add authorization requirements

2025-06-03 18:00:07 +03:00 · 2025-06-03 18:00:07 +03:00 · 0508c89c2d
commit 0508c89c2d
parent 120963f3cc
70 changed files with 641 additions and 331 deletions
--- a/src/Application/Addresses/Commands/AddAddress/AddAddressCommandAuthorizer.cs
+++ b/src/Application/Addresses/Commands/AddAddress/AddAddressCommandAuthorizer.cs
@ -22,9 +22,10 @@ public class AddAddressCommandAuthorizer :
            IsAuthenticated= _sessionUserService.IsAuthenticated
        });
-        UseRequirement(new MustBeInRolesRequirement
+        UseRequirement(new MustBeInAnyOfRolesRequirement
        {
-            RequiredRoles = [IdentityRole.Administrator],
+            RequiredRoles =
                [IdentityRole.Administrator, IdentityRole.CompanyOwner],
            UserRoles = _sessionUserService.Roles
        });
    }
--- a/src/Application/Addresses/Commands/DeleteAddress/DeleteAddressCommandAuthorizer.cs
+++ b/src/Application/Addresses/Commands/DeleteAddress/DeleteAddressCommandAuthorizer.cs
@ -22,7 +22,7 @@ public class DeleteAddressCommandAuthorizer :
            IsAuthenticated= _sessionUserService.IsAuthenticated
        });
-        UseRequirement(new MustBeInRolesRequirement
+        UseRequirement(new MustBeInAnyOfRolesRequirement
        {
            RequiredRoles = [IdentityRole.Administrator],
            UserRoles = _sessionUserService.Roles
--- a/src/Application/Addresses/Commands/UpdateAddress/UpdateAddressCommandAuthorizer.cs
+++ b/src/Application/Addresses/Commands/UpdateAddress/UpdateAddressCommandAuthorizer.cs
@ -22,7 +22,7 @@ public class UpdateAddressCommandAuthorizer :
            IsAuthenticated= _sessionUserService.IsAuthenticated
        });
-        UseRequirement(new MustBeInRolesRequirement
+        UseRequirement(new MustBeInAnyOfRolesRequirement
        {
            RequiredRoles = [IdentityRole.Administrator],
            UserRoles = _sessionUserService.Roles
--- a/src/Application/Addresses/Queries/GetAddress/GetAddressQueryAuthorizer.cs
+++ b/src/Application/Addresses/Queries/GetAddress/GetAddressQueryAuthorizer.cs
@ -19,12 +19,13 @@ public class GetAddressQueryAuthorizer :
    {
        UseRequirement(new MustBeAuthenticatedRequirement
        {
-            IsAuthenticated= _sessionUserService.IsAuthenticated
+            IsAuthenticated = _sessionUserService.IsAuthenticated
        });
-        UseRequirement(new MustBeInRolesRequirement
+        UseRequirement(new MustBeInAnyOfRolesRequirement
        {
-            RequiredRoles = [IdentityRole.Administrator],
+            RequiredRoles =
                [IdentityRole.Administrator, IdentityRole.CompanyOwner],
            UserRoles = _sessionUserService.Roles
        });
    }
--- a/src/Application/Addresses/Queries/GetAddressesPage/GetAddressesPageQueryAuthorizer.cs
+++ b/src/Application/Addresses/Queries/GetAddressesPage/GetAddressesPageQueryAuthorizer.cs
@ -19,12 +19,13 @@ public class GetAddressesPageQueryAuthorizer :
    {
        UseRequirement(new MustBeAuthenticatedRequirement
        {
-            IsAuthenticated= _sessionUserService.IsAuthenticated
+            IsAuthenticated = _sessionUserService.IsAuthenticated
        });
-        UseRequirement(new MustBeInRolesRequirement
+        UseRequirement(new MustBeInAnyOfRolesRequirement
        {
-            RequiredRoles = [IdentityRole.Administrator],
+            RequiredRoles =
                [IdentityRole.Administrator, IdentityRole.CompanyOwner],
            UserRoles = _sessionUserService.Roles
        });
    }
--- a/src/Application/Aircrafts/Commands/AddAircraft/AddAircraftCommandAuthorizer.cs
+++ b/src/Application/Aircrafts/Commands/AddAircraft/AddAircraftCommandAuthorizer.cs
@ -1,6 +1,6 @@
 using cuqmbr.TravelGuide.Application.Common.Authorization;
 using cuqmbr.TravelGuide.Application.Common.Persistence;
 using cuqmbr.TravelGuide.Application.Common.Services;
 using cuqmbr.TravelGuide.Domain.Enums;
 using MediatR.Behaviors.Authorization;
 namespace cuqmbr.TravelGuide.Application.Aircrafts.Commands.AddAircraft;
@ -9,23 +9,34 @@ public class AddAircraftCommandAuthorizer :
    AbstractRequestAuthorizer<AddAircraftCommand>
 {
    private readonly SessionUserService _sessionUserService;
    private readonly UnitOfWork _unitOfWork;
-    public AddAircraftCommandAuthorizer(SessionUserService sessionUserService)
+    public AddAircraftCommandAuthorizer(
        SessionUserService sessionUserService,
        UnitOfWork unitOfWork)
    {
        _sessionUserService = sessionUserService;
        _unitOfWork = unitOfWork;
    }
    public override void BuildPolicy(AddAircraftCommand request)
    {
        UseRequirement(new MustBeAuthenticatedRequirement
        {
-            IsAuthenticated= _sessionUserService.IsAuthenticated
+            IsAuthenticated = _sessionUserService.IsAuthenticated
        });
-        UseRequirement(new MustBeInRolesRequirement
+        var company = _unitOfWork.CompanyRepository
            .GetOneAsync(
                e => e.Guid == request.CompanyGuid, e => e.Account,
                CancellationToken.None)
            .Result;
        UseRequirement(new MustBeObjectOwnerOrAdminRequirement
        {
-            RequiredRoles = [IdentityRole.Administrator],
+            UserRoles = _sessionUserService.Roles,
-            UserRoles = _sessionUserService.Roles
+            RequiredGuid = company?.Account.Guid,
            UserGuid = _sessionUserService.Guid
        });
    }
 }
--- a/src/Application/Aircrafts/Commands/DeleteAircraft/DeleteAircraftCommandAuthorizer.cs
+++ b/src/Application/Aircrafts/Commands/DeleteAircraft/DeleteAircraftCommandAuthorizer.cs
@ -1,6 +1,6 @@
 using cuqmbr.TravelGuide.Application.Common.Authorization;
 using cuqmbr.TravelGuide.Application.Common.Persistence;
 using cuqmbr.TravelGuide.Application.Common.Services;
 using cuqmbr.TravelGuide.Domain.Enums;
 using MediatR.Behaviors.Authorization;
 namespace cuqmbr.TravelGuide.Application.Aircrafts.Commands.DeleteAircraft;
@ -9,23 +9,34 @@ public class DeleteAircraftCommandAuthorizer :
    AbstractRequestAuthorizer<DeleteAircraftCommand>
 {
    private readonly SessionUserService _sessionUserService;
    private readonly UnitOfWork _unitOfWork;
-    public DeleteAircraftCommandAuthorizer(SessionUserService sessionUserService)
+    public DeleteAircraftCommandAuthorizer(
        SessionUserService sessionUserService,
        UnitOfWork unitOfWork)
    {
        _sessionUserService = sessionUserService;
        _unitOfWork = unitOfWork;
    }
    public override void BuildPolicy(DeleteAircraftCommand request)
    {
        UseRequirement(new MustBeAuthenticatedRequirement
        {
-            IsAuthenticated= _sessionUserService.IsAuthenticated
+            IsAuthenticated = _sessionUserService.IsAuthenticated
        });
-        UseRequirement(new MustBeInRolesRequirement
+        var vehicel = _unitOfWork.VehicleRepository
            .GetOneAsync(
                e => e.Guid == request.Guid, e => e.Company.Account,
                CancellationToken.None)
            .Result;
        UseRequirement(new MustBeObjectOwnerOrAdminRequirement
        {
-            RequiredRoles = [IdentityRole.Administrator],
+            UserRoles = _sessionUserService.Roles,
-            UserRoles = _sessionUserService.Roles
+            RequiredGuid = vehicel?.Company.Account.Guid,
            UserGuid = _sessionUserService.Guid
        });
    }
 }
--- a/src/Application/Aircrafts/Commands/UpdateAircraft/UpdateAircraftCommandAuthorizer.cs
+++ b/src/Application/Aircrafts/Commands/UpdateAircraft/UpdateAircraftCommandAuthorizer.cs
@ -1,6 +1,6 @@
 using cuqmbr.TravelGuide.Application.Common.Authorization;
 using cuqmbr.TravelGuide.Application.Common.Persistence;
 using cuqmbr.TravelGuide.Application.Common.Services;
 using cuqmbr.TravelGuide.Domain.Enums;
 using MediatR.Behaviors.Authorization;
 namespace cuqmbr.TravelGuide.Application.Aircrafts.Commands.UpdateAircraft;
@ -9,23 +9,34 @@ public class UpdateAircraftCommandAuthorizer :
    AbstractRequestAuthorizer<UpdateAircraftCommand>
 {
    private readonly SessionUserService _sessionUserService;
    private readonly UnitOfWork _unitOfWork;
-    public UpdateAircraftCommandAuthorizer(SessionUserService sessionUserService)
+    public UpdateAircraftCommandAuthorizer(
        SessionUserService sessionUserService,
        UnitOfWork unitOfWork)
    {
        _sessionUserService = sessionUserService;
        _unitOfWork = unitOfWork;
    }
    public override void BuildPolicy(UpdateAircraftCommand request)
    {
        UseRequirement(new MustBeAuthenticatedRequirement
        {
-            IsAuthenticated= _sessionUserService.IsAuthenticated
+            IsAuthenticated = _sessionUserService.IsAuthenticated
        });
-        UseRequirement(new MustBeInRolesRequirement
+        var company = _unitOfWork.CompanyRepository
            .GetOneAsync(
                e => e.Guid == request.CompanyGuid, e => e.Account,
                CancellationToken.None)
            .Result;
        UseRequirement(new MustBeObjectOwnerOrAdminRequirement
        {
-            RequiredRoles = [IdentityRole.Administrator],
+            UserRoles = _sessionUserService.Roles,
-            UserRoles = _sessionUserService.Roles
+            RequiredGuid = company?.Account.Guid,
            UserGuid = _sessionUserService.Guid
        });
    }
 }
--- a/src/Application/Aircrafts/Queries/GetAircraft/GetAircraftQueryAuthorizer.cs
+++ b/src/Application/Aircrafts/Queries/GetAircraft/GetAircraftQueryAuthorizer.cs
@ -1,6 +1,6 @@
 using cuqmbr.TravelGuide.Application.Common.Authorization;
 using cuqmbr.TravelGuide.Application.Common.Persistence;
 using cuqmbr.TravelGuide.Application.Common.Services;
 using cuqmbr.TravelGuide.Domain.Enums;
 using MediatR.Behaviors.Authorization;
 namespace cuqmbr.TravelGuide.Application.Aircrafts.Queries.GetAircraft;
@ -9,23 +9,34 @@ public class GetAircraftQueryAuthorizer :
    AbstractRequestAuthorizer<GetAircraftQuery>
 {
    private readonly SessionUserService _sessionUserService;
    private readonly UnitOfWork _unitOfWork;
-    public GetAircraftQueryAuthorizer(SessionUserService sessionUserService)
+    public GetAircraftQueryAuthorizer(
