Show public RSS feeds to anonymous users

app/helpers/rss_helper.rb

+module RssHelper
+  def rss_url_options
+    { format: :atom, private_token: current_user.try(:private_token) }
+  end
+end

app/views/dashboard/_activities.html.haml

@@ -2,10 +2,9 @@
   = render "events/event_last_push", event: @last_push
 
 .nav-block
-  - if current_user
-    .controls
-      = link_to dashboard_projects_path(:atom, { private_token: current_user.private_token }), class: 'btn rss-btn has-tooltip', title: 'Subscribe' do
-        %i.fa.fa-rss
+  .controls
+    = link_to dashboard_projects_path(rss_url_options), class: 'btn rss-btn has-tooltip', title: 'Subscribe' do
+      %i.fa.fa-rss
   = render 'shared/event_filter'
 
 .content_list

app/views/dashboard/activity.html.haml

 = content_for :meta_tags do
-  - if current_user
-    = auto_discovery_link_tag(:atom, dashboard_projects_url(format: :atom, private_token: current_user.private_token), title: "All activity")
+  = auto_discovery_link_tag(:atom, dashboard_projects_url(rss_url_options), title: "All activity")
 
 - page_title    "Activity"
 - header_title  "Activity", activity_dashboard_path

app/views/dashboard/issues.html.haml

 - page_title "Issues"
 - header_title  "Issues", issues_dashboard_path(assignee_id: current_user.id)
 = content_for :meta_tags do
-  - if current_user
-    = auto_discovery_link_tag(:atom, url_for(params.merge(format: :atom, private_token: current_user.private_token)), title: "#{current_user.name} issues")
+  = auto_discovery_link_tag(:atom, params.merge(rss_url_options), title: "#{current_user.name} issues")
 
 .top-area
   = render 'shared/issuable/nav', type: :issues
   .nav-controls
-    - if current_user
-      = link_to url_for(params.merge(format: :atom, private_token: current_user.private_token)), class: 'btn' do
-        = icon('rss')
-        %span.icon-label
-          Subscribe
+    = link_to params.merge(rss_url_options), class: 'btn' do
+      = icon('rss')
+      %span.icon-label
+        Subscribe
     = render 'shared/new_project_item_select', path: 'issues/new', label: "New Issue"
 
 = render 'shared/issuable/filter', type: :issues

app/views/dashboard/projects/index.atom.builder

 xml.instruct!
 xml.feed "xmlns" => "http://www.w3.org/2005/Atom", "xmlns:media" => "http://search.yahoo.com/mrss/" do
   xml.title   "Activity"
-  xml.link    href: dashboard_projects_url(format: :atom, private_token: current_user.try(:private_token)), rel: "self", type: "application/atom+xml"
+  xml.link    href: dashboard_projects_url(rss_url_options), rel: "self", type: "application/atom+xml"
   xml.link    href: dashboard_projects_url, rel: "alternate", type: "text/html"
   xml.id      dashboard_projects_url
   xml.updated @events[0].updated_at.xmlschema if @events[0]

app/views/dashboard/projects/index.html.haml

 = content_for :meta_tags do
-  - if current_user
-    = auto_discovery_link_tag(:atom, dashboard_projects_url(format: :atom, private_token: current_user.private_token), title: "All activity")
+  = auto_discovery_link_tag(:atom, dashboard_projects_url(rss_url_options), title: "All activity")
 
 - page_title    "Projects"
 - header_title  "Projects", dashboard_projects_path

app/views/groups/_activities.html.haml

@@ -2,10 +2,9 @@
   = render "events/event_last_push", event: @last_push
 
 .nav-block
-  - if current_user
-    .controls
-      = link_to group_path(@group, format: :atom, private_token: current_user.private_token), class: 'btn rss-btn has-tooltip' , title: 'Subscribe' do
-        %i.fa.fa-rss
+  .controls
+    = link_to group_path(@group, rss_url_options), class: 'btn rss-btn has-tooltip' , title: 'Subscribe' do
+      %i.fa.fa-rss
   = render 'shared/event_filter'
 
