diff --git a/app/controllers/autocomplete_controller.rb b/app/controllers/autocomplete_controller.rb
index 202e9da9eee..aa0268b8d62 100644
--- a/app/controllers/autocomplete_controller.rb
+++ b/app/controllers/autocomplete_controller.rb
@@ -1,34 +1,8 @@
 class AutocompleteController < ApplicationController
   skip_before_action :authenticate_user!, only: [:users]
+  before_action :find_users, only: [:users]
 
   def users
-    begin
-      @users =
-        if params[:project_id].present?
-          project = Project.find(params[:project_id])
-
-          if can?(current_user, :read_project, project)
-            project.team.users
-          end
-        elsif params[:group_id]
-          group = Group.find(params[:group_id])
-
-          if can?(current_user, :read_group, group)
-            group.users
-          end
-        elsif current_user
-          User.all
-        end
-    rescue ActiveRecord::RecordNotFound
-      if current_user
-        return render json: {}, status: 404
-      end
-    end
-
-    if @users.nil? && current_user.nil?
-      authenticate_user!
-    end
-
     @users ||= User.none
     @users = @users.search(params[:search]) if params[:search].present?
     @users = @users.active
@@ -49,4 +23,25 @@ class AutocompleteController < ApplicationController
     @user = User.find(params[:id])
     render json: @user, only: [:name, :username, :id], methods: [:avatar_url]
   end
+
+  private
+
+  def find_users
+    @users =
+      if params[:project_id].present?
+        project = Project.find(params[:project_id])
+        return render_404 unless can?(current_user, :read_project, project)
+
+        project.team.users
+      elsif params[:group_id].present?
+        group = Group.find(params[:group_id])
+        return render_404 unless can?(current_user, :read_group, group)
+
+        group.users
+      elsif current_user
+        User.all
+      else
+        User.none
+      end
+  end
 end
diff --git a/spec/controllers/autocomplete_controller_spec.rb b/spec/controllers/autocomplete_controller_spec.rb
index aa8d6cb807f..85379a8e984 100644
--- a/spec/controllers/autocomplete_controller_spec.rb
+++ b/spec/controllers/autocomplete_controller_spec.rb
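Review bot: `@users ||= User.none`, kept as context in `users`, is now a no-op: `find_users` runs as a before_action for this action and either assigns a relation in every branch (the `else` arm already yields `User.none`) or halts the chain via `render_404`, so the action never sees a nil `@users`. Either drop the line or keep it deliberately with a comment such as `# defensive fallback in case find_users is ever skipped for this action`. The body of `users` continues past the end of the hunk.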
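Review bot: `find_users` no longer handles `ActiveRecord::RecordNotFound` from `Project.find` / `Group.find`; the removed action body rescued it and rendered a 404 itself, so the 404 the updated spec expects for an unknown project now depends on a `rescue_from` defined outside this file (presumably in ApplicationController, which is not visible here). Looking the record up with `find_by` and folding the missing case into the existing guard keeps the not-found and not-authorized outcomes in one place and indistinguishable to the caller, without relying on a rescue defined elsewhere: `project = Project.find_by(id: params[:project_id])` followed by `return render_404 unless project && can?(current_user, :read_project, project)`, and the same shape for the group branch. It is also worth a one-line comment above `def find_users` noting that the `return render_404` inside the `@users = if ...` assignment is safe only because a before_action that renders halts the callback chain, so `users` never runs with `@users` unset.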
@@ -114,7 +114,7 @@ describe AutocompleteController do
         get(:users, project_id: project.id)
       end
 
-      it { expect(response.status).to eq(302) }
+      it { expect(response.status).to eq(404) }
     end
 
     describe 'GET #users with unknown project' do
@@ -122,7 +122,7 @@ describe AutocompleteController do
         get(:users, project_id: 'unknown')
       end
 
-      it { expect(response.status).to eq(302) }
+      it { expect(response.status).to eq(404) }
     end
 
     describe 'GET #users with inaccessible group' do
@@ -131,7 +131,7 @@ describe AutocompleteController do
         get(:users, group_id: user.namespace.id)
       end
 
-      it { expect(response.status).to eq(302) }
+      it { expect(response.status).to eq(404) }
     end
 
     describe 'GET #users with no project' do
@@ -139,7 +139,8 @@ describe AutocompleteController do
         get(:users)
       end
 
-      it { expect(response.status).to eq(302) }
+      it { expect(body).to be_kind_of(Array) }
+      it { expect(body.size).to eq 0 }
     end
   end
 end
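Review bot: In the last hunk the 'GET #users with no project' case drops its `response.status` assertion without a replacement, so the two new expectations only inspect the parsed body and would not notice a non-200 response as long as the body still parses to an empty array; add `it { expect(response.status).to eq(200) }` next to the two new `it` blocks. The setup that decides whether this example runs anonymously or signed in is outside the hunk, so it is not clear from here that the anonymous-with-no-project path — the one whose behaviour changed from a login redirect to an empty list — is the one being covered.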