From 6bd3d9076050001e182dacfac54f00537a26e12b Mon Sep 17 00:00:00 2001
From: Joseph Huckaby <jhuckaby@gmail.com>
Date: Mon, 15 Jul 2024 14:39:16 -0700
Subject: [PATCH] Version 0.9.54

- Added optional `job_read_only` privilege.  When set, a user (or API key) can ONLY run stock events from the schdule, with NO customization.
---
 lib/api/event.js | 3 +++
 package.json     | 2 +-
 2 files changed, 4 insertions(+), 1 deletion(-)

diff --git a/lib/api/event.js b/lib/api/event.js
index fc6fb5b4..8bdc2e6a 100644
--- a/lib/api/event.js
+++ b/lib/api/event.js
@@ -387,6 +387,9 @@ module.exports = Class.create({
 				delete params.max_children;
 				delete params.session_id;
 				
+				// if user has special job_read_only privilege, remove all param keys (no customization)
+				if (!user.privileges.job_read_only) params = {};
+				
 				// allow for &params/foo=bar and the like
 				for (var key in params) {
 					if (key.match(/^(\w+)\/(\w+)$/)) {
diff --git a/package.json b/package.json
index 9bb65bbc..59c4ffc2 100644
--- a/package.json
+++ b/package.json
@@ -1,6 +1,6 @@
 {
 	"name": "Cronicle",
-	"version": "0.9.53",
+	"version": "0.9.54",
 	"description": "A simple, distributed task scheduler and runner with a web based UI.",
 	"author": "Joseph Huckaby <jhuckaby@gmail.com>",
 	"homepage": "https://github.com/jhuckaby/Cronicle",