
I am still pretty new to Magento, and I was wondering how Magento checks whether a user is logged in on the magento/index.php/sales/order/view/order_id/102/ page.

For example, if a user who is not related to this order tries to go there, he will be redirected to his own order history page. But I can't see this function in either info.php or info.phtml in the sales/order directories (template and block).

I am asking this because I would like to use this feature as well.


2 Answers


The verification is done in the controller. The controller responsible for the order details page is Mage_Sales_OrderController, which extends Mage_Sales_Controller_Abstract. In Mage_Sales_Controller_Abstract there is a method, _canViewOrder, that checks if the order has a visible status and if the order's customer is the same as the logged-in customer:

    protected function _canViewOrder($order)
    {
        // Customer id of the current frontend session (null when not logged in)
        $customerId = Mage::getSingleton('customer/session')->getCustomerId();
        // Order states that are allowed to be shown on the frontend
        $availableStates = Mage::getSingleton('sales/order_config')->getVisibleOnFrontStates();
        if ($order->getId() && $order->getCustomerId() && ($order->getCustomerId() == $customerId)
            && in_array($order->getState(), $availableStates, $strict = true)
            ) {
            return true;
        }
        return false;
    }

    // just call this helper function
    $isLoggedIn = $this->helper('customer')->isLoggedIn();
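
The two answers cover different checks: `isLoggedIn()` only says that some customer is authenticated, while `_canViewOrder()` says that this particular order belongs to that customer. The following added example (not part of either answer and not Magento core code) shows a custom frontend controller applying both. The module name `Acme_OrderNotes`, the controller name and its route are hypothetical; the Magento classes and methods it calls are the core ones named in the first answer.

```php
<?php
// Added example. Acme_OrderNotes / NoteController are hypothetical names
// for a custom module; everything called on Mage_* classes is core API.
class Acme_OrderNotes_NoteController extends Mage_Sales_Controller_Abstract
{
    /**
     * Runs before every action: anonymous visitors are sent to the login
     * page and the requested action is never dispatched.
     */
    public function preDispatch()
    {
        parent::preDispatch();
        $loginUrl = Mage::helper('customer')->getLoginUrl();
        if (!Mage::getSingleton('customer/session')->authenticate($this, $loginUrl)) {
            $this->setFlag('', self::FLAG_NO_DISPATCH, true);
        }
    }

    /**
     * Example URL: <hypothetical frontName>/note/view/order_id/102/
     */
    public function viewAction()
    {
        // Cast to int so only a numeric id reaches the model loader.
        $orderId = (int) $this->getRequest()->getParam('order_id');
        if (!$orderId) {
            $this->_forward('noRoute');
            return;
        }

        $order = Mage::getModel('sales/order')->load($orderId);

        // Being logged in is not enough: the order must belong to the
        // session's customer. _canViewOrder() is inherited from
        // Mage_Sales_Controller_Abstract (the method quoted above).
        if (!$this->_canViewOrder($order)) {
            // Same response for "not yours" and "does not exist", so the
            // redirect does not reveal which order ids are valid.
            $this->_redirect('sales/order/history');
            return;
        }

        Mage::register('current_order', $order);
        $this->loadLayout();
        $this->renderLayout();
    }
}
```

Keeping the ownership check in the controller, as core does, means a block or template that reads `current_order` never receives an order the session's customer does not own.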