Security fix help requested - orgs/locations issue #15268

A security issue in access to orgs/locations has been filed, which
doesn't take the user's associated taxonomies into account in both UI
and API actions. Could somebody help write a patch to fix it?

"Bug #15268: CVE-2016-4475 - API and UI org/locations actions not limited
to user's associated orgs/locations - Foreman" is the ticket. It probably
needs resource scopes for indexes and regular actions overriding in both
controllers, or similar.

Thanks!

-- Dominic Cleal dominic@cleal.org