From 6851198cd6805c60490328a295a91d2be04e46fa Mon Sep 17 00:00:00 2001
From: Konstantin Savosteev
Date: Mon, 4 Dec 2023 13:00:49 +0200
Subject: [PATCH] PT-14646: disable anonymous inviteUser (#66)
---
 .../Authorization/ProfileAuthorizationHandler.cs | 11 ++++++++++-
 1 file changed, 10 insertions(+), 1 deletion(-)
diff --git a/src/VirtoCommerce.ProfileExperienceApiModule.Data/Authorization/ProfileAuthorizationHandler.cs b/src/VirtoCommerce.ProfileExperienceApiModule.Data/Authorization/ProfileAuthorizationHandler.cs
index af7122f0..1ad1303b 100644
--- a/src/VirtoCommerce.ProfileExperienceApiModule.Data/Authorization/ProfileAuthorizationHandler.cs
+++ b/src/VirtoCommerce.ProfileExperienceApiModule.Data/Authorization/ProfileAuthorizationHandler.cs
@@ -170,7 +170,16 @@ protected override async Task HandleRequirementAsync(AuthorizationHandlerContext
 else if (context.Resource is InviteUserCommand inviteUserCommand && currentContact != null)
 {
 var currentUser = await userManager.FindByIdAsync(currentUserId);
- result = currentContact.Organizations.Contains(inviteUserCommand.OrganizationId) && currentUser.StoreId.EqualsInvariant(inviteUserCommand.StoreId);
+
+ if (!string.IsNullOrEmpty(inviteUserCommand.OrganizationId) && currentContact != null && currentUser != null)
+ {
+ result = currentContact.Organizations.Contains(inviteUserCommand.OrganizationId)
+ && currentUser.StoreId.EqualsInvariant(inviteUserCommand.StoreId);
+ }
+ else if (currentUser != null)
+ {
+ result = currentUser.StoreId.EqualsInvariant(inviteUserCommand.StoreId);
+ }
 }
 else if (context.Resource is LockOrganizationContactCommand lockOrganizationContact)
 {
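Review bot: In the new `else if (currentUser != null)` branch, an InviteUserCommand with an empty OrganizationId is authorized on the store match alone, so the organization-membership check is skipped whenever the caller leaves that field out. If inviting without an organization is meant to be open to every signed-in contact of the store, record that above the branch, e.g. `// No organization requested: any contact of the same store may invite`; if it is not intended, this path should leave `result` false or require an explicit permission. The `currentContact != null` test inside the first `if` repeats the enclosing `else if` condition and can be dropped, leaving `if (!string.IsNullOrEmpty(inviteUserCommand.OrganizationId) && currentUser != null)`. HandleRequirementAsync starts and ends outside the hunk, so the initial value of `result` and the outcome for a caller with no contact could not be checked from here.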