Tags: php, cakephp, cakephp-2.0

CakePHP 2.0: URL ID can be changed by the user, make it so it's not allowed


Controller - this is the part where I am trying to figure it out: /form/edit/315, but I as a user can change it to /form/edit/316 and will see another user's data. If anyone can help, that would be much appreciated!

if ($this->success === true) {

    $this->Form->set($this->request->data);

    // This check uses the session id rather than the record's owner
    // (user_id), so it cannot tell whose record $id refers to.
    if ($this->Session->id('id') != $id) {
        // Set the flash message before redirecting: redirect() exits by
        // default, so anything placed after it never runs.
        $this->Session->setFlash(__('Not allowed'));
        $this->redirect(array('controller' => 'form', 'action' => 'home'));
    } else {

    }
}

So that a user is not allowed to access other users' data by changing the id in the URL.


Solution

  • Figured it out!
    Had to set form.id = user.id, so only the owner can see the task they created; otherwise it will send them elsewhere.

    if ($this->success === true) {

        $Form = ClassRegistry::init('Form'); // Instantiation

        // Look the record up by both its id and the logged-in user's id, so a
        // record that belongs to someone else is simply not found.
        $existingTask = $Form->find('first', array(
            'conditions' => array(
                'Form.id' => $id,
                'Form.user_id' => $this->Auth->user('id')
            ),
            'recursive' => -1
        ));

        if (empty($existingTask)) {
            // Set the message before redirecting: redirect() exits by default,
            // so anything after it never runs.
            $this->Flash->set('id not found');
            return $this->redirect(array('controller' => 'form', 'action' => 'home'));
        }

    }
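A fuller edit action along the same lines, added here as an example and not code from the question or the answer: it scopes the lookup by the logged-in user's id, treats a foreign id exactly like a missing one, and restricts the saved fields so the record's owner cannot be reassigned through the submitted form. It assumes a CakePHP 2.x controller with AuthComponent and the Flash component configured, a Form model with a user_id column, and title/body as the editable fields; those names are assumptions.

```php
<?php
// Added example (not from the question or the answer above). Assumes a
// CakePHP 2.x app with AuthComponent and Flash configured, a Form model whose
// table has a user_id column, and title/body as editable fields (assumed names).
App::uses('AppController', 'Controller');

class FormController extends AppController {
    public $components = array('Auth', 'Flash');

    // Load the record for the current user only: scoping the lookup by
    // Form.user_id means a foreign id finds nothing, so the ownership check
    // cannot be forgotten later in the action.
    protected function _findOwnRecord($id) {
        return $this->Form->find('first', array(
            'conditions' => array(
                'Form.id' => $id,
                'Form.user_id' => $this->Auth->user('id'),
            ),
            'recursive' => -1,
        ));
    }

    public function edit($id = null) {
        $task = $this->_findOwnRecord($id);
        if (empty($task)) {
            // Same response for "does not exist" and "not yours", so the URL
            // cannot be used to learn which ids belong to other users.
            throw new NotFoundException(__('Task not found'));
        }
        if ($this->request->is('post') || $this->request->is('put')) {
            // Pin the id and owner server side and whitelist the saved fields,
            // so a tampered hidden field cannot hand the record to another user.
            $this->request->data['Form']['id'] = $task['Form']['id'];
            $this->request->data['Form']['user_id'] = $this->Auth->user('id');
            $saved = $this->Form->save($this->request->data, array(
                'fieldList' => array('id', 'user_id', 'title', 'body'),
            ));
            if ($saved) {
                $this->Flash->set(__('Task saved'));
                return $this->redirect(array('action' => 'home'));
            }
            $this->Flash->set(__('Task could not be saved'));
        } else {
            $this->request->data = $task;
        }
        $this->set('task', $task);
    }
}
```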