Make read-only API for public merge requests available without authentication

Summary

Currently, the read-only API for public merge requests requires authentication while the same information is available through the UI without authentication.

Example Project

https://gitlab.com/winniehell/water-child

What is the current bug behavior?

Listing merge requests

$ curl -sI https://gitlab.com/winniehell/water-child/merge_requests |
head -n 1
HTTP/1.1 200 OK

$ curl -sI
https://gitlab.com/api/v4/projects/winniehell%2Fwater-child/merge_requests
| head -n 1
HTTP/1.1 401 Unauthorized

Getting a single merge request by ID

$ curl -sI https://gitlab.com/winniehell/water-child/merge_requests/9 |
head -n 1
HTTP/1.1 200 OK

$ curl -sI
https://gitlab.com/api/v4/projects/winniehell%2Fwater-child/merge_requests/9
| head -n 1
HTTP/1.1 401 Unauthorized

Getting merge request changes

$ curl -sI
https://gitlab.com/winniehell/water-child/merge_requests/9/diffs | head -n 1
HTTP/1.1 200 OK

$ curl -sI
https://gitlab.com/api/v4/projects/winniehell%2Fwater-child/merge_requests/9/changes
| head -n 1
HTTP/1.1 401 Unauthorized

What is the expected correct behavior?

Same information that is available without authentication through the UI is also available through the API.