Re: Forcing user to access her data only
Never mind. I get it! Thanks!

On May 18, 12:05 pm, Brian Lee wrote:
> But how does this prevent user from accessing a random course?
>
> such as typing localhost/courses/view/123
> and hoping to see what he gets for course_id 123.
>
> I know that paginate would restrict what I would like to list;
> however, that does not prevent the user from typing the actual URL to
> access (add, view, delete) the course with some random course number
> that he/she did not create.
>
> On May 18, 10:18 am, "Gabriel A. Gonzalez" wrote:
> > Hi Brian, I assume that each course has a user_id, right? So when you
> > list, edit or view the courses just use a condition to search all the
> > courses of the current user... ex:
> >
> > $cond = array('Course.user_id' => $Current_user_id);
> > $this->set('courses', $this->paginate('Course', $cond));
> >
> > Brian Lee wrote:
> > > So, here is how my application works:
> > >
> > > 1. I have users (just like any other apps)
> > > 2. I have courses that each user can create
> > >
> > > Upon login, user will view the list of courses that she created.
> > > I got that to work.
> > >
> > > However, now the problem is, I don't know the simple, neat way to
> > > block user from accessing classes that she did not create. For
> > > instance, Bob created courses that have IDs of 1, 2, 3. Jane has
> > > courses with IDs of 4, 5, 6. How do I stop Bob from doing something
> > > like localhost/courses/view/4 (trying to view Jane's course)? and
> > > prevent Jane from doing the same for Bob's courses?
> > >
> > > I am sure that there is a very neat way to do it, because this is a
> > > problem that often comes up when developing web applications. I just want
> > > to know the CakePHP way of doing this.
> > >
> > > Thanks!

--~--~-~--~~~---~--~~
You received this message because you are subscribed to the Google Groups "CakePHP" group.
To post to this group, send email to cake-php@googlegroups.com
To unsubscribe from this group, send email to cake-php+unsubscr...@googlegroups.com
For more options, visit this group at http://groups.google.com/group/cake-php?hl=en
-~--~~~~--~~--~--~---
Re: Forcing user to access her data only
But how does this prevent user from accessing a random course?

such as typing localhost/courses/view/123
and hoping to see what he gets for course_id 123.

I know that paginate would restrict what I would like to list;
however, that does not prevent the user from typing the actual URL to
access (add, view, delete) the course with some random course number
that he/she did not create.

On May 18, 10:18 am, "Gabriel A. Gonzalez" wrote:
> Hi Brian, I assume that each course has a user_id, right? So when you
> list, edit or view the courses just use a condition to search all the
> courses of the current user... ex:
>
> $cond = array('Course.user_id' => $Current_user_id);
> $this->set('courses', $this->paginate('Course', $cond));
>
> Brian Lee wrote:
> > So, here is how my application works:
> >
> > 1. I have users (just like any other apps)
> > 2. I have courses that each user can create
> >
> > Upon login, user will view the list of courses that she created.
> > I got that to work.
> >
> > However, now the problem is, I don't know the simple, neat way to
> > block user from accessing classes that she did not create. For
> > instance, Bob created courses that have IDs of 1, 2, 3. Jane has
> > courses with IDs of 4, 5, 6. How do I stop Bob from doing something
> > like localhost/courses/view/4 (trying to view Jane's course)? and
> > prevent Jane from doing the same for Bob's courses?
> >
> > I am sure that there is a very neat way to do it, because this is a
> > problem that often comes up when developing web applications. I just want
> > to know the CakePHP way of doing this.
> >
> > Thanks!
Re: Forcing user to access her data only
Hi Brian, I assume that each course has a user_id, right? So when you
list, edit or view the courses just use a condition to search all the
courses of the current user... ex:

$cond = array('Course.user_id' => $Current_user_id);
$this->set('courses', $this->paginate('Course', $cond));

Brian Lee wrote:
> So, here is how my application works:
>
> 1. I have users (just like any other apps)
> 2. I have courses that each user can create
>
> Upon login, user will view the list of courses that she created.
> I got that to work.
>
> However, now the problem is, I don't know the simple, neat way to
> block user from accessing classes that she did not create. For
> instance, Bob created courses that have IDs of 1, 2, 3. Jane has
> courses with IDs of 4, 5, 6. How do I stop Bob from doing something
> like localhost/courses/view/4 (trying to view Jane's course)? and
> prevent Jane from doing the same for Bob's courses?
>
> I am sure that there is a very neat way to do it, because this is a
> problem that often comes up when developing web applications. I just want
> to know the CakePHP way of doing this.
>
> Thanks!
Re: Forcing user to access her data only
You can either use ACL or, simpler, just check the User.id when
fetching the courses.

You can either fetch the course by ID, then check its user_id matches
$this->Auth->user('id') (if you're using Auth). Or, use find() instead
of read() and add another condition:

'Course.id' => $id,
'Course.user_id' => $this->Auth->user('id')

On Mon, May 18, 2009 at 1:03 PM, Brian Lee wrote:
> So, here is how my application works:
>
> 1. I have users (just like any other apps)
> 2. I have courses that each user can create
>
> Upon login, user will view the list of courses that she created.
> I got that to work.
>
> However, now the problem is, I don't know the simple, neat way to
> block user from accessing classes that she did not create. For
> instance, Bob created courses that have IDs of 1, 2, 3. Jane has
> courses with IDs of 4, 5, 6. How do I stop Bob from doing something
> like localhost/courses/view/4 (trying to view Jane's course)? and
> prevent Jane from doing the same for Bob's courses?
>
> I am sure that there is a very neat way to do it, because this is a
> problem that often comes up when developing web applications. I just want
> to know the CakePHP way of doing this.
>
> Thanks!
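Added example, not part of the thread: the difference between looking a course up by ID alone and scoping the lookup to its owner, shown in plain PHP with an in-memory SQLite database (requires pdo_sqlite) instead of CakePHP models. The table layout, function names and user IDs are constructed for illustration; the WHERE clause mirrors the 'Course.id' / 'Course.user_id' conditions in the reply above, and the same scoping is applied to delete.

```php
<?php
// Constructed sample data: Bob (user 1) owns courses 1-3, Jane (user 2) owns 4-6.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE courses (id INTEGER PRIMARY KEY, user_id INTEGER NOT NULL, title TEXT)');
$ins = $db->prepare('INSERT INTO courses (id, user_id, title) VALUES (?, ?, ?)');
foreach (array(1 => 1, 2 => 1, 3 => 1, 4 => 2, 5 => 2, 6 => 2) as $id => $owner) {
    $ins->execute(array($id, $owner, "Course $id"));
}

// Lookup by ID alone: what view/<id> does when only the list page is filtered.
function findCourseById(PDO $db, $id) {
    $st = $db->prepare('SELECT * FROM courses WHERE id = ?');
    $st->execute(array((int) $id));
    $row = $st->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Owner-scoped lookup: id AND user_id, the same pair of conditions as
// 'Course.id' => $id, 'Course.user_id' => <logged-in user id>.
function findOwnedCourse(PDO $db, $id, $userId) {
    $st = $db->prepare('SELECT * FROM courses WHERE id = ? AND user_id = ?');
    $st->execute(array((int) $id, (int) $userId));
    $row = $st->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Deletes need the same scoping; reports whether a row owned by the user was removed.
function deleteOwnedCourse(PDO $db, $id, $userId) {
    $st = $db->prepare('DELETE FROM courses WHERE id = ? AND user_id = ?');
    $st->execute(array((int) $id, (int) $userId));
    return $st->rowCount() === 1;
}

$bob = 1; // in the application this comes from the login session, never from the URL
var_dump(findCourseById($db, 4) !== null);         // ID-only lookup of Jane's course
var_dump(findOwnedCourse($db, 4, $bob) === null);  // scoped lookup of Jane's course as Bob
var_dump(findOwnedCourse($db, 2, $bob) !== null);  // scoped lookup of Bob's own course
var_dump(deleteOwnedCourse($db, 4, $bob));         // scoped delete of Jane's course as Bob
var_dump(findCourseById($db, 4) !== null);         // Jane's course after that delete attempt
```

Treating a scoped miss the same as "no such course" keeps the response from revealing which IDs exist.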
Forcing user to access her data only
So, here is how my application works:

1. I have users (just like any other apps)
2. I have courses that each user can create

Upon login, user will view the list of courses that she created.
I got that to work.

However, now the problem is, I don't know the simple, neat way to
block user from accessing classes that she did not create. For
instance, Bob created courses that have IDs of 1, 2, 3. Jane has
courses with IDs of 4, 5, 6. How do I stop Bob from doing something
like localhost/courses/view/4 (trying to view Jane's course)? and
prevent Jane from doing the same for Bob's courses?

I am sure that there is a very neat way to do it, because this is a
problem that often comes up when developing web applications. I just want
to know the CakePHP way of doing this.

Thanks!