Comment 3 for bug 1590587

Dolph Mathews (dolph) wrote :

I agree with the assertion in the bug. I would think that this would return a 4xx error (not sure I agree with a 403, but...) for both of the following reasons:

1. A domain-specific role should not be assignable to users owned by another domain.

2. A domain-specific role should not be assignable to projects owned by another domain.

It appears that neither one of these is being checked? Is there a use case to not check against one of these?