IFRCGo · joseganora · Mar 6, 2026 · Mar 6, 2026 · Mar 6, 2026
diff --git a/app/Classes/RcnApi/Resources/ApplicationResource.php b/app/Classes/RcnApi/Resources/ApplicationResource.php
@@ -93,4 +93,17 @@ public function deleteApplication(int $id)
             $this->http->delete('apps/' . $id);
         });
     }
+
+    public function updateRules(int $tenantUserId, array $rules)
+    {
+        return $this->handleApiCall(function () use ($tenantUserId, $rules) {
+            $response = $this->http->post('applications/rules', [
+                'json' => [
+                    'tenant_user_id' => (string) $tenantUserId,
+                    'rules' => $rules,
+                ],
+            ]);
+            return json_decode($response->getBody()->getContents(), true);
+        });
+    }
 }
diff --git a/app/Http/Controllers/Auth/UserController.php b/app/Http/Controllers/Auth/UserController.php
@@ -366,6 +366,9 @@ public function update(Request $request, int $userId)
             'organisations' => 'array',
             'organisations.*' => 'string|distinct|min:3|max:3',
             'confirmed_role' => 'nullable|boolean',
+
+            'can_access_legacy_whatnow' => 'nullable|boolean',
+            'can_access_preparedness_v2' => 'nullable|boolean',
         ]);
 
 
@@ -402,11 +405,33 @@ public function update(Request $request, int $userId)
             'terms_version' => $termsVersion ?? null,
         ]);
 
+        // Track if access flags are being changed
+        $rulesChanged = $request->has('can_access_legacy_whatnow') || $request->has('can_access_preparedness_v2');
+
+        // Apply access flags directly to user model before saving
+        if ($request->has('can_access_legacy_whatnow')) {
+            $user->can_access_legacy_whatnow = (bool) $request->get('can_access_legacy_whatnow');
+        }
+        if ($request->has('can_access_preparedness_v2')) {
+            $user->can_access_preparedness_v2 = (bool) $request->get('can_access_preparedness_v2');
+        }
+
         $user = $this->users->updateUser($user, $input);
         $user->load('organisations');
 
         event(new UserUpdated($user));
 
+        // Call external API if access flags changed
+        if ($rulesChanged) {
+            try {
+                $this->rcnApiClient->application()->updateRules($user->id, [
+                    'can_access_legacy_whatnow' => (bool) $user->can_access_legacy_whatnow,
+                    'can_access_preparedness_v2' => (bool) $user->can_access_preparedness_v2,
+                ]);
+            } catch (\Exception $e) {
+                Log::error('Failed to update rules for user ' . $user->id . ': ' . $e->getMessage());
+            }
+        }
 
         return UserResource::make($user);
     }

diff --git a/app/Http/Resources/UserResource.php b/app/Http/Resources/UserResource.php
@@ -7,7 +7,7 @@
 
 class UserResource extends Resource
 {
-    
+
     public function toArray($request)
     {
         $user = [
@@ -20,6 +20,8 @@ public function toArray($request)
             'created_at' => $this->created_at->format('c'),
             'user_profile' => UserProfileResource::make($this->userProfile),
             'confirmed_role' => $this->confirmed_role,
+            'can_access_legacy_whatnow' => (bool) $this->can_access_legacy_whatnow,
+            'can_access_preparedness_v2' => (bool) $this->can_access_preparedness_v2,
         ];
 
         $roles = $this->whenLoaded('roles');

diff --git a/app/Models/Access/User/User.php b/app/Models/Access/User/User.php
@@ -17,69 +17,72 @@ class User extends Authenticatable implements JWTSubject
         SoftDeletes,
         UserAccess,
         UserRelationship;
-    
-    
+
+
     protected $fillable = [
-        'email', 'password', 'confirmation_code', 'confirmed_role'
+        'email', 'password', 'confirmation_code', 'confirmed_role',
+        'can_access_legacy_whatnow', 'can_access_preparedness_v2',
     ];
 
