Comment 13 for bug 1496277

Steven Hardy (shardy) wrote : Re: template-validate may read server local files

@Angus - thanks for picking this up!

TBH I don't think restricting to opening paths in /etc/heat/templates is enough - we should *never* read *any* server-side files as a result of user-provided type: filename or (user) resource_registry entries - that (AIUI) is the whole point of the allowed schemes in TemplateResource?

The /etc/heat/templates is only for consumption via the *global* environment, e.g. template authors should *only* have access to those templates via their global resource_registry alias as defined in /etc/heat/environment.d - or at least that's the way I thought this was supposed to work?
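
The policy argued for in the comment above, as an added example that is not part of the original comment and not Heat's own code: a scheme allowlist that depends on where a registry entry came from. The function names, exception class and sample registry are hypothetical and constructed for illustration.

```python
from urllib.parse import urlparse

# Assumed policy: user-supplied entries may only point at remote templates;
# only the operator's global environment may point at local files.
REMOTE_SCHEMES = ("http", "https")
LOCAL_SCHEMES = ("file",)


class TemplateSourceRejected(ValueError):
    """Raised when a template reference uses a scheme its origin may not use."""


def allowed_schemes(from_global_env):
    return REMOTE_SCHEMES + LOCAL_SCHEMES if from_global_env else REMOTE_SCHEMES


def check_template_source(target, from_global_env):
    """Return the scheme if `target` may be fetched, otherwise raise."""
    scheme = urlparse(target).scheme.lower()
    # A bare path has an empty scheme, so it is rejected here as well
    # instead of falling through to a local open().
    if scheme not in allowed_schemes(from_global_env):
        origin = "global" if from_global_env else "user"
        raise TemplateSourceRejected(
            "scheme %r not allowed for %s entry %r" % (scheme, origin, target))
    return scheme


def rejected_user_entries(registry):
    """Return the sorted aliases in a user resource_registry that must be refused."""
    bad = []
    for alias, target in registry.items():
        try:
            check_template_source(target, from_global_env=False)
        except TemplateSourceRejected:
            bad.append(alias)
    return sorted(bad)


# Constructed sample of a user-provided resource_registry.
SAMPLE_USER_REGISTRY = {
    "My::Remote::Server": "https://templates.example.org/server.yaml",
    "My::Local::Db": "file:///etc/heat/templates/db.yaml",
    "My::Bare::Path": "/etc/heat/templates/db.yaml",
}

if __name__ == "__main__":
    print(rejected_user_entries(SAMPLE_USER_REGISTRY))
```

The same `file://` target passes when `from_global_env=True`, which is the only route by which a template under /etc/heat/templates becomes reachable in this sketch.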