My application uses ACL and Auth. Every user should be able to edit
his own profile. For this I check on every request whether the
currently logged in user is the same as the one whose ID was submitted
in the URL (users/edit/123).
The following method existed in the app since early CakePHP 1.2.x
days...
    function _userIsSelfOrSuperuser() {
        if ($this->isSuperuser()) {
            return true;
        } else {
            $this->User->read();
            if (!empty($this->User->data)) {
                $user = $this->Auth->user();
                return $user['User']['id'] == $this->User->data['User']['id'];
            } else {
                return false;
            }
        }
    }
Sadly, it doesn't work anymore on CakePHP 1.3.5 (I don't know if it
*ever* worked, it's not my app).
I guess the problem is the $this->User->read() line: this one does
absolutely nothing, because $this->User->id is not set. Maybe in
earlier versions this ID was set automatically when an ID was submitted
through the URL (123)?
My question: how should I fix this? I could do
    $this->User->id = $this->params['passed'][0];
because the user's ID should usually be the first unnamed passed
parameter... but this looks very awkward to me, and when requesting
users/index the param isn't even populated.
So I guess there's a cleaner way to solve this? Maybe there's
something like
    $this->User->id = $this->idOfTheObjectThatWasSubmitForEditOrAdd();
or something...? ;-)
Thanks a lot for your help, guys!
Josh
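
An added example (not part of Josh's post and not CakePHP's own code) of the self-or-superuser check written so that it fails closed: a missing or malformed ID, as on users/index, denies access instead of falling through. It is plain PHP with hypothetical function names; the caller supplies the logged-in user array, the passed URL parameters and the superuser flag.

```php
<?php
// Added example, not from the original post. Plain PHP with no CakePHP calls:
// the caller passes in the logged-in user array, the passed URL parameters
// and the superuser flag. All function and variable names are hypothetical.

/**
 * Return the target user ID from the passed URL parameters, or null when it is
 * absent or not a plain positive integer (e.g. users/index has no ID).
 */
function targetUserId($passed)
{
    if (!is_array($passed) || !isset($passed[0])) {
        return null;
    }
    $raw = is_int($passed[0]) ? (string) $passed[0] : $passed[0];
    // ctype_digit() rejects "123abc", "-1", "1e3", " 123" and the empty string.
    if (!is_string($raw) || !ctype_digit($raw)) {
        return null;
    }
    $id = (int) $raw;
    return $id > 0 ? $id : null;
}

/**
 * True only for a superuser, or when the logged-in user's ID equals the
 * requested ID. Every missing or malformed input denies access.
 */
function userIsSelfOrSuperuser($authUser, $passed, $isSuperuser)
{
    if ($isSuperuser === true) {
        return true;
    }
    $targetId = targetUserId($passed);
    if ($targetId === null || !isset($authUser['User']['id'])) {
        return false;
    }
    $ownId = targetUserId(array($authUser['User']['id']));
    // Both sides are validated integers, so strict comparison is safe here.
    return $ownId !== null && $ownId === $targetId;
}

// Constructed sample inputs.
$me = array('User' => array('id' => '123'));
var_dump(userIsSelfOrSuperuser($me, array('123'), false));    // own profile
var_dump(userIsSelfOrSuperuser($me, array('124'), false));    // someone else
var_dump(userIsSelfOrSuperuser($me, array(), false));         // users/index
var_dump(userIsSelfOrSuperuser($me, array('123abc'), false)); // malformed
```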