Make read-only API for public merge requests available without authentication
Summary
Currently, the read-only API for public merge requests requires authentication while the same information is available through the UI without authentication.
Example Project
https://gitlab.com/winniehell/water-child
What is the current bug behavior?
Listing merge requests
$ curl -sI https://gitlab.com/winniehell/water-child/merge_requests |
head -n 1
HTTP/1.1 200 OK
$ curl -sI
https://gitlab.com/api/v4/projects/winniehell%2Fwater-child/merge_requests
| head -n 1
HTTP/1.1 401 Unauthorized
Getting a single merge request by ID
$ curl -sI https://gitlab.com/winniehell/water-child/merge_requests/9 |
head -n 1
HTTP/1.1 200 OK
$ curl -sI
https://gitlab.com/api/v4/projects/winniehell%2Fwater-child/merge_requests/9
| head -n 1
HTTP/1.1 401 Unauthorized
Getting merge request changes
$ curl -sI
https://gitlab.com/winniehell/water-child/merge_requests/9/diffs | head -n 1
HTTP/1.1 200 OK
$ curl -sI
https://gitlab.com/api/v4/projects/winniehell%2Fwater-child/merge_requests/9/changes
| head -n 1
HTTP/1.1 401 Unauthorized
What is the expected correct behavior?
Same information that is available without authentication through the UI is also available through the API.