Merge branch...

Merge branch '349706-the-users-username-exists-action-shouldn-t-be-available-when-gitlab-instance-doesn-t-allow' into 'master'

Prevent user exists route when GitLab instance doesn't allow registration

See merge request gitlab-org/gitlab!78490

app/controllers/users_controller.rb

@@ -148,7 +148,11 @@ class UsersController < ApplicationController
   end
 
   def exists
+    if Gitlab::CurrentSettings.signup_enabled? || current_user
       render json: { exists: !!Namespace.find_by_path_or_name(params[:username]) }
+    else
+      render json: { error: _('You must be authenticated to access this path.') }, status: :unauthorized
+    end
   end
 
   def follow

locale/gitlab.pot

@@ -41154,6 +41154,9 @@ msgstr ""
 msgid "You may close the milestone now."
 msgstr ""
 
+msgid "You must be authenticated to access this path."
+msgstr ""
+
 msgid "You must be logged in to search across all of GitLab"
 msgstr ""
 

spec/requests/users_controller_spec.rb

@@ -634,13 +634,13 @@ RSpec.describe UsersController do
   end
 
   describe 'GET #exists' do
+    context 'when user exists' do
       before do
         sign_in(user)
 
         allow(::Gitlab::ApplicationRateLimiter).to receive(:throttled?).and_return(false)
       end
 
-    context 'when user exists' do
       it 'returns JSON indicating the user exists' do
         get user_exists_url user.username
 
@@ -661,6 +661,15 @@ RSpec.describe UsersController do
     end
 
     context 'when the user does not exist' do
+      it 'will not show a signup page if registration is disabled' do
+        stub_application_setting(signup_enabled: false)
+        get user_exists_url 'foo'
+
+        expected_json = { error: "You must be authenticated to access this path." }.to_json
+        expect(response).to have_gitlab_http_status(:unauthorized)
+        expect(response.body).to eq(expected_json)
+      end
+
       it 'returns JSON indicating the user does not exist' do
         get user_exists_url 'foo'