CVE-2015-1844 - GET /api/hosts doesn't respect organization/location membership
I created a new user with a dedicated role with the following permissions:
The user is a member of 1 organization and 2/4 locations. When logging in via the web interface, the user can only see the hosts belonging to that 1 organization/2 locations. However, an API call via /api/hosts lists the hosts of all organizations and all locations. The only way I could fix this was by applying a location/organization restriction to the view_hosts filter on the role.
Fixes #9947 - restrict user taxonomies if none is set
(cherry picked from commit abe910f2a46f4ecc1f349263d0b4751ed46ff200)