From a60ebadd601f92d062f21d39d4447ab54b7944df Mon Sep 17 00:00:00 2001 From: Meteo Date: Sun, 31 May 2026 00:29:46 +0200 Subject: [PATCH] added support for the HTTP_X_HTTP_METHOD_OVERRIDE headder in the API --- pub/api/classes/API.php | 23 +++++++++++++++++------ 1 file changed, 17 insertions(+), 6 deletions(-) diff --git a/pub/api/classes/API.php b/pub/api/classes/API.php index b145c53..703c2fd 100644 --- a/pub/api/classes/API.php +++ b/pub/api/classes/API.php @@ -474,21 +474,32 @@ class API $allowedMethods = ['GET', 'POST', 'PUT', 'DELETE']; $method = $_SERVER['REQUEST_METHOD'] ?? ''; - if (!in_array($method, $allowedMethods)) { - return false; + # The HTTP_X_HTTP_METHOD_OVERRIDE header is allowed for API requests because + # some web servers do not support PUT or DELETE methods by default. + # This override is only applied when the request method is POST and the header is present. + $override = $_SERVER['HTTP_X_HTTP_METHOD_OVERRIDE'] ?? null; + if ($method === 'POST' && is_string($override)) { + $override = strtoupper($override); + + if (in_array($override, $allowedMethods, true)) { + $method = $override; + } } # Since browser doesnt allow DELETE or PUTs from the frontend forms (apart from some javascript/ajax fuckery) # we need to check the _method POST value. if ($this->user_type === 'frontend' && $method === 'POST' && isset($_POST['_method'])) { - $overrideMethod = strtoupper($_POST['_method']); + $override = strtoupper($_POST['_method']); - if (in_array($overrideMethod, ['PUT', 'DELETE'])) { - $this->request_method = $overrideMethod; - return true; + if (in_array($override, $allowedMethods, true)) { + $method = $override; } } + if (!in_array($method, $allowedMethods, true)) { + return false; + } + $this->request_method = $method; return true; }