Commit 789eb36c authored by haseeb's avatar haseeb Committed by Rémy Coutable

Remove authentication for readonly endpoints in issues API

parent 984e0f1a
---
title: made listing and showing public issue apis available without authentication
merge_request: 18638
author: haseebeqx
type: changed
...@@ -2,7 +2,7 @@ module API ...@@ -2,7 +2,7 @@ module API
class Issues < Grape::API class Issues < Grape::API
include PaginationParams include PaginationParams
before { authenticate! } before { authenticate_non_get! }
helpers ::Gitlab::IssuableMetadata helpers ::Gitlab::IssuableMetadata
...@@ -70,6 +70,7 @@ module API ...@@ -70,6 +70,7 @@ module API
desc: 'Return issues for the given scope: `created-by-me`, `assigned-to-me` or `all`' desc: 'Return issues for the given scope: `created-by-me`, `assigned-to-me` or `all`'
end end
get do get do
authenticate! unless params[:scope] == 'all'
issues = paginate(find_issues) issues = paginate(find_issues)
options = { options = {
......
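Review bot: Swapping the class-level `before { authenticate! }` for `authenticate_non_get!` (L14) moves the access decision for every GET route in `API::Issues` onto per-route checks and onto each finder behaving correctly with a nil `current_user`; only the hook is visible in this hunk, so the individual GET routes are not reviewed here. The spec in this same commit still expects `GET .../user_agent_detail` to answer 401 anonymously, and that route exposes submitter IP/user-agent data, so it presumably keeps its own explicit admin check — worth confirming, together with confidential-issue filtering in whatever `find_issues` delegates to. A one-line comment on the hook would spare the next reader that audit: `# GET routes are reachable anonymously; every GET handler must scope results by current_user, which may be nil`. In the second hunk, `authenticate! unless params[:scope] == 'all'` fails closed for any value other than the literal `all`, which is the safe direction, but the `desc` on L17 should say so, e.g. `desc: 'Return issues for the given scope: `created-by-me`, `assigned-to-me` or `all` (only `all` is available without authentication)'`; the `get do` body continues past the hunk.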
...@@ -64,12 +64,32 @@ describe API::Issues do ...@@ -64,12 +64,32 @@ describe API::Issues do
describe "GET /issues" do describe "GET /issues" do
context "when unauthenticated" do context "when unauthenticated" do
it "returns authentication error" do it "returns an array of all issues" do
get api("/issues"), scope: 'all'
expect(response).to have_http_status(200)
expect(json_response).to be_an Array
end
it "returns authentication error without any scope" do
get api("/issues") get api("/issues")
expect(response).to have_gitlab_http_status(401) expect(response).to have_http_status(401)
end
it "returns authentication error when scope is assigned-to-me" do
get api("/issues"), scope: 'assigned-to-me'
expect(response).to have_http_status(401)
end
it "returns authentication error when scope is created-by-me" do
get api("/issues"), scope: 'created-by-me'
expect(response).to have_http_status(401)
end end
end end
context "when authenticated" do context "when authenticated" do
let(:first_issue) { json_response.first } let(:first_issue) { json_response.first }
...@@ -379,9 +399,6 @@ describe API::Issues do ...@@ -379,9 +399,6 @@ describe API::Issues do
end end
let!(:group_note) { create(:note_on_issue, author: user, project: group_project, noteable: group_issue) } let!(:group_note) { create(:note_on_issue, author: user, project: group_project, noteable: group_issue) }
before do
group_project.add_reporter(user)
end
let(:base_url) { "/groups/#{group.id}/issues" } let(:base_url) { "/groups/#{group.id}/issues" }
context 'when group has subgroups', :nested_groups do context 'when group has subgroups', :nested_groups do
...@@ -408,6 +425,19 @@ describe API::Issues do ...@@ -408,6 +425,19 @@ describe API::Issues do
end end
end end
context 'when user is unauthenticated' do
it 'lists all issues in public projects' do
get api(base_url)
expect_paginated_array_response(size: 2)
end
end
context 'when user is a group member' do
before do
group_project.add_reporter(user)
end
it 'returns all group issues (including opened and closed)' do it 'returns all group issues (including opened and closed)' do
get api(base_url, admin) get api(base_url, admin)
...@@ -576,10 +606,20 @@ describe API::Issues do ...@@ -576,10 +606,20 @@ describe API::Issues do
expect(response_dates).to eq(response_dates.sort) expect(response_dates).to eq(response_dates.sort)
end end
end end
end
describe "GET /projects/:id/issues" do describe "GET /projects/:id/issues" do
let(:base_url) { "/projects/#{project.id}" } let(:base_url) { "/projects/#{project.id}" }
context 'when unauthenticated' do
it 'returns public project issues' do
get api("/projects/#{project.id}/issues")
expect_paginated_array_response(size: 2)
expect(json_response.first['title']).to eq(issue.title)
end
end
it 'avoids N+1 queries' do it 'avoids N+1 queries' do
control_count = ActiveRecord::QueryRecorder.new do control_count = ActiveRecord::QueryRecorder.new do
get api("/projects/#{project.id}/issues", user) get api("/projects/#{project.id}/issues", user)
...@@ -789,6 +829,14 @@ describe API::Issues do ...@@ -789,6 +829,14 @@ describe API::Issues do
end end
describe "GET /projects/:id/issues/:issue_iid" do describe "GET /projects/:id/issues/:issue_iid" do
context 'when unauthenticated' do
it 'returns public issues' do
get api("/projects/#{project.id}/issues/#{issue.iid}")
expect(response).to have_gitlab_http_status(200)
end
end
it 'exposes known attributes' do it 'exposes known attributes' do
get api("/projects/#{project.id}/issues/#{issue.iid}", user) get api("/projects/#{project.id}/issues/#{issue.iid}", user)
...@@ -1581,6 +1629,14 @@ describe API::Issues do ...@@ -1581,6 +1629,14 @@ describe API::Issues do
create(:merge_requests_closing_issues, issue: issue, merge_request: merge_request) create(:merge_requests_closing_issues, issue: issue, merge_request: merge_request)
end end
context 'when unauthenticated' do
it 'return public project issues' do
get api("/projects/#{project.id}/issues/#{issue.iid}/closed_by")
expect_paginated_array_response(size: 1)
end
end
it 'returns merge requests that will close issue on merge' do it 'returns merge requests that will close issue on merge' do
get api("/projects/#{project.id}/issues/#{issue.iid}/closed_by", user) get api("/projects/#{project.id}/issues/#{issue.iid}/closed_by", user)
...@@ -1605,6 +1661,14 @@ describe API::Issues do ...@@ -1605,6 +1661,14 @@ describe API::Issues do
describe "GET /projects/:id/issues/:issue_iid/user_agent_detail" do describe "GET /projects/:id/issues/:issue_iid/user_agent_detail" do
let!(:user_agent_detail) { create(:user_agent_detail, subject: issue) } let!(:user_agent_detail) { create(:user_agent_detail, subject: issue) }
context 'when unauthenticated' do
it "returns unautorized" do
get api("/projects/#{project.id}/issues/#{issue.iid}/user_agent_detail")
expect(response).to have_gitlab_http_status(401)
end
end
it 'exposes known attributes' do it 'exposes known attributes' do
get api("/projects/#{project.id}/issues/#{issue.iid}/user_agent_detail", admin) get api("/projects/#{project.id}/issues/#{issue.iid}/user_agent_detail", admin)
......
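Review bot: The new unauthenticated specs only assert that access is granted (`be_an Array`, a paginated size, a 200); none asserts that an anonymous caller is denied what it must not see, which is exactly the property this relaxation puts at risk. The `GET /issues` scope-all example at L28–L30 should also check that confidential issues and issues in non-public projects are absent, e.g. `expect(json_response.map { |i| i['id'] }).not_to include(confidential_issue.id)` (assuming the spec's existing fixtures include such an issue — not visible here), and the group/project listings at L58–L62 and L77–L82 deserve the same negative assertion. Separately, the added assertions use `have_http_status` while the same diff uses the project matcher `have_gitlab_http_status` at L93 and L115, and L34 even replaces the existing `have_gitlab_http_status(401)` with the plain one; keep `have_gitlab_http_status` throughout.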