Merge branch '8541-remove-authorization-for-get-licence' into 'master'

Remove authorization from /managed_licenses

Closes #8541

See merge request gitlab-org/gitlab-ee!9693

doc/api/managed_licenses.md

@@ -10,7 +10,7 @@ GET /projects/:id/managed_licenses
 
 | Attribute | Type    | Required | Description           |
 | --------- | ------- | -------- | --------------------- |
-| `id`      | integer/string    | yes      | The ID or [URL-encoded path of the project](README.md#namespaced-path-encoding) owned by the authenticated user |
+| `id`      | integer/string    | yes      | The ID or [URL-encoded path of the project](README.md#namespaced-path-encoding) |
 
 ```bash
 curl --header "PRIVATE-TOKEN: <your_access_token>" https://gitlab.example.com/api/v4/projects/1/managed_licenses

doc/user/permissions.md

@@ -77,7 +77,7 @@ The following table depicts the various user permission levels in a project.
 | Update a container registry           |         |            | ✓           | ✓        | ✓      |
 | Remove a container registry image     |         |            | ✓           | ✓        | ✓      |
 | Create/edit/delete project milestones |         |            | ✓           | ✓        | ✓      |
-| View approved/blacklisted licenses **[ULTIMATE]** |         |            | ✓           | ✓        | ✓      |
+| View approved/blacklisted licenses **[ULTIMATE]** | ✓       | ✓          | ✓           | ✓        | ✓      |
 | Use security dashboard **[ULTIMATE]** |         |            | ✓           | ✓        | ✓      |
 | Dismiss vulnerability **[ULTIMATE]**  |         |            | ✓           | ✓        | ✓      |
 | Apply code change suggestions         |         |            | ✓           | ✓        | ✓      |

ee/changelogs/unreleased/8541-remove-authorization-for-get-licence.yml

+---
+title: Remove authorization from /managed_licenses
+merge_request: 8541
+author:
+type: changed

ee/lib/api/managed_licenses.rb

@@ -4,7 +4,7 @@ module API
   class ManagedLicenses < Grape::API
     include PaginationParams
 
-    before { authenticate! }
+    before { authenticate! unless route.settings[:skip_authentication] }
 
     helpers do
       # Make the software license policy specified by id in the request available
@@ -31,6 +31,7 @@ module API
       desc 'Get project software license policies' do
         success Entities::ManagedLicense
       end
+      route_setting :skip_authentication, true
       params do
         use :pagination
       end

ee/spec/requests/api/managed_licenses_spec.rb

@@ -4,7 +4,7 @@ require 'spec_helper'
 
 describe API::ManagedLicenses do
   let(:project) do
-    create(:project).tap do |p|
+    create(:project, :public).tap do |p|
       @software_license_policy = create(:software_license_policy, project: p)
     end
   end
@@ -74,11 +74,30 @@ describe API::ManagedLicenses do
       end
     end
 
-    context 'unauthorized user' do
-      it 'does not return project managed licenses' do
+    context 'with unauthorized user' do
+      it 'returns project managed licenses for public project' do
         get api("/projects/#{project.id}/managed_licenses")
 
-        expect(response).to have_gitlab_http_status(401)
+        expect(response).to have_gitlab_http_status(200)
+        expect(response).to match_response_schema('managed_licenses', dir: 'ee')
+      end
+
+      it 'responses with 404 Not Found for not existing project' do
+        get api("/projects/0/managed_licenses")
+
+        expect(response).to have_gitlab_http_status(404)
+      end
+
+      context 'when project is private' do
+        before do
+          project.update!(visibility_level: 'private')
+        end
+
+        it 'responses with 404 Not Found' do
+          get api("/projects/#{project.id}/managed_licenses")
+
+          expect(response).to have_gitlab_http_status(404)
+        end
       end
     end
   end