[BUG]: User without user read permission can list all users

[correct-horse-battery-bench]

Version Information

Rainbow 5

Hashcat

No response

Description

Currently it seems that a user without read permissions can list all users. Other permissions are correctly handled. A user neither can list specific details of another user or update another user. Just the all users endpoint is affected.

Reproduce.

1. Add user to permission group without user permission's
2. Either disabling client side route guard for users page and navigating there or sending curl command with bearer token of the user without permissions
   curl -X GET
   'http://localhost:8080/api/v2/ui/users?page%5Bsize%5D=25&include=globalPermissionGroup'
   -H 'Authorization: Bearer <INSERT_BEARER_TOKEN_HERE>'
   -H 'Accept: application/json'

[gluafamichl]

Looks for me like a critical bug, which should be fixed with high priority

[jessevz]

Yes but this was implemented with intent. If you dont have user access, the only thing you are allowed to see is the username (and i guess the ID aswell) becasue this needs to be public. I dont remember for what exactly (I think it was for adding usermembers to accessgroups but @s3inlc probably knows)