Bug 1493788

Summary: it's possible to add multiple shopping carts for the authenticated user
Product: Red Hat CloudForms Management Engine Reporter: Martin Kourim <mkourim>
Component: APIAssignee: Gregg Tanzillo <gtanzill>
Status: CLOSED ERRATA QA Contact: Parthvi Vala <pvala>
Severity: medium Docs Contact:
Priority: medium    
Version: 5.8.0CC: dajohnso, jhardy, nansari, obarenbo, simaishi
Target Milestone: GAKeywords: PrioBumpQA
Target Release: 5.10.0   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard: api:rest:services
Fixed In Version: 5.10.0.0 Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2019-02-07 23:02:46 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:

Description Martin Kourim 2017-09-20 23:57:40 UTC
Description of problem:
According to the documentation [1], "There is one and only one shopping cart for the authenticated user" and "A shopping cart is an /api/service_orders resource with a state of cart".
However it's possible to add multiple shopping carts, i.e. /api/service_orders resources with a state of "cart". The /api/service_orders/cart always points to the one with the lowest id.

http://manageiq.org/docs/reference/latest/api/reference/service_orders


Version-Release number of selected component (if applicable):
5.8.2


How reproducible:
very


Steps to Reproduce:
POST /api/service_orders
{ "action": "create", "name": "cart" }
and repeat any number of times

Actual results:
new /api/service_orders resources with a state of "cart"


Expected results:
only one shopping cart for the authenticated user can be created

Comment 2 Jillian Tullo 2017-10-13 14:49:24 UTC
PR: https://github.com/ManageIQ/manageiq-api/pull/123

Comment 3 Jillian Tullo 2017-10-30 21:22:53 UTC
updated PR https://github.com/ManageIQ/manageiq/pull/16351

Comment 4 Martin Kourim 2017-11-24 17:09:50 UTC
On 5.9.0.10 it's still possible to create multiple carts:

POST /api/service_orders
{ "name": "cart1"}

Response:
{
    "results": [
        {
            ...
            "name": "cart1",
            "tenant_id": "2",
            "user_id": "1",
            "user_name": "Administrator",
            "state": "cart",
            ...
        }
    ]
}

POST /api/service_orders
{ "name": "cart2"}

Response:
{
    "results": [
        {
            ...
            "name": "cart2",
            "tenant_id": "2",
            "user_id": "1",
            "user_name": "Administrator",
            "state": "cart",
            ...
        }
    ]
}

Comment 6 CFME Bot 2018-02-16 21:46:14 UTC
New commit detected on ManageIQ/manageiq-api/master:
https://github.com/ManageIQ/manageiq-api/commit/fa36a7f18a4fa838b2dc64b2a9fa4297337a3c78

commit fa36a7f18a4fa838b2dc64b2a9fa4297337a3c78
Author:     Jillian Tullo <jtullo@redhat.com>
AuthorDate: Fri Feb 16 15:12:35 2018 -0500
Commit:     Jillian Tullo <jtullo@redhat.com>
CommitDate: Fri Feb 16 15:36:42 2018 -0500

    Only allow one cart to be created at a time
    
    This ensures that the user is assigned before saving, to ensure that only one cart is created at a time
    
    Fixes https://bugzilla.redhat.com/show_bug.cgi?id=1493788

 app/controllers/api/service_orders_controller.rb | 13 +++++++++++--
 spec/requests/service_orders_spec.rb             | 16 ++++++++++++++++
 2 files changed, 27 insertions(+), 2 deletions(-)

Comment 8 Parthvi Vala 2019-01-03 07:46:00 UTC
FIXED. Verified on 5.10.0.30.20181218191323_900a416.

Comment 9 errata-xmlrpc 2019-02-07 23:02:46 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2019:0212