diff --git a/changes/219.canada.feature b/changes/219.canada.feature
new file mode 100644
index 00000000000..1fad4a3b3a1
--- /dev/null
+++ b/changes/219.canada.feature
@@ -0,0 +1,5 @@
+Added a `ckan.site_read_only` config option which disables actions causing side effects,
+such as `*_create`, `*_update`, and `*_delete`, for non-sysadmin users.
+
+This setting does not prevent updates to the database from sysadmin users or updates
+that skip the action API, such as collecting page view tracking data.
\ No newline at end of file
diff --git a/ckan/authz.py b/ckan/authz.py
index fdb18494e3f..cea2c4b5575 100644
--- a/ckan/authz.py
+++ b/ckan/authz.py
@@ -225,6 +225,13 @@ def is_authorized(action: str, context: Context,
                 if not getattr(auth_function, 'auth_sysadmins_check', False):
                     return {'success': True}
 
+        # (canada fork only): site read only mode
+        # TODO: upstream contrib!!!
+        if config.get('ckan.site_read_only', False):
+            if not getattr(p.toolkit.get_action(action), 'side_effect_free', False):
+                return {'success': False,
+                        'msg': _('Site is in read only mode')}
+
         # If the auth function is flagged as not allowing anonymous access,
         # and an existing user object is not provided in the context, deny
         # access straight away