talex wrote:
For example, consider a produce warehouse that sells to local restaurants, or perhaps someone that provides menu placemats or anything to various other businesses (NOT consumers). Those businesses will want to be able to have their employees go to the site and order products from store, but other businesses would not want someone elses employee to be able to order new napkin rings or something that the store doesn't need when they (the current user) aren't even associated with that client/customer.
OK, I think I see where you are coming from.
But I'm still questioning why one would lock Customer to a StoreId. IMO, that is confusing Authentication with Authorization. I'm not going to give a text book definition, but for the sake of this discussion, I'm simply going to write explicitly what that means to me:
Authentication: Who is the user
Authorization: What can the user do
So, to me, Customer is best associated with the Authentication concern. Typically, roles are brought in to handle authorization, and even though that might be a slightly more complex implementation, I would wholeheartedly endorse that as the 'correct' direction for anyone extending NopCommerce to go for these scenarios.
As far as implementation, eing able to add/revoke roles from an admin environment is pretty straightforward, and you could enforce it either by decorating your actions with a RoleAuthorization attribute or intercept them from a plugin using ActionFilters