From 92a2e840f4076de3ecd3ecad016c99234d2b792b Mon Sep 17 00:00:00 2001
From: ramfox
Date: Thu, 22 Mar 2018 23:55:10 -0400
Subject: [PATCH] feat(readonly): add check for readonly & GET in middleware if in readonly mode, check to make sure we are only allowing GET requests through
---
 api/middleware.go | 14 +++++++++++++-
 1 file changed, 13 insertions(+), 1 deletion(-)
diff --git a/api/middleware.go b/api/middleware.go
index ba0223089..ebe1e81c4 100644
--- a/api/middleware.go
+++ b/api/middleware.go
@@ -2,8 +2,11 @@ package api
 import (
 "context"
+ "fmt"
 "net/http"
 "time"
+
+ util "github.com/datatogether/api/apiutil"
 )
 // middleware handles request logging
@@ -30,10 +33,19 @@ func (s *Server) middleware(handler http.HandlerFunc) http.HandlerFunc {
 // }
 s.addCORSHeaders(w, r)
- handler(w, r)
+ if ok := s.readOnlyCheck(r); ok {
+ handler(w, r)
+ } else {
+ util.WriteErrResponse(w, http.StatusForbidden, fmt.Errorf("qri server is in read-only mode, only certain GET requests are allowed"))
+ }
 }
 }
+func (s *Server) readOnlyCheck(r *http.Request) bool {
+ // return !s.cfg.ReadOnly || r.Method == "GET"
+ return true
+}
+
 // addCORSHeaders adds CORS header info for whitelisted servers
 func (s *Server) addCORSHeaders(w http.ResponseWriter, r *http.Request) {
 origin := r.Header.Get("Origin")
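Review bot: `readOnlyCheck` returns `true` unconditionally, with the real condition left as a comment, so the new `else` branch in `middleware` that writes the 403 is unreachable and a server meant to be read-only still passes every method through to the handler. If `s.cfg.ReadOnly` is available (it is not visible in this hunk, which may be why the line is commented out), enable it as `return !s.cfg.ReadOnly || r.Method == http.MethodGet`; otherwise mark the stub with a `// TODO` so nobody relies on read-only mode before it is enforced. A strict GET-only rule would also reject `OPTIONS` preflights and `HEAD`, and it only protects state if no GET route mutates anything, which the error text's "only certain GET requests" suggests is not settled yet. The function also lacks a doc comment, e.g. `// readOnlyCheck reports whether r may proceed given the server's read-only setting.` The body of `middleware` starts outside this hunk.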