Let me answer your question in two parts:
1. Constraining to the current user: this can be done using XPath, where you constrain the orderlines to those which are related to orders of the customer. For example:
This constraint can be added in two locations:
- At page (list widget) => constrains only the displayed orderlines, not really secure
- At security (access rule) => constrains all requests, really secure
2. Secondly, I shouldn't use the orderline entity directly for the shopping cart. I would model it as a "shadow" entity, a copy of order-orderline -> shopingchart-shoppingchartline
That separates the process of shopping from actually placing an order.
As an example, the following domain model: