From 1a7148dc809ae4873d3d4f47ecee48dd77ed2db8 Mon Sep 17 00:00:00 2001
From: Jeff Bradberry
Date: Thu, 26 Sep 2019 14:37:04 -0400
Subject: [PATCH] Prevent search on the NotificationTemplate.notification_configuration field

---
 awx/main/models/notifications.py | 4 ++--
 awx/main/tests/functional/api/test_notifications.py | 8 ++++++++
 2 files changed, 10 insertions(+), 2 deletions(-)

diff --git a/awx/main/models/notifications.py b/awx/main/models/notifications.py
index 7ecdc244db..ef428bcdfa 100644
--- a/awx/main/models/notifications.py
+++ b/awx/main/models/notifications.py
@@ -17,7 +17,7 @@ from jinja2.exceptions import TemplateSyntaxError, UndefinedError, SecurityError
 
 # AWX
 from awx.api.versioning import reverse
-from awx.main.models.base import CommonModelNameNotUnique, CreatedModifiedModel
+from awx.main.models.base import CommonModelNameNotUnique, CreatedModifiedModel, prevent_search
 from awx.main.utils import encrypt_field, decrypt_field, set_environ
 from awx.main.notifications.email_backend import CustomEmailBackend
 from awx.main.notifications.slack_backend import SlackBackend
@@ -70,7 +70,7 @@ class NotificationTemplate(CommonModelNameNotUnique):
 choices=NOTIFICATION_TYPE_CHOICES,
 )
 
- notification_configuration = JSONField(blank=False)
+ notification_configuration = prevent_search(JSONField(blank=False))
 
 def default_messages():
 return {'started': None, 'success': None, 'error': None}
diff --git a/awx/main/tests/functional/api/test_notifications.py b/awx/main/tests/functional/api/test_notifications.py
index d211026b07..1a64220dfa 100644
--- a/awx/main/tests/functional/api/test_notifications.py
+++ b/awx/main/tests/functional/api/test_notifications.py
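Review bot: The `prevent_search(...)` wrapper on `notification_configuration` carries no comment saying why this one field is excluded from filtering, and the reason is not obvious from the declaration alone. The file imports `encrypt_field`/`decrypt_field`, which suggests this JSON field holds per-backend settings that can include credentials, in which case list filtering on it would let a caller infer stored values from match/no-match responses; a one-line comment such as `# Backend settings, possibly including credentials: never expose to list filtering or regex lookups.` would keep the wrapper from being dropped in a later refactor. If the credentials assumption is wrong the wording should change, but the intent still belongs next to the field. The enclosing class NotificationTemplate continues outside the hunk.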
@@ -127,3 +127,11 @@ def test_post_wfjt_running_notification(get, post, admin, notification_template,
 response = get(url, admin)
 assert response.status_code == 200
 assert len(response.data['results']) == 1
+
+
+@pytest.mark.django_db
+def test_search_on_notification_configuration_is_prevented(get, admin):
+ url = reverse('api:notification_template_list')
+ response = get(url, {'notification_configuration__regex': 'ABCDEF'}, admin)
+ assert response.status_code == 403
+ assert response.data == {"detail": "Filtering on notification_configuration is not allowed."}
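Review bot: The new test exercises only the `__regex` lookup, so it does not pin that other lookup types on this field are rejected too; if `prevent_search` is meant to block every lookup, a `@pytest.mark.parametrize` over the query key (plain `notification_configuration`, `notification_configuration__icontains`, `notification_configuration__regex`) expecting the same 403 and detail message would catch a regression that only guarded regex. Asserting the whole `response.data` dict couples the test to the exact message text; checking `response.status_code == 403` and that `'notification_configuration' in response.data['detail']` would be a little more resilient to wording changes while still proving the field is named. The preceding function `test_post_wfjt_running_notification` starts outside the hunk.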