Requesting `/api/user/admin/ip` as a regular (logged-in) user should return a permission error, but instead it returns all IP addresses belonging to `admin`.
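The missing check, modelled as an added Python example (not the project's code): a handler with the reported behaviour, a handler with an object-level authorization check, and a regression check that tries every non-admin caller against every other user. The handler names, user table and IP addresses are hypothetical and constructed for illustration.

```python
# Added illustration: a hypothetical in-memory model, not the project's code.
# Constructed sample data; addresses come from documentation ranges.
USERS = {
    "admin": {"is_admin": True, "ips": ["192.0.2.10", "198.51.100.7"]},
    "alice": {"is_admin": False, "ips": ["203.0.113.25"]},
    "bob": {"is_admin": False, "ips": ["203.0.113.80"]},
}


def get_ips_vulnerable(caller, target):
    """Reported behaviour: any logged-in caller may read any user's IPs."""
    if caller not in USERS:
        return 401, None
    if target not in USERS:
        return 404, None
    return 200, list(USERS[target]["ips"])


def get_ips_fixed(caller, target):
    """Object-level check: caller must be the target or an administrator."""
    if caller not in USERS:
        return 401, None
    # Authorize before looking the target up, so a refused caller cannot
    # tell existing usernames from missing ones by the status code.
    if caller != target and not USERS[caller]["is_admin"]:
        return 403, None
    if target not in USERS:
        return 404, None
    return 200, list(USERS[target]["ips"])


def cross_user_leaks(handler):
    """Regression check: list (caller, target) pairs where a non-admin
    caller received another user's addresses."""
    leaks = []
    for caller, record in USERS.items():
        if record["is_admin"]:
            continue
        for target in USERS:
            status, _ = handler(caller, target)
            if target != caller and status == 200:
                leaks.append((caller, target))
    return leaks


if __name__ == "__main__":
    print("vulnerable:", cross_user_leaks(get_ips_vulnerable))
    print("fixed:", cross_user_leaks(get_ips_fixed))
```

Run as a test against the real endpoint, the same loop catches a regression if the authorization check is later removed or bypassed.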