🔒️(backend) limit user listing endpoint with security flag

Deactivate inherited user listing capability that allows authenticated users
to retrieve all application users in JSON format. This potentially unsecure
endpoint exposes user database to scraping and isn't currently used in the
application.

Implement security flag to disable access until properly refactored for
upcoming invitation feature. Will revisit and adapt endpoint behavior when
developing user invitation functionality.

src/backend/core/api/viewsets.py

@@ -150,9 +150,8 @@ class UserViewSet(
         queryset = self.queryset
 
         if self.action == "list":
-            # Exclude all users already in the given document
-            if document_id := self.request.GET.get("document_id", ""):
-                queryset = queryset.exclude(documentaccess__document_id=document_id)
+            if not settings.ALLOW_UNSECURE_USER_LISTING:
+                return models.User.objects.none()
 
             # Filter users by email similarity
             if query := self.request.GET.get("q", ""):