Bug 1646435 - Prevent Service Ordering directly from REST-API
Summary: Prevent Service Ordering directly from REST-API
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat CloudForms Management Engine
Classification: Red Hat
Component: Appliance
Version: 5.9.0
Hardware: Unspecified
OS: Unspecified
medium
medium
Target Milestone: GA
: 5.9.6
Assignee: eclarizi
QA Contact: Parthvi Vala
Red Hat CloudForms Documentation
URL:
Whiteboard:
Depends On: 1632416
Blocks:
Reported: 2018-11-05 14:53 UTC by Satoe Imaishi
Modified: 2022-07-09 10:15 UTC (History)

Fixed In Version: 5.9.6.0
Doc Type: If docs needed, set a value
Doc Text:
Clone Of: 1632416
Environment:
Last Closed: 2018-12-13 15:15:30 UTC
Category: ---
Cloudforms Team: CFME Core
Target Upstream Version:
Embargoed:




Links
System: Red Hat Product Errata
ID: RHSA-2018:3816
Private: 0
Priority: None
Status: None
Summary: None
Last Updated: 2018-12-13 15:15:40 UTC

Comment 2 CFME Bot 2018-11-05 16:46:44 UTC
New commit detected on ManageIQ/manageiq/gaprindashvili:

https://github.com/ManageIQ/manageiq/commit/d5feeaaa2a80148ba582f2f27b6edf5d7814ca1c
commit d5feeaaa2a80148ba582f2f27b6edf5d7814ca1c
Author:     Brandon Dunne <brandondunne>
AuthorDate: Fri Oct 19 15:08:17 2018 -0400
Commit:     Brandon Dunne <brandondunne>
CommitDate: Fri Oct 19 15:08:17 2018 -0400

    Merge pull request #18029 from eclarizio/BZ1632416-Addendum

    Add product setting default for allowing API service ordering

    (cherry picked from commit e65f4d354f2f15a07f2417692b6c5ce0f5182916)

    https://bugzilla.redhat.com/show_bug.cgi?id=1646435

 config/settings.yml | 1 +
 1 file changed, 1 insertion(+)

Comment 3 CFME Bot 2018-11-05 16:48:36 UTC
New commits detected on ManageIQ/manageiq-api/gaprindashvili:

https://github.com/ManageIQ/manageiq-api/commit/068184ec96943dcff4cab92dff2a4c60e2bc10fe
commit 068184ec96943dcff4cab92dff2a4c60e2bc10fe
Author:     Brandon Dunne <brandondunne>
AuthorDate: Mon Oct 22 11:49:56 2018 -0400
Commit:     Brandon Dunne <brandondunne>
CommitDate: Mon Oct 22 11:49:56 2018 -0400

    Merge pull request #476 from eclarizio/dialog_ordering_security_issue

    Deny standalone service template ordering when product setting is enabled

    (cherry picked from commit 7343ad7cad22f24639a23ff3a9d6c5182d64172d)

    https://bugzilla.redhat.com/show_bug.cgi?id=1646435

 app/controllers/api/mixins/service_templates.rb | 20 +-
 spec/requests/service_catalogs_spec.rb | 7 +
 spec/requests/service_templates_spec.rb | 13 +-
 3 files changed, 36 insertions(+), 4 deletions(-)


https://github.com/ManageIQ/manageiq-api/commit/a2572b3838432e92a573a348ac34da357edc3569
commit a2572b3838432e92a573a348ac34da357edc3569
Author:     Brandon Dunne <brandondunne>
AuthorDate: Wed Oct 31 15:00:05 2018 -0400
Commit:     Brandon Dunne <brandondunne>
CommitDate: Wed Oct 31 15:00:05 2018 -0400

    Merge pull request #504 from eclarizio/dialog_ordering_security_issue_addendum

    Ensure ServiceTemplate ordering passes through the submit_workflow flag

    (cherry picked from commit bed1032d1e1fe54926e6717f116ff89cf5b55414)

    https://bugzilla.redhat.com/show_bug.cgi?id=1646435

 app/controllers/api/mixins/service_templates.rb | 3 +-
 spec/requests/service_templates_spec.rb | 19 +
 2 files changed, 21 insertions(+), 1 deletion(-)

Comment 5 CFME Bot 2018-11-05 20:37:38 UTC
New commit detected on ManageIQ/manageiq-api/gaprindashvili:

https://github.com/ManageIQ/manageiq-api/commit/1298a242bc3f5a4b9c7c4c90d005355cf772c1f2
commit 1298a242bc3f5a4b9c7c4c90d005355cf772c1f2
Author:     Brandon Dunne <brandondunne>
AuthorDate: Mon Oct 22 20:37:20 2018 -0400
Commit:     Brandon Dunne <brandondunne>
CommitDate: Mon Oct 22 20:37:20 2018 -0400

    Merge pull request #498 from AparnaKarve/fix_order_service_template

    provide `service_template` to `orderable?` method

    (cherry picked from commit 41b245d34c08e9fe8b6c72f04ea697baeffc0e2c)

    https://bugzilla.redhat.com/show_bug.cgi?id=1646435

 app/controllers/api/mixins/service_templates.rb | 4 +-
 1 file changed, 2 insertions(+), 2 deletions(-)

Comment 7 Parthvi Vala 2018-11-20 09:45:49 UTC
FIXED. Verified on 5.9.6.1.20181115153524_306f39f.

Steps taken to verify:
1. Go to `Configuration` and select `Advanced` tab.
2. Under the outermost `:product:`, set `:allow_api_service_ordering:` to `false`.
3. Create a dialog, catalog and catalog item.
4. Send a request to order the service.

Request: POST /api/service_catalogs/:id/service_templates/:id
Query: { "action" : "order" }

Response: {
	"error": {
		"kind": "bad_request",
		"message": "Service Template id:1 name:'catalog_item_1' cannot be ordered",
		"klass": "Api::BadRequestError"
	}
}

Comment 9 errata-xmlrpc 2018-12-13 15:15:30 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2018:3816

