Updated API auth to allow public user if given permission

app/Http/Middleware/ApiAuthenticate.php

@@ -35,9 +35,9 @@ class ApiAuthenticate
     {
         // Return if the user is already found to be signed in via session-based auth.
         // This is to make it easy to browser the API via browser after just logging into the system.
-        if (signedInUser()) {
+        if (signedInUser() || session()->isStarted()) {
             $this->ensureEmailConfirmedIfRequested();
-            if (!auth()->user()->can('access-api')) {
+            if (!user()->can('access-api')) {
                 throw new ApiAuthException(trans('errors.api_user_no_api_permission'), 403);
             }
             return;

tests/Api/ApiDocsTest.php

@@ -1,5 +1,6 @@
 <?php namespace Tests\Api;
 
+use BookStack\Auth\User;
 use Tests\TestCase;
 
 class ApiDocsTest extends TestCase
@@ -39,4 +40,19 @@ class ApiDocsTest extends TestCase
             ] ]
         ]);
     }
+
+    public function test_docs_page_visible_by_public_user_if_given_permission()
+    {
+        $this->setSettings(['app-public' => true]);
+        $guest = User::getDefault();
+
+        $this->startSession();
+        $resp = $this->get('/api/docs');
+        $resp->assertStatus(403);
+
+        $this->giveUserPermissions($guest, ['access-api']);
+
+        $resp = $this->get('/api/docs');
+        $resp->assertStatus(200);
+    }
 }