role === 'shop-owner') { return $next($request); } if (!$user->hasPermission($permission)) { abort(403, 'Unauthorized'); } return $next($request); } }