This repository has been archived by the owner on Apr 22, 2024. It is now read-only.

All users' userInfo are visible to any authenticated user #639

Open
minottic opened this issue Apr 19, 2022 · 1 comment

@minottic
Contributor

Issue Name

userInfo permissions

Summary

Information stored in the UserInfo collection, which includes accessGroups and email, is visible to any user as long as they have an authentication token.

Steps to Reproduce

Go to the explorer, set your access token and query the UserInfo table. All users' info is displayed.

Current Behaviour

All users' info is displayed

Expected Behaviour

Only info limited to the current user should be displayed (if we want to limit its visibility)

Extra Details

Here you should include details about the system (if it is unique) and possible information about a fix (feel free to link to code where relevant). Screenshots/GIFs are also fine here.
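The access-control gap the issue describes, beside the server-side scoping that closes it, as an added JavaScript example (not SciCat code; the collection contents, token map and function names are hypothetical):

```javascript
// Added example, not SciCat code: a UserInfo listing endpoint that returns
// every user's record to any authenticated caller, next to a hardened
// version that scopes the query to the caller's own identity.
// Data store, token map and function names are hypothetical.

// Constructed sample UserInfo collection, shaped after the fields the
// issue names (accessGroups, email).
const userInfoCollection = [
  { userId: 'u1', email: 'alice@example.org', accessGroups: ['proposal-1'] },
  { userId: 'u2', email: 'bob@example.org', accessGroups: ['proposal-2', 'staff'] },
];

// Constructed token -> userId mapping standing in for real token validation.
const tokenToUserId = { 'tok-alice': 'u1', 'tok-bob': 'u2' };

class AuthorizationRequired extends Error {
  constructor() {
    super('Authorization Required');
    this.statusCode = 401;
  }
}

// Authentication only answers "who is calling?"; it does not decide
// which records the caller may see.
function authenticate(token) {
  const userId = tokenToUserId[token];
  if (!userId) throw new AuthorizationRequired();
  return userId;
}

// Behaviour reported in the issue: the token is checked, but the query is
// not scoped, so any valid token returns the whole collection.
function listUserInfoUnscoped(token) {
  authenticate(token);
  return userInfoCollection;
}

// Hardened: the filter is built server-side from the authenticated identity,
// never from a client-supplied filter, so a caller receives only their own
// record (the expected behaviour in the issue).
function listUserInfoScoped(token) {
  const userId = authenticate(token);
  return userInfoCollection.filter((doc) => doc.userId === userId);
}
```

The same scoping belongs in every read path (list, findById, count), since a per-record check on one endpoint does not protect a sibling endpoint that still returns the unfiltered collection.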

@nitrosx
Contributor

nitrosx commented Oct 3, 2022

I'm not able to reproduce the issue.

When I query our production instance with the following command:
curl -X GET --header 'Accept: application/json' 'https://scicat.ess.eu/api/v3/Users?access_token=<ACCESS_TOKEN>'

and I get:
{"error":{"statusCode":401,"name":"Error","message":"Authorization Required","code":"AUTHORIZATION_REQUIRED"}}
