Merge branch '4269-public-files-api' into 'master'

Allow unauthenticated access to Repositories Files API GET endpoints See merge request !8149

Merge branch '4269-public-files-api' into 'master'
Allow unauthenticated access to Repositories Files API GET endpoints See merge request !8149
d4376e0c · Sean McGivern · Douglas Barbosa Alexandre · ef047d07 · d4376e0c · d4376e0c
Commit d4376e0c authored Dec 20, 2016 by Sean McGivern Committed by Douglas Barbosa Alexandre Dec 21, 2016
8 changed files
--- a/changelogs/unreleased/4269-public-api.yml
+++ b/changelogs/unreleased/4269-public-api.yml
 ---
-title: Allow public access to some Project API endpoints
+title: Allow unauthenticated access to some Project API GET endpoints
 merge_request: 7843
 author:
--- a/changelogs/unreleased/4269-public-files-api.yml
+++ b/changelogs/unreleased/4269-public-files-api.yml
+---
+title: Allow unauthenticated access to Repositories Files API GET endpoints
+merge_request:
+author:
--- a/changelogs/unreleased/4269-public-repositories-api.yml
+++ b/changelogs/unreleased/4269-public-repositories-api.yml
 ---
-title: Allow Repositories API GET endpoints to be requested anonymously
+title: Allow unauthenticated access to Repositories API GET endpoints
 merge_request: 8148
 author:
--- a/doc/api/repository_files.md
+++ b/doc/api/repository_files.md
@@ -6,7 +6,9 @@

 ## Get file from repository

-Allows you to receive information about file in repository like name, size, content. Note that file content is Base64 encoded.
+Allows you to receive information about file in repository like name, size,
+content. Note that file content is Base64 encoded. This endpoint can be accessed
+without authentication if the repository is publicly accessible.

 ```
 GET /projects/:id/repository/files

--- a/lib/api/files.rb
+++ b/lib/api/files.rb
 module API
  # Projects API
  class Files < Grape::API
-    before { authenticate! }
-
    helpers do
      def commit_params(attrs)
        {

--- a/spec/requests/api/files_spec.rb
+++ b/spec/requests/api/files_spec.rb
@@ -4,7 +4,14 @@ describe API::Files, api: true  do
  include ApiHelpers
  let(:user) { create(:user) }
  let!(:project) { create(:project, namespace: user.namespace ) }
+  let(:guest) { create(:user).tap { |u| create(:project_member, :guest, user: u, project: project) } }
  let(:file_path) { 'files/ruby/popen.rb' }
+  let(:params) do
+    {
+      file_path: file_path,
+      ref: 'master'
+    }
+  end
  let(:author_email) { FFaker::Internet.email }

  # I have to remove periods from the end of the name
@@ -24,36 +31,72 @@ describe API::Files, api: true  do
  before { project.team << [user, :developer] }

  describe "GET /projects/:id/repository/files" do
-    it "returns file info" do
-      params = {
-        file_path: file_path,
-        ref: 'master',
-      }
+    let(:route) { "/projects/#{project.id}/repository/files" }

-      get api("/projects/#{project.id}/repository/files", user), params
+    shared_examples_for 'repository files' do
+      it "returns file info" do
+        get api(route, current_user), params

-      expect(response).to have_http_status(200)
-      expect(json_response['file_path']).to eq(file_path)
-      expect(json_response['file_name']).to eq('popen.rb')
-      expect(json_response['last_commit_id']).to eq('570e7b2abdd848b95f2f578043fc23bd6f6fd24d')
-      expect(Base64.decode64(json_response['content']).lines.first).to eq("require 'fileutils'\n")
-    end
+        expect(response).to have_http_status(200)
+        expect(json_response['file_path']).to eq(file_path)
+        expect(json_response['file_name']).to eq('popen.rb')
+        expect(json_response['last_commit_id']).to eq('570e7b2abdd848b95f2f578043fc23bd6f6fd24d')
+        expect(Base64.decode64(json_response['content']).lines.first).to eq("require 'fileutils'\n")
+      end

-    it "returns a 400 bad request if no params given" do
-      get api("/projects/#{project.id}/repository/files", user)
+      context 'when no params are given' do
+        it_behaves_like '400 response' do
+          let(:request) { get api(route, current_user) }
+        end
+      end

-      expect(response).to have_http_status(400)
+      context 'when file_path does not exist' do
+        let(:params) do
+          {
+            file_path: 'app/models/application.rb',
+            ref: 'master',
+          }
+        end
+
+        it_behaves_like '404 response' do
+          let(:request) { get api(route, current_user), params }
+          let(:message) { '404 File Not Found' }
+        end
+      end
+
+      context 'when repository is disabled' do
+        include_context 'disabled repository'
+
+        it_behaves_like '403 response' do
+          let(:request) { get api(route, current_user), params }
+        end
+      end
    end

-    it "returns a 404 if such file does not exist" do
-      params = {
-        file_path: 'app/models/application.rb',
-        ref: 'master',
-      }
+    context 'when unauthenticated', 'and project is public' do
+      it_behaves_like 'repository files' do
+        let(:project) { create(:project, :public) }
+        let(:current_user) { nil }
+      end
+    end

-      get api("/projects/#{project.id}/repository/files", user), params
+    context 'when unauthenticated', 'and project is private' do
+      it_behaves_like '404 response' do
+        let(:request) { get api(route), params }
+        let(:message) { '404 Project Not Found' }
+      end
+    end
+
+    context 'when authenticated', 'as a developer' do
+      it_behaves_like 'repository files' do
+        let(:current_user) { user }
+      end
+    end

-      expect(response).to have_http_status(404)
+    context 'when authenticated', 'as a guest' do
+      it_behaves_like '403 response' do
+        let(:request) { get api(route, guest), params }
+      end
    end
  end


--- a/spec/requests/api/repositories_spec.rb
+++ b/spec/requests/api/repositories_spec.rb
@@ -11,17 +11,6 @@ describe API::Repositories, api: true  do
  let!(:project) { create(:project, creator_id: user.id) }
  let!(:master) { create(:project_member, :master, user: user, project: project) }

-  shared_context 'disabled repository' do
-    before do
-      project.project_feature.update_attributes!(
-        repository_access_level: ProjectFeature::DISABLED,
-        merge_requests_access_level: ProjectFeature::DISABLED,
-        builds_access_level: ProjectFeature::DISABLED
-      )
-      expect(project.feature_available?(:repository, current_user)).to be false
-    end
-  end
-
  describe "GET /projects/:id/repository/tree" do
    let(:route) { "/projects/#{project.id}/repository/tree" }


--- a/spec/support/api/repositories_shared_context.rb
+++ b/spec/support/api/repositories_shared_context.rb
+shared_context 'disabled repository' do
+  before do
+    project.project_feature.update_attributes!(
+      repository_access_level: ProjectFeature::DISABLED,
+      merge_requests_access_level: ProjectFeature::DISABLED,
+      builds_access_level: ProjectFeature::DISABLED
+    )
+    expect(project.feature_available?(:repository, current_user)).to be false
+  end
+end