Be part of JetBrains PHPverse 2026 on June 9 – a free online event bringing PHP devs worldwide together.

bwrigley's avatar

403 when using Resource Controller

Hi There,

I've set up a new Resource Controller but as soon as I try to submit a form with the PUT or PATCH method I get a 403 error.

The syntax I have at the top of my form is:

<form method="POST" action="{{ route('admin.administrators.update',['admin' => $admin->id]) }}">
    {{ csrf_field() }}

    @method('PUT')

///

From what I've read this might be an issue with my configuration of nginx?

However this is what comes out of the box with Homestead.

Anyone brilliant who can tell me how to fix this?

0 likes
15 replies
Snapey's avatar

Often just a mismatch between the URL and the Route for the passed parameters.

If this is a resource route then the parameter in the route will not be admin it will be something like administrators

You can confirm this with php artisan route:list

Change the route in your form so that it does not name the parameter, eg;

    action="{{ route('admin.administrators.update',$admin->id) }}"

or use the correct resource name, eg;

    action="{{ route('admin.administrators.update',['administrators' => $admin->id]) }}"
1 like
bwrigley's avatar

@goatshark

Section of web.php

//Admin
Route::group(['middleware' => 'admin', 'prefix' => 'admin', 'as' => 'admin.'], function () {
   
    Route::get('', 'AdminController@dashboard')->name('dashboard');
    Route::resource('administrators', 'AdminController');
});
bwrigley's avatar

@snapey

You are right, when I look at the route list it is administrator, I thought this could be any parameter name I like.

However, this doesn't get rid of the 403 sadly

Snapey's avatar

did you change your route action as suggested?

bwrigley's avatar

@smoketm I could do it directly yes, but I want to use the new resource controllers as these are much cleaner and help keep the code following a sensible format in all controllers

Snapey's avatar

what does the form action look like when you view it in the browser source

bwrigley's avatar

@snapey

<form method="POST" action="https://domain.test/admin/administrators/1">
    <input type="hidden" name="_token" value="...">
    <input type="hidden" name="_method" value="PUT">
Snapey's avatar

when I look at the route list it is administrator,

can you check this again because the docs say it should be plural, and your browser source code is plural. If the route is singular then that would be the problem

ps, change this to a forward slash

Route::get('', 'AdminController@dashboard')->name('dashboard');
bwrigley's avatar

@snapey

I'm confused now, are you referring to the path or to the parameter? sorry if I'm being dumb.

Just to test, I have updated both to be singular now:

routes:

Route::group(['middleware' => 'admin', 'prefix' => 'admin', 'as' => 'admin.'], function () {
   
    Route::get('/', 'AdminController@dashboard')->name('dashboard');
    Route::resource('administrator', 'AdminController');
});

form:

<form method="POST" action="{{ route('admin.administrator.update',['administrator' => $admin->id]) }}">
    @csrf

    @method('PUT')

form source:

<form method="POST" action="https://domain.test/admin/administrator/1">
    <input type="hidden" name="_token" value="...">
    <input type="hidden" name="_method" value="PUT">

route.list:

|        | POST      | admin/administrator                      | admin.administrator.store   | App\Http\Controllers\AdminController@store                                  | web,admin    |
|        | GET|HEAD  | admin/administrator                      | admin.administrator.index   | App\Http\Controllers\AdminController@index                                  | web,admin    |
|        | GET|HEAD  | admin/administrator/create               | admin.administrator.create  | App\Http\Controllers\AdminController@create                                 | web,admin    |
|        | DELETE    | admin/administrator/{administrator}      | admin.administrator.destroy | App\Http\Controllers\AdminController@destroy                                | web,admin    |
|        | PUT|PATCH | admin/administrator/{administrator}      | admin.administrator.update  | App\Http\Controllers\AdminController@update                                 | web,admin    |
|        | GET|HEAD  | admin/administrator/{administrator}      | admin.administrator.show    | App\Http\Controllers\AdminController@show                                   | web,admin    |
|        | GET|HEAD  | admin/administrator/{administrator}/edit | admin.administrator.edit    | App\Http\Controllers\AdminController@edit                                   | web,admin    |

index works fine as does edit with the parameter, it is only the submission of the edit form that I get a 403.

Do you not think this could be an nginx configuration issue? I'm just using it as Homestead sets it up out of the box.

Really appreciate the time you are giving to this. thank you.

bwrigley's avatar
bwrigley
OP
7 years ago
Best Answer
Level 5

Walk of shame time...

I'm using a custom form request to validate the input data. I think I missed this bit:

class CreateAdminFormRequest extends FormRequest
{
    /**
     * Determine if the user is authorized to make this request.
     *
     * @return bool
     */
    public function authorize()
    {
        return false;

    }

huge apologies to all and thank you all for your time!

2 likes

Please or to participate in this conversation.