Fix user autocomplete for unauthenticated users accessing public projects

Closes #1955

CHANGELOG

 Please view this file on the master branch, on stable branches it's out of date.
 
 v 7.13.0 (unreleased)
+  - Fix user autocomplete for unauthenticated users accessing public projects (Stan Hu)
   - Fix redirection to home page URL for unauthorized users (Daniel Gerhardt)
   - Add branch switching support for graphs (Daniel Gerhardt)
   - Fix external issue tracker hook/test for HTTPS URLs (Daniel Gerhardt)

app/controllers/autocomplete_controller.rb

 class AutocompleteController < ApplicationController
+  skip_before_action :authenticate_user!, only: [:users]
+
   def users
     @users =
       if params[:project_id].present?
@@ -13,8 +15,10 @@ class AutocompleteController < ApplicationController
         if can?(current_user, :read_group, group)
           group.users
         end
-      else
+      elsif current_user
         User.all
+      else
+        User.none
       end
 
     @users = @users.search(params[:search]) if params[:search].present?

spec/controllers/autocomplete_controller_spec.rb

@@ -48,4 +48,28 @@ describe AutocompleteController do
     it { expect(body).to be_kind_of(Array) }
     it { expect(body.size).to eq User.count }
   end
+
+  context 'unauthenticated user' do
+    let(:project) { create(:project, :public) }
+    let(:body) { JSON.parse(response.body) }
+
+    describe 'GET #users with public project' do
+      before do
+        project.team << [user, :guest]
+        get(:users, project_id: project.id)
+      end
+
+      it { expect(body).to be_kind_of(Array) }
+      it { expect(body.size).to eq 1 }
+    end
+
+    describe 'GET #users with no project' do
+      before do
+        get(:users)
+      end
+
+      it { expect(body).to be_kind_of(Array) }
+      it { expect(body.size).to eq 0 }
+    end
+  end
 end