From 0378d6fe08dabc0b6dd4b4c62fb3f59fb7c0b35c Mon Sep 17 00:00:00 2001
From: Konstantin Savosteev
Date: Mon, 4 Dec 2023 13:00:49 +0200
Subject: [PATCH] PT-14646: disable anonymous inviteUser (#66)

---
 .../Authorization/ProfileAuthorizationHandler.cs | 12 +++++++-----
 1 file changed, 7 insertions(+), 5 deletions(-)

diff --git a/src/VirtoCommerce.ProfileExperienceApiModule.Data/Authorization/ProfileAuthorizationHandler.cs b/src/VirtoCommerce.ProfileExperienceApiModule.Data/Authorization/ProfileAuthorizationHandler.cs
index a4331017..573dbd89 100644
--- a/src/VirtoCommerce.ProfileExperienceApiModule.Data/Authorization/ProfileAuthorizationHandler.cs
+++ b/src/VirtoCommerce.ProfileExperienceApiModule.Data/Authorization/ProfileAuthorizationHandler.cs
@@ -169,14 +169,16 @@ protected override async Task HandleRequirementAsync(AuthorizationHandlerContext
 }
 else if (context.Resource is InviteUserCommand inviteUserCommand)
 {
- if (!string.IsNullOrEmpty(inviteUserCommand.OrganizationId) && currentContact != null)
+ var currentUser = await userManager.FindByIdAsync(currentUserId);
+
+ if (!string.IsNullOrEmpty(inviteUserCommand.OrganizationId) && currentContact != null && currentUser != null)
 {
- var currentUser = await userManager.FindByIdAsync(currentUserId);
- result = currentContact.Organizations.Contains(inviteUserCommand.OrganizationId) && currentUser.StoreId.EqualsInvariant(inviteUserCommand.StoreId);
+ result = currentContact.Organizations.Contains(inviteUserCommand.OrganizationId)
+ && currentUser.StoreId.EqualsInvariant(inviteUserCommand.StoreId);
 }
- else
+ else if (currentUser != null)
 {
- result = true;
+ result = currentUser.StoreId.EqualsInvariant(inviteUserCommand.StoreId);
 }
 }
 else if (context.Resource is LockOrganizationContactCommand lockOrganizationContact)
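Review bot: The new `else if (currentUser != null)` fallback still grants the invite when `inviteUserCommand.OrganizationId` is set but `currentContact` is null, because the first branch only handles the case where OrganizationId, currentContact and currentUser are all present; an authenticated user without a contact record can therefore invite into any organization as long as the StoreId matches, which is the same over-grant the old `result = true` had, just narrowed by store. Restrict the fallback to non-organization invites, `else if (currentUser != null && string.IsNullOrEmpty(inviteUserCommand.OrganizationId))`, so an organization invite whose membership cannot be verified is denied instead of falling through. It is also worth confirming that `userManager.FindByIdAsync(currentUserId)` tolerates a null or empty `currentUserId` for anonymous callers, since the lookup is now made unconditionally before any guard. HandleRequirementAsync and the initialisation of `result`, `currentUserId` and `currentContact` lie outside this hunk.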