 .content_list

app/views/groups/activity.html.haml

 = content_for :meta_tags do
-  - if current_user
-    = auto_discovery_link_tag(:atom, group_url(@group, format: :atom, private_token: current_user.private_token), title: "#{@group.name} activity")
+  = auto_discovery_link_tag(:atom, group_url(@group, rss_url_options), title: "#{@group.name} activity")
 
 - page_title "Activity"
 = render 'groups/head'

app/views/groups/issues.html.haml

 - page_title "Issues"
 = render "head_issues"
 = content_for :meta_tags do
-  - if current_user
-    = auto_discovery_link_tag(:atom, url_for(params.merge(format: :atom, private_token: current_user.private_token)), title: "#{@group.name} issues")
+  = auto_discovery_link_tag(:atom, params.merge(rss_url_options), title: "#{@group.name} issues")
 
 - if group_issues(@group).exists?
   .top-area
     = render 'shared/issuable/nav', type: :issues
-    - if current_user
-      .nav-controls
-        = link_to url_for(params.merge(format: :atom, private_token: current_user.private_token)), class: 'btn' do
-          = icon('rss')
-          %span.icon-label
-            Subscribe
-        = render 'shared/new_project_item_select', path: 'issues/new', label: "New Issue"
+    .nav-controls
+      = link_to params.merge(rss_url_options), class: 'btn' do
+        = icon('rss')
+        %span.icon-label
+          Subscribe
+      = render 'shared/new_project_item_select', path: 'issues/new', label: "New Issue"
 
   = render 'shared/issuable/filter', type: :issues
 

app/views/groups/show.atom.builder

 xml.instruct!
 xml.feed "xmlns" => "http://www.w3.org/2005/Atom", "xmlns:media" => "http://search.yahoo.com/mrss/" do
   xml.title   "#{@group.name} activity"
-  xml.link    href: group_url(@group, format: :atom, private_token: current_user.try(:private_token)), rel: "self", type: "application/atom+xml"
+  xml.link    href: group_url(@group, rss_url_options), rel: "self", type: "application/atom+xml"
   xml.link    href: group_url(@group), rel: "alternate", type: "text/html"
   xml.id      group_url(@group)
   xml.updated @events[0].updated_at.xmlschema if @events[0]

app/views/groups/show.html.haml

 - @no_container = true
 
 = content_for :meta_tags do
-  - if current_user
-    = auto_discovery_link_tag(:atom, group_url(@group, format: :atom, private_token: current_user.private_token), title: "#{@group.name} activity")
+  = auto_discovery_link_tag(:atom, group_url(@group, rss_url_options), title: "#{@group.name} activity")
 
 = render 'groups/head'
 = render 'groups/home_panel'

app/views/projects/_activity.html.haml

@@ -2,10 +2,9 @@
 
 %div{ class: container_class }
   .nav-block.activity-filter-block
-    - if current_user
-      .controls
-        = link_to namespace_project_path(@project.namespace, @project, format: :atom, private_token: current_user.private_token), title: "Subscribe", class: 'btn rss-btn has-tooltip' do
-          = icon('rss')
+    .controls
+      = link_to namespace_project_path(@project.namespace, @project, rss_url_options), title: "Subscribe", class: 'btn rss-btn has-tooltip' do
+        = icon('rss')
 
     = render 'shared/event_filter'
 

app/views/projects/commits/show.atom.builder

 xml.instruct!
 xml.feed "xmlns" => "http://www.w3.org/2005/Atom", "xmlns:media" => "http://search.yahoo.com/mrss/" do
   xml.title   "#{@project.name}:#{@ref} commits"
-  xml.link    href: namespace_project_commits_url(@project.namespace, @project, @ref, format: :atom, private_token: current_user.try(:private_token)), rel: "self", type: "application/atom+xml"
+  xml.link    href: namespace_project_commits_url(@project.namespace, @project, @ref, rss_url_options), rel: "self", type: "application/atom+xml"
   xml.link    href: namespace_project_commits_url(@project.namespace, @project, @ref), rel: "alternate", type: "text/html"
   xml.id      namespace_project_commits_url(@project.namespace, @project, @ref)
   xml.updated @commits.first.committed_date.xmlschema if @commits.any?

