Protecting the POST case is more complicated because not all credential types use project_id and so the credentials policy only checks against the credential's owner, not their scope. Since this behavior is longstanding and can't be exploited to elevate the user's privileges, I'm inclined not to fix it.