From ff4e81e0aec38c26e75d960c3d2af9329576ca32 Mon Sep 17 00:00:00 2001
From: haseeb <haseebeqx@gmail.com>
Date: Mon, 18 Sep 2017 17:29:17 +0000
Subject: fix #35290 Make read-only API for public merge requests available
 without authentication

---
 lib/api/merge_requests.rb | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

(limited to 'lib/api/merge_requests.rb')

diff --git a/lib/api/merge_requests.rb b/lib/api/merge_requests.rb
index 56d72d511da..8aa1e0216ee 100644
--- a/lib/api/merge_requests.rb
+++ b/lib/api/merge_requests.rb
@@ -2,7 +2,7 @@ module API
   class MergeRequests < Grape::API
     include PaginationParams
 
-    before { authenticate! }
+    before { authenticate_non_get! }
 
     helpers ::Gitlab::IssuableMetadata
 
@@ -55,6 +55,7 @@ module API
                          desc: 'Return merge requests for the given scope: `created-by-me`, `assigned-to-me` or `all`'
       end
       get do
+        authenticate! unless params[:scope] == 'all'
         merge_requests = find_merge_requests
 
         options = { with: Entities::MergeRequestBasic,
-- 
cgit v1.2.1