From 1c299c6d91a6091fdf0fe3417ef49467e484853c Mon Sep 17 00:00:00 2001
From: webchick <drupal@webchick.net>
Date: Wed, 9 Oct 2019 23:33:02 -0700
Subject: [PATCH] Issue #3068275 by Wim Leers, alexpott, shimpy, gabesullice,
 xjm: Add status report message about JSON:API's read-only mode

---
 core/modules/jsonapi/jsonapi.install | 15 ++++++++++++++-
 1 file changed, 14 insertions(+), 1 deletion(-)

diff --git a/core/modules/jsonapi/jsonapi.install b/core/modules/jsonapi/jsonapi.install
index add7e17ddc30..a1ada646df33 100644
--- a/core/modules/jsonapi/jsonapi.install
+++ b/core/modules/jsonapi/jsonapi.install
@@ -5,6 +5,8 @@
  * Module install file.
  */
 
+use Drupal\Core\Url;
+
 /**
  * Implements hook_install().
  */
@@ -58,7 +60,18 @@ function jsonapi_requirements($phase) {
         ':jsonapi-docs' => 'https://www.drupal.org/docs/8/modules/jsonapi/revisions',
       ]),
     ];
-
+    $requirements['jsonapi_read_only_mode'] = [
+      'title' => t('JSON:API allowed operations'),
+      'value' => t('Read-only'),
+      'severity' => REQUIREMENT_INFO,
+    ];
+    if (!\Drupal::configFactory()->get('jsonapi.settings')->get('read_only')) {
+      $requirements['jsonapi_read_only_mode']['value'] = t('All (create, read, update, delete)');
+      $requirements['jsonapi_read_only_mode']['description'] = t('It is recommended to <a href=":configure-url">configure</a> JSON:API to only accept all operations if the site requires it. <a href=":docs">Learn more about securing your site with JSON:API.</a>', [
+        ':docs' => 'https://www.drupal.org/docs/8/modules/jsonapi/security-considerations',
+        ':configure-url' => Url::fromRoute('jsonapi.settings')->toString(),
+      ]);
+    }
   }
   return $requirements;
 }
-- 
GitLab