tenant_id and not req.context.is_admin:
+        if req.context.tenant_id != tenant_id:
            raise exc.HTTPForbidden()
        allowed = req.context.policy.enforce(
            context=req.context,