json(['message' => 'Unauthorized.'], 401); } if ($this->allowed($user)) { return $next($request); } return response()->json(['message' => 'Forbidden.'], 403); } private function allowed(User $user): bool { $roles = $user->roles() ->pluck('roles.name') ->map(fn ($name) => strtolower((string) $name)) ->toArray(); foreach (['administrator', 'admin', 'principal', 'vice_principal', 'vice-principal'] as $role) { if (in_array($role, $roles, true)) { return true; } } foreach (['teacher', 'teacher_assistant'] as $role) { if (in_array($role, $roles, true)) { return true; } } return false; } }