Saturday, March 28, 2009

Re: Best Practise: Protecting against unallowed save()

First make sure the thing you are saving has a foreign key with the
user id associated with it.
I usually would deny access with the Auth component to the action that
I don't want a non-logged-in user to use.

Simple ACL to check if the record belongs to the current logged-in user:

Put some kind of check in your action to read the user_id of the
record you are about to load. If it fails, use Cake's redirect
function to redirect the user to a location of some kind. If it passes,
allow the record to be displayed.

i.e.

function read($id = null)
{
    $this->Model->id = $id; // gets id of item from url parameter
    $auth_id = $this->Auth->user('id'); // make sure your controller is
                                        // using Auth or this won't work
    $record = $this->Model->read(); // reads record

    // record missing or owned by someone else: send the user elsewhere
    if (empty($record) || $record['Model']['user_id'] != $auth_id) {
        $this->redirect('/'); // pick whatever location suits your app
    }
    $this->set('record', $record); // passes the record to the view
}

On Mar 27, 9:05 pm, Aurelius <aurel...@temporaryinbox.com> wrote:
> I'm working about 2 months with Cake, but it's my first bigger app.
> I want to write my own security function which would check before each
> save() if the saved model is associated with the logged-in user. What
> would be the best way to do that?
>
> My ideas till now:
> a beforeSave() function in AppModel:
>   + DRY
>   + relatively secure
>   - if I use more than one save() it's inefficient (I have up to 8 on
> one page)
>   - I don't have a clue how I can check newly created ones with no id
>
> a beforeSave() in each Model:
>  - even more crappy than above
>
> a validation function in the controller
>  - not DRY
>  - more code
>  + could work with already read data
>
> I believe that there must be more people out there with the same
> problem; are there any finished solutions?
>
> Any Ideas or thoughts are welcome!
>
> thx
> Aurelius
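One way to do the AppModel::beforeSave() check the original poster asks about, covering both existing records and the newly created ones with no id, written here as an added example for CakePHP 1.2 rather than code from the thread. It assumes every protected table has a user_id column and that AppController publishes the logged-in user's id under the Configure key 'Auth.userId' (an assumed key, not a Cake convention).

```php
<?php
// Added example (not from the thread): ownership check in AppModel::beforeSave()
// for CakePHP 1.2. Assumes every protected table has a user_id column and that
// AppController publishes the logged-in user's id under the Configure key
// 'Auth.userId' (an assumed key, not a Cake convention).

class AppController extends Controller {
    var $components = array('Auth');

    function beforeFilter() {
        // Runs once per request, so every model, including associated ones
        // reached through saveAll(), sees the same user id. null = not logged in.
        Configure::write('Auth.userId', $this->Auth->user('id'));
    }
}

class AppModel extends Model {
    function beforeSave() {
        // Tables without a user_id column are not owned by anyone; allow.
        if (!$this->hasField('user_id')) {
            return true;
        }
        $userId = Configure::read('Auth.userId');
        if (empty($userId)) {
            return false; // never write owned records anonymously
        }
        // Model::set() already copied the primary key from $this->data into
        // $this->id, so exists() tells updates apart from new records.
        if (!empty($this->id) && $this->exists()) {
            // Existing record: the owner stored in the database decides, not
            // whatever user_id the submitted form may claim.
            $owner = $this->field('user_id',
                array($this->alias . '.' . $this->primaryKey => $this->id));
            if ($owner != $userId) {
                return false; // abort the save: record belongs to someone else
            }
        }
        // New record (or a permitted update): force ownership to the current
        // user so a tampered form cannot assign or transfer the record.
        $this->data[$this->alias]['user_id'] = $userId;
        return true;
    }
}
```

Because the check lives in the model it covers every save() and saveAll() without per-controller code; a denied save returns false, which the controller should handle like a failed validation.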
