@WendellAdriel
Contributor

Summary

  • Supports PUT, PATCH, and DELETE method spoofing
  • Only applies to POST requests for security
  • Case-insensitive method values
  • Preserves all request data
  • Automatic support in x-form component
  • Backward compatible (HEAD→GET fallback preserved)
  • Secure by design (doesn't allow GET spoofing)

Changes

This updates the MatchRouteMiddleware to:

  • Check for a _method parameter in the request body
  • Validate and allow only PUT, PATCH, and DELETE methods for security

This also updates the x-form.view.php component to:

  • Automatically detect when method is PUT, PATCH, or DELETE
  • Render the form with method="POST" for browser compatibility
  • Automatically insert a hidden _method field with the original method value

Examples

If using the <form> HTML tag, you'll need to set the method attribute of the form to POST and add a hidden input with the method you want:

<form action="/books/{{ $book->id }}" method="POST">
    <input type="hidden" name="_method" value="PUT" />
</form>

If you're using the x-form component, it's even easier:

<x-form action="/books/{{ $book->id }}" method="PUT">
</x-form>

This will render the <form> tag, setting the method to POST and automatically inserting a hidden _method input with the value you set.

Fixes #1510
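
The resolution rules listed in the description above (POST only, body parameter, case-insensitive, PUT/PATCH/DELETE allowlist), as an added PHP example that is not the PR's code or Tempest's MatchRouteMiddleware. `resolveEffectiveMethod` and `SPOOFABLE_METHODS` are hypothetical names, the sample requests are constructed, and ignoring a non-string `_method` value is an assumption of this example.

```php
<?php

declare(strict_types=1);

// Hypothetical helper, not Tempest's MatchRouteMiddleware: resolves the
// effective HTTP method following the rules listed in the PR summary.
const SPOOFABLE_METHODS = ['PUT', 'PATCH', 'DELETE'];

/**
 * @param string $method Real HTTP method from the request line.
 * @param array<string, mixed> $body Parsed request body fields (not the query string).
 */
function resolveEffectiveMethod(string $method, array $body): string
{
    $method = strtoupper($method);

    // Only POST may be overridden, so a GET link can never become a DELETE.
    if ($method !== 'POST') {
        return $method;
    }

    $override = $body['_method'] ?? null;

    // Assumption: non-string values (e.g. _method[]=PUT parsed as an array) are ignored.
    if (! is_string($override)) {
        return $method;
    }

    // Case-insensitive match against a strict allowlist; anything else keeps POST.
    $override = strtoupper($override);

    return in_array($override, SPOOFABLE_METHODS, true) ? $override : $method;
}

// Constructed sample requests: [real method, body fields, expected result].
$cases = [
    ['POST', ['_method' => 'put'], 'PUT'],
    ['POST', ['_method' => 'DELETE'], 'DELETE'],
    ['GET', ['_method' => 'DELETE'], 'GET'],   // spoofing a GET is refused
    ['POST', ['_method' => 'GET'], 'POST'],    // GET is not on the allowlist
    ['POST', ['_method' => 'TRACE'], 'POST'],
    ['POST', ['_method' => ['PUT']], 'POST'],
    ['POST', [], 'POST'],
];

foreach ($cases as [$real, $body, $expected]) {
    $actual = resolveEffectiveMethod($real, $body);
    printf("%-4s %-22s => %-6s %s\n", $real, json_encode($body), $actual, $actual === $expected ? 'ok' : 'FAIL');
}
```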

@WendellAdriel
Contributor Author

@brendt I'm seeing that one test failed, but when I check, it's not related to these changes, and on my local this specific test that's marked as failed is passing.

@brendt
Member

brendt commented Aug 20, 2025

As discussed, let's clean these PRs up and tackle them one by one instead of all at the same time.

@brendt brendt closed this Aug 20, 2025

Development

Successfully merging this pull request may close these issues.

update/delete verb routes aren't resolved
