From ddd199ac5c02cdc24bfb8ae851376291dd23919e Mon Sep 17 00:00:00 2001 From: Edwin Obando Date: Tue, 21 May 2024 20:14:19 -0500 Subject: [PATCH] fix: only admin users, cross-account token and empty response --- dotnet/GraphQL/Query.cs | 28 +++++++++++++++++++++---- dotnet/Models/ValidatedUser.cs | 3 +++ dotnet/Services/ProductReviewService.cs | 2 +- 3 files changed, 28 insertions(+), 5 deletions(-) diff --git a/dotnet/GraphQL/Query.cs b/dotnet/GraphQL/Query.cs index c323e15e..337172be 100644 --- a/dotnet/GraphQL/Query.cs +++ b/dotnet/GraphQL/Query.cs @@ -49,11 +49,31 @@ public Query(IProductReviewService productReviewService) string orderBy = context.GetArgument("orderBy"); string status = context.GetArgument("status"); - HttpStatusCode isAdminAuthUser = await productReviewService.IsAdminAuthUser(); - - if (isAdminAuthUser != HttpStatusCode.OK) + if (string.IsNullOrEmpty(status) || (!string.IsNullOrEmpty(status) && status.Equals("false"))) { - status = "true"; + HttpStatusCode isAdminAuthUser = await productReviewService.IsAdminAuthUser(); + + if (isAdminAuthUser != HttpStatusCode.OK) + { + if (string.IsNullOrEmpty(status)) + { + status = "true"; + } + else + { + return new SearchResponse + { + Data = new DataElement { data = new List() }, + Range = new SearchRange + { + Total = 0, + From = 0, + To = 0 + } + }; + } + + } } var searchResult = await productReviewService.GetReviews(searchTerm, from, to, orderBy, status); diff --git a/dotnet/Models/ValidatedUser.cs b/dotnet/Models/ValidatedUser.cs index ca61fd83..4aee43c2 100644 --- a/dotnet/Models/ValidatedUser.cs +++ b/dotnet/Models/ValidatedUser.cs @@ -9,5 +9,8 @@ public class ValidatedUser public string AuthStatus { get; set; } public string Id { get; set; } public string User { get; set; } // email + public string Account { get; set; } + public string Audience { get; set; } + public string TokenType { get; set; } } } 
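Review bot: The gate on the new `if` only fires for an empty status or the exact lowercase string `"false"`; any other spelling a non-admin sends — `"False"`, `"FALSE"`, `"0"`, `"false "` — skips the admin check entirely and is forwarded to `GetReviews` unchanged, whose treatment of such values is not visible here. Since the intent is that only admins may see anything but approved reviews, allow-list the one public value instead of deny-listing one spelling: `if (!string.Equals(status, "true", StringComparison.Ordinal))` in place of the compound condition, keeping the inner branches as they are, so every non-canonical value from a non-admin lands in the empty-response branch rather than reaching the service. The `!string.IsNullOrEmpty(status) &&` clause in the current condition is redundant in any case, because `||` already short-circuits on the empty case. Consider also whether a silent 200 with an empty result set is the right signal for a rejected request, or whether an explicit authorization error would serve clients better. The enclosing resolver starts before the hunk.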
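Review bot: The three new properties on `ValidatedUser` carry no documentation, and nothing in the model says which values they are expected to hold or who consumes them; `Account` and `Audience` are compared in `IsAdminAuthUser` against the current VTEX account and the literal `"admin"`, while `TokenType` is not read anywhere in this change. Add XML doc comments such as `/// <summary>Account the token was issued for; must match the account handling the request.</summary>` and `/// <summary>Token audience; admin access requires the value "admin".</summary>`, and either document what `TokenType` is for or drop it until it is used. All three are `string` properties with no initializer, so they default to null when the validation payload omits them, and consumers must treat a missing value as not-authorized rather than dereferencing it.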
diff --git a/dotnet/Services/ProductReviewService.cs b/dotnet/Services/ProductReviewService.cs index baf1c4a1..4a39ce59 100644 --- a/dotnet/Services/ProductReviewService.cs +++ b/dotnet/Services/ProductReviewService.cs @@ -709,7 +709,7 @@ public async Task IsAdminAuthUser() return HttpStatusCode.BadRequest; } - bool hasAdminPermission = validatedAdminUser != null && validatedAdminUser.AuthStatus.Equals("Success"); + bool hasAdminPermission = validatedAdminUser != null && validatedAdminUser.AuthStatus.Equals("Success") && validatedAdminUser.Account.Equals(_context.Vtex.Account) && validatedAdminUser.Audience.Equals("admin"); if (!hasAdminPermission) {
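Review bot: The two new conjuncts dereference `validatedAdminUser.Account` and `validatedAdminUser.Audience` directly, and both are plain `string` properties added in this same commit with no initializer, so a validation response that omits either field (an older payload, or a token without an audience) throws a NullReferenceException inside the authorization check instead of yielding `false`; what that exception turns into depends on the handling around this code, which is outside the hunk. Use the static `string.Equals` with an explicit `StringComparison.Ordinal` so a missing value compares as not-authorized, and guard `_context.Vtex.Account` as well, since `string.Equals(null, null)` is true and an unset request account would otherwise match a token carrying no account. `TokenType` was added to the model alongside these but is not consulted here; if the validation endpoint distinguishes token types it is worth checking too, otherwise it is dead. `IsAdminAuthUser` begins and ends outside the hunk.
```csharp
// … unchanged: null / BadRequest guard above …
bool hasAdminPermission = validatedAdminUser != null
    && string.Equals(validatedAdminUser.AuthStatus, "Success", StringComparison.Ordinal)
    && !string.IsNullOrEmpty(_context.Vtex.Account)
    && string.Equals(validatedAdminUser.Account, _context.Vtex.Account, StringComparison.Ordinal)
    && string.Equals(validatedAdminUser.Audience, "admin", StringComparison.Ordinal);
```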