        SessionUserService sessionUserService,
        UnitOfWork unitOfWork)
    {
        _sessionUserService = sessionUserService;
        _unitOfWork = unitOfWork;
    }
    public override void BuildPolicy(GetAircraftQuery request)
    {
        UseRequirement(new MustBeAuthenticatedRequirement
        {
-            IsAuthenticated= _sessionUserService.IsAuthenticated
+            IsAuthenticated = _sessionUserService.IsAuthenticated
        });
-        UseRequirement(new MustBeInRolesRequirement
+        var vehicel = _unitOfWork.VehicleRepository
            .GetOneAsync(
                e => e.Guid == request.Guid, e => e.Company.Account,
                CancellationToken.None)
            .Result;
        UseRequirement(new MustBeObjectOwnerOrAdminRequirement
        {
-            RequiredRoles = [IdentityRole.Administrator],
+            UserRoles = _sessionUserService.Roles,
-            UserRoles = _sessionUserService.Roles
+            RequiredGuid = vehicel?.Company.Account.Guid,
            UserGuid = _sessionUserService.Guid
        });
    }
 }
--- a/src/Application/Aircrafts/Queries/GetAircraftsPage/GetAircraftsPageQueryAuthorizer.cs
+++ b/src/Application/Aircrafts/Queries/GetAircraftsPage/GetAircraftsPageQueryAuthorizer.cs
@ -1,6 +1,6 @@
 using cuqmbr.TravelGuide.Application.Common.Authorization;
 using cuqmbr.TravelGuide.Application.Common.Persistence;
 using cuqmbr.TravelGuide.Application.Common.Services;
 using cuqmbr.TravelGuide.Domain.Enums;
 using MediatR.Behaviors.Authorization;
 namespace cuqmbr.TravelGuide.Application.Aircrafts.Queries.GetAircraftsPage;
@ -9,23 +9,34 @@ public class GetAircraftsPageQueryAuthorizer :
    AbstractRequestAuthorizer<GetAircraftsPageQuery>
 {
    private readonly SessionUserService _sessionUserService;
    private readonly UnitOfWork _unitOfWork;
-    public GetAircraftsPageQueryAuthorizer(SessionUserService sessionUserService)
+    public GetAircraftsPageQueryAuthorizer(
        SessionUserService sessionUserService,
        UnitOfWork unitOfWork)
    {
        _sessionUserService = sessionUserService;
        _unitOfWork = unitOfWork;
    }
    public override void BuildPolicy(GetAircraftsPageQuery request)
    {
        UseRequirement(new MustBeAuthenticatedRequirement
        {
-            IsAuthenticated= _sessionUserService.IsAuthenticated
+            IsAuthenticated = _sessionUserService.IsAuthenticated
        });
-        UseRequirement(new MustBeInRolesRequirement
+        var company = _unitOfWork.CompanyRepository
            .GetOneAsync(
                e => e.Guid == request.CompanyGuid, e => e.Account,
                CancellationToken.None)
            .Result;
        UseRequirement(new MustBeObjectOwnerOrAdminRequirement
        {
-            RequiredRoles = [IdentityRole.Administrator],
+            UserRoles = _sessionUserService.Roles,
-            UserRoles = _sessionUserService.Roles
+            RequiredGuid = company?.Account.Guid,
            UserGuid = _sessionUserService.Guid
        });
    }
 }
--- a/src/Application/Authentication/Commands/RenewAccessToken/RenewAccessTokenCommandAuthorizer.cs
+++ b/src/Application/Authentication/Commands/RenewAccessToken/RenewAccessTokenCommandAuthorizer.cs
@ -1,5 +1,4 @@
 using cuqmbr.TravelGuide.Application.Common.Authorization;
 // using cuqmbr.TravelGuide.Application.Common.Services;
 using MediatR.Behaviors.Authorization;
 namespace cuqmbr.TravelGuide.Application.Authenticaion.Commands.RenewAccessToken;
@ -7,19 +6,8 @@ namespace cuqmbr.TravelGuide.Application.Authenticaion.Commands.RenewAccessToken
 public class RenewAccessTokenCommandAuthorizer :
    AbstractRequestAuthorizer<RenewAccessTokenCommand>
 {
    // private readonly SessionUserService _sessionUserService;
    //
    // public RenewAccessTokenCommandAuthorizer(SessionUserService currentUserService)
    // {
    //     _sessionUserService = currentUserService;
    // }
    public override void BuildPolicy(RenewAccessTokenCommand request)
    {
        UseRequirement(new AllowAllRequirement());
        // UseRequirement(new MustBeAuthenticatedRequirement
        // {
        //     IsAuthenticated = _sessionUserService.IsAuthenticated
        // });
    }
 }
--- a/src/Application/Authentication/Commands/RevokeRefreshToken/RevokeRefreshTokenCommandAuthorizer.cs
+++ b/src/Application/Authentication/Commands/RevokeRefreshToken/RevokeRefreshTokenCommandAuthorizer.cs
@ -1,4 +1,5 @@
 using cuqmbr.TravelGuide.Application.Common.Authorization;
 using cuqmbr.TravelGuide.Application.Common.Services;
 using MediatR.Behaviors.Authorization;
 namespace cuqmbr.TravelGuide.Application.Authenticaion.Commands.RevokeRefreshToken;
@ -6,8 +7,18 @@ namespace cuqmbr.TravelGuide.Application.Authenticaion.Commands.RevokeRefreshTok
 public class RevokeRefreshTokenCommandAuthorizer :
    AbstractRequestAuthorizer<RevokeRefreshTokenCommand>
 {
    private readonly SessionUserService _sessionUserService;
    public RevokeRefreshTokenCommandAuthorizer(SessionUserService currentUserService)
    {
        _sessionUserService = currentUserService;
    }
    public override void BuildPolicy(RevokeRefreshTokenCommand request)
    {
-        UseRequirement(new AllowAllRequirement());
+        UseRequirement(new MustBeAuthenticatedRequirement
        {
            IsAuthenticated = _sessionUserService.IsAuthenticated
        });
    }
 }
--- a/src/Application/Buses/Commands/AddBus/AddBusCommandAuthorizer.cs
+++ b/src/Application/Buses/Commands/AddBus/AddBusCommandAuthorizer.cs
@ -1,6 +1,6 @@
 using cuqmbr.TravelGuide.Application.Common.Authorization;
 using cuqmbr.TravelGuide.Application.Common.Persistence;
 using cuqmbr.TravelGuide.Application.Common.Services;
 using cuqmbr.TravelGuide.Domain.Enums;
 using MediatR.Behaviors.Authorization;
 namespace cuqmbr.TravelGuide.Application.Buses.Commands.AddBus;
@ -9,23 +9,34 @@ public class AddBusCommandAuthorizer :
    AbstractRequestAuthorizer<AddBusCommand>
 {
    private readonly SessionUserService _sessionUserService;
    private readonly UnitOfWork _unitOfWork;
-    public AddBusCommandAuthorizer(SessionUserService sessionUserService)
+    public AddBusCommandAuthorizer(
        SessionUserService sessionUserService,
        UnitOfWork unitOfWork)
    {
        _sessionUserService = sessionUserService;
        _unitOfWork = unitOfWork;
    }
    public override void BuildPolicy(AddBusCommand request)
    {
        UseRequirement(new MustBeAuthenticatedRequirement
        {
-            IsAuthenticated= _sessionUserService.IsAuthenticated
+            IsAuthenticated = _sessionUserService.IsAuthenticated
        });
-        UseRequirement(new MustBeInRolesRequirement
+        var company = _unitOfWork.CompanyRepository
            .GetOneAsync(
                e => e.Guid == request.CompanyGuid, e => e.Account,
                CancellationToken.None)
            .Result;
        UseRequirement(new MustBeObjectOwnerOrAdminRequirement
        {
-            RequiredRoles = [IdentityRole.Administrator],
+            UserRoles = _sessionUserService.Roles,
-            UserRoles = _sessionUserService.Roles
+            RequiredGuid = company?.Account.Guid,
            UserGuid = _sessionUserService.Guid
        });
    }
 }
--- a/src/Application/Buses/Commands/DeleteBus/DeleteBusCommandAuthorizer.cs
+++ b/src/Application/Buses/Commands/DeleteBus/DeleteBusCommandAuthorizer.cs
@ -1,6 +1,6 @@
 using cuqmbr.TravelGuide.Application.Common.Authorization;
 using cuqmbr.TravelGuide.Application.Common.Persistence;
 using cuqmbr.TravelGuide.Application.Common.Services;
 using cuqmbr.TravelGuide.Domain.Enums;
 using MediatR.Behaviors.Authorization;
 namespace cuqmbr.TravelGuide.Application.Buses.Commands.DeleteBus;
@ -9,23 +9,34 @@ public class DeleteBusCommandAuthorizer :
    AbstractRequestAuthorizer<DeleteBusCommand>
 {
    private readonly SessionUserService _sessionUserService;
    private readonly UnitOfWork _unitOfWork;
-    public DeleteBusCommandAuthorizer(SessionUserService sessionUserService)
+    public DeleteBusCommandAuthorizer(
        SessionUserService sessionUserService,
        UnitOfWork unitOfWork)
    {
        _sessionUserService = sessionUserService;
        _unitOfWork = unitOfWork;
    }
    public override void BuildPolicy(DeleteBusCommand request)
    {
        UseRequirement(new MustBeAuthenticatedRequirement
        {
-            IsAuthenticated= _sessionUserService.IsAuthenticated
+            IsAuthenticated = _sessionUserService.IsAuthenticated
        });
-        UseRequirement(new MustBeInRolesRequirement
+        var vehicel = _unitOfWork.VehicleRepository
            .GetOneAsync(
                e => e.Guid == request.Guid, e => e.Company.Account,
                CancellationToken.None)
            .Result;
        UseRequirement(new MustBeObjectOwnerOrAdminRequirement
        {
-            RequiredRoles = [IdentityRole.Administrator],
+            UserRoles = _sessionUserService.Roles,
-            UserRoles = _sessionUserService.Roles
+            RequiredGuid = vehicel?.Company.Account.Guid,
            UserGuid = _sessionUserService.Guid
        });
    }
 }
--- a/src/Application/Buses/Commands/UpdateBus/UpdateBusCommandAuthorizer.cs
+++ b/src/Application/Buses/Commands/UpdateBus/UpdateBusCommandAuthorizer.cs
@ -1,6 +1,6 @@
 using cuqmbr.TravelGuide.Application.Common.Authorization;
 using cuqmbr.TravelGuide.Application.Common.Persistence;
 using cuqmbr.TravelGuide.Application.Common.Services;
 using cuqmbr.TravelGuide.Domain.Enums;
 using MediatR.Behaviors.Authorization;
 namespace cuqmbr.TravelGuide.Application.Buses.Commands.UpdateBus;
@ -9,23 +9,34 @@ public class UpdateBusCommandAuthorizer :
    AbstractRequestAuthorizer<UpdateBusCommand>
 {
    private readonly SessionUserService _sessionUserService;
    private readonly UnitOfWork _unitOfWork;
-    public UpdateBusCommandAuthorizer(SessionUserService sessionUserService)
+    public UpdateBusCommandAuthorizer(
        SessionUserService sessionUserService,
        UnitOfWork unitOfWork)
    {
        _sessionUserService = sessionUserService;
        _unitOfWork = unitOfWork;
    }
    public override void BuildPolicy(UpdateBusCommand request)
    {
