Issue #3079209 Hide POST, PUT, and DELETE endpoints when JSON:API is configured to be read-only

https://www.drupal.org/project/openapi_jsonapi/issues/3079209

Closes #3079209

src/Plugin/openapi/OpenApiGenerator/JsonApiGenerator.php

@@ -220,7 +220,18 @@ class JsonApiGenerator extends OpenApiGeneratorBase {
   public function getPaths() {
     $routes = $this->getJsonApiRoutes();
     $api_paths = [];
+    $read_only_mode_is_enabled = $this->configFactory->get('jsonapi.settings')->get('read_only');
+    $read_only_methods = ['GET', 'HEAD', 'OPTIONS', 'TRACE'];
+
     foreach ($routes as $route_name => $route) {
+      if ($read_only_mode_is_enabled === TRUE) {
+        $supported_methods = $route->getMethods();
+        assert(count($supported_methods) > 0, 'JSON:API routes always have a method specified.');
+        if (!empty(array_diff($supported_methods, $read_only_methods))) {
+          continue;
+        }
+      }
+
       /** @var \Drupal\jsonapi\ResourceType\ResourceType $resource_type */
       $resource_type = $this->getResourceType($route_name, $route);
       if (!$resource_type instanceof ResourceType) {