From 1587b6aed9aa1555c612ae674e94231726537ecb Mon Sep 17 00:00:00 2001
From: Marius Bobin <mbobin@gitlab.com>
Date: Wed, 14 Aug 2019 17:36:33 +0300
Subject: Read pipelines from public projects though API

Allow users to read pipelines for public projects
with public builds enabled without providing an access token.
---
 lib/api/pipelines.rb                |  3 ++-
 spec/requests/api/pipelines_spec.rb | 49 +++++++++++++++++++++++++++++++++++++
 2 files changed, 51 insertions(+), 1 deletion(-)

diff --git a/lib/api/pipelines.rb b/lib/api/pipelines.rb
index 667bf1ec801..9e888368e7b 100644
--- a/lib/api/pipelines.rb
+++ b/lib/api/pipelines.rb
@@ -4,7 +4,7 @@ module API
   class Pipelines < Grape::API
     include PaginationParams
 
-    before { authenticate! }
+    before { authenticate_non_get! }
 
     params do
       requires :id, type: String, desc: 'The project ID'
@@ -32,6 +32,7 @@ module API
       end
       get ':id/pipelines' do
         authorize! :read_pipeline, user_project
+        authorize! :read_build, user_project
 
         pipelines = PipelinesFinder.new(user_project, current_user, params).execute
         present paginate(pipelines), with: Entities::PipelineBasic
diff --git a/spec/requests/api/pipelines_spec.rb b/spec/requests/api/pipelines_spec.rb
index 35b3dd219f7..c87ab433e1e 100644
--- a/spec/requests/api/pipelines_spec.rb
+++ b/spec/requests/api/pipelines_spec.rb
@@ -285,6 +285,55 @@ describe API::Pipelines do
         expect(json_response).not_to be_an Array
       end
     end
+
+    context 'projects with public visibility' do
+      let(:visibility) { 'public' }
+      let(:project) { create(:project, :repository, creator: user, visibility: visibility, public_builds: public_builds) }
+
+      context 'with public builds' do
+        let(:public_builds) { true }
+
+        context 'with non assigned user' do
+          it 'does return project pipelines' do
+            get api("/projects/#{project.id}/pipelines", non_member)
+
+            expect(response).to have_gitlab_http_status(200)
+            expect(json_response).to be_an Array
+          end
+        end
+
+        context 'without any user' do
+          it 'does return project pipelines' do
+            get api("/projects/#{project.id}/pipelines")
+
+            expect(response).to have_gitlab_http_status(200)
+            expect(json_response).to be_an Array
+          end
+        end
+      end
+
+      context 'without public builds' do
+        let(:public_builds) { false }
+
+        context 'with non assigned user' do
+          it 'does return project pipelines' do
+            get api("/projects/#{project.id}/pipelines", non_member)
+
+            expect(response).to have_gitlab_http_status(403)
+            expect(json_response).not_to be_an Array
+          end
+        end
+
+        context 'without any user' do
+          it 'does return project pipelines' do
+            get api("/projects/#{project.id}/pipelines")
+
+            expect(response).to have_gitlab_http_status(403)
+            expect(json_response).not_to be_an Array
+          end
+        end
+      end
+    end
   end
 
   describe 'POST /projects/:id/pipeline ' do
-- 
cgit v1.2.1