WordPress.org

Make WordPress Core

Opened 3 months ago

Closed 3 months ago

#53223 closed defect (bug) (invalid)

REST API: Allow header does not contain DELETE for OPTIONS requests

Reported by: talldanwp
Owned by:
Milestone:
Priority: normal
Severity: normal
Version:
Component: REST API
Keywords:
Focuses:
Cc:

Description (last modified by SergeyBiryukov)

Similar to #45753.

A Gutenberg issue (https://github.com/WordPress/gutenberg/issues/31918) flagged that OPTIONS requests don't seem to return DELETE in the allow header.

The presence of PUT might also need to be tested if there are endpoints that support that verb.

To reproduce:

  1. Log in as an admin user
  2. Open the post editor
  3. In the console run wp.data.select( 'core' ).canUser( 'delete', 'posts' );
  4. Switch to the browser dev tools network tab and check the OPTIONS request that was just made.
  5. Observe that the allow header does not contain DELETE, even though the user can delete posts.

Other types of requests to the same endpoint (e.g. GET) return a different allow header with the DELETE verb present.

Change History (3)

#1 @talldanwp
3 months ago

  • Description modified (diff)

#2 @SergeyBiryukov
3 months ago

  • Description modified (diff)

#3 @TimothyBlynJacobs
3 months ago

  • Milestone Awaiting Review deleted
  • Resolution set to invalid
  • Status changed from new to closed

There is no DELETE endpoint for /wp/v2/posts; you can only delete a single post. And the delete post capability checks require that post id to be accurate. Making an OPTIONS request to, for instance, /wp/v2/posts/1 does include the DELETE method in the allow header.
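
The collection-versus-item distinction described in the comment above, as an added example that is not part of the ticket and is not WordPress or Gutenberg code. The function names, the action-to-verb mapping and the sample Allow values are constructed assumptions for illustration.

```javascript
// Assumed mapping from permission-check actions to HTTP verbs (illustrative).
const ACTION_TO_METHOD = { create: 'POST', read: 'GET', update: 'PUT', delete: 'DELETE' };

// Route an OPTIONS request would target: the collection, or a single item when an id is given.
function resourcePath(resource, id) {
  const base = `/wp/v2/${encodeURIComponent(resource)}`;
  return id === undefined ? base : `${base}/${encodeURIComponent(String(id))}`;
}

// Parse an Allow header into a set of exact, upper-cased method tokens.
function parseAllow(header) {
  return new Set(
    (header || '').split(',').map((m) => m.trim().toUpperCase()).filter(Boolean)
  );
}

// True when the verb for `action` is advertised in the given Allow header.
// The header is a hint for the UI; the server's permission check on the
// real request remains the enforcement point.
function isAdvertised(action, allowHeader) {
  if (!Object.prototype.hasOwnProperty.call(ACTION_TO_METHOD, action)) {
    throw new Error(`unknown action: ${action}`);
  }
  return parseAllow(allowHeader).has(ACTION_TO_METHOD[action]);
}

// Constructed sample Allow headers for an admin user (not captured traffic).
const SAMPLE_ALLOW = {
  '/wp/v2/posts': 'GET, POST',                      // collection route: no DELETE handler
  '/wp/v2/posts/1': 'GET, POST, PUT, PATCH, DELETE' // single-item route
};

// Answer "can the user do X?" from the Allow header of the matching route.
// A route with no sample response is treated as advertising nothing.
function canUserFromAllow(action, resource, id) {
  return isAdvertised(action, SAMPLE_ALLOW[resourcePath(resource, id)]);
}

console.log(canUserFromAllow('delete', 'posts'));    // collection route
console.log(canUserFromAllow('delete', 'posts', 1)); // single post
```
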
