From 4e678a3b0d46c608f1d26993e40a728217e5ab9d Mon Sep 17 00:00:00 2001
From: Jose Ignacio Ganora
Date: Mon, 9 Mar 2026 14:17:04 -0300
Subject: [PATCH] Restriction on middleware to reject if allowed_country_code is set and the requested country code is out of the allowed country_codes
---
 app/Http/Middleware/ApiAuthMiddleware.php | 23 +++++++++++++++++++++++
 1 file changed, 23 insertions(+)
diff --git a/app/Http/Middleware/ApiAuthMiddleware.php b/app/Http/Middleware/ApiAuthMiddleware.php
index 72cdc81..bf23ea1 100644
--- a/app/Http/Middleware/ApiAuthMiddleware.php
+++ b/app/Http/Middleware/ApiAuthMiddleware.php
@@ -43,6 +43,12 @@ public function handle($request, Closure $next)
 return response()->json(['error' => 'Application is not allowed to access this API version'], 403);
 }
+ $canAccessOrganisation = $this->canAccessOrganisation($request->path(), (array) $application->rules);
+
+ if (!$canAccessOrganisation) {
+ return response()->json(['error' => 'Application is not allowed to access this organisation'], 403);
+ }
+
 $usageLog = new UsageLog;
 $usageLog->application_id = $application->id;
 $usageLog->method = $request->method();
@@ -71,4 +77,21 @@ private function canAccessRequestedVersion(string $path, array $rules): bool
 return true;
 }
+
+ private function canAccessOrganisation(string $path, array $rules): bool
+ {
+ // Check if accessing org/{code}/whatnow endpoint
+ if (preg_match('#org/([^/]+)/whatnow#', $path, $matches)) {
+ $orgCode = $matches[1];
+
+ // If allowed_country_code is defined in rules, check if this org is restricted
+ if (isset($rules['allowed_country_code']) && is_array($rules['allowed_country_code'])) {
+ if (!in_array($orgCode, $rules['allowed_country_code'])) {
+ return false;
+ }
+ }
+ }
+
+ return true;
+ }
 }
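Review bot: `canAccessOrganisation` fails open when `allowed_country_code` is present but not an array — a single code stored as a string passes `isset`, fails `is_array`, and the request is allowed with no restriction at all — and the `in_array` call is non-strict; change the guard to `if (isset($rules['allowed_country_code'])) {` and the membership test to `if (!in_array($orgCode, (array) $rules['allowed_country_code'], true)) {`. The pattern is also unanchored, so `org/x/whatnow` is matched anywhere in the path, including as a prefix of a longer final segment; `'#(?:^|/)org/([^/]+)/whatnow(?:/|$)#'` restricts it to whole segments without assuming a fixed prefix before `org/`. Since the comparison is made on `$request->path()` rather than on the bound route parameter, it is worth confirming that the value checked here is the same decoded value the router binds for `{code}`, and, if this middleware runs after route resolution, reading that parameter instead so the two cannot diverge. The calling code in `handle` (first hunk) starts outside the hunk.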