From f8cba5721ea397972df4d62260ca46936b97c67c Mon Sep 17 00:00:00 2001
From: Thomas Basler <thomas@familie-basler.net>
Date: Tue, 19 Sep 2023 18:59:20 +0200
Subject: [PATCH] Fix: Deny passwordless access to prometheus API if readonly
 access is disabled

Fix #1358
---
 src/WebApi_prometheus.cpp | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/src/WebApi_prometheus.cpp b/src/WebApi_prometheus.cpp
index 3decacf6..6178f533 100644
--- a/src/WebApi_prometheus.cpp
+++ b/src/WebApi_prometheus.cpp
@@ -25,6 +25,10 @@ void WebApiPrometheusClass::loop()
 
 void WebApiPrometheusClass::onPrometheusMetricsGet(AsyncWebServerRequest* request)
 {
+    if (!WebApi.checkCredentialsReadonly(request)) {
+        return;
+    }
+
     try {
         auto stream = request->beginResponseStream("text/plain; charset=utf-8", 40960);