FEATURE: Hide suspended users from site-wide search to regular users (#14245)

config/locales/server.en.yml

@@ -1801,7 +1801,7 @@ en:
     external_emoji_url: "URL of the external service for emoji images. Leave blank to disable."
     use_site_small_logo_as_system_avatar: "Use the site's small logo instead of the system user's avatar. Requires the logo to be present."
     restrict_letter_avatar_colors: "A list of 6-digit hexadecimal color values to be used for letter avatar background."
-
+    enable_listing_suspended_users_on_search: "Enable regular users to find suspended users."
     selectable_avatars_enabled: "Force users to choose an avatar from the list."
     selectable_avatars: "List of avatars users can choose from."
 

config/site_settings.yml

@@ -2197,6 +2197,9 @@ uncategorized:
   use_site_small_logo_as_system_avatar:
     default: true
 
+  enable_listing_suspended_users_on_search:
+    default: false
+
   disable_system_edit_notifications: true
 
   notification_consolidation_threshold:

lib/search.rb

@@ -758,11 +758,11 @@ class Search
       # calling protected methods
       send("#{@results.type_filter}_search")
     else
-      unless @search_context
+      if @term.present? && !@search_context
-        user_search if @term.present?
+        user_search
-        category_search if @term.present?
+        category_search
-        tags_search if @term.present?
+        tags_search
-        groups_search if @term.present?
+        groups_search
       end
       topic_search
     end
@@ -832,6 +832,10 @@ class Search
       .order("last_posted_at DESC")
       .limit(limit)
 
+    if !SiteSetting.enable_listing_suspended_users_on_search && !@guardian.user&.admin
+      users = users.where(suspended_at: nil)
+    end
+
     users_custom_data_query = DB.query(<<~SQL, user_ids: users.pluck(:id), term: "%#{@original_term.downcase}%")
       SELECT user_custom_fields.user_id, user_fields.name, user_custom_fields.value FROM user_custom_fields
       INNER JOIN user_fields ON user_fields.id = REPLACE(user_custom_fields.name, 'user_field_', '')::INTEGER AND user_fields.searchable IS TRUE

spec/lib/search_spec.rb

@@ -165,6 +165,33 @@ describe Search do
         { name: "another custom field", value: "second user test" }
       ])
     end
+
+    context "when using SiteSetting.enable_listing_suspended_users_on_search" do
+      fab!(:suspended_user) { Fabricate(:user, username: 'revolver_ocelot', suspended_at: Time.now, suspended_till: 5.days.from_now) }
+
+      before { SearchIndexer.index(suspended_user, force: true) }
+
+      it "should list suspended users to regular users if the setting is enabled" do
+        SiteSetting.enable_listing_suspended_users_on_search = true
+
+        result = Search.execute("revolver_ocelot", guardian: Guardian.new(user))
+        expect(result.users).to contain_exactly(suspended_user)
+      end
+
+      it "shouldn't list suspended users to regular users if the setting is disabled" do
+        SiteSetting.enable_listing_suspended_users_on_search = false
+
+        result = Search.execute("revolver_ocelot", guardian: Guardian.new(user))
+        expect(result.users).to be_empty
+      end
+
+      it "should list suspended users to admins regardless of the setting" do
+        SiteSetting.enable_listing_suspended_users_on_search = false
+
+        result = Search.execute("revolver_ocelot", guardian: Guardian.new(Fabricate(:admin)))
+        expect(result.users).to contain_exactly(suspended_user)
+      end
+    end
   end
 
   context "categories" do