Diffstat (limited to 'app/finders/environment_names_finder.rb')
-rw-r--r-- | app/finders/environment_names_finder.rb | 18 |
1 files changed, 14 insertions, 4 deletions
diff --git a/app/finders/environment_names_finder.rb b/app/finders/environment_names_finder.rb
index a92998921c7..e9063ef4c90 100644
--- a/app/finders/environment_names_finder.rb
+++ b/app/finders/environment_names_finder.rb
@@ -13,7 +13,7 @@ class EnvironmentNamesFinder
 attr_reader :project_or_group, :current_user
- def initialize(project_or_group, current_user)
+ def initialize(project_or_group, current_user = nil)
 @project_or_group = project_or_group
 @current_user = current_user
 end
@@ -31,14 +31,24 @@ class EnvironmentNamesFinder
 end
 def namespace_environments
- projects =
- project_or_group.all_projects.public_or_visible_to_user(current_user)
+ # We assume reporter access is needed for the :read_environment permission
+ # here. This expection is also present in
+ # IssuableFinder::Params#min_access_level, which is used for filtering out
+ # merge requests that don't have the right permissions.
+ #
+ # We use this approach so we don't need to load every project into memory
+ # just to verify if we can see their environments. Doing so would not be
+ # efficient, and possibly mess up pagination if certain projects are not
+ # meant to be visible.
+ projects = project_or_group
+ .all_projects
+ .public_or_visible_to_user(current_user, Gitlab::Access::REPORTER)
 Environment.for_project(projects)
 end
 def project_environments
- if current_user.can?(:read_environment, project_or_group)
+ if Ability.allowed?(current_user, :read_environment, project_or_group)
 project_or_group.environments
 else
 Environment.none |
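Review bot: In the second hunk, `namespace_environments` authorises by a fixed access level (`Gitlab::Access::REPORTER`) while `project_environments` asks the policy through `Ability.allowed?(current_user, :read_environment, project_or_group)`, so the two paths can disagree whenever `:read_environment` depends on more than the member's role. The added comment records the assumption but nothing enforces it; a spec asserting that a group member below reporter gets no names and a reporter does would make a later policy change fail loudly instead of silently widening or narrowing the result. It is also worth confirming how `public_or_visible_to_user` treats public projects when a minimum level is passed (its body is not visible here): if it still returns them for non-members, and now for the `nil` user the first hunk allows, environment names from public projects with member-only environments could be listed. Minor: "expection" in the new comment should read "expectation". The body of `project_environments` closes outside the hunk.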