diff --git a/app/policies/cart_policy.rb b/app/policies/cart_policy.rb
index 66ca3865d..bfdc32574 100644
--- a/app/policies/cart_policy.rb
+++ b/app/policies/cart_policy.rb
@@ -3,7 +3,7 @@
 # Check the access policies for API::CartController
 class CartPolicy < ApplicationPolicy
   def create?
-    true
+    !Setting.get('store_hidden') || user&.privileged?
   end
 
   %w[add_item remove_item set_quantity refresh_item validate].each do |action|