Diffstat (limited to 'lib/api')
-rw-r--r--lib/api/helpers.rb5
-rw-r--r--lib/api/projects.rb28
2 files changed, 23 insertions, 10 deletions
diff --git a/lib/api/helpers.rb b/lib/api/helpers.rb
index cbafa952ef6..7f94ede7940 100644
--- a/lib/api/helpers.rb
+++ b/lib/api/helpers.rb
@@ -141,6 +141,10 @@ module API
unauthorized! unless current_user
end
+ def authenticate_non_get!
+ authenticate! unless %w[GET HEAD].include?(route.route_method)
+ end
+
def authenticate_by_gitlab_shell_token!
input = params['secret_token'].try(:chomp)
unless Devise.secure_compare(secret_token, input)
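Review bot: `authenticate_non_get!` at the top of the hunk makes authentication opt-out by HTTP verb, but nothing at the definition states that GET/HEAD endpoints mounted under it will run with `current_user` set to nil, and that contract is easy to miss when reading a caller's `before` block. Add a comment above the method, e.g. `# Skips authenticate! for GET/HEAD only. Read-only endpoints under this hook must either tolerate a nil current_user or call authenticate! themselves.`. The check relies on `route.route_method`, presumably Grape's route descriptor, so the verb list is per declared route rather than a raw request header; either is fine as long as it is deliberate. The enclosing helpers module starts and ends outside the hunk.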
@@ -149,6 +153,7 @@ module API
end
def authenticated_as_admin!
+ authenticate!
forbidden! unless current_user.is_admin?
end
diff --git a/lib/api/projects.rb b/lib/api/projects.rb
index 8975b1a751c..2929d2157dc 100644
--- a/lib/api/projects.rb
+++ b/lib/api/projects.rb
@@ -3,7 +3,7 @@ module API
class Projects < Grape::API
include PaginationParams
- before { authenticate! }
+ before { authenticate_non_get! }
helpers do
params :optional_params do
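Review bot: Switching the class-level `before` to `authenticate_non_get!` removes the authentication guarantee from every GET route in `API::Projects`, not only the ones this commit touches; any other GET route in the class that dereferences `current_user` directly will now raise NoMethodError for anonymous callers and surface as a 500 instead of a 401. The commit adds `authenticate!` to the `/`, `/owned` and `/starred` routes and routes `/all` through `authenticated_as_admin!`, but routes outside the shown hunks are not visible here, so a pass over the remaining GET routes in the class is warranted. A comment on the changed line would help future additions, e.g. `# GET/HEAD routes run unauthenticated; each one must call authenticate! or handle current_user being nil`. The class body continues outside the hunk.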
@@ -61,7 +61,7 @@ module API
end
end
- desc 'Get a projects list for authenticated user' do
+ desc 'Get a list of visible projects for authenticated user' do
success Entities::BasicProjectDetails
end
params do
@@ -70,15 +70,15 @@ module API
use :filter_params
use :pagination
end
- get do
- projects = current_user.authorized_projects
+ get '/visible' do
+ projects = ProjectsFinder.new.execute(current_user)
projects = filter_projects(projects)
- entity = params[:simple] ? Entities::BasicProjectDetails : Entities::ProjectWithAccess
+ entity = params[:simple] || !current_user ? Entities::BasicProjectDetails : Entities::ProjectWithAccess
present paginate(projects), with: entity, user: current_user
end
- desc 'Get a list of visible projects for authenticated user' do
+ desc 'Get a projects list for authenticated user' do
success Entities::BasicProjectDetails
end
params do
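Review bot: `get '/visible'` now serves anonymous callers, but both calls it depends on for scoping are defined outside the hunk: `ProjectsFinder.new.execute(current_user)` and `filter_projects(projects)`; confirm the finder restricts a nil user to public projects and that `filter_projects` does not dereference `current_user` (for example in a membership- or star-based filter), since either would turn the anonymous path into a data-exposure or a 500. The entity selection `entity = params[:simple] || !current_user ? Entities::BasicProjectDetails : Entities::ProjectWithAccess` parses correctly (`||` binds tighter than `?:`) but is dense; a comment such as `# anonymous callers never receive access-level fields` or an `if`/`else` form would make the intent obvious. Passing `user: nil` into the entity presenter is presumably tolerated by `BasicProjectDetails`, which is the only entity reachable for a nil user here. The enclosing class continues outside the hunk.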
@@ -87,8 +87,10 @@ module API
use :filter_params
use :pagination
end
- get '/visible' do
- projects = ProjectsFinder.new.execute(current_user)
+ get do
+ authenticate!
+
+ projects = current_user.authorized_projects
projects = filter_projects(projects)
entity = params[:simple] ? Entities::BasicProjectDetails : Entities::ProjectWithAccess
@@ -103,6 +105,8 @@ module API
use :pagination
end
get '/owned' do
+ authenticate!
+
projects = current_user.owned_projects
projects = filter_projects(projects)
@@ -117,6 +121,8 @@ module API
use :pagination
end
get '/starred' do
+ authenticate!
+
projects = current_user.viewable_starred_projects
projects = filter_projects(projects)
@@ -132,6 +138,7 @@ module API
end
get '/all' do
authenticated_as_admin!
+
projects = Project.all
projects = filter_projects(projects)
@@ -213,7 +220,8 @@ module API
success Entities::ProjectWithAccess
end
get ":id" do
- present user_project, with: Entities::ProjectWithAccess, user: current_user,
+ entity = current_user ? Entities::ProjectWithAccess : Entities::BasicProjectDetails
+ present user_project, with: entity, user: current_user,
user_can_admin_project: can?(current_user, :admin_project, user_project)
end
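Review bot: `get ":id"` now serves anonymous callers, and the access decision sits entirely in the `user_project` helper, which is outside this hunk; confirm that for a nil `current_user` it answers not_found for non-public projects rather than 401/403, so the endpoint does not reveal whether a private project id exists. The added `entity = current_user ? Entities::ProjectWithAccess : Entities::BasicProjectDetails` is the right payload split, and `can?(current_user, :admin_project, user_project)` with a nil user presumably evaluates to false; a spec case for the anonymous path asserting `user_can_admin_project` is false would pin that. The route block ends on the hunk's last line, but the class continues outside it.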
@@ -433,7 +441,7 @@ module API
use :pagination
end
get ':id/users' do
- users = User.where(id: user_project.team.users.map(&:id))
+ users = user_project.team.users
users = users.search(params[:search]) if params[:search].present?
present paginate(users), with: Entities::UserBasic