Harbor: /api/users list exposes password hashes as part of output

Created on 29 Jan 2019 · 3 comments · Source: goharbor/harbor

It seems like there's a difference between calling /api/users and /api/users/{id} where the former will actually return the salted password hash as part of the call:

curl -u admin:$password http://harbor.default.svc/api/users 2>/dev/null | jq
[
  {
    "user_id": 3,
    "username": "test-user",
    "email": "[email protected]",
    "password": "5f0312458e714970e39b9a45a4eccc74",
    "realname": "Test User",
    "comment": "",
    "deleted": false,
    "role_name": "",
    "role_id": 0,
    "has_admin_role": false,
    "reset_uuid": "",
    "creation_time": "2019-01-28T22:51:35Z",
    "update_time": "2019-01-28T22:51:35Z"
  }
]

vs.

/ # curl -u admin:$password http://harbor.default.svc/api/users/3 2>/dev/null | jq
{
  "user_id": 3,
  "username": "test-user",
  "email": "[email protected]",
  "password": "",
  "realname": "Test User",
  "comment": "",
  "deleted": false,
  "role_name": "",
  "role_id": 0,
  "has_admin_role": false,
  "reset_uuid": "",
  "creation_time": "2019-01-28T22:51:35Z",
  "update_time": "2019-01-28T22:51:35Z"
}

Note how password in the first call is set to a value while it is empty in the second call.

I would have expected these two calls to produce identical output to populate the user object. I'm assuming that the salted password hash is supposed to be removed from UserAPI.List() just like it is in UserAPI.Get(): https://github.com/goharbor/harbor/blob/master/src/core/api/user.go#L120.

The fix is fairly straightforward and I'm happy to contribute a fix, but I'd like to make sure that the password hashes aren't being exposed intentionally (for some reason!) before I do.

Steps to reproduce the problem:
See above for curl commands to reproduce.

Versions:

  • harbor version: [1.7.1]
Labels: kind/bug, target/1.8.0
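The fix the issue describes is to strip the password hash from every entry returned by the list endpoint, the same way the single-user endpoint already does. The Go below is an added illustration written for this page, not Harbor's own code: the User struct, sanitizeUsers, listUsersJSON and leaksPasswordHash are assumed names that model the response shown above, and the hash value in the sample store is a constructed placeholder. The leaksPasswordHash check is the kind of regression test that would have caught the discrepancy between the two endpoints.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// User mirrors the fields visible in the issue's /api/users output.
// Constructed for this example; not Harbor's models package.
type User struct {
	UserID       int    `json:"user_id"`
	Username     string `json:"username"`
	Email        string `json:"email"`
	Password     string `json:"password"`
	Realname     string `json:"realname"`
	HasAdminRole bool   `json:"has_admin_role"`
}

// sanitizeUsers clears the password hash from every user before the list is
// serialized, matching what the issue says UserAPI.Get() already does for a
// single user. It works on copies so the stored records are left untouched.
func sanitizeUsers(users []User) []User {
	out := make([]User, len(users))
	for i, u := range users {
		u.Password = "" // u is a copy; the caller's slice is not modified
		out[i] = u
	}
	return out
}

// listUsersJSON stands in for the list handler's response body: it always
// passes the records through sanitizeUsers before encoding.
func listUsersJSON(users []User) ([]byte, error) {
	return json.Marshal(sanitizeUsers(users))
}

// leaksPasswordHash is a regression check for the bug in this issue: decode a
// list response and report whether any entry still carries a non-empty
// password field.
func leaksPasswordHash(body []byte) (bool, error) {
	var users []User
	if err := json.Unmarshal(body, &users); err != nil {
		return false, err
	}
	for _, u := range users {
		if u.Password != "" {
			return true, nil
		}
	}
	return false, nil
}

func main() {
	// Constructed sample store; the hash is a placeholder, not a real credential.
	store := []User{{
		UserID:   3,
		Username: "test-user",
		Email:    "test-user@example.invalid",
		Password: "placeholder-hash",
		Realname: "Test User",
	}}
	body, err := listUsersJSON(store)
	if err != nil {
		panic(err)
	}
	leak, _ := leaksPasswordHash(body)
	fmt.Printf("%s\nleaks hash: %v\n", body, leak)
}
```

Running the check against the raw output of both endpoints shown in the report would flag the list call and pass the single-user call; once the list handler sanitizes its records the same way, both pass.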

All 3 comments

It's a bug, a fix will be appreciated!

Agreed – def a bug. Please feel free to submit a PR and we'll fast track it. Thanks!

Cool, expect a PR later today!
