From 38f094fb4c1259b7eaf4345644327f055f2a6409 Mon Sep 17 00:00:00 2001
From: jessevz
Date: Tue, 2 Jun 2026 16:36:03 +0200
Subject: [PATCH 1/2] Fixed apitoken permission check by correctly parsing the permissions

---
 src/inc/apiv2/auth/JWTBeforeHandler.php | 3 ++-
 src/inc/apiv2/common/AbstractBaseAPI.php | 30 ++++++++++++++----------
 2 files changed, 19 insertions(+), 14 deletions(-)

diff --git a/src/inc/apiv2/auth/JWTBeforeHandler.php b/src/inc/apiv2/auth/JWTBeforeHandler.php
index 1eaf318d4..5336e5c34 100644
--- a/src/inc/apiv2/auth/JWTBeforeHandler.php
+++ b/src/inc/apiv2/auth/JWTBeforeHandler.php
@@ -26,6 +26,7 @@ public function __invoke(ServerRequestInterface $request, array $arguments): Ser
 }
 }
 // adds the decoded userId and scope to the request attributes
- return $request->withAttribute("userId", $arguments["decoded"]["userId"])->withAttribute("scope", $arguments["decoded"]["scope"]);
+ return $request->withAttribute("userId", $arguments["decoded"]["userId"])->withAttribute("scope", $arguments["decoded"]["scope"])
+ ->withAttribute("aud", $arguments["decoded"]["aud"]);
 }
 }
\ No newline at end of file
diff --git a/src/inc/apiv2/common/AbstractBaseAPI.php b/src/inc/apiv2/common/AbstractBaseAPI.php
index ad512b51d..9a651211e 100644
--- a/src/inc/apiv2/common/AbstractBaseAPI.php
+++ b/src/inc/apiv2/common/AbstractBaseAPI.php
@@ -1091,7 +1091,7 @@ protected function makeExpandables(Request $request, array $validExpandables): a
 }
 array_push($required_perms, ...$expandedPerms);
 }
- $permissionResponse = $this->validatePermissions($request->getAttribute("scope"), $required_perms, $request->getMethod(), $permsExpandMatching);
+ $permissionResponse = $this->validatePermissions($request->getAttribute("scope"), $required_perms, $request->getMethod(), $request->getAttribute("aud"), $permsExpandMatching);
 $expands_to_remove = [];
 // remove expands with missing permissions
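Review bot: The new `$request->getAttribute("aud")` argument in the makeExpandables hunk is passed straight into a parameter declared `string $aud`, and `getAttribute()` returns null when the JWT handler never set that attribute, so such a request would die with a TypeError (HTTP 500) inside the permission check instead of being refused. Whether any route reaches makeExpandables without JWTBeforeHandler having run is not visible here, but the check should fail closed rather than crash: `$aud = $request->getAttribute("aud") ?? throw new HttpForbidden("Missing token audience");` before the call, then pass `$aud`. makeExpandables starts and ends outside this hunk.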
@@ -1406,7 +1406,7 @@ protected function processExpands(
 /**
 * Validate permissions
 */
- protected function validatePermissions(string $permissions, array $required_perms, string $method, array $permsExpandMatching = []): bool|array {
+ protected function validatePermissions(string $permissions, array $required_perms, string $method, string $aud, array $permsExpandMatching = []): bool|array {
 // Retrieve permissions from RightGroup part of the User
 if ($permissions == 'ALL') {
@@ -1417,17 +1417,21 @@ protected function validatePermissions(string $permissions, array $required_perm
 else {
 $rightgroup_perms = json_decode($permissions, true);
 }
+
+ if ($aud === "user_hashtopolis") {
+ // Validate if no undefined permissions are set in $acl_mapping for the legacy permissions
+ assert(count(array_diff(array_keys($rightgroup_perms), array_keys(self::$acl_mapping))) == 0);
+ // Create listing of available permissions for user
+ $user_available_perms = array();
+ foreach ($rightgroup_perms as $rightgroup_perm => $permission_set) {
+ if ($permission_set) {
+ $user_available_perms = array_unique(array_merge($user_available_perms, self::$acl_mapping[$rightgroup_perm]));
+ }
+ };
+ } else {
+ $user_available_perms = array_keys($rightgroup_perms, true, true);
+ }
 
- // Validate if no undefined permissions are set in $acl_mapping
- assert(count(array_diff(array_keys($rightgroup_perms), array_keys(self::$acl_mapping))) == 0);
-
- // Create listing of available permissions for user
- $user_available_perms = array();
- foreach ($rightgroup_perms as $rightgroup_perm => $permission_set) {
- if ($permission_set) {
- $user_available_perms = array_unique(array_merge($user_available_perms, self::$acl_mapping[$rightgroup_perm]));
- }
- };
 
 // Sort to display values in a unified format for user and debugging
 sort($required_perms);
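Review bot: The docblock above the new signature still reads only `Validate permissions` and says nothing about the added `$aud` parameter, although its value now decides which of two permission models is applied to the caller. A `@param` block would make the contract explicit, for example `@param string $permissions 'ALL' or the JSON scope taken from the token`, `@param string $aud token audience; "user_hashtopolis" selects the legacy rightgroup-to-permission mapping, any other value is treated as an API-token scope of permission => bool`, and `@return bool|array FALSE when a required permission is missing`. The body of validatePermissions continues in the next hunk and past it.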
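Review bot: The new API-token branch derives `$user_available_perms` with `array_keys($rightgroup_perms, true, true)` without checking that `$rightgroup_perms` is an array at all, so a scope string that `json_decode()` turns into null or a scalar raises a TypeError (HTTP 500) instead of a denial; the legacy branch's `assert()` is not a safeguard either, since assertions are commonly disabled in production, and the token branch performs no key validation whatsoever. I would reject a malformed scope through the existing `$this->permissionErrors` path and, if the value lists of `self::$acl_mapping` really enumerate the whole granular permission catalogue (inferred from the merge in the legacy branch, please confirm), restrict the token's claims to that catalogue. validatePermissions continues past the end of this hunk.
```php
} else {
    // API-token scope: must decode to a map of permission => bool.
    if (!is_array($rightgroup_perms)) {
        $this->permissionErrors[] = "Malformed permission scope";
        return FALSE;
    }
    // Only names the server knows can be granted; presumably the acl_mapping
    // value lists cover the full catalogue -- confirm before relying on it.
    $known_perms = array_unique(array_merge(...array_values(self::$acl_mapping)));
    $user_available_perms = array_values(array_intersect(
        array_keys($rightgroup_perms, true, true),
        $known_perms
    ));
}
// … unchanged: sort of required perms and comparison against available perms …
```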
@@ -1541,7 +1545,7 @@ protected function preCommon(Request $request): void {
 );
 }
- if ($this->validatePermissions($request->getAttribute("scope"), $required_perms, $request->getMethod()) === FALSE) {
+ if ($this->validatePermissions($request->getAttribute("scope"), $required_perms, $request->getMethod(), $request->getAttribute("aud")) === FALSE) {
 throw new HttpForbidden(join('||', $this->permissionErrors));
 }
 }

From 7701b21ffebbe2d5719225cb0023cb30db72c00d Mon Sep 17 00:00:00 2001
From: jessevz
Date: Tue, 2 Jun 2026 16:44:47 +0200
Subject: [PATCH 2/2] Fixed copilot suggestion

---
 src/inc/apiv2/auth/JWTBeforeHandler.php | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/src/inc/apiv2/auth/JWTBeforeHandler.php b/src/inc/apiv2/auth/JWTBeforeHandler.php
index 5336e5c34..73fc512fc 100644
--- a/src/inc/apiv2/auth/JWTBeforeHandler.php
+++ b/src/inc/apiv2/auth/JWTBeforeHandler.php
@@ -25,8 +25,9 @@ public function __invoke(ServerRequestInterface $request, array $arguments): Ser
 throw new HttpForbidden("Token is revoked");
 }
 }
- // adds the decoded userId and scope to the request attributes
+ // adds the decoded userId, scope and aud to the request attributes
+ $aud = $arguments["decoded"]["aud"] ?? "user_hashtopolis";
 return $request->withAttribute("userId", $arguments["decoded"]["userId"])->withAttribute("scope", $arguments["decoded"]["scope"])
- ->withAttribute("aud", $arguments["decoded"]["aud"]);
+ ->withAttribute("aud", $aud);
 }
 }
\ No newline at end of file
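Review bot: In the second patch, `$arguments["decoded"]["aud"] ?? "user_hashtopolis"` makes the absence of an `aud` claim silently select the legacy user branch of validatePermissions, so the token type is inferred rather than asserted and a token minted without `aud` is authorised as if it were a user token, a fail-open default on exactly the decision this series introduces. Unless legacy JWTs without `aud` must keep working (not visible here), refuse them the same way revoked tokens are refused a few lines up: `$aud = $arguments["decoded"]["aud"] ?? throw new HttpForbidden("Token has no audience");`. Note also that RFC 7519 allows `aud` to be an array of strings while validatePermissions declares `string $aud`, so an array value would end in a TypeError; an `is_string($aud)` check here would turn that into a 403 instead. The enclosing `__invoke` method starts before this hunk.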