app/views/projects/commits/show.html.haml

@@ -2,8 +2,7 @@
 
 - page_title "Commits", @ref
 = content_for :meta_tags do
-  - if current_user
-    = auto_discovery_link_tag(:atom, namespace_project_commits_url(@project.namespace, @project, @ref, format: :atom, private_token: current_user.private_token), title: "#{@project.name}:#{@ref} commits")
+  = auto_discovery_link_tag(:atom, namespace_project_commits_url(@project.namespace, @project, @ref, rss_url_options), title: "#{@project.name}:#{@ref} commits")
 
 = content_for :sub_nav do
   = render "head"
@@ -27,10 +26,9 @@
       .control
         = form_tag(namespace_project_commits_path(@project.namespace, @project, @id), method: :get, class: 'commits-search-form') do
           = search_field_tag :search, params[:search], { placeholder: 'Filter by commit message', id: 'commits-search', class: 'form-control search-text-input input-short', spellcheck: false }
-      - if current_user && current_user.private_token
-        .control
-          = link_to namespace_project_commits_path(@project.namespace, @project, @ref, { format: :atom, private_token: current_user.private_token }), title: "Commits Feed", class: 'btn' do
-            = icon("rss")
+      .control
+        = link_to namespace_project_commits_path(@project.namespace, @project, @ref, rss_url_options), title: "Commits Feed", class: 'btn' do
+          = icon("rss")
 
   %div{ id: dom_id(@project) }
     %ol#commits-list.list-unstyled.content_list

app/views/projects/issues/index.html.haml

@@ -10,17 +10,15 @@
   = page_specific_javascript_bundle_tag('filtered_search')
 
 = content_for :meta_tags do
-  - if current_user
-    = auto_discovery_link_tag(:atom, url_for(params.merge(format: :atom, private_token: current_user.private_token)), title: "#{@project.name} issues")
+  = auto_discovery_link_tag(:atom, params.merge(rss_url_options), title: "#{@project.name} issues")
 
 - if project_issues(@project).exists?
   %div{ class: (container_class) }
     .top-area
       = render 'shared/issuable/nav', type: :issues
       .nav-controls
-        - if current_user
-          = link_to url_for(params.merge(format: :atom, private_token: current_user.private_token)), class: 'btn append-right-10 has-tooltip', title: 'Subscribe' do
-            = icon('rss')
+        = link_to params.merge(rss_url_options), class: 'btn append-right-10 has-tooltip', title: 'Subscribe' do
+          = icon('rss')
         - if can? current_user, :create_issue, @project
           = link_to new_namespace_project_issue_path(@project.namespace,
                                                      @project,

app/views/projects/show.atom.builder

 xml.instruct!
 xml.feed "xmlns" => "http://www.w3.org/2005/Atom", "xmlns:media" => "http://search.yahoo.com/mrss/" do
   xml.title   "#{@project.name} activity"
-  xml.link    href: namespace_project_url(@project.namespace, @project, format: :atom, private_token: current_user.try(:private_token)), rel: "self", type: "application/atom+xml"
+  xml.link    href: namespace_project_url(@project.namespace, @project, rss_url_options), rel: "self", type: "application/atom+xml"
   xml.link    href: namespace_project_url(@project.namespace, @project), rel: "alternate", type: "text/html"
   xml.id      namespace_project_url(@project.namespace, @project)
   xml.updated @events[0].updated_at.xmlschema if @events[0]

app/views/projects/show.html.haml

 - @no_container = true
 
 = content_for :meta_tags do
-  - if current_user
-    = auto_discovery_link_tag(:atom, namespace_project_path(@project.namespace, @project, format: :atom, private_token: current_user.private_token), title: "#{@project.name} activity")
+  = auto_discovery_link_tag(:atom, namespace_project_path(@project.namespace, @project, rss_url_options), title: "#{@project.name} activity")
 
