Allow public access to some Project API endpoints

Signed-off-by: Rémy Coutable <remy@rymai.me>

Allow public access to some Project API endpoints
Signed-off-by: Rémy Coutable <remy@rymai.me>
d7572472 · Rémy Coutable · e91afc0d · d7572472 · d7572472 · d7572472
Commit d7572472 authored Nov 30, 2016 by Rémy Coutable
5 changed files
--- a/changelogs/unreleased/4269-public-api.yml
+++ b/changelogs/unreleased/4269-public-api.yml
+---
+title: Allow public access to some Project API endpoints
+merge_request: 7843
+author:
--- a/lib/api/helpers.rb
+++ b/lib/api/helpers.rb
@@ -141,6 +141,10 @@ module API
      unauthorized! unless current_user
    end
+    def authenticate_non_get!
+      authenticate! unless %w[GET HEAD].include?(route.route_method)
+    end
    def authenticate_by_gitlab_shell_token!
      input = params['secret_token'].try(:chomp)
      unless Devise.secure_compare(secret_token, input)
@@ -149,6 +153,7 @@ module API
    end
    def authenticated_as_admin!
+      authenticate!
      forbidden! unless current_user.is_admin?
    end

--- a/lib/api/projects.rb
+++ b/lib/api/projects.rb
@@ -3,7 +3,7 @@ module API
  class Projects < Grape::API
    include PaginationParams
-    before { authenticate! }
+    before { authenticate_non_get! }
    helpers do
      params :optional_params do
@@ -61,7 +61,7 @@ module API
        end
      end
-      desc 'Get a projects list for authenticated user' do
+      desc 'Get a list of visible projects for authenticated user' do
        success Entities::BasicProjectDetails
      end
      params do
@@ -70,15 +70,15 @@ module API
        use :filter_params
        use :pagination
      end
-      get do
+      get '/visible' do
-        projects = current_user.authorized_projects
+        projects = ProjectsFinder.new.execute(current_user)
        projects = filter_projects(projects)
-        entity = params[:simple] ? Entities::BasicProjectDetails : Entities::ProjectWithAccess
+        entity = params[:simple] || !current_user ? Entities::BasicProjectDetails : Entities::ProjectWithAccess
        present paginate(projects), with: entity, user: current_user
      end
-      desc 'Get a list of visible projects for authenticated user' do
+      desc 'Get a projects list for authenticated user' do
        success Entities::BasicProjectDetails
      end
      params do
@@ -87,8 +87,10 @@ module API
        use :filter_params
        use :pagination
      end
-      get '/visible' do
+      get do
-        projects = ProjectsFinder.new.execute(current_user)
+        authenticate!
+        projects = current_user.authorized_projects
        projects = filter_projects(projects)
        entity = params[:simple] ? Entities::BasicProjectDetails : Entities::ProjectWithAccess
@@ -103,6 +105,8 @@ module API
        use :pagination
      end
      get '/owned' do
+        authenticate!
        projects = current_user.owned_projects
        projects = filter_projects(projects)
@@ -117,6 +121,8 @@ module API
        use :pagination
      end
      get '/starred' do
+        authenticate!
        projects = current_user.viewable_starred_projects
        projects = filter_projects(projects)
@@ -132,6 +138,7 @@ module API
      end
      get '/all' do
        authenticated_as_admin!
        projects = Project.all
        projects = filter_projects(projects)
@@ -213,7 +220,8 @@ module API
        success Entities::ProjectWithAccess
      end
      get ":id" do
-        present user_project, with: Entities::ProjectWithAccess, user: current_user,
+        entity = current_user ? Entities::ProjectWithAccess : Entities::BasicProjectDetails
+        present user_project, with: entity, user: current_user,
                              user_can_admin_project: can?(current_user, :admin_project, user_project)
      end
@@ -433,7 +441,7 @@ module API
        use :pagination
      end
      get ':id/users' do
-        users = User.where(id: user_project.team.users.map(&:id))
+        users = user_project.team.users
        users = users.search(params[:search]) if params[:search].present?
        present paginate(users), with: Entities::UserBasic

--- a/spec/requests/api/api_helpers_spec.rb
+++ b/spec/requests/api/api_helpers_spec.rb
@@ -47,7 +47,7 @@ describe API::Helpers, api: true do
  end
  def error!(message, status)
-    raise Exception
+    raise Exception.new("#{status} - #{message}")
  end
  describe ".current_user" do
@@ -290,4 +290,56 @@ describe API::Helpers, api: true do
      handle_api_exception(exception)
    end
  end
+  describe '.authenticate_non_get!' do
+    %w[HEAD GET].each do |method_name|
+      context "method is #{method_name}" do
+        before do
+          expect_any_instance_of(self.class).to receive(:route).and_return(double(route_method: method_name))
+        end
+        it 'does not raise an error' do
+          expect_any_instance_of(self.class).not_to receive(:authenticate!)
+          expect { authenticate_non_get! }.not_to raise_error
+        end
+      end
+    end
+    %w[POST PUT PATCH DELETE].each do |method_name|
+      context "method is #{method_name}" do
+        before do
+          expect_any_instance_of(self.class).to receive(:route).and_return(double(route_method: method_name))
+        end
+        it 'calls authenticate!' do
+          expect_any_instance_of(self.class).to receive(:authenticate!)
+          authenticate_non_get!
+        end
+      end
+    end
+  end
+  describe '.authenticate!' do
+    context 'current_user is nil' do
+      before do
+        expect_any_instance_of(self.class).to receive(:current_user).and_return(nil)
+      end
+      it 'returns a 401 response' do
+        expect { authenticate! }.to raise_error '401 - {"message"=>"401 Unauthorized"}'
+      end
+    end
+    context 'current_user is present' do
+      before do
+        expect_any_instance_of(self.class).to receive(:current_user).and_return(true)
+      end
+      it 'does not raise an error' do
+        expect { authenticate! }.not_to raise_error
+      end
+    end
+  end
 end
--- a/spec/requests/api/projects_spec.rb
+++ b/spec/requests/api/projects_spec.rb