Currently, the User Exporter exports ALL users, no matter which users the current user is allowed to see in the control panel.
- Create user: exporttest
- Create user: random user
- Create role: allowexport, assign permission: Portal -> General -> Export User
- Create organization: exporttestorg
- Assign user exporttest to organization exporttestorg
- Make user exporttest organization administrator
- Login with user exporttest
- Access control panel via <host>/group/control_panel, click on Users
- User exporttest only sees himself. (Because of organization membership, he only sees users of his organization)
- Click Export Users
- Open resulting csv file and see all users in the file
This violates view permissions established by organization membership.