 = content_for :flash_message do
   - if current_user && can?(current_user, :download_code, @project)

app/views/projects/tree/show.html.haml

@@ -2,8 +2,7 @@
 
 - page_title @path.presence || "Files", @ref
 = content_for :meta_tags do
-  - if current_user
-    = auto_discovery_link_tag(:atom, namespace_project_commits_url(@project.namespace, @project, @ref, format: :atom, private_token: current_user.private_token), title: "#{@project.name}:#{@ref} commits")
+  = auto_discovery_link_tag(:atom, namespace_project_commits_url(@project.namespace, @project, @ref, rss_url_options), title: "#{@project.name}:#{@ref} commits")
 = render "projects/commits/head"
 = render 'projects/last_push'
 

app/views/users/show.html.haml

@@ -24,13 +24,12 @@
           = link_to new_abuse_report_path(user_id: @user.id, ref_url: request.referrer), class: 'btn btn-gray',
             title: 'Report abuse', data: { toggle: 'tooltip', placement: 'bottom', container: 'body' } do
             = icon('exclamation-circle')
-      - if current_user
-        = link_to user_path(@user, :atom, { private_token: current_user.private_token }), class: 'btn btn-gray' do
-          = icon('rss')
-        - if current_user.admin?
-          = link_to [:admin, @user], class: 'btn btn-gray', title: 'View user in admin area',
-            data: {toggle: 'tooltip', placement: 'bottom', container: 'body'} do
-            = icon('users')
+      = link_to user_path(@user, rss_url_options), class: 'btn btn-gray' do
+        = icon('rss')
+      - if current_user && current_user.admin?
+        = link_to [:admin, @user], class: 'btn btn-gray', title: 'View user in admin area',
+          data: {toggle: 'tooltip', placement: 'bottom', container: 'body'} do
+          = icon('users')
 
     .profile-header
       .avatar-holder

changelogs/unreleased/2629-show-public-rss-feeds-to-anonymous-users.yml

+---
+title: Show public RSS feeds to anonymous users
+merge_request:
+author:

spec/features/dashboard/activity_spec.rb

+require 'spec_helper'
+
+RSpec.describe 'Dashboard Activity', feature: true do
+  before do
+    login_as(create :user)
+    visit activity_dashboard_path
+  end
+  
+  it_behaves_like "it has an RSS button with current_user's private token"
+  it_behaves_like "an autodiscoverable RSS feed with current_user's private token"
+end

spec/features/dashboard/issues_spec.rb

@@ -45,4 +45,7 @@
     expect(page).to have_content(assigned_issue.title)
     expect(page).to have_content(other_issue.title)
   end
+
+  it_behaves_like "it has an RSS button with current_user's private token"
+  it_behaves_like "an autodiscoverable RSS feed with current_user's private token"
 end

spec/features/dashboard/projects_spec.rb

+require 'spec_helper'
+
+RSpec.describe 'Dashboard Projects', feature: true do
+  before do
+    login_as(create :user)
+    visit dashboard_projects_path
+  end
+  
+  it_behaves_like "an autodiscoverable RSS feed with current_user's private token"
+end

spec/features/groups/activity_spec.rb

+require 'spec_helper'
+
+feature 'Group activity page', feature: true do
+  let(:group) { create(:group) }
+  let(:path) { activity_group_path(group) }
+
+  context 'when signed in' do
+    before do
+      user = create(:group_member, :developer, user: create(:user), group: group ).user
+      login_as(user)
+      visit path
+    end
+
+    it_behaves_like "it has an RSS button with current_user's private token"
+    it_behaves_like "an autodiscoverable RSS feed with current_user's private token"
+  end
+
+  context 'when signed out' do
+    before do
+      visit path
+    end
+
+    it_behaves_like "it has an RSS button without a private token"
+    it_behaves_like "an autodiscoverable RSS feed without a private token"
+  end
+end

