From 1abc1df5b8a68e0613eec7ca25c8ad667e1e2143 Mon Sep 17 00:00:00 2001
From: Remi Gacogne <remi.gacogne@powerdns.com>
Date: Mon, 17 Jul 2017 15:26:38 +0200
Subject: [PATCH] auth: Check if the API is read-only on crypto keys methods

---
 pdns/ws-auth.cc | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/pdns/ws-auth.cc b/pdns/ws-auth.cc
index 5142fd9b04..45511220a7 100644
--- a/pdns/ws-auth.cc
+++ b/pdns/ws-auth.cc
@@ -952,13 +952,13 @@ static void apiZoneCryptokeys(HttpRequest *req, HttpResponse *resp) {
 
   if (req->method == "GET") {
     apiZoneCryptokeysGET(zonename, inquireKeyId, resp, &dk);
-  } else if (req->method == "DELETE") {
+  } else if (req->method == "DELETE" && !::arg().mustDo("api-readonly")) {
     if (inquireKeyId == -1)
       throw HttpBadRequestException();
     apiZoneCryptokeysDELETE(zonename, inquireKeyId, req, resp, &dk);
-  } else if (req->method == "POST") {
+  } else if (req->method == "POST" && !::arg().mustDo("api-readonly")) {
     apiZoneCryptokeysPOST(zonename, req, resp, &dk);
-  } else if (req->method == "PUT") {
+  } else if (req->method == "PUT" && !::arg().mustDo("api-readonly")) {
     if (inquireKeyId == -1)
       throw HttpBadRequestException();
     apiZoneCryptokeysPUT(zonename, inquireKeyId, req, resp, &dk);
-- 
2.47.2