Allow non-admin user to get GPG keys

Removes the requirement of administration privileges for the endpoint GET `/users/:id/gpg_keys` With this change the scope `read_user` is now required. Resolves https://gitlab.com/gitlab-org/gitlab/-/issues/21584 Make GPG Keys public Add changelog

Allow non-admin user to get GPG keys
Removes the requirement of administration privileges for the endpoint GET `/users/:id/gpg_keys` With this change the scope `read_user` is now required. Resolves https://gitlab.com/gitlab-org/gitlab/-/issues/21584 Make GPG Keys public Add changelog
b60fe2bd · Lorenz Leutgeb · Michelle Gill · 82f7405e · b60fe2bd · b60fe2bd
Commit b60fe2bd authored Nov 12, 2019 by Lorenz Leutgeb Committed by Michelle Gill Sep 29, 2020
4 changed files
--- a/changelogs/unreleased/api-expose-gpg.yml
+++ b/changelogs/unreleased/api-expose-gpg.yml
+---
+title: Allow a users public GPG Keys to be API accessible
+merge_request: 43332
+author:
+type: added
--- a/doc/api/users.md
+++ b/doc/api/users.md
@@ -950,7 +950,7 @@ Returns `204 No Content` on success, or `404 Not found` if the key cannot be fou

 ## List all GPG keys for given user

-Get a list of a specified user's GPG keys. Available only for admins.
+Get a list of a specified user's GPG keys. This endpoint can be accessed without authentication.

 ```plaintext
 GET /users/:id/gpg_keys

--- a/lib/api/users.rb
+++ b/lib/api/users.rb
@@ -348,7 +348,7 @@ module API
      end
      # rubocop: enable CodeReuse/ActiveRecord

-      desc 'Get the GPG keys of a specified user. Available only for admins.' do
+      desc 'Get the GPG keys of a specified user.' do
        detail 'This feature was added in GitLab 10.0'
        success Entities::GpgKey
      end
@@ -358,8 +358,6 @@ module API
      end
      # rubocop: disable CodeReuse/ActiveRecord
      get ':id/gpg_keys' do
-        authenticated_as_admin!
-
        user = User.find_by(id: params[:id])
        not_found!('User') unless user


--- a/spec/requests/api/users_spec.rb
+++ b/spec/requests/api/users_spec.rb
@@ -1460,39 +1460,22 @@ RSpec.describe API::Users, :do_not_mock_admin_mode do
  end

  describe 'GET /user/:id/gpg_keys' do
-    context 'when unauthenticated' do
-      it 'returns authentication error' do
-        get api("/users/#{user.id}/gpg_keys")
+    it 'returns 404 for non-existing user' do
+      get api('/users/0/gpg_keys')

-        expect(response).to have_gitlab_http_status(:unauthorized)
-      end
+      expect(response).to have_gitlab_http_status(:not_found)
+      expect(json_response['message']).to eq('404 User Not Found')
    end

-    context 'when authenticated' do
-      it 'returns 404 for non-existing user' do
-        get api('/users/0/gpg_keys', admin)
-
-        expect(response).to have_gitlab_http_status(:not_found)
-        expect(json_response['message']).to eq('404 User Not Found')
-      end
-
-      it 'returns 404 error if key not foud' do
-        delete api("/users/#{user.id}/gpg_keys/#{non_existing_record_id}", admin)
-
-        expect(response).to have_gitlab_http_status(:not_found)
-        expect(json_response['message']).to eq('404 GPG Key Not Found')
-      end
-
-      it 'returns array of GPG keys' do
-        user.gpg_keys << gpg_key
+    it 'returns array of GPG keys' do
+      user.gpg_keys << gpg_key

-        get api("/users/#{user.id}/gpg_keys", admin)
+      get api("/users/#{user.id}/gpg_keys")

-        expect(response).to have_gitlab_http_status(:ok)
-        expect(response).to include_pagination_headers
-        expect(json_response).to be_an Array
-        expect(json_response.first['key']).to eq(gpg_key.key)
-      end
+      expect(response).to have_gitlab_http_status(:ok)
+      expect(response).to include_pagination_headers
+      expect(json_response).to be_an Array
+      expect(json_response.first['key']).to eq(gpg_key.key)
    end
  end