I agree with the assertion in the bug. I would think that this would return a 4xx error (not sure I agree with a 403, but...) for both of the following reasons:
1. A domain-specific role should not be assignable to users owned by another domain.
2. A domain-specific role should not be assignable to projects owned by another domain.
It appears that neither one of these is being checked? Is there a use case to not check against one of these?