Home/ Questions/Q 8125499
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-06-06T06:50:21+00:00

Let’s say I have User model and Post model. Post model contains field user_id

  • 0

Let’s say I have User model and Post model. Post model contains field user_id.
User has $hasMany on Post and Post has $belongsTo on User.

I have some post edit action: 

PostsController::edit($id) {
    if($this->request->isPost())
    {
        $this->Post->id = $id;
        $this->Post->save();
    }

    $post = $this->Post->read($id);
    $this->set(compact('post'));
}

I use AuthComponent to login users.

How can I prevent user from editing some1 else post? Is there any cake build in function/option to do this? Because some1 can login and post edit action with any id. It’s not even case of saving the post data – let’s say post is private (only owner should see it) – when someone will call posts/edit/some_id it will see the edit form of this post…

The easier way is to just add this at the beginning of edit action:

$this->Post->id = $id;
if($this->Post->readField('user_id') != $this->Auth->user('id')) 
{ //trigger error or redirect }

But I would have to add this at the beginning of each action that updates/reads any data that belongs to some user. So I am looking for more elegant way to do this.

Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. Editorial Team

    Well there is no way of avoiding adding a line to check if a user is authorized to perform an action. Even if you use ACL (Access Control Lists), which is one of Cake’s most powerful features.

    But as you speak of elegance in general, ACLs will be beauty at its best 🙂 Careful though, they’ve got a steep learning curve. Don’t give up easy, its well worth it.

    You should see ACLs from the Book http://book.cakephp.org/1.3/view/1543/Simple-Acl-controlled-Application

    • 0