Flag to disable oembed_retrieve

closes INTEROP-7991 flag=disable_oembed_retrieve Test plan: * with FF off, go to external_content/retrieve/oembed * you should get some kind of error, but not the 410 * with FF on, go to external_content/retrieve/oembed * you should get a 410 Change-Id: I834d159c5d7e1461b5128a2cb9be10602412d224 Reviewed-on: https://gerrit.instructure.com/c/canvas-lms/+/317879 Tested-by: Service Cloud Jenkins <svc.cloudjenkins@instructure.com> Reviewed-by: Steve Mcgee <steve.mcgee@instructure.com> QA-Review: Steve Mcgee <steve.mcgee@instructure.com> Product-Review: Alexis Nast <alexis.nast@instructure.com>
2023-05-09 22:49:59 +00:00 · 2023-05-09 22:49:59 +00:00 · 433483aba0
parent 1c15214a63
commit 433483aba0
3 changed files with 22 additions and 0 deletions
--- a/app/controllers/external_content_controller.rb
+++ b/app/controllers/external_content_controller.rb
@ -28,6 +28,7 @@ class ExternalContentController < ApplicationController
  protect_from_forgery except: [:selection_test, :success], with: :exception

  before_action :require_user, only: :oembed_retrieve
+  before_action :check_disable_oembed_retrieve_feature_flag, only: :oembed_retrieve
  before_action :validate_oembed_token!, only: :oembed_retrieve

  rescue_from Lti::Concerns::Oembed::OembedAuthorizationError do |error|
@ -101,6 +102,12 @@ class ExternalContentController < ApplicationController
    params[:return_type] = return_types[params[:return_type]] if return_types.key? params[:return_type]
  end

+  def check_disable_oembed_retrieve_feature_flag
+    if @domain_root_account.feature_enabled?(:disable_oembed_retrieve)
+      render json: { message: "This endpoint is no longer supported." }, status: :gone
+    end
+  end
+
  def oembed_retrieve
    begin
      res = CanvasHttp.get(oembed_object_uri.to_s)
--- a/config/feature_flags/interop_release_flags.yml
+++ b/config/feature_flags/interop_release_flags.yml
@ -174,3 +174,11 @@ dynamic_lti_environment_overrides:
      state: allowed_on
    ci:
      state: allowed_on
+disable_oembed_retrieve:
+  state: hidden
+  applies_to: RootAccount
+  display_name: Disable oembed_retrieve endpoint
+  description: |-
+    If enabled, the deprecated oembed_retrieve endpoint will be unavailable.
+    This is to ease transitioning any potential users off this endpoint before
+    removing it altogether.
--- a/spec/controllers/external_content_controller_spec.rb
+++ b/spec/controllers/external_content_controller_spec.rb
@ -458,6 +458,13 @@ describe ExternalContentController do
          expect(subject).to be_successful
        end

+        context "when the disable_oembed_retrieve feature flag is enabled" do
+          it "returns a 410 gone" do
+            Account.default.enable_feature!(:disable_oembed_retrieve)
+            expect(subject.status).to eq(410)
+          end
+        end
+
        context "when a disabled tool shares the same consumer key" do
          before do
            disabled_tool = tool.dup