External users should not be able to enumerate all users
External user accounts are useful since they allow for providing restricted access to projects, tasks, etc. However, there is currently an information leak through which an external user can list all users on the GitLab installation. For us this is a deal-breaker that will force us to find an alternative solution for some projects.
Steps to reproduce:
- Sign in as external user
- Browse to any Issues page (either `/dashboard/issues` or `/group/project/issues`)
- Either:
  - Press the Author filter selector, OR
  - Press the Assignee filter selector
In either selection dropdown, the full list of users is displayed. In my opinion these lists should only be populated with users that the external user is already "related" to through group or project affiliations.
Thank you for a most awesome software!
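The rule the reporter proposes (external users only see users they share a group or project with) as an added example in Ruby; this is illustrative code written for this page, not GitLab's implementation, and the class and method names (`Directory`, `visible_users`, `all_users`, the sample users and project paths) are hypothetical.

```ruby
# Added example (not GitLab code): a minimal model of the "related users" rule
# the report asks for. An external user may only see users who share a group
# or project membership with them; regular users keep the full directory.
# All names below (User, Directory, visible_users, sample data) are hypothetical.

User = Struct.new(:name, :external)

class Directory
  def initialize
    @users = {}
    # scope (a group or project path) => array of member names
    @memberships = Hash.new { |h, k| h[k] = [] }
  end

  def add_user(name, external: false)
    @users[name] = User.new(name, external)
  end

  def add_member(scope, name)
    raise ArgumentError, "unknown user #{name}" unless @users.key?(name)
    @memberships[scope] << name unless @memberships[scope].include?(name)
  end

  # Scopes the named user belongs to.
  def scopes_of(name)
    @memberships.select { |_, members| members.include?(name) }.keys
  end

  # Current (leaky) behaviour described in the report: the filter dropdown is
  # populated from the whole user table regardless of who is asking.
  def all_users
    @users.keys.sort
  end

  # Proposed behaviour: users the given viewer should be offered in the
  # author/assignee filters. Non-external viewers still get everyone;
  # external viewers only get members of scopes they are themselves in.
  def visible_users(viewer_name)
    viewer = @users.fetch(viewer_name)
    return all_users unless viewer.external

    related = scopes_of(viewer_name).flat_map { |scope| @memberships[scope] }
    (related | [viewer_name]).sort
  end
end

# Constructed sample data: three internal users, one external contractor
# who is a member of a single project.
def build_sample_directory
  d = Directory.new
  %w[alice bob carol].each { |n| d.add_user(n) }
  d.add_user("eve", external: true)
  d.add_member("group/project-a", "alice")
  d.add_member("group/project-a", "eve")
  d.add_member("group/project-b", "bob")
  d.add_member("group/project-b", "carol")
  d
end

if __FILE__ == $PROGRAM_NAME
  d = build_sample_directory
  puts "leaky dropdown for eve: #{d.all_users.join(', ')}"
  puts "restricted dropdown for eve: #{d.visible_users('eve').join(', ')}"
  puts "dropdown for alice: #{d.visible_users('alice').join(', ')}"
end
```

The external user `eve` is a member of `group/project-a` only, so the restricted list contains `alice` and herself; `bob` and `carol`, who share no scope with her, are no longer enumerable through the filter.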