List public ssh keys by id or username without authentication

7d55c135 · Ronald Claveau · 227cc997 · 7d55c135 · 7d55c135 · 7d55c135
Commit 7d55c135 authored Jun 28, 2018 by Ronald Claveau
4 changed files
--- a/changelogs/unreleased/features-unauth-access-ssh-keys.yml
+++ b/changelogs/unreleased/features-unauth-access-ssh-keys.yml
+---
+title: Enable unauthenticated access to public SSH keys via the API
+merge_request: 20118
+author: Ronald Claveau
+type: changed
--- a/doc/api/users.md
+++ b/doc/api/users.md
@@ -556,7 +556,7 @@ Parameters:

 ## List SSH keys for user

-Get a list of a specified user's SSH keys. Available only for admin
+Get a list of a specified user's SSH keys.

 ```
 GET /users/:id/keys

--- a/lib/api/users.rb
+++ b/lib/api/users.rb
@@ -254,7 +254,7 @@ module API
      end
      # rubocop: enable CodeReuse/ActiveRecord

-      desc 'Get the SSH keys of a specified user. Available only for admins.' do
+      desc 'Get the SSH keys of a specified user.' do
        success Entities::SSHKey
      end
      params do
@@ -263,10 +263,8 @@ module API
      end
      # rubocop: disable CodeReuse/ActiveRecord
      get ':id/keys' do
-        authenticated_as_admin!
-
        user = User.find_by(id: params[:id])
-        not_found!('User') unless user
+        not_found!('User') unless user && can?(current_user, :read_user, user)

        present paginate(user.keys), with: Entities::SSHKey
      end

--- a/spec/requests/api/users_spec.rb
+++ b/spec/requests/api/users_spec.rb
@@ -785,35 +785,25 @@ describe API::Users do
  end

  describe 'GET /user/:id/keys' do
-    before do
-      admin
-    end
+    it 'returns 404 for non-existing user' do
+      user_id = not_existing_user_id

-    context 'when unauthenticated' do
-      it 'returns authentication error' do
-        get api("/users/#{user.id}/keys")
-        expect(response).to have_gitlab_http_status(401)
-      end
-    end
+      get api("/users/#{user_id}/keys")

-    context 'when authenticated' do
-      it 'returns 404 for non-existing user' do
-        get api('/users/999999/keys', admin)
-        expect(response).to have_gitlab_http_status(404)
-        expect(json_response['message']).to eq('404 User Not Found')
-      end
+      expect(response).to have_gitlab_http_status(404)
+      expect(json_response['message']).to eq('404 User Not Found')
+    end

-      it 'returns array of ssh keys' do
-        user.keys << key
-        user.save
+    it 'returns array of ssh keys' do
+      user.keys << key
+      user.save

-        get api("/users/#{user.id}/keys", admin)
+      get api("/users/#{user.id}/keys")

-        expect(response).to have_gitlab_http_status(200)
-        expect(response).to include_pagination_headers
-        expect(json_response).to be_an Array
-        expect(json_response.first['title']).to eq(key.title)
-      end
+      expect(response).to have_gitlab_http_status(200)
+      expect(response).to include_pagination_headers
+      expect(json_response).to be_an Array
+      expect(json_response.first['title']).to eq(key.title)
    end
  end