We have a small application where we post a PATCH request to a content object using jQuery.
This works against a standard Plone sandbox w/o reverse proxy but fails against a staging system behind Apache.The PATCH always return 403/Forbidden although the authentication cookie is includes with the PATCH call. I do not see any errors (even with verbose security, debug mode on and Python security mode enabled). The PATCH call does not seem to arrive on the plone.restapi layer but seems to be intercepted earlier. The only difference is really the Apache reverse proxy...no obvious CORS issues since the request goes against the same host/URL. Any ideas?
Appears related to the Apache mod_proxy configuration:
AH01797: client denied by server configuration: proxy:http://localhost:11001/VirtualHostBase/
Solved (classical own goal)...PATCH was missing here:
<LimitExcept GET POST HEAD PATCH>
Order Allow,Deny
Deny from all
Satisfy all
</LimitExcept>