REST API: When limit parameter is used on user resource /rest/api/1.0/users unreliable results are retrieved

Issue Summary

When limit parameter is used less results than expected are retrieved.

Environment

• Bitbucket 5.9.1

Steps to Reproduce

1. A local instance has 1753 users:
   
   3 of them are granted direct global permission, one having System Admin permission and the other 2 having Bitbucket User permission:
   
   6 of them are granted indirect Bitbucket User permission by belonging to stash-users group that has Bitbucket User permission:
   
   Notes:
   User fkraemer shows up twice because this user is given direct permission as System Admin and indirect permission via group membership as Bitbucket User.
2. All the other users are unlicensed.
3. Running the following REST API retrieves 8 users, as expected:

    curl -u fkraemer -X GET -H "Content=Type: application/json" 'http://localhost:7990/rest/api/1.0/users?permission=LICENSED_USER'
   Enter host password for user 'fkraemer':
   
   {"size":8,"limit":25,"isLastPage":true,"values":[{"name":"admrodrigo","emailAddress":"admin@admin.com","id":162,"displayName":"Rodrigo Adami","active":true,"slug":"admrodrigo","type":"NORMAL","links":{"self":[{"href":"http://localhost:7990/users/admrodrigo"}]}},{"name":"bamboo.user0000","emailAddress":"bamboo.user0000@atlassian.com","id":1312,"displayName":"bamboo.user0000","active":true,"slug":"bamboo.user0000","type":"NORMAL","links":{"self":[{"href":"http://localhost:7990/users/bamboo.user0000"}]}},{"name":"bitbuckettest","emailAddress":"","id":986,"displayName":"Bit Bucket","active":true,"slug":"bitbuckettest","type":"NORMAL","links":{"self":[{"href":"http://localhost:7990/users/bitbuckettest"}]}},{"name":"bob","emailAddress":"brosa@atlassian.com","id":1095,"displayName":"bob test","active":true,"slug":"bob","type":"NORMAL","links":{"self":[{"href":"http://localhost:7990/users/bob"}]}},{"name":"fkraemer","emailAddress":"fkraemer@atlassian.com","id":1,"displayName":"Felipe Kraemer","active":true,"slug":"fkraemer","type":"NORMAL","links":{"self":[{"href":"http://localhost:7990/users/fkraemer"}]}},{"name":"JoaoP1","emailAddress":"jpalharini@atlassian.com","id":878,"displayName":"Joao P 1","active":true,"slug":"joaop1","type":"NORMAL","links":{"self":[{"href":"http://localhost:7990/users/joaop1"}]}},{"name":"rmadalozzo-ldap","emailAddress":"","id":1049,"displayName":"Rodrigo Mada","active":true,"slug":"rmadalozzo-ldap","type":"NORMAL","links":{"self":[{"href":"http://localhost:7990/users/rmadalozzo-ldap"}]}},{"name":"user1","emailAddress":"user1@atlassian.com","id":52,"displayName":"User One","active":true,"slug":"user1","type":"NORMAL","links":{"self":[{"href":"http://localhost:7990/users/user1"}]}}],"start":0}
   

   This is because users having LICENSED_USER permission have been retrieved, so the user fkraemer which has direct System Admin permission was not included in the result.

4. However, if ?limit=10000 (which is higher than the number of users) is appended to the end of the request URL, only 2 users are retrieved:

   curl -u fkraemer -X GET -H "Content=Type: application/json" 'http://localhost:7990/rest/api/1.0/users?permission=LICENSED_USER&limit=10000'
   Enter host password for user 'fkraemer':
   {"size":2,"limit":10000,"isLastPage":true,"values":[{"name":"admrodrigo","emailAddress":"admin@admin.com","id":162,"displayName":"Rodrigo Adami","active":true,"slug":"admrodrigo","type":"NORMAL","links":{"self":[{"href":"http://localhost:7990/users/admrodrigo"}]}},{"name":"bamboo.user0000","emailAddress":"bamboo.user0000@atlassian.com","id":1312,"displayName":"bamboo.user0000","active":true,"slug":"bamboo.user0000","type":"NORMAL","links":{"self":[{"href":"http://localhost:7990/users/bamboo.user0000"}]}}],"start":0}
   

Expected Results

The same 8 users should have been retrieved.

Actual Results

Only 2 users were retrieved.

Workaround

Use the endpoint /rest/api/1.0/admin/license suggested under Resolutions section of KB - How do I find which users count against my Bitbucket Server license?.