User lookup ajax call returns emoji-username users

Summary

User lookup ajax call always returns users whose names consist of a single emoji symbol.

Steps to reproduce

create a user on gitlab.com
create a private project
try to add an issue
the "Filter by Assignee" dropdown contains logged in user + a lot of unrelated usernames

You can also login to gitlab.com and open the url:

https://gitlab.com/autocomplete/users.json?search=

which shows all users whose names consist of a single emoji.

Example Project

Not specific to any project.

What is the current bug behavior?

As described above.

What is the expected correct behavior?

Only the users that can access the private project should appear in the drop down. At least, there is no need for single-emoji-usernames to be sitting in that list.

For the user lookup ajax call, if the "search" field is empty, and other parameters (like "current_user") are not specified, then do not return any result.

Relevant logs and/or screenshots

Output of checks

This bug happens on GitLab.com

Edited Jun 13, 2018 by MD