        UseRequirement(new MustBeAuthenticatedRequirement
        {
-            IsAuthenticated= _sessionUserService.IsAuthenticated
+            IsAuthenticated = _sessionUserService.IsAuthenticated
        });
-        UseRequirement(new MustBeInRolesRequirement
+        var company = _unitOfWork.CompanyRepository
            .GetOneAsync(
                e => e.Guid == request.CompanyGuid, e => e.Account,
                CancellationToken.None)
            .Result;
        UseRequirement(new MustBeObjectOwnerOrAdminRequirement
        {
-            RequiredRoles = [IdentityRole.Administrator],
+            UserRoles = _sessionUserService.Roles,
-            UserRoles = _sessionUserService.Roles
+            RequiredGuid = company?.Account.Guid,
            UserGuid = _sessionUserService.Guid
        });
    }
 }
--- a/src/Application/Buses/Queries/GetBus/GetBusQueryAuthorizer.cs
+++ b/src/Application/Buses/Queries/GetBus/GetBusQueryAuthorizer.cs
@ -1,6 +1,6 @@
 using cuqmbr.TravelGuide.Application.Common.Authorization;
 using cuqmbr.TravelGuide.Application.Common.Persistence;
 using cuqmbr.TravelGuide.Application.Common.Services;
 using cuqmbr.TravelGuide.Domain.Enums;
 using MediatR.Behaviors.Authorization;
 namespace cuqmbr.TravelGuide.Application.Buses.Queries.GetBus;
@ -9,23 +9,34 @@ public class GetBusQueryAuthorizer :
    AbstractRequestAuthorizer<GetBusQuery>
 {
    private readonly SessionUserService _sessionUserService;
    private readonly UnitOfWork _unitOfWork;
-    public GetBusQueryAuthorizer(SessionUserService sessionUserService)
+    public GetBusQueryAuthorizer(
        SessionUserService sessionUserService,
        UnitOfWork unitOfWork)
    {
        _sessionUserService = sessionUserService;
        _unitOfWork = unitOfWork;
    }
    public override void BuildPolicy(GetBusQuery request)
    {
        UseRequirement(new MustBeAuthenticatedRequirement
        {
-            IsAuthenticated= _sessionUserService.IsAuthenticated
+            IsAuthenticated = _sessionUserService.IsAuthenticated
        });
-        UseRequirement(new MustBeInRolesRequirement
+        var vehicel = _unitOfWork.VehicleRepository
            .GetOneAsync(
                e => e.Guid == request.Guid, e => e.Company.Account,
                CancellationToken.None)
            .Result;
        UseRequirement(new MustBeObjectOwnerOrAdminRequirement
        {
-            RequiredRoles = [IdentityRole.Administrator],
+            UserRoles = _sessionUserService.Roles,
-            UserRoles = _sessionUserService.Roles
+            RequiredGuid = vehicel?.Company.Account.Guid,
            UserGuid = _sessionUserService.Guid
        });
    }
 }
--- a/src/Application/Buses/Queries/GetBusesPage/GetBusesPageQueryAuthorizer.cs
+++ b/src/Application/Buses/Queries/GetBusesPage/GetBusesPageQueryAuthorizer.cs
@ -1,6 +1,6 @@
 using cuqmbr.TravelGuide.Application.Common.Authorization;
 using cuqmbr.TravelGuide.Application.Common.Persistence;
 using cuqmbr.TravelGuide.Application.Common.Services;
 using cuqmbr.TravelGuide.Domain.Enums;
 using MediatR.Behaviors.Authorization;
 namespace cuqmbr.TravelGuide.Application.Buses.Queries.GetBusesPage;
@ -9,23 +9,34 @@ public class GetBusesPageQueryAuthorizer :
    AbstractRequestAuthorizer<GetBusesPageQuery>
 {
    private readonly SessionUserService _sessionUserService;
    private readonly UnitOfWork _unitOfWork;
-    public GetBusesPageQueryAuthorizer(SessionUserService sessionUserService)
+    public GetBusesPageQueryAuthorizer(
        SessionUserService sessionUserService,
        UnitOfWork unitOfWork)
    {
        _sessionUserService = sessionUserService;
        _unitOfWork = unitOfWork;
    }
    public override void BuildPolicy(GetBusesPageQuery request)
    {
        UseRequirement(new MustBeAuthenticatedRequirement
        {
-            IsAuthenticated= _sessionUserService.IsAuthenticated
+            IsAuthenticated = _sessionUserService.IsAuthenticated
        });
-        UseRequirement(new MustBeInRolesRequirement
+        var company = _unitOfWork.CompanyRepository
            .GetOneAsync(
                e => e.Guid == request.CompanyGuid, e => e.Account,
                CancellationToken.None)
            .Result;
        UseRequirement(new MustBeObjectOwnerOrAdminRequirement
        {
-            RequiredRoles = [IdentityRole.Administrator],
+            UserRoles = _sessionUserService.Roles,
-            UserRoles = _sessionUserService.Roles
+            RequiredGuid = company?.Account.Guid,
            UserGuid = _sessionUserService.Guid
        });
    }
 }
--- a/src/Application/Cities/Commands/AddCity/AddCityCommandAuthorizer.cs
+++ b/src/Application/Cities/Commands/AddCity/AddCityCommandAuthorizer.cs
@ -22,7 +22,7 @@ public class AddCityCommandAuthorizer :
            IsAuthenticated= _sessionUserService.IsAuthenticated
        });
-        UseRequirement(new MustBeInRolesRequirement
+        UseRequirement(new MustBeInAnyOfRolesRequirement
        {
            RequiredRoles = [IdentityRole.Administrator],
            UserRoles = _sessionUserService.Roles
--- a/src/Application/Cities/Commands/DeleteCity/DeleteCityCommandAuthorizer.cs
+++ b/src/Application/Cities/Commands/DeleteCity/DeleteCityCommandAuthorizer.cs
@ -22,7 +22,7 @@ public class DeleteCityCommandAuthorizer :
            IsAuthenticated= _sessionUserService.IsAuthenticated
        });
-        UseRequirement(new MustBeInRolesRequirement
+        UseRequirement(new MustBeInAnyOfRolesRequirement
        {
            RequiredRoles = [IdentityRole.Administrator],
            UserRoles = _sessionUserService.Roles
--- a/src/Application/Cities/Commands/UpdateCity/UpdateCityCommandAuthorizer.cs
+++ b/src/Application/Cities/Commands/UpdateCity/UpdateCityCommandAuthorizer.cs
@ -22,7 +22,7 @@ public class UpdateCityCommandAuthorizer :
            IsAuthenticated= _sessionUserService.IsAuthenticated
        });
-        UseRequirement(new MustBeInRolesRequirement
+        UseRequirement(new MustBeInAnyOfRolesRequirement
        {
            RequiredRoles = [IdentityRole.Administrator],
            UserRoles = _sessionUserService.Roles
--- a/src/Application/Cities/Queries/GetCitiesPage/GetCitiesPageQueryAuthorizer.cs
+++ b/src/Application/Cities/Queries/GetCitiesPage/GetCitiesPageQueryAuthorizer.cs
@ -19,12 +19,13 @@ public class GetCitiesPageQueryAuthorizer :
    {
        UseRequirement(new MustBeAuthenticatedRequirement
        {
-            IsAuthenticated= _sessionUserService.IsAuthenticated
+            IsAuthenticated = _sessionUserService.IsAuthenticated
        });
-        UseRequirement(new MustBeInRolesRequirement
+        UseRequirement(new MustBeInAnyOfRolesRequirement
        {
-            RequiredRoles = [IdentityRole.Administrator],
+            RequiredRoles =
                [IdentityRole.Administrator, IdentityRole.CompanyOwner],
            UserRoles = _sessionUserService.Roles
        });
    }
--- a/src/Application/Cities/Queries/GetCity/GetCityQueryAuthorizer.cs
+++ b/src/Application/Cities/Queries/GetCity/GetCityQueryAuthorizer.cs
@ -19,12 +19,13 @@ public class GetCityQueryAuthorizer :
    {
        UseRequirement(new MustBeAuthenticatedRequirement
        {
-            IsAuthenticated= _sessionUserService.IsAuthenticated
+            IsAuthenticated = _sessionUserService.IsAuthenticated
        });
-        UseRequirement(new MustBeInRolesRequirement
+        UseRequirement(new MustBeInAnyOfRolesRequirement
        {
-            RequiredRoles = [IdentityRole.Administrator],
+            RequiredRoles =
                [IdentityRole.Administrator, IdentityRole.CompanyOwner],
            UserRoles = _sessionUserService.Roles
        });
    }
--- a/src/Application/Common/Authorization/MustBeInAnyOfRolesRequirement.cs
+++ b/src/Application/Common/Authorization/MustBeInAnyOfRolesRequirement.cs
@ -1,31 +1,22 @@
 using MediatR.Behaviors.Authorization;
 using Microsoft.Extensions.Localization;
 using cuqmbr.TravelGuide.Domain.Enums;
 namespace cuqmbr.TravelGuide.Application.Common.Authorization;
-public class MustBeInRolesRequirement : IAuthorizationRequirement
+public class MustBeInAnyOfRolesRequirement : IAuthorizationRequirement
 {
    public ICollection<IdentityRole> UserRoles { get; init; }
    public ICollection<IdentityRole> RequiredRoles { get; init; }
-    class MustBeInRolesRequirementHandler :
+    class MustBeInAnyOfRolesRequirementHandler :
-        IAuthorizationHandler<MustBeInRolesRequirement>
+        IAuthorizationHandler<MustBeInAnyOfRolesRequirement>
    {
        private readonly IStringLocalizer _localizer;
        public MustBeInRolesRequirementHandler(IStringLocalizer localizer)
        {
            _localizer = localizer;
        }
        public Task<AuthorizationResult> Handle(
-            MustBeInRolesRequirement request,
+            MustBeInAnyOfRolesRequirement request,
            CancellationToken cancellationToken)
        {
-            var isUserInRequiredRoles =
+            var isUserInRequiredRoles = request.UserRoles
-                request.UserRoles?.Any(ur => request.RequiredRoles.Contains(ur)) 
+                .Any(ur => request.RequiredRoles.Contains(ur));
                    ?? false;
            if (!isUserInRequiredRoles)
            {
--- a/src/Application/Common/Authorization/MustBeObjectOwnerOrAdminRequirement.cs
+++ b/src/Application/Common/Authorization/MustBeObjectOwnerOrAdminRequirement.cs
@ -0,0 +1,42 @@
 using MediatR.Behaviors.Authorization;
 using cuqmbr.TravelGuide.Domain.Enums;
 namespace cuqmbr.TravelGuide.Application.Common.Authorization;
 public class MustBeObjectOwnerOrAdminRequirement : IAuthorizationRequirement
 {
    public ICollection<IdentityRole>? UserRoles { get; init; }
    public Guid? UserGuid { get; init; }
    public Guid? RequiredGuid { get; init; }
    class MustBeObjectOwnerOrAdminRequirementHandler :
        IAuthorizationHandler<MustBeObjectOwnerOrAdminRequirement>
    {
        public Task<AuthorizationResult> Handle(
            MustBeObjectOwnerOrAdminRequirement request,
            CancellationToken cancellationToken)
        {
            var isAdmin = request?.UserRoles
                ?.Any(ur => ur.Equals(IdentityRole.Administrator)) ??
