From aa342d1cc14a815f8ea615f984636236226beb0b Mon Sep 17 00:00:00 2001
From: Christina Lin <44586776+chrstinalin@users.noreply.github.com>
Date: Mon, 18 Nov 2024 09:42:59 -0500
Subject: [PATCH] Ensure enable-submissions Disabling Correctly Allows Bypassing (#22834)
---
 src/olympia/addons/tests/test_views.py | 9 +++++++++
 src/olympia/addons/views.py | 7 ++++---
 src/olympia/files/tests/test_views.py | 3 +++
 src/olympia/files/views.py | 3 ++-
 src/olympia/signing/tests/test_views.py | 5 +++++
 src/olympia/signing/views.py | 5 +++--
 6 files changed, 26 insertions(+), 6 deletions(-)
diff --git a/src/olympia/addons/tests/test_views.py b/src/olympia/addons/tests/test_views.py
index cac7ecc740..bfa87bfe23 100644
--- a/src/olympia/addons/tests/test_views.py
+++ b/src/olympia/addons/tests/test_views.py
@@ -953,6 +953,9 @@ class TestAddonViewSetCreate(UploadMixin, AddonViewSetCreateUpdateMixin, TestCas
 response = self.request()
 assert response.status_code == 503
 assert response.json() == expected
+ self.create_flag('enable-submissions', note=':-(', users=[self.user.id])
+ response = self.request()
+ assert response.status_code != 503
 def test_invalid_upload(self):
 self.upload.update(valid=False)
@@ -3530,6 +3533,9 @@ class TestVersionViewSetCreate(UploadMixin, VersionViewSetCreateUpdateMixin, Tes
 response = self.request()
 assert response.status_code == 503
 assert response.json() == expected
+ self.create_flag('enable-submissions', note=':-(', users=[self.user.id])
+ response = self.request()
+ assert response.status_code != 503
 def test_basic_unlisted(self):
 response = self.client.post(
@@ -7324,6 +7330,9 @@ class TestAddonPreviewViewSet(TestCase):
 'error': 'Add-on uploads are temporarily unavailable.',
 'reason': ':-(',
 }
+ self.create_flag('enable-submissions', note=':-(', users=[self.user.id])
+ response = self.client.post(url)
+ assert response.status_code != 503
 def test_cannot_create_for_themes(self):
 self.client.login_api(self.user)
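Review bot: The added `assert response.status_code != 503` in `TestAddonViewSetCreate` passes for any other outcome, including a 500, 401 or 403, so it does not show that the per-user override actually let the request through to the view. Asserting the status the request is expected to return once submissions are allowed for this user would make the check meaningful. Because the override decides who may submit while the switch is off, a negative case is also missing: with a second account `other_user` created in the test, `self.create_flag('enable-submissions', note=':-(', users=[other_user.id])` followed by `assert self.request().status_code == 503` would confirm that users not on the list stay blocked. The same applies to the matching additions in `TestVersionViewSetCreate` and `TestAddonPreviewViewSet` in this file and to those in `files/tests/test_views.py` and `signing/tests/test_views.py`; the test methods begin outside these hunks.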
diff --git a/src/olympia/addons/views.py b/src/olympia/addons/views.py
index 03f1d53dfa..1efd7910bb 100644
--- a/src/olympia/addons/views.py
+++ b/src/olympia/addons/views.py
@@ -5,6 +5,7 @@ from django.db.models import F, Max, Prefetch
 from django.db.transaction import non_atomic_requests
 from django.shortcuts import redirect
 from django.utils.cache import patch_cache_control
+from django.utils.decorators import method_decorator
 from django.utils.translation import gettext
 from drf_yasg.utils import swagger_auto_schema
@@ -399,7 +400,7 @@ class AddonViewSet(
 self.action = 'create'
 return self.create(request, *args, **kwargs)
- @require_submissions_enabled
+ @method_decorator(require_submissions_enabled)
 @swagger_auto_schema(
 operation_description="""
 This endpoint allows a submission of an upload to create a new add-on
@@ -637,7 +638,7 @@ class AddonVersionViewSet(
 queryset = queryset.transform(Version.transformer_license)
 return queryset
- @require_submissions_enabled
+ @method_decorator(require_submissions_enabled)
 def create(self, request, *args, **kwargs):
 addon = self.get_addon_object()
 has_source = request.data.get('source')
@@ -774,7 +775,7 @@ class AddonPreviewViewSet(
 def get_queryset(self):
 return self.get_addon_object().previews.all()
- @require_submissions_enabled
+ @method_decorator(require_submissions_enabled)
 def create(self, request, *args, **kwargs):
 response = super().create(request, *args, **kwargs)
 return response
diff --git a/src/olympia/files/tests/test_views.py b/src/olympia/files/tests/test_views.py
index d54d091ace..71cc26ea58 100644
--- a/src/olympia/files/tests/test_views.py
+++ b/src/olympia/files/tests/test_views.py
@@ -130,6 +130,9 @@ class TestFileUploadViewSet(TestCase):
 response = self._create_post()
 assert response.status_code == 503
 assert response.json() == expected
+ self.create_flag('enable-submissions', note=':-(', users=[self.user.id])
+ response = self._create_post()
+ assert response.status_code != 503
 def test_not_authenticated(self):
 self.client.logout_api()
diff --git a/src/olympia/files/views.py b/src/olympia/files/views.py
index 379c0bcef5..d17fdfc2bd 100644
--- a/src/olympia/files/views.py
+++ b/src/olympia/files/views.py
@@ -1,6 +1,7 @@
 from django import http, shortcuts
 from django.core.exceptions import PermissionDenied
 from django.utils.crypto import constant_time_compare
+from django.utils.decorators import method_decorator
 from django.utils.translation import gettext
 from rest_framework import exceptions, status
@@ -73,7 +74,7 @@ class FileUploadViewSet(CreateModelMixin, ReadOnlyModelViewSet):
 def get_queryset(self):
 return super().get_queryset().filter(user=self.request.user)
- @require_submissions_enabled
+ @method_decorator(require_submissions_enabled)
 def create(self, request):
 if 'upload' in request.FILES:
 filedata = request.FILES['upload']
diff --git a/src/olympia/signing/tests/test_views.py b/src/olympia/signing/tests/test_views.py
index 659908f99e..442d9bab2d 100644
--- a/src/olympia/signing/tests/test_views.py
+++ b/src/olympia/signing/tests/test_views.py
@@ -140,6 +140,11 @@ class TestUploadVersion(BaseUploadVersionTestMixin, TestCase):
 response = self.request('PUT')
 assert response.status_code == 503
 assert response.json() == expected
+ self.create_flag('enable-submissions', note=':-(', users=[self.user.id])
+ response = self.request('POST')
+ assert response.status_code != 503
+ response = self.request('PUT')
+ assert response.status_code != 503
 def test_addon_does_not_exist(self):
 guid = '@create-version'
diff --git a/src/olympia/signing/views.py b/src/olympia/signing/views.py
index 9ad72d4909..5090158195 100644
--- a/src/olympia/signing/views.py
+++ b/src/olympia/signing/views.py
@@ -1,6 +1,7 @@
 import functools
 from django import forms
+from django.utils.decorators import method_decorator
 from django.utils.translation import gettext
 from rest_framework import status
@@ -83,7 +84,7 @@ class VersionView(APIView):
 permission_classes = [IsAuthenticated, IsSubmissionAllowedFor]
 throttle_classes = addon_submission_throttles
- @require_submissions_enabled
+ @method_decorator(require_submissions_enabled)
 def post(self, request, *args, **kwargs):
 version_string = request.data.get('version', None)
@@ -99,8 +100,8 @@ class VersionView(APIView):
 )
 return Response(serializer.data, status=status.HTTP_201_CREATED)
- @require_submissions_enabled
 @with_addon(allow_missing=True)
+ @method_decorator(require_submissions_enabled)
 def put(self, request, addon, version_string, guid=None):
 try:
 file_upload, created = self.handle_upload(
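Review bot: Nothing at the `post` decorator records why `method_decorator` is required, and a bare `@require_submissions_enabled` on a method evidently imports and runs without complaint, so a later cleanup could quietly restore it. A one-line comment above the decorator would guard against that, for example `# method_decorator: require_submissions_enabled takes the request, not the view instance, as its first argument`. That reading is inferred from this change, since the decorator's body is not shown here, so confirm the wording against its definition. The same comment fits the `create` methods changed in `addons/views.py` and `files/views.py`; `post` continues outside the hunk.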
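Review bot: On `put`, the submissions check moved from above `@with_addon(allow_missing=True)` to below it, so `with_addon` now runs before the kill switch rather than after it. If `with_addon` performs the add-on lookup or an ownership check (its body is not in this hunk), a PUT sent while submissions are disabled reaches that code first and may answer with something other than 503, which differs from `post` and from the previous order. If the two decorators compose that way, keeping the flag check outermost preserves the old behaviour: `@method_decorator(require_submissions_enabled)` on the line above `@with_addon(allow_missing=True)`. If the reorder is required for `method_decorator` to work here, a short comment stating that reason would stop it being reversed. `put`'s body continues past the end of the hunk.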