Change all the forms from _method to X-HTTP-Method-Override

This commit is contained in:
2026-06-13 00:11:56 +02:00
parent 1374ba2f13
commit 3b200d30cb
14 changed files with 26 additions and 37 deletions

View File

@@ -477,19 +477,8 @@ class API
# The HTTP_X_HTTP_METHOD_OVERRIDE header is allowed for API requests because
# some web servers do not support PUT or DELETE methods by default.
# This override is only applied when the request method is POST and the header is present.
$override = $_SERVER['HTTP_X_HTTP_METHOD_OVERRIDE'] ?? null;
if ($method === 'POST' && is_string($override)) {
$override = strtoupper($override);
if (in_array($override, $allowedMethods, true)) {
$method = $override;
}
}
# Since browser doesnt allow DELETE or PUTs from the frontend forms (apart from some javascript/ajax fuckery)
# we need to check the _method POST value.
if ($this->user_type === 'frontend' && $method === 'POST' && isset($_POST['_method'])) {
$override = strtoupper($_POST['_method']);
if ($method === 'POST' && isset($_POST['X-HTTP-Method-Override'])) {
$override = strtoupper($_POST['X-HTTP-Method-Override']);
if (in_array($override, $allowedMethods, true)) {
$method = $override;

View File

@@ -25,7 +25,7 @@ if ($API_permissions->request_method === 'GET') {
$API_permissions->validateData($requiredFields, $optionalFields);
$permissions = $API_permissions->getPermission();
$API_permissions->apiOutput($code = 200, ['success' => $permissions], 'permission_retrieved');
$API_permissions->apiOutput($code = 200, $permissions, 'permission_retrieved');
} elseif ($API_permissions->request_method === 'POST') {

View File

@@ -55,7 +55,7 @@ if ($API_usergroups->request_method === 'GET') {
$API_usergroups->checkPermissions('admin-access-control-user-groups', 'RW');
# when called from the frontend will not be forwarding to a url since when its called from the frontend it doesnt need a redirection
# when called from the frontend will not be forwarding to a url since when it's called from the frontend it doesn't need a redirection
$API_usergroups->return_url = false;
$requiredFields = ['user_group_uuid' => ['type' => 'uuid']];