                false;
            if (isAdmin)
            {
                return Task.FromResult(AuthorizationResult.Succeed());
            }
            if (request?.UserGuid == null || request?.RequiredGuid == null)
            {
                return Task.FromResult(AuthorizationResult.Fail());
            }
            if (request.UserGuid == request.RequiredGuid)
            {
                return Task.FromResult(AuthorizationResult.Succeed());
            }
            return Task.FromResult(AuthorizationResult.Fail());
        }
    }
 }
--- a/src/Application/Companies/Commands/AddCompany/AddCompanyCommandAuthorizer.cs
+++ b/src/Application/Companies/Commands/AddCompany/AddCompanyCommandAuthorizer.cs
@ -19,10 +19,10 @@ public class AddCompanyCommandAuthorizer :
    {
        UseRequirement(new MustBeAuthenticatedRequirement
        {
-            IsAuthenticated= _sessionUserService.IsAuthenticated
+            IsAuthenticated = _sessionUserService.IsAuthenticated
        });
-        UseRequirement(new MustBeInRolesRequirement
+        UseRequirement(new MustBeInAnyOfRolesRequirement
        {
            RequiredRoles = [IdentityRole.Administrator],
            UserRoles = _sessionUserService.Roles
--- a/src/Application/Companies/Commands/DeleteCompany/DeleteCompanyCommandAuthorizer.cs
+++ b/src/Application/Companies/Commands/DeleteCompany/DeleteCompanyCommandAuthorizer.cs
@ -19,10 +19,10 @@ public class DeleteCompanyCommandAuthorizer :
    {
        UseRequirement(new MustBeAuthenticatedRequirement
        {
-            IsAuthenticated= _sessionUserService.IsAuthenticated
+            IsAuthenticated = _sessionUserService.IsAuthenticated
        });
-        UseRequirement(new MustBeInRolesRequirement
+        UseRequirement(new MustBeInAnyOfRolesRequirement
        {
            RequiredRoles = [IdentityRole.Administrator],
            UserRoles = _sessionUserService.Roles
--- a/src/Application/Companies/Commands/UpdateCompany/UpdateCompanyCommandAuthorizer.cs
+++ b/src/Application/Companies/Commands/UpdateCompany/UpdateCompanyCommandAuthorizer.cs
@ -1,6 +1,6 @@
 using cuqmbr.TravelGuide.Application.Common.Authorization;
 using cuqmbr.TravelGuide.Application.Common.Persistence;
 using cuqmbr.TravelGuide.Application.Common.Services;
 using cuqmbr.TravelGuide.Domain.Enums;
 using MediatR.Behaviors.Authorization;
 namespace cuqmbr.TravelGuide.Application.Companies.Commands.UpdateCompany;
@ -9,23 +9,34 @@ public class UpdateCompanyCommandAuthorizer :
    AbstractRequestAuthorizer<UpdateCompanyCommand>
 {
    private readonly SessionUserService _sessionUserService;
    private readonly UnitOfWork _unitOfWork;
-    public UpdateCompanyCommandAuthorizer(SessionUserService sessionUserService)
+    public UpdateCompanyCommandAuthorizer(
        SessionUserService sessionUserService,
        UnitOfWork unitOfWork)
    {
        _sessionUserService = sessionUserService;
        _unitOfWork = unitOfWork;
    }
    public override void BuildPolicy(UpdateCompanyCommand request)
    {
        UseRequirement(new MustBeAuthenticatedRequirement
        {
-            IsAuthenticated= _sessionUserService.IsAuthenticated
+            IsAuthenticated = _sessionUserService.IsAuthenticated
        });
-        UseRequirement(new MustBeInRolesRequirement
+        var company = _unitOfWork.CompanyRepository
            .GetOneAsync(
                e => e.Guid == request.Guid, e => e.Account,
                CancellationToken.None)
            .Result;
        UseRequirement(new MustBeObjectOwnerOrAdminRequirement
        {
-            RequiredRoles = [IdentityRole.Administrator],
+            UserRoles = _sessionUserService.Roles,
-            UserRoles = _sessionUserService.Roles
+            RequiredGuid = company?.Account.Guid,
            UserGuid = _sessionUserService.Guid
        });
    }
 }
--- a/src/Application/Companies/Queries/GetCompaniesPage/GetCompaniesPageQueryAuthorizer.cs
+++ b/src/Application/Companies/Queries/GetCompaniesPage/GetCompaniesPageQueryAuthorizer.cs
@ -1,6 +1,4 @@
 using cuqmbr.TravelGuide.Application.Common.Authorization;
 using cuqmbr.TravelGuide.Application.Common.Services;
 using cuqmbr.TravelGuide.Domain.Enums;
 using MediatR.Behaviors.Authorization;
 namespace cuqmbr.TravelGuide.Application.Companies.Queries.GetCompaniesPage;
@ -8,24 +6,8 @@ namespace cuqmbr.TravelGuide.Application.Companies.Queries.GetCompaniesPage;
 public class GetCompaniesPageQueryAuthorizer :
    AbstractRequestAuthorizer<GetCompaniesPageQuery>
 {
    private readonly SessionUserService _sessionUserService;
    public GetCompaniesPageQueryAuthorizer(SessionUserService sessionUserService)
    {
        _sessionUserService = sessionUserService;
    }
    public override void BuildPolicy(GetCompaniesPageQuery request)
    {
-        UseRequirement(new MustBeAuthenticatedRequirement
+        UseRequirement(new AllowAllRequirement());
        {
            IsAuthenticated= _sessionUserService.IsAuthenticated
        });
        UseRequirement(new MustBeInRolesRequirement
        {
            RequiredRoles = [IdentityRole.Administrator],
            UserRoles = _sessionUserService.Roles
        });
    }
 }
--- a/src/Application/Companies/Queries/GetCompany/GetCompanyQueryAuthorizer.cs
+++ b/src/Application/Companies/Queries/GetCompany/GetCompanyQueryAuthorizer.cs
@ -1,6 +1,4 @@
 using cuqmbr.TravelGuide.Application.Common.Authorization;
 using cuqmbr.TravelGuide.Application.Common.Services;
 using cuqmbr.TravelGuide.Domain.Enums;
 using MediatR.Behaviors.Authorization;
 namespace cuqmbr.TravelGuide.Application.Companies.Queries.GetCompany;
@ -8,24 +6,8 @@ namespace cuqmbr.TravelGuide.Application.Companies.Queries.GetCompany;
 public class GetCompanyQueryAuthorizer :
    AbstractRequestAuthorizer<GetCompanyQuery>
 {
    private readonly SessionUserService _sessionUserService;
    public GetCompanyQueryAuthorizer(SessionUserService sessionUserService)
    {
        _sessionUserService = sessionUserService;
    }
    public override void BuildPolicy(GetCompanyQuery request)
    {
-        UseRequirement(new MustBeAuthenticatedRequirement
+        UseRequirement(new AllowAllRequirement());
        {
            IsAuthenticated= _sessionUserService.IsAuthenticated
        });
        UseRequirement(new MustBeInRolesRequirement
        {
            RequiredRoles = [IdentityRole.Administrator],
            UserRoles = _sessionUserService.Roles
        });
    }
 }
--- a/src/Application/Countries/Commands/AddCountry/AddCountryCommandAuthorizer.cs
+++ b/src/Application/Countries/Commands/AddCountry/AddCountryCommandAuthorizer.cs
@ -22,7 +22,7 @@ public class AddCountryCommandAuthorizer :
            IsAuthenticated= _sessionUserService.IsAuthenticated
        });
-        UseRequirement(new MustBeInRolesRequirement
+        UseRequirement(new MustBeInAnyOfRolesRequirement
        {
            RequiredRoles = [IdentityRole.Administrator],
            UserRoles = _sessionUserService.Roles
--- a/src/Application/Countries/Commands/DeleteCountry/DeleteCountryCommandAuthorizer.cs
+++ b/src/Application/Countries/Commands/DeleteCountry/DeleteCountryCommandAuthorizer.cs
@ -22,7 +22,7 @@ public class DeleteCountryCommandAuthorizer :
            IsAuthenticated= _sessionUserService.IsAuthenticated
        });
-        UseRequirement(new MustBeInRolesRequirement
+        UseRequirement(new MustBeInAnyOfRolesRequirement
        {
            RequiredRoles = [IdentityRole.Administrator],
            UserRoles = _sessionUserService.Roles
--- a/src/Application/Countries/Commands/UpdateCountry/UpdateCountryCommandAuthorizer.cs
+++ b/src/Application/Countries/Commands/UpdateCountry/UpdateCountryCommandAuthorizer.cs
@ -22,7 +22,7 @@ public class UpdateCountryCommandAuthorizer :
            IsAuthenticated= _sessionUserService.IsAuthenticated
        });
-        UseRequirement(new MustBeInRolesRequirement
+        UseRequirement(new MustBeInAnyOfRolesRequirement
        {
            RequiredRoles = [IdentityRole.Administrator],
            UserRoles = _sessionUserService.Roles
--- a/src/Application/Countries/Queries/GetCountriesPage/GetCountriesPageQueryAuthorizer.cs
+++ b/src/Application/Countries/Queries/GetCountriesPage/GetCountriesPageQueryAuthorizer.cs
@ -19,12 +19,13 @@ public class GetCountriesPageQueryAuthorizer :
    {
        UseRequirement(new MustBeAuthenticatedRequirement
        {
-            IsAuthenticated= _sessionUserService.IsAuthenticated
+            IsAuthenticated = _sessionUserService.IsAuthenticated
        });
-        UseRequirement(new MustBeInRolesRequirement
+        UseRequirement(new MustBeInAnyOfRolesRequirement
        {
-            RequiredRoles = [IdentityRole.Administrator],
+            RequiredRoles =
                [IdentityRole.Administrator, IdentityRole.CompanyOwner],
            UserRoles = _sessionUserService.Roles
        });
    }
--- a/src/Application/Countries/Queries/GetCountry/GetCountryQueryAuthorizer.cs
+++ b/src/Application/Countries/Queries/GetCountry/GetCountryQueryAuthorizer.cs
@ -19,12 +19,13 @@ public class GetCountryQueryAuthorizer :
    {
        UseRequirement(new MustBeAuthenticatedRequirement
        {
-            IsAuthenticated= _sessionUserService.IsAuthenticated
+            IsAuthenticated = _sessionUserService.IsAuthenticated
        });
-        UseRequirement(new MustBeInRolesRequirement
+        UseRequirement(new MustBeInAnyOfRolesRequirement
        {
-            RequiredRoles = [IdentityRole.Administrator],
+            RequiredRoles =
                [IdentityRole.Administrator, IdentityRole.CompanyOwner],
            UserRoles = _sessionUserService.Roles
        });
    }
--- a/src/Application/Employees/Commands/AddEmployee/AddEmployeeCommandAuthorizer.cs
+++ b/src/Application/Employees/Commands/AddEmployee/AddEmployeeCommandAuthorizer.cs
@ -1,6 +1,6 @@
 using cuqmbr.TravelGuide.Application.Common.Authorization;
 using cuqmbr.TravelGuide.Application.Common.Persistence;
 using cuqmbr.TravelGuide.Application.Common.Services;
 using cuqmbr.TravelGuide.Domain.Enums;
 using MediatR.Behaviors.Authorization;
 namespace cuqmbr.TravelGuide.Application.Employees.Commands.AddEmployee;
@ -9,23 +9,34 @@ public class AddEmployeeCommandAuthorizer :
    AbstractRequestAuthorizer<AddEmployeeCommand>
 {
    private readonly SessionUserService _sessionUserService;
    private readonly UnitOfWork _unitOfWork;
-    public AddEmployeeCommandAuthorizer(SessionUserService sessionUserService)
+    public AddEmployeeCommandAuthorizer(
        SessionUserService sessionUserService,
        UnitOfWork unitOfWork)
    {
        _sessionUserService = sessionUserService;
        _unitOfWork = unitOfWork;
    }
    public override void BuildPolicy(AddEmployeeCommand request)
    {
        UseRequirement(new MustBeAuthenticatedRequirement
        {
-            IsAuthenticated= _sessionUserService.IsAuthenticated
+            IsAuthenticated = _sessionUserService.IsAuthenticated
        });
-        UseRequirement(new MustBeInRolesRequirement
+        var company = _unitOfWork.CompanyRepository
            .GetOneAsync(
                e => e.Guid == request.CompanyGuid, e => e.Account,
                CancellationToken.None)
            .Result;
        UseRequirement(new MustBeObjectOwnerOrAdminRequirement
        {
-            RequiredRoles = [IdentityRole.Administrator],
+            UserRoles = _sessionUserService.Roles,
