Returning 401 on customer details/update actions without being logged in

Sylius · Jul 31, 2019 · c2c28c3 · c2c28c3
1 parent 0afc8bd
commit c2c28c3
Show file tree

Hide file tree

Showing 2 changed files with 8 additions and 0 deletions.
diff --git a/src/Controller/Customer/LoggedInCustomerDetailsAction.php b/src/Controller/Customer/LoggedInCustomerDetailsAction.php
@@ -35,6 +35,10 @@ public function __construct(
 
     public function __invoke(Request $request): Response
     {
+        if (!$this->loggedInShopUserProvider->isUserLoggedIn()) {
+            return $this->viewHandler->handle(View::create(null, Response::HTTP_UNAUTHORIZED));
+        }
+
         $customer = $this->loggedInShopUserProvider->provide()->getCustomer();
         Assert::notNull($customer);
 

diff --git a/src/Controller/Customer/UpdateCustomerAction.php b/src/Controller/Customer/UpdateCustomerAction.php
@@ -54,6 +54,10 @@ public function __construct(
 
     public function __invoke(Request $request): Response
     {
+        if (!$this->loggedInUserProvider->isUserLoggedIn()) {
+            return $this->viewHandler->handle(View::create(null, Response::HTTP_UNAUTHORIZED));
+        }
+
         $validationResults = $this->updateCustomerCommandProvider->validate($request, null, ['sylius_customer_profile_update']);
         if (0 !== count($validationResults)) {
             return $this->viewHandler->handle(View::create(