Исправлен NPE в AccountOwner

common/rbac/rules/AccountOwner.php

@@ -30,7 +30,10 @@ class AccountOwner extends Rule {
         }
 
         $identity = Yii::$app->user->findIdentityByAccessToken($accessToken);
-        /** @noinspection NullPointerExceptionInspection это исключено, т.к. уже сработал authManager */
+        if ($identity === null) {
+            return false;
+        }
+
         $account = $identity->getAccount();
         if ($account === null) {
             return false;

tests/codeception/common/unit/rbac/rules/AccountOwnerTest.php

@@ -12,6 +12,16 @@ use const common\LATEST_RULES_VERSION;
 
 class AccountOwnerTest extends TestCase {
 
+    public function testIdentityIsNull() {
+        $component = mock(Component::class . '[findIdentityByAccessToken]', [['secret' => 'secret']]);
+        $component->shouldDeferMissing();
+        $component->shouldReceive('findIdentityByAccessToken')->andReturn(null);
+
+        Yii::$app->set('user', $component);
+
+        $this->assertFalse((new AccountOwner())->execute('some token', new Item(), ['accountId' => 123]));
+    }
+
     public function testExecute() {
         $rule = new AccountOwner();
         $item = new Item();