Using CakePHP 2.2, I am building an application in which each client has its own “realm” of data and none of the other data is visible to them. For example, a client has his set of users, courses, contractors and jobs. Groups are shared among clients, but they cannot perform actions on groups. All clients can do with groups is assign them to users. So, an administrator (using ACL) can only manage data from the same client id.
All my objects (except groups, of course) have the client_id key.
Now, I know one way to get this done and actually having it working well, but it seems a bit dirty and I’m wondering if there is a better way. Being early in the project and new to CakePHP, I’m eager to get it right.
This is how I’m doing it now:
1- A user logs in. His client_id is written to session according to the data from the user’s table.
    $user = $this->User->read(null, $this->Auth->user('id'));
    $this->Session->write('User.client_id', $user['User']['client_id']);
2- In AppController, I have a protected function that compares that session id to a given parameter.
    // Returns true when $client_id matches the logged-in user's client;
    // otherwise sets a flash message and redirects to the home action.
    protected function clientCheck($client_id) {
        if ($this->Session->read('User.client_id') == $client_id) {
            return true;
        } else {
            $this->Session->setFlash(__('Invalid object or view.'));
            $this->redirect(array('controller' => 'user', 'action' => 'home'));
        }
    }
3- In my different index actions (each index, each relevant controller), I check the client_id using a paginate condition.
    public function index() {
        $this->User->recursive = 0;
        // Only list rows that belong to the logged-in user's client.
        $this->paginate = array(
            'conditions' => array('User.client_id' => $this->Session->read('User.client_id'))
        );
        $this->set('users', $this->paginate());
    }
4- In other actions, I check the client_id before checking the HTTP request type this way.
    $user = $this->User->read(null, $id);
    $this->clientCheck($user['User']['client_id']);
    $this->set('user', $user);
The concept is good – it’s not ‘dirty’, and it’s pretty much exactly the same as how I’ve handled situations like that.
You’ve just got a couple of lines of redundant code. First:
That method can actually get any field for the logged in user, so you can do:
So your two lines:
Aren’t needed. You don’t need to re-read the User, or write anything to the session – just grab the client_id directly from Auth any time you need it.
In fact, if you read http://book.cakephp.org/2.0/en/core-libraries/components/authentication.html#accessing-the-logged-in-user it even says you can get it from outside the context of a controller, using the static method like:
Though it doesn’t seem you’ll be needing that.
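The answer's point applied to steps 3 and 4 of the question, as an added example that is not code from the question or the answer: the client_id comes from Auth and is put into the query itself, so a record owned by another client is never loaded. The helper name findForClient() and the UsersController class name are assumptions, and in a real app each class lives in its own file.

```php
<?php
// Added example; findForClient() is a hypothetical helper name.
App::uses('Controller', 'Controller');

class AppController extends Controller {

    public $components = array('Session', 'Auth');

    /**
     * Load one record only if it belongs to the logged-in user's client.
     * The client_id condition is part of the query, so a row owned by
     * another client is indistinguishable from a missing id.
     */
    protected function findForClient(Model $model, $id) {
        $clientId = $this->Auth->user('client_id');
        if ($clientId === null) {
            // No client on the logged-in user: refuse instead of matching NULL.
            throw new ForbiddenException(__('Invalid object or view.'));
        }
        $record = $model->find('first', array(
            'conditions' => array(
                $model->alias . '.' . $model->primaryKey => $id,
                $model->alias . '.client_id' => $clientId,
            ),
        ));
        if (empty($record)) {
            throw new NotFoundException(__('Invalid object or view.'));
        }
        return $record;
    }
}

// Assumed controller name; replaces read() followed by clientCheck().
class UsersController extends AppController {

    public function view($id = null) {
        $this->set('user', $this->findForClient($this->User, $id));
    }

    public function index() {
        $this->User->recursive = 0;
        $this->paginate = array(
            'conditions' => array('User.client_id' => $this->Auth->user('client_id')),
        );
        $this->set('users', $this->paginate());
    }
}
```

Edit and delete actions need the same scoped lookup before they save or remove anything, since a bare id in the URL is otherwise the only thing selecting the row.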