user()->currentAccessToken(); $hasTokenPermission = $token->can('root') || $token->can('read:sensitive'); $teamId = (int) data_get($token, 'team_id'); $isAdmin = $teamId ? $request->user()->isAdminOfTeam($teamId) : false; // Allow access to sensitive data only if token has permission AND user is admin/owner $request->attributes->add([ 'can_read_sensitive' => $hasTokenPermission && $isAdmin, ]); return $next($request); } }