fix #35290 Make read-only API for public merge requests available without authentication
parent
8d568fe324
commit
ff4e81e0ae
|
@ -244,6 +244,8 @@ class IssuableFinder
|
||||||
end
|
end
|
||||||
|
|
||||||
def by_scope(items)
|
def by_scope(items)
|
||||||
|
return items.none if current_user_related? && !current_user
|
||||||
|
|
||||||
case params[:scope]
|
case params[:scope]
|
||||||
when 'created-by-me', 'authored'
|
when 'created-by-me', 'authored'
|
||||||
items.where(author_id: current_user.id)
|
items.where(author_id: current_user.id)
|
||||||
|
|
|
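Review bot: The new guard in `by_scope` is only as complete as `current_user_related?`, which is defined outside this hunk. The visible branches `'created-by-me'` and `'authored'` both call `current_user.id`, and the rest of the `case` continues past the hunk, so any scope value that reads `current_user` but is not recognised by the predicate would raise on a nil user for an anonymous request instead of returning `items.none`. A comment above the guard would make the coupling explicit, e.g. `# Anonymous callers have no "my" items; current_user_related? must cover every scope below that reads current_user`. A finder spec that runs each user-relative scope with a nil user would keep the two in step.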
@ -0,0 +1,4 @@
|
||||||
|
---
|
||||||
|
title: made read-only APIs for public merge requests available without authentication
|
||||||
|
merge_request: 13291
|
||||||
|
author: haseebeqx
|
|
@ -2,7 +2,7 @@ module API
|
||||||
class MergeRequests < Grape::API
|
class MergeRequests < Grape::API
|
||||||
include PaginationParams
|
include PaginationParams
|
||||||
|
|
||||||
before { authenticate! }
|
before { authenticate_non_get! }
|
||||||
|
|
||||||
helpers ::Gitlab::IssuableMetadata
|
helpers ::Gitlab::IssuableMetadata
|
||||||
|
|
||||||
|
@ -55,6 +55,7 @@ module API
|
||||||
desc: 'Return merge requests for the given scope: `created-by-me`, `assigned-to-me` or `all`'
|
desc: 'Return merge requests for the given scope: `created-by-me`, `assigned-to-me` or `all`'
|
||||||
end
|
end
|
||||||
get do
|
get do
|
||||||
|
authenticate! unless params[:scope] == 'all'
|
||||||
merge_requests = find_merge_requests
|
merge_requests = find_merge_requests
|
||||||
|
|
||||||
options = { with: Entities::MergeRequestBasic,
|
options = { with: Entities::MergeRequestBasic,
|
||||||
|
|
|
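Review bot: Replacing `before { authenticate! }` with `before { authenticate_non_get! }` lifts the authentication requirement from every GET route in `API::MergeRequests`, not only the two list endpoints that the commit title and the specs cover. Any other GET routes in this class (not visible in these hunks) would then depend entirely on their own project and merge-request visibility checks behaving correctly with a nil `current_user`, so each one should be confirmed with an unauthenticated spec against a private project. In the top-level `get do`, `authenticate! unless params[:scope] == 'all'` makes the anonymous result depend on `find_merge_requests` returning only publicly visible merge requests. That assumption deserves a comment on the line, such as `# scope=all is readable anonymously; the finder must restrict results to what a nil user may see`.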
@ -28,10 +28,29 @@ describe API::MergeRequests do
|
||||||
|
|
||||||
describe 'GET /merge_requests' do
|
describe 'GET /merge_requests' do
|
||||||
context 'when unauthenticated' do
|
context 'when unauthenticated' do
|
||||||
it 'returns authentication error' do
|
it 'returns an array of all merge requests' do
|
||||||
get api('/merge_requests')
|
get api('/merge_requests', user), scope: 'all'
|
||||||
|
|
||||||
expect(response).to have_gitlab_http_status(401)
|
expect(response).to have_http_status(200)
|
||||||
|
expect(json_response).to be_an Array
|
||||||
|
end
|
||||||
|
|
||||||
|
it "returns authentication error without any scope" do
|
||||||
|
get api("/merge_requests")
|
||||||
|
|
||||||
|
expect(response).to have_http_status(401)
|
||||||
|
end
|
||||||
|
|
||||||
|
it "returns authentication error when scope is assigned-to-me" do
|
||||||
|
get api("/merge_requests"), scope: 'assigned-to-me'
|
||||||
|
|
||||||
|
expect(response).to have_http_status(401)
|
||||||
|
end
|
||||||
|
|
||||||
|
it "returns authentication error when scope is created-by-me" do
|
||||||
|
get api("/merge_requests"), scope: 'created-by-me'
|
||||||
|
|
||||||
|
expect(response).to have_http_status(401)
|
||||||
end
|
end
|
||||||
end
|
end
|
||||||
|
|
||||||
|
@ -134,10 +153,18 @@ describe API::MergeRequests do
|
||||||
|
|
||||||
describe "GET /projects/:id/merge_requests" do
|
describe "GET /projects/:id/merge_requests" do
|
||||||
context "when unauthenticated" do
|
context "when unauthenticated" do
|
||||||
it "returns authentication error" do
|
it 'returns merge requests for public projects' do
|
||||||
get api("/projects/#{project.id}/merge_requests")
|
get api("/projects/#{project.id}/merge_requests")
|
||||||
|
|
||||||
expect(response).to have_gitlab_http_status(401)
|
expect(response).to have_http_status(200)
|
||||||
|
expect(json_response).to be_an Array
|
||||||
|
end
|
||||||
|
|
||||||
|
it "returns 404 for non public projects" do
|
||||||
|
project = create(:project, :private)
|
||||||
|
get api("/projects/#{project.id}/merge_requests")
|
||||||
|
|
||||||
|
expect(response).to have_http_status(404)
|
||||||
end
|
end
|
||||||
end
|
end
|
||||||
|
|
||||||
|
|
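Review bot: In the first hunk, the example 'returns an array of all merge requests' sits under `context 'when unauthenticated'` but calls `get api('/merge_requests', user), scope: 'all'`. If the `api` helper attaches that user's credentials, as its use elsewhere suggests, the request is authenticated and the anonymous `scope: 'all'` path this commit opens is never exercised. The call should be `get api('/merge_requests'), scope: 'all'`. The `be_an Array` assertions in both hunks would also pass if merge requests from private projects leaked into the response. Creating a merge request in a private project and asserting it is absent from `json_response` would pin the access-control behaviour.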