PT-14646: disable anonymous inviteUser (#66)

VirtoCommerce · Dec 4, 2023 · 0378d6f · 0378d6f
1 parent 880283e
commit 0378d6f
Showing 1 changed file with 7 additions and 5 deletions.
diff --git a/...irtoCommerce.ProfileExperienceApiModule.Data/Authorization/ProfileAuthorizationHandler.cs b/...irtoCommerce.ProfileExperienceApiModule.Data/Authorization/ProfileAuthorizationHandler.cs
@@ -169,14 +169,16 @@ protected override async Task HandleRequirementAsync(AuthorizationHandlerContext
             }
             else if (context.Resource is InviteUserCommand inviteUserCommand)
             {
-                if (!string.IsNullOrEmpty(inviteUserCommand.OrganizationId) && currentContact != null)
+                var currentUser = await userManager.FindByIdAsync(currentUserId);
+
+                if (!string.IsNullOrEmpty(inviteUserCommand.OrganizationId) && currentContact != null && currentUser != null)
                 {
-                    var currentUser = await userManager.FindByIdAsync(currentUserId);
-                    result = currentContact.Organizations.Contains(inviteUserCommand.OrganizationId) && currentUser.StoreId.EqualsInvariant(inviteUserCommand.StoreId);
+                    result = currentContact.Organizations.Contains(inviteUserCommand.OrganizationId)
+                        && currentUser.StoreId.EqualsInvariant(inviteUserCommand.StoreId);
                 }
-                else
+                else if (currentUser != null)
                 {
-                    result = true;
+                    result = currentUser.StoreId.EqualsInvariant(inviteUserCommand.StoreId);
                 }
             }
             else if (context.Resource is LockOrganizationContactCommand lockOrganizationContact)