-rw-r--r--lib/gitlab/search_results.rb2
-rw-r--r--spec/lib/gitlab/search_results_spec.rb8
2 files changed, 10 insertions, 0 deletions
diff --git a/lib/gitlab/search_results.rb b/lib/gitlab/search_results.rb
index dd8854a89d4..301d5e326d9 100644
--- a/lib/gitlab/search_results.rb
+++ b/lib/gitlab/search_results.rb
@@ -138,6 +138,8 @@ module Gitlab
# rubocop: enable CodeReuse/ActiveRecord
def users
+ return User.none unless Ability.allowed?(current_user, :read_users_list)
+
UsersFinder.new(current_user, search: query).execute
end
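Review bot: The new guard in `users` carries no comment explaining why the `:read_users_list` check sits in the caller and not in `UsersFinder`, so another caller of the finder could omit it unnoticed. I would add a comment above the guard such as `# Users are only searchable with the global :read_users_list ability; User.none keeps the return value a chainable relation.` Whether `UsersFinder` enforces the ability itself is not visible in this hunk, so it is worth confirming that other entry points to the finder apply the same check. Any users count shown in the search UI should also be derived from this method, so that a denied caller cannot infer matches from a non-zero count; that code is outside the hunk.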
diff --git a/spec/lib/gitlab/search_results_spec.rb b/spec/lib/gitlab/search_results_spec.rb
index 1a42fd36de0..4b57eecff93 100644
--- a/spec/lib/gitlab/search_results_spec.rb
+++ b/spec/lib/gitlab/search_results_spec.rb
@@ -123,6 +123,14 @@ describe Gitlab::SearchResults do
end
describe '#users' do
+ it 'does not call the UsersFinder when the current_user is not allowed to read users list' do
+ allow(Ability).to receive(:allowed?).and_return(false)
+
+ expect(UsersFinder).not_to receive(:new).with(user, search: 'foo').and_call_original
+
+ results.objects('users')
+ end
+
it 'calls the UsersFinder' do
expect(UsersFinder).to receive(:new).with(user, search: 'foo').and_call_original
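Review bot: The added example stubs `Ability.allowed?` to return false for every ability and only asserts that `UsersFinder.new` is not called with `(user, search: 'foo')`, so it never pins the behaviour that matters: a denied user gets no users back. I would scope the stub to the ability under test, `allow(Ability).to receive(:allowed?).and_call_original` followed by `allow(Ability).to receive(:allowed?).with(user, :read_users_list).and_return(false)`, and assert the result with `expect(results.objects('users')).to be_empty`. The `.with(...)` and `.and_call_original` on the negative expectation add nothing to the assertion, and the `.with(...)` may narrow it to that exact argument list; `expect(UsersFinder).not_to receive(:new)` is the stricter form. The following example, 'calls the UsersFinder', continues past the end of the hunk.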