The assertion being made by OP is that the domain which owns the scoped project should become the domain upon which the action is performed, but I would consider that behavior to be a privilege escalation vulnerability. The user is presenting explicit domain-level authorization on a domain-level resource, and would thus be circumventing the intended policy.json behavior.
The assertion being made by OP is that the domain which owns the scoped project should become the domain upon which the action is performed, but I would consider that behavior to be a privilege escalation vulnerability. The user is presenting explicit domain-level authorization on a domain-level resource, and would thus be circumventing the intended policy.json behavior.