-            UserRoles = _sessionUserService.Roles
+            RequiredGuid = company?.Account.Guid,
            UserGuid = _sessionUserService.Guid
        });
    }
 }
--- a/src/Application/Employees/Commands/DeleteEmployee/DeleteEmployeeCommandAuthorizer.cs
+++ b/src/Application/Employees/Commands/DeleteEmployee/DeleteEmployeeCommandAuthorizer.cs
@ -1,6 +1,6 @@
 using cuqmbr.TravelGuide.Application.Common.Authorization;
 using cuqmbr.TravelGuide.Application.Common.Persistence;
 using cuqmbr.TravelGuide.Application.Common.Services;
 using cuqmbr.TravelGuide.Domain.Enums;
 using MediatR.Behaviors.Authorization;
 namespace cuqmbr.TravelGuide.Application.Employees.Commands.DeleteEmployee;
@ -9,23 +9,34 @@ public class DeleteEmployeeCommandAuthorizer :
    AbstractRequestAuthorizer<DeleteEmployeeCommand>
 {
    private readonly SessionUserService _sessionUserService;
    private readonly UnitOfWork _unitOfWork;
-    public DeleteEmployeeCommandAuthorizer(SessionUserService sessionUserService)
+    public DeleteEmployeeCommandAuthorizer(
        SessionUserService sessionUserService,
        UnitOfWork unitOfWork)
    {
        _sessionUserService = sessionUserService;
        _unitOfWork = unitOfWork;
    }
    public override void BuildPolicy(DeleteEmployeeCommand request)
    {
        UseRequirement(new MustBeAuthenticatedRequirement
        {
-            IsAuthenticated= _sessionUserService.IsAuthenticated
+            IsAuthenticated = _sessionUserService.IsAuthenticated
        });
-        UseRequirement(new MustBeInRolesRequirement
+        var employee = _unitOfWork.EmployeeRepository
            .GetOneAsync(
                e => e.Guid == request.Guid, e => e.Company.Account,
                CancellationToken.None)
            .Result;
        UseRequirement(new MustBeObjectOwnerOrAdminRequirement
        {
-            RequiredRoles = [IdentityRole.Administrator],
+            UserRoles = _sessionUserService.Roles,
-            UserRoles = _sessionUserService.Roles
+            RequiredGuid = employee?.Company.Account.Guid,
            UserGuid = _sessionUserService.Guid
        });
    }
 }
--- a/src/Application/Employees/Commands/UpdateEmployee/UpdateEmployeeCommandAuthorizer.cs
+++ b/src/Application/Employees/Commands/UpdateEmployee/UpdateEmployeeCommandAuthorizer.cs
@ -1,6 +1,6 @@
 using cuqmbr.TravelGuide.Application.Common.Authorization;
 using cuqmbr.TravelGuide.Application.Common.Persistence;
 using cuqmbr.TravelGuide.Application.Common.Services;
 using cuqmbr.TravelGuide.Domain.Enums;
 using MediatR.Behaviors.Authorization;
 namespace cuqmbr.TravelGuide.Application.Employees.Commands.UpdateEmployee;
@ -9,23 +9,34 @@ public class UpdateEmployeeCommandAuthorizer :
    AbstractRequestAuthorizer<UpdateEmployeeCommand>
 {
    private readonly SessionUserService _sessionUserService;
    private readonly UnitOfWork _unitOfWork;
-    public UpdateEmployeeCommandAuthorizer(SessionUserService sessionUserService)
+    public UpdateEmployeeCommandAuthorizer(
        SessionUserService sessionUserService,
        UnitOfWork unitOfWork)
    {
        _sessionUserService = sessionUserService;
        _unitOfWork = unitOfWork;
    }
    public override void BuildPolicy(UpdateEmployeeCommand request)
    {
        UseRequirement(new MustBeAuthenticatedRequirement
        {
-            IsAuthenticated= _sessionUserService.IsAuthenticated
+            IsAuthenticated = _sessionUserService.IsAuthenticated
        });
-        UseRequirement(new MustBeInRolesRequirement
+        var company = _unitOfWork.CompanyRepository
            .GetOneAsync(
                e => e.Guid == request.CompanyGuid, e => e.Account,
                CancellationToken.None)
            .Result;
        UseRequirement(new MustBeObjectOwnerOrAdminRequirement
        {
-            RequiredRoles = [IdentityRole.Administrator],
+            UserRoles = _sessionUserService.Roles,
-            UserRoles = _sessionUserService.Roles
+            RequiredGuid = company?.Account.Guid,
            UserGuid = _sessionUserService.Guid
        });
    }
 }
--- a/src/Application/Employees/Queries/GetEmployee/GetEmployeeQueryAuthorizer.cs
+++ b/src/Application/Employees/Queries/GetEmployee/GetEmployeeQueryAuthorizer.cs
@ -1,6 +1,6 @@
 using cuqmbr.TravelGuide.Application.Common.Authorization;
 using cuqmbr.TravelGuide.Application.Common.Persistence;
 using cuqmbr.TravelGuide.Application.Common.Services;
 using cuqmbr.TravelGuide.Domain.Enums;
 using MediatR.Behaviors.Authorization;
 namespace cuqmbr.TravelGuide.Application.Employees.Queries.GetEmployee;
@ -9,23 +9,34 @@ public class GetEmployeeQueryAuthorizer :
    AbstractRequestAuthorizer<GetEmployeeQuery>
 {
    private readonly SessionUserService _sessionUserService;
    private readonly UnitOfWork _unitOfWork;
-    public GetEmployeeQueryAuthorizer(SessionUserService sessionUserService)
+    public GetEmployeeQueryAuthorizer(
        SessionUserService sessionUserService,
        UnitOfWork unitOfWork)
    {
        _sessionUserService = sessionUserService;
        _unitOfWork = unitOfWork;
    }
    public override void BuildPolicy(GetEmployeeQuery request)
    {
        UseRequirement(new MustBeAuthenticatedRequirement
        {
-            IsAuthenticated= _sessionUserService.IsAuthenticated
+            IsAuthenticated = _sessionUserService.IsAuthenticated
        });
-        UseRequirement(new MustBeInRolesRequirement
+        var employee = _unitOfWork.EmployeeRepository
            .GetOneAsync(
                e => e.Guid == request.Guid, e => e.Company.Account,
                CancellationToken.None)
            .Result;
        UseRequirement(new MustBeObjectOwnerOrAdminRequirement
        {
-            RequiredRoles = [IdentityRole.Administrator],
+            UserRoles = _sessionUserService.Roles,
-            UserRoles = _sessionUserService.Roles
+            RequiredGuid = employee?.Company.Account.Guid,
            UserGuid = _sessionUserService.Guid
        });
    }
 }
--- a/src/Application/Employees/Queries/GetEmployeesPage/GetEmployeesPageQueryAuthorizer.cs
+++ b/src/Application/Employees/Queries/GetEmployeesPage/GetEmployeesPageQueryAuthorizer.cs
@ -1,6 +1,6 @@
 using cuqmbr.TravelGuide.Application.Common.Authorization;
 using cuqmbr.TravelGuide.Application.Common.Persistence;
 using cuqmbr.TravelGuide.Application.Common.Services;
 using cuqmbr.TravelGuide.Domain.Enums;
 using MediatR.Behaviors.Authorization;
 namespace cuqmbr.TravelGuide.Application.Employees.Queries.GetEmployeesPage;
@ -9,23 +9,34 @@ public class GetEmployeesPageQueryAuthorizer :
    AbstractRequestAuthorizer<GetEmployeesPageQuery>
 {
    private readonly SessionUserService _sessionUserService;
    private readonly UnitOfWork _unitOfWork;
-    public GetEmployeesPageQueryAuthorizer(SessionUserService sessionUserService)
+    public GetEmployeesPageQueryAuthorizer(
        SessionUserService sessionUserService,
        UnitOfWork unitOfWork)
    {
        _sessionUserService = sessionUserService;
        _unitOfWork = unitOfWork;
    }
    public override void BuildPolicy(GetEmployeesPageQuery request)
    {
        UseRequirement(new MustBeAuthenticatedRequirement
        {
-            IsAuthenticated= _sessionUserService.IsAuthenticated
+            IsAuthenticated = _sessionUserService.IsAuthenticated
        });
-        UseRequirement(new MustBeInRolesRequirement
+        var company = _unitOfWork.CompanyRepository
            .GetOneAsync(
                e => e.Guid == request.CompanyGuid, e => e.Account,
                CancellationToken.None)
            .Result;
        UseRequirement(new MustBeObjectOwnerOrAdminRequirement
        {
-            RequiredRoles = [IdentityRole.Administrator],
+            UserRoles = _sessionUserService.Roles,
-            UserRoles = _sessionUserService.Roles
+            RequiredGuid = company?.Account.Guid,
            UserGuid = _sessionUserService.Guid
        });
    }
 }
--- a/src/Application/Identity/Accounts/Commands/AddAccount/AddAccountCommandAuthorizer.cs
+++ b/src/Application/Identity/Accounts/Commands/AddAccount/AddAccountCommandAuthorizer.cs
@ -23,7 +23,7 @@ public class AddAccountCommandAuthorizer :
            IsAuthenticated= _sessionAccountService.IsAuthenticated
        });
-        UseRequirement(new MustBeInRolesRequirement
+        UseRequirement(new MustBeInAnyOfRolesRequirement
        {
            RequiredRoles = [IdentityRole.Administrator],
            UserRoles = _sessionAccountService.Roles
--- a/src/Application/Identity/Accounts/Commands/DeleteAccount/DeleteAccountCommandAuthorizer.cs
+++ b/src/Application/Identity/Accounts/Commands/DeleteAccount/DeleteAccountCommandAuthorizer.cs
@ -23,7 +23,7 @@ public class DeleteAccountCommandAuthorizer :
            IsAuthenticated= _sessionUserService.IsAuthenticated
        });
-        UseRequirement(new MustBeInRolesRequirement
+        UseRequirement(new MustBeInAnyOfRolesRequirement
        {
            RequiredRoles = [IdentityRole.Administrator],
            UserRoles = _sessionUserService.Roles
--- a/src/Application/Identity/Accounts/Commands/UpdateAccount/UpdateAccountCommandAuthorizer.cs
+++ b/src/Application/Identity/Accounts/Commands/UpdateAccount/UpdateAccountCommandAuthorizer.cs
@ -22,7 +22,7 @@ public class UpdateAccountCommandAuthorizer :
            IsAuthenticated= _sessionUserService.IsAuthenticated
        });
-        UseRequirement(new MustBeInRolesRequirement
+        UseRequirement(new MustBeInAnyOfRolesRequirement
        {
            RequiredRoles = [IdentityRole.Administrator],
            UserRoles = _sessionUserService.Roles
--- a/src/Application/Identity/Accounts/Queries/GetAccount/GetAccountQueryAuthorizer.cs
+++ b/src/Application/Identity/Accounts/Queries/GetAccount/GetAccountQueryAuthorizer.cs
@ -22,7 +22,7 @@ public class GetAccountQueryAuthorizer :
            IsAuthenticated= _sessionUserService.IsAuthenticated
        });
-        UseRequirement(new MustBeInRolesRequirement
+        UseRequirement(new MustBeInAnyOfRolesRequirement
        {
            RequiredRoles = [IdentityRole.Administrator],
            UserRoles = _sessionUserService.Roles
--- a/src/Application/Identity/Accounts/Queries/GetAccountsPage/GetAccountsPageQueryAuthorizer.cs
+++ b/src/Application/Identity/Accounts/Queries/GetAccountsPage/GetAccountsPageQueryAuthorizer.cs
@ -22,7 +22,7 @@ public class GetAccountsPageQueryAuthorizer :
            IsAuthenticated= _sessionUserService.IsAuthenticated
        });
-        UseRequirement(new MustBeInRolesRequirement
+        UseRequirement(new MustBeInAnyOfRolesRequirement
        {
            RequiredRoles = [IdentityRole.Administrator],
            UserRoles = _sessionUserService.Roles
--- a/src/Application/Identity/Roles/Queries/GetRolesPage/GetRolesPageQueryAuthorizer.cs
+++ b/src/Application/Identity/Roles/Queries/GetRolesPage/GetRolesPageQueryAuthorizer.cs
@ -22,7 +22,7 @@ public class GetRolesPageQueryAuthorizer :
            IsAuthenticated= _sessionUserService.IsAuthenticated
        });
-        UseRequirement(new MustBeInRolesRequirement
+        UseRequirement(new MustBeInAnyOfRolesRequirement
        {
            RequiredRoles = [IdentityRole.Administrator],
            UserRoles = _sessionUserService.Roles
--- a/src/Application/Regions/Commands/AddRegion/AddRegionCommandAuthorizer.cs
