The current girder implementation has a public endpoint to list all users (and their login), see for example:
I think this is a big security problem, since it opens doors for password brute-forcing.
The user list should be only available to users which have a valid login.
I was told that it is possible to use the extension API to change such a default behavior and would be happy to get help on how to disable the user listing for non-logged-in request.
Before every endpoint is actually called Girder triggers an event
rest.<verb>.<path>.before. You can use it to restrict access, e.g.:
# -*- coding: utf-8 -*-
from girder.api import access, rest
from girder import events
def _restrictUsers(self, event):
events.bind('rest.get.user.before', 'my_plugin', _restrictUsers)
would only let authenticated users access