fix: remove explicit org check in instancesController

src/Storage/Altinn.Platform.Storage.csproj

@@ -18,7 +18,7 @@
     <PackageReference Include="Azure.Identity" Version="1.13.1" />
     <PackageReference Include="Azure.Security.KeyVault.Secrets" Version="4.7.0" />
     <PackageReference Include="Azure.Storage.Blobs" Version="12.23.0" />
-    <PackageReference Include="Altinn.Common.PEP" Version="4.1.1" />
+    <PackageReference Include="Altinn.Common.PEP" Version="4.1.2" />
     <PackageReference Include="Azure.Storage.Queues" Version="12.21.0" />
 
     <PackageReference Include="JWTCookieAuthentication" Version="3.0.1" />

src/Storage/Controllers/InstancesController.cs

@@ -118,12 +118,25 @@ public async Task<ActionResult<QueryResponse<Instance>>> GetInstances(InstanceQu
                 {
                     queryParameters.Org = queryParameters.AppId.Split('/')[0];
                 }
-
+                
                 if (!orgClaim.Equals(queryParameters.Org, StringComparison.InvariantCultureIgnoreCase))
                 {
-                    return Forbid();
-                }
-
+                    if (string.IsNullOrEmpty(queryParameters.AppId))
+                    {
+                        return BadRequest("AppId must be defined.");
+                    }
+
+                    var appId = ValidateAppId(queryParameters.AppId).Split("/")[1];
+
+                    XacmlJsonRequestRoot request = DecisionHelper.CreateDecisionRequest(queryParameters.Org, appId, HttpContext.User, "read");
+                    XacmlJsonResponse response = await _authorizationService.GetDecisionForRequest(request);
+
+                    if (!DecisionHelper.ValidatePdpDecision(response?.Response, HttpContext.User))
+                    {
+                        return Forbid();
+                    }
+                } 
+
                 appOwnerRequestingInstances = true;
             }
             else if (userId != null)