A number of API and UI actions/URLs for viewing and managing organisations and locations are not limited to the orgs/locations assigned directly to the user, instead they are only restricted by permissions assigned to the user's roles.

• API index calls: GET /api/v2/organizations, GET /api/v2/locations
• API show/update/destroy calls
• UI edit/update/destroy calls

The UI index for orgs/locations and the UI org/location switcher appears to be the only place where the user's associated orgs/locations are taken into account.

Both UI and API controllers should be overriding methods for resource scopes to limit them further to the Organization.my_organizations/Location.my_locations scopes.

Mitigation: ensure all org/location related permissions assigned to a user are restricted to certain orgs/locations, these should still be taken into account.

Thanks to Ivan Necas for reporting this to foreman-security@googlegroups.com.