Partner sharing discloses list of (non-public) users #24528

@mrchapp

I have searched the existing issues, both open and closed, to make sure this is not a duplicate report.

  • Yes

The bug

I seem to recall from previous versions that it was not possible to see which other users existed on the Immich instance if the System Settings -> Server Settings -> Public Users toggle was set to off. The note there says that "[w]hen disabled, the user list will only be available to admin users".

The OS that Immich Server is running on

Docker ghcr.io/immich-app/immich-server:v2.3.1

Version of Immich Server

v2.3.1

Version of Immich Mobile App

Android 2.3.0 build.3027; iOS 2.0.0 build.229

Platform with the issue

  • Server
  • Web
  • Mobile

Device make and model

No response

Your docker-compose.yml content

Same as release asset for v2.3.1.

Your .env content

Same as release asset for v2.3.1.

Reproduction steps

On the web app, when trying to add a partner there's a note saying: "Looks like you shared your photos with all users or you don't have any user to share with."

On mobile, the list of users fully appears on Library -> Partners -> [Add partner].

Relevant log output

Additional information

This more or less aligns with CWE-200 and CAPEC-116.
