
WJayadana

403 - This action is unauthorized

Hey Guys,

I am new to Laravel and I always encounter a 403 not authorized error when I try to run an update function in one of my controllers.

I created a model/controller for "Role" and to be able to create a new Role

Here is my controller:

<?php

namespace App\Http\Controllers;

use Carbon\Carbon;
use Illuminate\Http\Request;
use Yajra\DataTables\DataTables;
use App\Http\Requests\RoleRequest;
use Illuminate\Support\Facades\DB;
use Spatie\Permission\Models\Role;
use Spatie\Permission\Models\Permission;

class RoleController extends Controller
{
    public function __construct()
    {
        $this->middleware('auth');
        $this->middleware('permission:lihat role permission|tambah role permission|edit role permission|hapus role permission', ['only' => ['index']]);
        $this->middleware('permission:tambah role permission', ['only' => ['create', 'store']]);
        $this->middleware('permission:edit role permission', ['only' => ['edit', 'update']]);
        $this->middleware('permission:hapus role permission', ['only' => ['destroy']]);
    }

    /**
     * Display a listing of the resource.
     */
    public function index()
    {
        return view('website.role.index');
    }

    /**
     * Show the form for creating a new resource.
     */
    public function create()
    {
        $permissions = Permission::all();
        return view('website.role.create', compact('permissions'));
    }

    /**
     * Store a newly created resource in storage.
     */
    public function store(RoleRequest $request)
    {
        $this->authorize('create', Role::class); // Use a policy if needed

        $role = Role::create(['name' => $request->name]);
        $role->syncPermissions($request->permission);

        toastr('Role Created Successfully', 'success', 'Role', ['positionClass' => 'toast-bottom-right']);

        return redirect()->route('roles.index');
    }

    /**
     * Show the form for editing the specified resource.
     */
    public function edit(Role $role)
    {
        $permissions = Permission::all();
        // Query to fetch the permissions already held by this role
        $hasPermission = DB::table('role_has_permissions')
            ->select('permissions.name')
            ->join('permissions', 'role_has_permissions.permission_id', '=', 'permissions.id')
            ->where('role_id', $role->id)
            ->get()
            ->pluck('name')
            ->all();
        return view('website.role.edit', compact('role', 'permissions', 'hasPermission'));
    }

    /**
     * Update the specified resource in storage.
     */
    public function update(RoleRequest $request, Role $role)
    {
        $role->update(['name' => $request->name]);
        $role->syncPermissions($request->permission);

        toastr('Role Updated Successfully', 'success', 'Role', ['positionClass' => 'toast-bottom-right']);

        return redirect()->route('roles.index');
    }

    /**
     * Remove the specified resource from storage.
     */
    public function destroy(Role $role)
    {
        $role->delete();
        toastr('Role Deleted Successfully', 'success', 'Role', ['positionClass' => 'toast-bottom-right']);

        return redirect()->route('roles.index');
    }

    public function datatable()
    {
        $roles = Role::orderBy('created_at', 'DESC');

        return DataTables::of($roles)
            ->addIndexColumn()
            ->editColumn('created_at', function ($data) {
                // created_at (not "createad_at"): the typo made Carbon parse a null
                return Carbon::parse($data->created_at)->format('d F Y');
            })
            ->addColumn('action', function ($data) {
                return '<a href="' . route('roles.edit', $data->id) . '" class="btn btn-warning btn-sm"><i class="fas fa-edit"></i> </a>
                        <button onclick="deleteConfirm(\'' . $data->id . '\')" class="btn btn-danger btn-sm"><i class="fa fa-trash"></i></button>
                        <form method="POST" action="' . route('roles.destroy', $data->id) . '" style="display:inline-block;" id="submit_' . $data->id . '">
                            ' . method_field('delete') . csrf_field() . '
                        </form>';
            })
            ->rawColumns(['action', 'is_active'])
            ->make(true);
    }
}

Here's my Routes file:


<?php

use Illuminate\Support\Facades\Route;
use App\Http\Controllers\RoleController;
use App\Http\Controllers\KartuController;
use App\Http\Controllers\SiswaController;
use App\Http\Controllers\DeviceController;
use App\Http\Controllers\JurusanController;
use App\Http\Controllers\TingkatController;
use App\Http\Controllers\DashboardController;

/*
|--------------------------------------------------------------------------
| Web Routes
|--------------------------------------------------------------------------
|
| Here is where you can register web routes for your application. These
| routes are loaded by the RouteServiceProvider and all of them will
| be assigned to the "web" middleware group. Make something great!
|
*/

Route::get('/', function () {
    return view('welcome');
});

Route::group(['middleware' => 'auth'], function() {
    Route::get('/',DashboardController::class)->name('home');

    Route::resource('jurusans', JurusanController::class)->except('show');
    Route::get('jurusans/ajax/datatable', [JurusanController::class, 'datatable'])->name('jurusans.ajax.datatable');

    Route::resource('tingkats', TingkatController::class)->except('show');
    Route::get('tingkats/ajax/datatable', [TingkatController::class, 'datatable'])->name('tingkats.ajax.datatable');

    Route::resource('kartus', KartuController::class)->only(['index', 'destroy']);
    Route::get('kartus/ajax/datatable', [KartuController::class, 'datatable'])->name('kartus.ajax.datatable');

    Route::resource('siswa', SiswaController::class);
    Route::get('siswa/ajax/datatable', [SiswaController::class, 'datatable'])->name('siswa.ajax.datatable');

    Route::resource('devices', DeviceController::class)->except('show');
    Route::get('devices/ajax/datatable', [DeviceController::class, 'datatable'])->name('devices.ajax.datatable');

    Route::resource('roles', RoleController::class)->except('show');
    Route::get('roles/ajax/datatable', [RoleController::class, 'datatable'])->name('roles.ajax.datatable');
});
danwah

Hello,

You've not posted your RoleRequest file. However, my first guess is that you've got the authorize method set to the default false value?

/**
 * Determine if the user is authorized to make this request.
 */
public function authorize(): bool
{
    return false;
}

If so, change that to true and it should work.
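Rather than a blanket `true`, a form request's `authorize()` can make the same permission check the controller's middleware already expresses, so the request is denied for the right reason and the 403 is no longer a surprise. The class below is an added example, not the RoleRequest from the original post: it assumes the Spatie permission names used in the controller (`tambah role permission`, `edit role permission`), the `roles` resource route (whose bound model is available as `$this->route('role')` on update and is null on store), a `permissions` table with a `name` column, and PHP 8 for the `?->` operator.

```php
<?php

namespace App\Http\Requests;

use Illuminate\Foundation\Http\FormRequest;
use Illuminate\Validation\Rule;

// Added example; assumes the permission names and the 'roles' resource route
// shown in the original controller and routes file.
class RoleRequest extends FormRequest
{
    /**
     * Determine if the user is authorized to make this request.
     *
     * Returning false here is exactly what produces
     * "403 - This action is unauthorized", before the controller runs.
     */
    public function authorize(): bool
    {
        $user = $this->user();
        if ($user === null) {
            return false;
        }

        // Route-model binding supplies the Role on update; on store there is none.
        $permission = $this->route('role') !== null
            ? 'edit role permission'
            : 'tambah role permission';

        // Spatie registers every permission on Laravel's gate, so can() works.
        return $user->can($permission);
    }

    /**
     * Validation rules for both store and update.
     */
    public function rules(): array
    {
        // Ignore the role being edited in the uniqueness check (null on store).
        $roleId = $this->route('role')?->id;

        return [
            'name' => [
                'required',
                'string',
                'max:255',
                Rule::unique('roles', 'name')->ignore($roleId),
            ],
            // syncPermissions() accepts permission names; reject names that
            // do not exist so a typo cannot silently drop a permission.
            'permission' => ['required', 'array', 'min:1'],
            'permission.*' => ['string', 'exists:permissions,name'],
        ];
    }
}
```

With `authorize()` written this way, a user who lacks the permission is still refused, but a user who holds it passes both the `permission:` middleware and the form request, and the `permission.*` rule stops the `syncPermissions()` call in the controller from receiving names that are not real permissions.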

lift_spindle

From https://spatie.be/docs/laravel-permission/v6/introduction, it says that "Because all permissions will be registered on Laravel's gate, you can check if a user has a permission with Laravel's default can function:"

$user->can('edit articles');

So to start debugging, you would want to be logged in as a user, and go to a route that will die and dump the result of that test. E.g.:

Route::get('/test', function () {
    // The closure has no $user in scope; take the authenticated user.
    $user = auth()->user();

    $action = 'whatever you are trying to test';
    $testResult = $user->can($action);
    dd("User can perform action: " . ($testResult ? 'yes' : 'no'));
});

So then you'll be able to figure out if the problem has something to do with the user's permissions or if you need to find a bug in your controller.
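The same split between "is it the user's permissions?" and "is it a bug in the controller?" can be made repeatable as a feature test instead of a throwaway `dd()` route. The test below is an added example, not code from the original thread or from the Spatie package; it assumes a default Laravel `App\Models\User` with a factory and the Spatie `HasRoles` trait, the `roles` resource route from the original routes file, and that `RoleRequest::authorize()` returns true for a permitted user. If the second test fails with a 403 while the first passes, the cause is the form request (or a policy), not the `permission:` middleware.

```php
<?php

namespace Tests\Feature;

use App\Models\User;
use Illuminate\Foundation\Testing\RefreshDatabase;
use Spatie\Permission\Models\Permission;
use Spatie\Permission\Models\Role;
use Spatie\Permission\PermissionRegistrar;
use Tests\TestCase;

// Added example; assumes App\Models\User uses Spatie's HasRoles trait
// and the 'roles' resource route from the original routes file.
class RoleUpdateAuthorizationTest extends TestCase
{
    use RefreshDatabase;

    protected function setUp(): void
    {
        parent::setUp();
        // Spatie caches permissions; clear it so ones created in a test are seen.
        app(PermissionRegistrar::class)->forgetCachedPermissions();
    }

    // Constructed fixtures: the permission names match the original controller.
    private function roleToEdit(): Role
    {
        Permission::findOrCreate('edit role permission', 'web');
        Permission::findOrCreate('lihat role permission', 'web');

        return Role::create(['name' => 'staff']);
    }

    private function payload(): array
    {
        return ['name' => 'staff-renamed', 'permission' => ['lihat role permission']];
    }

    public function test_user_without_permission_is_forbidden(): void
    {
        $role = $this->roleToEdit();
        $user = User::factory()->create();

        // Logged in, but no 'edit role permission': the permission middleware
        // must answer 403 before the controller's update() runs.
        $this->actingAs($user)
            ->put(route('roles.update', $role), $this->payload())
            ->assertForbidden();

        $this->assertSame('staff', $role->fresh()->name);
    }

    public function test_user_with_permission_can_update(): void
    {
        $role = $this->roleToEdit();
        $user = User::factory()->create();
        $user->givePermissionTo('edit role permission');

        $this->actingAs($user)
            ->put(route('roles.update', $role), $this->payload())
            ->assertRedirect(route('roles.index'));

        $fresh = $role->fresh();
        $this->assertSame('staff-renamed', $fresh->name);
        $this->assertTrue($fresh->hasPermissionTo('lihat role permission'));
    }
}
```

Run it with `php artisan test --filter RoleUpdateAuthorizationTest`. The first test guards against the opposite regression (a later edit that accidentally opens role editing to everyone), which is why both directions are asserted rather than only the happy path.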

NekaDava

I hope you fixed the problem. I can also recommend that you extract the HTML into a view and return it.
