more fixes

app/Http/Middleware/ConditionalCors.php

@@ -0,0 +1,34 @@
+<?php
+
+namespace App\Http\Middleware;
+
+use Closure;
+use Illuminate\Http\Middleware\HandleCors as BaseHandleCors;
+use Illuminate\Http\Request;
+
+class ConditionalCors
+{
+    /**
+     * Handle an incoming request.
+     */
+    public function handle(Request $request, Closure $next)
+    {
+        $paths = config('cors.paths', null);
+
+        // If paths are empty the CORS config intentionally disables CORS.
+        if (is_array($paths) && count($paths) === 0) {
+            return $next($request);
+        }
+
+        // Fallback to env if config wasn't populated for some reason.
+        $enabled = env('CP_ENABLE_CORS', true);
+
+        if (! $enabled) {
+            return $next($request);
+        }
+
+        $handler = app(BaseHandleCors::class);
+
+        return $handler->handle($request, $next);
+    }
+}

app/Http/Middleware/EnsureCreatorAccess.php

@@ -0,0 +1,29 @@
+<?php
+
+declare(strict_types=1);
+
+namespace App\Http\Middleware;
+
+use Closure;
+use Illuminate\Http\Request;
+use Symfony\Component\HttpFoundation\Response;
+
+class EnsureCreatorAccess
+{
+    public function handle(Request $request, Closure $next): Response
+    {
+        $user = $request->user();
+        if ($user === null) {
+            abort(403, 'Authentication required.');
+        }
+
+        $role = strtolower((string) ($user->role ?? 'user'));
+        $isCreatorRole = in_array($role, ['creator', 'user', 'admin', 'moderator', 'mod'], true);
+
+        if (! $isCreatorRole || (property_exists($user, 'is_active') && $user->is_active === false)) {
+            abort(403, 'Creator access is required.');
+        }
+
+        return $next($request);
+    }
+}