Merge branch '346247_authorize_auto_complete_action_for_vulnerabilities' into 'master'

Do not try to auto-complete vulnerabilities if the user is nil

See merge request gitlab-org/gitlab!75112

ee/app/finders/autocomplete/vulnerabilities_autocomplete_finder.rb

@@ -20,7 +20,7 @@ module Autocomplete
     DEFAULT_AUTOCOMPLETE_LIMIT = 5
 
     def execute
-      return ::Vulnerability.none unless vulnerable.feature_available?(:security_dashboard)
+      return ::Vulnerability.none unless current_user && vulnerable.feature_available?(:security_dashboard)
 
       ::Security::VulnerabilitiesFinder # rubocop: disable CodeReuse/Finder
         .new(vulnerable)

ee/spec/finders/autocomplete/vulnerabilities_autocomplete_finder_spec.rb

@@ -7,13 +7,21 @@ RSpec.describe Autocomplete::VulnerabilitiesAutocompleteFinder do
     let_it_be(:group, refind: true) { create(:group) }
     let_it_be(:project, refind: true) { create(:project, group: group) }
     let_it_be(:vulnerability) { create(:vulnerability, project: project) }
-    let(:params) { {} }
 
-    let_it_be(:user) { create(:user) }
+    let(:params) { {} }
 
     subject { described_class.new(user, vulnerable, params).execute }
 
     shared_examples 'autocomplete vulnerabilities finder' do
+      context 'when the given user is nil' do
+        let(:user) { nil }
+
+        it { is_expected.to be_empty }
+      end
+
+      context 'when the given user is not nil' do
+        let_it_be(:user) { create(:user) }
+
         context 'when user does not have access to project' do
           it { is_expected.to be_empty }
         end
@@ -70,6 +78,7 @@ RSpec.describe Autocomplete::VulnerabilitiesAutocompleteFinder do
           end
         end
       end
+    end
 
     context 'when vulnerable is project' do
       let(:vulnerable) { project }