Only allow non-UI service ordering when the product setting is enabled

https://bugzilla.redhat.com/show_bug.cgi?id=1632416
ManageIQ · Oct 18, 2018 · e72f675 · e72f675
1 parent 73eee92
commit e72f675
Show file tree

Hide file tree

Showing 3 changed files with 22 additions and 1 deletion.
diff --git a/app/controllers/api/mixins/service_templates.rb b/app/controllers/api/mixins/service_templates.rb
@@ -3,7 +3,9 @@ module Mixins
     module ServiceTemplates
       def order_service_template(id, data, scheduled_time = nil)
         service_template = resource_search(id, :service_templates, ServiceTemplate)
-        raise BadRequestError, "#{service_template_ident(service_template)} cannot be ordered" unless service_template.orderable?
+        unless api_request_allowed? && service_template.orderable?
+          raise BadRequestError, "#{service_template_ident(service_template)} cannot be ordered"
+        end
         init_defaults = !request_from_ui? && Settings.product.run_automate_methods_on_service_api_submit
         request_result = service_template.order(User.current_user, (data || {}), {:submit_workflow => request_from_ui?, :init_defaults => init_defaults}, scheduled_time)
         errors = request_result[:errors]
@@ -28,6 +30,15 @@ def token_info
       def service_template_ident(st)
         "Service Template id:#{st.id} name:'#{st.name}'"
       end
+
+      def api_request_allowed?
+        return true if request_from_ui?
+        Settings.product.allow_api_service_ordering
+      end
+
+      def request_from_ui?
+        !request.authorization.try(:downcase).try(:starts_with?, "basic")
+      end
     end
   end
 end
diff --git a/spec/requests/service_catalogs_spec.rb b/spec/requests/service_catalogs_spec.rb
@@ -375,6 +375,10 @@ def sc_template_url(id, st_id = nil)
       request_headers["x-auth-token"] = test_token
     end
 
+    before do
+      stub_settings_merge(:product => double(:allow_api_service_ordering => true))
+    end
+
     def init_st(service_template, resource_action)
       service_template.resource_actions = [resource_action]
       dialog1.dialog_tabs << tab1

diff --git a/spec/requests/service_templates_spec.rb b/spec/requests/service_templates_spec.rb
@@ -466,6 +466,12 @@
 
   describe "Service Templates order" do
     let(:service_template) { FactoryGirl.create(:service_template, :with_provision_resource_action_and_dialog, :orderable) }
+    let(:product_settings) { double(:allow_api_service_ordering => allow_api_service_ordering) }
+    let(:allow_api_service_ordering) { true }
+
+    before do
+      stub_settings_merge(:product => product_settings)
+    end
 
     it "is forbidden without appropriate role" do
       api_basic_authorize