From 5c20e50f46c6cf7634a20027c5ae257a6c25d995 Mon Sep 17 00:00:00 2001
From: Ben Boeckel <ben.boeckel@kitware.com>
Date: Thu, 26 Jan 2017 13:58:05 -0500
Subject: [PATCH] lfs: do not require auth for public repositories

LFS has the `authenticated` field in the response for downloads of
objects to indicate that the object does not need authentication to
access it.

Spec: https://github.com/git-lfs/git-lfs/blob/master/docs/api/batch.md#successful-responses

Fixes #23360.
---
 app/controllers/projects/lfs_api_controller.rb   | 4 ++++
 changelogs/unreleased/lfs-noauth-public-repo.yml | 4 ++++
 spec/requests/lfs_http_spec.rb                   | 1 +
 3 files changed, 9 insertions(+)
 create mode 100644 changelogs/unreleased/lfs-noauth-public-repo.yml

diff --git a/app/controllers/projects/lfs_api_controller.rb b/app/controllers/projects/lfs_api_controller.rb
index 440259b643c..8a5a645ed0e 100644
--- a/app/controllers/projects/lfs_api_controller.rb
+++ b/app/controllers/projects/lfs_api_controller.rb
@@ -48,6 +48,10 @@ class Projects::LfsApiController < Projects::GitHttpClientController
     objects.each do |object|
       if existing_oids.include?(object[:oid])
         object[:actions] = download_actions(object)
+
+        if Guest.can?(:download_code, project)
+          object[:authenticated] = true
+        end
       else
         object[:error] = {
           code: 404,
diff --git a/changelogs/unreleased/lfs-noauth-public-repo.yml b/changelogs/unreleased/lfs-noauth-public-repo.yml
new file mode 100644
index 00000000000..60f62d7691b
--- /dev/null
+++ b/changelogs/unreleased/lfs-noauth-public-repo.yml
@@ -0,0 +1,4 @@
+---
+title: Support unauthenticated LFS object downloads for public projects
+merge_request: 8824
+author: Ben Boeckel
diff --git a/spec/requests/lfs_http_spec.rb b/spec/requests/lfs_http_spec.rb
index 9bfc84c7425..c0e7bab8199 100644
--- a/spec/requests/lfs_http_spec.rb
+++ b/spec/requests/lfs_http_spec.rb
@@ -600,6 +600,7 @@ describe 'Git LFS API and storage' do
             expect(json_response).to eq('objects' => [
               { 'oid' => sample_oid,
                 'size' => sample_size,
+                'authenticated' => true,
                 'actions' => {
                   'download' => {
                     'href' => "#{project.http_url_to_repo}/gitlab-lfs/objects/#{sample_oid}",