Merge pull request PrestaShop#35530 from Hlavtox/fix-invoice-download

Fix invoice download for non logged in customer

controllers/front/PdfInvoiceController.php

@@ -41,10 +41,12 @@ class PdfInvoiceControllerCore extends FrontController
 
     public function postProcess()
     {
+        // If the customer is not logged in AND no secure key was passed
         if (!$this->context->customer->isLogged() && !Tools::getValue('secure_key')) {
             Tools::redirect('index.php?controller=authentication&back=pdf-invoice');
         }
 
+        // If built-in invoicing is disabled
         if (!(int) Configuration::get('PS_INVOICE')) {
             die($this->trans('Invoices are disabled in this shop.', [], 'Shop.Notifications.Error'));
         }
@@ -54,11 +56,14 @@ public function postProcess()
             $order = new Order((int) $id_order);
         }
 
+        // If the order doesn't exist
         if (!isset($order) || !Validate::isLoadedObject($order)) {
             die($this->trans('The invoice was not found.', [], 'Shop.Notifications.Error'));
         }
 
-        if ((isset($this->context->customer->id) && $order->id_customer != $this->context->customer->id) || (Tools::isSubmit('secure_key') && $order->secure_key != Tools::getValue('secure_key'))) {
+        // Check if the user is not trying to download an invoice of an order of different customer
+        // Either the ID of the customer in context must match the customer in order OR a secure_key matching the one on the order must be provided
+        if ((isset($this->context->customer->id) && $order->id_customer != $this->context->customer->id) && (Tools::isSubmit('secure_key') && $order->secure_key != Tools::getValue('secure_key'))) {
             die($this->trans('The invoice was not found.', [], 'Shop.Notifications.Error'));
         }