我有一个模型“事件”,它拥有自己的数据 + 用户 ID。如何仅向事件所属的用户授予访问权限?
问问题
610 次
1 回答
3
您可以在视图方法的开头添加一个检查,以查看 Authenticated 用户 id 是否与事件的匹配。如果没有,请使用“拒绝访问”闪存消息将它们重定向回来。例如,在您的 EventsController 中添加:
public function view($event_id) {
// Make sure the event exists at all
if (!$this->Event->exists($event_id)) {
throw new NotFoundException(__('No such event.'));
}
// Get the event data
$event = $this->Event->findById($event_id);
// Match the authenticated user with the user_id of the event.
if ($this->Auth->User('id') != $event['Event']['user_id']) {
// No match, redirect the user back to the index action.
$this->Session->setFlash(__('This is not your event!'));
$this->redirect(array('action' => 'index'));
}
/**
* If this point is reached, the user is the owner of the event.
* The rest of your logic goes below this point.
*/
}
于 2013-02-13T10:22:32.380 回答