[MAGNOLIA-8168] OPTIONS requests should not require write permissions Created: 25/Aug/21  Updated: 26/Aug/21

Status: Selected
Project: Magnolia
Component/s: None
Affects Version/s: None
Fix Version/s: None

Type: Bug Priority: Neutral
Reporter: Canh Nguyen Assignee: Unassigned
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Attachments: PNG File image-2021-08-25-15-11-38-800.png    
Template:
Acceptance criteria:
Empty
Task DoD:
[ ]* Doc/release notes changes? Comment present?
[ ]* Downstream builds green?
[ ]* Solution information and context easily available?
[ ]* Tests
[ ]* FixVersion filled and not yet released
[ ]  Architecture Decision Record (ADR)
Bug DoR:
[ ]* Steps to reproduce, expected, and actual results filled
[ ]* Affected version filled

 Description   

Steps to reproduce

  1.  Setup an SPA project that call REST endpoints with custom headers
  2.  The browser will send an OPTIONS request before the main request to ask if the server accept custom headers that the request will send.
  3. The OPTIONS request is failed with HTTP 401

Expected results

The OPTIONS request and the main request should be successful.

Actual results

The OPTIONS request and the main request are failed

Workaround

Set rest-anonymous GET&POST permission on /.rest/delivery/*

Development notes

See isAuthorized method in SiteUriSecurityFilter and URISecurityFilter.


Generated at Mon Feb 12 04:30:15 CET 2024 using Jira 9.4.2#940002-sha1:46d1a51de284217efdcb32434eab47a99af2938b.