Wordpress REST API custom post type DELETE access forbidden

3
votes

I have the following problem in Wordpress.

I created a new custom post type called "coursenote". I'm using the REST API for Ajax calls (using jQuery). Creating new posts and updating posts is working fine, but deleting doesn't work.

My custom post type definition:

register_post_type( 'coursenote',
    [
        'labels'       => [
            'name'          => __( 'User notes' ),
            'singular_name' => __( 'User note' ),
        ],
        'public'       => false,
        'show_in_menu' => true,
        'show_ui' => true,
        'show_in_rest' => true,
        'rest_base'    => 'usernote',
        'has_archive'  => false,
        'supports'     => array(
            'page-attributes',
            'title',
            'editor',
            'author',
        ),
    ]
);

The REST URL for the custom post type is "http://.../usernote". I can read, post and update, but I can't delete a post. Deleting should work via DELETE method on http://.../usernote/[id]/ (see Wordpress documentation), but I get a 403 forbidden message.

That's the jQuery Ajax code:

ajaxRequestUserNotes = jQuery.ajax({
    method: 'DELETE',
    url: "http://.../usernote/" + id + '?force=true',
    beforeSend: function (xhr) {
        xhr.setRequestHeader('X-WP-Nonce', nonce);
    },
    success: function (result) {
        console.log(result);
    }
});

As you can see, the authentication header is also set (like this it's working on new posts and updating posts).

What am I missing here?

1
phpjqueryajaxwordpressrest
That is about database user permission... - Louys Patrice Bessette
@LouysPatriceBessette This has nothing to do with database user permissions. It's about Wordpress user permissions - Felix G.

1 Answers

1
votes

I found the problem. It was a misconfigured Apache server.

The error.log showed the following error:

[authz_core:error] [pid 13102] [client ::1:44796] AH01630: client denied by server configuration:

So, I checked the server configuration and found the following block in the Apache config:

<Limit GET POST OPTIONS>
        Require all granted
</Limit>
<LimitExcept GET POST OPTIONS>
        Require all denied
</LimitExcept>

As you can see, "DELETE" is missing. You need to add it like this:

<Limit GET POST OPTIONS DELETE>
        Require all granted
</Limit>
<LimitExcept GET POST OPTIONS DELETE>
        Require all denied
</LimitExcept>

I hope this helps other people.