Server-side authorization missing for capacity field writes
The blade template gates the capacity UI section behind Roles::admin, but the controller method that processes the form submission (likely update or a similar method) is not shown in this diff. If the server-side handler does not independently verify the caller has admin privileges before writing weekly_hours or employment_type, any authenticated user could craft a POST request to set these fields on any user (including themselves) via IDOR or direct param tampering. The buildValuesFromPost method in the diff reads these fields directly from $_POST without any ownership or role check. This would allow privilege escalation (setting employment type) and data integrity issues for downstream capacity planning.