Bug #23994
Status: Closed
It is possible to update a template in organizations the user does not have permission for when importing a template
Description
Steps to reproduce:
1) Create a non-admin user_a with the Manager role in OrgA and LocA only; do the same for user_b in OrgB and LocB.
2) Try importing a new template as user_a into OrgB and LocB with the following command:
curl -H "Accept: application/json" -H "Content-Type: application/json" -k -X POST -u user_a:changeme https://$(hostname)/api/v2/provisioning_templates/import -d '{ "provisioning_template": {"name": "An org test", "template": "<%#\nkind: PXELinux\nname: An org test\nmodel: ProvisioningTemplate\norganizations:\n - OrgB\nlocations:\n - LocB\n%>\ntest"}, "options": {"verbose": "true", "associate": "always"} }' | json_reformat
You will not be permitted to do so, as expected.
3) Now import the template into OrgA, LocA as user_a, which succeeds:
curl -H "Accept: application/json" -H "Content-Type: application/json" -k -X POST -u user_a:changeme https://$(hostname)/api/v2/provisioning_templates/import -d '{ "provisioning_template": {"name": "An org test", "template": "<%#\nkind: PXELinux\nname: An org test\nmodel: ProvisioningTemplate\norganizations:\n - OrgA\nlocations:\n - LocA\n%>\ntest"}, "options": {"verbose": "true", "associate": "always"} }' | json_reformat
4) Try importing a template with the same name as user_b into LocB and OrgB:
curl -H "Accept: application/json" -H "Content-Type: application/json" -k -X POST -u user_b:changeme https://$(hostname)/api/v2/provisioning_templates/import -d '{ "provisioning_template": {"name": "An org test", "template": "<%#\nkind: PXELinux\nname: An org test\nmodel: ProvisioningTemplate\norganizations:\n - OrgB\nlocations:\n - LocB\n%>\ntest again"}, "options": {"verbose": "true", "associate": "always"} }' | json_reformat
The result is a successfully imported template that is now assigned to LocB and OrgB only. user_b was thus able to update a template he has no permissions for, and user_a can no longer use it: it was removed from OrgA and LocA, and its original content was likely overwritten with whatever user_b posted.
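The failure mode in the steps above, modelled in plain Ruby as an added example (not Foreman's code and not the fix from the linked pull request): the import locates an existing template by name alone and then rewrites its body and taxonomies, so a user whose organizations and locations do not overlap the template's can re-home it; the hardened variant scopes the update to templates the importing user is already authorized to edit and refuses otherwise. All classes, users and template data below are constructed for the example.

```ruby
# Plain-Ruby model of the report (constructed data, not Foreman's code):
# templates and users both carry organization/location memberships.
Template = Struct.new(:name, :body, :organizations, :locations)
User = Struct.new(:login, :organizations, :locations)

class TemplateStore
  attr_reader :templates
  def initialize; @templates = []; end

  # The importing user must belong to every taxonomy the metadata asks for
  # (the check that already blocks step 2 of the report).
  def may_import_into?(user, orgs, locs)
    (orgs - user.organizations).empty? && (locs - user.locations).empty?
  end

  # A user may modify an existing template only if it is already visible to
  # them: it shares at least one organization and one location with the user.
  def may_edit?(user, template)
    (template.organizations & user.organizations).any? &&
      (template.locations & user.locations).any?
  end

  # Vulnerable flow from the report: the existing template is looked up by
  # name alone and its body and taxonomies overwritten ("associate": "always").
  def import_unchecked(user, name, body, orgs, locs)
    return :forbidden unless may_import_into?(user, orgs, locs)
    upsert(name, body, orgs, locs)
  end

  # Hardened flow: refuse to touch a template the user cannot already edit, so
  # a same-named template owned by another organization cannot be re-homed.
  def import_checked(user, name, body, orgs, locs)
    return :forbidden unless may_import_into?(user, orgs, locs)
    existing = @templates.find { |t| t.name == name }
    return :forbidden if existing && !may_edit?(user, existing)
    upsert(name, body, orgs, locs)
  end

  private
  def upsert(name, body, orgs, locs)
    existing = @templates.find { |t| t.name == name }
    unless existing
      @templates << Template.new(name, body, orgs, locs)
      return :created
    end
    existing.body, existing.organizations, existing.locations = body, orgs, locs
    :updated
  end
end
```

Running the report's four steps against `import_unchecked` reproduces the silent takeover (user_b's import returns `:updated` and the template ends up in OrgB/LocB only); against `import_checked` the same request returns `:forbidden` and user_a's template is left intact.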
Updated by The Foreman Bot over 6 years ago
- Status changed from New to Ready For Testing
- Assignee set to Ondřej Pražák
- Pull request https://github.com/theforeman/foreman/pull/5725 added
Updated by Tomer Brisker over 6 years ago
- Release set to 330
- Triaged set to Yes
Updated by Ondřej Pražák over 6 years ago
- Status changed from Ready For Testing to Closed
- % Done changed from 0 to 100
Applied in changeset 943bc1a277e543d13893ded9ead1459b3c664789.
Updated by The Foreman Bot over 6 years ago
- Pull request https://github.com/theforeman/foreman/pull/5798 added