PT-14646: disable anonymous inviteUser (#66)

VirtoCommerce · Dec 4, 2023 · 05916be · 05916be
1 parent 9a05fa2
commit 05916be
Showing 1 changed file with 10 additions and 1 deletion.
diff --git a/...irtoCommerce.ProfileExperienceApiModule.Data/Authorization/ProfileAuthorizationHandler.cs b/...irtoCommerce.ProfileExperienceApiModule.Data/Authorization/ProfileAuthorizationHandler.cs
@@ -170,7 +170,16 @@ protected override async Task HandleRequirementAsync(AuthorizationHandlerContext
             else if (context.Resource is InviteUserCommand inviteUserCommand && currentContact != null)
             {
                 var currentUser = await userManager.FindByIdAsync(currentUserId);
-                result = currentContact.Organizations.Contains(inviteUserCommand.OrganizationId) && currentUser.StoreId.EqualsInvariant(inviteUserCommand.StoreId);
+
+                if (!string.IsNullOrEmpty(inviteUserCommand.OrganizationId) && currentContact != null && currentUser != null)
+                {
+                    result = currentContact.Organizations.Contains(inviteUserCommand.OrganizationId)
+                        && currentUser.StoreId.EqualsInvariant(inviteUserCommand.StoreId);
+                }
+                else if (currentUser != null)
+                {
+                    result = currentUser.StoreId.EqualsInvariant(inviteUserCommand.StoreId);
+                }
             }
             else if (context.Resource is LockOrganizationContactCommand lockOrganizationContact)
             {