Bug #15182
CVE-2016-4451 - Privilege escalation through Organization and Locations API
Status: closed
Description
We set the current org/loc for the user in a before filter blindly, without any association check [2][3]. As a user I'd expect a 404 (bug fixed by #3549), but instead I get the list of resources from the org I've chosen even though I'm not associated with it.
Note that this is possible because users have the viewer_role by default, which allows viewing all data regardless of organization. If the user's filters were all associated with org 1 only, he/she wouldn't see resources from org 2.
[2]https://github.com/theforeman/foreman/blob/develop/app/controllers/concerns/api/taxonomy_scope.rb#L11
[3]https://github.com/theforeman/foreman/blob/develop/app/controllers/concerns/api/taxonomy_scope.rb#L14
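The missing association check, as a constructed Ruby illustration added here (it is not Foreman's taxonomy_scope.rb, and the User/Organization structs, NotFound and the function names are assumptions): the unchecked variant accepts any existing organization id, so a viewer role that is not filtered by organization lists another org's resources, while the checked variant resolves the id only among the user's own organizations and treats anything else as a 404.

```ruby
# Constructed illustration of the access check described in the report.
# Plain Ruby, no Rails; model names and helpers are assumptions.
class NotFound < StandardError; end

Organization = Struct.new(:id, :name)
User = Struct.new(:login, :organizations)

# Vulnerable pattern: trust the requested organization id and set the scope
# without checking whether the user is associated with that organization.
def current_org_unchecked(all_orgs, _user, requested_id)
  return nil if requested_id.nil?
  all_orgs.find { |o| o.id == requested_id } # any existing org is accepted
end

# Hardened pattern: resolve the id only within the user's own organizations and
# treat a miss like a non-existent record (404), so the response does not
# reveal whether the organization exists at all.
def current_org_checked(user, requested_id)
  return nil if requested_id.nil?
  org = user.organizations.find { |o| o.id == requested_id }
  raise NotFound, "organization #{requested_id} not found" if org.nil?
  org
end

# Resources visible in the selected scope for a viewer-like role whose own
# filters are not restricted by organization (the condition the report names).
def visible_resources(resources, org)
  org.nil? ? resources : resources.select { |r| r[:org_id] == org.id }
end

# Constructed sample data: alice is associated with org 1 only.
ALL_ORGS = [Organization.new(1, "org1"), Organization.new(2, "org2")]
RESOURCES = [{ name: "host-a", org_id: 1 }, { name: "host-b", org_id: 2 }]
ALICE = User.new("alice", [ALL_ORGS[0]])

# Compare both patterns for a request that asks for org 2.
def demo
  leaked = visible_resources(RESOURCES, current_org_unchecked(ALL_ORGS, ALICE, 2))
  denied = begin
    current_org_checked(ALICE, 2)
    false
  rescue NotFound
    true
  end
  own = visible_resources(RESOURCES, current_org_checked(ALICE, 1))
  { leaked: leaked.map { |r| r[:name] }, denied: denied, own: own.map { |r| r[:name] } }
end

puts demo.inspect
```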