diff options
author | Rémy Coutable <remy@rymai.me> | 2017-09-18 17:29:18 +0000 |
---|---|---|
committer | Rémy Coutable <remy@rymai.me> | 2017-09-18 17:29:18 +0000 |
commit | 727f51b8ef0af2b78087b4ac894ee728bfbabd1f (patch) | |
tree | 6903ef4fa30d5d467af3a9386423fcb7aeabb731 | |
parent | 8d568fe324dbf753e99e8f63df8f4cb1b484270d (diff) | |
parent | ff4e81e0aec38c26e75d960c3d2af9329576ca32 (diff) | |
download | gitlab-ce-727f51b8ef0af2b78087b4ac894ee728bfbabd1f.tar.gz |
Merge branch '35290_allow_public_project_apis' into 'master'
fix #35290 Make read-only API for public merge requests available without authentication
Closes #35290
See merge request gitlab-org/gitlab-ce!13291
-rw-r--r-- | app/finders/issuable_finder.rb | 2 | ||||
-rw-r--r-- | changelogs/unreleased/35290_allow_public_project_apis.yml | 4 | ||||
-rw-r--r-- | lib/api/merge_requests.rb | 3 | ||||
-rw-r--r-- | spec/requests/api/merge_requests_spec.rb | 37 |
4 files changed, 40 insertions, 6 deletions
diff --git a/app/finders/issuable_finder.rb b/app/finders/issuable_finder.rb index 9848497f258..0a2e3c709d9 100644 --- a/app/finders/issuable_finder.rb +++ b/app/finders/issuable_finder.rb @@ -244,6 +244,8 @@ class IssuableFinder end def by_scope(items) + return items.none if current_user_related? && !current_user + case params[:scope] when 'created-by-me', 'authored' items.where(author_id: current_user.id) diff --git a/changelogs/unreleased/35290_allow_public_project_apis.yml b/changelogs/unreleased/35290_allow_public_project_apis.yml new file mode 100644 index 00000000000..1968eee0a53 --- /dev/null +++ b/changelogs/unreleased/35290_allow_public_project_apis.yml @@ -0,0 +1,4 @@ +--- +title: made read-only APIs for public merge requests available without authentication +merge_request: 13291 +author: haseebeqx diff --git a/lib/api/merge_requests.rb b/lib/api/merge_requests.rb index 56d72d511da..8aa1e0216ee 100644 --- a/lib/api/merge_requests.rb +++ b/lib/api/merge_requests.rb @@ -2,7 +2,7 @@ module API class MergeRequests < Grape::API include PaginationParams - before { authenticate! } + before { authenticate_non_get! } helpers ::Gitlab::IssuableMetadata @@ -55,6 +55,7 @@ module API desc: 'Return merge requests for the given scope: `created-by-me`, `assigned-to-me` or `all`' end get do + authenticate! unless params[:scope] == 'all' merge_requests = find_merge_requests options = { with: Entities::MergeRequestBasic, diff --git a/spec/requests/api/merge_requests_spec.rb b/spec/requests/api/merge_requests_spec.rb index 21d2c9644fb..c4f6e97b915 100644 --- a/spec/requests/api/merge_requests_spec.rb +++ b/spec/requests/api/merge_requests_spec.rb @@ -28,10 +28,29 @@ describe API::MergeRequests do describe 'GET /merge_requests' do context 'when unauthenticated' do - it 'returns authentication error' do - get api('/merge_requests') + it 'returns an array of all merge requests' do + get api('/merge_requests', user), scope: 'all' + + expect(response).to have_http_status(200) + expect(json_response).to be_an Array + end + + it "returns authentication error without any scope" do + get api("/merge_requests") + + expect(response).to have_http_status(401) + end + + it "returns authentication error when scope is assigned-to-me" do + get api("/merge_requests"), scope: 'assigned-to-me' - expect(response).to have_gitlab_http_status(401) + expect(response).to have_http_status(401) + end + + it "returns authentication error when scope is created-by-me" do + get api("/merge_requests"), scope: 'created-by-me' + + expect(response).to have_http_status(401) end end @@ -134,10 +153,18 @@ describe API::MergeRequests do describe "GET /projects/:id/merge_requests" do context "when unauthenticated" do - it "returns authentication error" do + it 'returns merge requests for public projects' do + get api("/projects/#{project.id}/merge_requests") + + expect(response).to have_http_status(200) + expect(json_response).to be_an Array + end + + it "returns 404 for non public projects" do + project = create(:project, :private) get api("/projects/#{project.id}/merge_requests") - expect(response).to have_gitlab_http_status(401) + expect(response).to have_http_status(404) end end |