Change all the forms from _method to X-HTTP-Method-Override
This commit is contained in:
@@ -477,19 +477,8 @@ class API
|
||||
# The HTTP_X_HTTP_METHOD_OVERRIDE header is allowed for API requests because
|
||||
# some web servers do not support PUT or DELETE methods by default.
|
||||
# This override is only applied when the request method is POST and the header is present.
|
||||
$override = $_SERVER['HTTP_X_HTTP_METHOD_OVERRIDE'] ?? null;
|
||||
if ($method === 'POST' && is_string($override)) {
|
||||
$override = strtoupper($override);
|
||||
|
||||
if (in_array($override, $allowedMethods, true)) {
|
||||
$method = $override;
|
||||
}
|
||||
}
|
||||
|
||||
# Since browser doesnt allow DELETE or PUTs from the frontend forms (apart from some javascript/ajax fuckery)
|
||||
# we need to check the _method POST value.
|
||||
if ($this->user_type === 'frontend' && $method === 'POST' && isset($_POST['_method'])) {
|
||||
$override = strtoupper($_POST['_method']);
|
||||
if ($method === 'POST' && isset($_POST['X-HTTP-Method-Override'])) {
|
||||
$override = strtoupper($_POST['X-HTTP-Method-Override']);
|
||||
|
||||
if (in_array($override, $allowedMethods, true)) {
|
||||
$method = $override;
|
||||
|
||||
Reference in New Issue
Block a user