As the title says, you can view all API routes without any authentication, which is a security issue considering the users API is exposed and everyone can see the full list of users. There should definitely be authentication for, at least, the sensitive routes of the API.
Related question: are the edit/delete routes protected by authentication? If they are, is there a check that the authenticated user can edit only the objects they have rights to edit?
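To make the two checks raised in the report concrete, here is an added example (not the project's own code) of a minimal in-memory API dispatcher that rejects unauthenticated calls to sensitive routes with 401 and rejects edit/delete calls on objects the caller does not own with 403. The route names, users, tokens and posts are constructed for the illustration and do not correspond to anything in the project.

```python
# Added illustration, not the project's code: a minimal dispatcher showing
#   1. authentication on sensitive routes (no/invalid token -> 401)
#   2. object-level authorization on edit/delete (not the owner -> 403)
# All route names, users, tokens and posts below are constructed samples.

from dataclasses import dataclass

# Constructed sample data (not real credentials or real users).
USERS = {
    1: {"id": 1, "name": "alice", "email": "alice@example.invalid"},
    2: {"id": 2, "name": "bob", "email": "bob@example.invalid"},
}
SESSIONS = {"tok-alice": 1, "tok-bob": 2}   # bearer token -> user id
POSTS = {
    10: {"id": 10, "owner_id": 1, "body": "hello"},
    11: {"id": 11, "owner_id": 2, "body": "hi"},
}


@dataclass
class Response:
    status: int
    body: object = None


def authenticate(headers):
    """Return the user id behind a valid bearer token, else None."""
    auth = headers.get("Authorization", "")
    if not auth.startswith("Bearer "):
        return None
    return SESSIONS.get(auth[len("Bearer "):])


def list_users(user_id, params):
    # Authenticated callers get the list, but only non-sensitive fields.
    return Response(200, [{"id": u["id"], "name": u["name"]} for u in USERS.values()])


def _owned_post_or_error(user_id, post_id):
    """Look up a post and enforce that the caller owns it."""
    post = POSTS.get(post_id)
    if post is None:
        return None, Response(404)
    if post["owner_id"] != user_id:       # object-level authorization
        return None, Response(403)
    return post, None


def edit_post(user_id, params):
    post, err = _owned_post_or_error(user_id, params["id"])
    if err:
        return err
    post["body"] = params["body"]
    return Response(200, post)


def delete_post(user_id, params):
    post, err = _owned_post_or_error(user_id, params["id"])
    if err:
        return err
    del POSTS[post["id"]]
    return Response(204)


# (method, path) -> (requires_auth, handler). Every sensitive route is flagged.
ROUTES = {
    ("GET", "/api/users"): (True, list_users),
    ("PUT", "/api/posts"): (True, edit_post),
    ("DELETE", "/api/posts"): (True, delete_post),
}


def dispatch(method, path, headers=None, params=None):
    """Route a request, applying the authentication check before the handler."""
    headers = headers or {}
    params = params or {}
    route = ROUTES.get((method, path))
    if route is None:
        return Response(404)
    requires_auth, handler = route
    user_id = authenticate(headers)
    if requires_auth and user_id is None:
        return Response(401)
    return handler(user_id, params)
```

The point of the split is that authentication (who is calling) happens once in `dispatch`, while authorization (may this caller touch this object) lives next to the object lookup in each handler, so a new edit/delete route cannot forget it by accident. If object IDs are guessable, returning 404 instead of 403 for objects the caller does not own avoids confirming that they exist.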