Commit ff4e81e0 authored by haseeb's avatar haseeb Committed by Rémy Coutable

fix #35290 Make read-only API for public merge requests available without authentication

parent 8d568fe3
...@@ -244,6 +244,8 @@ class IssuableFinder ...@@ -244,6 +244,8 @@ class IssuableFinder
end end
def by_scope(items) def by_scope(items)
return items.none if current_user_related? && !current_user
case params[:scope] case params[:scope]
when 'created-by-me', 'authored' when 'created-by-me', 'authored'
items.where(author_id: current_user.id) items.where(author_id: current_user.id)
......
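Review bot: The new guard at the top of `by_scope` returns an empty relation for anonymous callers of the me-relative scopes, but it carries no comment and the `case` it protects runs past the end of the hunk, so a why-comment would help: `# Anonymous callers have no "me": return an empty relation instead of raising on current_user.id`. Note that for an anonymous call with `scope=all` this method does not restrict `items` at all, so the limitation of results to publicly visible projects must come from somewhere else in the finder, outside this hunk; that is worth confirming explicitly, because this commit is what first lets unauthenticated requests reach this code. `current_user_related?` is also defined outside the hunk, so its exact scope list cannot be checked here.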
---
title: made read-only APIs for public merge requests available without authentication
merge_request: 13291
author: haseebeqx
...@@ -2,7 +2,7 @@ module API ...@@ -2,7 +2,7 @@ module API
class MergeRequests < Grape::API class MergeRequests < Grape::API
include PaginationParams include PaginationParams
before { authenticate! } before { authenticate_non_get! }
helpers ::Gitlab::IssuableMetadata helpers ::Gitlab::IssuableMetadata
...@@ -55,6 +55,7 @@ module API ...@@ -55,6 +55,7 @@ module API
desc: 'Return merge requests for the given scope: `created-by-me`, `assigned-to-me` or `all`' desc: 'Return merge requests for the given scope: `created-by-me`, `assigned-to-me` or `all`'
end end
get do get do
authenticate! unless params[:scope] == 'all'
merge_requests = find_merge_requests merge_requests = find_merge_requests
options = { with: Entities::MergeRequestBasic, options = { with: Entities::MergeRequestBasic,
......
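Review bot: The `authenticate! unless params[:scope] == 'all'` guard at the start of the `get do` block makes anonymous access depend on the finder restricting `scope=all` to publicly visible projects, and nothing in this hunk shows that restriction; `find_merge_requests` is defined outside the hunk, so confirm it applies visibility filtering when `current_user` is nil. Replacing the class-level `authenticate!` hook with `authenticate_non_get!` also opens every other GET endpoint of `API::MergeRequests` (outside this hunk) to anonymous callers, so each of them must resolve the project through the path that returns 404 for non-visible projects rather than assume an authenticated user. A why-comment on the guard would make the intent explicit: `# Only the cross-project 'all' scope is meaningful without a current user; the me-relative scopes still require authentication.`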
...@@ -28,10 +28,29 @@ describe API::MergeRequests do ...@@ -28,10 +28,29 @@ describe API::MergeRequests do
describe 'GET /merge_requests' do describe 'GET /merge_requests' do
context 'when unauthenticated' do context 'when unauthenticated' do
it 'returns authentication error' do it 'returns an array of all merge requests' do
get api('/merge_requests') get api('/merge_requests', user), scope: 'all'
expect(response).to have_http_status(200)
expect(json_response).to be_an Array
end
it "returns authentication error without any scope" do
get api("/merge_requests")
expect(response).to have_http_status(401)
end
it "returns authentication error when scope is assigned-to-me" do
get api("/merge_requests"), scope: 'assigned-to-me'
expect(response).to have_gitlab_http_status(401) expect(response).to have_http_status(401)
end
it "returns authentication error when scope is created-by-me" do
get api("/merge_requests"), scope: 'created-by-me'
expect(response).to have_http_status(401)
end end
end end
...@@ -134,10 +153,18 @@ describe API::MergeRequests do ...@@ -134,10 +153,18 @@ describe API::MergeRequests do
describe "GET /projects/:id/merge_requests" do describe "GET /projects/:id/merge_requests" do
context "when unauthenticated" do context "when unauthenticated" do
it "returns authentication error" do it 'returns merge requests for public projects' do
get api("/projects/#{project.id}/merge_requests")
expect(response).to have_http_status(200)
expect(json_response).to be_an Array
end
it "returns 404 for non public projects" do
project = create(:project, :private)
get api("/projects/#{project.id}/merge_requests") get api("/projects/#{project.id}/merge_requests")
expect(response).to have_gitlab_http_status(401) expect(response).to have_http_status(404)
end end
end end
......
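Review bot: The example added under `context 'when unauthenticated'` for `GET /merge_requests` passes `user` to `api(...)`, so it is an authenticated request and never exercises the anonymous `scope=all` path this commit introduces. Dropping the user is the immediate fix (`get api('/merge_requests'), scope: 'all'`), and since this is the endpoint that now returns cross-project data to anyone, the example should also assert that a merge request from a private project is absent from the response, which is the property the change actually needs to guarantee. The factory arguments below follow the conventions visible in this file (`create(:project, :private)`) but the `:merge_request` factory itself is not shown here, so adjust to the existing fixtures if they differ. Separately, the new examples mix `have_http_status` with the `have_gitlab_http_status` matcher used by the lines they replace; picking one keeps the spec consistent.
```ruby
it 'returns only merge requests visible to anonymous users' do
  private_mr = create(:merge_request, source_project: create(:project, :private))

  get api('/merge_requests'), scope: 'all'

  expect(response).to have_http_status(200)
  expect(json_response.map { |mr| mr['id'] }).not_to include(private_mr.id)
end
# … unchanged: the 401 examples for no scope / assigned-to-me / created-by-me …
```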