Skip to content

fix: Not execute _route on preflight requests#1564

Open
ArneGudermann wants to merge 2 commits intoviur-framework:mainfrom
ArneGudermann:fix/preflight-route
Open

fix: Not execute _route on preflight requests#1564
ArneGudermann wants to merge 2 commits intoviur-framework:mainfrom
ArneGudermann:fix/preflight-route

Conversation

@ArneGudermann
Copy link
Copy Markdown
Contributor

@ArneGudermann ArneGudermann commented Sep 11, 2025

When you call a list with the x-viur-bonelist header, the browser starts a preflight request. This request is sent without cookies, so if you have an access check in the list filter, the core response is a 401 error, and the browser thinks it cannot send the header.

@ArneGudermann ArneGudermann added this to the ViUR-core v3.8 milestone Sep 11, 2025
@ArneGudermann ArneGudermann added bug(fix) Something isn't working or address a specific issue or vulnerability Priority: High After critical issues are fixed, these should be dealt with before any further issues. labels Sep 11, 2025
@phorward phorward added the viur-meeting Issues to discuss in the next ViUR meeting label Sep 12, 2025
phorward
phorward requested changes Sep 13, 2025
View reviewed changes
Copy link
Copy Markdown
Member

@phorward phorward left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Hello @ArneGudermann,

I think this solution is wrong, because inside of self._route(), there are several more tests on self.method == "options" which won't be accessible anymore by your change.

Please make a deeper determination of the problem, maybe exceptions must be handled differently in pre-flight requests.

@phorward phorward removed the viur-meeting Issues to discuss in the next ViUR meeting label Sep 15, 2025
@ArneGudermann
Copy link
Copy Markdown
Contributor Author

ArneGudermann commented Sep 23, 2025
edited
Loading

Okay I think this my fault. In https://fetch.spec.whatwg.org/#cors-protocol-and-credentials it's described that this problem only on CORS request exist.
Maybe we should talk about that in the viur meeting.

@ArneGudermann ArneGudermann added the viur-meeting Issues to discuss in the next ViUR meeting label Sep 23, 2025
@phorward phorward added Priority: Low This issue can be considered with enough idle time. and removed Priority: High After critical issues are fixed, these should be dealt with before any further issues. viur-meeting Issues to discuss in the next ViUR meeting labels Sep 26, 2025
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@phorward phorward phorward requested changes

@sveneberth sveneberth Awaiting requested review from sveneberth

Requested changes must be addressed to merge this pull request.

Assignees

No one assigned

Labels

bug(fix) Something isn't working or address a specific issue or vulnerability Priority: Low This issue can be considered with enough idle time.

Projects

Documentation
Status: Todo

Milestone

ViUR-core v3.8

Development

Successfully merging this pull request may close these issues.

2 participants

@ArneGudermann @phorward