-    
+
     protected $casts = [
         'activated' => 'boolean',
         'confirmed' => 'boolean',
         'confirmed_role' => 'boolean',
+        'can_access_legacy_whatnow' => 'boolean',
+        'can_access_preparedness_v2' => 'boolean',
     ];
 
-    
+
     protected $attributes = [
         'activated' => true
     ];
 
-    
+
     protected $dates = ['deleted_at', 'password_updated_at', 'created_at', 'updated_at', 'last_logged_in_at'];
 
-    
+
     protected $hidden = [
         'password', 'remember_token',
     ];
 
-    
+
     protected $appends = [
         'photo_url',
     ];
 
-    
+
     protected $with = [
         'userProfile'
     ];
 
-    
+
     public function getPhotoUrlAttribute()
     {
         return 'https://www.gravatar.com/avatar/'.md5(strtolower($this->email)).'.jpg?s=200&d=mm';
     }
 
-    
+
     public function oauthProviders()
     {
         return $this->hasMany(OAuthProvider::class);
     }
 
-    
+
     public function getJWTIdentifier()
     {
         return $this->getKey();
     }
 
-    
+
     public function getJWTCustomClaims()
     {
         return [
             'permissions' => $this->getPermissions()
         ];
     }
 
-    
+
     public function hasSetOwnPassword()
     {
         return !is_null($this->password_updated_at);
@@ -97,13 +100,13 @@ public function confirm()
         $this->save();
     }
 
-    
+
     public function isConfirmed()
     {
         return $this->confirmed === true;
     }
 
-    
+
     public function isActive()
     {
         return $this->activated === true;

diff --git a/config/cors.php b/config/cors.php
@@ -1,13 +1,9 @@
 <?php
 
 return [
-
-
     'cors_profile' => Spatie\Cors\CorsProfile\DefaultProfile::class,
 
-
     'default_profile' => [
-
         'allow_origins' => [
             '*',
         ],
@@ -26,9 +22,10 @@
             'X-Auth-Token',
             'Origin',
             'Authorization',
+            'x-api-key',
         ],
 
-        
+
         'max_age' => 60 * 60 * 24,
     ],
 ];
diff --git a/database/migrations/2026_03_04_000000_add_access_flags_to_users_table.php b/database/migrations/2026_03_04_000000_add_access_flags_to_users_table.php
@@ -0,0 +1,34 @@
+<?php
+
+use Illuminate\Support\Facades\Schema;
+use Illuminate\Database\Schema\Blueprint;
+use Illuminate\Database\Migrations\Migration;
+
+class AddAccessFlagsToUsersTable extends Migration
+{
+    /**
+     * Run the migrations.
+     *
+     * @return void
+     */
+    public function up()
+    {
+        Schema::table('users', function (Blueprint $table) {
+            $table->boolean('can_access_legacy_whatnow')->default(false)->after('confirmed_role');
+            $table->boolean('can_access_preparedness_v2')->default(false)->after('can_access_legacy_whatnow');
+        });
+    }
+
+    /**
+     * Reverse the migrations.
+     *
+     * @return void
+     */
+    public function down()
+    {
+        Schema::table('users', function (Blueprint $table) {
+            $table->dropColumn(['can_access_legacy_whatnow', 'can_access_preparedness_v2']);
+        });
+    }
+}
+
diff --git a/resources/assets/js/pages/users/edit.vue b/resources/assets/js/pages/users/edit.vue
@@ -227,6 +227,42 @@
           </b-card>
         </b-col>
          </b-row>
+      <hr>
+         <b-row class="pl-4 pr-4 pb-4 pt-3 bg-white" v-if="!isMe && can(authUser, permissions.USERS_EDIT)">
+            <b-col>
+              <h3 class="styled-heading text-uppercase">
+                {{ $t('users.edit.access_permissions') }}
+              </h3>
+              <b-card class="bg-grey">
+                <b-row class="mb-3">
+                  <b-col cols="12">
+                    <div class="d-flex align-items-center mb-3">
+                      <b-form-checkbox
+                        v-model="user.can_access_legacy_whatnow"
+                        switch
+                        size="lg"
+                        class="mr-3"
+                        :class="{ 'switch-active': user.can_access_legacy_whatnow }"
+                      >
+                        <strong>{{ $t('users.edit.can_access_legacy_whatnow') }}</strong>
+                      </b-form-checkbox>
+                    </div>
+                    <div class="d-flex align-items-center">
+                      <b-form-checkbox
+                        v-model="user.can_access_preparedness_v2"
+                        switch
+                        size="lg"
+                        class="mr-3"
+                        :class="{ 'switch-active': user.can_access_preparedness_v2 }"
+                      >
+                        <strong>{{ $t('users.edit.can_access_preparedness_v2') }}</strong>
+                      </b-form-checkbox>
+                    </div>
+                  </b-col>
+                </b-row>
+              </b-card>
+            </b-col>
+         </b-row>
       <hr>
          <b-row class="pl-4 pr-4 pb-4 pt-3 bg-white" v-if="can(authUser, permissions.CONTENT_EDIT)">
             <b-col>
@@ -390,7 +426,9 @@ export default {
         activated: null,
         organisations: [],
         permissions: [],
-        api_used_in: ''
+        api_used_in: '',
+        can_access_legacy_whatnow: false,
+        can_access_preparedness_v2: false
       },
       societies: {
         selectedSoc: null,
@@ -484,7 +522,9 @@ export default {
         const changes = {
           first_name: this.user.first_name,
           last_name: this.user.last_name,
-          organisations: this.user.organisations
+          organisations: this.user.organisations,
+          can_access_legacy_whatnow: this.user.can_access_legacy_whatnow,
+          can_access_preparedness_v2: this.user.can_access_preparedness_v2
         }
 
