Merge pull request #8476 from tomaioo/fix/security/unbounded-limit-parameter-in-user-search

Security: Unbounded `limit` parameter in user search can be abused for resource exhaustion

Author: mejo-

lib/Controller/UserApiController.php

@@ -37,6 +37,7 @@ public function __construct(
 	#[NoAdminRequired]
 	#[RequireDocumentSession]
 	public function index(string $filter = '', int $limit = 5): DataResponse {
+		$limit = min($limit, 50);
 		$sessions = $this->sessionService->getAllSessions($this->getSession()->getDocumentId());
 
 		$users = [];