From 4a9652a9e44e8e3aa56f85e6b275d8c87332c4a4 Mon Sep 17 00:00:00 2001
From: "Graham R. Cobb"
Date: Wed, 10 Mar 2021 18:56:30 +0000
Subject: [PATCH] Only allow DELETE or PATCH operations if "readonly" is set to true. Note: default is false which is a **NOT BACKWARDS COMPATIBLE** change.
Signed-off-by: Graham R. Cobb
---
 beetsplug/web/__init__.py | 12 ++++++++++++
 1 file changed, 12 insertions(+)
diff --git a/beetsplug/web/__init__.py b/beetsplug/web/__init__.py
index c8f979fa6..e4d83f8d2 100644
--- a/beetsplug/web/__init__.py
+++ b/beetsplug/web/__init__.py
@@ -116,12 +116,18 @@ def resource(name, patchable=False):
 entities = [entity for entity in entities if entity]
 if get_method() == "DELETE":
+ if app.config.get('READONLY', True):
+ return flask.abort(405)
+
 for entity in entities:
 entity.remove(delete=is_delete())
 return flask.make_response(jsonify({'deleted': True}), 200)
 elif get_method() == "PATCH" and patchable:
+ if app.config.get('READONLY', True):
+ return flask.abort(405)
+
 for entity in entities:
 entity.update(flask.request.get_json())
 entity.try_sync(True, False) # write, don't move
@@ -162,12 +168,18 @@ def resource_query(name, patchable=False):
 entities = query_func(queries)
 if get_method() == "DELETE":
+ if app.config.get('READONLY', True):
+ return flask.abort(405)
+
 for entity in entities:
 entity.remove(delete=is_delete())
 return flask.make_response(jsonify({'deleted': True}), 200)
 elif get_method() == "PATCH" and patchable:
+ if app.config.get('READONLY', True):
+ return flask.abort(405)
+
 for entity in entities:
 entity.update(flask.request.get_json())
 entity.try_sync(True, False) # write, don't move
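Review bot: The read-only guard `if app.config.get('READONLY', True): return flask.abort(405)` is pasted into both the DELETE and PATCH branches here and again into both branches of `resource_query` in the next hunk, so any mutating route added later stays writable unless someone remembers to copy it. Put the check in one place, either a small helper called at the top of each mutating branch or a `before_request` hook that rejects DELETE and PATCH when the flag is set. `flask.abort` raises rather than returns, so the `return` is dead and the body can be just `flask.abort(405)`. The function wrapped by `resource` starts and ends outside the hunk.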
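Review bot: Nothing in this patch sets `READONLY`: the diffstat shows 12 insertions and all of them are the guards, so with the `True` fallback every DELETE and PATCH is answered with 405 unless code outside the diff already populates `app.config['READONLY']`. The fail-closed fallback is the right choice for an endpoint that removes and rewrites library entries, but it should be documented where it is applied, for example `# Fail closed: a missing READONLY key means the server is read-only.`, and the commit should state which setting an operator changes to allow writes. The guard also sits after `entities = query_func(queries)`, so a refused request still runs the query; checking before the lookup would avoid that, though the start of the function is outside the hunk.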