From 4451c889b864434e6468c662db797610367e6f2c Mon Sep 17 00:00:00 2001
From: Juan24
Date: Tue, 19 May 2026 11:00:11 -0300
Subject: [PATCH] Only enforce org check for v2 API

Make organisation access enforcement conditional on API version by defaulting $canAccessOrganisation to true and only calling canAccessOrganisation() for paths starting with 'v2/'. This avoids applying organisation-level rules to non-v2 endpoints and prevents unnecessary 403 responses for older API versions.
---
 app/Http/Middleware/ApiAuthMiddleware.php | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/app/Http/Middleware/ApiAuthMiddleware.php b/app/Http/Middleware/ApiAuthMiddleware.php
index 337c42a..991753c 100644
--- a/app/Http/Middleware/ApiAuthMiddleware.php
+++ b/app/Http/Middleware/ApiAuthMiddleware.php
@@ -44,7 +44,10 @@ public function handle($request, Closure $next)
 return response()->json(['error' => 'Application is not allowed to access this API version'], 403);
 }
 
- $canAccessOrganisation = $this->canAccessOrganisation($request->path(), (array) $application->rules);
+ $canAccessOrganisation = true;
+ if (strpos($request->path(), 'v2/') === 0) {
+ $canAccessOrganisation = $this->canAccessOrganisation($request->path(), (array) $application->rules);
+ }
 
 if (!$canAccessOrganisation) {
 return response()->json(['error' => 'Application is not allowed to access this organisation'], 403);
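Review bot: The new default `$canAccessOrganisation = true` fails open — any request whose path does not start with exactly `v2/` (a route mounted under a prefix such as `api/v2/...`, a differently-cased path, or a future v3 route) now skips the organisation rules silently instead of getting a 403, and if `$request->path()` ever returns something other than the bare `v2/...` form the check the commit message describes never runs at all. The API version is presumably already resolved for the "not allowed to access this API version" 403 a few lines above, so gating on that resolved value (or the route name) rather than a string-prefix match would keep the two checks from drifting apart. If the underlying problem is that `canAccessOrganisation()` returns false for paths that carry no organisation segment, the fix belongs inside that method so the middleware can stay fail-closed. At minimum record the intent next to the default, e.g. `// Organisation rules exist only for v2 routes; non-v2 paths intentionally skip the check (fail-open — keep in sync with the API-version gate above).` The enclosing `handle()` starts and ends outside the hunk.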