Fix code

app/controllers/groups/group_members_controller.rb

 class Groups::GroupMembersController < Groups::ApplicationController
   # Authorize
   before_action :authorize_admin_group_member!, except: [:index, :leave]
-  before_action :authorize_read_group_members, only: [:index]
+  before_action :authorize_read_group_members!, only: [:index]
   def index
     @project = @group.projects.find(params[:project_id]) if params[:project_id]
@@ -83,7 +83,7 @@ class Groups::GroupMembersController < Groups::ApplicationController
   private
-  def authorize_read_group_members
+  def authorize_read_group_members!
     render_404 unless can?(current_user, :read_group_members, @group)
   end
 end

app/controllers/users_controller.rb

 class UsersController < ApplicationController
   skip_before_action :authenticate_user!
-  #TODO felipe_artur: Remove this "set_user" before action. It is not good to use before filters for loading database records.
   before_action :set_user, except: [:show]
-  before_action :authorize_read_user, only: [:show]
+  before_action :authorize_read_user!, only: [:show]
   def show
     respond_to do |format|
@@ -76,7 +75,8 @@ class UsersController < ApplicationController
   end
   private
-  def authorize_read_user
+
+  def authorize_read_user!
     set_user
     render_404 unless can?(current_user, :read_user, @user)
   end

app/models/ability.rb

 class Ability
-  @public_restricted = nil
   class << self
     def allowed(user, subject)
@@ -72,7 +71,6 @@ class Ability
         # Allow to read issues by anonymous user if issue is not confidential
         rules << :read_issue unless subject.is_a?(Issue) && subject.confidential?
-        # Allow anonymous users to read project members if public is not a restricted level
         rules << :read_project_member unless restricted_public_level?
         rules - project_disabled_features_rules(project)
@@ -100,7 +98,6 @@ class Ability
       if group
         rules << [:read_group] if group.public?
-        # Allow anonymous users to read project members if public is not a restricted level
         rules << [:read_group_members] unless restricted_public_level?
       end
@@ -493,7 +490,6 @@ class Ability
     def restricted_public_level?
       @public_restricted ||= current_application_settings.restricted_visibility_levels.include?(Gitlab::VisibilityLevel::PUBLIC)
-      @public_restricted
     end
     def named_abilities(name)

spec/controllers/groups/group_members_controller_spec.rb

@@ -4,8 +4,7 @@ describe Groups::GroupMembersController do
   let(:user)  { create(:user) }
   let(:group) { create(:group) }
-
-  context "When public visibility level is restricted" do
+  context "when public visibility level is restricted" do
     before do
       group.add_owner(user)
       stub_application_setting(restricted_visibility_levels: [Gitlab::VisibilityLevel::PUBLIC])

spec/controllers/users_controller_spec.rb

@@ -54,9 +54,10 @@ describe UsersController do
       context 'when logged in' do
         before { sign_in(user) }
-        it 'renders 404' do
+        it 'renders show' do
           get :show, username: user.username
           expect(response.status).to eq(200)
+          expect(response).to render_template('show')
         end
       end
     end