

How do I check that the current user can access an ECommerce order?

1 posts, 0 answered
  1. Jamie
    25 posts
    Registered: 07 Aug 2012
    17 Dec 2013
    I'm developing an MVC module that displays order information and I need to check that the current user is the customer on the order to prevent them from viewing another customer's orders. I've got it working but it seems like a long way around. I've got two questions:
    1. How are orders linked to customers and users in the database? There is no foreign key in sf_ec_order but obviously there is a link between them.
    2. Is there a better way to verify that the current user is the order customer? Here's what I've got so far:
    // orderId is passed to the action
    var userId = ClaimsManager.GetCurrentUserId();
    var userManager = new UserManager();
    var user = userManager.GetUser(userId);
    var customerRetriever = new CustomerRetriever();
    var customer = customerRetriever.GetCustomerOfUser(user);
    var ordersManager = new OrdersManager();
    var order = ordersManager.GetOrder(orderId);
    if (order.CustomerId != customer.Id)
    {
        // return 403
    }
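
Added example, not part of the original post and not Sitefinity code: the same ownership check written to fail closed when the user has no customer record or the order does not exist, cases in which the snippet above would throw instead of denying. `OrderRecord`, `OrderAccessCheck` and the two lookup delegates are hypothetical stand-ins for the manager calls in the post, and treating `Guid.Empty` as "no authenticated user" is an assumption.

```csharp
using System;
using System.Collections.Generic;

public enum OrderAccess { Allowed, Unauthenticated, Denied }

// Hypothetical stand-in for the order entity; only the fields the check reads.
public sealed class OrderRecord { public Guid Id; public Guid CustomerId; }

public static class OrderAccessCheck
{
    // customerIdOfUser returns null when the user has no customer record;
    // findOrder returns null when no order has that id (both hypothetical).
    public static OrderAccess Decide(Guid userId, Guid orderId,
        Func<Guid, Guid?> customerIdOfUser, Func<Guid, OrderRecord> findOrder)
    {
        // Assumption: an empty id means nobody is logged in.
        if (userId == Guid.Empty) return OrderAccess.Unauthenticated;

        Guid? customerId = customerIdOfUser(userId);
        if (customerId == null || customerId.Value == Guid.Empty) return OrderAccess.Denied;

        // A missing order and someone else's order get the same answer, so the
        // response does not reveal which order ids exist.
        OrderRecord order = findOrder(orderId);
        if (order == null || order.CustomerId != customerId.Value) return OrderAccess.Denied;

        return OrderAccess.Allowed;
    }

    public static void Main()
    {
        // Constructed sample data: two users with customers, one without.
        Guid alice = Guid.NewGuid(), aliceCustomer = Guid.NewGuid();
        Guid bob = Guid.NewGuid(), bobCustomer = Guid.NewGuid();
        Guid newUser = Guid.NewGuid();
        var customers = new Dictionary<Guid, Guid> { { alice, aliceCustomer }, { bob, bobCustomer } };
        var order = new OrderRecord { Id = Guid.NewGuid(), CustomerId = aliceCustomer };
        var orders = new Dictionary<Guid, OrderRecord> { { order.Id, order } };

        Func<Guid, Guid?> customerOf = u => customers.TryGetValue(u, out var c) ? c : (Guid?)null;
        Func<Guid, OrderRecord> find = id => orders.TryGetValue(id, out var o) ? o : null;

        Console.WriteLine("owner:       " + Decide(alice, order.Id, customerOf, find));
        Console.WriteLine("other user:  " + Decide(bob, order.Id, customerOf, find));
        Console.WriteLine("no customer: " + Decide(newUser, order.Id, customerOf, find));
        Console.WriteLine("bad order:   " + Decide(alice, Guid.NewGuid(), customerOf, find));
        Console.WriteLine("anonymous:   " + Decide(Guid.Empty, order.Id, customerOf, find));
    }
}
```

In an MVC action the `Denied` result maps to the 403 the post returns, or to a 404 if the site prefers not to confirm that an order id exists.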