Allow accessing `_api/cluser/endpoints` as authenticated user via the `_system` database. (#7342)

arangod/GeneralServer/GeneralCommTask.cpp

@@ -135,11 +135,11 @@ bool resolveRequestContext(GeneralRequest& req) {
   if (!guard) {
     return false;
   }
-  
+
   // the vocbase context is now responsible for releasing the vocbase
   req.setRequestContext(guard.get(), true);
   guard.release();
-  
+
   // the "true" means the request is the owner of the context
   return true;
 }
@@ -489,11 +489,12 @@ rest::ResponseCode GeneralCommTask::canAccessPath(
     // no authentication required at all
     return rest::ResponseCode::OK;
   }
-    
+
   std::string const& path = request.requestPath();
   std::string const& username = request.user();
+  bool userAuthenticated = request.authenticated();
 
-  rest::ResponseCode result = request.authenticated()
+  rest::ResponseCode result = userAuthenticated
                                   ? rest::ResponseCode::OK
                                   : rest::ResponseCode::UNAUTHORIZED;
 
@@ -505,7 +506,7 @@ rest::ResponseCode GeneralCommTask::canAccessPath(
     result = rest::ResponseCode::UNAUTHORIZED;
     LOG_TOPIC(TRACE, Logger::AUTHORIZATION) << "Access forbidden to " << path;
 
-    if (request.authenticated()) {
+    if (userAuthenticated) {
       request.setAuthenticated(false);
     }
   }
@@ -552,6 +553,10 @@ rest::ResponseCode GeneralCommTask::canAccessPath(
         // req.user when it could be validated
         result = rest::ResponseCode::OK;
         vc->forceSuperuser();
+      } else if (userAuthenticated && path == "/_api/cluster/endpoints") {
+        // allow authenticated users to access cluster/endpoints
+        result = rest::ResponseCode::OK;
+        //vc->forceReadOnly();
       } else if (request.requestType() == RequestType::POST &&
                  !username.empty() &&
                  StringUtils::isPrefix(path, ApiUser + username + '/')) {