From 47fed5b99a86ff0c491be041a173b31d256b98ff Mon Sep 17 00:00:00 2001
From: Étienne Loks <etienne.loks@iggdrasil.net>
Date: Tue, 28 Oct 2025 11:10:52 +0100
Subject: ✨ GIS API: verify read-only permission
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 ishtar_common/views_api.py | 5 +++++
 1 file changed, 5 insertions(+)

(limited to 'ishtar_common/views_api.py')

diff --git a/ishtar_common/views_api.py b/ishtar_common/views_api.py
index e0226811b..71bf921da 100644
--- a/ishtar_common/views_api.py
+++ b/ishtar_common/views_api.py
@@ -65,6 +65,8 @@ class GISSourceAPI(GISAPIView):
 
     def get(self, request, format=None):
         serializer = ImporterTypeSerializer(self.get_queryset(), many=True)
+        for source in serializer.data:
+            source["access_type"] = request.auth.access_type
         return Response(serializer.data)
 
 
@@ -143,6 +145,9 @@ class GISImportAPI(GISBaseImportView, GISAPIView):
         if not importer:
             return Response({"error": "Importer not found"},
                             status=status.HTTP_400_BAD_REQUEST)
+        if request.auth.access_type != "W":
+            return Response({"error": "No write permission"},
+                            status=status.HTTP_403_FORBIDDEN)
         data = {}
         for k in request.data:
             data[k] = request.data.get(k)
-- 
cgit v1.2.3