Bug 1646435

New commit detected on ManageIQ/manageiq/gaprindashvili:

https://github.com/ManageIQ/manageiq/commit/d5feeaaa2a80148ba582f2f27b6edf5d7814ca1c
commit d5feeaaa2a80148ba582f2f27b6edf5d7814ca1c
Author:     Brandon Dunne <brandondunne>
AuthorDate: Fri Oct 19 15:08:17 2018 -0400
Commit:     Brandon Dunne <brandondunne>
CommitDate: Fri Oct 19 15:08:17 2018 -0400

    Merge pull request #18029 from eclarizio/BZ1632416-Addendum

    Add product setting default for allowing API service ordering

    (cherry picked from commit e65f4d354f2f15a07f2417692b6c5ce0f5182916)

    https://bugzilla.redhat.com/show_bug.cgi?id=1646435

 config/settings.yml | 1 +
 1 file changed, 1 insertion(+)

New commits detected on ManageIQ/manageiq-api/gaprindashvili:

https://github.com/ManageIQ/manageiq-api/commit/068184ec96943dcff4cab92dff2a4c60e2bc10fe
commit 068184ec96943dcff4cab92dff2a4c60e2bc10fe
Author:     Brandon Dunne <brandondunne>
AuthorDate: Mon Oct 22 11:49:56 2018 -0400
Commit:     Brandon Dunne <brandondunne>
CommitDate: Mon Oct 22 11:49:56 2018 -0400

    Merge pull request #476 from eclarizio/dialog_ordering_security_issue

    Deny standalone service template ordering when product setting is enabled

    (cherry picked from commit 7343ad7cad22f24639a23ff3a9d6c5182d64172d)

    https://bugzilla.redhat.com/show_bug.cgi?id=1646435

 app/controllers/api/mixins/service_templates.rb | 20 +-
 spec/requests/service_catalogs_spec.rb | 7 +
 spec/requests/service_templates_spec.rb | 13 +-
 3 files changed, 36 insertions(+), 4 deletions(-)


https://github.com/ManageIQ/manageiq-api/commit/a2572b3838432e92a573a348ac34da357edc3569
commit a2572b3838432e92a573a348ac34da357edc3569
Author:     Brandon Dunne <brandondunne>
AuthorDate: Wed Oct 31 15:00:05 2018 -0400
Commit:     Brandon Dunne <brandondunne>
CommitDate: Wed Oct 31 15:00:05 2018 -0400

    Merge pull request #504 from eclarizio/dialog_ordering_security_issue_addendum

    Ensure ServiceTemplate ordering passes through the submit_workflow flag

    (cherry picked from commit bed1032d1e1fe54926e6717f116ff89cf5b55414)

    https://bugzilla.redhat.com/show_bug.cgi?id=1646435

 app/controllers/api/mixins/service_templates.rb | 3 +-
 spec/requests/service_templates_spec.rb | 19 +
 2 files changed, 21 insertions(+), 1 deletion(-)

New commit detected on ManageIQ/manageiq-api/gaprindashvili:

https://github.com/ManageIQ/manageiq-api/commit/1298a242bc3f5a4b9c7c4c90d005355cf772c1f2
commit 1298a242bc3f5a4b9c7c4c90d005355cf772c1f2
Author:     Brandon Dunne <brandondunne>
AuthorDate: Mon Oct 22 20:37:20 2018 -0400
Commit:     Brandon Dunne <brandondunne>
CommitDate: Mon Oct 22 20:37:20 2018 -0400

    Merge pull request #498 from AparnaKarve/fix_order_service_template

    provide `service_template` to `orderable?` method

    (cherry picked from commit 41b245d34c08e9fe8b6c72f04ea697baeffc0e2c)

    https://bugzilla.redhat.com/show_bug.cgi?id=1646435

 app/controllers/api/mixins/service_templates.rb | 4 +-
 1 file changed, 2 insertions(+), 2 deletions(-)

FIXED. Verified on 5.9.6.1.20181115153524_306f39f.

Steps taken to verify:
1. Go to `Configuration` and select `Advanced` tab.
2. Under the outermost `:product:`, set `:allow_api_service_ordering:` to `false`
3. Create a dialog, catalog and catalog item.
4. Send a request to order the service.

Request: POST /api/service_catalogs/:id/service_templates/:id
Query: { "action" : "order" }

Response: {
	"error": {
		"kind": "bad_request",
		"message": "Service Template id:1 name:'catalog_item_1' cannot be ordered",
		"klass": "Api::BadRequestError"
	}
}

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2018:3816