Comment 3 for bug 1850274

Slawek Kaplonski (slaweq) wrote :

Hi,

A similar issue was discussed some time ago in the Neutron drivers team. See for example RFE https://bugs.launchpad.net/neutron/+bug/1705467 or bug https://bugs.launchpad.net/mos/+bug/1782314, which is about something similar.
So this is basically a known problem which we then decided not to fix, as we would need to ask keystone about the project ID during every API request and it could make the API even slower than it is now.
But maybe we can think about some validation in keystone, e.g. if the project/tenant_id value in the request body is different from the one in the context. That would probably slow down only some requests, usually made by admin users.

And as Jeremy already said, quota can be managed only by admin users, see https://github.com/openstack/neutron/blob/b86fa161edd1d1a9d20efbd52d922d5ba738b18d/neutron/extensions/quotasv2.py#L117, so there is no big risk in such a vulnerability and I would make this bug public.
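The validation sketched in the comment, written out as an added example (not Neutron's or keystone's own code): the project named in a request body is compared with the project of the authenticated context, and only an admin caller may act on a project other than its own. `RequestContext`, `validate_project_scope` and the sample requests are constructed for this illustration.

```python
from dataclasses import dataclass


@dataclass
class RequestContext:
    """Minimal stand-in for an authenticated API context (assumed shape)."""
    project_id: str
    is_admin: bool = False


class ProjectMismatch(Exception):
    """Raised when the body claims a project the caller may not act on."""


def validate_project_scope(body: dict, ctx: RequestContext) -> str:
    """Return the project the request actually applies to.

    Both legacy 'tenant_id' and current 'project_id' keys are honoured; if
    both are present they must agree.  A body that names no project falls
    back to the caller's own project.  Non-admin callers are rejected when
    the body names a different project; admins are allowed through, which
    mirrors the admin-only policy the comment points at for quotas.
    """
    claimed = {body[k] for k in ("tenant_id", "project_id") if body.get(k)}
    if len(claimed) > 1:
        raise ProjectMismatch("tenant_id and project_id in body disagree")
    target = claimed.pop() if claimed else ctx.project_id
    if target != ctx.project_id and not ctx.is_admin:
        raise ProjectMismatch(
            f"body names project {target!r} but context is {ctx.project_id!r}"
        )
    return target


def audit_requests(requests, ctx: RequestContext):
    """Run the check over (body) samples; return accepted targets and rejects."""
    accepted, rejected = [], []
    for body in requests:
        try:
            accepted.append(validate_project_scope(body, ctx))
        except ProjectMismatch as exc:
            rejected.append(str(exc))
    return accepted, rejected


if __name__ == "__main__":
    # Constructed sample bodies: own project, foreign project, no project.
    samples = [{"tenant_id": "p1"}, {"project_id": "p2"}, {"name": "net0"}]
    print(audit_requests(samples, RequestContext("p1")))
    print(audit_requests(samples, RequestContext("admin", is_admin=True)))
```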