         if (this.user.api_used_in && this.user.api_used_in.length > 0) {
@@ -544,7 +584,9 @@ export default {
         id: user.id,
         organisations: user.organisations,
         permissions: user.role.permissions,
-        api_used_in: user.user_profile.api_used_in
+        api_used_in: user.user_profile.api_used_in,
+        can_access_legacy_whatnow: !!user.can_access_legacy_whatnow,
+        can_access_preparedness_v2: !!user.can_access_preparedness_v2
       }
     },
     async resendActivation () {
@@ -685,4 +727,9 @@ export default {
   border-radius: 10px;
   padding: 0.5rem;
 }
+
+.switch-active >>> .custom-control-input:checked ~ .custom-control-label::before {
+  background-color: #f6333f;
+  border-color: #f6333f;
+}
 </style>
diff --git a/resources/lang/am.json b/resources/lang/am.json
@@ -379,7 +379,10 @@
       "less": "ያነሰ አሳይ",
       "user_can_do": "ተጠቃሚው ምን የማድረግ ፈቃድ እንዳለው ይመልከቱ:",
       "user_no_permission": "ተጠቃሚው ምንም ፈቃዶች አላገኘም",
-      "soc_already_added": "ይህ ተጠቃሚ አስቀድሞ ለዚህ ማህበር ተመድቧል"
+      "soc_already_added": "ይህ ተጠቃሚ አስቀድሞ ለዚህ ማህበር ተመድቧል",
+      "access_permissions": "የመዳረሻ ፈቃዶች",
+      "can_access_legacy_whatnow": "ቀደምት WhatNow መዳረስ ይችላል",
+      "can_access_preparedness_v2": "Preparedness v2 መዳረስ ይችላል"
     }
   },
   "new_welcome": {

diff --git a/resources/lang/ar.json b/resources/lang/ar.json
@@ -388,7 +388,10 @@
       "less": "عرض أقل",
       "user_can_do": "عرض الصلاحيات الممنوحة للمستخدم:",
       "user_no_permission": "المستخدم ليس لديه أي صلاحيات",
-      "soc_already_added": "تم تعيين هذه الجمعية لهذا المستخدم بالفعل"
+      "soc_already_added": "تم تعيين هذه الجمعية لهذا المستخدم بالفعل",
+      "access_permissions": "أذونات الوصول",
+      "can_access_legacy_whatnow": "يمكن الوصول إلى WhatNow القديم",
+      "can_access_preparedness_v2": "يمكن الوصول إلى Preparedness v2"
     }
   },
   "new_welcome": {