h3. Issue Summary

Non-admin users (any licensed user) can list every group, and the members of each group, through two admin-only endpoints of the permission management API:

* [Groups API|https://developer.atlassian.com/server/bitbucket/rest/v819/api-group-permission-management/#api-api-latest-admin-groups-get]
* [Group memberships API|https://developer.atlassian.com/server/bitbucket/rest/v819/api-group-permission-management/#api-api-latest-admin-groups-more-members-get]

This is reproducible on Data Center: Yes

h3. Steps to Reproduce

As a licensed, non-admin user, run the following ({{baseurl}} is the Bitbucket base URL, {{context}} is a group name, and {{username}}:{{password}} are the non-admin user's credentials):

{code:bash}
curl --request GET --url 'https://{baseurl}/rest/api/latest/admin/groups' --user '{username}:{password}' --header 'Accept: application/json'
curl --request GET --url 'https://{baseurl}/rest/api/latest/admin/groups/more-members?context={context}' --user '{username}:{password}' --header 'Accept: application/json'
{code}

h3. Expected Results

The user should not be able to fetch these details. Both requests are expected to fail with an AuthorisationException:

{code:json}
{"errors":[{"context":null,"message":"You are not permitted to access this resource","exceptionName":"com.atlassian.stash.exception.AuthorisationException"}]}
{code}

h3. Actual Results

The user can fetch the results.

h3. Workaround

Currently there is no known workaround for this behavior. A workaround will be added here when…
