I think you are confusing a few things here. GET/POST has nothing to do with what pages you can access. You should use role-based (preferred) or row-based access control for those forms and non-public actions.
The type is relevant for what type of action you take: GET if it does not alter the database (view, index, add/edit for display of form), POST to alter the database (add/edit upon save, delete).

mark

On Friday, 8 August 2014 17:55:10 UTC+2, Steve Thomas wrote:
>
> I'm wondering what everyone is doing about the default links. I'm setting
> up an application that has multiple companies with multiple employees. One
> company can't see another company's employees.
> However, if a manager can display a list of all their employees and edit
> them via GET, they can simply change the id in the address bar to pull up
> any arbitrary employee from their company or any other company.
>
> If I use a postLink, then the edit page opens blank because
> the setFlash(__('The user could not be saved. Please, try again.')) is
> triggered before the find('list') can fill out the form.
> I'm only a couple weeks new to cakephp and am under the impression cakephp
> won't allow an is() to validate a particular post name so I can create
> actions based on which post is being submitted; self or a view.
>
> I tried to leave the link as GET and encrypt/decrypt, but that continued
> to fail.
> Please, any suggestions would be great. I can't imagine this security hole
> doesn't have an easy fix. I just haven't seen it yet.
>
> Thanks
> Steve
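As an added example of the row-based check mark recommends (this is not code from the thread or from CakePHP itself), a CakePHP 2.x edit action that scopes every lookup by the company stored in the server-side session, so the id in the address bar alone never selects the record. The Employee model, its company_id column, and an AuthComponent session field named company_id are assumptions.

```php
<?php
// Added example (not from the thread): row-scoped edit action for CakePHP 2.x.
// Assumes an Employee model with a company_id column and that AuthComponent
// stores the logged-in manager's company_id in the session.
App::uses('AppController', 'Controller');

class EmployeesController extends AppController {

    public function edit($id = null) {
        // The tenant comes from the session, never from the request.
        $companyId = $this->Auth->user('company_id');

        // Scope the lookup by company as well as id: an id outside the
        // manager's own company simply does not match and yields a 404.
        $employee = $this->Employee->find('first', array(
            'conditions' => array(
                'Employee.id' => $id,
                'Employee.company_id' => $companyId,
            ),
        ));
        if (!$employee) {
            throw new NotFoundException(__('Invalid employee'));
        }

        // GET displays the form; POST/PUT saves. The save re-applies the same
        // scope so a forged company_id in submitted data cannot move the record.
        if ($this->request->is('post') || $this->request->is('put')) {
            $this->request->data['Employee']['id'] = $id;
            $this->request->data['Employee']['company_id'] = $companyId;
            if ($this->Employee->save($this->request->data)) {
                $this->Session->setFlash(__('The employee has been saved.'));
                return $this->redirect(array('action' => 'index'));
            }
            $this->Session->setFlash(__('The employee could not be saved. Please, try again.'));
        } else {
            $this->request->data = $employee;
        }
    }
}
```

The same company condition belongs on index, view and delete as well; the GET/POST split only decides which requests are allowed to change data, not which rows a user may reach.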