>
> Well if it's a HABTM on a user, wouldn't it only grab comments by that
> user anyways?
The OP wants to ensure that a person cannot edit other people's
comments. An edit action needn't fetch every comment by a particular
User, only the one for the ID that was passed in. Without some check
it would be trivial to edit others' comments by simply adding whatever
ID to the edit URL. The solution is to fetch the Comment data based on
the ID and then compare to the User.id in the session. If it matches,
display the form; if not, do whatever.
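
The check described in the reply above, as an added example in plain PHP that is not part of the original post and not CakePHP's own code. The array standing in for the comments table, the function name `checkCommentEdit` and the status strings are assumptions made for illustration; in a controller the same decision would run in the edit action before the form is displayed.

```php
<?php
// Constructed sample data standing in for the comments table (hypothetical schema).
$comments = [
    1 => ['id' => 1, 'user_id' => 10, 'body' => 'First comment'],
    2 => ['id' => 2, 'user_id' => 20, 'body' => 'Second comment'],
    3 => ['id' => 3, 'user_id' => null, 'body' => 'Orphaned comment'],
];

/**
 * Decide whether the logged-in user may edit the comment with the given ID.
 * Returns 'ok', 'not_logged_in', 'not_found' or 'forbidden'.
 */
function checkCommentEdit(array $comments, $commentId, $sessionUserId): string
{
    // No user in the session: refuse before looking anything up. Without this,
    // a null session ID would loosely equal the null owner of comment 3.
    if ($sessionUserId === null || $sessionUserId === '') {
        return 'not_logged_in';
    }
    // The ID comes from the URL, so treat it as untrusted input.
    if (!ctype_digit((string) $commentId)) {
        return 'not_found';
    }
    // Fetch only the one comment for the ID that was passed in.
    $comment = $comments[(int) $commentId] ?? null;
    if ($comment === null) {
        return 'not_found';
    }
    // Compare the comment's owner to the session user as integers with !==.
    if ($comment['user_id'] === null
        || (int) $comment['user_id'] !== (int) $sessionUserId) {
        return 'forbidden';
    }
    return 'ok'; // Safe to display the edit form.
}

// Constructed cases: [description, comment ID from URL, User.id from session]
$cases = [
    ['owner edits own comment', '1', 10],
    ['user 10 requests comment 2', '2', 10],
    ['no session user, orphaned comment', '3', null],
    ['non-numeric ID', '2abc', 10],
    ['ID that does not exist', '99', 10],
];
foreach ($cases as [$label, $id, $userId]) {
    printf("%-36s => %s\n", $label, checkCommentEdit($comments, $id, $userId));
}
```

The same check has to run again when the form is submitted, since the ID arrives from the client on that request as well.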