
Changeset 36829


Timestamp:
03/03/2016 09:54:32 AM (9 years ago)
Author:
joehoyle
Message:

OPTIONS requests to REST API should return Allow header.

An OPTIONS request was incorrectly returning an "Accept" header which
was a typo of "Allow". This meant Accept was showing "GET, POST" for example,
however it was also not running the permission checks on the endpoints.

Instead, the correct route needs to be set on the request object, which means
the normal handling for the Allow header will kick in. This technically
breaks backwards compatibility, however given the value of Accept was also wrong
then this should not be an issue.

Fixes #35975.

Location:
trunk
Files:
2 edited

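--- a/trunk/src/wp-includes/rest-api.php
+++ b/trunk/src/wp-includes/rest-api.php
@@ -432,8 +432,7 @@
 
         $data = $handler->get_data_for_route( $route, $endpoints, 'help' );
-        $accept = array_merge( $accept, $data['methods'] );
+        $response->set_matched_route( $route );
         break;
     }
-    $response->header( 'Accept', implode( ', ', $accept ) );
 
     $response->set_data( $data );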
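Review bot: After this change the OPTIONS body and the Allow header can disagree, and nothing at the `set_matched_route()` call says so. `$response->set_data( $data )` still sends the help data from `get_data_for_route()`, which the removed line shows carries a `methods` list, while per the commit message the Allow header is now built later with the endpoints' permission checks applied. A comment above the new call would keep a maintainer from treating the header as the only place methods are disclosed, for example `// Allow is added later from the matched route and reflects permission checks; the help data set below is presumably not filtered by them.` The code that builds the header and the start of the enclosing function are outside this section, so that behaviour is inferred and should be confirmed there; if `$accept` is still initialised above the hunk it is now unused.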
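--- a/trunk/tests/phpunit/tests/rest-api/rest-server.php
+++ b/trunk/tests/phpunit/tests/rest-api/rest-server.php
@@ -286,4 +286,27 @@
     }
 
+    public function test_allow_header_sent_on_options_request() {
+        register_rest_route( 'test-ns', '/test', array(
+            array(
+                'methods'  => array( 'GET' ),
+                'callback' => '__return_null',
+            ),
+            array(
+                'methods'  => array( 'POST' ),
+                'callback' => '__return_null',
+                'permission_callback' => '__return_null',
+            ),
+        ) );
+
+        $request = new WP_REST_Request( 'OPTIONS', '/test-ns/test' );
+        $response = $this->server->dispatch( $request );
+
+        $result = apply_filters( 'rest_post_dispatch', rest_ensure_response( $response ), $this->server, $request );
+
+        $headers = $result->get_headers();
+
+        $this->assertEquals( 'GET', $headers['Allow'] );
+    }
+
     public function permission_denied() {
         return new WP_Error( 'forbidden', 'You are not allowed to do this', array( 'status' => 403 ) );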
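Review bot: The new test pins only a permission callback that returns null, so the usual denial form, a `WP_Error`, is not covered even though `permission_denied()` directly below returns one. A `WP_Error` object is truthy in PHP, so a header builder that merely tests the callback result for truthiness would list that method in Allow; the builder is not part of this changeset, so whether it does is not visible here. I would register a third endpoint (for instance `DELETE`) with `'permission_callback' => array( $this, 'permission_denied' )` and keep the expected value at `'GET'`. Since the commit removes the mistaken header, `$this->assertArrayNotHasKey( 'Accept', $headers );` would also pin that it is no longer sent, and `assertSame` is the stricter comparison for the string check.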