I am currently evaluating Metabase as a multi-tenancy solution on a local Metabase instance. However, I've discovered a weird behaviour in the API permissions: a non-privileged (non-superuser) account is able to access /api/user to get a list of all created accounts.
Is there a specific reason as to why such a user is able to get a list of all registered users?
This screenshot shows the non-superuser.
This screenshot shows /api/user using the non-privileged user's access token.