[change] Disable API operations on deactivated devices

openwisp · Aug 9, 2024 · 34c1e10 · 34c1e10
1 parent ecc2165
commit 34c1e10
Show file tree

Hide file tree

Showing 2 changed files with 28 additions and 1 deletion.
diff --git a/openwisp_firmware_upgrader/api/views.py b/openwisp_firmware_upgrader/api/views.py
@@ -3,7 +3,7 @@
 from django.http import Http404
 from django_filters.rest_framework import DjangoFilterBackend
 from rest_framework import filters, generics, pagination, serializers, status
-from rest_framework.exceptions import NotFound
+from rest_framework.exceptions import NotFound, PermissionDenied
 from rest_framework.request import clone_request
 from rest_framework.response import Response
 from rest_framework.utils.serializer_helpers import ReturnDict
@@ -257,6 +257,12 @@ class DeviceFirmwareDetailView(
     lookup_url_kwarg = 'pk'
     organization_field = 'device__organization'
 
+    def get_object(self):
+        obj = super().get_object()
+        if self.request.method not in ('GET', 'HEAD') and obj.device.is_deactivated():
+            raise PermissionDenied
+        return obj
+
     def get_serializer_context(self):
         context = super().get_serializer_context()
         context.update({'device_id': self.kwargs['pk']})

diff --git a/openwisp_firmware_upgrader/tests/test_api.py b/openwisp_firmware_upgrader/tests/test_api.py
@@ -924,6 +924,27 @@ def test_device_firmware_detail_400(self):
             self.assertEqual(r.status_code, 400)
             self.assertIn('Invalid pk', r.json()['image'][0])
 
+    def test_deactivated_device(self):
+        device_fw = self._create_device_firmware()
+        device_fw.device.deactivate()
+        url = reverse('upgrader:api_devicefirmware_detail', args=[device_fw.device.pk])
+
+        with self.subTest('Test retrieving DeviceFirmwareImage'):
+            response = self.client.get(url)
+            self.assertEqual(response.status_code, 200)
+
+        with self.subTest('Test updating DeviceFirmwareImage'):
+            response = self.client.put(
+                url,
+                data={'image': device_fw.image.pk},
+                content_type='application/json',
+            )
+            self.assertEqual(response.status_code, 403)
+
+        with self.subTest('Test deleting DeviceFirmwareImage'):
+            response = self.client.delete(url)
+            self.assertEqual(response.status_code, 403)
+
     def test_device_firmware_detail_delete(self):
         device_fw = self._create_device_firmware()
         self.assertEqual(DeviceFirmware.objects.count(), 1)