Gitea Version
1.16.3 (codeberg)
Git Version
No response
Operating System
No response
How are you running Gitea?
codeberg deployment (= building from source with patches)
Database
MySQL
Can you reproduce the bug on the Gitea demo site?
Yes
Log Gist
No response
Description
We have received several concerning reports of users that the "Assign user" feature for issues, as well as mentioning via @ in the text box shows up strange users (users in no relation to the project). Also, some users who have access to the repo are apparently missing.
I could reproduce at https://try.gitea.io/repoCountIssues/9 (see screenshots). This user is not a collaborator of the repo, not in the org, not a watcher nor stargazer, nor has it opened an issue. I can't find any relation.
We received multiple reports via email, direct messages and a public post on Mastodon a while ago, see https://mastodon.social/@unfa/107875501190417072
It's a little concerning, and it would be nice to get a confirmation this does not grant strangers any permissions on those repos.
Screenshots