From ed7e5585750ab1f2e123afb1bd2b53c2ad921d9f Mon Sep 17 00:00:00 2001
From: AlanCoding
Date: Fri, 14 Jul 2017 23:48:42 -0400
Subject: [PATCH] add various validation for schedule extra_data

---
 awx/api/serializers.py | 18 ++++++++++++++++++
 .../tests/functional/api/test_schedules.py | 12 ++++++++++++
 2 files changed, 30 insertions(+)
 create mode 100644 awx/main/tests/functional/api/test_schedules.py

diff --git a/awx/api/serializers.py b/awx/api/serializers.py
index 0bbab1cc07..a55f765761 100644
--- a/awx/api/serializers.py
+++ b/awx/api/serializers.py
@@ -3427,6 +3427,24 @@ class ScheduleSerializer(BaseSerializer):
 'Schedule its source project `{}` instead.'.format(value.source_project.name)))
 return value
 
+ def validate_extra_data(self, value):
+ if isinstance(value, dict):
+ return value
+ return vars_validate_or_raise(value)
+
+ def validate(self, attrs):
+ extra_data = parse_yaml_or_json(attrs.get('extra_data', {}))
+ if extra_data:
+ ujt = None
+ if 'unified_job_template' in attrs:
+ ujt = attrs['unified_job_template']
+ elif self.instance:
+ ujt = self.instance.unified_job_template
+ if ujt and isinstance(ujt, (Project, InventorySource)):
+ raise serializers.ValidationError({'extra_data': _(
+ 'Projects and inventory updates cannot accept extra variables.')})
+ return super(ScheduleSerializer, self).validate(attrs)
+
 # We reject rrules if:
 # - DTSTART is not include
 # - INTERVAL is not included
diff --git a/awx/main/tests/functional/api/test_schedules.py b/awx/main/tests/functional/api/test_schedules.py
new file mode 100644
index 0000000000..54d8035643
--- /dev/null
+++ b/awx/main/tests/functional/api/test_schedules.py
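Review bot: In `validate`, `extra_data` is read only from `attrs` while the template falls back to `self.instance`, so a partial update that omits `extra_data` skips the check even when the saved schedule already carries variables. If `unified_job_template` can be changed on update (not visible here), a schedule could end up pointing at a Project or InventorySource with its stored variables intact. Consider the same fallback for both values, e.g. `raw = attrs['extra_data'] if 'extra_data' in attrs else getattr(self.instance, 'extra_data', {})` followed by `extra_data = parse_yaml_or_json(raw)`. Both new methods also lack docstrings; a one-line note on `validate_extra_data` saying that dicts pass through and anything else goes to `vars_validate_or_raise` would help. The enclosing class and the helpers these methods call are defined outside the hunk.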
@@ -0,0 +1,12 @@
+import pytest
+
+from awx.api.versioning import reverse
+
+
+@pytest.mark.django_db
+def test_non_job_extra_vars_prohibited(post, project, admin_user):
+ rrule = 'DTSTART:20151117T050000Z RRULE:FREQ=DAILY;INTERVAL=1;COUNT=1'
+ url = reverse('api:project_schedules_list', kwargs={'pk': project.id})
+ r = post(url, {'name': 'test sch', 'rrule': rrule, 'extra_data': '{"a": 5}'},
+ admin_user, expect=400)
+ assert 'cannot accept extra variables' in r.data['extra_data'][0]
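Review bot: The test posts only the JSON-string form of `extra_data`, so the `isinstance(value, dict)` early return in `validate_extra_data` and the dict path through `validate` are never exercised. Assuming the `post` fixture sends JSON, parametrizing would cover both forms: add `@pytest.mark.parametrize('extra_data', ['{"a": 5}', {'a': 5}])`, take `extra_data` as a test argument, and post `'extra_data': extra_data`. A case for a schedule whose template does accept variables (expecting success) and one for malformed input would also confirm that the new validation rejects only what it is meant to; those need fixtures not shown in this hunk.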