sergiotarxz
/
Wordpress
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

OPTIONS requests to REST API should return Allow header. 

An OPTIONS request was incorrectly returning an "Accept" header which
was a typo of "Allow". This meant Accept was showing "GET, POST" for example,
however it was also not running the permission checks on the endpoints.

Instead, the correct route needs to be set on the request object, which means
the normal handling for the Allow header will kick in. This technically
breaks backwards compatibility, however given the value of Accept was also wrong
then this should not be an issue.

Fixes #35975.


git-svn-id: https://develop.svn.wordpress.org/trunk@36829 602fd350-edb4-49c9-b593-d223f7449a82
This commit is contained in:
Joe Hoyle 2016-03-03 09:54:32 +00:00
parent 1178047725
commit b38ea44e9a
2 changed files with 24 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

3
src/wp-includes/rest-api.php
View File

@ -431,10 +431,9 @@ function rest_handle_options_request( $response, $handler, $request ) {
} }
$data = $handler->get_data_for_route( $route, $endpoints, 'help' ); $data = $handler->get_data_for_route( $route, $endpoints, 'help' );
$accept = array_merge( $accept, $data['methods'] ); $response->set_matched_route( $route );
break; break;
} }
$response->header( 'Accept', implode( ', ', $accept ) );
$response->set_data( $data ); $response->set_data( $data );
return $response; return $response;

23
tests/phpunit/tests/rest-api/rest-server.php
View File

@ -285,6 +285,29 @@ class Tests_REST_Server extends WP_Test_REST_TestCase {
$this->assertEquals( $sent_headers['Allow'], 'POST' ); $this->assertEquals( $sent_headers['Allow'], 'POST' );
} }
public function test_allow_header_sent_on_options_request() {
register_rest_route( 'test-ns', '/test', array(
array(
'methods' => array( 'GET' ),
'callback' => '__return_null',
),
array(
'methods' => array( 'POST' ),
'callback' => '__return_null',
'permission_callback' => '__return_null',
),
) );
$request = new WP_REST_Request( 'OPTIONS', '/test-ns/test' );
$response = $this->server->dispatch( $request );
$result = apply_filters( 'rest_post_dispatch', rest_ensure_response( $response ), $this->server, $request );
$headers = $result->get_headers();
$this->assertEquals( 'GET', $headers['Allow'] );
}
public function permission_denied() { public function permission_denied() {
return new WP_Error( 'forbidden', 'You are not allowed to do this', array( 'status' => 403 ) ); return new WP_Error( 'forbidden', 'You are not allowed to do this', array( 'status' => 403 ) );
} }