Token scope escape issue

OpenNebula token handling mechanism does not check scoped token group. Here is an example: Users with scoped token for GID 0 can use this token to generate scoped token for GID 1.

We tried to fix this issue with PR, but unfortunately, this does not fix it.

We need to check whether users are logged in using scoped token. Looking into file src/rm/ we found that we could raise an error, if only we knew how was the user logged in and what GID is in his scoped token. However, after a few hours of surfing through OpenNebula code, we could not find a way to do it. Can anyone help us with this issue?

Thank you for your time,
Dusan Baran.