Hi,
I am currently evaluating Metabase as a multi-tenancy solution on a local Metabase instance. However, I've discovered a weird behaviour in the API permissions, in that a non-privileged user (non-superuser) account is able to access /api/user to get a list of all created accounts.
Is there a specific reason as to why such a user is able to get a list of all registered users?
This screenshot shows the non-superuser.
This screenshot shows /api/user using the non-privileged user's access token.