Be part of JetBrains PHPverse 2026 on June 9 – a free online event bringing PHP devs worldwide together.

robbiel's avatar

403 - "This action is unauthorized."

I have a Settings nova Resource and a SettingsPolicy like below for this resource. The main goal of the policy is to hide the create button when there is already one Setting. The issue is that after adding the policy after update the resource I get a 403 error:

exception: "Symfony\Component\HttpKernel\Exception\AccessDeniedHttpException"
file: "/var/www/html/vendor/laravel/framework/src/Illuminate/Foundation/Exceptions/Handler.php"

message: "This action is unauthorized."
trace: [{file: "/var/www/html/vendor/laravel/

Policy:

class SettingsPolicy
{
    use HandlesAuthorization;


    public function create()
    {
        return Settings::count() === 0;
    }

    public function update()
    {
        return true;
    }

    public function delete()
    {
        return true;
    }
}
0 likes
8 replies
sr57's avatar

@robbiel

Check / modify to true the return of your authorize function from your request controllers in app/Http/Requets

robbiel's avatar

@sr57 sorry but I didn't understand properly. What you mean with check "/"?

sr57's avatar

@robbiel

The classes in app/Http/Request has an authorize functions that must return true (return false as default)

robbiel's avatar

@sr57 So its necessary to add an authorise method to the policy? Thanks

sr57's avatar
sr57
3 years ago
Best Answer
Level 39

@robbiel

I referred for one of my previous problem but it seems it not the same case for you.

Can you double check your setup?

  • namespace in your policy class?

  • policy registered?

  • correct action?

1 like
robbiel's avatar

@sr57 I just resisted it on the AuthServiceProvider but it seems that is not working, dd($this->registerPolicies()) shows always null. And it still shows the 403 error. Thanks!

class SettingsPolicy
{
    use HandlesAuthorization;


    public function create()
    {
        return Settings::count() === 0;
    }

    public function update()
    {
        return true;
    }

    public function delete()
    {
        return true;
    }
}

I tried to register the policy on the AuthServiceProvider but it seems that is not working, dd($this->registerPolicies()) shows always null. And it still shows the 403 error.

class AuthServiceProvider extends ServiceProvider
{
    /**
     * The policy mappings for the application.
     *
     * @var array<class-string, class-string>
     */
    protected $policies = [
        'App\Models\ Settings' => 'App\Policies\SettingsPolicy',
    ];

    /**
     * Register any authentication / authorization services.
     *
     * @return void
     */
    public function boot()
    {
        dd($this->registerPolicies()); // shows always null
    }
}
CodeX-Forge's avatar

i am a newbie in Laravel. but trying. If wrong anyone can correct me. As per i know stopping the script in boot does always returns "null". That ain't matter.

  1. check if you're calling authorize() like this: $this->authorize('create',Settings::class)

Laravel always states that you need to provide one Model atleast in methods without models:

Ex: PostPolicy.php

public function createPost(User $user)
    {
        return $user->hasRole(['writer','admin']);
    }

When using this in controller:

$this->authorize('createPost', Post::class);

Referrer: https://laravel.com/docs/8.x/authorization#methods-without-models

johnDoe220's avatar

if use request class for validation(i mean => app/http/requests) you shuold change false to true

Please or to participate in this conversation.