/v3/roles does not validate the existence of user guid #4308

Open
vchrisb opened this issue Apr 11, 2025 · 0 comments
vchrisb commented Apr 11, 2025

It is possible to create a space/org role for an arbitrary user guid. The following does succeed, even if the guid does not exist:

cf curl /v3/roles -X POST   -d '{
     "relationships": {
       "organization": {
         "data": {
           "guid": "5989b03b-4d88-4eb7-a4a7-5bc428cd31bc"
         }
       },
       "user": {
         "data": {
           "guid": "not-existing"
         }
       }
     },
     "type": "organization_manager"
   }'

For a user, the cc api is validating if it exists, and will fail:

{
 "relationships": {
   "organization": {
     "data": {
       "guid": "5989b03b-4d88-4eb7-a4a7-5bc428cd31bc"
     }
   },
   "user": {
     "data": {
       "username": "not-existing"
     }
   }
 },
 "type": "organization_manager"
}

From briefly looking at the code https://github.com/cloudfoundry/cloud_controller_ng/blob/main/app/controllers/v3/roles_controller.rb#L123, no lookup is done if a guid is passed as part of the message.

I stumbled across this, as the cf cli is currently testing if a client exists when using set-org-role or set-space-role. But to be able to test for existence, the authenticated user needs to have the clients.read scope, which isn't normally available.
cloudfoundry/cli@5b0cf09
I think the check should be moved to the cc api and not handled in the cf cli. This would improve the usability of clients with the cf cli.
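The contrast the report draws, a username being resolved against the user store while a guid is accepted unchecked, and the proposed fix of resolving either identifier server-side before the role is created, as an added stand-alone Ruby illustration. This is example code, not cloud_controller_ng's own controller or data model: the user table, the `ORG-GUID-PLACEHOLDER` value and the function names are constructed for the example.

```ruby
require 'json'

# Constructed user table standing in for the API's user store
# (hypothetical; not cloud_controller_ng's own data model).
KNOWN_USERS = [
  { 'guid' => '11111111-1111-1111-1111-111111111111', 'username' => 'alice' }
].freeze

# Pulls the user reference out of a parsed /v3/roles style request body.
def user_reference(body)
  JSON.parse(body).dig('relationships', 'user', 'data') || {}
end

# Behaviour the report describes: a username is resolved against the
# user store, while a guid is trusted as given.
# Returns [http_status, error_message_or_nil].
def lenient_user_check(body, users = KNOWN_USERS)
  ref = user_reference(body)
  if ref.key?('username')
    found = users.any? { |u| u['username'] == ref['username'] }
    return [422, "No user exists with username '#{ref['username']}'"] unless found
  end
  [201, nil]
end

# Proposed behaviour: whichever identifier the client supplied must
# resolve to an existing user before a role is created.
def strict_user_check(body, users = KNOWN_USERS)
  ref = user_reference(body)
  key = %w[guid username].find { |k| ref.key?(k) }
  return [422, 'User relationship must contain a guid or a username'] unless key

  found = users.any? { |u| u[key] == ref[key] }
  return [422, "No user exists with #{key} '#{ref[key]}'"] unless found

  [201, nil]
end

# Constructed request body modelled on the one in the report; the org guid
# is a placeholder, not a real value.
def role_request(user_data)
  JSON.generate(
    'relationships' => {
      'organization' => { 'data' => { 'guid' => 'ORG-GUID-PLACEHOLDER' } },
      'user' => { 'data' => user_data }
    },
    'type' => 'organization_manager'
  )
end

if __FILE__ == $PROGRAM_NAME
  [{ 'guid' => 'not-existing' },
   { 'username' => 'not-existing' },
   { 'guid' => KNOWN_USERS[0]['guid'] }].each do |ref|
    body = role_request(ref)
    puts "#{ref.inspect}: lenient=#{lenient_user_check(body).inspect} " \
         "strict=#{strict_user_check(body).inspect}"
  end
end
```

Run as-is, the lenient check returns 201 for the non-existent guid and 422 for the non-existent username, reproducing the asymmetry; the strict check returns 422 for both and 201 only when the guid or username is found, which is the server-side validation the report asks for and which needs no extra scope on the caller's side.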

@svkrieger svkrieger self-assigned this Apr 16, 2025