DefGuard · wojcik91 · Sep 8, 2025 · Sep 8, 2025 · Sep 8, 2025 · Sep 8, 2025
diff --git a/crates/defguard_core/src/handlers/wireguard.rs b/crates/defguard_core/src/handlers/wireguard.rs
@@ -1299,6 +1299,18 @@ pub(crate) async fn download_config(
     Path((network_id, device_id)): Path<(i64, i64)>,
 ) -> Result<String, WebError> {
     debug!("Creating config for device {device_id} in network {network_id}");
+
+    let settings = EnterpriseSettings::get(&appstate.pool).await?;
+    if settings.only_client_activation && !session.is_admin {
+        warn!(
+            "User {} tried to download device config, but manual device management is disaled",
+            session.user.username
+        );
+        return Err(WebError::Forbidden(
+            "Manual device management is disabled".into(),
+        ));
+    }
+
     let network = find_network(network_id, &appstate.pool).await?;
     let device = device_for_admin_or_self(&appstate.pool, &session, device_id).await?;
     let wireguard_network_device =

diff --git a/crates/defguard_core/tests/integration/api/enterprise_settings.rs b/crates/defguard_core/tests/integration/api/enterprise_settings.rs
@@ -237,7 +237,7 @@ async fn dg25_12_test_enforce_client_activation_only(_: PgPoolOptions, options:
         .await;
     assert_eq!(response.status(), StatusCode::CREATED);
 
-    // setup admin devices management
+    // disable manual device management
     let settings = EnterpriseSettings {
         admin_device_management: false,
         disable_all_traffic: false,
@@ -297,3 +297,61 @@ async fn dg25_12_test_enforce_client_activation_only(_: PgPoolOptions, options:
 
     assert_eq!(response.status(), StatusCode::FORBIDDEN);
 }
+
+#[sqlx::test]
+async fn dg25_13_test_disable_device_config(_: PgPoolOptions, options: PgConnectOptions) {
+    let pool = setup_pool(options).await;
+
+    // admin login
+    let (client, _) = make_test_client(pool).await;
+    let auth = Auth::new("admin", "pass123");
+    let response = client.post("/api/v1/auth").json(&auth).send().await;
+    assert_eq!(response.status(), StatusCode::OK);
+
+    exceed_enterprise_limits(&client).await;
+
+    // create network
+    let response = client
+        .post("/api/v1/network")
+        .json(&make_network())
+        .send()
+        .await;
+    assert_eq!(response.status(), StatusCode::CREATED);
+
+    // disable manual device management
+    let settings = EnterpriseSettings {
+        admin_device_management: false,
+        disable_all_traffic: false,
+        only_client_activation: true,
+    };
+    let response = client
+        .patch("/api/v1/settings_enterprise")
+        .json(&settings)
+        .send()
+        .await;
+    assert_eq!(response.status(), StatusCode::OK);
+
+    // add device for normal user
+    let device = json!({
+        "name": "device",
+        "wireguard_pubkey": "LQKsT6/3HWKuJmMulH63R8iK+5sI8FyYEL6WDIi6lQU=",
+    });
+    let response = client
+        .post("/api/v1/device/hpotter")
+        .json(&device)
+        .send()
+        .await;
+    assert_eq!(response.status(), StatusCode::CREATED);
+
+    // admin can view device config
+    let response = client.get("/api/v1/network/1/device/1/config").send().await;
+    assert_eq!(response.status(), StatusCode::OK);
+
+    // ensure normal users can't access device config
+    let auth = Auth::new("hpotter", "pass123");
+    let response = client.post("/api/v1/auth").json(&auth).send().await;
+    assert_eq!(response.status(), StatusCode::OK);
+
+    let response = client.get("/api/v1/network/1/device/1/config").send().await;
+    assert_eq!(response.status(), StatusCode::FORBIDDEN);
+}