Opened 4 years ago
Closed 4 years ago
#53223 closed defect (bug) (invalid)
REST API: Allow header does not contain DELETE for OPTIONS requests
Reported by: | talldanwp | Owned by: | |
---|---|---|---|
Milestone: | Priority: | normal | |
Severity: | normal | Version: | |
Component: | REST API | Keywords: | |
Focuses: | Cc: |
Description (last modified by )
Similar to #45753.
A Gutenberg issue (https://github.com/WordPress/gutenberg/issues/31918) flagged that OPTIONS requests don't seem to return DELETE in the allow header.
The presence of PUT might also need to be tested if there are endpoints that support that verb.
To reproduce:
- Login as an admin user
- Open the post editor
- In the console run
wp.data.select( 'core' ).canUser( 'delete', 'posts' );
- Switch to the browser dev tools network tab and check the options request that was just made.
- Observe that the allow header does not contain DELETE, even though the user can delete posts.
Other types of requests to the same endpoint (e.g. GET
) return a different allow header with the DELETE
verb present.
Change History (3)
Note: See
TracTickets for help on using
tickets.
There is no
DELETE
endpoint for/wp/v2/posts
, you can only delete a single post. And the delete post capability checks require that post id to be accurate. Making anOPTIONS
request to for instance/wp/v2/posts/1
does include theDELETE
method in the allow header.