From ff4e81e0aec38c26e75d960c3d2af9329576ca32 Mon Sep 17 00:00:00 2001
From: haseeb <haseebeqx@gmail.com>
Date: Mon, 18 Sep 2017 17:29:17 +0000
Subject: fix #35290 Make read-only API for public merge requests available
 without authentication

---
 spec/requests/api/merge_requests_spec.rb | 37 +++++++++++++++++++++++++++-----
 1 file changed, 32 insertions(+), 5 deletions(-)

(limited to 'spec/requests/api/merge_requests_spec.rb')

diff --git a/spec/requests/api/merge_requests_spec.rb b/spec/requests/api/merge_requests_spec.rb
index 21d2c9644fb..c4f6e97b915 100644
--- a/spec/requests/api/merge_requests_spec.rb
+++ b/spec/requests/api/merge_requests_spec.rb
@@ -28,10 +28,29 @@ describe API::MergeRequests do
 
   describe 'GET /merge_requests' do
     context 'when unauthenticated' do
-      it 'returns authentication error' do
-        get api('/merge_requests')
+      it 'returns an array of all merge requests' do
+        get api('/merge_requests', user), scope: 'all'
+
+        expect(response).to have_http_status(200)
+        expect(json_response).to be_an Array
+      end
+
+      it "returns authentication error without any scope" do
+        get api("/merge_requests")
+
+        expect(response).to have_http_status(401)
+      end
+
+      it "returns authentication error  when scope is assigned-to-me" do
+        get api("/merge_requests"), scope: 'assigned-to-me'
 
-        expect(response).to have_gitlab_http_status(401)
+        expect(response).to have_http_status(401)
+      end
+
+      it "returns authentication error  when scope is created-by-me" do
+        get api("/merge_requests"), scope: 'created-by-me'
+
+        expect(response).to have_http_status(401)
       end
     end
 
@@ -134,10 +153,18 @@ describe API::MergeRequests do
 
   describe "GET /projects/:id/merge_requests" do
     context "when unauthenticated" do
-      it "returns authentication error" do
+      it 'returns merge requests for public projects' do
+        get api("/projects/#{project.id}/merge_requests")
+
+        expect(response).to have_http_status(200)
+        expect(json_response).to be_an Array
+      end
+
+      it "returns 404 for non public projects" do
+        project = create(:project, :private)
         get api("/projects/#{project.id}/merge_requests")
 
-        expect(response).to have_gitlab_http_status(401)
+        expect(response).to have_http_status(404)
       end
     end
 
-- 
cgit v1.2.1