Closed
Description
This belongs to the OAuth Epic: #4004 - please read this for the big picture of what this issue is for :)
The authorization method needs to be changed to allow access to the following API endpoints without requiring authentication:
- GET /ghost/api/v0.1/posts/ (status == published)
- GET /ghost/api/v0.1/posts/<id> (status == published)
- GET /ghost/api/v0.1/posts/slug/<slug> (status == published)
- GET /ghost/api/v0.1/tags/
- GET /ghost/api/v0.1/settings/ (type == blog)
- GET /ghost/api/v0.1/settings/<key> (type == blog)
- GET /ghost/api/v0.1/users/<id>
- GET /ghost/api/v0.1/users/slug/<slug>
- GET /ghost/api/v0.1/users/email/<email>
While implementing this issue it would be good to investigate if it is possible to do the authentication only if a bearer token is available in the request body and let canThis() deny access if authentication is required.
Attention: Third party access to public endpoints should not be allowed before all permissions are in place (#3911).
Labels: affects:api (Affects the Ghost API)
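One way to structure the approach the issue above describes, as an added example that is not Ghost's code and not part of the original issue: authenticate only when a bearer token is presented, then let a permission check (a stand-in for canThis()) decide. The token store, rule table and function names are hypothetical, and authenticated users are assumed to be allowed to read everything.

```javascript
// Added example: NOT Ghost's implementation. TOKENS, PUBLIC_READ, optionalBearerAuth,
// canRead and handleRead are hypothetical names; the token is a constructed sample.
const TOKENS = new Map([['constructed-token-123', { id: 1 }]]);

// Step 1: authenticate only when the request presents a bearer token
// (Authorization header, or access_token in the request body).
function optionalBearerAuth(req) {
  const header = (req.headers && req.headers.authorization) || '';
  const match = /^Bearer\s+(\S+)$/i.exec(header);
  const token = match ? match[1] : (req.body && req.body.access_token);
  if (token === undefined || token === null) return { user: null }; // anonymous: defer the decision
  const user = TOKENS.get(token);
  // A token that was presented but is invalid is rejected, never downgraded to anonymous.
  return user ? { user } : { error: 401 };
}

// Step 2: the permission layer decides. Anonymous reads are allowed only for
// the object types and filters listed in the issue. A Map is used so inherited
// keys such as "constructor" can never match as a rule.
const PUBLIC_READ = new Map([
  ['post', (obj) => obj.status === 'published'],
  ['setting', (obj) => obj.type === 'blog'],
  ['tag', () => true],
  ['user', () => true],
]);

function canRead(user, objectType, obj) {
  if (user) return true; // simplification: real role checks would go here
  const rule = PUBLIC_READ.get(objectType);
  return Boolean(rule && obj && rule(obj));
}

// Ties both steps together and returns the HTTP status the API would send.
function handleRead(req, objectType, obj) {
  const auth = optionalBearerAuth(req);
  if (auth.error) return auth.error;
  return canRead(auth.user, objectType, obj) ? 200 : 401; // 401: authentication required
}
```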