Comment 2 for bug 1846817

Lance Bragstad (lbragstad) wrote:

OK - I played with this a little more locally and I don't think we have a true security vulnerability. I checked all of this with domain administrators and the filtering from the request is accounted for in authorization.

I think we're safe to open this up as a public filtering issue with the v3/role_assignments API.

https://gist.github.com/lbragstad/df576b7552b751fae16a35aa3c176b3e