2 files changed, 7 insertions, 4 deletions

diff --git a/app/controllers/graphql_controller.rb b/app/controllers/graphql_controller.rb
index 6681182ba3e..7b5dc22815c 100644
--- a/app/controllers/graphql_controller.rb
+++ b/app/controllers/graphql_controller.rb
@@ -39,7 +39,7 @@ class GraphqlController < ApplicationController
   private
 
   def authorize_access_api!
-    render_404 unless can?(current_user, :access_api)
+    access_denied!("API not accessible for user.") unless can?(current_user, :access_api)
   end
 
   # Overridden from the ApplicationController to make the response look like
diff --git a/spec/controllers/graphql_controller_spec.rb b/spec/controllers/graphql_controller_spec.rb
index b071d01de5d..c19a752b07b 100644
--- a/spec/controllers/graphql_controller_spec.rb
+++ b/spec/controllers/graphql_controller_spec.rb
@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 require 'spec_helper'
 
 describe GraphqlController do
@@ -19,15 +21,16 @@ describe GraphqlController do
         expect(response).to have_gitlab_http_status(200)
       end
 
-      it 'returns 404 when user cannot access API' do
+      it 'returns access denied template when user cannot access API' do
         # User cannot access API in a couple of cases
         # * When user is internal(like ghost users)
         # * When user is blocked
-        allow(Ability).to receive(:allowed?).with(user, :access_api, :global).and_return(false)
+        expect(Ability).to receive(:allowed?).with(user, :access_api, :global).and_return(false)
 
         post :execute
 
-        expect(response).to have_gitlab_http_status(404)
+        expect(response.status).to eq(403)
+        expect(response).to render_template('errors/access_denied')
       end
     end