From 303805a38947ecbbe4f9e0c62abb70cac38cbfae Mon Sep 17 00:00:00 2001
From: Brad Fitzpatrick <bradfitz@tailscale.com>
Date: Sun, 11 Apr 2021 21:31:15 -0700
Subject: [PATCH] ipn/localapi: require write access to PATCH prefs

Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
---
 ipn/localapi/localapi.go | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/ipn/localapi/localapi.go b/ipn/localapi/localapi.go
index 2d8b7cabf..d4f89f51f 100644
--- a/ipn/localapi/localapi.go
+++ b/ipn/localapi/localapi.go
@@ -228,6 +228,10 @@ func (h *Handler) servePrefs(w http.ResponseWriter, r *http.Request) {
 	var prefs *ipn.Prefs
 	switch r.Method {
 	case "PATCH":
+		if !h.PermitWrite {
+			http.Error(w, "prefs write access denied", http.StatusForbidden)
+			return
+		}
 		mp := new(ipn.MaskedPrefs)
 		if err := json.NewDecoder(r.Body).Decode(mp); err != nil {
 			http.Error(w, err.Error(), 400)