
Fixes #3755 - User with user_id 1 is show in admin interface (which should not)

Romit Choudhary 3 years ago
parent
commit
d98445d1fe
2 changed files with 16 additions and 1 deletions
  1. 4 1
      app/models/user/search.rb
  2. 12 0
      spec/requests/user_spec.rb

+ 4 - 1
app/models/user/search.rb

@@ -174,10 +174,13 @@ returns
 
         if is_query
           statement = statement.where(
-            '(users.firstname LIKE ? OR users.lastname LIKE ? OR users.email LIKE ? OR users.login LIKE ?) AND users.id != 1', "%#{query}%", "%#{query}%", "%#{query}%", "%#{query}%"
+            '(users.firstname LIKE ? OR users.lastname LIKE ? OR users.email LIKE ? OR users.login LIKE ?)', "%#{query}%", "%#{query}%", "%#{query}%", "%#{query}%"
           )
         end
 
+        # Fixes #3755 - User with user_id 1 is show in admin interface (which should not)
+        statement = statement.where('users.id != 1')
+
         statement.order(Arel.sql(order_sql))
           .offset(offset)
           .limit(limit)
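Review bot: The new `statement.where('users.id != 1')` hard-codes the hidden account's id in a raw SQL fragment, and the comment above it records only the ticket number rather than why that row must never be returned. I would write it as `statement = statement.where.not(users: { id: 1 })` and replace the comment with the reason, e.g. `# user id 1 is an internal account and must never be listed in search results` (presumably the system user; confirm). The enclosing method starts and ends outside this hunk, so the search-index branch cannot be seen from here. It is worth confirming that branch applies the same exclusion, since this filter only covers the SQL fallback.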

+ 12 - 0
spec/requests/user_spec.rb

@@ -1421,6 +1421,12 @@ RSpec.describe 'User', type: :request do
         make_request(query: '9U7Z', group_ids: { 999 => 'read' })
         expect(json_response.count).to eq(0)
       end
+
+      it 'does not list user with id 1' do
+        make_request(query: '')
+        not_in_response = json_response.none? { |item| item['id'] == 1 }
+        expect(not_in_response).to be(true)
+      end
     end
 
     describe 'with searchindex', searchindex: true do
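Review bot: The added example only sends `query: ''`, which presumably leaves `is_query` false, so the non-empty-query path that carried the old `users.id != 1` clause has no regression test. The identical example in the `with searchindex` hunk below has the same gap. A second example that searches for a string matching user 1's own login or email would pin the case that matters. The assertion also passes vacuously on an empty response and fails with only "expected true, got false"; `expect(json_response.map { |item| item['id'] }).not_to include(1)`, preceded by `expect(json_response).not_to be_empty`, would give a useful failure message.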
@@ -1449,6 +1455,12 @@ RSpec.describe 'User', type: :request do
         make_request(query: '9U7Z', group_ids: { 999 => 'read' })
         expect(json_response.count).to eq(0)
       end
+
+      it 'does not list user with id 1' do
+        make_request(query: '')
+        not_in_response = json_response.none? { |item| item['id'] == 1 }
+        expect(not_in_response).to be(true)
+      end
     end
   end