package org.broadleafcommerce.core.web.controller.account;

import javax.servlet.http.HttpServletRequest;
import org.broadleafcommerce.core.order.domain.Order;
import org.broadleafcommerce.core.order.service.type.OrderStatus;
import org.broadleafcommerce.profile.core.domain.Customer;
import org.broadleafcommerce.profile.web.core.CustomerState;
import org.springframework.beans.factory.annotation.Value;
import org.springframework.ui.Model;

/* loaded from: input_file:org/broadleafcommerce/core/web/controller/account/BroadleafOrderHistoryController.class */
public class BroadleafOrderHistoryController extends AbstractAccountController {

    /**
     * Toggle for the ownership check in {@link #validateCustomerOwnedData(Order)}.
     * Bound to {@code validate.customer.owned.data}, defaulting to {@code true}.
     *
     * SECURITY: setting this property to {@code false} removes the only authorization
     * check in this controller, so {@link #viewOrderDetails} would then render any order
     * to anyone who knows (or guesses) its order number. Leave it enabled in production.
     */
    @Value("${validate.customer.owned.data:true}")
    protected boolean validateCustomerOwnedData;

    /** View rendered for the order list. */
    protected static String orderHistoryView = "account/orderHistory";
    /** View rendered for a single order when the request is AJAX. */
    protected static String orderDetailsView = "account/partials/orderDetails";
    /** View rendered for a single order on a non-AJAX request (currently the same partial as {@link #orderDetailsView}). */
    protected static String orderDetailsRedirectView = "account/partials/orderDetails";

    /**
     * Lists the active customer's orders in {@link OrderStatus#SUBMITTED} status.
     *
     * The customer is taken from {@link CustomerState}, never from the request, so the
     * list is scoped server-side; how the service treats a {@code null} customer
     * (no active session) is defined outside this file.
     *
     * @param httpServletRequest current request (unused here)
     * @param model              receives the {@code orders} attribute
     * @return the order history view name
     */
    public String viewOrderHistory(HttpServletRequest httpServletRequest, Model model) {
        Customer activeCustomer = CustomerState.getCustomer();
        model.addAttribute("orders",
                this.orderService.findOrdersForCustomer(activeCustomer, OrderStatus.SUBMITTED));
        return getOrderHistoryView();
    }

    /**
     * Renders one order, looked up by its order number, after verifying the active
     * customer owns it.
     *
     * The order number is untrusted client input. Two different failure types are raised:
     * {@link IllegalArgumentException} when no order has that number, and
     * {@link SecurityException} when the order exists but belongs to someone else. A caller
     * that can observe which one occurred can therefore distinguish valid order numbers
     * from invalid ones; whether this is exposed depends on exception handling configured
     * outside this class, so make sure both map to the same client-visible response.
     *
     * @param httpServletRequest current request, used only to detect AJAX
     * @param model              receives the {@code order} attribute
     * @param str                the order number to look up (untrusted)
     * @return the AJAX partial or the full view name
     * @throws IllegalArgumentException if no order matches {@code str}
     * @throws SecurityException        if the active customer does not own the order
     */
    public String viewOrderDetails(HttpServletRequest httpServletRequest, Model model, String str) {
        Order order = this.orderService.findOrderByOrderNumber(str);
        if (order == null) {
            throw new IllegalArgumentException("The orderNumber provided is not valid");
        }
        // Authorization: must run before the order is exposed on the model.
        validateCustomerOwnedData(order);
        model.addAttribute("order", order);
        if (isAjaxRequest(httpServletRequest)) {
            return getOrderDetailsView();
        }
        return getOrderDetailsRedirectView();
    }

    /** @return the view name used by {@link #viewOrderHistory} */
    public String getOrderHistoryView() {
        return orderHistoryView;
    }

    /** @return the view name used for AJAX order-detail requests */
    public String getOrderDetailsView() {
        return orderDetailsView;
    }

    /** @return the view name used for non-AJAX order-detail requests */
    public String getOrderDetailsRedirectView() {
        return orderDetailsRedirectView;
    }

    /**
     * Ownership check guarding object-level access to an order.
     *
     * Rules, when {@link #validateCustomerOwnedData} is enabled:
     * <ul>
     *   <li>an active customer must {@code equals} the order's customer;</li>
     *   <li>with no active customer, the order must have no customer either.</li>
     * </ul>
     * Consequently an order with no customer is viewable by any anonymous caller who
     * knows its number — acceptable only if order numbers are unguessable. What
     * {@code Customer.equals} compares is defined outside this file; confirm it is
     * identity-based (e.g. id) rather than something a user can influence.
     *
     * When the toggle is disabled the method is a no-op and no authorization happens.
     *
     * @param order the order about to be exposed; must not be {@code null}
     * @throws SecurityException if the active customer does not own {@code order}
     */
    protected void validateCustomerOwnedData(Order order) {
        if (!this.validateCustomerOwnedData) {
            return;
        }
        Customer activeCustomer = CustomerState.getCustomer();
        Customer owner = order.getCustomer();
        boolean notOwner;
        if (activeCustomer == null) {
            // Anonymous session: only an ownerless order is permitted.
            notOwner = owner != null;
        } else {
            notOwner = !activeCustomer.equals(owner);
        }
        if (notOwner) {
            throw new SecurityException("The active customer does not own the object that they are trying to view, edit, or remove.");
        }
    }
}
