Only allow non-UI service ordering when the product setting is enabled
eclarizio committed Sep 27, 2018
1 parent ec0a7e5 commit f6c1828
Showing 2 changed files with 38 additions and 1 deletion.
13 changes: 12 additions & 1 deletion app/controllers/api/mixins/service_templates.rb
@@ -3,7 +3,9 @@ module Mixins
module ServiceTemplates
def order_service_template(id, data, scheduled_time = nil)
service_template = resource_search(id, :service_templates, ServiceTemplate)
raise BadRequestError, "#{service_template_ident(service_template)} cannot be ordered" unless service_template.orderable?
unless api_request_allowed? && service_template.orderable?
raise BadRequestError, "#{service_template_ident(service_template)} cannot be ordered"
end
request_result = service_template.order(User.current_user, (data || {}), {:submit_workflow => true}, scheduled_time)
errors = request_result[:errors]
if errors.present?
@@ -17,6 +19,15 @@ def order_service_template(id, data, scheduled_time = nil)
def service_template_ident(st)
"Service Template id:#{st.id} name:'#{st.name}'"
end

def api_request_allowed?
return true if request_from_ui?
Settings.product.allow_api_service_ordering
end

def request_from_ui?
!request.authorization.try(:downcase).try(:starts_with?, "basic")
end
end
end
end
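Review bot: `request_from_ui?` in the second hunk classifies a request as UI-originated whenever the Authorization header does not begin with "basic", so a request with no Authorization header at all (`request.authorization` is nil, the `try` chain yields nil, and `!nil` is true) or one using any scheme other than Basic passes `api_request_allowed?` regardless of `Settings.product.allow_api_service_ordering`. The setting therefore only restricts Basic-auth clients rather than non-UI ordering in general, which is narrower than the commit title suggests. A positive marker that the UI itself supplies would be a firmer basis than the absence of Basic auth; at minimum the heuristic deserves a comment such as `# NOTE: absence of Basic auth does not prove a UI origin; clients using another scheme or no header also pass here`. order_service_template's body continues outside the first hunk.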
26 changes: 26 additions & 0 deletions spec/requests/service_templates_spec.rb
@@ -576,6 +576,32 @@
expect(actions).to_not include("order")
end
end

context "with the product setting not allowing standalone service template ordering" do
let(:template_no_display) { FactoryGirl.create(:service_template, :display => false) }
let(:product_settings) { double(:allow_api_service_ordering => false) }

before do
stub_settings_merge(:product => product_settings)
end

context "with basic authorization" do
it "rejects the request" do
api_basic_authorize action_identifier(:service_templates, :order, :resource_actions, :post)

post(api_service_template_url(nil, template_no_display), :params => { :action => "order" })

expected = {
"error" => a_hash_including(
"kind" => "bad_request",
"message" => /cannot be ordered/
)
}
expect(response).to have_http_status(:bad_request)
expect(response.parsed_body).to include(expected)
end
end
end
end

describe "Service Templates archive" do

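Review bot: The new context only asserts the rejection under Basic authorization; nothing exercises the complementary path where the product setting is stubbed to true, so a regression that made `api_request_allowed?` unconditionally false would pass this spec unnoticed. A second example using `double(:allow_api_service_ordering => true)` with the same `post` and expecting the order to be accepted would pin both sides of the gate. The name `template_no_display` also describes the factory's `:display => false` rather than the scenario under test; if display is not what matters here, a plain `template` would read more clearly.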