Spaces:
Running
Running
| namespace App\Http\Middleware; | |
| use App\Domain\Identity\RbacService; | |
| use App\Shared\Http\ApiResponse; | |
| use Closure; | |
| use Illuminate\Http\Request; | |
| class RequirePermission | |
| { | |
| public function __construct(private readonly RbacService $rbac) | |
| { | |
| } | |
| public function handle(Request $request, Closure $next, string $permission) | |
| { | |
| // Staging bypass: skip permission check when auth bypass is active. | |
| if (config('app.auth_bypass', false)) { | |
| return $next($request); | |
| } | |
| $userId = $request->attributes->get('actor_user_id'); | |
| if ($userId === null || ! $this->rbac->can($userId, $permission)) { | |
| return ApiResponse::error('FORBIDDEN', 'You are not authorized to perform this action.', [], 403); | |
| } | |
| return $next($request); | |
| } | |
| } | |