mdn-backend / app /Http /Middleware /RequirePermission.php
internationalscholarsprogram's picture
feat(auth): implement AUTH_BYPASS + seed CARE_COVER permissions and admin user
e7550e0
Raw
History Blame Contribute Delete
818 Bytes
<?php
namespace App\Http\Middleware;
use App\Domain\Identity\RbacService;
use App\Shared\Http\ApiResponse;
use Closure;
use Illuminate\Http\Request;
class RequirePermission
{
public function __construct(private readonly RbacService $rbac)
{
}
public function handle(Request $request, Closure $next, string $permission)
{
// Staging bypass: skip permission check when auth bypass is active.
if (config('app.auth_bypass', false)) {
return $next($request);
}
$userId = $request->attributes->get('actor_user_id');
if ($userId === null || ! $this->rbac->can($userId, $permission)) {
return ApiResponse::error('FORBIDDEN', 'You are not authorized to perform this action.', [], 403);
}
return $next($request);
}
}