PUT on the browsable API renderer actually performs POST #138

andreareina · 2021-09-11T03:35:51Z

Given a route that accepts PUT and GET but not POST, the browsable API renderer performs a POST despite the button very clearly showing PUT.

from flask_api import FlaskAPI

app = FlaskAPI(__name__)

@app.route("/", methods=["PUT", "GET"])
def index():
    return {}

if __name__ == "__main__":
    app.run(debug=True)

requirements.txt

auvipy · 2021-09-11T06:51:13Z

ops

papiveron · 2021-11-01T17:45:58Z

I've got the same issue and treated browser POST method as PUT in my API code.

But the same behaviour appears with DELETE.
The browsable API renderer performs a POST despite the button very clearly showing DELETE.

I'dont if it's the UI which maps DELETE button method on POST method, or if it's at the browser side.

I'm still looking for how to identify and solve the issue.

Eugène NG

papiveron · 2021-11-01T20:09:42Z

I edited the library code and move the form method there from POST to DELETE thinking it could solve the problem this way :

104         {% if 'DELETE' in allowed_methods %}
105             <form class="button-form" action="{{ request.url }}" method="DELETE" class="pull-right">
106                 <!-- csrf_token -->
107                 <input type="hidden" name="_method" value="DELETE" />
108                 <button class="btn btn-danger js-tooltip" title="Make a DELETE request on the resource">DELETE</button>
109             </form>
110         {% endif %}

But not, the browser is now sending a GET request with the query string _method=DELETE, instead of DELETE request/method.

Still checking

papiveron · 2021-11-02T15:20:13Z

I searched and figured out that it's just because we can't sent DELETE or PUT request in a HTML form.

So the good thing will be to replace this html code block with javascript jquery/ajax code :

104         {% if 'DELETE' in allowed_methods %}
105             <form class="button-form" action="$delte"  method="POST" class="pull-right">
106                 <!-- csrf_token -->
107                 <input type="hidden" name="_method" value="DELETE" />
108                 <button class="btn btn-danger js-tooltip" title="Make a DELETE request on the resource">DELETE</button>
109             </form>
110         {% endif %}

How to achieve that please?

papiveron · 2021-11-02T16:33:15Z

I abandoned the effort of making the browser sending DELETE requests, and dealed with form hiden inputs, keeping POST as the form's method

104         {% if 'DELETE' in allowed_methods %}
105             <form class="button-form" action="{{ request.url }}" method="POST" class="pull-right">
106                 <!-- csrf_token -->
107                 <input type="hidden" name="_method" value="DELETE" />
108                 <button class="btn btn-danger js-tooltip" title="Make a DELETE request on the resource">DELETE</button>
109             </form>
110         {% endif %}

We can do the same thing for PUT

Forme the issue should be closed we identified the problem and have workarounds

Nadav-Ruskin · 2022-07-05T13:16:23Z

This is still a problem.

auvipy · 2022-07-06T05:15:10Z

a fix need to be applied

jacebrowning added bug help wanted labels Nov 1, 2021

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

PUT on the browsable API renderer actually performs POST #138

PUT on the browsable API renderer actually performs POST #138

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

PUT on the browsable API renderer actually performs POST #138

PUT on the browsable API renderer actually performs POST #138

Comments

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!