added support for the HTTP_X_HTTP_METHOD_OVERRIDE headder in the API

This commit is contained in:
2026-05-31 00:29:46 +02:00
parent d00108db3c
commit a60ebadd60

View File

@@ -474,21 +474,32 @@ class API
$allowedMethods = ['GET', 'POST', 'PUT', 'DELETE']; $allowedMethods = ['GET', 'POST', 'PUT', 'DELETE'];
$method = $_SERVER['REQUEST_METHOD'] ?? ''; $method = $_SERVER['REQUEST_METHOD'] ?? '';
if (!in_array($method, $allowedMethods)) { # The HTTP_X_HTTP_METHOD_OVERRIDE header is allowed for API requests because
return false; # some web servers do not support PUT or DELETE methods by default.
# This override is only applied when the request method is POST and the header is present.
$override = $_SERVER['HTTP_X_HTTP_METHOD_OVERRIDE'] ?? null;
if ($method === 'POST' && is_string($override)) {
$override = strtoupper($override);
if (in_array($override, $allowedMethods, true)) {
$method = $override;
}
} }
# Since browser doesnt allow DELETE or PUTs from the frontend forms (apart from some javascript/ajax fuckery) # Since browser doesnt allow DELETE or PUTs from the frontend forms (apart from some javascript/ajax fuckery)
# we need to check the _method POST value. # we need to check the _method POST value.
if ($this->user_type === 'frontend' && $method === 'POST' && isset($_POST['_method'])) { if ($this->user_type === 'frontend' && $method === 'POST' && isset($_POST['_method'])) {
$overrideMethod = strtoupper($_POST['_method']); $override = strtoupper($_POST['_method']);
if (in_array($overrideMethod, ['PUT', 'DELETE'])) { if (in_array($override, $allowedMethods, true)) {
$this->request_method = $overrideMethod; $method = $override;
return true;
} }
} }
if (!in_array($method, $allowedMethods, true)) {
return false;
}
$this->request_method = $method; $this->request_method = $method;
return true; return true;
} }