Bug 1493788

Summary:	it's possible to add multiple shopping carts for the authenticated user
Product:	Red Hat CloudForms Management Engine	Reporter:	Martin Kourim <mkourim>
Component:	API	Assignee:	Gregg Tanzillo <gtanzill>
Status:	CLOSED ERRATA	QA Contact:	Parthvi Vala <pvala>
Severity:	medium	Docs Contact:
Priority:	medium
Version:	5.8.0	CC:	dajohnso, jhardy, nansari, obarenbo, simaishi
Target Milestone:	GA	Keywords:	PrioBumpQA
Target Release:	5.10.0
Hardware:	Unspecified
OS:	Unspecified
Whiteboard:	api:rest:services
Fixed In Version:	5.10.0.0	Doc Type:	If docs needed, set a value
Doc Text:		Story Points:	---
Clone Of:		Environment:
Last Closed:	2019-02-07 23:02:46 UTC	Type:	Bug
Regression:	---	Mount Type:	---
Documentation:	---	CRM:
Verified Versions:		Category:	---
oVirt Team:	---	RHEL 7.3 requirements from Atomic Host:
Cloudforms Team:	---	Target Upstream Version:
Embargoed:

Description Martin Kourim 2017-09-20 23:57:40 UTC

Description of problem:
According to the documentation [1], "There is one and only one shopping cart for the authenticated user" and "A shopping cart is an /api/service_orders resource with a state of cart".
However it's possible to add multiple shopping carts, i.e. /api/service_orders resources with a state of "cart". The /api/service_orders/cart always points to the one with the lowest id.

http://manageiq.org/docs/reference/latest/api/reference/service_orders


Version-Release number of selected component (if applicable):
5.8.2


How reproducible:
very


Steps to Reproduce:
POST /api/service_orders
{ "action": "create", "name": "cart" }
and repeat any number of times

Actual results:
new /api/service_orders resources with a state of "cart"


Expected results:
only one shopping cart for the authenticated user can be created

Comment 2 Jillian Tullo 2017-10-13 14:49:24 UTC

PR: https://github.com/ManageIQ/manageiq-api/pull/123

Comment 3 Jillian Tullo 2017-10-30 21:22:53 UTC

updated PR https://github.com/ManageIQ/manageiq/pull/16351

Comment 4 Martin Kourim 2017-11-24 17:09:50 UTC

On 5.9.0.10 it's still possible to create multiple carts:

POST /api/service_orders
{ "name": "cart1"}

Response:
{
    "results": [
        {
            ...
            "name": "cart1",
            "tenant_id": "2",
            "user_id": "1",
            "user_name": "Administrator",
            "state": "cart",
            ...
        }
    ]
}

POST /api/service_orders
{ "name": "cart2"}

Response:
{
    "results": [
        {
            ...
            "name": "cart2",
            "tenant_id": "2",
            "user_id": "1",
            "user_name": "Administrator",
            "state": "cart",
            ...
        }
    ]
}

Comment 5 CFME Bot 2018-02-16 20:26:20 UTC

https://github.com/ManageIQ/manageiq-api/pull/324

Comment 6 CFME Bot 2018-02-16 21:46:14 UTC

New commit detected on ManageIQ/manageiq-api/master:
https://github.com/ManageIQ/manageiq-api/commit/fa36a7f18a4fa838b2dc64b2a9fa4297337a3c78

commit fa36a7f18a4fa838b2dc64b2a9fa4297337a3c78
Author:     Jillian Tullo <jtullo>
AuthorDate: Fri Feb 16 15:12:35 2018 -0500
Commit:     Jillian Tullo <jtullo>
CommitDate: Fri Feb 16 15:36:42 2018 -0500

    Only allow one cart to be created at a time
    
    This ensures that the user is assigned before saving, to ensure that only one cart is created at a time
    
    Fixes https://bugzilla.redhat.com/show_bug.cgi?id=1493788

 app/controllers/api/service_orders_controller.rb | 13 +++++++++++--
 spec/requests/service_orders_spec.rb             | 16 ++++++++++++++++
 2 files changed, 27 insertions(+), 2 deletions(-)

Comment 8 Parthvi Vala 2019-01-03 07:46:00 UTC

FIXED. Verified on 5.10.0.30.20181218191323_900a416.

Comment 9 errata-xmlrpc 2019-02-07 23:02:46 UTC

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2019:0212