fix #35290 Make read-only API for public merge requests available without authentication

2017-09-18 17:29:17 +00:00 · 2017-09-18 17:29:17 +00:00 · ff4e81e0ae
commit ff4e81e0ae
parent 8d568fe324
4 changed files with 40 additions and 6 deletions
--- a/app/finders/issuable_finder.rb
+++ b/app/finders/issuable_finder.rb
@ -244,6 +244,8 @@ class IssuableFinder
  end

  def by_scope(items)
+    return items.none if current_user_related? && !current_user
+
    case params[:scope]
    when 'created-by-me', 'authored'
      items.where(author_id: current_user.id)
--- a/changelogs/unreleased/35290_allow_public_project_apis.yml
+++ b/changelogs/unreleased/35290_allow_public_project_apis.yml
@ -0,0 +1,4 @@
+---
+title: made read-only APIs for public merge requests available without authentication
+merge_request: 13291
+author: haseebeqx
--- a/lib/api/merge_requests.rb
+++ b/lib/api/merge_requests.rb
@ -2,7 +2,7 @@ module API
  class MergeRequests < Grape::API
    include PaginationParams

-    before { authenticate! }
+    before { authenticate_non_get! }

    helpers ::Gitlab::IssuableMetadata

@ -55,6 +55,7 @@ module API
                         desc: 'Return merge requests for the given scope: `created-by-me`, `assigned-to-me` or `all`'
      end
      get do
+        authenticate! unless params[:scope] == 'all'
        merge_requests = find_merge_requests

        options = { with: Entities::MergeRequestBasic,
--- a/spec/requests/api/merge_requests_spec.rb
+++ b/spec/requests/api/merge_requests_spec.rb
@ -28,10 +28,29 @@ describe API::MergeRequests do

  describe 'GET /merge_requests' do
    context 'when unauthenticated' do
-      it 'returns authentication error' do
-        get api('/merge_requests')
+      it 'returns an array of all merge requests' do
+        get api('/merge_requests', user), scope: 'all'

-        expect(response).to have_gitlab_http_status(401)
+        expect(response).to have_http_status(200)
+        expect(json_response).to be_an Array
+      end
+
+      it "returns authentication error without any scope" do
+        get api("/merge_requests")
+
+        expect(response).to have_http_status(401)
+      end
+
+      it "returns authentication error  when scope is assigned-to-me" do
+        get api("/merge_requests"), scope: 'assigned-to-me'
+
+        expect(response).to have_http_status(401)
+      end
+
+      it "returns authentication error  when scope is created-by-me" do
+        get api("/merge_requests"), scope: 'created-by-me'
+
+        expect(response).to have_http_status(401)
      end
    end

@ -134,10 +153,18 @@ describe API::MergeRequests do

  describe "GET /projects/:id/merge_requests" do
    context "when unauthenticated" do
-      it "returns authentication error" do
+      it 'returns merge requests for public projects' do
        get api("/projects/#{project.id}/merge_requests")

-        expect(response).to have_gitlab_http_status(401)
+        expect(response).to have_http_status(200)
+        expect(json_response).to be_an Array
+      end
+
+      it "returns 404 for non public projects" do
+        project = create(:project, :private)
+        get api("/projects/#{project.id}/merge_requests")
+
+        expect(response).to have_http_status(404)
      end
    end