From e8c029186e88b144fbe82356ccd687bd4b4ea86e Mon Sep 17 00:00:00 2001
From: Mike Koch
Date: Wed, 28 Jun 2017 13:07:10 -0400
Subject: [PATCH] Don't allow non-GET requests in demo mode
---
 api/index.php | 5 +++++
 1 file changed, 5 insertions(+)
diff --git a/api/index.php b/api/index.php
index 77b28904..672bbf8b 100644
--- api/index.php
+++ api/index.php
@@ -16,6 +16,11 @@ function handle404() {
 }
 function before() {
+ if (defined('HESK_DEMO') && $_SERVER['REQUEST_METHOD'] !== 'GET') {
+ print_error('Demo Mode', 'Only read-only commands are available in demo mode!', null, 401);
+ die();
+ }
+
 $internalUse = \BusinessLogic\Helpers::getHeader('X-INTERNAL-CALL');
 if ($internalUse === 'true') {
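Review bot: The demo-mode guard added at the top of `before()` uses the HTTP method as the read-only boundary, so it protects the demo data only if every GET route under `api/` is free of side effects and the router dispatches on the same `$_SERVER['REQUEST_METHOD']` value that is checked here. Neither is visible in this hunk, so both are worth confirming and recording above the check, for example `// Demo mode: this is the only write guard, so GET handlers must stay side-effect free`. `defined('HESK_DEMO')` tests only that the constant exists, so if it can ever be defined as `false` the condition should read `defined('HESK_DEMO') && HESK_DEMO`. The trailing `401` (presumably the response status) signals missing credentials, while this refusal applies whatever the caller's authentication, so 403 fits better: `print_error('Demo Mode', 'Only read-only commands are available in demo mode!', null, 403);`. The body of `before()` continues past the end of the hunk.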