authorhaseeb <haseebeqx@gmail.com>2017-09-18 17:29:17 +0000
committerRémy Coutable <remy@rymai.me>2017-09-18 17:29:17 +0000
commitff4e81e0aec38c26e75d960c3d2af9329576ca32 (patch)
tree6903ef4fa30d5d467af3a9386423fcb7aeabb731
parent8d568fe324dbf753e99e8f63df8f4cb1b484270d (diff)
fix #35290 Make read-only API for public merge requests available without authentication
-rw-r--r--app/finders/issuable_finder.rb2
-rw-r--r--changelogs/unreleased/35290_allow_public_project_apis.yml4
-rw-r--r--lib/api/merge_requests.rb3
-rw-r--r--spec/requests/api/merge_requests_spec.rb37
4 files changed, 40 insertions, 6 deletions
diff --git a/app/finders/issuable_finder.rb b/app/finders/issuable_finder.rb
index 9848497f258..0a2e3c709d9 100644
--- a/app/finders/issuable_finder.rb
+++ b/app/finders/issuable_finder.rb
@@ -244,6 +244,8 @@ class IssuableFinder
end
def by_scope(items)
+ return items.none if current_user_related? && !current_user
+
case params[:scope]
when 'created-by-me', 'authored'
items.where(author_id: current_user.id)
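Review bot: The new guard at the top of `by_scope` is only as complete as `current_user_related?`, which is defined outside this hunk. The `when 'created-by-me', 'authored'` branch below it still calls `current_user.id` and relies on that predicate covering every scope value that dereferences the user. A short comment above the guard would make the coupling explicit, for example `# Anonymous callers have no user-relative scope: return an empty relation instead of dereferencing a nil current_user`. The rest of the `case` continues outside the hunk, so the other branches could not be checked here.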
diff --git a/changelogs/unreleased/35290_allow_public_project_apis.yml b/changelogs/unreleased/35290_allow_public_project_apis.yml
new file mode 100644
index 00000000000..1968eee0a53
--- /dev/null
+++ b/changelogs/unreleased/35290_allow_public_project_apis.yml
@@ -0,0 +1,4 @@
+---
+title: made read-only APIs for public merge requests available without authentication
+merge_request: 13291
+author: haseebeqx
diff --git a/lib/api/merge_requests.rb b/lib/api/merge_requests.rb
index 56d72d511da..8aa1e0216ee 100644
--- a/lib/api/merge_requests.rb
+++ b/lib/api/merge_requests.rb
@@ -2,7 +2,7 @@ module API
class MergeRequests < Grape::API
include PaginationParams
- before { authenticate! }
+ before { authenticate_non_get! }
helpers ::Gitlab::IssuableMetadata
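Review bot: Changing the class-level filter to `before { authenticate_non_get! }` removes the authentication gate from every GET route in `API::MergeRequests`, not only the two list endpoints whose specs are updated in this commit. Each of the other GET routes (outside this hunk) now depends solely on its own project or merge-request access check to keep private data hidden. It is worth confirming that each one resolves its target through an access-checked lookup, and adding an unauthenticated spec per route against a private project. A comment above the filter would record the new contract, for example `# GET routes are reachable anonymously; every endpoint must enforce read access itself`.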
@@ -55,6 +55,7 @@ module API
desc: 'Return merge requests for the given scope: `created-by-me`, `assigned-to-me` or `all`'
end
get do
+ authenticate! unless params[:scope] == 'all'
merge_requests = find_merge_requests
options = { with: Entities::MergeRequestBasic,
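Review bot: `authenticate! unless params[:scope] == 'all'` keys the authentication decision on a caller-supplied parameter and restates, as a string comparison, the rule that `IssuableFinder#by_scope` expresses through `current_user_related?`, so the two can drift apart. The check fails closed for a missing or unknown scope, which is the right default. For `scope=all`, though, what an anonymous caller sees depends entirely on the visibility filtering inside `find_merge_requests`, which is outside this hunk. Any other filter there that reads `current_user` would now run with nil, so that is worth checking. I would add a comment on the line such as `# Only scope=all is meaningful without a user; visibility is enforced by the finder`.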
diff --git a/spec/requests/api/merge_requests_spec.rb b/spec/requests/api/merge_requests_spec.rb
index 21d2c9644fb..c4f6e97b915 100644
--- a/spec/requests/api/merge_requests_spec.rb
+++ b/spec/requests/api/merge_requests_spec.rb
@@ -28,10 +28,29 @@ describe API::MergeRequests do
describe 'GET /merge_requests' do
context 'when unauthenticated' do
- it 'returns authentication error' do
- get api('/merge_requests')
+ it 'returns an array of all merge requests' do
+ get api('/merge_requests', user), scope: 'all'
+
+ expect(response).to have_http_status(200)
+ expect(json_response).to be_an Array
+ end
+
+ it "returns authentication error without any scope" do
+ get api("/merge_requests")
+
+ expect(response).to have_http_status(401)
+ end
+
+ it "returns authentication error when scope is assigned-to-me" do
+ get api("/merge_requests"), scope: 'assigned-to-me'
- expect(response).to have_gitlab_http_status(401)
+ expect(response).to have_http_status(401)
+ end
+
+ it "returns authentication error when scope is created-by-me" do
+ get api("/merge_requests"), scope: 'created-by-me'
+
+ expect(response).to have_http_status(401)
end
end
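Review bot: The first example in the `when unauthenticated` context calls `get api('/merge_requests', user), scope: 'all'`, which passes `user` to the `api` helper and so presumably sends an authenticated request. That leaves the anonymous `scope=all` path this commit opens untested; the call should be `get api('/merge_requests'), scope: 'all'`. Asserting only `be_an Array` would also not catch a visibility leak, so the example should create a merge request in a private project and expect its id to be absent from `json_response`. Separately, the new expectations use `have_http_status` where the lines they replace used `have_gitlab_http_status`.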
@@ -134,10 +153,18 @@ describe API::MergeRequests do
describe "GET /projects/:id/merge_requests" do
context "when unauthenticated" do
- it "returns authentication error" do
+ it 'returns merge requests for public projects' do
+ get api("/projects/#{project.id}/merge_requests")
+
+ expect(response).to have_http_status(200)
+ expect(json_response).to be_an Array
+ end
+
+ it "returns 404 for non public projects" do
+ project = create(:project, :private)
get api("/projects/#{project.id}/merge_requests")
- expect(response).to have_gitlab_http_status(401)
+ expect(response).to have_http_status(404)
end
end