How do I check that the current user can access an ECommerce order?

Posted by Community Admin on 04-Aug-2018 15:00

How do I check that the current user can access an ECommerce order?

All Replies

Posted by Community Admin on 17-Dec-2013 00:00

I'm developing an MVC module that displays order information and I need to check that the current user is the customer on the order to prevent them from viewing another customer's orders. I've got it working but it seems like a long way around. I've got two questions:
1. How are orders linked to customers and users in the database? There is no foreign key in sf_ec_order but obviously there is a link between them.
2. Is there a better way to verify that the current user is the order customer? Here's what I've got so far:
// orderId is passed to the action
// needs using System.Net; and using System.Web.Mvc; at the top of the controller
var userId = ClaimsManager.GetCurrentUserId();
var userManager = new UserManager();
// GetUser can return null for an anonymous request, so guard before using it
var user = userManager.GetUser(userId);
var customerRetriever = new CustomerRetriever();
// null when the current user has no customer record
var customer = user == null ? null : customerRetriever.GetCustomerOfUser(user);
var ordersManager = new OrdersManager();
// null when no order with that id exists
var order = ordersManager.GetOrder(orderId);
// deny unless the order exists and belongs to the current user's customer
if (order == null || customer == null || order.CustomerId != customer.Id)
{
    // return 403
    return new HttpStatusCodeResult(HttpStatusCode.Forbidden);
}
