You can disable this edit route and create your own route without user id. And in the action, retrieve the logged-in user id from the session.
On 3 Apr, 00:49, comb <sa...@gmx.net> wrote:
> Hey
>
> (symfony 1.4 + Doctrine)
>
> In the backend I have a list of members where each member is connected
> to a sfGuardUser.
> Now I want that every Member can only edit his own profile, but not the
> ones of others.
>
> For the list-view I already got a solution with the table_method
> where I can specify a $q->andWhere():
>
> //Member.class.php
> [...]
>   public function retrieveBackendMember(Doctrine_Query $q)
>   {
>     try {
>       // not-admin-users may only edit their own profiles
>       $user = sfContext::getInstance()->getUser();
>       $user_id = $user->getGuardUser()->getId();
>       if (!$user->hasCredential('admin'))
>       {
>         $rootAlias = $q->getRootAlias();
>         $q->andWhere($rootAlias.'.sf_guard_user_id = ?', $user_id);
>       }
>     } catch (Exception $e) {
>       // show none...
>       $q->andWhere('false');
>     }
>
>     return $q;
>   }
> [...]
>
> But if I change the id in the URL I can edit others, too..
> ../backend_dev.php/members/23/edit
> -> ../backend_dev.php/members/24/edit *WORKS, BUT I WANT A "NEED-AUTH"-MESSAGE*
>
> How can I do that?
>
> Thanks!
> comb
> ... who is tired from symfony-google-marathon :-(
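The table_method filter in the question only narrows the list query; the edit, update and delete routes still load whatever id is in the URL. The following is an added example, not code from either poster or from symfony itself, showing an object-level ownership check for those routes. It assumes the module is named "members", that its generated base class is autoMembersActions, and that the file path in the first comment matches the project layout.

```php
<?php
// apps/backend/modules/members/actions/actions.class.php (path assumed)
// Added example: ownership check for the admin-generator "members" module.
// Assumes Member carries the sf_guard_user_id column shown in the question.

class membersActions extends autoMembersActions
{
  // Actions whose route resolves one Member from the :id in the URL.
  protected static $objectActions = array('edit', 'update', 'delete');

  public function preExecute()
  {
    // Keep the generator's own setup and module-level credential check.
    parent::preExecute();

    if (!in_array($this->getActionName(), self::$objectActions))
    {
      return;
    }

    $user = $this->getUser();
    if ($user->hasCredential('admin'))
    {
      return; // admins may edit every profile, as in the list filter
    }

    // Compare the owner of the requested record with the session user,
    // never with an id supplied by the request.
    $member    = $this->getRoute()->getObject();
    $guardUser = $user->getGuardUser();

    if (!$guardUser || $member->sf_guard_user_id != $guardUser->getId())
    {
      // Render the configured "credentials required" page instead of the form.
      // forward() stops the current action, so edit/update/delete never run.
      $this->forward(
        sfConfig::get('sf_secure_module'),
        sfConfig::get('sf_secure_action')
      );
    }
  }
}
```

Checking update and delete as well as edit matters because the form posts back to a separate route that carries the same id. Batch actions take their ids from the request rather than from the route object, so if they are enabled for this module they need their own check or should be switched off in generator.yml.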