Title: _method=DELETE – 403 Forbidden Last modified: May 15, 2017 --- # _method=DELETE – 403 Forbidden * Resolved [cartpauj](https://wordpress.org/support/users/cartpauj/) * (@cartpauj) * [9 years ago](https://wordpress.org/support/topic/_methoddelete-403-forbidden/) * When deleting an appointment, the admin-ajax.php request URI has the &_method =DELETE parameter (from Backbone???). This is triggering a 403 forbidden on some web-hosts I’ve tested this with. * ALL of the other ajax endpoints work fine and return a 200 ok. I can delete workers, locations, and services just fine. Only the deleting of Appointments seems to cause the 403. * After inspecting the HTTP requests for differences (see below), I’m thinking ( mostly a guess at this point) the &_method=DELETE GET parameter is showing up as suspicious in the security configuration of the web server which I cannot control or modify. * I’m not sure if you can make appointments delete in a similar way to the other objects that are deleting fine, but if so – that would be helpful. * Working: * ``` Request URL:http://site.com/wp-admin/admin-ajax.php?action=ea_location&id=3 Request Method:DELETE Status Code:200 OK REQUEST HEADERS: Accept:application/json, text/javascript, */*; q=0.01 Accept-Encoding:gzip, deflate, sdch Accept-Language:en-US,en;q=0.8 Connection:keep-alive Cookie:(REMOVED FOR SECURITY) Host:site.com Origin:http://site.com Referer:http://site.com/wp-admin/admin.php?page=easy_app_settings User-Agent:Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/58.0.3029.110 Safari/537.36 X-Requested-With:XMLHttpRequest ``` * NOT Working: * ``` Request URL:http://site.com/wp-admin/admin-ajax.php?action=ea_appointment&id=374&_method=DELETE Request Method:POST Status Code:403 Forbidden REQUEST HEADERS: Accept:application/json, text/javascript, */*; q=0.01 Accept-Encoding:gzip, deflate Accept-Language:en-US,en;q=0.8 Connection:keep-alive Content-Length:0 Cookie:(REMOVED FOR SECURITY) Host:site.com Origin:http://site.com Referer:http://site.com/wp-admin/admin.php?page=easy_app_top_level User-Agent:Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/58.0.3029.110 Safari/537.36 X-Requested-With:XMLHttpRequest ``` * I have verified that the file permissions and user:group ownership are correct as well. * Oddly enough visiting [http://site.com/wp-admin/admin-ajax.php?action=ea_appointment&id=374&_method=DELETE](http://site.com/wp-admin/admin-ajax.php?action=ea_appointment&id=374&_method=DELETE) directly in my browser (GET) works fine and the appointment is deleted okay as long as I’m logged in. So maybe you could change this ajax call to use GET instead of POST? * I’m not familiar enough with Backbone to even know where/how to make some changes and test the outcome. But if you could give me some pointers, I’d be happy to try them for you to see if the result is any different. It looks like settings. prod.js is where most of the ajax stuff for the admin is handled…but again I’m not sure what to modify. Viewing 4 replies - 1 through 4 (of 4 total) * Thread Starter [cartpauj](https://wordpress.org/support/users/cartpauj/) * (@cartpauj) * [9 years ago](https://wordpress.org/support/topic/_methoddelete-403-forbidden/#post-9134774) * Update: I was able to get this working by removing the `|| args.type === 'DELETE'` from the settings.prod.js file (Backbone.ajax): * ``` if(args.type === 'PUT') { change.type = 'POST'; change.url = args.url + '&_method=' + args.type; } ``` * Working Request: * ``` Request URL:http://site.com/wp-admin/admin-ajax.php?action=ea_appointment&id=377 Request Method:DELETE Status Code:200 OK REQUEST HEADERS: Accept:application/json, text/javascript, */*; q=0.01 Accept-Encoding:gzip, deflate, sdch Accept-Language:en-US,en;q=0.8 Connection:keep-alive Cookie:(REMOVED FOR SECURITY) Host:site.com Origin:http://site.com Referer:http://site.com/wp-admin/admin.php?page=easy_app_top_level User-Agent:Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/58.0.3029.110 Safari/537.36 X-Requested-With:XMLHttpRequest ``` - This reply was modified 9 years ago by [cartpauj](https://wordpress.org/support/users/cartpauj/). * [Nikola Loncar](https://wordpress.org/support/users/loncar/) * (@loncar) * [9 years ago](https://wordpress.org/support/topic/_methoddelete-403-forbidden/#post-9150317) * Hi [@cartpauj](https://wordpress.org/support/users/cartpauj/), * sorry for the late response. You can simple fix that by marking **Compatibility mode** option inside Settings > Customize page. 🙂 * Best regards, Nikola * Thread Starter [cartpauj](https://wordpress.org/support/users/cartpauj/) * (@cartpauj) * [9 years ago](https://wordpress.org/support/topic/_methoddelete-403-forbidden/#post-9150728) * Thanks, what does the compatibility mode actually change? * [Nikola Loncar](https://wordpress.org/support/users/loncar/) * (@loncar) * [9 years ago](https://wordpress.org/support/topic/_methoddelete-403-forbidden/#post-9152795) * Hi [@cartpauj](https://wordpress.org/support/users/cartpauj/), it’s usidng POST instead of PUT (update) and DELETE (for deleting) http requests. By default it’s GET, POST, PUT, DELETE but not all servers allow all methods. * Best regards, Nikola Viewing 4 replies - 1 through 4 (of 4 total) The topic ‘_method=DELETE – 403 Forbidden’ is closed to new replies. * ![](https://ps.w.org/easy-appointments/assets/icon-256x256.png?rev=1472759) * [Easy Appointments](https://wordpress.org/plugins/easy-appointments/) * [Frequently Asked Questions](https://wordpress.org/plugins/easy-appointments/#faq) * [Support Threads](https://wordpress.org/support/plugin/easy-appointments/) * [Active Topics](https://wordpress.org/support/plugin/easy-appointments/active/) * [Unresolved Topics](https://wordpress.org/support/plugin/easy-appointments/unresolved/) * [Reviews](https://wordpress.org/support/plugin/easy-appointments/reviews/) ## Tags * [403 Forbidden](https://wordpress.org/support/topic-tag/403-forbidden/) * 4 replies * 2 participants * Last reply from: [Nikola Loncar](https://wordpress.org/support/users/loncar/) * Last activity: [9 years ago](https://wordpress.org/support/topic/_methoddelete-403-forbidden/#post-9152795) * Status: resolved