1 files changed, 20 insertions, 0 deletions

diff --git a/spec/requests/api/users_spec.rb b/spec/requests/api/users_spec.rb
index a879426589d..b84202364e1 100644
--- a/spec/requests/api/users_spec.rb
+++ b/spec/requests/api/users_spec.rb
@@ -68,6 +68,13 @@ describe API::Users do
         expect(json_response.size).to eq(0)
       end
 
+      it "does not return the highest role" do
+        get api("/users"), params: { username: user.username }
+
+        expect(response).to match_response_schema('public_api/v4/user/basics')
+        expect(json_response.first.keys).not_to include 'highest_role'
+      end
+
       context "when public level is restricted" do
         before do
           stub_application_setting(restricted_visibility_levels: [Gitlab::VisibilityLevel::PUBLIC])
@@ -286,6 +293,13 @@ describe API::Users do
       expect(json_response.keys).not_to include 'is_admin'
     end
 
+    it "does not return the user's `highest_role`" do
+      get api("/users/#{user.id}", user)
+
+      expect(response).to match_response_schema('public_api/v4/user/basic')
+      expect(json_response.keys).not_to include 'highest_role'
+    end
+
     context 'when authenticated as admin' do
       it 'includes the `is_admin` field' do
         get api("/users/#{user.id}", admin)
@@ -300,6 +314,12 @@ describe API::Users do
         expect(response).to match_response_schema('public_api/v4/user/admin')
         expect(json_response.keys).to include 'created_at'
       end
+      it 'includes the `highest_role` field' do
+        get api("/users/#{user.id}", admin)
+
+        expect(response).to match_response_schema('public_api/v4/user/admin')
+        expect(json_response['highest_role']).to be(0)
+      end
     end
 
     context 'for an anonymous user' do