From 136965be8e314dc83fd04f8675356a8fb36089de Mon Sep 17 00:00:00 2001
From: Remi Gacogne
Date: Tue, 22 Aug 2017 11:48:07 +0200
Subject: [PATCH] auth: Deny cache flush, zone retrieve and notify if the API is RO
---
 pdns/ws-auth.cc | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/pdns/ws-auth.cc b/pdns/ws-auth.cc
index d30bd6d771..70f4ce779d 100644
--- a/pdns/ws-auth.cc
+++ b/pdns/ws-auth.cc
@@ -1443,7 +1443,7 @@ static void apiServerZoneExport(HttpRequest* req, HttpResponse* resp) {
 static void apiServerZoneAxfrRetrieve(HttpRequest* req, HttpResponse* resp) {
 DNSName zonename = apiZoneIdToName(req->parameters["id"]);
- if(req->method != "PUT")
+ if(req->method != "PUT" || ::arg().mustDo("api-readonly"))
 throw HttpMethodNotAllowedException();
 UeberBackend B;
@@ -1462,7 +1462,7 @@ static void apiServerZoneAxfrRetrieve(HttpRequest* req, HttpResponse* resp) {
 static void apiServerZoneNotify(HttpRequest* req, HttpResponse* resp) {
 DNSName zonename = apiZoneIdToName(req->parameters["id"]);
- if(req->method != "PUT")
+ if(req->method != "PUT" || ::arg().mustDo("api-readonly"))
 throw HttpMethodNotAllowedException();
 UeberBackend B;
@@ -1824,7 +1824,7 @@ static void apiServerSearchData(HttpRequest* req, HttpResponse* resp) {
 }
 void apiServerCacheFlush(HttpRequest* req, HttpResponse* resp) {
- if(req->method != "PUT")
+ if(req->method != "PUT" || ::arg().mustDo("api-readonly"))
 throw HttpMethodNotAllowedException();
 DNSName canon = apiNameToDNSName(req->getvars["domain"]);
--
2.47.2
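Review bot: In apiServerZoneAxfrRetrieve, and again in apiServerZoneNotify in the next hunk, `apiZoneIdToName(req->parameters["id"])` still runs before the new read-only test, so a request that a read-only API is going to refuse has its zone id parsed first and may fail with whatever that helper reports instead of the refusal. Making the gate the first statement, as apiServerCacheFlush already does, keeps the denial independent of request input: move `if(req->method != "PUT" || ::arg().mustDo("api-readonly")) throw HttpMethodNotAllowedException();` above the `DNSName zonename` line in both functions. Both function bodies continue outside their hunks, so anything further down that depends on the current order is not visible here.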
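Review bot: The condition `req->method != "PUT" || ::arg().mustDo("api-readonly")` in apiServerCacheFlush is the third hand-written copy in this patch, so the read-only guarantee holds only for handlers that remember to include it. A single file-local helper called at the top of every state-changing handler, or a check at the point where routes are dispatched if that code allows it, would make a missed endpoint harder to introduce. Whichever form is kept, a comment such as `// api-readonly: a flush changes server state, so refuse it like any other write` would record why a well-formed PUT is rejected here. The refusal also reuses HttpMethodNotAllowedException, so clients and access logs presumably cannot tell a policy denial from a wrong verb; worth confirming that this is intended.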