Change all the forms from _method to X-HTTP-Method-Override fix
This commit is contained in:
@@ -474,14 +474,20 @@ class API
|
||||
$allowedMethods = ['GET', 'POST', 'PUT', 'DELETE'];
|
||||
$method = $_SERVER['REQUEST_METHOD'] ?? '';
|
||||
|
||||
# The HTTP_X_HTTP_METHOD_OVERRIDE header is allowed for API requests because
|
||||
# The X-HTTP-Method-Override header is allowed for API requests because
|
||||
# some web servers do not support PUT or DELETE methods by default.
|
||||
# This override is only applied when the request method is POST and the header is present.
|
||||
if ($method === 'POST' && isset($_POST['X-HTTP-Method-Override'])) {
|
||||
$override = strtoupper($_POST['X-HTTP-Method-Override']);
|
||||
if ($method === 'POST') {
|
||||
# $_SERVER['HTTP_X_HTTP_METHOD_OVERRIDE'] is from API calls
|
||||
# $_POST['X-HTTP-Method-Override'] if from API calls from the frontend.
|
||||
$override = $_SERVER['HTTP_X_HTTP_METHOD_OVERRIDE'] ?? $_POST['X-HTTP-Method-Override'] ?? null;
|
||||
|
||||
if (in_array($override, $allowedMethods, true)) {
|
||||
$method = $override;
|
||||
if (is_string($override)) {
|
||||
$override = strtoupper($override);
|
||||
|
||||
if (in_array($override, $allowedMethods, true)) {
|
||||
$method = $override;
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
|
||||
Reference in New Issue
Block a user