[WIP] Check mobile endpoints access across the board.

corehq/apps/ota/decorators.py

@@ -3,16 +3,15 @@
 
 from django.http import HttpResponseForbidden
 
-from dimagi.utils.couch.cache.cache_core import get_redis_client
-
-from corehq.apps.domain.models import Domain
 from corehq.apps.domain.auth import BASIC
 from corehq.apps.domain.decorators import (
     get_multi_auth_decorator,
     two_factor_exempt,
 )
+from corehq.apps.domain.models import Domain
 from corehq.apps.users.decorators import require_permission
 from corehq.apps.users.models import Permissions
+from dimagi.utils.couch.cache.cache_core import get_redis_client
 
 auth_logger = logging.getLogger("commcare_auth")
 

corehq/apps/receiverwrapper/views.py

@@ -34,6 +34,7 @@
     two_factor_exempt,
 )
 from corehq.apps.locations.permissions import location_safe
+from corehq.apps.ota.decorators import require_mobile_access
 from corehq.apps.ota.utils import handle_401_response
 from corehq.apps.receiverwrapper.auth import (
     AuthContext,
@@ -238,6 +239,7 @@ def post(request, domain, app_id=None):
     )
 
 
+@require_mobile_access
 def _noauth_post(request, domain, app_id=None):
     """
     This is explicitly called for a submission that has secure submissions enabled, but is manually
@@ -309,6 +311,7 @@ def case_block_ok(case_updates):
 
 @login_or_digest_ex(allow_cc_users=True)
 @two_factor_exempt
+@require_mobile_access
 @set_request_duration_reporting_threshold(60)
 def _secure_post_digest(request, domain, app_id=None):
     """only ever called from secure post"""
@@ -324,6 +327,7 @@ def _secure_post_digest(request, domain, app_id=None):
 @handle_401_response
 @login_or_basic_ex(allow_cc_users=True)
 @two_factor_exempt
+@require_mobile_access
 @set_request_duration_reporting_threshold(60)
 def _secure_post_basic(request, domain, app_id=None):
     """only ever called from secure post"""
@@ -339,6 +343,7 @@ def _secure_post_basic(request, domain, app_id=None):
 @login_or_api_key_ex()
 @require_permission(Permissions.edit_data)
 @require_permission(Permissions.access_api)
+@require_mobile_access
 @set_request_duration_reporting_threshold(60)
 def _secure_post_api_key(request, domain, app_id=None):
     """only ever called from secure post"""