Enforce http_method restrictions via API

awx/api/serializers.py

@@ -4237,6 +4237,8 @@ class NotificationTemplateSerializer(BaseSerializer):
                 continue
             if field_type == "password" and field_val == "$encrypted$" and object_actual is not None:
                 attrs['notification_configuration'][field] = object_actual.notification_configuration[field]
+            if field == "http_method" and field_val.lower() not in ['put', 'post']:
+                error_list.append(_("HTTP method must be either 'POST' or 'PUT'."))
         if missing_fields:
             error_list.append(_("Missing required fields for Notification Configuration: {}.").format(missing_fields))
         if incorrect_type_fields:

awx/main/notifications/webhook_backend.py

@@ -38,7 +38,7 @@ class WebhookBackend(AWXBaseEmailBackend):
         sent_messages = 0
         if 'User-Agent' not in self.headers:
             self.headers['User-Agent'] = "Tower {}".format(get_awx_version())
-        if self.http_method.lower() not in ('put', 'post'):
+        if self.http_method.lower() not in ['put','post']:
             raise ValueError("HTTP method must be either 'POST' or 'PUT'.")
         chosen_method = getattr(requests, self.http_method.lower(), None)
         for m in messages: