
abkrim

Error 403 when user tries to delete a resource or more in production

Hi, I have a problem that only affects the production version.

It happens when I try to erase one or more resources. It happens to me when I do it from the index or from the details view.

And it only happens to me in production. In development it works fine.

Also, deleting the resource in the shell using tinker with Campaign::destroy(136) works without any problem.

DELETE https://mydomain.tld/nova-api/campaigns?search=&filters=W10%3D&trashed=&resources[]=133 403
(anónimo) @ vendor.js?id=e2c07eb6c9b9faf610fc:1
t.exports @ vendor.js?id=e2c07eb6c9b9faf610fc:1
t.exports @ vendor.js?id=e2c07eb6c9b9faf610fc:1
XmWM.l.request @ vendor.js?id=e2c07eb6c9b9faf610fc:1
(anónimo) @ vendor.js?id=e2c07eb6c9b9faf610fc:1
value @ app.js?id=1c7abbbe8cf05b9e2ece:1
deleteResources @ vendor.js?id=e2c07eb6c9b9faf610fc:1
It @ vendor.js?id=e2c07eb6c9b9faf610fc:1
n @ vendor.js?id=e2c07eb6c9b9faf610fc:1
It @ vendor.js?id=e2c07eb6c9b9faf610fc:1
t.$emit @ vendor.js?id=e2c07eb6c9b9faf610fc:1
deleteResource @ app.js?id=1c7abbbe8cf05b9e2ece:1
confirmDelete @ app.js?id=1c7abbbe8cf05b9e2ece:1
It @ vendor.js?id=e2c07eb6c9b9faf610fc:1
n @ vendor.js?id=e2c07eb6c9b9faf610fc:1
It @ vendor.js?id=e2c07eb6c9b9faf610fc:1
t.$emit @ vendor.js?id=e2c07eb6c9b9faf610fc:1
handleConfirm @ app.js?id=1c7abbbe8cf05b9e2ece:1
submit @ app.js?id=1c7abbbe8cf05b9e2ece:1
It @ vendor.js?id=e2c07eb6c9b9faf610fc:1
n @ vendor.js?id=e2c07eb6c9b9faf610fc:1
Qr.o._wrapper @ vendor.js?id=e2c07eb6c9b9faf610fc:1

vendor.js?id=e2c07eb6c9b9faf610fc:1 Error: Request failed with status code 403
    at FtD3.t.exports (vendor.js?id=e2c07eb6c9b9faf610fc:1)
    at t.exports (vendor.js?id=e2c07eb6c9b9faf610fc:1)
    at XMLHttpRequest.y (vendor.js?id=e2c07eb6c9b9faf610fc:1)

Any ideas?

NOTES

I do not use any policies or gates, only the Nova gate.

NovaServiceProvider

protected function gate()
{
    Gate::define('viewNova', function ($user) {
        return auth()->check();
    });
}

Logs

Even when putting the application in local mode and debugging it, no errors are shown at the Laravel level, only at the JavaScript level.

mabdullahsari

Create a policy which allows the deletion of the resource. viewNova does not affect this.

abkrim

@mabdullahsari But I don't understand this.

If I use the nova gate, if I don't use policies, ...

why does it give me the 403 error in production and not in development?

According to the manual, I have no need to create a policy to delete.

I don't know, I don't understand the statement or the solution.

mabdullahsari

@abkrim Check your network tab. Is the error from your application or webserver? I suspect your web server might not be properly initialized disallowing PUT or DELETE.

abkrim

@mabdullahsari

fetch("https://central.domain.es/nova-api/templates?search=&filters=W10%3D&trashed=&resources[]=385", {
  "headers": {
    "accept": "application/json, text/plain, */*",
    "accept-language": "es-ES,es;q=0.9,en-US;q=0.8,en;q=0.7",
    "cache-control": "no-cache",
    "pragma": "no-cache",
    "sec-fetch-dest": "empty",
    "sec-fetch-mode": "cors",
    "sec-fetch-site": "same-origin",
    "sec-gpc": "1",
    "x-csrf-token": "MJ9XL4QcvPPf6yxKCXeQB45v7iQ2GjT2uonLDQIt",
    "x-requested-with": "XMLHttpRequest",
    "x-xsrf-token": "eyJpdiI6InA2dXJ3WHNWNjNYb25LN3hCL0FyNGc9PSIsInZhbHVlIjoiMzBZb2RydXlNWDV1aGFQOXoyRDRmUXpncjJDSlZlVEw4Zk1oVXR0djZnMDVQdFRqQS9wTmRNNkRlWnkyVm9ZZ0d5ZWNpT0NEZmZFRnFvbXNpM1RWRTJmaTFFU2JZQlNrMkJjTWtzQW8yd0ZEeHhjL3ZqaG9wUlNsUmFpd1dUWDYiLCJtYWMiOiIxYmI2ZmY5MzQzZTQ5NWRiMmY5ZTI1NmFiNmZmZDIzZTljYmFiYThhZWE2M2U5NjYzMzE4OGMwZDRjZWEyOTAxIiwidGFnIjoiIn0="
  },
  "referrer": "https://central.domain.es/nova/resources/templates",
  "referrerPolicy": "strict-origin-when-cross-origin",
  "body": null,
  "method": "DELETE",
  "mode": "cors",
  "credentials": "include"
});
Solicitar URL: https://central.domain.es/nova-api/templates?search=&filters=W10%3D&trashed=&resources[]=385
Método de la solicitud: DELETE
Código de estado: 403 
Dirección remota: 88.88.88.88:443
Política de referencia: strict-origin-when-cross-origin

Apache log

92.59.240.169 - - [03/Jan/2022:08:48:22 +0100] "DELETE /nova-api/templates?search=&filters=W10%3D&trashed=&resources[]=385 HTTP/2.0" 403 60506 "https://central.domain.es/nova/resources/templates" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.110 Safari/537.36"

I'm lost.

https://imgur.com/a/oiNodno https://imgur.com/a/NGUHv2B

abkrim

@mabdullahsari Thanks a lot.

Apache is not the problem. The problem is mod_security.

I forgot that my servers have ModSecurity installed.

Two rules were throwing an exception and forbidding the action.

After deactivating those two rules, it works fine.
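
The thread ends with two unnamed ModSecurity rules being deactivated. As an added example (not part of the thread), this script reads the Apache error log to find which rule ids actually denied requests under /nova-api/ and emits a SecRuleRemoveById exclusion limited to that path instead of a server-wide one. The log lines, rule ids and function names are constructed placeholders.

```python
import re

# Constructed sample in the Apache error-log format ModSecurity 2.x writes.
# Rule ids, messages and client addresses are placeholders, not from the thread.
SAMPLE_ERROR_LOG = """\
[Mon Jan 03 08:48:22 2022] [:error] [pid 101] [client 192.0.2.10:50000] ModSecurity: Access denied with code 403 (phase 2). [id "1000001"] [msg "constructed rule A"] [hostname "central.domain.es"] [uri "/nova-api/templates"] [unique_id "aaa"]
[Mon Jan 03 08:48:22 2022] [:error] [pid 101] [client 192.0.2.10:50000] ModSecurity: Warning. [id "1000003"] [msg "constructed, non-blocking"] [hostname "central.domain.es"] [uri "/nova-api/templates"] [unique_id "aaa"]
[Mon Jan 03 08:49:10 2022] [:error] [pid 102] [client 192.0.2.10:50001] ModSecurity: Access denied with code 403 (phase 2). [id "1000002"] [msg "constructed rule B"] [hostname "central.domain.es"] [uri "/nova-api/campaigns"] [unique_id "bbb"]
[Mon Jan 03 08:50:00 2022] [:error] [pid 103] [client 192.0.2.11:50002] ModSecurity: Access denied with code 403 (phase 2). [id "1000004"] [msg "constructed rule C"] [hostname "central.domain.es"] [uri "/login"] [unique_id "ccc"]
[Mon Jan 03 08:50:01 2022] [core:notice] [pid 1] AH00094: Command line: '/usr/sbin/apache2'
"""

DENIED = re.compile(r"ModSecurity: Access denied with code (\d+)")
FIELD = re.compile(r'\[(id|msg|uri) "([^"]*)"\]')


def blocking_rules(log_text, uri_prefix, status="403"):
    """Map rule id -> {"msg", "uris"} for denials under uri_prefix."""
    rules = {}
    for line in log_text.splitlines():
        denied = DENIED.search(line)
        if not denied or denied.group(1) != status:
            continue  # skip warnings and non-ModSecurity lines
        fields = dict(FIELD.findall(line))
        uri = fields.get("uri", "")
        if "id" not in fields or not uri.startswith(uri_prefix):
            continue  # denial belongs to another part of the site
        entry = rules.setdefault(
            fields["id"], {"msg": fields.get("msg", ""), "uris": set()})
        entry["uris"].add(uri)
    return rules


def scoped_exclusion(rule_ids, uri_prefix):
    """Apache config that drops only these rules, only under uri_prefix."""
    ids = " ".join(sorted(rule_ids))
    return f'<Location "{uri_prefix}">\n    SecRuleRemoveById {ids}\n</Location>'


if __name__ == "__main__":
    found = blocking_rules(SAMPLE_ERROR_LOG, "/nova-api/")
    for rule_id, info in sorted(found.items()):
        print(rule_id, info["msg"], sorted(info["uris"]))
    print(scoped_exclusion(found, "/nova-api/"))
```

Reading each rule's msg before excluding it shows what protection is being given up on that path; the rest of the site keeps the full rule set.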
