OPTIONS requests to REST API should return Allow header.

An OPTIONS request was incorrectly returning an "Accept" header which was a typo of "Allow". This meant Accept was showing "GET, POST" for example, however it was also not running the permission checks on the endpoints. Instead, the correct route needs to be set on the request object, which means the normal handling for the Allow header will kick in. This technically breaks backwards compatibility, however given the value of Accept was also wrong then this should not be an issue. Fixes #35975. git-svn-id: https://develop.svn.wordpress.org/trunk@36829 602fd350-edb4-49c9-b593-d223f7449a82
2016-03-03 09:54:32 +00:00 · 2016-03-03 09:54:32 +00:00 · b38ea44e9a
parent 1178047725
commit b38ea44e9a
2 changed files with 24 additions and 2 deletions
--- a/src/wp-includes/rest-api.php
+++ b/src/wp-includes/rest-api.php
@ -431,10 +431,9 @@ function rest_handle_options_request( $response, $handler, $request ) {
 		}

 		$data = $handler->get_data_for_route( $route, $endpoints, 'help' );
-		$accept = array_merge( $accept, $data['methods'] );
+		$response->set_matched_route( $route );
 		break;
 	}
-	$response->header( 'Accept', implode( ', ', $accept ) );

 	$response->set_data( $data );
 	return $response;
--- a/tests/phpunit/tests/rest-api/rest-server.php
+++ b/tests/phpunit/tests/rest-api/rest-server.php
@ -285,6 +285,29 @@ class Tests_REST_Server extends WP_Test_REST_TestCase {
 		$this->assertEquals( $sent_headers['Allow'], 'POST' );
 	}

+	public function test_allow_header_sent_on_options_request() {
+		register_rest_route( 'test-ns', '/test', array(
+			array(
+				'methods'  => array( 'GET' ),
+				'callback' => '__return_null',
+			),
+			array(
+				'methods'  => array( 'POST' ),
+				'callback' => '__return_null',
+				'permission_callback' => '__return_null',
+			),
+		) );
+
+		$request = new WP_REST_Request( 'OPTIONS', '/test-ns/test' );
+		$response = $this->server->dispatch( $request );
+
+		$result = apply_filters( 'rest_post_dispatch', rest_ensure_response( $response ), $this->server, $request );
+
+		$headers = $result->get_headers();
+
+		$this->assertEquals( 'GET', $headers['Allow'] );
+	}
+
 	public function permission_denied() {
 		return new WP_Error( 'forbidden', 'You are not allowed to do this', array( 'status' => 403 ) );
 	}