dbarzin · dbarzin · Feb 2, 2026 · Feb 2, 2026
diff --git a/app/Http/Controllers/API/ControlController.php b/app/Http/Controllers/API/ControlController.php
@@ -14,7 +14,7 @@ class ControlController extends Controller
 {
     public function index()
     {
-        abort_if(Auth::User()->role !== 4, Response::HTTP_FORBIDDEN, '403 Forbidden');
+        abort_if(!Auth::User()->isAPI(), Response::HTTP_FORBIDDEN, '403 Forbidden');
 
         $activities = Control::all();
 
@@ -23,7 +23,7 @@ public function index()
 
     public function store(Request $request)
     {
-        abort_if(Auth::User()->role !== 4, Response::HTTP_FORBIDDEN, '403 Forbidden');
+        abort_if(!Auth::User()->isAPI(), Response::HTTP_FORBIDDEN, '403 Forbidden');
 
         $control = Control::create($request->all());
 
@@ -50,14 +50,16 @@ public function store(Request $request)
 
     public function show(Control $control)
     {
-        abort_if(Auth::User()->role !== 4, Response::HTTP_FORBIDDEN, '403 Forbidden');
+        abort_if(!Auth::User()->isAPI(), Response::HTTP_FORBIDDEN, '403 Forbidden');
+
+        $control['measures'] = $control->measures()->pluck('id');
 
         return response()->json($control);
     }
 
     public function update(Request $request, Control $control)
     {
-        abort_if(Auth::User()->role !== 4, Response::HTTP_FORBIDDEN, '403 Forbidden');
+        abort_if(!Auth::User()->isAPI(), Response::HTTP_FORBIDDEN, '403 Forbidden');
 
         $control->update($request->all());
 
@@ -84,7 +86,7 @@ public function update(Request $request, Control $control)
 
     public function destroy(Control $control)
     {
-        abort_if(Auth::User()->role !== 4, Response::HTTP_FORBIDDEN, '403 Forbidden');
+        abort_if(!Auth::User()->isAPI(), Response::HTTP_FORBIDDEN, '403 Forbidden');
 
         $control->measures()->detach();
         $control->delete();

diff --git a/app/Http/Controllers/API/MeasureController.php b/app/Http/Controllers/API/MeasureController.php
@@ -12,7 +12,7 @@ class MeasureController extends Controller
 {
     public function index()
     {
-        abort_if(Auth::User()->isAPI(), Response::HTTP_FORBIDDEN, '403 Forbidden');
+        abort_if(!Auth::User()->isAPI(), Response::HTTP_FORBIDDEN, '403 Forbidden');
 
         $measures = Measure::all();
 
@@ -21,7 +21,7 @@ public function index()
 
     public function store(Request $request)
     {
-        abort_if(Auth::User()->isAPI(), Response::HTTP_FORBIDDEN, '403 Forbidden');
+        abort_if(!Auth::User()->isAPI(), Response::HTTP_FORBIDDEN, '403 Forbidden');
 
         $measure = Measure::query()->create($request->all());
         if ($request->has('controls')) {
@@ -33,14 +33,16 @@ public function store(Request $request)
 
     public function show(Measure $measure)
     {
-        abort_if(Auth::User()->isAPI(), Response::HTTP_FORBIDDEN, '403 Forbidden');
+        abort_if(!Auth::User()->isAPI(), Response::HTTP_FORBIDDEN, '403 Forbidden');
+
+        $measure['controls'] = $measure->controls()->pluck('id');
 
         return response()->json($measure);
     }
 
     public function update(Request $request, Measure $measure)
     {
-        abort_if(Auth::User()->isAPI(), Response::HTTP_FORBIDDEN, '403 Forbidden');
+        abort_if(!Auth::User()->isAPI(), Response::HTTP_FORBIDDEN, '403 Forbidden');
 
         $measure->update($request->all());
         if ($request->has('controls')) {
@@ -52,7 +54,7 @@ public function update(Request $request, Measure $measure)
 
     public function destroy(Measure $measure)
     {
-        abort_if(Auth::User()->isAPI(), Response::HTTP_FORBIDDEN, '403 Forbidden');
+        abort_if(!Auth::User()->isAPI(), Response::HTTP_FORBIDDEN, '403 Forbidden');
 
         $measure->delete();