if user has rw access to a hostgroup, and a host belongs to some other groups user has no access to, this user can remove host from that group and lose all access to it.

maybe permission check should be made and if user would lose permissions on some host by an action, action would be denied ?