Any way to disallow logged-in users from getting the full user list?

version: SonarQube 9.6
I was wondering if there's any way we can restrict logged-in non-admin users from accessing this API.
`GET /api/users/search` allows normal users to retrieve the full list of users. It would be best if only admin users could do this. Is there any toggle or setting I can change to achieve this?

Hey there.

This is not configurable. There are features in SonarQube, such as assigning issues, that require this information be available to non-administrator users.
