diff --git a/openwisp_controller/geo/api/views.py b/openwisp_controller/geo/api/views.py
index b5514cf26..eb923abe4 100644
--- a/openwisp_controller/geo/api/views.py
+++ b/openwisp_controller/geo/api/views.py
@@ -115,6 +115,7 @@ class DeviceLocationView(
 lookup_field = "content_object"
 lookup_url_kwarg = "pk"
 organization_field = "content_object__organization"
+ organization_lookup = "organization__in"
 _device_field = "content_object"
 def get_queryset(self):
diff --git a/openwisp_controller/geo/tests/test_api.py b/openwisp_controller/geo/tests/test_api.py
index 4cc37519f..8c103784b 100644
--- a/openwisp_controller/geo/tests/test_api.py
+++ b/openwisp_controller/geo/tests/test_api.py
@@ -9,6 +9,7 @@ from django.urls import reverse
 from django.urls.exceptions import NoReverseMatch
 from PIL import Image
+from rest_framework import status
 from rest_framework.authtoken.models import Token
 from swapper import load_model
@@ -1036,3 +1037,20 @@ def test_deactivated_device(self):
 with self.subTest("Test deleting DeviceLocation"):
 response = self.client.delete(url)
 self.assertEqual(response.status_code, 403)
+
+ def test_device_location_view_parent_permission(self):
+ org1 = self._create_org(name="Org One")
+ device1 = self._create_device(organization=org1)
+ org2 = self._create_org(name="Org Two")
+ manager_org2 = self._create_administrator(
+ organizations=[org2],
+ username="manager_org2",
+ password="test_password",
+ is_superuser=False,
+ is_staff=True,
+ )
+ self.client.force_login(manager_org2)
+ url = reverse("geo_api:device_location", args=[device1.pk])
+ response = self.client.get(url)
+ self.assertEqual(response.status_code, status.HTTP_404_NOT_FOUND)
+ self.client.logout()
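Review bot: The added `organization_lookup = "organization__in"` sits directly under `organization_field = "content_object__organization"` with no comment, so the class now carries two organization paths that apparently refer to different models, and the override is easy to "correct" back by mistake. Judging by the accompanying test name, the override seems to scope the parent device check rather than the location queryset, but that is inferred, because the mixins that read both attributes are outside the hunk. I would add a comment above the line such as `# parent Device is matched on its own organization; organization_field is the path from DeviceLocation`. Please also confirm that no code path in this view uses `organization_lookup` to filter DeviceLocation rows, which reach the organization through `content_object`. The class body starts and continues outside the hunk.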
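Review bot: `test_device_location_view_parent_permission` cannot tell the tenant check apart from a plain missing object: `device1` is created without any location in the visible lines, so the 404 on GET may be returned even when the organization filter is absent. Attach a location to `device1` and add a control asserting that a manager of `org1` gets 200 for the same URL, so that the 404 for `manager_org2` is attributable to the cross-organization check. Only GET is asserted; the write methods deserve the same assertion, for example `for method in ("get", "put", "patch", "delete"):` with `with self.subTest(method=method):` around the request. The trailing `self.client.logout()` looks redundant if the test client is created fresh for each test.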