Tom Parrott

> Assuming [76cfc85](https://github.com/canonical/lxd/commit/76cfc851a46df5958d76f1028a4247c547d26879) has now been backported to 5.21, this should be fixed to return a 401 if a restricted client uses the `all-projects` query parameter. It should be in...

> In both cases, it would be nice if the all-projects param spanned to the projects that the restricted user has access to. @edlerd Probably worth creating a jira request...

More generally what you're requesting is the same as https://github.com/canonical/lxd/issues/13962

@edlerd shall we close this one in preference to https://github.com/canonical/lxd/issues/13962 ?

Noted thanks. @markylaing do you think this issue has a different underlying cause than https://github.com/canonical/lxd/issues/13962 ?

> Yes. The `all-projects` query parameter for restricted TLS clients is being blocked by this function > > [lxd/lxd/daemon.go](https://github.com/canonical/lxd/blob/5169fd87039da0cef8af5c054f963cfaa56df045/lxd/daemon.go#L308-L356) > > Lines 308 to 356 in [5169fd8](/canonical/lxd/commit/5169fd87039da0cef8af5c054f963cfaa56df045) > > //...

> which was specifically added to maintain API behaviour for restricted TLS clients. I'm not sure we'll be able to change this without breaking the API. If that was always...

> > [@markylaing](https://github.com/markylaing) thanks, at the very least the HTTP response code is incorrect: > > > Failed to get operation permission checker: Certificate is restricted error_code: 500 > >...

So this is a wont fix @markylaing ?

Or do we need to keep it open for fine grained users and update the title?