Re: Forcing user to access her data only

2009-05-18 Thread brian

You can either use ACL or, simpler, just check the User.id when
fetching the courses. You can either fetch the course by ID, then
check its user_id matches $this->Auth->user('id') (if you're using
Auth). Or, use find() instead of read() and add another condition:

'Course.id' => $id,
'Course.user_id' => $this->Auth->user('id')



On Mon, May 18, 2009 at 1:03 PM, Brian Lee brianleeu...@gmail.com wrote:

 So, here is how my application works:

 1. I have users (just like any other apps)
 2. I have courses that each user can create

 Upon login, user will view the list of courses that she created.
 I got that to work.

 However, now the problem is, I don't know the simple, neat way to
 block user from accessing classes that she did not create. For
 instance, Bob created courses that have IDs of 1, 2, 3. Jane has
 courses with IDs of 4, 5, 6. How do I stop Bob from doing something
 like localhost/courses/view/4 (trying to view Jane's course)? and
 prevent Jane from doing the same for Bob's courses?

 I am sure that there is a very neat way to do it, because this is a
 problem that often comes up when developing web applications. I just want
 to know the CakePHP way of doing this.

 Thanks!
 


--~--~-~--~~~---~--~~
You received this message because you are subscribed to the Google Groups 
CakePHP group.
To post to this group, send email to cake-php@googlegroups.com
To unsubscribe from this group, send email to 
cake-php+unsubscr...@googlegroups.com
For more options, visit this group at 
http://groups.google.com/group/cake-php?hl=en
-~--~~~~--~~--~--~---



Re: Forcing user to access her data only

2009-05-18 Thread Gabriel A. Gonzalez

Hi Brian, I assume that each course has a user_id, right? So when you 
list, edit or view the courses just use a condition to search all the 
courses of the current user... ex:

$cond = array('Course.user_id' => $Current_user_id);
$this->set('courses', $this->paginate('Course', $cond));

Brian Lee wrote:
 So, here is how my application works:

 1. I have users (just like any other apps)
 2. I have courses that each user can create

 Upon login, user will view the list of courses that she created.
 I got that to work.

 However, now the problem is, I don't know the simple, neat way to
 block user from accessing classes that she did not create. For
 instance, Bob created courses that have IDs of 1, 2, 3. Jane has
 courses with IDs of 4, 5, 6. How do I stop Bob from doing something
 like localhost/courses/view/4 (trying to view Jane's course)? and
 prevent Jane from doing the same for Bob's courses?

 I am sure that there is a very neat way to do it, because this is a
 problem that often comes up when developing web applications. I just want
 to know the CakePHP way of doing this.

 Thanks!
 

   





Re: Forcing user to access her data only

2009-05-18 Thread Brian Lee

But how does this prevent user from accessing a random course?

such as typing localhost/courses/view/123
and hoping to see what he gets for course_id 123.

I know that paginate would restrict what I would like to list;
however, that does not prevent the user from typing the actual url to
access (add, view, delete) the course with some random course number
that he/she did not create.

On May 18, 10:18 am, Gabriel A. Gonzalez gabriel...@gmail.com
wrote:
 Hi Brian, I assume that each course has a user_id, right? So when you
 list, edit or view the courses just use a condition to search all the
 courses of the current user... ex:

 $cond = array('Course.user_id' => $Current_user_id);
 $this->set('courses', $this->paginate('Course', $cond));

 Brian Lee wrote:

  So, here is how my application works:

  1. I have users (just like any other apps)
  2. I have courses that each user can create

  Upon login, user will view the list of courses that she created.
  I got that to work.

  However, now the problem is, I don't know the simple, neat way to
  block user from accessing classes that she did not create. For
  instance, Bob created courses that have IDs of 1, 2, 3. Jane has
  courses with IDs of 4, 5, 6. How do I stop Bob from doing something
  like localhost/courses/view/4 (trying to view Jane's course)? and
  prevent Jane from doing the same for Bob's courses?

  I am sure that there is a very neat way to do it, because this is a
  problem that often comes up when developing web applications. I just want
  to know the CakePHP way of doing this.

  Thanks!



Re: Forcing user to access her data only

2009-05-18 Thread Brian Lee

Never mind. I get it!

Thanks!

On May 18, 12:05 pm, Brian Lee brianleeu...@gmail.com wrote:
 But how does this prevent user from accessing a random course?

 such as typing localhost/courses/view/123
 and hoping to see what he gets for course_id 123.

 I know that paginate would restrict what I would like to list;
 however, that does not prevent the user from typing the actual url to
 access (add, view, delete) the course with some random course number
 that he/she did not create.

 On May 18, 10:18 am, Gabriel A. Gonzalez gabriel...@gmail.com
 wrote:

  Hi Brian, I assume that each course has a user_id, right? So when you
  list, edit or view the courses just use a condition to search all the
  courses of the current user... ex:

  $cond = array('Course.user_id' => $Current_user_id);
  $this->set('courses', $this->paginate('Course', $cond));

  Brian Lee wrote:

   So, here is how my application works:

   1. I have users (just like any other apps)
   2. I have courses that each user can create

   Upon login, user will view the list of courses that she created.
   I got that to work.

   However, now the problem is, I don't know the simple, neat way to
   block user from accessing classes that she did not create. For
   instance, Bob created courses that have IDs of 1, 2, 3. Jane has
   courses with IDs of 4, 5, 6. How do I stop Bob from doing something
   like localhost/courses/view/4 (trying to view Jane's course)? and
   prevent Jane from doing the same for Bob's courses?

   I am sure that there is a very neat way to do it, because this is a
   problem that often comes up when developing web applications. I just want
   to know the CakePHP way of doing this.

   Thanks!