Describe the bug
Whenever a user is created they are assigned a UID of last UID +1, i.e., the Admin user is user 1, the next user created is 2, the next 3, and so on and so forth.
This means that you can query the database and build an entire replica of every user (including profile pictures) by simply visiting url.com/bookstack/user/1, url.com/bookstack/user/2 and so forth. There aren't any email addresses or login details exposed, but I would suggest this isn't particularly good practice, exposing so much data in this way.
Expected behavior
Each user should be provided a non-sequential UID, a randomly generated number of reasonable length.
BoxedBrain
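As an added defender-side example (not code from the issue or from the BookStack project), a small Python detector that reads constructed web access-log lines and flags clients walking consecutive `/user/N` profile URLs, which is the enumeration pattern the report describes. The log format, IP addresses and `min_run` threshold are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample access-log lines (not taken from the issue). The path
# shape mirrors the url.com/bookstack/user/1, /user/2, ... pattern reported.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2024:10:00:01 +0000] "GET /bookstack/user/1 HTTP/1.1" 200 512
10.0.0.5 - - [01/Jan/2024:10:00:02 +0000] "GET /bookstack/user/2 HTTP/1.1" 200 498
10.0.0.5 - - [01/Jan/2024:10:00:03 +0000] "GET /bookstack/user/3 HTTP/1.1" 200 501
10.0.0.5 - - [01/Jan/2024:10:00:04 +0000] "GET /bookstack/user/4 HTTP/1.1" 200 477
10.0.0.5 - - [01/Jan/2024:10:00:05 +0000] "GET /bookstack/user/5 HTTP/1.1" 404 120
10.0.0.9 - - [01/Jan/2024:10:00:06 +0000] "GET /bookstack/user/7 HTTP/1.1" 200 503
10.0.0.9 - - [01/Jan/2024:10:05:00 +0000] "GET /bookstack/books HTTP/1.1" 200 2048
"""

# Common/combined log format: client IP, then the quoted request line.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<path>\S+)')
# Numeric profile id directly after /user/ (404s count too: failed probes are still probes).
USER_RE = re.compile(r'/user/(\d+)(?:/|$)')

def parse_user_ids(log_text):
    """Return {client_ip: [user_id, ...]} in request order for hits on /user/<id>."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        u = USER_RE.search(m.group('path'))
        if u:
            hits[m.group('ip')].append(int(u.group(1)))
    return hits

def longest_sequential_run(ids):
    """Length of the longest run of strictly consecutive ids (each = previous + 1)."""
    best = run = 1 if ids else 0
    for prev, cur in zip(ids, ids[1:]):
        run = run + 1 if cur == prev + 1 else 1
        best = max(best, run)
    return best

def flag_enumeration(log_text, min_run=4):
    """Return {client_ip: run_length} for clients that walked >= min_run consecutive ids."""
    runs = {ip: longest_sequential_run(ids) for ip, ids in parse_user_ids(log_text).items()}
    return {ip: n for ip, n in runs.items() if n >= min_run}

if __name__ == "__main__":
    print(flag_enumeration(SAMPLE_LOG))  # {'10.0.0.5': 5}
```

Because sequential ids make a complete walk cheap, the same check is worth running even after switching to random identifiers, since it also catches scripted scraping of any guessable path.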