Vendor's account can access all products unfiltered

4 years ago
I searched and I think this topic hasn't been posted.
Right now, I'm using nopCommerce 3.70.

Description:
A customer with the vendor role is able to get access (create, update, delete) to all products (bypassing the vendorId condition), as described below:
(currently _workContext.CurrentVendor is null)

//a vendor should have access only to his products
if (_workContext.CurrentVendor != null)
{
    model.SearchVendorId = _workContext.CurrentVendor.Id;
}


As I debugged, this issue only occurred with a customer account which has been granted the vendor role (applying as vendor step)
but with an inactive vendor account (still newly added).
Here is a piece of code which I think is the cause:
(look at the last if condition)

In WebWorkContext.cs:
public virtual Vendor CurrentVendor
{
    get
    {
        if (_cachedVendor != null)
            return _cachedVendor;

        var currentCustomer = this.CurrentCustomer;
        if (currentCustomer == null)
            return null;

        var vendor = _vendorService.GetVendorById(currentCustomer.VendorId);

        //validation
        if (vendor != null && !vendor.Deleted && vendor.Active)
            _cachedVendor = vendor;

        return _cachedVendor;
    }
}


This will not occur once the vendor has been activated.
But still, if an admin forgets to activate the vendor account, the problem will arise.
I haven't tried other conditions (deleted vendor) & (customer (vendor's role) with no vendor account).
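
The fail-open behaviour described in the post above, as an added example that is not part of the original thread or nopCommerce's own code. The simplified types (`Vendor`, `Product`, `Customer`, `HasVendorRole`) and the sample data are assumptions, and the fail-closed variant is one possible mitigation, not the project's actual fix.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;

// Simplified stand-ins for the nopCommerce entities (hypothetical, not the project's classes).
record Vendor(int Id, bool Active, bool Deleted);
record Product(string Name, int VendorId);
record Customer(bool HasVendorRole, int VendorId);

static class Demo
{
    // Constructed sample data: vendor 2 exists but has not been activated yet.
    static readonly List<Vendor> Vendors = new List<Vendor> { new Vendor(1, true, false), new Vendor(2, false, false) };
    static readonly List<Product> Products = new List<Product>
        { new Product("A", 1), new Product("B", 1), new Product("C", 2), new Product("D", 0) };

    // Same validation as the CurrentVendor getter: inactive or deleted vendors resolve to null.
    static Vendor CurrentVendor(Customer c) =>
        Vendors.FirstOrDefault(v => v.Id == c.VendorId && !v.Deleted && v.Active);

    // Fail-open: a null vendor means "no filter", so the caller sees every product.
    static List<Product> ListFailOpen(Customer c)
    {
        var vendor = CurrentVendor(c);
        return Products.Where(p => vendor == null || p.VendorId == vendor.Id).ToList();
    }

    // Fail-closed: a vendor-role customer without a valid vendor record sees nothing.
    static List<Product> ListFailClosed(Customer c)
    {
        var vendor = CurrentVendor(c);
        if (c.HasVendorRole && vendor == null)
            return new List<Product>();
        return Products.Where(p => vendor == null || p.VendorId == vendor.Id).ToList();
    }

    static void Main()
    {
        var pending = new Customer(HasVendorRole: true, VendorId: 2);  // role granted, vendor not activated
        var active = new Customer(HasVendorRole: true, VendorId: 1);   // role granted, vendor active
        var admin = new Customer(HasVendorRole: false, VendorId: 0);   // no vendor role, unfiltered by design
        Console.WriteLine($"pending vendor, fail-open:   {ListFailOpen(pending).Count} products");
        Console.WriteLine($"pending vendor, fail-closed: {ListFailClosed(pending).Count} products");
        Console.WriteLine($"active vendor:               {ListFailClosed(active).Count} products");
        Console.WriteLine($"admin without vendor role:   {ListFailClosed(admin).Count} products");
    }
}
```
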
4 years ago
waltz4dmoon wrote:
As I debugged, this issue only occurred with a customer account which has been granted the vendor role (applying as vendor step) ...

I presume you've customized your solution to do it. But a customer is NOT added to a vendor customer role when applying to a vendor account out of the box.
4 years ago
No, I haven't modified the solution before.

My understanding of the [apply for vendor account] workflow is:
1. A customer applies for vendor
2. Then an admin will approve the application by assigning the customer the vendor role
3. And then activate the newly associated vendor account in customer > vendor
CMIIW

This issue happens not after the customer applies for the vendor account (step 1),
but rather after the admin approves the application by assigning the customer the vendor role (step 2) but forgets to activate the vendor account (step 3).
4 years ago
waltz4dmoon wrote:
but forgets to activate the vendor account (step 3).

I see now. A store owner should not forget to activate a vendor account!

But I got you. It'll require some investigation to find out a better solution. I've just created a work item. Thanks!
3 years ago
Fixed. Please see this commit
3 years ago
thanks