From b035d3481c4be47e7d45cbce2c97cc0aa3396dff Mon Sep 17 00:00:00 2001
From: "D. Berge"
Date: Fri, 11 Jul 2025 22:49:28 +0200
Subject: [PATCH] Ensure users have at least read access to most endpoints
---
 lib/www/server/api/index.js | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/lib/www/server/api/index.js b/lib/www/server/api/index.js
index 1f86ac3..c0b4a2b 100644
--- a/lib/www/server/api/index.js
+++ b/lib/www/server/api/index.js
@@ -94,6 +94,8 @@ app.map({
 // WARNING Every route from here onwards requires authentication!
 //
 app.use(mw.auth.authentify);
+// Read access required for anything below here
+app.use(mw.auth.access.read);
 // Don't process the request if the data hasn't changed
 app.use(mw.etag.ifNoneMatch);
@@ -101,7 +103,7 @@ app.use(mw.etag.ifNoneMatch);
 // We must be authenticated before we can access these
 app.map({
 '/project': {
- get: [ mw.project.get ], // Get list of projects
+ get: [ mw.project.get ], // Get list of projects, filtered by `read` access
 post: [ mw.auth.access.admin, mw.project.post ], // Create a new project
 },
 '/project/:project': {
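Review bot: The new `app.use(mw.auth.access.read)` in the first hunk only does its job because it sits after `mw.auth.authentify` and before `mw.etag.ifNoneMatch`, and the one-line comment above it does not record that ordering constraint. I would extend the comment to something like `// Read access required for anything below here; keep after authentify and before etag.ifNoneMatch so a 304 is never answered ahead of the access check`. Because the check is mounted with `app.use` rather than on a route, it presumably runs before any `:project` parameter has been resolved, so whether it enforces a global grant or a per-project one cannot be told from this patch; the middleware body is outside the diff and the comment should say which it is. The second hunk's comment now asserts that `mw.project.get` filters the list by `read` access, which is also implemented elsewhere. A regression test with an authenticated user who holds no read grant, covering one project route and the `/project` list, would pin both claims.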