From 0c0e014b5c7754dca268cce102621ffc0fe9a1d8 Mon Sep 17 00:00:00 2001
From: Juan24 <93536474+juanbroder24@users.noreply.github.com>
Date: Tue, 10 Mar 2026 14:56:37 -0300
Subject: [PATCH] Enforce country restrictions for WhatNow entities
Import WhatNowEntity and add a path-based check in ApiAuthMiddleware to enforce allowed country codes for WhatNow resources. The middleware matches requests to whatnow/{id} (excluding paths containing 'org/'), loads the WhatNowEntity with its organisation, and denies access if the entity or organisation is missing or the organisation's country_code is not listed in the rules['allowed_country_code'] array.
---
 app/Http/Middleware/ApiAuthMiddleware.php | 17 +++++++++++++++++
 1 file changed, 17 insertions(+)
diff --git a/app/Http/Middleware/ApiAuthMiddleware.php b/app/Http/Middleware/ApiAuthMiddleware.php
index bf23ea1..337c42a 100644
--- a/app/Http/Middleware/ApiAuthMiddleware.php
+++ b/app/Http/Middleware/ApiAuthMiddleware.php
@@ -4,6 +4,7 @@
 use App\Models\Application;
 use App\Models\UsageLog;
+use App\Models\WhatNowEntity;
 use Carbon\Carbon;
 use Closure;
 use Illuminate\Support\Facades\Log;
@@ -92,6 +93,22 @@ private function canAccessOrganisation(string $path, array $rules): bool
 }
 }
+ if (preg_match('#whatnow/(\d+)(?:/|$)#', $path, $matches) && !str_contains($path, 'org/')) {
+ if (isset($rules['allowed_country_code']) && is_array($rules['allowed_country_code'])) {
+ $whatnowId = $matches[1];
+
+ $entity = WhatNowEntity::with('organisation')->find($whatnowId);
+
+ if (!$entity || !$entity->organisation) {
+ return false;
+ }
+
+ if (!in_array($entity->organisation->country_code, $rules['allowed_country_code'])) {
+ return false;
+ }
+ }
+ }
+
 return true;
 }
 }
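Review bot: The guard `isset($rules['allowed_country_code']) && is_array($rules['allowed_country_code'])` at the top of the new block in the second hunk fails open: a rule that is present but not an array (a single string, or a mistyped config value) skips the country check entirely and the request is allowed as if no restriction existed. Since the key's presence signals that a restriction is intended, treat a malformed value as a denial, e.g. `if (array_key_exists('allowed_country_code', $rules) && !is_array($rules['allowed_country_code'])) { return false; }` ahead of the existing check, and make the membership test strict, `in_array($entity->organisation->country_code, $rules['allowed_country_code'], true)`, so loose string/number coercion cannot widen the match. The `!str_contains($path, 'org/')` exclusion is a substring test over the whole path, so any path containing `org/` after the `whatnow/{id}` segment would also bypass this check; if the intent is only to exclude the organisation-scoped routes handled earlier in this method, anchoring that exclusion to the route prefix is the safer shape. canAccessOrganisation begins outside the hunk, so I cannot see whether those routes are already covered there.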