Bitbucket Data Center / BSERV-7242

Limit @ mention list to authorized users

Details

    • We collect Bitbucket feedback from various sources, and we evaluate what we've collected when planning our product roadmap. To understand how this piece of feedback will be reviewed, see our Implementation of New Features Policy.

    Description

      It looks like the update behavior is that only licensed users will be listed with the mention, but this doesn't take the limit far enough. Users who don't have permissions to a project shouldn't be available for mentions in the context of that project. For us this is a security issue; for most, this is still bad UI. It'll only create confusion and concern from a security perspective (the inevitable question will be: does this person have access to our project? Why do they show up here?). This also creates the possibility of leaking sensitive client information. We're hosting multiple clients with this application and it would allow them to search for each other, which is a problem for us.

            People

              Assignee: Unassigned
              Reporter: Eric Rutherford
              Votes: 2
              Watchers: 5