dhymik
March 17, 2025, 4:13pm
1
When trying to delete an form, I receive “Delete failed” in the backoffice and browser console shows:
405 (Method Not Allowed)
error.
I am on Umbraco 13 on IIS / Windows server. Is there a state-of the art, secure way to get around this error? I found numerous old posts about this issue for ASP.NET / Umbraco 7 cases, but it seems to me that these do not apply these days with ASP.NET Core.
Any input highly appreciated!
Kind regards, Mikael
mttblss
March 17, 2025, 5:45pm
2
The fix to this issue might be something to investigate, particularly if you’ve got any virtual routes…
/// Ensures the surface controller requests takes priority over other things like virtual routes.
/// Also ensures that requests to a surface controller on a virtual route will return 405, like HttpMethodMatcherPolicy ensures for non-virtual route requests.
v10/dev ← v10/bugfix/13836_fix_http_get_surface_controllers_on_virtual_routes
opened 12:17PM - 07 Mar 23 UTC
Fixed issue mentioned in #13836
Now surface controller requests always has h… igher priority than other. So if this is both a surface controller request and a virtual page request, it will execute the surface controller.
This is done using a `SurfaceControllerMatcherPolicy` that will invalidate all other endpoints than the surface controller, if a surface controller matched the request (This should only ever happen, if the magic query string is added)
### Test steps
There are a couple of usecases to test out. Please follow guide here: https://github.com/umbraco/Umbraco-CMS/pull/13919.
We have to test the combinations:
| - | Regular page ('/') | Hijacked page ('/hijacked') | Virtual page ('/demo') with no http verbs | Virtual page ('/demo') with HttpGet | Virtual page ('/demo') with HttpPost | Virtual page ('/demo') with HttpGet and HttpPost |
| ------------- | ------------- | ------------- |------------- |------------ | ------------- |------------- |
| **No http verbs on surface actions** | We expect it to work on both httpGet and httpPost | We expect it to work on both httpGet and httpPost | We expect it to work on both httpGet and httpPost | We expect it to work on both httpGet and httpPost | We expect it to work on both httpGet and httpPost | We expect it to work on both httpGet and httpPost |
| **HttpGet and HttpPost on surface actions** | We expect it to work on both httpGet and httpPost | We expect it to work on both httpGet and httpPost | We expect it to work on both httpGet and httpPost | We expect it to work on both httpGet and httpPost | We expect it to work on both httpGet and httpPost | We expect it to work on both httpGet and httpPost |
| **HttpGet on surface actions** | only get should work. post should give 405 | only get should work. post should give 405 | only get should work. post should give 405 | only get should work. post should give 405 | only get should work. post should give 405 | only get should work. post should give 405 |
| **HttpPost on surface actions** | only post should work. get should give 405 | only post should work. get should give 405 | only post should work. get should give 405 | only post should work. get should give 405 | only post should work. get should give 405 | only post should work. get should give 405 |