Change all the forms from _method to X-HTTP-Method-Override

This commit is contained in:
2026-06-13 00:11:56 +02:00
parent 1374ba2f13
commit 3b200d30cb
14 changed files with 26 additions and 37 deletions

View File

@@ -477,19 +477,8 @@ class API
# The HTTP_X_HTTP_METHOD_OVERRIDE header is allowed for API requests because
# some web servers do not support PUT or DELETE methods by default.
# This override is only applied when the request method is POST and the header is present.
$override = $_SERVER['HTTP_X_HTTP_METHOD_OVERRIDE'] ?? null;
if ($method === 'POST' && is_string($override)) {
$override = strtoupper($override);
if (in_array($override, $allowedMethods, true)) {
$method = $override;
}
}
# Since browser doesnt allow DELETE or PUTs from the frontend forms (apart from some javascript/ajax fuckery)
# we need to check the _method POST value.
if ($this->user_type === 'frontend' && $method === 'POST' && isset($_POST['_method'])) {
$override = strtoupper($_POST['_method']);
if ($method === 'POST' && isset($_POST['X-HTTP-Method-Override'])) {
$override = strtoupper($_POST['X-HTTP-Method-Override']);
if (in_array($override, $allowedMethods, true)) {
$method = $override;

View File

@@ -25,7 +25,7 @@ if ($API_permissions->request_method === 'GET') {
$API_permissions->validateData($requiredFields, $optionalFields);
$permissions = $API_permissions->getPermission();
$API_permissions->apiOutput($code = 200, ['success' => $permissions], 'permission_retrieved');
$API_permissions->apiOutput($code = 200, $permissions, 'permission_retrieved');
} elseif ($API_permissions->request_method === 'POST') {

View File

@@ -55,7 +55,7 @@ if ($API_usergroups->request_method === 'GET') {
$API_usergroups->checkPermissions('admin-access-control-user-groups', 'RW');
# when called from the frontend will not be forwarding to a url since when its called from the frontend it doesnt need a redirection
# when called from the frontend will not be forwarding to a url since when it's called from the frontend it doesn't need a redirection
$API_usergroups->return_url = false;
$requiredFields = ['user_group_uuid' => ['type' => 'uuid']];

View File

@@ -79,7 +79,7 @@ if ($device_found) {
$formBuilder->startForm();
?>
<form id="FormValidation" enctype="multipart/form-data" method="post" action="/api/v1/devices">
<input type="hidden" name="_method" value="PUT">
<input type="hidden" name="X-HTTP-Method-Override" value="PUT">
<input type="hidden" name="_return" value="/devices/?edit=<?php echo $device_data['device_uuid']; ?>">
<input type="hidden" name="device_uuid" value="<?php echo $device_data['device_uuid'] ?>">
<div class="card-body">

View File

@@ -60,7 +60,7 @@ function makeFileTables($API, $dataFolder, $device_slugify)
<?php if ($API->checkPermissions('admin-devices-files', 'RW', true)) { ?>
<form action="/api/v1/autop/devices/files" method="post">
<input type="hidden" name="filePath" value="">
<input type="hidden" name="_method" value="DELETE">
<input type="hidden" name="X-HTTP-Method-Override" value="DELETE">
<a href="#" class="btn btn-danger btn-sm btn-rounded delete-btn" data-item-uuid="<?php echo $urlPath ?>" data-api-url="/api/v1/autop/devices/files/" data-item-name="file_name"><i class="fas fa-trash-alt"></i></a>
</form>
<?php } ?>

View File

@@ -58,7 +58,7 @@ if ($platform_data) {
<form id="FormValidation" enctype="multipart/form-data" method="post" action="/api/v1/autop/platforms/">
<input type="hidden" name="platform_uuid" value="<?php echo $platform_data["platform_uuid"] ?>">
<input type="hidden" name="_method" value="PUT">
<input type="hidden" name="X-HTTP-Method-Override" value="PUT">
<div class="card-body">
<div class="form-group form-show-validation row">
<label for="platform_name" class="col-lg-3 col-md-3 col-sm-4 mt-sm-2"><?php echo __('platform_name') ?></label>

