
I am fairly new to CakePHP. I am trying to only allow the users who created an event to edit or delete it, so I am comparing the current user id with the 'user_id' field of the current event (saved when a user creates an event). Any help would be appreciated, thanks. My code (Andrew Perk) is as follows:

    public function isAuthorized($user) {
        $this->loadModel('User');
        // Admins may do anything.
        if ($user['role'] == 'admin') {
            return true;
        }
        // Only the creator of an event may edit or delete it.
        if (in_array($this->action, array('edit', 'delete'))) {
            if ($user['id'] != $this->request->data['Event']['user_id']) { // THIS IS THE LINE I FEEL IS WRONG - PLEASE ADVISE
                //echo debug($event['user_id']);
                //$this->Session->setFlash(__('You are not allowed to edit someones event'));
                return false;
            }
        }
        return true;
    }
Joshua
    This question should give you the info you need: http://stackoverflow.com/questions/13259937/best-way-to-filter-access-to-controller-actions-according-to-a-specific-client-i/13260534#13260534 In your case, the user id of your event should be available in $this->request->data['Event']['user_id'] – joshua.paling Nov 18 '12 at 00:07

1 Answer


There are a few ways you can accomplish this. The one I have found that usually works best is to put a callback in the model that will set the user_id for the record you are trying to modify. Then it doesn't have to get all mixed up in the controller everywhere you are trying to CRUD a record.

You can read more about limiting user data here: http://blogchuck.com/2010/06/limit-data-by-user-with-cakephp/

This will also apply to deleting data.

Hope it helps. Happy coding!

Chuck Burgess