+++ b/src/Application/Regions/Commands/AddRegion/AddRegionCommandAuthorizer.cs
@ -22,7 +22,7 @@ public class AddRegionCommandAuthorizer :
            IsAuthenticated= _sessionUserService.IsAuthenticated
        });
-        UseRequirement(new MustBeInRolesRequirement
+        UseRequirement(new MustBeInAnyOfRolesRequirement
        {
            RequiredRoles = [IdentityRole.Administrator],
            UserRoles = _sessionUserService.Roles
--- a/src/Application/Regions/Commands/DeleteRegion/DeleteRegionCommandAuthorizer.cs
+++ b/src/Application/Regions/Commands/DeleteRegion/DeleteRegionCommandAuthorizer.cs
@ -22,7 +22,7 @@ public class DeleteRegionCommandAuthorizer :
            IsAuthenticated= _sessionUserService.IsAuthenticated
        });
-        UseRequirement(new MustBeInRolesRequirement
+        UseRequirement(new MustBeInAnyOfRolesRequirement
        {
            RequiredRoles = [IdentityRole.Administrator],
            UserRoles = _sessionUserService.Roles
--- a/src/Application/Regions/Commands/UpdateRegion/UpdateRegionCommandAuthorizer.cs
+++ b/src/Application/Regions/Commands/UpdateRegion/UpdateRegionCommandAuthorizer.cs
@ -22,7 +22,7 @@ public class UpdateRegionCommandAuthorizer :
            IsAuthenticated= _sessionUserService.IsAuthenticated
        });
-        UseRequirement(new MustBeInRolesRequirement
+        UseRequirement(new MustBeInAnyOfRolesRequirement
        {
            RequiredRoles = [IdentityRole.Administrator],
            UserRoles = _sessionUserService.Roles
--- a/src/Application/Regions/Queries/GetRegion/GetRegionQueryAuthorizer.cs
+++ b/src/Application/Regions/Queries/GetRegion/GetRegionQueryAuthorizer.cs
@ -22,9 +22,10 @@ public class GetRegionQueryAuthorizer :
            IsAuthenticated= _sessionUserService.IsAuthenticated
        });
-        UseRequirement(new MustBeInRolesRequirement
+        UseRequirement(new MustBeInAnyOfRolesRequirement
        {
-            RequiredRoles = [IdentityRole.Administrator],
+            RequiredRoles =
                [IdentityRole.Administrator, IdentityRole.CompanyOwner],
            UserRoles = _sessionUserService.Roles
        });
    }
--- a/src/Application/Regions/Queries/GetRegionsPage/GetRegionsPageQueryAuthorizer.cs
+++ b/src/Application/Regions/Queries/GetRegionsPage/GetRegionsPageQueryAuthorizer.cs
@ -22,9 +22,10 @@ public class GetRegionsPageQueryAuthorizer :
            IsAuthenticated= _sessionUserService.IsAuthenticated
        });
-        UseRequirement(new MustBeInRolesRequirement
+        UseRequirement(new MustBeInAnyOfRolesRequirement
        {
-            RequiredRoles = [IdentityRole.Administrator],
+            RequiredRoles =
                [IdentityRole.Administrator, IdentityRole.CompanyOwner],
            UserRoles = _sessionUserService.Roles
        });
    }
--- a/src/Application/Routes/Commands/AddRoute/AddRouteCommandAuthorizer.cs
+++ b/src/Application/Routes/Commands/AddRoute/AddRouteCommandAuthorizer.cs
@ -19,12 +19,13 @@ public class AddRouteCommandAuthorizer :
    {
        UseRequirement(new MustBeAuthenticatedRequirement
        {
-            IsAuthenticated= _sessionUserService.IsAuthenticated
+            IsAuthenticated = _sessionUserService.IsAuthenticated
        });
-        UseRequirement(new MustBeInRolesRequirement
+        UseRequirement(new MustBeInAnyOfRolesRequirement
        {
-            RequiredRoles = [IdentityRole.Administrator],
+            RequiredRoles =
                [IdentityRole.Administrator, IdentityRole.CompanyOwner],
            UserRoles = _sessionUserService.Roles
        });
    }
--- a/src/Application/Routes/Commands/DeleteRoute/DeleteRouteCommandAuthorizer.cs
+++ b/src/Application/Routes/Commands/DeleteRoute/DeleteRouteCommandAuthorizer.cs
@ -22,7 +22,7 @@ public class DeleteRouteCommandAuthorizer :
            IsAuthenticated= _sessionUserService.IsAuthenticated
        });
-        UseRequirement(new MustBeInRolesRequirement
+        UseRequirement(new MustBeInAnyOfRolesRequirement
        {
            RequiredRoles = [IdentityRole.Administrator],
            UserRoles = _sessionUserService.Roles
--- a/src/Application/Routes/Commands/UpdateRoute/UpdateRouteCommandAuthorizer.cs
+++ b/src/Application/Routes/Commands/UpdateRoute/UpdateRouteCommandAuthorizer.cs
@ -22,7 +22,7 @@ public class UpdateRouteCommandAuthorizer :
            IsAuthenticated= _sessionUserService.IsAuthenticated
        });
-        UseRequirement(new MustBeInRolesRequirement
+        UseRequirement(new MustBeInAnyOfRolesRequirement
        {
            RequiredRoles = [IdentityRole.Administrator],
            UserRoles = _sessionUserService.Roles
--- a/src/Application/Routes/Queries/GetRoute/GetRouteQueryAuthorizer.cs
+++ b/src/Application/Routes/Queries/GetRoute/GetRouteQueryAuthorizer.cs
@ -19,12 +19,13 @@ public class GetRouteQueryAuthorizer :
    {
        UseRequirement(new MustBeAuthenticatedRequirement
        {
-            IsAuthenticated= _sessionUserService.IsAuthenticated
+            IsAuthenticated = _sessionUserService.IsAuthenticated
        });
-        UseRequirement(new MustBeInRolesRequirement
+        UseRequirement(new MustBeInAnyOfRolesRequirement
        {
-            RequiredRoles = [IdentityRole.Administrator],
+            RequiredRoles =
                [IdentityRole.Administrator, IdentityRole.CompanyOwner],
            UserRoles = _sessionUserService.Roles
        });
    }
--- a/src/Application/Routes/Queries/GetRoutesPage/GetRoutesPageQueryAuthorizer.cs
+++ b/src/Application/Routes/Queries/GetRoutesPage/GetRoutesPageQueryAuthorizer.cs
@ -22,9 +22,10 @@ public class GetRoutesPageQueryAuthorizer :
            IsAuthenticated= _sessionUserService.IsAuthenticated
        });
-        UseRequirement(new MustBeInRolesRequirement
+        UseRequirement(new MustBeInAnyOfRolesRequirement
        {
-            RequiredRoles = [IdentityRole.Administrator],
+            RequiredRoles =
                [IdentityRole.Administrator, IdentityRole.CompanyOwner],
            UserRoles = _sessionUserService.Roles
        });
    }
--- a/src/Application/TicketGroups/Commands/AddTicketGroup/AddTicketGroupCommandAuthorizer.cs
+++ b/src/Application/TicketGroups/Commands/AddTicketGroup/AddTicketGroupCommandAuthorizer.cs
@ -19,10 +19,10 @@ public class AddTicketGroupCommandAuthorizer :
    {
        UseRequirement(new MustBeAuthenticatedRequirement
        {
-            IsAuthenticated= _sessionUserService.IsAuthenticated
+            IsAuthenticated = _sessionUserService.IsAuthenticated
        });
-        UseRequirement(new MustBeInRolesRequirement
+        UseRequirement(new MustBeInAnyOfRolesRequirement
        {
            RequiredRoles = [IdentityRole.Administrator],
            UserRoles = _sessionUserService.Roles
--- a/src/Application/TicketGroups/Queries/GetTicketGroup/GetTicketGroupQueryAuthorizer.cs
+++ b/src/Application/TicketGroups/Queries/GetTicketGroup/GetTicketGroupQueryAuthorizer.cs
@ -1,6 +1,6 @@
 using cuqmbr.TravelGuide.Application.Common.Authorization;
 using cuqmbr.TravelGuide.Application.Common.Persistence;
 using cuqmbr.TravelGuide.Application.Common.Services;
 using cuqmbr.TravelGuide.Domain.Enums;
 using MediatR.Behaviors.Authorization;
 namespace cuqmbr.TravelGuide.Application.TicketGroups.Queries.GetTicketGroup;
@ -9,23 +9,34 @@ public class GetTicketGroupQueryAuthorizer :
    AbstractRequestAuthorizer<GetTicketGroupQuery>
 {
    private readonly SessionUserService _sessionUserService;
    private readonly UnitOfWork _unitOfWork;
-    public GetTicketGroupQueryAuthorizer(SessionUserService sessionUserService)
+    public GetTicketGroupQueryAuthorizer(
        SessionUserService sessionUserService,
        UnitOfWork unitOfWork)
    {
        _sessionUserService = sessionUserService;
        _unitOfWork = unitOfWork;
    }
    public override void BuildPolicy(GetTicketGroupQuery request)
    {
        UseRequirement(new MustBeAuthenticatedRequirement
        {
-            IsAuthenticated= _sessionUserService.IsAuthenticated
+            IsAuthenticated = _sessionUserService.IsAuthenticated
        });
-        UseRequirement(new MustBeInRolesRequirement
+        var ticketGroup = _unitOfWork.TicketGroupRepository
            .GetOneAsync(
                e => e.Guid == request.Guid, e => e.Account!,
                CancellationToken.None)
            .Result;
        UseRequirement(new MustBeObjectOwnerOrAdminRequirement
        {
-            RequiredRoles = [IdentityRole.Administrator],
+            UserRoles = _sessionUserService.Roles,
-            UserRoles = _sessionUserService.Roles
+            RequiredGuid = ticketGroup?.Account?.Guid,
            UserGuid = _sessionUserService.Guid
        });
    }
 }
--- a/src/Application/TicketGroups/Queries/GetTicketGroupsPage/GetTicketGroupsPageQueryAuthorizer.cs
+++ b/src/Application/TicketGroups/Queries/GetTicketGroupsPage/GetTicketGroupsPageQueryAuthorizer.cs
@ -1,6 +1,6 @@
 using cuqmbr.TravelGuide.Application.Common.Authorization;
 using cuqmbr.TravelGuide.Application.Common.Persistence;
 using cuqmbr.TravelGuide.Application.Common.Services;
 using cuqmbr.TravelGuide.Domain.Enums;
 using MediatR.Behaviors.Authorization;
 namespace cuqmbr.TravelGuide.Application.TicketGroups.Queries.GetTicketGroupsPage;
@ -9,23 +9,33 @@ public class GetTicketGroupsPageQueryAuthorizer :
    AbstractRequestAuthorizer<GetTicketGroupsPageQuery>
 {
    private readonly SessionUserService _sessionUserService;
    private readonly UnitOfWork _unitOfWork;
-    public GetTicketGroupsPageQueryAuthorizer(SessionUserService sessionUserService)
+    public GetTicketGroupsPageQueryAuthorizer(
        SessionUserService sessionUserService,
        UnitOfWork unitOfWork)
    {
        _sessionUserService = sessionUserService;
        _unitOfWork = unitOfWork;
    }
    public override void BuildPolicy(GetTicketGroupsPageQuery request)
    {
        UseRequirement(new MustBeAuthenticatedRequirement
        {
-            IsAuthenticated= _sessionUserService.IsAuthenticated
+            IsAuthenticated = _sessionUserService.IsAuthenticated
        });
-        UseRequirement(new MustBeInRolesRequirement
+        var account = _unitOfWork.AccountRepository
            .GetOneAsync(
                e => e.Guid == request.AccountGuid, CancellationToken.None)
            .Result;
        UseRequirement(new MustBeObjectOwnerOrAdminRequirement
        {
-            RequiredRoles = [IdentityRole.Administrator],
+            UserRoles = _sessionUserService.Roles,
-            UserRoles = _sessionUserService.Roles
+            RequiredGuid = account?.Guid,
            UserGuid = _sessionUserService.Guid
        });
    }
 }
--- a/src/Application/Trains/Commands/AddTrain/AddTrainCommandAuthorizer.cs
+++ b/src/Application/Trains/Commands/AddTrain/AddTrainCommandAuthorizer.cs
@ -1,6 +1,6 @@
 using cuqmbr.TravelGuide.Application.Common.Authorization;
 using cuqmbr.TravelGuide.Application.Common.Persistence;
 using cuqmbr.TravelGuide.Application.Common.Services;
 using cuqmbr.TravelGuide.Domain.Enums;
 using MediatR.Behaviors.Authorization;
 namespace cuqmbr.TravelGuide.Application.Trains.Commands.AddTrain;
@ -9,23 +9,34 @@ public class AddTrainCommandAuthorizer :
    AbstractRequestAuthorizer<AddTrainCommand>
 {
    private readonly SessionUserService _sessionUserService;
    private readonly UnitOfWork _unitOfWork;
-    public AddTrainCommandAuthorizer(SessionUserService sessionUserService)
