Return 403 if device limit is exceeded

corehq/apps/ota/views.py

@@ -20,7 +20,7 @@
 from iso8601 import iso8601
 from looseversion import LooseVersion
 from memoized import memoized
-from tastypie.http import HttpTooManyRequests
+from tastypie.http import HttpForbidden, HttpTooManyRequests
 
 from casexml.apps.case.cleanup import claim_case, get_first_claims
 from casexml.apps.case.fixtures import CaseDBFixture
@@ -70,9 +70,11 @@
 from corehq.util.quickcache import quickcache
 
 from .case_restore import get_case_restore_response
+from .const import DEVICES_PER_USER
 from .models import DeviceLogRequest, MobileRecoveryMeasure, SerialIdBucket
 from .rate_limiter import rate_limit_restore
 from .utils import (
+    can_login_on_device,
     demo_user_restore_response,
     get_restore_user,
     handle_401_response,
@@ -97,6 +99,11 @@ def restore(request, domain, app_id=None):
     if rate_limit_restore(domain):
         return HttpTooManyRequests()
 
+    if not can_login_on_device(request.couch_user._id, request.GET.get('device_id')):
+        return HttpForbidden(
+            _("Your user has exceeded the daily device limit of {limit}.").format(limit=DEVICES_PER_USER)
+        )
+
     response, timing_context = get_restore_response(
         domain, request.couch_user, app_id, **get_restore_params(request, domain))
     return response