diff --git a/pub/api/classes/API.php b/pub/api/classes/API.php index b78b09a..e8e8387 100644 --- a/pub/api/classes/API.php +++ b/pub/api/classes/API.php @@ -474,14 +474,20 @@ class API $allowedMethods = ['GET', 'POST', 'PUT', 'DELETE']; $method = $_SERVER['REQUEST_METHOD'] ?? ''; - # The HTTP_X_HTTP_METHOD_OVERRIDE header is allowed for API requests because + # The X-HTTP-Method-Override header is allowed for API requests because # some web servers do not support PUT or DELETE methods by default. # This override is only applied when the request method is POST and the header is present. - if ($method === 'POST' && isset($_POST['X-HTTP-Method-Override'])) { - $override = strtoupper($_POST['X-HTTP-Method-Override']); + if ($method === 'POST') { + # $_SERVER['HTTP_X_HTTP_METHOD_OVERRIDE'] is from API calls + # $_POST['X-HTTP-Method-Override'] if from API calls from the frontend. + $override = $_SERVER['HTTP_X_HTTP_METHOD_OVERRIDE'] ?? $_POST['X-HTTP-Method-Override'] ?? null; - if (in_array($override, $allowedMethods, true)) { - $method = $override; + if (is_string($override)) { + $override = strtoupper($override); + + if (in_array($override, $allowedMethods, true)) { + $method = $override; + } } }