Optionally, with a new product setting, disable ordering a Service through the REST-API.

Additional info: https://bugzilla.redhat.com/show_bug.cgi?id=1461212
Just to add a bit more info. How to add the product setting:
1. Go to the Configuration screen.
2. Go to the Advanced tab.
3. Find the section that is labeled ':product:' and is at the outermost level of indentation. If it doesn't exist, create it.
4. One level of indentation in, add ':deny_api_service_ordering: true' without the quotes.
Now, if you order a service through the UI, it should work, but if you try to order directly via the API (via curl or something similar) then it should fail.
https://github.com/ManageIQ/manageiq-api/pull/476
https://github.com/ManageIQ/manageiq/pull/18029
New commit detected on ManageIQ/manageiq/master:
https://github.com/ManageIQ/manageiq/commit/5517c4032119f73908ed325a0331a35d849c6896
commit 5517c4032119f73908ed325a0331a35d849c6896
Author: Erik Clarizio <eclarizi>
AuthorDate: Thu Sep 27 14:07:06 2018 -0400
Commit: Erik Clarizio <eclarizi>
CommitDate: Thu Sep 27 14:07:06 2018 -0400

Add product setting default for allowing API service ordering
https://bugzilla.redhat.com/show_bug.cgi?id=1632416

 config/settings.yml | 1 +
 1 file changed, 1 insertion(+)
New commits detected on ManageIQ/manageiq-api/master:
https://github.com/ManageIQ/manageiq-api/commit/b46e4c0780d92216710d7690f90043032706bbfa
commit b46e4c0780d92216710d7690f90043032706bbfa
Author: Erik Clarizio <eclarizio>
AuthorDate: Mon Sep 24 12:50:07 2018 -0400
Commit: Erik Clarizio <eclarizio>
CommitDate: Mon Sep 24 12:50:07 2018 -0400

Only allow non-UI service ordering when the product setting is enabled
https://bugzilla.redhat.com/show_bug.cgi?id=1632416

 app/controllers/api/mixins/service_templates.rb | 13 +-
 spec/requests/service_catalogs_spec.rb | 4 +
 spec/requests/service_templates_spec.rb | 6 +
 3 files changed, 22 insertions(+), 1 deletion(-)

https://github.com/ManageIQ/manageiq-api/commit/86d0986d623b9f4b0f7b54ab95e04105c6891c09
commit 86d0986d623b9f4b0f7b54ab95e04105c6891c09
Author: Erik Clarizio <eclarizio>
AuthorDate: Fri Sep 28 13:58:05 2018 -0400
Commit: Erik Clarizio <eclarizio>
CommitDate: Fri Sep 28 13:58:05 2018 -0400

Validate ui request via auth token instead of auth strategy
https://bugzilla.redhat.com/show_bug.cgi?id=1632416

 app/controllers/api/mixins/service_templates.rb | 31 +-
 spec/requests/service_catalogs_spec.rb | 5 +-
 spec/requests/service_templates_spec.rb | 11 +-
 3 files changed, 29 insertions(+), 18 deletions(-)
New commit detected on ManageIQ/manageiq/hammer:
https://github.com/ManageIQ/manageiq/commit/b310e6f18f068213165a6b568c91c451720e3600
commit b310e6f18f068213165a6b568c91c451720e3600
Author: Brandon Dunne <brandondunne>
AuthorDate: Fri Oct 19 15:08:17 2018 -0400
Commit: Brandon Dunne <brandondunne>
CommitDate: Fri Oct 19 15:08:17 2018 -0400

Merge pull request #18029 from eclarizio/BZ1632416-Addendum
Add product setting default for allowing API service ordering
(cherry picked from commit e65f4d354f2f15a07f2417692b6c5ce0f5182916)
https://bugzilla.redhat.com/show_bug.cgi?id=1632416

 config/settings.yml | 1 +
 1 file changed, 1 insertion(+)
New commit detected on ManageIQ/manageiq-api/hammer:
https://github.com/ManageIQ/manageiq-api/commit/55732b3d20dece9cf4743fa0cd850af5c0c11e82
commit 55732b3d20dece9cf4743fa0cd850af5c0c11e82
Author: Brandon Dunne <brandondunne>
AuthorDate: Mon Oct 22 11:49:56 2018 -0400
Commit: Brandon Dunne <brandondunne>
CommitDate: Mon Oct 22 11:49:56 2018 -0400

Merge pull request #476 from eclarizio/dialog_ordering_security_issue
Deny standalone service template ordering when product setting is enabled
(cherry picked from commit 7343ad7cad22f24639a23ff3a9d6c5182d64172d)
https://bugzilla.redhat.com/show_bug.cgi?id=1632416

 app/controllers/api/mixins/service_templates.rb | 20 +-
 spec/requests/service_catalogs_spec.rb | 7 +
 spec/requests/service_templates_spec.rb | 13 +-
 3 files changed, 36 insertions(+), 4 deletions(-)
New commit detected on ManageIQ/manageiq-api/hammer:
https://github.com/ManageIQ/manageiq-api/commit/c96df66b4c40a2bf837f8e93e9d9e08a07a73318
commit c96df66b4c40a2bf837f8e93e9d9e08a07a73318
Author: Brandon Dunne <brandondunne>
AuthorDate: Mon Oct 22 20:37:20 2018 -0400
Commit: Brandon Dunne <brandondunne>
CommitDate: Mon Oct 22 20:37:20 2018 -0400

Merge pull request #498 from AparnaKarve/fix_order_service_template
provide `service_template` to `orderable?` method
(cherry picked from commit 41b245d34c08e9fe8b6c72f04ea697baeffc0e2c)
https://bugzilla.redhat.com/show_bug.cgi?id=1632416

 app/controllers/api/mixins/service_templates.rb | 4 +-
 1 file changed, 2 insertions(+), 2 deletions(-)
New commit detected on ManageIQ/manageiq-api/hammer:
https://github.com/ManageIQ/manageiq-api/commit/8475b1b2b099e9905231f7b0e39de84bfa752305
commit 8475b1b2b099e9905231f7b0e39de84bfa752305
Author: Brandon Dunne <brandondunne>
AuthorDate: Wed Oct 31 15:00:05 2018 -0400
Commit: Brandon Dunne <brandondunne>
CommitDate: Wed Oct 31 15:00:05 2018 -0400

Merge pull request #504 from eclarizio/dialog_ordering_security_issue_addendum
Ensure ServiceTemplate ordering passes through the submit_workflow flag
(cherry picked from commit bed1032d1e1fe54926e6717f116ff89cf5b55414)
https://bugzilla.redhat.com/show_bug.cgi?id=1632416

 app/controllers/api/mixins/service_templates.rb | 3 +-
 spec/requests/service_templates_spec.rb | 19 +
 2 files changed, 21 insertions(+), 1 deletion(-)
FIXED. Verified on 5.10.0.24.20181113213923_03b81fd.

Steps taken to verify:
1. Go to `Configuration` and select `Advanced` tab.
2. Under the outermost `:product:`, set `:allow_api_service_ordering:` to `false`.
3. Create a dialog, catalog and catalog item.
4. Send a request to order the service.

Request: POST /api/service_catalogs/:id/service_templates/:id
Query: { "action" : "order" }
Response:
{
  "error": {
    "kind": "bad_request",
    "message": "Service Template id:1 name:'catalog_item_1' cannot be ordered",
    "klass": "Api::BadRequestError"
  }
}
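The behaviour described in the setting instructions above and checked in the verification steps, as an added Ruby model that is not ManageIQ's own code: a product setting (`:allow_api_service_ordering:`, the name verified on this page) gates non-UI ordering of a ServiceTemplate, the UI is recognised by its auth token, and a denied order returns the bad_request error shown in the verification response. `ServiceTemplate`, `OrderRequest`, the `UI_TOKEN` value and the absent-setting default are stand-ins constructed for this example.

```ruby
require 'json'

# Constructed stand-ins; the real objects live in ManageIQ and manageiq-api.
ServiceTemplate = Struct.new(:id, :name)
OrderRequest    = Struct.new(:auth_token, :action, :template)

module ServiceOrderGate
  # Stand-in for the UI's session token (constructed for this example).
  UI_TOKEN = "constructed-ui-token".freeze

  # Assumption: when the setting is absent, API ordering stays allowed
  # (the page adds a default in config/settings.yml but does not show it).
  def self.api_ordering_allowed?(settings)
    value = settings.dig(:product, :allow_api_service_ordering)
    value.nil? ? true : value == true
  end

  # The page says the UI request is validated via its auth token rather
  # than the auth strategy; a real check should use a constant-time compare.
  def self.ui_request?(request)
    request.auth_token == UI_TOKEN
  end

  # An order may proceed when the caller is the UI or the setting allows
  # standalone (non-UI) ordering.
  def self.orderable?(settings, request)
    ui_request?(request) || api_ordering_allowed?(settings)
  end

  # Mirrors the response shape from the verification comment: a denied
  # order yields the bad_request error body, an allowed one a success hash.
  def self.handle_order(settings, request)
    t = request.template
    unless request.action == "order" && orderable?(settings, request)
      return { "error" => {
        "kind"    => "bad_request",
        "message" => "Service Template id:#{t.id} name:'#{t.name}' cannot be ordered",
        "klass"   => "Api::BadRequestError" } }
    end
    { "success" => true, "message" => "Service Template id:#{t.id} ordered" }
  end

  # Verification helper for step 4: given the JSON body the API returned,
  # report whether the order was denied the way the page expects.
  def self.denied?(json_body)
    err = JSON.parse(json_body)["error"]
    !err.nil? && err["kind"] == "bad_request" &&
      err["message"].end_with?("cannot be ordered")
  end
end
```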