PXG_2026_API/app/Http/Middleware/EnsureAdminRole.php

<?php

namespace App\Http\Middleware;

use Closure;
use Illuminate\Http\Request;

class EnsureAdminRole
{
    public function handle(Request $request, Closure $next, ...$roles)
    {
        $user = $request->user();
        if (!$user) return response()->json(['message' => 'Unauthorized'], 401);

        if (!empty($roles)) {
            $role = $user->role ?? 'committee';
            if (!in_array($role, $roles, true)) {
                return response()->json(['message' => 'Forbidden'], 403);
            }
        }
        return $next($request);
    }
}