+    public AddTrainCommandAuthorizer(
        SessionUserService sessionUserService,
        UnitOfWork unitOfWork)
    {
        _sessionUserService = sessionUserService;
        _unitOfWork = unitOfWork;
    }
    public override void BuildPolicy(AddTrainCommand request)
    {
        UseRequirement(new MustBeAuthenticatedRequirement
        {
-            IsAuthenticated= _sessionUserService.IsAuthenticated
+            IsAuthenticated = _sessionUserService.IsAuthenticated
        });
-        UseRequirement(new MustBeInRolesRequirement
+        var company = _unitOfWork.CompanyRepository
            .GetOneAsync(
                e => e.Guid == request.CompanyGuid, e => e.Account,
                CancellationToken.None)
            .Result;
        UseRequirement(new MustBeObjectOwnerOrAdminRequirement
        {
-            RequiredRoles = [IdentityRole.Administrator],
+            UserRoles = _sessionUserService.Roles,
-            UserRoles = _sessionUserService.Roles
+            RequiredGuid = company?.Account.Guid,
            UserGuid = _sessionUserService.Guid
        });
    }
 }
--- a/src/Application/Trains/Commands/DeleteTrain/DeleteTrainCommandAuthorizer.cs
+++ b/src/Application/Trains/Commands/DeleteTrain/DeleteTrainCommandAuthorizer.cs
@ -1,6 +1,6 @@
 using cuqmbr.TravelGuide.Application.Common.Authorization;
 using cuqmbr.TravelGuide.Application.Common.Persistence;
 using cuqmbr.TravelGuide.Application.Common.Services;
 using cuqmbr.TravelGuide.Domain.Enums;
 using MediatR.Behaviors.Authorization;
 namespace cuqmbr.TravelGuide.Application.Trains.Commands.DeleteTrain;
@ -9,23 +9,34 @@ public class DeleteTrainCommandAuthorizer :
    AbstractRequestAuthorizer<DeleteTrainCommand>
 {
    private readonly SessionUserService _sessionUserService;
    private readonly UnitOfWork _unitOfWork;
-    public DeleteTrainCommandAuthorizer(SessionUserService sessionUserService)
+    public DeleteTrainCommandAuthorizer(
        SessionUserService sessionUserService,
        UnitOfWork unitOfWork)
    {
        _sessionUserService = sessionUserService;
        _unitOfWork = unitOfWork;
    }
    public override void BuildPolicy(DeleteTrainCommand request)
    {
        UseRequirement(new MustBeAuthenticatedRequirement
        {
-            IsAuthenticated= _sessionUserService.IsAuthenticated
+            IsAuthenticated = _sessionUserService.IsAuthenticated
        });
-        UseRequirement(new MustBeInRolesRequirement
+        var vehicel = _unitOfWork.VehicleRepository
            .GetOneAsync(
                e => e.Guid == request.Guid, e => e.Company.Account,
                CancellationToken.None)
            .Result;
        UseRequirement(new MustBeObjectOwnerOrAdminRequirement
        {
-            RequiredRoles = [IdentityRole.Administrator],
+            UserRoles = _sessionUserService.Roles,
-            UserRoles = _sessionUserService.Roles
+            RequiredGuid = vehicel?.Company.Account.Guid,
            UserGuid = _sessionUserService.Guid
        });
    }
 }
--- a/src/Application/Trains/Commands/UpdateTrain/UpdateTrainCommandAuthorizer.cs
+++ b/src/Application/Trains/Commands/UpdateTrain/UpdateTrainCommandAuthorizer.cs
@ -1,6 +1,6 @@
 using cuqmbr.TravelGuide.Application.Common.Authorization;
 using cuqmbr.TravelGuide.Application.Common.Persistence;
 using cuqmbr.TravelGuide.Application.Common.Services;
 using cuqmbr.TravelGuide.Domain.Enums;
 using MediatR.Behaviors.Authorization;
 namespace cuqmbr.TravelGuide.Application.Trains.Commands.UpdateTrain;
@ -9,23 +9,34 @@ public class UpdateTrainCommandAuthorizer :
    AbstractRequestAuthorizer<UpdateTrainCommand>
 {
    private readonly SessionUserService _sessionUserService;
    private readonly UnitOfWork _unitOfWork;
-    public UpdateTrainCommandAuthorizer(SessionUserService sessionUserService)
+    public UpdateTrainCommandAuthorizer(
        SessionUserService sessionUserService,
        UnitOfWork unitOfWork)
    {
        _sessionUserService = sessionUserService;
        _unitOfWork = unitOfWork;
    }
    public override void BuildPolicy(UpdateTrainCommand request)
    {
        UseRequirement(new MustBeAuthenticatedRequirement
        {
-            IsAuthenticated= _sessionUserService.IsAuthenticated
+            IsAuthenticated = _sessionUserService.IsAuthenticated
        });
-        UseRequirement(new MustBeInRolesRequirement
+        var company = _unitOfWork.CompanyRepository
            .GetOneAsync(
                e => e.Guid == request.CompanyGuid, e => e.Account,
                CancellationToken.None)
            .Result;
        UseRequirement(new MustBeObjectOwnerOrAdminRequirement
        {
-            RequiredRoles = [IdentityRole.Administrator],
+            UserRoles = _sessionUserService.Roles,
-            UserRoles = _sessionUserService.Roles
+            RequiredGuid = company?.Account.Guid,
            UserGuid = _sessionUserService.Guid
        });
    }
 }
--- a/src/Application/Trains/Queries/GetTrain/GetTrainQueryAuthorizer.cs
+++ b/src/Application/Trains/Queries/GetTrain/GetTrainQueryAuthorizer.cs
@ -1,6 +1,6 @@
 using cuqmbr.TravelGuide.Application.Common.Authorization;
 using cuqmbr.TravelGuide.Application.Common.Persistence;
 using cuqmbr.TravelGuide.Application.Common.Services;
 using cuqmbr.TravelGuide.Domain.Enums;
 using MediatR.Behaviors.Authorization;
 namespace cuqmbr.TravelGuide.Application.Trains.Queries.GetTrain;
@ -9,23 +9,34 @@ public class GetTrainQueryAuthorizer :
    AbstractRequestAuthorizer<GetTrainQuery>
 {
    private readonly SessionUserService _sessionUserService;
    private readonly UnitOfWork _unitOfWork;
-    public GetTrainQueryAuthorizer(SessionUserService sessionUserService)
+    public GetTrainQueryAuthorizer(
        SessionUserService sessionUserService,
        UnitOfWork unitOfWork)
    {
        _sessionUserService = sessionUserService;
        _unitOfWork = unitOfWork;
    }
    public override void BuildPolicy(GetTrainQuery request)
    {
        UseRequirement(new MustBeAuthenticatedRequirement
        {
-            IsAuthenticated= _sessionUserService.IsAuthenticated
+            IsAuthenticated = _sessionUserService.IsAuthenticated
        });
-        UseRequirement(new MustBeInRolesRequirement
+        var vehicel = _unitOfWork.VehicleRepository
            .GetOneAsync(
                e => e.Guid == request.Guid, e => e.Company.Account,
                CancellationToken.None)
            .Result;
        UseRequirement(new MustBeObjectOwnerOrAdminRequirement
        {
-            RequiredRoles = [IdentityRole.Administrator],
+            UserRoles = _sessionUserService.Roles,
-            UserRoles = _sessionUserService.Roles
+            RequiredGuid = vehicel?.Company.Account.Guid,
            UserGuid = _sessionUserService.Guid
        });
    }
 }
--- a/src/Application/Trains/Queries/GetTrainsPage/GetTrainsPageQueryAuthorizer.cs
+++ b/src/Application/Trains/Queries/GetTrainsPage/GetTrainsPageQueryAuthorizer.cs
@ -1,6 +1,6 @@
 using cuqmbr.TravelGuide.Application.Common.Authorization;
 using cuqmbr.TravelGuide.Application.Common.Persistence;
 using cuqmbr.TravelGuide.Application.Common.Services;
 using cuqmbr.TravelGuide.Domain.Enums;
 using MediatR.Behaviors.Authorization;
 namespace cuqmbr.TravelGuide.Application.Trains.Queries.GetTrainsPage;
@ -9,23 +9,34 @@ public class GetTrainsPageQueryAuthorizer :
    AbstractRequestAuthorizer<GetTrainsPageQuery>
 {
    private readonly SessionUserService _sessionUserService;
    private readonly UnitOfWork _unitOfWork;
-    public GetTrainsPageQueryAuthorizer(SessionUserService sessionUserService)
+    public GetTrainsPageQueryAuthorizer(
        SessionUserService sessionUserService,
        UnitOfWork unitOfWork)
    {
        _sessionUserService = sessionUserService;
        _unitOfWork = unitOfWork;
    }
    public override void BuildPolicy(GetTrainsPageQuery request)
    {
        UseRequirement(new MustBeAuthenticatedRequirement
        {
-            IsAuthenticated= _sessionUserService.IsAuthenticated
+            IsAuthenticated = _sessionUserService.IsAuthenticated
        });
-        UseRequirement(new MustBeInRolesRequirement
+        var company = _unitOfWork.CompanyRepository
            .GetOneAsync(
                e => e.Guid == request.CompanyGuid, e => e.Account,
                CancellationToken.None)
            .Result;
        UseRequirement(new MustBeObjectOwnerOrAdminRequirement
        {
-            RequiredRoles = [IdentityRole.Administrator],
+            UserRoles = _sessionUserService.Roles,
-            UserRoles = _sessionUserService.Roles
+            RequiredGuid = company?.Account.Guid,
            UserGuid = _sessionUserService.Guid
        });
    }
 }
--- a/src/Application/VehicleEnrollmentSearch/Queries/SearchAll/SearchAllQueryAuthorizer.cs
+++ b/src/Application/VehicleEnrollmentSearch/Queries/SearchAll/SearchAllQueryAuthorizer.cs
@ -1,6 +1,4 @@
 using cuqmbr.TravelGuide.Application.Common.Authorization;
 using cuqmbr.TravelGuide.Application.Common.Services;
 using cuqmbr.TravelGuide.Domain.Enums;
 using MediatR.Behaviors.Authorization;
 namespace cuqmbr.TravelGuide.Application
@ -9,25 +7,8 @@ namespace cuqmbr.TravelGuide.Application
 public class SearchAllQueryAuthorizer :
    AbstractRequestAuthorizer<SearchAllQuery>
 {
    private readonly SessionUserService _sessionUserService;
    public SearchAllQueryAuthorizer(
        SessionUserService sessionUserService)
    {
        _sessionUserService = sessionUserService;
    }
    public override void BuildPolicy(SearchAllQuery request)
    {
-        UseRequirement(new MustBeAuthenticatedRequirement
+        UseRequirement(new AllowAllRequirement());
        {
            IsAuthenticated= _sessionUserService.IsAuthenticated
        });
        UseRequirement(new MustBeInRolesRequirement
        {
            RequiredRoles = [IdentityRole.Administrator],
            UserRoles = _sessionUserService.Roles
        });
    }
 }
--- a/src/Application/VehicleEnrollmentSearch/Queries/SearchShortest/SearchShortestQueryAuthorizer.cs
+++ b/src/Application/VehicleEnrollmentSearch/Queries/SearchShortest/SearchShortestQueryAuthorizer.cs
@ -1,6 +1,4 @@
 using cuqmbr.TravelGuide.Application.Common.Authorization;
 using cuqmbr.TravelGuide.Application.Common.Services;
 using cuqmbr.TravelGuide.Domain.Enums;
 using MediatR.Behaviors.Authorization;
 namespace cuqmbr.TravelGuide.Application
@ -9,25 +7,8 @@ namespace cuqmbr.TravelGuide.Application
 public class SearchShortestQueryAuthorizer :
    AbstractRequestAuthorizer<SearchShortestQuery>
 {
    private readonly SessionUserService _sessionUserService;
    public SearchShortestQueryAuthorizer(
        SessionUserService sessionUserService)
    {
        _sessionUserService = sessionUserService;
    }
    public override void BuildPolicy(SearchShortestQuery request)
    {
-        UseRequirement(new MustBeAuthenticatedRequirement
+        UseRequirement(new AllowAllRequirement());
        {
            IsAuthenticated= _sessionUserService.IsAuthenticated
        });
        UseRequirement(new MustBeInRolesRequirement
        {
            RequiredRoles = [IdentityRole.Administrator],
            UserRoles = _sessionUserService.Roles
        });
    }
 }
--- a/src/Application/VehicleEnrollments/Commands/AddVehicleEnrollment/AddVehicleEnrollmentCommandAuthorizer.cs