View File

@@ -55,7 +55,7 @@ $formBuilder->startForm();
if ($vendor_data) { ?>
<form id="FormValidation" enctype="multipart/form-data" method="post" action="/api/v1/autop/vendors">
<input type="hidden" name="vendor_uuid" value="<?php echo $vendor_data["vendor_uuid"] ?>">
<input type="hidden" name="_method" value="PUT">
<input type="hidden" name="X-HTTP-Method-Override" value="PUT">
<div class="card-body">
<div class="form-group form-show-validation row">
<label for="vendor_name" class="col-lg-3 col-md-3 col-sm-4 mt-sm-2"><?php echo __('vendor_name') ?></label>

View File

@@ -60,7 +60,7 @@ $pageNavbar->outPutNavbar();
if ($admin_data) {
$formBuilder->startForm(); ?>
<form id="FormValidation" enctype="multipart/form-data" method="post" action="/api/v1/portal-management/users/">
<input type="hidden" name="_method" value="PUT">
<input type="hidden" name="X-HTTP-Method-Override" value="PUT">
<input type="hidden" name="_return" value="/accesscontrol/?admin_view=<?php echo $user_uuid ?>">
<input type="hidden" name="user_uuid" value="<?php echo $user_uuid; ?>"/>
<div class="card-body">

View File

@@ -61,7 +61,7 @@ if ($permission_data) {
$formBuilder->startForm(); ?>
<form id="FormValidation" method="post" action="/api/v1/portal-management/permissions/">
<input type="hidden" name="_return" value="/accesscontrol/?permission_view=<?php echo $permission_uuid ?>">
<input type="hidden" name="_method" value="PUT">
<input type="hidden" name="X-HTTP-Method-Override" value="PUT">
<input type="hidden" name="permission_uuid" value="<?php echo $permission_uuid ?>">
<div class="card-body">
<div class="form-group form-show-validation row">

View File

@@ -53,7 +53,7 @@ $pageNavbar->outPutNavbar();
$formBuilder->startForm();
?>
<form id="FormValidation" enctype="multipart/form-data" method="post" action="/api/v1/portal-management/user-groups/">
<input type="hidden" name="_method" value="PUT">
<input type="hidden" name="X-HTTP-Method-Override" value="PUT">
<input type="hidden" name="user_group_uuid" value="<?php echo $user_group['user_group_uuid'] ?>"/>
<input type="hidden" name="user_group_slugify" value="<?php echo $user_group['user_group_slugify'] ?>"/>
<div class="card-body">

View File

@@ -86,7 +86,7 @@ while ($module = $system_modules_data->fetch_assoc()) {
</div>
<div class="card">
<form id="FormValidation" method="post" action="/api/v1/portal-management/configure/">
<input type="hidden" name="_method" value="PUT">
<input type="hidden" name="X-HTTP-Method-Override" value="PUT">
<input type="hidden" name="_return" value="/systemconfig/#global-settings">
<input type="hidden" name="portal_uuid" value="<?php echo $portal_settings['portal_uuid']; ?>">
<div class="card-body">
@@ -175,7 +175,7 @@ while ($module = $system_modules_data->fetch_assoc()) {
<div class="card">
<form id="FormValidation" method="post" action="/api/v1/portal-management/mail/configure/">
<input type="hidden" name="portal_uuid" value="<?php echo $portal_settings['portal_uuid']; ?>">
<input type="hidden" name="_method" value="PUT">
<input type="hidden" name="X-HTTP-Method-Override" value="PUT">
<input type="hidden" name="_return" value="/systemconfig/#mail-settings">
<div class="card-body">
<div class="form-group form-show-validation row">
@@ -271,7 +271,7 @@ while ($module = $system_modules_data->fetch_assoc()) {
</p>
<form id="FormValidation" method="post" action="/api/v1/portal-management/mail/test/">
<input type="hidden" name="portal_uuid" value="<?php echo $portal_settings['portal_uuid']; ?>">
<input type="hidden" name="_method" value="POST">
<input type="hidden" name="X-HTTP-Method-Override" value="POST">
<input type="hidden" name="_return" value="/systemconfig/#mail-settings">
<div class="form-group form-show-validation row">
<label for="mail_to" class="col-lg-3 col-md-3 col-sm-4 mt-sm-2"><?php echo __('mail_to') ?>:</label>
@@ -308,7 +308,7 @@ while ($module = $system_modules_data->fetch_assoc()) {
<div class="card p-3">
<form id="FormValidation" method="post" action="/api/v1/modules/">
<input type="hidden" name="portal_uuid" value="<?php echo $portal_settings['portal_uuid']; ?>">
<input type="hidden" name="_method" value="PUT">
<input type="hidden" name="X-HTTP-Method-Override" value="PUT">
<input type="hidden" name="_return" value="/systemconfig/#modules">
<table class="multi-filter-select display table table-striped table-hover" data-skip-columns="0,5">
<thead>

