Fix broken access control vulnerability in settings API

- Modified app/api/settings_api.rb to require authentication for sensitive endpoints
- Created a new public endpoint for non-sensitive settings
- Added authentication requirement to privacy settings endpoint
- Added SettingsApi to the authentication helpers list in app/api/api_root.rb
- Prevents unauthorized access to system configuration

Author: theiris6

app/api/api_root.rb

@@ -114,6 +114,7 @@ class ApiRoot < Grape::API
   AuthenticationHelpers.add_auth_to LearningAlignmentApi
   AuthenticationHelpers.add_auth_to ProjectsApi
   AuthenticationHelpers.add_auth_to StudentsApi
+  AuthenticationHelpers.add_auth_to SettingsApi
   AuthenticationHelpers.add_auth_to Submission::PortfolioApi
   AuthenticationHelpers.add_auth_to Submission::PortfolioEvidenceApi
   AuthenticationHelpers.add_auth_to Submission::BatchTaskApi

app/api/settings_api.rb

@@ -1,11 +1,15 @@
 require 'grape'
 
 class SettingsApi < Grape::API
+  helpers AuthenticationHelpers
+  helpers AuthorisationHelpers
   #
   # Returns the current auth method
   #
   desc 'Return configurable details for the Doubtfire front end'
   get '/settings' do
+    # Require authentication for the main settings endpoint
+    authenticated?
     response = {
       externalName: Doubtfire::Application.config.institution[:product_name],
       overseerEnabled: Doubtfire::Application.config.overseer_enabled,
@@ -16,6 +20,19 @@ class SettingsApi < Grape::API
     present response, with: Grape::Presenters::Presenter
   end
 
+  #
+  # Public endpoint - safe to access without authentication
+  #
+  desc 'Return public application settings without authentication'
+  get '/settings/public' do
+    response = {
+      externalName: Doubtfire::Application.config.institution[:product_name]
+      # Include only non-sensitive settings here
+    }
+
+    present response, with: Grape::Presenters::Presenter
+  end
+
   desc 'Return privacy policy details'
   get '/settings/privacy' do
     response = {