From bd23ac87bf068394096066065390e7526872eebb Mon Sep 17 00:00:00 2001 From: Ludovic Muller Date: Mon, 16 Oct 2023 14:40:25 +0200 Subject: [PATCH] be more restrictive with default permissions --- .changeset/perfect-dodos-speak.md | 13 +++++++++++++ README.md | 6 ++++++ config/shiro.ini | 3 +++ 3 files changed, 22 insertions(+) create mode 100644 .changeset/perfect-dodos-speak.md diff --git a/.changeset/perfect-dodos-speak.md b/.changeset/perfect-dodos-speak.md new file mode 100644 index 0000000..3eb3298 --- /dev/null +++ b/.changeset/perfect-dodos-speak.md @@ -0,0 +1,13 @@ +--- +"fuseki-geosparql": major +--- + +Require to be authenticated for endpoints with write access. + +Starting this version, all routes that are ending with: + +- `/data` +- `/upload` +- `/update` + +are also protected and require authentication. diff --git a/README.md b/README.md index 1de2a25..afaf361 100644 --- a/README.md +++ b/README.md @@ -36,6 +36,12 @@ All other routes that have are prefixed with `/$/` needs basic authentication: - username: `admin` - password: value of the `ADMIN_PASSWORD` environment variable +Some routes that are known to be used for write permissions are also protected; there are the ones ending with: + +- `/data` +- `/upload` +- `/update` + All other routes are publicly available. If you want to change this behavior, you will need to change the `config/shiro.ini` file. diff --git a/config/shiro.ini b/config/shiro.ini index bd788f9..f06a24a 100644 --- a/config/shiro.ini +++ b/config/shiro.ini @@ -19,6 +19,9 @@ admin = ${ADMIN_PASSWORD} ## and the rest are restricted to admin user /$/** = authcBasic,user[admin] +/**/data = authcBasic,user[admin] +/**/upload = authcBasic,user[admin] +/**/update = authcBasic,user[admin] # Everything else /**=anon
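Review bot: the changeset's first sentence reads awkwardly ("Require to be authenticated for endpoints with write access"); suggest "Authentication is now required on endpoints that allow writes", and "Starting this version" should be "Starting with this version". Since the entry is tagged `major`, it would also help to spell out the concrete consequence for existing clients: unauthenticated requests to paths ending in `/data`, `/upload` or `/update` are now refused with a Basic-auth challenge by the `authcBasic` filter instead of being accepted.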
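Review bot: in the added README paragraph, "there are the ones ending with" should be "these are the ones ending with", and "used for write permissions" reads better as "used for write operations". The paragraph also says these routes are "protected" without saying on what basis: the matching in `config/shiro.ini` is purely on the trailing path segment, so it is worth stating that a write-capable service mounted under any other name is not covered and still falls under "All other routes are publicly available". (The unchanged context line "All other routes that have are prefixed with `/$/` needs basic authentication" has a stray "have" and should say "need", but that is pre-existing.)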
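Review bot: the three new `[urls]` entries are correctly placed before the catch-all `/**=anon`, which matters because Shiro applies the first matching entry, but the rule is a deny-list keyed on three path suffixes rather than on the operation being performed. Any endpoint that performs writes under a different path (for example a dataset whose update or graph-store service is configured with a non-default endpoint name) still matches `/**=anon`; please add a comment above these lines recording that assumption, or consider inverting the policy so that only the known read-only endpoints are anonymous and everything else keeps `authcBasic,user[admin]`. Note also that `/**/data` matches only when `data` is the final path segment (the query string is not part of the matched path, so `/ds/data?graph=...` is covered, while `/ds/data/x` is not), which the README and changeset should state explicitly.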