From b38ea44e9ad6564713398d902fd383232f72fa2d Mon Sep 17 00:00:00 2001
From: Joe Hoyle
Date: Thu, 3 Mar 2016 09:54:32 +0000
Subject: [PATCH] OPTIONS requests to REST API should return Allow header.

An OPTIONS request was incorrectly returning an "Accept" header which was a typo of "Allow". This meant Accept was showing "GET, POST" for example, however it was also not running the permission checks on the endpoints. Instead, the correct route needs to be set on the request object, which means the normal handling for the Allow header will kick in. This technically breaks backwards compatibility, however given the value of Accept was also wrong then this should not be an issue. Fixes #35975.

git-svn-id: https://develop.svn.wordpress.org/trunk@36829 602fd350-edb4-49c9-b593-d223f7449a82
---
 src/wp-includes/rest-api.php | 3 +--
 tests/phpunit/tests/rest-api/rest-server.php | 23 ++++++++++++++++++++
 2 files changed, 24 insertions(+), 2 deletions(-)

diff --git a/src/wp-includes/rest-api.php b/src/wp-includes/rest-api.php
index d4c0acac3b..3a5fc1ad95 100644
--- a/src/wp-includes/rest-api.php
+++ b/src/wp-includes/rest-api.php
@@ -431,10 +431,9 @@ function rest_handle_options_request( $response, $handler, $request ) {
 		}
 
 		$data = $handler->get_data_for_route( $route, $endpoints, 'help' );
-		$accept = array_merge( $accept, $data['methods'] );
+		$response->set_matched_route( $route );
 		break;
 	}
 
-	$response->header( 'Accept', implode( ', ', $accept ) );
 	$response->set_data( $data );
 	return $response;
diff --git a/tests/phpunit/tests/rest-api/rest-server.php b/tests/phpunit/tests/rest-api/rest-server.php
index 7d5cf68041..3c2c930075 100644
--- a/tests/phpunit/tests/rest-api/rest-server.php
+++ b/tests/phpunit/tests/rest-api/rest-server.php
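Review bot: With both the `array_merge` and the `header( 'Accept', … )` line removed, the `$accept` accumulator is no longer consumed anywhere in this hunk, so its initialisation earlier in `rest_handle_options_request` (outside the hunk, assuming it is still there) is now dead and should be dropped with it. The bare `$response->set_matched_route( $route );` does not explain why the hand-built header disappeared; a comment on that line such as `// Record the matched route so the regular Allow-header handling runs and applies each endpoint's permission check.` would stop a future reader from re-adding a method list that bypasses permission callbacks. The commit message says the route is set "on the request object", while the code sets it on the response; the two should agree. The function begins before this hunk.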
@@ -285,6 +285,29 @@ class Tests_REST_Server extends WP_Test_REST_TestCase {
 		$this->assertEquals( $sent_headers['Allow'], 'POST' );
 	}
 
+	public function test_allow_header_sent_on_options_request() {
+		register_rest_route( 'test-ns', '/test', array(
+			array(
+				'methods' => array( 'GET' ),
+				'callback' => '__return_null',
+			),
+			array(
+				'methods' => array( 'POST' ),
+				'callback' => '__return_null',
+				'permission_callback' => '__return_null',
+			),
+		) );
+
+		$request = new WP_REST_Request( 'OPTIONS', '/test-ns/test' );
+		$response = $this->server->dispatch( $request );
+
+		$result = apply_filters( 'rest_post_dispatch', rest_ensure_response( $response ), $this->server, $request );
+
+		$headers = $result->get_headers();
+
+		$this->assertEquals( 'GET', $headers['Allow'] );
+	}
+
 	public function permission_denied() {
 		return new WP_Error( 'forbidden', 'You are not allowed to do this', array( 'status' => 403 ) );
 	}
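Review bot: The POST endpoint's `'permission_callback' => '__return_null'` relies on a null return being treated as a failed permission check, which is the only reason the expected Allow value is `GET`; that intent is clearer, and the WP_Error path is exercised too, by using the helper defined directly below the new method: `'permission_callback' => array( $this, 'permission_denied' ),`. Since the commit deliberately removes the old header, the test should also pin that removal with `$this->assertArrayNotHasKey( 'Accept', $headers );` after the Allow assertion, so a regression that reintroduces the unchecked method list is caught. If the file uses the `@ticket` docblock annotation on other regression tests, a `/** @ticket 35975 */` docblock on the new method would follow that convention.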