The current Girder implementation has a public endpoint to list all users (and their logins); see for example:
https://challenge.kitware.com/girder/api/v1/user
I think this is a big security problem, since it opens doors for password brute-forcing.
The user list should only be available to users who have a valid login.
I was told that it is possible to use the extension API to change such a default behavior and would be happy to get help on how to disable the user listing for non-logged-in requests.