authorAlexis Reigel <alexis.reigel.ext@siemens.com>2018-12-18 13:51:26 +0100
committerAlexis Reigel <alexis.reigel.ext@siemens.com>2019-03-14 18:21:03 +0100
commit4c684a8d5c5432a720577486451830f085994fd3 (patch)
treec408379de0a7871d6e85ea8d234dc147e45ffcf4
parentb4437cfaecfcd0f48079a2027920e828ea1c7e48 (diff)
check ability for user search results
-rw-r--r--lib/gitlab/search_results.rb2
-rw-r--r--spec/lib/gitlab/search_results_spec.rb8
2 files changed, 10 insertions, 0 deletions
diff --git a/lib/gitlab/search_results.rb b/lib/gitlab/search_results.rb
index dd8854a89d4..301d5e326d9 100644
--- a/lib/gitlab/search_results.rb
+++ b/lib/gitlab/search_results.rb
@@ -138,6 +138,8 @@ module Gitlab
# rubocop: enable CodeReuse/ActiveRecord
def users
+ return User.none unless Ability.allowed?(current_user, :read_users_list)
+
UsersFinder.new(current_user, search: query).execute
end
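Review bot: The new guard at the top of `users` is the authorization point for user search, but nothing says why it returns an empty relation rather than raising. I would add a comment above it such as `# Enforce :read_users_list here; return an empty relation so callers that count or paginate still get a relation back.` Whether every path to user results goes through this method cannot be seen from the hunk, so any count or finder call elsewhere in the class that bypasses `users` would presumably need the same check. The class body continues outside the hunk.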
diff --git a/spec/lib/gitlab/search_results_spec.rb b/spec/lib/gitlab/search_results_spec.rb
index 1a42fd36de0..4b57eecff93 100644
--- a/spec/lib/gitlab/search_results_spec.rb
+++ b/spec/lib/gitlab/search_results_spec.rb
@@ -123,6 +123,14 @@ describe Gitlab::SearchResults do
end
describe '#users' do
+ it 'does not call the UsersFinder when the current_user is not allowed to read users list' do
+ allow(Ability).to receive(:allowed?).and_return(false)
+
+ expect(UsersFinder).not_to receive(:new).with(user, search: 'foo').and_call_original
+
+ results.objects('users')
+ end
+
it 'calls the UsersFinder' do
expect(UsersFinder).to receive(:new).with(user, search: 'foo').and_call_original
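Review bot: The negative expectation in the new example is narrower than the behaviour it is meant to pin, because `not_to receive(:new).with(user, search: 'foo')` still passes if `UsersFinder.new` is called with any other arguments, and `.and_call_original` does nothing useful on a message that must not arrive. I would write `expect(UsersFinder).not_to receive(:new)` and also assert the outcome with `expect(results.objects('users')).to be_empty`, so the example fails if user records come back by another path. The stub `allow(Ability).to receive(:allowed?).and_return(false)` denies every ability, so the example would not notice a guard that checked the wrong one; constraining it with `.with(user, :read_users_list)` would tighten that, provided no other ability checks run on this path. The `describe '#users'` block continues outside the hunk.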