DELETE method not being treated as unsafe #280
Comments
this is one of the few remaining original lines, and i have not really put a lot of thought in it. a quick search has led me to this SO question, where there are quite a few opinions on the topic: https://stackoverflow.com/questions/299628/is-an-entity-body-allowed-for-an-http-delete-request tl;dr: the HTTP RFC does not explicitly forbid it, Roy Fielding does not like it, OpenAPI 3.0.3 does not allow it. i tested it and the OpenAPI 3.0.3 spec does indeed not validate anymore. It looks like OpenAPI 3.1.0 will discourage but support it
Alright, thanks. The comment above the line is a bit misleading, because
yes that comment is incorrect strictly speaking, but it's just wording. i'll close the ticket as there is currently no need to change anything, except for the comment of course.
I am using djoser and I was wondering why isn't the request body of the DELETE method showing up, because it needs the current password in the body. I spent an hour debugging/writing extensions, but nothing worked. Then I stumbled upon this line. Is there a reason the DELETE method is not included there?
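An added example, not code from this thread or from drf-spectacular: a check that lists every DELETE operation in an OpenAPI document that declares a request body, together with the body's field names, so an API reviewer can see where a generated schema depends on the version behaviour described in the comments. The status labels follow what the thread says about 3.0.3 and 3.1.0; the function names and the sample document (path `/account/`, field `current_password`) are constructed for illustration.

```python
def spec_version(doc):
    """Return (major, minor) parsed from the document's 'openapi' field."""
    major, minor = doc["openapi"].split(".")[:2]
    return int(major), int(minor)


def resolve(doc, node):
    """Follow local '#/...' $ref pointers until a concrete object is reached."""
    seen = set()
    while isinstance(node, dict) and "$ref" in node:
        ref = node["$ref"]
        if not ref.startswith("#/") or ref in seen:
            return {}  # external or circular reference: nothing to inspect
        seen.add(ref)
        node = doc
        for part in ref[2:].split("/"):
            node = node.get(part, {}) if isinstance(node, dict) else {}
    return node if isinstance(node, dict) else {}


def delete_bodies(doc):
    """List DELETE operations that declare a requestBody, with its field names."""
    # Per the thread: 3.0.3 does not allow it, 3.1.0 discourages but supports it.
    status = "discouraged" if spec_version(doc) >= (3, 1) else "not allowed"
    findings = []
    for path, item in sorted(doc.get("paths", {}).items()):
        body = item.get("delete", {}).get("requestBody")
        if body is None:
            continue
        fields = set()
        for media in resolve(doc, body).get("content", {}).values():
            schema = resolve(doc, media.get("schema", {}))
            fields.update(schema.get("properties", {}))
        findings.append({"path": path, "status": status, "fields": sorted(fields)})
    return findings


# Constructed sample document, not output of drf-spectacular or djoser.
SAMPLE = {
    "openapi": "3.0.3",
    "paths": {
        "/account/": {"delete": {"requestBody": {"content": {"application/json": {
            "schema": {"$ref": "#/components/schemas/AccountDelete"}}}}}},
        "/items/{id}/": {"delete": {"responses": {"204": {"description": "deleted"}}}},
    },
    "components": {"schemas": {"AccountDelete": {
        "type": "object", "properties": {"current_password": {"type": "string"}}}}},
}

if __name__ == "__main__":
    for finding in delete_bodies(SAMPLE):
        print(finding)
```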