
soulbork's avatar

Form request always returning false (unauthorised)

I have the following line in my web.php:

//web.php
    Route::resource('/players', PlayerController::class);

I have the following method in my PlayerController:

//PlayerController.php
    public function update(UpdatePlayerRequest $request, Player $player)
    {
        $player = $this->playerService->updatePlayer($player, $request->validated());
        return redirect('/games/'.$player->game_id);
    }

My UpdatePlayerRequest looks like this:

//UpdatePlayerRequest.php
<?php

namespace App\Http\Requests\Players;

use Illuminate\Foundation\Http\FormRequest;

class UpdatePlayerRequest extends FormRequest
{
    /**
     * Determine if the user is authorized to make this request.
     */
    public function authorize(): bool
    {
        return $this->user()->can('update', $this->player);
    }

    /**
     * Get the validation rules that apply to the request.
     *
     * @return array<string, \Illuminate\Contracts\Validation\Rule|array|string>
     */
    public function rules(): array
    {
        return [
            //
        ];
    }
}

My app is always returning a 403 Unauthorised response to responses that should be authorised. I can even set my PlayerPolicy to return true like below:

//PlayerPolicy.php
    public function update(User $user, Player $player)
    {
        return true;
    }

Can anyone help me identify why this is not working or what steps I should take to debug?

LaryAI's avatar
Level 58

The issue might be that the player property is not defined in the UpdatePlayerRequest class. You can define it by adding a constructor to the class and passing the Player instance to it. Here's an example:

class UpdatePlayerRequest extends FormRequest
{
    private $player;

    public function __construct(Player $player)
    {
        $this->player = $player;
    }

    public function authorize(): bool
    {
        return $this->user()->can('update', $this->player);
    }

    public function rules(): array
    {
        return [
            //
        ];
    }
}

Then, in your PlayerController, you can pass the Player instance to the UpdatePlayerRequest constructor like this:

public function update(Player $player, UpdatePlayerRequest $request)
{
    $player = $this->playerService->updatePlayer($player, $request->validated());
    return redirect('/games/'.$player->game_id);
}

This should ensure that the authorize method has access to the Player instance and can properly authorize the request.

Snapey's avatar

Is your resource route inside a route group?

soulbork's avatar

@Snapey Yes the resource route is inside the route group below:

Route::middleware('auth')->group(function () {

    //Other routes

    Route::resource('/players', PlayerController::class);

});

soulbork's avatar

@Snapey Auth middleware is just checking the user is logged in. It doesn't know about permissions, and I've confirmed the user is logged in.

soulbork's avatar
soulbork
OP
Best Answer
Level 1

I'm not sure what the problem was, but I've ended up using Controller Helpers to fix it.

//PlayerController.php
    public function __construct(...)
    {
        //Do stuff

        $this->authorizeResource(Player::class);
    }

//UpdatePlayerRequest.php
class UpdatePlayerRequest extends FormRequest
{
    public function authorize()
    {
        return true;
    }
...
}
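
For the debugging question in the original post, here is one way to instrument `authorize()` so that a 403 leaves a trace of why it was denied. This is an added example, not code from any participant in the thread; the `App\Models\Player` namespace and the log messages are assumptions.

```php
<?php

namespace App\Http\Requests\Players;

use App\Models\Player; // assumed model namespace, not shown in the thread
use Illuminate\Foundation\Http\FormRequest;
use Illuminate\Support\Facades\Gate;
use Illuminate\Support\Facades\Log;

class UpdatePlayerRequest extends FormRequest
{
    public function authorize(): bool
    {
        // Read the route parameter explicitly. $this->player goes through
        // Request::__get(), which looks at request input before route
        // parameters, so an input field named "player" would be returned
        // instead of the bound model.
        $player = $this->route('player');

        // Fail closed, but record what was actually bound to the route.
        if (! $player instanceof Player) {
            Log::warning('UpdatePlayerRequest: route parameter is not a Player', [
                'type' => get_debug_type($player),
                'route_parameters' => array_keys($this->route()->parameters()),
            ]);

            return false;
        }

        // Gate::inspect() returns an Access\Response instead of a bare bool,
        // so a denial can be logged together with the policy that produced it.
        $response = Gate::forUser($this->user())->inspect('update', $player);

        if ($response->denied()) {
            Log::info('UpdatePlayerRequest: policy denied update', [
                'policy' => get_debug_type(Gate::getPolicyFor($player)),
                'message' => $response->message(),
            ]);
        }

        return $response->allowed();
    }

    public function rules(): array
    {
        return [];
    }
}
```

A logged policy type of `null` means no policy is registered or discovered for the model, which is a different failure from the policy method itself returning false.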