spec/features/groups/issues_spec.rb

@@ -5,4 +5,22 @@
   let(:issuable) { create(:issue, project: project, title: "this is my created issuable")}
 
   include_examples 'project features apply to issuables', Issue
+
+  context 'rss feed' do
+    let(:access_level) { ProjectFeature::ENABLED }
+
+    context 'when signed in' do
+      let(:user) { user_in_group }
+
+      it_behaves_like "it has an RSS button with current_user's private token"
+      it_behaves_like "an autodiscoverable RSS feed with current_user's private token"
+    end
+
+    context 'when signed out' do
+      let(:user) { nil }
+
+      it_behaves_like "it has an RSS button without a private token"
+      it_behaves_like "an autodiscoverable RSS feed without a private token"
+    end
+  end
 end

spec/features/groups/show_spec.rb

+require 'spec_helper'
+
+feature 'Group show page', feature: true do
+  let(:group) { create(:group) }
+  let(:path) { group_path(group) }
+
+  context 'when signed in' do
+    before do
+      user = create(:group_member, :developer, user: create(:user), group: group ).user
+      login_as(user)
+      visit path
+    end
+
+    it_behaves_like "an autodiscoverable RSS feed with current_user's private token"
+  end
+
+  context 'when signed out' do
+    before do
+      visit path
+    end
+
+    it_behaves_like "an autodiscoverable RSS feed without a private token"
+  end
+end

spec/features/projects/activity/rss_spec.rb

+require 'spec_helper'
+
+feature 'Project Activity RSS' do
+  let(:project) { create(:empty_project, visibility_level: Gitlab::VisibilityLevel::PUBLIC) }
+  let(:path) { activity_namespace_project_path(project.namespace, project) }
+
+  before do
+    create(:issue, project: project)
+  end
+
+  context 'when signed in' do
+    before do
+      user = create(:user)
+      project.team << [user, :developer]
+      login_as(user)
+      visit path
+    end
+
+    it_behaves_like "it has an RSS button with current_user's private token"
+  end
+
+  context 'when signed out' do
+    before do
+      visit path
+    end
+
+    it_behaves_like "it has an RSS button without a private token"
+  end
+end

spec/features/projects/commit/rss_spec.rb

+require 'spec_helper'
+
+feature 'Project Commits RSS' do
+  let(:project) { create(:project, :repository, visibility_level: Gitlab::VisibilityLevel::PUBLIC) }
+  let(:path) { namespace_project_commits_path(project.namespace, project, :master) }
+
+  context 'when signed in' do
+    before do
+      user = create(:user)
+      project.team << [user, :developer]
+      login_as(user)
+      visit path
+    end
+
+    it_behaves_like "it has an RSS button with current_user's private token"
+    it_behaves_like "an autodiscoverable RSS feed with current_user's private token"
+  end
+
+  context 'when signed out' do
+    before do
+      visit path
+    end
+
+    it_behaves_like "it has an RSS button without a private token"
+    it_behaves_like "an autodiscoverable RSS feed without a private token"
+  end
+end

spec/features/projects/issues/rss_spec.rb

+require 'spec_helper'
+
+feature 'Project Issues RSS' do
+  let(:project) { create(:empty_project, visibility_level: Gitlab::VisibilityLevel::PUBLIC) }
+  let(:path) { namespace_project_issues_path(project.namespace, project) }
+
+  before do
+    create(:issue, project: project)
+  end
+
+  context 'when signed in' do
+    before do
+      user = create(:user)
+      project.team << [user, :developer]
+      login_as(user)
+      visit path
+    end
+
+    it_behaves_like "it has an RSS button with current_user's private token"
+    it_behaves_like "an autodiscoverable RSS feed with current_user's private token"
+  end
+
+  context 'when signed out' do
+    before do
+      visit path
+    end
+
+    it_behaves_like "it has an RSS button without a private token"
+    it_behaves_like "an autodiscoverable RSS feed without a private token"
+  end
+end

