From 4d83ca22b507bf847685bb419873f8cb5ecde866 Mon Sep 17 00:00:00 2001
From: Tobias Trabelsi
<64127335+tobias-trabelsi-sonarsource@users.noreply.github.com>
Date: Wed, 9 Sep 2020 07:12:24 +0200
Subject: [PATCH] [DOCS] improved documentation about api endpoints
---
.../pages/instance-administration/security.md | 45 ++++++++++++++++++-
.../qualityprofile/ws/ProjectsAction.java | 3 +-
.../server/usertoken/ws/SearchAction.java | 5 ++-
3 files changed, 49 insertions(+), 4 deletions(-)
diff --git a/server/sonar-docs/src/pages/instance-administration/security.md b/server/sonar-docs/src/pages/instance-administration/security.md
index 87b91e7524f..84619a73708 100644
--- a/server/sonar-docs/src/pages/instance-administration/security.md
+++ b/server/sonar-docs/src/pages/instance-administration/security.md
@@ -28,6 +28,50 @@ To force user authentication, log in as a system administrator, go to **[Adminis
[[info]]
| SonarQube does not support sharing email addresses across multiple users.
+### API Endpoints Authentication
+
+If the **Force user authentication** property is set to false, the following API endpoints are accessible **without authentication** (click **API endpoints** below to expand the list):
+
+[[collapse]]
+| ## API endpoints
+|
+| * api/components/search
+| * api/issues/tags
+| * api/languages/list
+| * api/metrics/domains
+| * api/metrics/search
+| * api/metrics/types
+| * api/plugins/installed
+| * api/project_tags/search
+| * api/qualitygates/list
+| * api/qualitygates/search
+| * api/qualitygates/show
+| * api/qualityprofiles/backup
+| * api/qualityprofiles/changelog
+| * api/qualityprofiles/export
+| * api/qualityprofiles/exporters
+| * api/qualityprofiles/importers
+| * api/qualityprofiles/inheritance
+| * api/qualityprofiles/projects
+| * api/qualityprofiles/search
+| * api/rules/repositories
+| * api/rules/search
+| * api/rules/show
+| * api/rules/tags
+| * api/server/version
+| * api/sources/scm (for public repositories)
+| * api/sources/show (for public repositories)
+| * api/system/db_migration_status
+| * api/system/migrate_db
+| * api/system/ping
+| * api/system/status
+| * api/system/upgrades
+| * api/users/search
+| * api/views/run
+| * api/webservices/list
+| * api/webservices/response_example
+
+It is advised to enable **Force user authentication** if you have your SonarQube instance publicly accessible.
### Authentication Mechanisms
Authentication can be managed through a number of mechanisms:
@@ -157,4 +201,3 @@ sonar.jdbc.password={aes}CCGCFg4Xpm6r+PiJb1Swfg== # Encrypted DB password
...
sonar.secretKeyPath=C:/path/to/my/secure/location/my_secret_key.txt
```
-
diff --git a/server/sonar-webserver-webapi/src/main/java/org/sonar/server/qualityprofile/ws/ProjectsAction.java b/server/sonar-webserver-webapi/src/main/java/org/sonar/server/qualityprofile/ws/ProjectsAction.java
index fa00e7ddf18..1ad0f1691a6 100644
--- a/server/sonar-webserver-webapi/src/main/java/org/sonar/server/qualityprofile/ws/ProjectsAction.java
+++ b/server/sonar-webserver-webapi/src/main/java/org/sonar/server/qualityprofile/ws/ProjectsAction.java
@@ -65,7 +65,8 @@ public class ProjectsAction implements QProfileWsAction {
NewAction action = controller.createAction("projects")
.setSince("5.2")
.setHandler(this)
- .setDescription("List projects with their association status regarding a quality profile")
+ .setDescription("List projects with their association status regarding a quality profile
" +
+ "See api/qualitygates/search in order to get the Quality Gate Profile Key")
.setResponseExample(getClass().getResource("projects-example.json"));
action.setChangelog(
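Review bot: The added description line sends readers to `api/qualitygates/search` for a "Quality Gate Profile Key", but this action sits under qualityprofile/ws and lists projects for a quality profile, so the endpoint and the term both look wrong. If the intent is to say where callers get the profile key, `"See api/qualityprofiles/search in order to get the Quality Profile Key"` would fit; that endpoint appears in the list this commit adds to security.md. The first sentence also has no terminal period before the line break, so the two sentences run together when the description is rendered. The enclosing method starts and ends outside the hunk.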
diff --git a/server/sonar-webserver-webapi/src/main/java/org/sonar/server/usertoken/ws/SearchAction.java b/server/sonar-webserver-webapi/src/main/java/org/sonar/server/usertoken/ws/SearchAction.java
index 23fcdf35184..2abe73025be 100644
--- a/server/sonar-webserver-webapi/src/main/java/org/sonar/server/usertoken/ws/SearchAction.java
+++ b/server/sonar-webserver-webapi/src/main/java/org/sonar/server/usertoken/ws/SearchAction.java
@@ -51,8 +51,9 @@ public class SearchAction implements UserTokensWsAction {
WebService.NewAction action = context.createAction(ACTION_SEARCH)
.setDescription("List the access tokens of a user.
" +
"The login must exist and active.
" +
- "Field 'lastConnectionDate' is only updated every hour, so it may not be accurate, for instance when a user is using a token many times in less than one hour.
" +
+ "It requires administration permissions to specify a 'login' and list the tokens of another user. Otherwise, tokens for the current user are listed.
" +
+ "Authentication is required for this API endpoint")
.setChangelog(new Change("7.7", "New field 'lastConnectionDate' is added to response"))
.setResponseExample(getClass().getResource("search-example.json"))
.setSince("5.3")
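Review bot: The added `Authentication is required for this API endpoint` and the admin-permission sentence are description text only; the handler that would enforce them is outside this hunk, so nothing visible here confirms either check. Listing another user's tokens is an authorization boundary, so it is worth confirming that the handler rejects anonymous callers and non-admin callers who pass a foreign 'login', with a test for each case. As rendered here, the hunk also drops the 'lastConnectionDate' hourly-update caveat while the changelog line still advertises that field; if the removal is unintended, keep the sentence. A terminal period, `"Authentication is required for this API endpoint.")`, would match the preceding sentences.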
--
2.39.5