From c164e3a146529ca0e1bcaba4cff5a349e5e5fa1d Mon Sep 17 00:00:00 2001
From: Graham Herceg
Date: Thu, 12 Dec 2024 15:46:38 -0500
Subject: [PATCH] Return 403 if device limit is exceeded
---
 corehq/apps/ota/views.py | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)
diff --git a/corehq/apps/ota/views.py b/corehq/apps/ota/views.py
index f262f378d347..7905701179a0 100644
--- a/corehq/apps/ota/views.py
+++ b/corehq/apps/ota/views.py
@@ -20,7 +20,7 @@
 from iso8601 import iso8601
 from looseversion import LooseVersion
 from memoized import memoized
-from tastypie.http import HttpTooManyRequests
+from tastypie.http import HttpForbidden, HttpTooManyRequests
 from casexml.apps.case.cleanup import claim_case, get_first_claims
 from casexml.apps.case.fixtures import CaseDBFixture
@@ -70,9 +70,11 @@
 from corehq.util.quickcache import quickcache
 from .case_restore import get_case_restore_response
+from .const import DEVICES_PER_USER
 from .models import DeviceLogRequest, MobileRecoveryMeasure, SerialIdBucket
 from .rate_limiter import rate_limit_restore
 from .utils import (
+ can_login_on_device,
 demo_user_restore_response,
 get_restore_user,
 handle_401_response,
@@ -97,6 +99,11 @@ def restore(request, domain, app_id=None):
 if rate_limit_restore(domain):
 return HttpTooManyRequests()
+ if not can_login_on_device(request.couch_user._id, request.GET.get('device_id')):
+ return HttpForbidden(
+ _("Your user has exceeded the daily device limit of {limit}.").format(limit=DEVICES_PER_USER)
+ )
+
 response, timing_context = get_restore_response(
 domain, request.couch_user, app_id, **get_restore_params(request, domain))
 return response
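Review bot: `request.GET.get('device_id')` is client-supplied and is None when the parameter is absent, and the added check in restore passes it straight to can_login_on_device, whose handling of a missing or repeated value is not visible in this patch. If a missing id is allowed, leaving the parameter out skips the limit; if it is counted as a device, every client that never sends one shares a single slot. I would read the id once (`device_id = request.GET.get('device_id')`), decide the missing case explicitly, and add a comment such as `# device_id is self-reported by the client; this limit is an abuse control, not an authentication boundary`. A log line or metric on the 403 path would also help operators separate real limit hits from misbehaving clients. restore's decorators and signature lie outside the hunk.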