_method=DELETE – 403 Forbidden
-
When deleting an appointment, the admin-ajax.php request URI has the &_method=DELETE parameter (from Backbone???). This is triggering a 403 forbidden on some web-hosts I’ve tested this with.
ALL of the other ajax endpoints work fine and return a 200 ok. I can delete workers, locations, and services just fine. Only the deleting of Appointments seems to cause the 403.
After inspecting the HTTP requests for differences (see below), I’m thinking (mostly a guess at this point) the &_method=DELETE GET parameter is showing up as suspicious in the security configuration of the web server which I cannot control or modify.
I’m not sure if you can make appointments delete in a similar way to the other objects that are deleting fine, but if so – that would be helpful.
Working:
Request URL:https://site.com/wp-admin/admin-ajax.php?action=ea_location&id=3 Request Method:DELETE Status Code:200 OK REQUEST HEADERS: Accept:application/json, text/javascript, */*; q=0.01 Accept-Encoding:gzip, deflate, sdch Accept-Language:en-US,en;q=0.8 Connection:keep-alive Cookie:(REMOVED FOR SECURITY) Host:site.com Origin:https://site.com Referer:https://site.com/wp-admin/admin.php?page=easy_app_settings User-Agent:Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/58.0.3029.110 Safari/537.36 X-Requested-With:XMLHttpRequestNOT Working:
Request URL:https://site.com/wp-admin/admin-ajax.php?action=ea_appointment&id=374&_method=DELETE Request Method:POST Status Code:403 Forbidden REQUEST HEADERS: Accept:application/json, text/javascript, */*; q=0.01 Accept-Encoding:gzip, deflate Accept-Language:en-US,en;q=0.8 Connection:keep-alive Content-Length:0 Cookie:(REMOVED FOR SECURITY) Host:site.com Origin:https://site.com Referer:https://site.com/wp-admin/admin.php?page=easy_app_top_level User-Agent:Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/58.0.3029.110 Safari/537.36 X-Requested-With:XMLHttpRequestI have verified that the file permissions and user:group ownership are correct as well.
Oddly enough visiting https://site.com/wp-admin/admin-ajax.php?action=ea_appointment&id=374&_method=DELETE directly in my browser (GET) works fine and the appointment is deleted okay as long as I’m logged in. So maybe you could change this ajax call to use GET instead of POST?
I’m not familiar enough with Backbone to even know where/how to make some changes and test the outcome. But if you could give me some pointers, I’d be happy to try them for you to see if the result is any different. It looks like settings.prod.js is where most of the ajax stuff for the admin is handled…but again I’m not sure what to modify.
-
Update: I was able to get this working by removing the
|| args.type === 'DELETE'from the settings.prod.js file (Backbone.ajax):if(args.type === 'PUT') { change.type = 'POST'; change.url = args.url + '&_method=' + args.type; }Working Request:
Request URL:https://site.com/wp-admin/admin-ajax.php?action=ea_appointment&id=377 Request Method:DELETE Status Code:200 OK REQUEST HEADERS: Accept:application/json, text/javascript, */*; q=0.01 Accept-Encoding:gzip, deflate, sdch Accept-Language:en-US,en;q=0.8 Connection:keep-alive Cookie:(REMOVED FOR SECURITY) Host:site.com Origin:https://site.com Referer:https://site.com/wp-admin/admin.php?page=easy_app_top_level User-Agent:Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/58.0.3029.110 Safari/537.36 X-Requested-With:XMLHttpRequest
- The topic ‘_method=DELETE – 403 Forbidden’ is closed to new replies.
