
I am really new to CakePHP. I want to know how to restrict the user from opening pages such as Users, for example, when the user changes the URL. Well, I am not good at telling my own problems, so here:

For example: the user id is 1, so when he views his own details it should be something like users/view/1, but I don't want that user to view user #2 when he changes the URL to users/view/2. I hope you understand. Thanks in advance!

2 Answers

The solution can be found via Google: http://www.dereuromark.de/2011/10/05/common-cakephp-problems-and-solutions/

Basically, you get the current id from session:

$uid = $this->Session->read('Auth.User.id');

And compare it against the record you are displaying/editing. If they don't match, you throw a NotAllowedException().

Protip: Don't append the id for edit/view etc. if it's the user's own profile or if it can only be viewed by the owner. The same way you obtain the id above for validation, you can also use this session user id to get the correct record in the first place.

Also, don't put the id into the view (forms) - not even as hidden field - but inject it into the data array prior to saving/validating.

You can also see a current CakePHP 2.4 implementation here - which can also be seen/tested live via the corresponding website.

mark

Assuming you have the currently logged-in user's data stored in a session somewhere, the idea is to compare it against the id passed in the URL.

---- in your UsersController.php

public function view($id = null) {

    // Compare the id from the URL with the logged-in user's id kept in the session.
    // Note: AuthComponent stores it under 'Auth.User.id'; adjust the key to match
    // wherever your login code writes it.
    if ($this->Session->read('User.id') != $id) {

        // cannot continue: refuse the request (a redirect is the alternative)
        throw new ForbiddenException();
    }

    // ... load and display the record for $id here
}
cedric