From ec82b2add0fb9f42d092918c211ef7c188d30b10 Mon Sep 17 00:00:00 2001 From: Meteo Date: Sat, 13 Jun 2026 14:27:10 +0200 Subject: [PATCH] Change all the forms from _method to X-HTTP-Method-Override fix --- pub/api/classes/API.php | 16 +++++++++++----- 1 file changed, 11 insertions(+), 5 deletions(-) diff --git a/pub/api/classes/API.php b/pub/api/classes/API.php index b78b09a..e8e8387 100644 --- a/pub/api/classes/API.php +++ b/pub/api/classes/API.php @@ -474,14 +474,20 @@ class API $allowedMethods = ['GET', 'POST', 'PUT', 'DELETE']; $method = $_SERVER['REQUEST_METHOD'] ?? ''; - # The HTTP_X_HTTP_METHOD_OVERRIDE header is allowed for API requests because + # The X-HTTP-Method-Override header is allowed for API requests because # some web servers do not support PUT or DELETE methods by default. # This override is only applied when the request method is POST and the header is present. - if ($method === 'POST' && isset($_POST['X-HTTP-Method-Override'])) { - $override = strtoupper($_POST['X-HTTP-Method-Override']); + if ($method === 'POST') { + # $_SERVER['HTTP_X_HTTP_METHOD_OVERRIDE'] is from API calls + # $_POST['X-HTTP-Method-Override'] if from API calls from the frontend. + $override = $_SERVER['HTTP_X_HTTP_METHOD_OVERRIDE'] ?? $_POST['X-HTTP-Method-Override'] ?? null; - if (in_array($override, $allowedMethods, true)) { - $method = $override; + if (is_string($override)) { + $override = strtoupper($override); + + if (in_array($override, $allowedMethods, true)) { + $method = $override; + } } }