[wp-trac] [WordPress Trac] #53223: REST API: Allow header does not contain DELETE for OPTIONS requests

WordPress Trac noreply at wordpress.org
Tue May 18 12:25:05 UTC 2021


#53223: REST API: Allow header does not contain DELETE for OPTIONS requests
--------------------------+------------------------------
 Reporter:  talldanwp     |       Owner:  (none)
     Type:  defect (bug)  |      Status:  new
 Priority:  normal        |   Milestone:  Awaiting Review
Component:  REST API      |     Version:
 Severity:  normal        |  Resolution:
 Keywords:                |     Focuses:
--------------------------+------------------------------
Description changed by SergeyBiryukov:

Old description:

> Similar to https://core.trac.wordpress.org/ticket/45753.
>
> A Gutenberg issue (https://github.com/WordPress/gutenberg/issues/31918)
> flagged that OPTIONS requests don't seem to return DELETE in the allow
> header.
>
> The presence of PUT might also need to be tested if there are endpoints
> that support that verb.
>
> To reproduce:
> 1. Log in as an admin user
> 2. Open the post editor
> 3. In the console run `wp.data.select( 'core' ).canUser( 'delete', 'posts' );`
> 4. Switch to the browser dev tools network tab and check the options
> request that was just made.
> 5. Observe that the allow header does not contain DELETE, even though the
> user can delete posts.
>
> Other types of requests to the same endpoint (e.g. `GET`) return a
> different allow header with the `DELETE` verb present.

New description:

 Similar to #45753.

 A Gutenberg issue (https://github.com/WordPress/gutenberg/issues/31918)
 flagged that OPTIONS requests don't seem to return DELETE in the allow
 header.

 The presence of PUT might also need to be tested if there are endpoints
 that support that verb.

 To reproduce:
 1. Log in as an admin user
 2. Open the post editor
 3. In the console run `wp.data.select( 'core' ).canUser( 'delete', 'posts' );`
 4. Switch to the browser dev tools network tab and check the options
 request that was just made.
 5. Observe that the allow header does not contain DELETE, even though the
 user can delete posts.

 Other types of requests to the same endpoint (e.g. `GET`) return a
 different allow header with the `DELETE` verb present.

-- 
Ticket URL: <https://core.trac.wordpress.org/ticket/53223#comment:2>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
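
Added example, not part of the ticket or of WordPress/Gutenberg code: a small check that compares the Allow header of an OPTIONS response with the one returned for GET on the same route, which is the discrepancy the reproduction steps look for by hand. The sample header values are constructed to mirror the report, the action-to-verb map is an assumption about how a client-side check reads the header, and `fetchImpl`, `url` and `headers` are caller-supplied.

```javascript
// Constructed sample values mirroring the report (not captured from a real site).
const SAMPLE_OPTIONS_ALLOW = 'GET, POST';
const SAMPLE_GET_ALLOW = 'GET, POST, DELETE';

// Parse an Allow header value ("GET, POST, DELETE") into a set of upper-case verbs.
function parseAllow(headerValue) {
  const verbs = new Set();
  for (const part of (headerValue || '').split(',')) {
    const verb = part.trim().toUpperCase();
    if (verb) verbs.add(verb);
  }
  return verbs;
}

// Verbs advertised on the GET response but absent from the OPTIONS response.
function missingFromOptions(optionsAllow, getAllow) {
  const inOptions = parseAllow(optionsAllow);
  return [...parseAllow(getAllow)].filter((v) => !inOptions.has(v)).sort();
}

// What a client that trusts only the Allow header would conclude.
// Assumption: actions map to verbs as create/POST, read/GET, update/PUT, delete/DELETE.
function allowsAction(allowHeader, action) {
  const verbFor = { create: 'POST', read: 'GET', update: 'PUT', delete: 'DELETE' };
  return parseAllow(allowHeader).has(verbFor[action]);
}

// Fetch both responses for one route and report the difference.
// fetchImpl is any fetch-compatible function; headers carries whatever
// authentication the session needs (for example a REST nonce).
async function compareAllow(fetchImpl, url, headers = {}) {
  const [opt, get] = await Promise.all([
    fetchImpl(url, { method: 'OPTIONS', headers, credentials: 'include' }),
    fetchImpl(url, { method: 'GET', headers, credentials: 'include' }),
  ]);
  const optionsAllow = opt.headers.get('allow');
  const getAllow = get.headers.get('allow');
  return {
    optionsAllow,
    getAllow,
    missing: missingFromOptions(optionsAllow, getAllow),
    clientThinksDeleteAllowed: allowsAction(optionsAllow, 'delete'),
  };
}
```

A non-empty `missing` list means the two responses disagree, so any UI decision derived from the OPTIONS response will not match what the server would actually permit; the server-side capability check remains the authority either way.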