Addressed user detail harvesting issue

Altered access & usage of the /search/users/select endpoint with the
following changes:
- Removed searching of email address to prevent email detail discovery
  via hunting via search queries.
- Required the user to be logged in and have permission to manage users
  or manage permissions on items in some way.
- Removed the user migration option on user delete unless they have
  permission to manage users.

For #3108
Reported in https://huntr.dev/bounties/135f2d7d-ab0b-4351-99b9-889efac46fca/
Reported by @haxatron

tests/User/UserManagementTest.php

@@ -130,6 +130,21 @@ class UserManagementTest extends TestCase
         $resp->assertSee('new_owner_id');
     }
 
+    public function test_migrate_option_hidden_if_user_cannot_manage_users()
+    {
+        $editor = $this->getEditor();
+
+        $resp = $this->asEditor()->get("settings/users/{$editor->id}/delete");
+        $resp->assertDontSee('Migrate Ownership');
+        $resp->assertDontSee('new_owner_id');
+
+        $this->giveUserPermissions($editor, ['users-manage']);
+
+        $resp = $this->asEditor()->get("settings/users/{$editor->id}/delete");
+        $resp->assertSee('Migrate Ownership');
+        $resp->assertSee('new_owner_id');
+    }
+
     public function test_delete_with_new_owner_id_changes_ownership()
     {
         $page = Page::query()->first();

tests/User/UserSearchTest.php

@@ -0,0 +1,68 @@
+<?php
+
+namespace Tests\User;
+
+use BookStack\Auth\User;
+use Tests\TestCase;
+
+class UserSearchTest extends TestCase
+{
+
+    public function test_select_search_matches_by_name()
+    {
+        $viewer = $this->getViewer();
+        $admin = $this->getAdmin();
+        $resp = $this->actingAs($admin)->get('/search/users/select?search=' . urlencode($viewer->name));
+
+        $resp->assertOk();
+        $resp->assertSee($viewer->name);
+        $resp->assertDontSee($admin->name);
+    }
+
+    public function test_select_search_shows_first_by_name_without_search()
+    {
+        /** @var User $firstUser */
+        $firstUser = User::query()->orderBy('name', 'desc')->first();
+        $resp = $this->asAdmin()->get('/search/users/select');
+
+        $resp->assertOk();
+        $resp->assertSee($firstUser->name);
+    }
+
+    public function test_select_search_does_not_match_by_email()
+    {
+        $viewer = $this->getViewer();
+        $editor = $this->getEditor();
+        $resp = $this->actingAs($editor)->get('/search/users/select?search=' . urlencode($viewer->email));
+
+        $resp->assertDontSee($viewer->name);
+    }
+
+    public function test_select_requires_right_permission()
+    {
+        $permissions = ['users-manage', 'restrictions-manage-own', 'restrictions-manage-all'];
+        $user = $this->getViewer();
+
+        foreach ($permissions as $permission) {
+            $resp = $this->actingAs($user)->get('/search/users/select?search=a');
+            $this->assertPermissionError($resp);
+
+            $this->giveUserPermissions($user, [$permission]);
+            $resp = $this->actingAs($user)->get('/search/users/select?search=a');
+            $resp->assertOk();
+            $user->roles()->delete();
+            $user->clearPermissionCache();
+        }
+    }
+
+    public function test_select_requires_logged_in_user()
+    {
+        $this->setSettings(['app-public' => true]);
+        $defaultUser = User::getDefault();
+        $this->giveUserPermissions($defaultUser, ['users-manage']);
+
+        $resp = $this->get('/search/users/select?search=a');
+        $this->assertPermissionError($resp);
+    }
+
+}