Several API and UI actions/URLs for viewing and managing organisations and locations are not scoped to the organisations/locations assigned directly to the user; they are restricted only by the permissions granted through the user's roles. A user whose role grants a permission such as viewing or editing organisations can therefore view and update organisations and locations in the system that were never assigned to them and that they should not have access to.
Upstream bug: http://projects.theforeman.org/issues/15268
Proposed patch: https://github.com/theforeman/foreman/pull/3568/commits/d88f399d68425e8a69ce95a8e78b681bccf211af
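The following Ruby is an added illustration of the flaw class described above, not code from Foreman or from the upstream patches. It models a permission-only check beside a check that also scopes the result to the taxonomies assigned to the user; the User and Organization structures, the permission names and the sample data are all constructed for the example.

```ruby
# Added example, not Foreman code. Contrasts authorising an organisation
# action by role permission alone (the flawed behaviour) with authorising
# it by permission plus the user's assigned organisations (the fix).

# Hypothetical minimal user: a login, a flat list of permission names,
# the ids of organisations assigned to the user, and an admin flag.
User = Struct.new(:login, :permissions, :organization_ids, :admin) do
  def can?(permission)
    admin || permissions.include?(permission)
  end
end

Organization = Struct.new(:id, :name)

# Constructed sample data.
ORGS = [
  Organization.new(1, 'Finance'),
  Organization.new(2, 'Engineering'),
  Organization.new(3, 'Sales'),
].freeze

# alice's role grants view/edit on organisations, but she is only
# assigned to Engineering (id 2).
ALICE = User.new('alice', %w[view_organizations edit_organizations], [2], false)
ROOT  = User.new('root', [], [], true)

# Flawed: any user whose role grants view_organizations sees every org,
# regardless of which orgs are assigned to them.
def visible_orgs_permission_only(user, orgs = ORGS)
  return [] unless user.can?('view_organizations')
  orgs
end

# Fixed: the permission is still required, but non-admin users are
# further restricted to the organisations assigned to them.
def visible_orgs_scoped(user, orgs = ORGS)
  return [] unless user.can?('view_organizations')
  return orgs if user.admin
  orgs.select { |o| user.organization_ids.include?(o.id) }
end

# Authorisation for an update on one organisation by id. Returns true
# only when the edit permission is held AND the org is in the user's scope,
# so a request for an unassigned org id is rejected even with the permission.
def authorized_to_edit?(user, org_id, orgs = ORGS)
  return false unless user.can?('edit_organizations')
  visible_orgs_scoped(user, orgs).any? { |o| o.id == org_id }
end

if __FILE__ == $PROGRAM_NAME
  puts "permission only: #{visible_orgs_permission_only(ALICE).map(&:name).inspect}"
  puts "scoped:          #{visible_orgs_scoped(ALICE).map(&:name).inspect}"
  puts "alice edits Finance? #{authorized_to_edit?(ALICE, 1)}"
end
```

The point of the scoped variant is that the id supplied in a request is checked against the user's own assignments, not just against whether the user's role holds the permission; an admin bypasses the scope, which matches the intent that only admins manage all taxonomies.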
Upstream Patches: https://github.com/theforeman/foreman/commit/1144040f444b4bf4aae81940a150b26b23b4623c https://github.com/theforeman/foreman/commit/a30ab44ed6f140f1791afc51a1e448afc2ff28f9
Fixed upstream in Foreman 1.11.4.
This issue has been addressed in the following products: Red Hat Satellite 6.2 via RHSA-2016:1615