Permission Level for fetching "Users" resource

Hi,
According to the documentation, level 7 is required to fetch users, which is the next one down from level 8 full access. Not many users have that, but I can see why it is required due to the private data that is included against users. Would it be possible to provide a reduced data set for “Users” when requested by a user which has level 3 (contacts and projects)?

I can already see the same kind of behaviour with “Projects”, because if I request a project with a level 1 user, I only get the project name and a couple of other details; none of the budget info is there unless I request it using a level 3 user, which makes sense (however, this does not seem to be documented behaviour; I expected it not to work at all unless level 3).

All I need is to be able to get the users' first_name and last_name properties using a level 3 user. This would fit with the other API permissions because, as a level 3 user, all users' timeslips can be downloaded, so the ability to look up the user’s name from the id makes sense too. I noticed that I can also download timeslips for all users from a level 1 user, which I found surprising; I expected only to be able to receive that user’s own timeslips.

Thanks!

+1 for this. It’s been a long-standing feature which honestly I think is a security issue: endpoints which are accessible on lower security levels (timesheet and expenses) allow any user to retrieve data for all users. This means that anyone with user access to your Freeagent account can download all the timesheets and expenses for the entire company, rather than just their own.

A good solution to this would be to apply a context-based filter to the timesheets and expenses so that low-privilege users can only see their own timesheets and expenses (as per the website), and also that it ought to be possible to retrieve just one’s own user record from the users API in the same way.
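The two checks discussed in this thread, a reduced user record for lower levels and an ownership filter on timeslips, written out as an added example. This is not FreeAgent's code and nothing here describes how their API is actually implemented; the numeric levels (1 timeslips, 3 contacts and projects, 7 users, 8 full access) are the ones quoted above, while the `User` and `Timeslip` records, the field-tier table and every function name are assumptions made for the example. It separates the problem into a field-level filter on the user record (level 3 sees id and names only, level 7 sees the private fields, and a caller always gets the name-only view of their own record) and an object-level filter on timeslips (below level 3, only rows the caller owns).

```python
from dataclasses import dataclass

# Permission levels as quoted in the thread. Everything else in this file
# (record shapes, tier table, function names) is an assumption for the example.
LEVEL_TIME = 1       # timeslips only
LEVEL_CONTACTS = 3   # contacts and projects
LEVEL_USERS = 7      # full user records
LEVEL_FULL = 8


@dataclass(frozen=True)
class User:
    id: int
    first_name: str
    last_name: str
    email: str             # constructed private field that must stay restricted
    permission_level: int


@dataclass(frozen=True)
class Timeslip:
    id: int
    user_id: int
    hours: float


class PermissionDenied(Exception):
    """Raised when the caller's level unlocks no fields of the requested record."""


# Which user fields each level unlocks; a caller sees every tier at or below its level.
USER_FIELD_TIERS = {
    LEVEL_CONTACTS: ("id", "first_name", "last_name"),
    LEVEL_USERS: ("email", "permission_level"),
}


def visible_user_fields(level: int) -> tuple:
    """Return the user attributes a caller of the given level may read about other users."""
    fields = []
    for tier, names in sorted(USER_FIELD_TIERS.items()):
        if level >= tier:
            fields.extend(names)
    return tuple(fields)


def serialize_user(target: User, caller: User) -> dict:
    """Field-level filter: the caller's level decides which attributes come back.

    Reading one's own record is always allowed at least at the name-only tier,
    which is the "retrieve just one's own user record" case from the thread.
    """
    effective_level = caller.permission_level
    if caller.id == target.id:
        effective_level = max(effective_level, LEVEL_CONTACTS)
    fields = visible_user_fields(effective_level)
    if not fields:
        raise PermissionDenied(
            f"level {caller.permission_level} may not read user {target.id}")
    return {name: getattr(target, name) for name in fields}


def can_read_user(target: User, caller: User) -> bool:
    """Convenience wrapper so callers can check without catching the exception."""
    try:
        serialize_user(target, caller)
        return True
    except PermissionDenied:
        return False


def list_timeslips(caller: User, timeslips: list) -> list:
    """Object-level filter: below the contacts level a caller sees only their own rows."""
    if caller.permission_level >= LEVEL_CONTACTS:
        return list(timeslips)
    return [t for t in timeslips if t.user_id == caller.id]


# Constructed sample data for a stand-alone run.
ALICE = User(1, "Alice", "Ng", "alice@example.test", LEVEL_TIME)
BOB = User(2, "Bob", "Rao", "bob@example.test", LEVEL_CONTACTS)
CARA = User(3, "Cara", "Diaz", "cara@example.test", LEVEL_USERS)
TIMESLIPS = [Timeslip(10, 1, 7.5), Timeslip(11, 2, 4.0),
             Timeslip(12, 1, 2.0), Timeslip(13, 3, 8.0)]

if __name__ == "__main__":
    print("level 3 reading a user:", serialize_user(CARA, BOB))
    print("level 7 reading a user:", serialize_user(BOB, CARA))
    print("level 1 reading self:  ", serialize_user(ALICE, ALICE))
    print("level 1 timeslips:     ", [t.id for t in list_timeslips(ALICE, TIMESLIPS)])
```

The point of keeping the two filters separate is that they answer different questions: `serialize_user` decides *which attributes* of a record a caller may see, while `list_timeslips` decides *which records* exist at all from the caller's point of view. The original post's surprise (a level 1 user pulling every user's timeslips) is a missing check of the second kind, and it is not fixed by tightening the first.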