attributes->get('actor_user_id'); if ($userId === null || ! $this->rbac->can($userId, $permission)) { return ApiResponse::error('FORBIDDEN', 'You are not authorized to perform this action.', [], 403); } return $next($request); } }