From a4103ee09fb309250a2d2eb8897208323ada6f8f Mon Sep 17 00:00:00 2001
From: Andreas Granig
Date: Tue, 6 Aug 2013 10:55:06 +0200
Subject: [PATCH] Centrally reject any write-urls for r/o-users. We currently filter for create/edit/delete in any part of the uri.
---
 lib/NGCP/Panel/Controller/Root.pm | 9 +++++++++
 1 file changed, 9 insertions(+)
diff --git a/lib/NGCP/Panel/Controller/Root.pm b/lib/NGCP/Panel/Controller/Root.pm
index 64e77cbe99..acc8a1383a 100644
--- a/lib/NGCP/Panel/Controller/Root.pm
+++ b/lib/NGCP/Panel/Controller/Root.pm
@@ -52,6 +52,15 @@ sub auto :Private {
 $c->log->debug("*** Root::auto grant access for authenticated user");
+ # check for read_only on write operations
+ if($c->user->read_only && (
+ $c->req->uri->path =~ /create/
+ || $c->req->uri->path =~ /edit/
+ || $c->req->uri->path =~ /delete/
+ )) {
+ $c->detach('/denied_page');
+ }
+ # load top menu widgets
 my $plugin_finder = NGCP::Panel::Widget->new;
 my $topmenu_templates = [];
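Review bot: The read-only check added to `auto` decides on unanchored substring matches against `$c->req->uri->path`, so as an authorization control it is both too broad and incomplete. Any path that merely contains one of the words is denied (`/edit/` also matches inside "credit"), while a state-changing action whose URL uses none of the three words stays reachable for a read-only user. It also tests the raw, still-escaped URI path, which may differ from the decoded path Catalyst dispatches on; that is inferred from the visible lines and worth confirming. Consider keying the decision on the dispatched action rather than the URL text, e.g. `if ($c->user->read_only && $c->action->name =~ /create|edit|delete/) {`, and add a comment stating that every write action must follow this naming to be covered. The body of `auto` starts and ends outside the hunk.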