Fix access by admin users to resources in different projects

This allows admin users[1] to use a different project id in request
path, to fix the unexpected access denials during redirection when
enforcing new default rules. This was allowed previously with
deprecated policy rules, and with the new SRBAC design we require
project scope auth to access project owned resources such as stack.

[1]
User with admin role in admin project in case admin_project_name is
set in Keystone. If it's not set then user with admin role in any
project are considered as "admin".

Story: 2011036
Task: 49532
Change-Id: I49f46e36828881d9700e0e178bd80eb04efe4510

heat/api/openstack/v1/util.py

@@ -29,9 +29,15 @@ def registered_policy_enforce(handler):
     """
     @functools.wraps(handler)
     def handle_stack_method(controller, req, tenant_id, **kwargs):
+        # NOTE(tkajinam): Heat uses stack owner's project id in redirect URI.
+        # So admin might be redirected to different project id when accessing
+        # resources in a different project. Use project id in context to
+        # bypass project_id check, because admin should have access to all
+        # projects.
+        if req.context.is_admin and req.context.project_id:
+            tenant_id = req.context.tenant_id
         _target = {"project_id": tenant_id}
-
-        if req.context.tenant_id != tenant_id and not req.context.is_admin:
+        if req.context.tenant_id != tenant_id:
             raise exc.HTTPForbidden()
         allowed = req.context.policy.enforce(
             context=req.context,