Non privileged user has access to list of all users

Jxperforml · August 18, 2022, 12:41am

Hi,
I am currently evaluating Metabase as a multi-tenancy solution on a local Metabase instance, however I've discovered a weird behaviour in the API permissions in that a non-privileged user (non-superuser) account is able to access /api/user to get a list of all created accounts.

Is there a specific reason as to why such a user is able to get a list of all registered users?

this SS shows non-superuser

this SS shows /api/user using the non-privileged users' access token

flamber · August 18, 2022, 7:04am

Hi @Jxperforml
It's used for Subscription autocomplete for users among other. You're interested in this:
Option for restricting pulse recipients to those in the same group · Issue #10795 · metabase/metabase · GitHub - upvote by clicking on the first post