From d9fbe68d5e0b6fded6349547513475045de16067 Mon Sep 17 00:00:00 2001
From: Tommi Vainikainen <tvainika@aiven.io>
Date: Tue, 7 Nov 2023 15:24:23 +0200
Subject: [PATCH] Fix authentication check with referencedby route

---
 karapace/schema_registry_apis.py               | 1 +
 tests/integration/test_schema_registry_auth.py | 3 +++
 2 files changed, 4 insertions(+)

diff --git a/karapace/schema_registry_apis.py b/karapace/schema_registry_apis.py
index f4d22cd78..e510dde9b 100644
--- a/karapace/schema_registry_apis.py
+++ b/karapace/schema_registry_apis.py
@@ -291,6 +291,7 @@ def _add_schema_registry_routes(self) -> None:
             callback=self.subject_version_referencedby_get,
             method="GET",
             schema_request=True,
+            auth=self._auth,
         )
         self.route(
             "/subjects/<subject:path>",
diff --git a/tests/integration/test_schema_registry_auth.py b/tests/integration/test_schema_registry_auth.py
index fbc3adb70..d58fde421 100644
--- a/tests/integration/test_schema_registry_auth.py
+++ b/tests/integration/test_schema_registry_auth.py
@@ -94,6 +94,9 @@ async def test_sr_auth_endpoints(registry_async_client_auth: Client) -> None:
     res = await registry_async_client_auth.get(f"subjects/{quote(subject)}/versions/1/schema")
     assert res.status_code == 401
 
+    res = await registry_async_client_auth.get(f"subjects/{quote(subject)}/versions/1/referencedby")
+    assert res.status_code == 401
+
     res = await registry_async_client_auth.delete(f"subjects/{quote(subject)}")
     assert res.status_code == 401