+++ b/src/Application/VehicleEnrollments/Commands/AddVehicleEnrollment/AddVehicleEnrollmentCommandAuthorizer.cs
@ -1,6 +1,6 @@
 using cuqmbr.TravelGuide.Application.Common.Authorization;
 using cuqmbr.TravelGuide.Application.Common.Persistence;
 using cuqmbr.TravelGuide.Application.Common.Services;
 using cuqmbr.TravelGuide.Domain.Enums;
 using MediatR.Behaviors.Authorization;
 namespace cuqmbr.TravelGuide.Application.VehicleEnrollments
@ -10,23 +10,51 @@ public class AddVehicleEnrollmentCommandAuthorizer :
    AbstractRequestAuthorizer<AddVehicleEnrollmentCommand>
 {
    private readonly SessionUserService _sessionUserService;
    private readonly UnitOfWork _unitOfWork;
-    public AddVehicleEnrollmentCommandAuthorizer(SessionUserService sessionUserService)
+    public AddVehicleEnrollmentCommandAuthorizer(
        SessionUserService sessionUserService,
        UnitOfWork unitOfWork)
    {
        _sessionUserService = sessionUserService;
        _unitOfWork = unitOfWork;
    }
    public override void BuildPolicy(AddVehicleEnrollmentCommand request)
    {
        UseRequirement(new MustBeAuthenticatedRequirement
        {
-            IsAuthenticated= _sessionUserService.IsAuthenticated
+            IsAuthenticated = _sessionUserService.IsAuthenticated
        });
-        UseRequirement(new MustBeInRolesRequirement
+        var vehicle = _unitOfWork.VehicleRepository
            .GetOneAsync(
                e => e.Guid == request.VehicleGuid, e => e.Company.Account,
                CancellationToken.None)
            .Result;
        var employees = _unitOfWork.EmployeeRepository
            .GetPageAsync(
                e => request.EmployeeGuids.Contains(e.Guid),
                e => e.Company.Account,
                1, request.EmployeeGuids.Count, CancellationToken.None)
            .Result.Items;
        UseRequirement(new MustBeObjectOwnerOrAdminRequirement
        {
-            RequiredRoles = [IdentityRole.Administrator],
+            UserRoles = _sessionUserService.Roles,
-            UserRoles = _sessionUserService.Roles
+            RequiredGuid = vehicle?.Company.Account.Guid,
            UserGuid = _sessionUserService.Guid
        });
        foreach (var employee in employees)
        {
            UseRequirement(new MustBeObjectOwnerOrAdminRequirement
            {
                UserRoles = _sessionUserService.Roles,
                RequiredGuid = employee.Company.Account.Guid,
                UserGuid = _sessionUserService.Guid
            });
        }
    }
 }
--- a/src/Application/VehicleEnrollments/Commands/DeleteVehicleEnrollment/DeleteVehicleEnrollmentCommandAuthorizer.cs
+++ b/src/Application/VehicleEnrollments/Commands/DeleteVehicleEnrollment/DeleteVehicleEnrollmentCommandAuthorizer.cs
@ -1,6 +1,6 @@
 using cuqmbr.TravelGuide.Application.Common.Authorization;
 using cuqmbr.TravelGuide.Application.Common.Persistence;
 using cuqmbr.TravelGuide.Application.Common.Services;
 using cuqmbr.TravelGuide.Domain.Enums;
 using MediatR.Behaviors.Authorization;
 namespace cuqmbr.TravelGuide.Application.VehicleEnrollments.Commands.DeleteVehicleEnrollment;
@ -9,23 +9,34 @@ public class DeleteVehicleEnrollmentCommandAuthorizer :
    AbstractRequestAuthorizer<DeleteVehicleEnrollmentCommand>
 {
    private readonly SessionUserService _sessionUserService;
    private readonly UnitOfWork _unitOfWork;
-    public DeleteVehicleEnrollmentCommandAuthorizer(SessionUserService sessionUserService)
+    public DeleteVehicleEnrollmentCommandAuthorizer(
        SessionUserService sessionUserService,
        UnitOfWork unitOfWork)
    {
        _sessionUserService = sessionUserService;
        _unitOfWork = unitOfWork;
    }
    public override void BuildPolicy(DeleteVehicleEnrollmentCommand request)
    {
        UseRequirement(new MustBeAuthenticatedRequirement
        {
-            IsAuthenticated= _sessionUserService.IsAuthenticated
+            IsAuthenticated = _sessionUserService.IsAuthenticated
        });
-        UseRequirement(new MustBeInRolesRequirement
+        var vehicelEnrollment = _unitOfWork.VehicleEnrollmentRepository
            .GetOneAsync(
                e => e.Guid == request.Guid, e => e.Vehicle.Company.Account,
                CancellationToken.None)
            .Result;
        UseRequirement(new MustBeObjectOwnerOrAdminRequirement
        {
-            RequiredRoles = [IdentityRole.Administrator],
+            UserRoles = _sessionUserService.Roles,
-            UserRoles = _sessionUserService.Roles
+            RequiredGuid = vehicelEnrollment?.Vehicle.Company.Account.Guid,
            UserGuid = _sessionUserService.Guid
        });
    }
 }
--- a/src/Application/VehicleEnrollments/Commands/UpdateVehicleEnrollment/UpdateVehicleEnrollmentCommandAuthorizer.cs
+++ b/src/Application/VehicleEnrollments/Commands/UpdateVehicleEnrollment/UpdateVehicleEnrollmentCommandAuthorizer.cs
@ -1,6 +1,6 @@
 using cuqmbr.TravelGuide.Application.Common.Authorization;
 using cuqmbr.TravelGuide.Application.Common.Persistence;
 using cuqmbr.TravelGuide.Application.Common.Services;
 using cuqmbr.TravelGuide.Domain.Enums;
 using MediatR.Behaviors.Authorization;
 namespace cuqmbr.TravelGuide.Application.VehicleEnrollments
@ -10,24 +10,51 @@ public class UpdateVehicleEnrollmentCommandAuthorizer :
    AbstractRequestAuthorizer<UpdateVehicleEnrollmentCommand>
 {
    private readonly SessionUserService _sessionUserService;
    private readonly UnitOfWork _unitOfWork;
    public UpdateVehicleEnrollmentCommandAuthorizer(
-        SessionUserService sessionUserService)
+        SessionUserService sessionUserService,
        UnitOfWork unitOfWork)
    {
        _sessionUserService = sessionUserService;
        _unitOfWork = unitOfWork;
    }
    public override void BuildPolicy(UpdateVehicleEnrollmentCommand request)
    {
        UseRequirement(new MustBeAuthenticatedRequirement
        {
-            IsAuthenticated= _sessionUserService.IsAuthenticated
+            IsAuthenticated = _sessionUserService.IsAuthenticated
        });
-        UseRequirement(new MustBeInRolesRequirement
+        var vehicleEnrollment = _unitOfWork.VehicleEnrollmentRepository
            .GetOneAsync(
                e => e.Guid == request.Guid, e => e.Vehicle.Company.Account,
                CancellationToken.None)
            .Result;
        var employees = _unitOfWork.EmployeeRepository
            .GetPageAsync(
                e => request.EmployeeGuids.Contains(e.Guid),
                e => e.Company.Account,
                1, request.EmployeeGuids.Count, CancellationToken.None)
            .Result.Items;
        UseRequirement(new MustBeObjectOwnerOrAdminRequirement
        {
-            RequiredRoles = [IdentityRole.Administrator],
+            UserRoles = _sessionUserService.Roles,
-            UserRoles = _sessionUserService.Roles
+            RequiredGuid = vehicleEnrollment?.Vehicle.Company.Account.Guid,
            UserGuid = _sessionUserService.Guid
        });
        foreach (var employee in employees)
        {
            UseRequirement(new MustBeObjectOwnerOrAdminRequirement
            {
                UserRoles = _sessionUserService.Roles,
                RequiredGuid = employee.Company.Account.Guid,
                UserGuid = _sessionUserService.Guid
            });
        }
    }
 }
--- a/src/Application/VehicleEnrollments/Queries/GetVehicleEnrollment/GetVehicleEnrollmentQueryAuthorizer.cs
+++ b/src/Application/VehicleEnrollments/Queries/GetVehicleEnrollment/GetVehicleEnrollmentQueryAuthorizer.cs
@ -1,6 +1,6 @@
 using cuqmbr.TravelGuide.Application.Common.Authorization;
 using cuqmbr.TravelGuide.Application.Common.Persistence;
 using cuqmbr.TravelGuide.Application.Common.Services;
 using cuqmbr.TravelGuide.Domain.Enums;
 using MediatR.Behaviors.Authorization;
 namespace cuqmbr.TravelGuide.Application.VehicleEnrollments
@ -10,23 +10,34 @@ public class GetVehicleEnrollmentQueryAuthorizer :
    AbstractRequestAuthorizer<GetVehicleEnrollmentQuery>
 {
    private readonly SessionUserService _sessionUserService;
    private readonly UnitOfWork _unitOfWork;
-    public GetVehicleEnrollmentQueryAuthorizer(SessionUserService sessionUserService)
+    public GetVehicleEnrollmentQueryAuthorizer(
        SessionUserService sessionUserService,
        UnitOfWork unitOfWork)
    {
        _sessionUserService = sessionUserService;
        _unitOfWork = unitOfWork;
    }
    public override void BuildPolicy(GetVehicleEnrollmentQuery request)
    {
        UseRequirement(new MustBeAuthenticatedRequirement
        {
-            IsAuthenticated= _sessionUserService.IsAuthenticated
+            IsAuthenticated = _sessionUserService.IsAuthenticated
        });
-        UseRequirement(new MustBeInRolesRequirement
+        var vehicelEnrollment = _unitOfWork.VehicleEnrollmentRepository
            .GetOneAsync(
                e => e.Guid == request.Guid, e => e.Vehicle.Company.Account,
                CancellationToken.None)
            .Result;
        UseRequirement(new MustBeObjectOwnerOrAdminRequirement
        {
-            RequiredRoles = [IdentityRole.Administrator],
+            UserRoles = _sessionUserService.Roles,
-            UserRoles = _sessionUserService.Roles
+            RequiredGuid = vehicelEnrollment?.Vehicle.Company.Account.Guid,
            UserGuid = _sessionUserService.Guid
        });
    }
 }
--- a/src/Application/VehicleEnrollments/Queries/GetVehicleEnrollmentsPage/GetVehicleEnrollmentsPageQueryAuthorizer.cs
+++ b/src/Application/VehicleEnrollments/Queries/GetVehicleEnrollmentsPage/GetVehicleEnrollmentsPageQueryAuthorizer.cs
@ -1,6 +1,6 @@
 using cuqmbr.TravelGuide.Application.Common.Authorization;
 using cuqmbr.TravelGuide.Application.Common.Persistence;
 using cuqmbr.TravelGuide.Application.Common.Services;
 using cuqmbr.TravelGuide.Domain.Enums;
 using MediatR.Behaviors.Authorization;
 namespace cuqmbr.TravelGuide.Application.VehicleEnrollments.Queries.GetVehicleEnrollmentsPage;
@ -9,23 +9,34 @@ public class GetVehicleEnrollmentsPageQueryAuthorizer :
    AbstractRequestAuthorizer<GetVehicleEnrollmentsPageQuery>
 {
    private readonly SessionUserService _sessionUserService;
    private readonly UnitOfWork _unitOfWork;
-    public GetVehicleEnrollmentsPageQueryAuthorizer(SessionUserService sessionUserService)
+    public GetVehicleEnrollmentsPageQueryAuthorizer(
        SessionUserService sessionUserService,
        UnitOfWork unitOfWork)
    {
        _sessionUserService = sessionUserService;
        _unitOfWork = unitOfWork;
    }
    public override void BuildPolicy(GetVehicleEnrollmentsPageQuery request)
    {
        UseRequirement(new MustBeAuthenticatedRequirement
        {
-            IsAuthenticated= _sessionUserService.IsAuthenticated
+            IsAuthenticated = _sessionUserService.IsAuthenticated
        });
-        UseRequirement(new MustBeInRolesRequirement
+        var vehicles = _unitOfWork.VehicleRepository
            .GetOneAsync(
                e => e.Guid == request.VehicleGuid, e => e.Company.Account,
                CancellationToken.None)
            .Result;
        UseRequirement(new MustBeObjectOwnerOrAdminRequirement
        {
-            RequiredRoles = [IdentityRole.Administrator],
+            UserRoles = _sessionUserService.Roles,
-            UserRoles = _sessionUserService.Roles
+            RequiredGuid = vehicles?.Company.Account.Guid,
            UserGuid = _sessionUserService.Guid
        });
    }
 }