Is the admin_ prefix a security feature or just a convenience?

2014-01-03 Thread David Deley
I understand a user cannot directly access mysite.com/users/admin_index

Instead they go to mysite.com/admin/users/index

But, is there any automatic security checking? Because anyone can type in
mysite.com/admin/users/index

Is it still up to the UsersController to filter out unauthorized users,
such as by having an isAuthorized setting, or does the function admin_index still
need to check the user's privileges and reject the request if the user
doesn't have admin privs?

In which case I don't see the advantage of using the admin_ prefix. Seems
like a big security problem if every controller function needs to check the
user's privileges. Is there a better way I'm missing?

Can IsAuthorized somehow say only admin users are allowed to run admin
functions?

-- 
Like Us on FaceBook https://www.facebook.com/CakePHP
Find us on Twitter http://twitter.com/CakePHP

--- 
You received this message because you are subscribed to the Google Groups 
"CakePHP" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to cake-php+unsubscr...@googlegroups.com.
To post to this group, send email to cake-php@googlegroups.com.
Visit this group at http://groups.google.com/group/cake-php.
For more options, visit https://groups.google.com/groups/opt_out.
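For what this means in practice in CakePHP 2.x: the admin prefix is a routing convention only, so the check has to come from the Auth component, and the usual place to centralise it is isAuthorized() in AppController. The following is an added example, not code from this thread or from CakePHP's own source; it assumes Configure::write('Routing.prefixes', array('admin')) in app/Config/core.php, a `role` column on the users table, and the Controller authorize handler of AuthComponent.

```php
<?php
// app/Controller/AppController.php (added example, CakePHP 2.x).
// Assumptions: Routing.prefixes includes 'admin' in app/Config/core.php,
// and the users table has a `role` column with values such as 'admin' or 'user'.
App::uses('Controller', 'Controller');

class AppController extends Controller {

    public $components = array(
        'Session',
        'Paginator',
        'Auth' => array(
            // ControllerAuthorize calls $this->isAuthorized($user) for every
            // request by a logged-in user; returning false denies the request.
            'authorize' => array('Controller'),
            'loginRedirect' => array('controller' => 'users', 'action' => 'index'),
            'logoutRedirect' => array('controller' => 'users', 'action' => 'login'),
            'authError' => 'You are not allowed to access that page.',
        ),
    );

    public function beforeFilter() {
        parent::beforeFilter();
        // Default deny: nothing is public unless a controller explicitly
        // calls $this->Auth->allow() for specific actions (e.g. 'login').
    }

    /**
     * Central authorization rule inherited by every controller.
     * The admin_ prefix by itself grants nothing; this is where the check lives,
     * so individual admin_* actions do not each need to repeat it.
     */
    public function isAuthorized($user) {
        // Router sets params['admin'] = true when the /admin/... prefix matched.
        if (!empty($this->request->params['admin'])) {
            return isset($user['role']) && $user['role'] === 'admin';
        }
        // Non-prefixed actions: any authenticated user.
        return true;
    }
}

// app/Controller/UsersController.php
class UsersController extends AppController {

    public function beforeFilter() {
        parent::beforeFilter();
        $this->Auth->allow('login'); // only login is reachable anonymously
    }

    public function isAuthorized($user) {
        // Keep the inherited admin_ rule. A child controller that returns
        // true unconditionally here would silently reopen /admin/users/*.
        if (!parent::isAuthorized($user)) {
            return false;
        }
        // Example extra rule: a regular user may only edit their own record.
        if ($this->request->action === 'edit') {
            $requestedId = isset($this->request->params['pass'][0])
                ? $this->request->params['pass'][0] : null;
            return $requestedId !== null && (string)$requestedId === (string)$user['id'];
        }
        return true;
    }

    public function admin_index() {
        // Reached only after isAuthorized() returned true for an admin.
        $this->set('users', $this->Paginator->paginate('User'));
    }
}
```

The design point is that the rule lives in one inherited method and is default-deny: a new admin_ action in any controller is protected without its author remembering to add a check, and a controller that overrides isAuthorized() must call the parent to keep it. Typing /admin/users/index without the admin role then produces the Auth component's authError redirect rather than the action running.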


List of all Users belonging to Company?

2013-12-26 Thread David Deley
I have a Model of Users,
and a Model of Companies

each User belongs to a Company:
    public $belongsTo = 'Company';

each Company has many Users:
    public $hasMany = 'User';

A user logs in. It's an ordinary user (not an administrator).

I'm in the UsersController.php, function index, and I want to display only
other users that belong to the same company the logged-in user belongs to.
How do I fetch that info?

e.g.
$this->set('users', $this->Paginator->paginate());

will display *all* users. Suitable for admin users, not for regular users.
How do I restrict the list of users to only users belonging to the same
company the user belongs to?

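One way to scope the listing to the logged-in user's company in CakePHP 2.x is to put a condition on the paginated find, with the company id taken from the session. This is an added example, not code from this thread or from CakePHP; it assumes the Auth component is loaded so that $this->Auth->user('company_id') returns the session user's company, that a users.company_id column is the foreign key behind `public $belongsTo = 'Company';`, and that the Paginator component is loaded in AppController.

```php
<?php
// app/Controller/UsersController.php (added example, CakePHP 2.x).
// Assumptions: Auth and Paginator components loaded in AppController, and a
// users.company_id column backing the User belongsTo Company association.
App::uses('AppController', 'Controller');

class UsersController extends AppController {

    /**
     * Regular users: list only users in the caller's own company.
     * The company id comes from the authenticated session, never from the
     * URL or query string, so a user cannot list another company's members
     * by editing a parameter.
     */
    public function index() {
        $companyId = $this->Auth->user('company_id');
        if ($companyId === null) {
            // Refuse rather than fall through to an unscoped query when the
            // session user has no company.
            throw new ForbiddenException(__('No company associated with this account.'));
        }

        $this->Paginator->settings = array(
            'conditions' => array('User.company_id' => $companyId),
            'fields' => array('User.id', 'User.username', 'User.email', 'User.company_id'),
            'recursive' => 0, // pulls in the belongsTo Company row, nothing deeper
            'limit' => 25,
            'order' => array('User.username' => 'asc'),
        );
        $this->set('users', $this->Paginator->paginate('User'));
    }

    /**
     * Admin users (reached via /admin/users/index once isAuthorized() has
     * checked the role): unscoped listing of every user.
     */
    public function admin_index() {
        $this->Paginator->settings = array(
            'recursive' => 0,
            'limit' => 25,
            'order' => array('User.company_id' => 'asc', 'User.username' => 'asc'),
        );
        $this->set('users', $this->Paginator->paginate('User'));
    }
}
```

In CakePHP 2.x the Paginator component only lets the request override the whitelisted keys (limit, sort, page, direction), so the conditions set here cannot be replaced by query-string parameters; the scoping stays server-side.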