From 6133e815e3507c0f0570c9466187faa2048f15ca Mon Sep 17 00:00:00 2001
From: Duc Truong <dtruong@blizzard.com>
Date: Thu, 5 Nov 2020 22:50:18 +0000
Subject: [PATCH] Load projects without restrictions in policy_check

The policy_check needs to load projects without project safe restriction
because it is possible for users to attach policies belonging to other
projects.

Change-Id: I019e7765bdce3f3338167ce11660f4eae70639fc
Closes-Bug: #1896099
---
 senlin/engine/actions/base.py                        |  3 ++-
 senlin/tests/unit/engine/actions/test_action_base.py | 11 +++++++----
 2 files changed, 9 insertions(+), 5 deletions(-)

diff --git a/senlin/engine/actions/base.py b/senlin/engine/actions/base.py
index 82b41f024..35aa190c9 100755
--- a/senlin/engine/actions/base.py
+++ b/senlin/engine/actions/base.py
@@ -531,7 +531,8 @@ class Action(object):
         self.data['reason'] = 'Completed policy checking.'
 
         for pb in bindings:
-            policy = policy_mod.Policy.load(self.context, pb.policy_id)
+            policy = policy_mod.Policy.load(self.context, pb.policy_id,
+                                            project_safe=False)
 
             # add last_op as input for the policy so that it can be used
             # during pre_op
diff --git a/senlin/tests/unit/engine/actions/test_action_base.py b/senlin/tests/unit/engine/actions/test_action_base.py
index 9d6df4f1c..5254c843b 100755
--- a/senlin/tests/unit/engine/actions/test_action_base.py
+++ b/senlin/tests/unit/engine/actions/test_action_base.py
@@ -1017,7 +1017,8 @@ class ActionPolicyCheckTest(base.SenlinTestCase):
         mock_load_all.assert_called_once_with(
             action.context, cluster_id, sort='priority',
             filters={'enabled': True})
-        mock_load.assert_called_once_with(action.context, policy.id)
+        mock_load.assert_called_once_with(action.context, policy.id,
+                                          project_safe=False)
         # last_op was updated anyway
         self.assertEqual(action.inputs['last_op'], pb.last_op)
         # neither pre_op nor post_op was called, because target not match
@@ -1076,7 +1077,8 @@ class ActionPolicyCheckTest(base.SenlinTestCase):
         mock_load_all.assert_called_once_with(
             action.context, cluster_id, sort='priority',
             filters={'enabled': True})
-        mock_load.assert_called_once_with(action.context, policy.id)
+        mock_load.assert_called_once_with(action.context, policy.id,
+                                          project_safe=False)
         # last_op was not updated
         self.assertIsNone(pb.last_op)
 
@@ -1103,7 +1105,8 @@ class ActionPolicyCheckTest(base.SenlinTestCase):
         mock_load_all.assert_called_once_with(
             action.context, cluster_id, sort='priority',
             filters={'enabled': True})
-        mock_load.assert_called_once_with(action.context, policy.id)
+        mock_load.assert_called_once_with(action.context, policy.id,
+                                          project_safe=False)
         # last_op was updated for POST check
         self.assertEqual(action.inputs['last_op'], pb.last_op)
         # pre_op is called, but post_op was not called
@@ -1144,7 +1147,7 @@ class ActionPolicyCheckTest(base.SenlinTestCase):
         mock_load_all.assert_called_once_with(
             action.context, cluster_id, sort='priority',
             filters={'enabled': True})
-        calls = [mock.call(action.context, policy1.id)]
+        calls = [mock.call(action.context, policy1.id, project_safe=False)]
         mock_load.assert_has_calls(calls)