2024-12-09 09:28:34 +00:00
< ? php
namespace App\Http\Middleware ;
use Laravel\Sanctum\Http\Middleware\CheckForAnyAbility ;
class ApiAbility extends CheckForAnyAbility
{
2026-02-27 10:41:01 +00:00
/**
* Permissions that only admins / owners may use .
*/
private const MEMBER_DISALLOWED_ABILITIES = [
'root' ,
'write' ,
'write:sensitive' ,
'deploy' ,
'read:sensitive' ,
];
2024-12-09 09:28:34 +00:00
public function handle ( $request , $next , ... $abilities )
{
try {
2026-02-27 10:41:01 +00:00
$token = $request -> user () -> currentAccessToken ();
2026-02-27 21:42:48 +00:00
$teamId = data_get ( $token , 'team_id' );
2026-02-27 10:41:01 +00:00
2026-02-27 21:42:48 +00:00
if ( $teamId !== null && ! $request -> user () -> isAdminOfTeam (( int ) $teamId )) {
2026-02-27 10:41:01 +00:00
$tokenAbilities = $token -> abilities ? ? [];
$disallowed = array_intersect ( $tokenAbilities , self :: MEMBER_DISALLOWED_ABILITIES );
if ( ! empty ( $disallowed )) {
return response () -> json ([
'message' => 'This API token has permissions (' . implode ( ', ' , $disallowed ) . ') that exceed your current role as a team member. Members are restricted to read-only API access. Please revoke this token and create a new one with only read permissions.' ,
], 403 );
}
}
2024-12-09 09:52:38 +00:00
if ( $request -> user () -> tokenCan ( 'root' )) {
return $next ( $request );
}
2024-12-09 09:28:34 +00:00
return parent :: handle ( $request , $next , ... $abilities );
} catch ( \Illuminate\Auth\AuthenticationException $e ) {
return response () -> json ([
'message' => 'Unauthenticated.' ,
], 401 );
} catch ( \Exception $e ) {
return response () -> json ([
'message' => 'Missing required permissions: ' . implode ( ', ' , $abilities ),
], 403 );
}
}
}