Block Unauthorized Access to Orders
The Order Preferences Storefront Order Access Allowlist, released in 24.5 in test mode, is fully functional and available to your storefront in Production. When the Allowlist is enabled, storefront access to orders without a matching customer ID is blocked unless the accessing controller is included on the Allowlist. If you aren’t yet limiting Storefront Order Access at all, enable the Allowlist feature on the Limit Storefront Order Access setting.
When: Starting with B2C Commerce 24.8 release.
Why: This feature enhances security by ensuring that the customer ID of the current session is identical to the customer ID used to create the order being accessed.
How: In . Set the Limit Storefront Order Access dropdown to Allowlist. Enter the allowed storefront controllers as a comma-separated list. Attempts to fetch order information by controllers or hooks that aren’t on the Allowlist are blocked from storefront access if the customer ID of the current session isn’t identical to the customer ID used to create the order. Controllers and hooks not listed on the Allowlist are blocked from storefront order access. If you don’t change the Limit Storefront Order Access setting to Allowlist, you won’t experience any change from this feature.

