[admin] Disallow changing configuration backend from UI #789

hypnoastic · hypnoastic · commit 242c45b4507f · 2026-03-17T16:17:08.000+05:30
Make the backend read-only on Django admin change forms for device configuration, template, and VPN server, while keeping it selectable on create forms. Fixes #789
diff --git a/openwisp_controller/config/admin.py b/openwisp_controller/config/admin.py
@@ -468,7 +468,9 @@ def _error_reason_field_conditional(self, obj, fields):
         return fields
 
     def get_readonly_fields(self, request, obj):
-        fields = super().get_readonly_fields(request, obj)
+        fields = list(super().get_readonly_fields(request, obj))
+        if obj and obj._has_config() and "backend" not in fields:
+            fields.append("backend")
         return self._error_reason_field_conditional(obj, fields)
 
     def get_fields(self, request, obj):
@@ -1082,6 +1084,12 @@ class TemplateAdmin(MultitenantAdminMixin, BaseConfigAdmin, SystemDefinedVariabl
     readonly_fields = ["system_context"]
     autocomplete_fields = ["vpn"]
 
+    def get_readonly_fields(self, request, obj=None):
+        fields = list(super().get_readonly_fields(request, obj))
+        if obj and "backend" not in fields:
+            fields.append("backend")
+        return fields
+
     @admin.action(permissions=["add"])
     def clone_selected_templates(self, request, queryset):
         selectable_orgs = None
@@ -1261,6 +1269,12 @@ class VpnAdmin(
         "modified",
     ]
 
+    def get_readonly_fields(self, request, obj=None):
+        fields = list(super().get_readonly_fields(request, obj))
+        if obj and "backend" not in fields:
+            fields.append("backend")
+        return fields
+
     class Media(BaseConfigAdmin):
         js = list(BaseConfigAdmin.Media.js) + [f"{prefix}js/vpn.js"]
 
diff --git a/openwisp_controller/config/tests/test_admin.py b/openwisp_controller/config/tests/test_admin.py
@@ -1435,12 +1435,38 @@ def test_default_device_backend(self):
         response = self.client.get(path)
         self.assertContains(response, '<option value="netjsonconfig.OpenWrt" selected')
 
-    def test_existing_device_backend(self):
+    def test_device_backend_readonly_on_change(self):
         d = self._create_device()
         self._create_config(device=d, backend="netjsonconfig.OpenWisp")
         path = reverse(f"admin:{self.app_label}_device_change", args=[d.pk])
         response = self.client.get(path)
-        self.assertContains(response, '<option value="netjsonconfig.OpenWisp" selected')
+        self.assertContains(response, "field-backend")
+        self.assertNotContains(response, 'name="config-0-backend"')
+
+    def test_device_backend_cannot_be_changed_from_change_form(self):
+        template = Template.objects.first()
+        device = self._create_device()
+        config = self._create_config(
+            device=device,
+            backend=template.backend,
+            config=template.config,
+        )
+        path = reverse(f"admin:{self.app_label}_device_change", args=[device.pk])
+        params = self._get_device_params(org=device.organization)
+        params.update(
+            {
+                "name": "device-backend-unchanged",
+                "config-0-id": str(config.pk),
+                "config-0-device": str(device.pk),
+                "config-0-backend": "totally.invalid.backend",
+                "config-0-templates": str(template.pk),
+                "config-INITIAL_FORMS": 1,
+            }
+        )
+        response = self.client.post(path, params)
+        self.assertNotContains(response, "errors field-backend")
+        config.refresh_from_db()
+        self.assertEqual(config.backend, template.backend)
 
     def test_device_search(self):
         d = self._create_device(name="admin-search-test")
@@ -1502,7 +1528,7 @@ def test_default_template_backend(self):
         response = self.client.get(path)
         self.assertContains(response, '<option value="netjsonconfig.OpenWrt" selected')
 
-    def test_existing_template_backend(self):
+    def test_template_backend_readonly_on_change(self):
         t = Template.objects.first()
         t.backend = "netjsonconfig.OpenWisp"
         t.config = {
@@ -1513,7 +1539,34 @@ def test_existing_template_backend(self):
         t.save()
         path = reverse(f"admin:{self.app_label}_template_change", args=[t.pk])
         response = self.client.get(path)
-        self.assertContains(response, '<option value="netjsonconfig.OpenWisp" selected')
+        self.assertContains(response, "field-backend")
+        self.assertNotContains(response, 'name="backend"')
+
+    def test_template_backend_cannot_be_changed_from_change_form(self):
+        template = self._create_template()
+        original_backend = template.backend
+        path = reverse(f"admin:{self.app_label}_template_change", args=[template.pk])
+        params = {
+            "name": "template-backend-unchanged",
+            "organization": str(template.organization_id or ""),
+            "type": template.type,
+            "backend": "totally.invalid.backend",
+            "vpn": str(template.vpn_id or ""),
+            "tags": ",".join(template.tags.names()),
+            "default_values": json.dumps(template.default_values or {}),
+            "config": json.dumps(template.config),
+        }
+        if template.auto_cert:
+            params["auto_cert"] = "on"
+        if template.default:
+            params["default"] = "on"
+        if template.required:
+            params["required"] = "on"
+        response = self.client.post(path, params)
+        self.assertNotContains(response, "errors field-backend", status_code=302)
+        template.refresh_from_db()
+        self.assertEqual(template.backend, original_backend)
+        self.assertEqual(template.name, "template-backend-unchanged")
 
     def test_preview_variables(self):
         path = reverse(f"admin:{self.app_label}_device_preview")
@@ -1626,6 +1679,39 @@ def test_add_vpn(self):
             response, 'value="openwisp_controller.vpn_backends.OpenVpn" selected'
         )
 
+    def test_vpn_backend_readonly_on_change(self):
+        vpn = self._create_vpn()
+        path = reverse(f"admin:{self.app_label}_vpn_change", args=[vpn.pk])
+        response = self.client.get(path)
+        self.assertContains(response, "field-backend")
+        self.assertNotContains(response, 'name="backend"')
+
+    def test_vpn_backend_cannot_be_changed_from_change_form(self):
+        vpn = self._create_vpn()
+        original_backend = vpn.backend
+        path = reverse(f"admin:{self.app_label}_vpn_change", args=[vpn.pk])
+        params = {
+            "organization": str(vpn.organization_id or ""),
+            "name": "vpn-backend-unchanged",
+            "host": vpn.host,
+            "key": vpn.key,
+            "backend": "totally.invalid.backend",
+            "ca": str(vpn.ca_id or ""),
+            "cert": str(vpn.cert_id or ""),
+            "subnet": str(vpn.subnet_id or ""),
+            "ip": str(vpn.ip_id or ""),
+            "webhook_endpoint": vpn.webhook_endpoint or "",
+            "auth_token": vpn.auth_token or "",
+            "notes": vpn.notes or "",
+            "dh": vpn.dh or "",
+            "config": json.dumps(vpn.config),
+        }
+        response = self.client.post(path, params)
+        self.assertNotContains(response, "errors field-backend", status_code=302)
+        vpn.refresh_from_db()
+        self.assertEqual(vpn.backend, original_backend)
+        self.assertEqual(vpn.name, "vpn-backend-unchanged")
+
     def test_vpn_clients_deleted(self):
         def _update_template(templates):
             params.update(
