Right now, i'm using nopCommerce 3.70.
An Customer with vendor role is able to get access (create, update delete) to all products (bypassing the vendorId condition) as described below :
(currently _workContext.CurrentVendor is null)
//a vendor should have access only to his products
if (_workContext.CurrentVendor != null)
model.SearchVendorId = _workContext.CurrentVendor.Id;
As i debug, this issue only occurred to customer account which has been granted vendor role (applying as vendor step)
but with inactive vendor's account (still newly added).
Here is a piece of code where i think is the cause :
(look at the last if condition)
public virtual Vendor CurrentVendor
if (_cachedVendor != null)
var currentCustomer = this.CurrentCustomer;
if (currentCustomer == null)
var vendor = _vendorService.GetVendorById(currentCustomer.VendorId);
if (vendor != null && !vendor.Deleted && vendor.Active)
_cachedVendor = vendor;
This will not occurred once the vendor has been activated.
But still, if an admin forgot to activated the vendor account, the problem will rise.
Haven't try with other conditions (deleted vendor) & (customer (vendor's role) with no vendor account)