Restrict access to orders page on Marketpress

Marketpress displays the order status and shipping information to anyone, even to people who are not logged in.

http://www.theubercloud.com:8880/store/order-status/d047654815af/

How do I secure this link so that:
1. If you are not logged in you simply get a message saying you need to log in.
2. If you are logged in, you can only see the orders that are yours.

Thank you.

  • Vinod Dalvi

    Hi @Burak,

    I hope you are well today and thank you for your question.

    1. If you are not logged in you simply get a message saying you need to log in.

    2. If you are logged in, you can only see the orders that are yours.

    To achieve this, try adding the following code to the functions.php file of your child theme.

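    function custom_mp_order_status($content, $order){
    
    	// Visitors who are not logged in never see order details.
    	if( ! is_user_logged_in() ){
    		return "You must be logged in to view this page.";
    	}
    
    	$user_id = get_current_user_id();
    
    	if ( $user_id ) {
    
    		global $wp_query;
    		// The order ID comes from the permalink query var or from ?order_id=...
    		$order_id = isset($wp_query->query_vars['order_id']) ? $wp_query->query_vars['order_id'] : (isset($_GET['order_id']) ? $_GET['order_id'] : '');
    
    		if( !empty($order_id) ){
    			if (is_multisite()) {
    					global $blog_id;
    					$meta_id = 'mp_order_history_' . $blog_id;
    			} else {
    					$meta_id = 'mp_order_history';
    			}
    			// get_user_meta() returns '' when the user has no order history yet.
    			$orders = get_user_meta($user_id, $meta_id, true);
    
    			$is_current_user_order = false;
    			if ( is_array($orders) && is_scalar($order_id) ) {
    				// $user_order avoids overwriting the $order argument of the filter.
    				foreach ($orders as $user_order) {
    					// Strict string comparison avoids PHP's numeric-string juggling with ==.
    					if( isset($user_order['id']) && (string) $user_order['id'] === (string) $order_id ){
    						$is_current_user_order = true;
    						break;
    					}
    				}
    			}
    
    			if( !$is_current_user_order ){
    				return "You can only search your own orders.";
    			}
    		}
    	} else{
    		return "Error in getting current user ID.";
    	}
    
    	return $content;
    }
    add_filter('mp_order_status', 'custom_mp_order_status', 10, 2);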

    Cheers,
    Vinod Dalvi
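
The ownership check from the reply above, isolated so it runs without WordPress. This is an added example, not part of the original post or of MarketPress: `user_owns_order` and the sample order IDs are constructed for illustration, and `$history` stands in for the value returned by `get_user_meta()`.

```php
<?php
/**
 * Return true only if $order_id appears in the user's own order history.
 * Hypothetical helper for illustration; not a MarketPress function.
 */
function user_owns_order($history, $order_id): bool
{
    // get_user_meta(..., true) returns '' when the key is missing, and
    // ?order_id[]=x arrives as an array: treat both as "not the owner".
    if (!is_array($history) || !is_string($order_id) || $order_id === '') {
        return false;
    }
    foreach ($history as $entry) {
        // Strict string comparison: with ==, PHP compares numeric-looking
        // strings as numbers, so '0e1234567890' == '0e9999999999' is true.
        if (is_array($entry) && isset($entry['id'])
            && (string) $entry['id'] === $order_id) {
            return true;
        }
    }
    return false;
}

// Constructed sample history (not real order IDs).
$alice_history = [
    ['id' => '0e1234567890'],
    ['id' => 'a1b2c3d4e5f6'],
];

// label => [history, requested order ID, expected result]
$cases = [
    'own order'                => [$alice_history, 'a1b2c3d4e5f6', true],
    'another user\'s order'    => [$alice_history, 'ffffffffffff', false],
    'numeric-looking other ID' => [$alice_history, '0e9999999999', false],
    'user with no order meta'  => ['', 'a1b2c3d4e5f6', false],
    'array passed as order_id' => [$alice_history, ['a1b2c3d4e5f6'], false],
];

foreach ($cases as $label => [$history, $order_id, $expected]) {
    $got = user_owns_order($history, $order_id);
    printf("%-26s %s\n", $label, $got === $expected ? 'ok' : 'MISMATCH');
}
```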

  • Burak

    Works very well. You are a magician :)

    One quick comment, and this is only useful for newbies. I saw your response through my email client. Being super excited and not careful, I copied the code from my email and updated my functions.php with it. Well, you guessed it right: my email client applied encoding to all special characters and as a result I crashed the whole site.

    Luckily I am experienced enough to know I need to do this sort of thing only on my test site, and I know how to use VI to get out of this problem in 15 seconds. But a newbie would be in panic if he crashed his site like I did. Could you include a comment somewhere on the forums to alert people not to use code through emails and always return to the forum to copy the code? You have it nicely formatted here on the forum and there is no chance of screwing it up.

    Thanks!
