Add latest changes from gitlab-org/security/gitlab@14-8-stable-ee

author: GitLab Bot <gitlab-bot@gitlab.com> 2022-02-25 19:54:51 +0300
committer: GitLab Bot <gitlab-bot@gitlab.com> 2022-02-25 19:54:51 +0300
commit: cdc3d9991b0cca2d2243bdf452f61aae40d778cd (patch)
tree: f05b5b8c2e3fd10e210c35637292f3d28ac6f510 /app
parent: e92c90758eb4126acc84962d37bb273d6d87b27b (diff)
1 files changed, 6 insertions, 3 deletions
diff --git a/app/graphql/resolvers/users_resolver.rb b/app/graphql/resolvers/users_resolver.rb
index c6de3dba41a..1424c14083d 100644
--- a/app/graphql/resolvers/users_resolver.rb
+++ b/app/graphql/resolvers/users_resolver.rb
@@ -29,7 +29,7 @@ module Resolvers
               description: 'Return only admin users.'
 
     def resolve(ids: nil, usernames: nil, sort: nil, search: nil, admins: nil)
-      authorize!
+      authorize!(usernames)
 
       ::UsersFinder.new(context[:current_user], finder_params(ids, usernames, sort, search, admins)).execute
     end
@@ -46,8 +46,11 @@ module Resolvers
       super
     end
 
-    def authorize!
-      Ability.allowed?(context[:current_user], :read_users_list) || raise_resource_not_available_error!
+    def authorize!(usernames)
+      authorized = Ability.allowed?(context[:current_user], :read_users_list)
+      authorized &&= usernames.present? if context[:current_user].blank?
+
+      raise_resource_not_available_error! unless authorized
     end
 
     private
author	GitLab Bot <gitlab-bot@gitlab.com>	2022-02-25 19:54:51 +0300
committer	GitLab Bot <gitlab-bot@gitlab.com>	2022-02-25 19:54:51 +0300
commit	cdc3d9991b0cca2d2243bdf452f61aae40d778cd (patch)
tree	f05b5b8c2e3fd10e210c35637292f3d28ac6f510 /app
parent	e92c90758eb4126acc84962d37bb273d6d87b27b (diff)