Comment 5 for bug 1662911

In the event a deployment allows users to update their own user attributes, would we expect an administrator to clean up a rogue assignment if a user provides a project ID they shouldn't have access to?