Check can :read_clusters in finder

This is in addtion to the can checks we have in the controller, as a
finder can be used elsewhere in the future.

app/finders/cluster_ancestors_finder.rb

 # frozen_string_literal: true
 
 class ClusterAncestorsFinder
-  def initialize(clusterable, user)
+  def initialize(clusterable, current_user)
     @clusterable = clusterable
-    @user = user
+    @current_user = current_user
   end
 
   def execute
+    return [] unless can_read_clusters?
+
     clusterable.clusters + ancestor_clusters
   end
 
   private
 
-  attr_reader :clusterable, :user
+  attr_reader :clusterable, :current_user
+
+  def can_read_clusters?
+    Ability.allowed?(current_user, :read_cluster, clusterable)
+  end
 
   def ancestor_clusters
     Clusters::Cluster.ancestor_clusters_for_clusterable(clusterable)

spec/finders/cluster_ancestors_finder_spec.rb

@@ -20,6 +20,10 @@ describe ClusterAncestorsFinder, '#execute' do
   context 'for a project' do
     let(:clusterable) { project }
 
+    before do
+      project.add_maintainer(user)
+    end
+
     it 'returns the project clusters followed by group clusters' do
       is_expected.to eq([project_cluster, group_cluster])
     end
@@ -38,9 +42,21 @@ describe ClusterAncestorsFinder, '#execute' do
     end
   end
 
+  context 'user cannot read clusters for clusterable' do
+    let(:clusterable) { project }
+
+    it 'returns nothing' do
+      is_expected.to be_empty
+    end
+  end
+
   context 'for a group' do
     let(:clusterable) { group }
 
+    before do
+      group.add_maintainer(user)
+    end
+
     it 'returns the list of group clusters' do
       is_expected.to eq([group_cluster])
     end