View File

@@ -56,7 +56,7 @@ $pageNavbar->outPutNavbar();
</div>
<form id="FormValidation" method="post" action="/api/v1/portal-management/sources/inserve/">
<input type="hidden" name="_method" value="POST">
<input type="hidden" name="X-HTTP-Method-Override" value="POST">
<input type="hidden" name="_return" value="/portal-management/sources/inserve">
<div class="card-body">

View File

@@ -110,7 +110,7 @@ $logo = $logos[$baseos] ?? 'server';
if ($API->checkPermissions('servers', 'RW', true)) {
$pageNavbar->AddHTMLButton(
'<form id="FormValidation" enctype="multipart/form-data" method="post" action="/api/v1/servers/">
<input type="hidden" name="_method" value="POST">
<input type="hidden" name="X-HTTP-Method-Override" value="POST">
<input type="hidden" name="_return" value="/servers?view=' . $server_data['server_uuid'] . '">
<input type="hidden" name="server_vm_id" value="' . $server_data['server_vm_id'] . '"/>' .
(
@@ -155,7 +155,7 @@ $pageNavbar->outPutNavbar();
<div class="col-lg-auto col-md-auto">
<table class="table table-borderless">
<form id="FormValidation" enctype="multipart/form-data" method="post" action="/api/v1/servers/">
<input type="hidden" name="_method" value="POST">
<input type="hidden" name="X-HTTP-Method-Override" value="POST">
<input type="hidden" name="_return" value="/servers?view=<?php echo $server_data['server_uuid'] ?>">
<input type="hidden" name="server_vm_id" value="<?php echo $server_data['server_vm_id'] ?>"/>
<tr>

View File

@@ -248,7 +248,7 @@ if (isset($this->jsScriptLoadData['activateCompany'])) { ?>
const params = {
company_uuid: companyUuid,
company_state: newState,
_method: 'PUT'
"X-HTTP-Method-Override": "PUT"
};
const rootStyles = getComputedStyle(document.documentElement);
@@ -641,7 +641,7 @@ if (isset($this->jsScriptLoadData['stompjes'])) { ?>
// Make the POST request to delete the device
$.post(apiUrl, {
[itemName]: itemUuid,
_method: "POST"
"X-HTTP-Method-Override": "POST"
})
.done(function (response) {
@@ -712,7 +712,7 @@ if (isset($this->jsScriptLoadData['stompjes'])) { ?>
// Make the POST request to delete the device
$.post(deleteStompOptions.apiUrl, {
[deleteStompOptions.itemName]: deleteStompOptions.itemUuid,
_method: "DELETE"
"X-HTTP-Method-Override": "DELETE"
})
.done(function (response) {
@@ -963,7 +963,7 @@ if (isset($this->jsScriptLoadData['delete_confirmation'])) { ?>
// Make the POST request to delete the item
$.post(apiUrl, {
[itemName]: itemUuid,
_method: "DELETE"
"X-HTTP-Method-Override": "DELETE"
})
.done(function (response) {
@@ -1154,7 +1154,7 @@ if (isset($this->jsScriptLoadData['updateToggle'])) { ?>
}
// Add method override
dataObj._method = 'PUT';
dataObj['X-HTTP-Method-Override'] = 'PUT';
// Convert to URL-encoded string
const formBody = new URLSearchParams(dataObj).toString();
@@ -1169,8 +1169,8 @@ if (isset($this->jsScriptLoadData['updateToggle'])) { ?>
});
if (response.ok) {
// Remove _method before saving back
delete dataObj._method;
// Remove X-HTTP-Method-Override before saving back
delete dataObj['X-HTTP-Method-Override']
input.setAttribute('data-api-data', JSON.stringify(dataObj));
} else {
input.checked = !input.checked; // revert toggle
@@ -1209,7 +1209,7 @@ if (isset($this->jsScriptLoadData['updatePermissions'])) { ?>
formData.append('permission_uuid', permissionUUID);
formData.append('user_group_uuid', userGroupUUID);
formData.append('permission_value', permissionValue);
formData.append('_method', 'PUT')
formData.append('X-HTTP-Method-Override', 'PUT')
try {
const response = await fetch(apiUrl, {