return 400 on users search and feature is disabled

as the params block is evaluated when loading the class and the db
connection is not available yet we can't use the feature toggle inside
that block.

lib/api/search.rb

@@ -53,15 +53,14 @@ module API
         # EE, without having to modify this file directly.
       end
 
-      params :scope do |options|
+      def check_users_search_allowed!
-        scope_entities =
+        if Feature.disabled?(:users_search, default_enabled: true) && params[:scope].to_sym == :users
-          if Feature.enabled?(:users_search, default_enabled: true)
+          render_api_error!({ error: _("Scope not supported with disabled 'users_search' feature!") }, 400)
-            SCOPE_ENTITY
+        end
-          else
+      end
-            SCOPE_ENTITY.reject { |key, value| key == :users }
-          end
 
-        values = scope_entities.stringify_keys.slice(*options[:values]).keys
+      params :scope do |options|
+        values = SCOPE_ENTITY.stringify_keys.slice(*options[:values]).keys
 
         requires :scope,
           type: String,
@@ -81,6 +80,7 @@ module API
       end
       get do
         verify_search_scope!
+        check_users_search_allowed!
 
         present search, with: entity
       end
@@ -98,6 +98,7 @@ module API
       end
       get ':id/(-/)search' do
         verify_search_scope!
+        check_users_search_allowed!
 
         present search(group_id: user_group.id), with: entity
       end
@@ -114,6 +115,8 @@ module API
         use :pagination
       end
       get ':id/(-/)search' do
+        check_users_search_allowed!
+
         present search(project_id: user_project.id), with: entity
       end
     end

locale/gitlab.pot

@@ -6632,6 +6632,9 @@ msgstr ""
 msgid "Scope"
 msgstr ""
 
+msgid "Scope not supported with disabled 'users_search' feature!"
+msgstr ""
+
 msgid "Scroll down to <strong>Google Code Project Hosting</strong> and enable the switch on the right."
 msgstr ""
 

spec/requests/api/search_spec.rb

@@ -81,10 +81,22 @@ describe API::Search do
         before do
           create(:user, name: 'billy')
 
-          get api('/search', user), scope: 'users', search: 'billy'
+          get api('/search', user), params: { scope: 'users', search: 'billy' }
         end
 
         it_behaves_like 'response is correct', schema: 'public_api/v4/user/basics'
+
+        context 'when users search feature is disabled' do
+          before do
+            allow(Feature).to receive(:disabled?).with(:users_search, default_enabled: true).and_return(true)
+
+            get api('/search', user), params: { scope: 'users', search: 'billy' }
+          end
+
+          it 'returns 400 error' do
+            expect(response).to have_gitlab_http_status(400)
+          end
+        end
       end
 
       context 'for snippet_titles scope' do
@@ -203,15 +215,27 @@ describe API::Search do
         it_behaves_like 'response is correct', schema: 'public_api/v4/milestones'
       end
 
-      context 'for user scope' do
+      context 'for users scope' do
         before do
           user = create(:user, name: 'billy')
           create(:group_member, :developer, user: user, group: group)
 
-          get api("/groups/#{group.id}/search", user), scope: 'users', search: 'billy'
+          get api("/groups/#{group.id}/search", user), params: { scope: 'users', search: 'billy' }
         end
 
         it_behaves_like 'response is correct', schema: 'public_api/v4/user/basics'
+
+        context 'when users search feature is disabled' do
+          before do
+            allow(Feature).to receive(:disabled?).with(:users_search, default_enabled: true).and_return(true)
+
+            get api("/groups/#{group.id}/search", user), params: { scope: 'users', search: 'billy' }
+          end
+
+          it 'returns 400 error' do
+            expect(response).to have_gitlab_http_status(400)
+          end
+        end
       end
 
       context 'for users scope with group path as id' do
@@ -219,7 +243,7 @@ describe API::Search do
           user1 = create(:user, name: 'billy')
           create(:group_member, :developer, user: user1, group: group)
 
-          get api("/groups/#{CGI.escape(group.full_path)}/search", user), scope: 'users', search: 'billy'
+          get api("/groups/#{CGI.escape(group.full_path)}/search", user), params: { scope: 'users', search: 'billy' }
         end
 
         it_behaves_like 'response is correct', schema: 'public_api/v4/user/basics'
@@ -306,10 +330,22 @@ describe API::Search do
           user1 = create(:user, name: 'billy')
           create(:project_member, :developer, user: user1, project: project)
 
-          get api("/projects/#{project.id}/search", user), scope: 'users', search: 'billy'
+          get api("/projects/#{project.id}/search", user), params: { scope: 'users', search: 'billy' }
         end
 
         it_behaves_like 'response is correct', schema: 'public_api/v4/user/basics'
+
+        context 'when users search feature is disabled' do
+          before do
+            allow(Feature).to receive(:disabled?).with(:users_search, default_enabled: true).and_return(true)
+
+            get api("/projects/#{project.id}/search", user), params: { scope: 'users', search: 'billy' }
+          end
+
+          it 'returns 400 error' do
+            expect(response).to have_gitlab_http_status(400)
+          end
+        end
       end
 
       context 'for notes scope' do