From d3e4be66dd7f9170e6b5be6d7dd3de0560538c05 Mon Sep 17 00:00:00 2001
From: Chris Meyers <chris.meyers.fsu@gmail.com>
Date: Wed, 12 Jul 2017 15:16:51 -0400
Subject: [PATCH] disallow new survey spec with password default $encrypted$

---
 awx/api/views.py | 12 ++++++++----
 1 file changed, 8 insertions(+), 4 deletions(-)

diff --git a/awx/api/views.py b/awx/api/views.py
index ecc40fe8e9..f289f6a2b9 100644
--- a/awx/api/views.py
+++ b/awx/api/views.py
@@ -2907,10 +2907,14 @@ class JobTemplateSurveySpec(GenericAPIView):
 
             if survey_item["type"] == "password":
                 if survey_item.get("default") and survey_item["default"].startswith('$encrypted$'):
-                    old_spec = obj.survey_spec
-                    for old_item in old_spec['spec']:
-                        if old_item['variable'] == survey_item['variable']:
-                            survey_item['default'] = old_item['default']
+                    if not obj.survey_spec:
+                        return Response(dict(error=_("$encrypted$ is reserved keyword and may not be used as a default for password {}.".format(str(idx)))), 
+                                        status=status.HTTP_400_BAD_REQUEST)
+                    else:
+                        old_spec = obj.survey_spec
+                        for old_item in old_spec['spec']:
+                            if old_item['variable'] == survey_item['variable']:
+                                survey_item['default'] = old_item['default']
             idx += 1
 
         obj.survey_spec = new_spec