Better handle unknown projects and groups for autocomplete

app/controllers/autocomplete_controller.rb

@@ -2,6 +2,7 @@ class AutocompleteController < ApplicationController
   skip_before_action :authenticate_user!, only: [:users]
 
   def users
+    begin
       @users =
         if params[:project_id].present?
           project = Project.find(params[:project_id])
@@ -17,10 +18,18 @@ class AutocompleteController < ApplicationController
           end
         elsif current_user
           User.all
-      else
-        User.none
+        end
+    rescue ActiveRecord::RecordNotFound
+      if current_user
+        return render json: {}, status: 404
+      end
+    end
+
+    if @users.nil? && current_user.nil?
+      authenticate_user!
     end
 
+    @users ||= User.none
     @users = @users.search(params[:search]) if params[:search].present?
     @users = @users.active
     @users = @users.page(params[:page]).per(PER_PAGE)

spec/controllers/autocomplete_controller_spec.rb

@@ -9,34 +9,58 @@ describe AutocompleteController do
     before do
       sign_in(user)
       project.team << [user, :master]
-
-      get(:users, project_id: project.id)
     end
 
     let(:body) { JSON.parse(response.body) }
 
+    describe 'GET #users with project ID' do
+      before do
+        get(:users, project_id: project.id)
+      end
+
       it { expect(body).to be_kind_of(Array) }
       it { expect(body.size).to eq 1 }
       it { expect(body.first["username"]).to eq user.username }
     end
 
+    describe 'GET #users with unknown project' do
+      before do
+        get(:users, project_id: 'unknown')
+      end
+
+      it { expect(response.status).to eq(404) }
+    end
+  end
+
   context 'group members' do
     let(:group) { create(:group) }
 
     before do
       sign_in(user)
       group.add_owner(user)
-
-      get(:users, group_id: group.id)
     end
 
     let(:body) { JSON.parse(response.body) }
 
+    describe 'GET #users with group ID' do
+      before do
+        get(:users, group_id: group.id)
+      end
+
       it { expect(body).to be_kind_of(Array) }
       it { expect(body.size).to eq 1 }
       it { expect(body.first["username"]).to eq user.username }
     end
 
+    describe 'GET #users with unknown group ID' do
+      before do
+        get(:users, group_id: 'unknown')
+      end
+
+      it { expect(response.status).to eq(404) }
+    end
+  end
+
   context 'all users' do
     before do
       sign_in(user)
@@ -50,26 +74,50 @@ describe AutocompleteController do
   end
 
   context 'unauthenticated user' do
-    let(:project) { create(:project, :public) }
+    let(:public_project) { create(:project, :public) }
     let(:body) { JSON.parse(response.body) }
 
     describe 'GET #users with public project' do
       before do
-        project.team << [user, :guest]
-        get(:users, project_id: project.id)
+        public_project.team << [user, :guest]
+        get(:users, project_id: public_project.id)
       end
 
       it { expect(body).to be_kind_of(Array) }
       it { expect(body.size).to eq 1 }
     end
 
+    describe 'GET #users with project' do
+      before do
+        get(:users, project_id: project.id)
+      end
+
+      it { expect(response.status).to eq(302) }
+    end
+
+    describe 'GET #users with unknown project' do
+      before do
+        get(:users, project_id: 'unknown')
+      end
+
+      it { expect(response.status).to eq(302) }
+    end
+
+    describe 'GET #users with inaccessible group' do
+      before do
+        project.team << [user, :guest]
+        get(:users, group_id: user.namespace.id)
+      end
+
+      it { expect(response.status).to eq(302) }
+    end
+
     describe 'GET #users with no project' do
       before do
         get(:users)
       end
 
-      it { expect(body).to be_kind_of(Array) }
-      it { expect(body.size).to eq 0 }
+      it { expect(response.status).to eq(302) }
     end
   end
 end