From 1f0c08ee2ae92bc370a79970b15ba65534f68bdf Mon Sep 17 00:00:00 2001
From: James Cross
Date: Tue, 27 Jan 2026 14:43:25 +0000
Subject: [PATCH] fix(auth): allow POST method for organisation-specific access checks
---
 src/middleware/authMiddleware.ts | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/middleware/authMiddleware.ts b/src/middleware/authMiddleware.ts
index fdcb957..c70d0d5 100644
--- a/src/middleware/authMiddleware.ts
+++ b/src/middleware/authMiddleware.ts
@@ -396,7 +396,7 @@ export const requireOrganisationAccess = asyncHandler(async (req: Request, res:
 // For operations on specific organisations, check access based on role
 const organisationId = req.params.id;
- if (organisationId && (req.method === HTTP_METHODS.GET || req.method === HTTP_METHODS.PUT || req.method === HTTP_METHODS.PATCH || req.method === HTTP_METHODS.DELETE)) {
+ if (organisationId && (req.method === HTTP_METHODS.GET || req.method === HTTP_METHODS.POST || req.method === HTTP_METHODS.PUT || req.method === HTTP_METHODS.PATCH || req.method === HTTP_METHODS.DELETE)) {
 const organisation = await Organisation.findById(organisationId).lean();
 if (!organisation) {
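Review bot: The per-organisation check on the changed `if` line is still gated on an enumerated list of HTTP methods, so a request that carries `req.params.id` with any verb not in the list (HEAD or OPTIONS, for example) skips the organisation lookup and whatever role check follows it. That is the same fail-open shape that left POST unchecked before this commit. Unless some route relies on an `:id` request passing without the check, the guard should depend only on the id being present: `if (organisationId) {`. The body of `requireOrganisationAccess` starts and ends outside the hunk, so what happens when the condition is false is not visible here and should be confirmed. A regression test asserting that a POST to an organisation-scoped route is rejected for a non-member would pin the behaviour.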