From 41fd52db52dae889ced5f0cd317462216026f5e0 Mon Sep 17 00:00:00 2001
From: Bernhard Kirchen
Date: Sat, 2 Nov 2024 22:08:26 +0100
Subject: [PATCH] Fix: protect api/powerlimiter/status endpoint

this endpoint must not spill info if read-only access is disabled.
---
 src/WebApi_powerlimiter.cpp | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/src/WebApi_powerlimiter.cpp b/src/WebApi_powerlimiter.cpp
index 89e671d8c..e7033c809 100644
--- a/src/WebApi_powerlimiter.cpp
+++ b/src/WebApi_powerlimiter.cpp
@@ -27,6 +27,10 @@ void WebApiPowerLimiterClass::init(AsyncWebServer& server, Scheduler& scheduler)
 
 void WebApiPowerLimiterClass::onStatus(AsyncWebServerRequest* request)
 {
+ if (!WebApi.checkCredentialsReadonly(request)) {
+ return;
+ }
+
 AsyncJsonResponse* response = new AsyncJsonResponse();
 auto& root = response->getRoot();
 auto const& config = Configuration.get();
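Review bot: The early `return` added at the top of `onStatus` sends no response of its own, so the guard is complete only if `WebApi.checkCredentialsReadonly(request)` has already answered the request (for example with an authentication challenge) before returning false; that helper is not visible in this hunk, so this should be confirmed. A short comment above the check would make the contract explicit, e.g. `// checkCredentialsReadonly() has already replied when it returns false; this status must not be served without read-only access`. Because the check is opt-in per handler, the other handlers registered in `init()` are worth auditing for the same gap, and a test asserting that an unauthenticated request to this endpoint is rejected when read-only access is disabled would keep the fix from regressing. The body of `onStatus` continues past the end of the hunk.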