spec/features/projects/main/rss_spec.rb

+require 'spec_helper'
+
+feature 'Project RSS' do
+  let(:project) { create(:project, :repository, visibility_level: Gitlab::VisibilityLevel::PUBLIC) }
+  let(:path) { namespace_project_path(project.namespace, project) }
+
+  context 'when signed in' do
+    before do
+      user = create(:user)
+      project.team << [user, :developer]
+      login_as(user)
+      visit path
+    end
+
+    it_behaves_like "an autodiscoverable RSS feed with current_user's private token"
+  end
+
+  context 'when signed out' do
+    before do
+      visit path
+    end
+
+    it_behaves_like "an autodiscoverable RSS feed without a private token"
+  end
+end

spec/features/projects/tree/rss_spec.rb

+require 'spec_helper'
+
+feature 'Project Tree RSS' do
+  let(:project) { create(:project, :repository, visibility_level: Gitlab::VisibilityLevel::PUBLIC) }
+  let(:path) { namespace_project_tree_path(project.namespace, project, :master) }
+
+  context 'when signed in' do
+    before do
+      user = create(:user)
+      project.team << [user, :developer]
+      login_as(user)
+      visit path
+    end
+
+    it_behaves_like "an autodiscoverable RSS feed with current_user's private token"
+  end
+
+  context 'when signed out' do
+    before do
+      visit path
+    end
+
+    it_behaves_like "an autodiscoverable RSS feed without a private token"
+  end
+end

spec/features/users/rss_spec.rb

+require 'spec_helper'
+
+feature 'User RSS' do
+  let(:path) { user_path(create(:user)) }
+
+  context 'when signed in' do
+    before do
+      login_as(create(:user))
+      visit path
+    end
+
+    it_behaves_like "it has an RSS button with current_user's private token"
+  end
+
+  context 'when signed out' do
+    before do
+      visit path
+    end
+
+    it_behaves_like "it has an RSS button without a private token"
+  end
+end

spec/helpers/rss_helper_spec.rb

+require 'spec_helper'
+
+describe RssHelper do
+  describe '#rss_url_options' do
+    context 'when signed in' do
+      it "includes the current_user's private_token" do
+        current_user = create(:user)
+        allow(helper).to receive(:current_user).and_return(current_user)
+        expect(helper.rss_url_options).to include private_token: current_user.private_token
+      end
+    end
+
+    context 'when signed out' do
+      it "does not have a private_token" do
+        allow(helper).to receive(:current_user).and_return(nil)
+        expect(helper.rss_url_options[:private_token]).to be_nil
+      end
+    end
+  end
+end

spec/support/features/rss_shared_examples.rb

+shared_examples "an autodiscoverable RSS feed with current_user's private token" do
+  it "has an RSS autodiscovery link tag with current_user's private token" do
+    expect(page).to have_css("link[type*='atom+xml'][href*='private_token=#{Thread.current[:current_user].private_token}']", visible: false)
+  end
+end
+
+shared_examples "it has an RSS button with current_user's private token" do
+  it "shows the RSS button with current_user's private token" do
+    expect(page).to have_css("a:has(.fa-rss)[href*='private_token=#{Thread.current[:current_user].private_token}']")
+  end
+end
+
+shared_examples "an autodiscoverable RSS feed without a private token" do
+  it "has an RSS autodiscovery link tag without a private token" do
+    expect(page).to have_css("link[type*='atom+xml']:not([href*='private_token'])", visible: false)
+  end
+end
+
+shared_examples "it has an RSS button without a private token" do
+  it "shows the RSS button without a private token" do
+    expect(page).to have_css("a:has(.fa-rss):not([href*='private_token'])")
+  end
+end

spec/support/project_features_apply_to_issuables_shared_examples.rb

@@ -18,7 +18,7 @@ def project_args
 
   before do
     _ = issuable
-    login_as(user)
+    login_as(user) if user
     visit path
   end