open-data · JVickery-TBS · Jan 26, 2026 · Jan 19, 2026 · Jan 19, 2026 · Jan 19, 2026
diff --git a/changes/219.canada.feature b/changes/219.canada.feature
@@ -0,0 +1 @@
+Added a `ckan.site_read_only` config option which disables `_create`, `_update`, `_patch`, and `_delete` actions for non-sysadmin users.
diff --git a/ckan/authz.py b/ckan/authz.py
@@ -225,6 +225,13 @@ def is_authorized(action: str, context: Context,
                 if not getattr(auth_function, 'auth_sysadmins_check', False):
                     return {'success': True}
 
+        # (canada fork only): site read only mode
+        # TODO: upstream contrib!!!
+        if config.get('ckan.site_read_only', False):
+            if not getattr(p.toolkit.get_action(action), 'side_effect_free', False):
+                return {'success': False,
+                        'msg': _('Site is in read only mode')}
+
         # If the auth function is flagged as not allowing anonymous access,
         # and an existing user object is not provided in the context, deny
         # access straight away
Original file line number	Diff line number	Diff line change
		@@ -0,0 +1 @@
		Added a `ckan.site_read_only` config option which disables `_create`, `_update`, `_patch`, and `_delete` actions for non-sysadmin users.
JVickery-TBS marked this conversation as resolved. Outdated Show resolved Hide resolved