Deny standalone service template ordering when product setting is ena…

…bled
ManageIQ · Sep 24, 2018 · bce5997 · bce5997
1 parent ec0a7e5
commit bce5997
Show file tree

Hide file tree

Showing 2 changed files with 37 additions and 1 deletion.
diff --git a/app/controllers/api/mixins/service_templates.rb b/app/controllers/api/mixins/service_templates.rb
@@ -3,7 +3,9 @@ module Mixins
     module ServiceTemplates
       def order_service_template(id, data, scheduled_time = nil)
         service_template = resource_search(id, :service_templates, ServiceTemplate)
-        raise BadRequestError, "#{service_template_ident(service_template)} cannot be ordered" unless service_template.orderable?
+        unless api_request_allowed? && service_template.orderable?
+          raise BadRequestError, "#{service_template_ident(service_template)} cannot be ordered"
+        end
         request_result = service_template.order(User.current_user, (data || {}), {:submit_workflow => true}, scheduled_time)
         errors = request_result[:errors]
         if errors.present?
@@ -17,6 +19,14 @@ def order_service_template(id, data, scheduled_time = nil)
       def service_template_ident(st)
         "Service Template id:#{st.id} name:'#{st.name}'"
       end
+
+      def api_request_allowed?
+        standalone_api_request? ? !Settings.product.deny_api_service_ordering : true
+      end
+
+      def standalone_api_request?
+        request.authorization.present? && request.authorization.to_s.split(" ", 2).first.downcase == "basic"
+      end
     end
   end
 end
diff --git a/spec/requests/service_templates_spec.rb b/spec/requests/service_templates_spec.rb
@@ -576,6 +576,32 @@
         expect(actions).to_not include("order")
       end
     end
+
+    context "with the product setting denying standalone service template ordering" do
+      let(:template_no_display) { FactoryGirl.create(:service_template, :display => false) }
+      let(:product_settings) { double(:deny_api_service_ordering => true) }
+
+      before do
+        allow(Settings).to receive(:product).and_return(product_settings)
+      end
+
+      context "with basic authorization" do
+        it "rejects the request" do
+          api_basic_authorize action_identifier(:service_templates, :order, :resource_actions, :post)
+
+          post(api_service_template_url(nil, template_no_display), :params => { :action => "order" })
+
+          expected = {
+            "error" => a_hash_including(
+              "kind"    => "bad_request",
+              "message" => /cannot be ordered/
+            )
+          }
+          expect(response).to have_http_status(:bad_request)
+          expect(response.parsed_body).to include(expected)
+        end
+      end
+    end
   end
 
   describe "Service Templates archive" do