You can disable this edit route and create your own route without the user
id, and in the action retrieve the logged-in user's id from the session.


On 3 dub, 00:49, comb <sa...@gmx.net> wrote:
> Hey
>
> (symfony 1.4 + Doctrine)
>
> In the backend I have a list of members where each member is connected
> to a sfGuardUser.
> Now I want that every Member can only edit his own profile, but not the
> ones of others.
>
> For the list-view I already got a solution with the table_method
> where I can specify a $q->andWhere():
>
> //Member.class.php
> [...]
>     /**
>      * table_method for the admin generator list: non-admin users only get
>      * the Member row linked to their own sfGuardUser; admins get all rows.
>      */
>     public function retrieveBackendMember(Doctrine_Query $q)
>     {
>         try {
>             // not-admin-users may only edit their own profiles
>             $user    = sfContext::getInstance()->getUser();
>             $user_id = $user->getGuardUser()->getId();
>             if (!$user->hasCredential('admin'))
>             {
>                 $rootAlias = $q->getRootAlias();
>                 $q->andWhere($rootAlias.'.sf_guard_user_id = ?', $user_id);
>             }
>         } catch (Exception $e) {
>             // no logged-in guard user (or any other failure): show none...
>             $q->andWhere('false');
>         }
>
>         return $q;
>     }
> [...]
>
> But if I change the id in the URL I can edit others, too..
> ../backend_dev.php/members/23/edit
> -> ../backend_dev.php/members/24/edit *WORKS, BUT I WANT A "NEED-AUTH"-
> MESSAGE*
>
> How can I do that?
>
> Thanks!
> comb
> ... who is tired from symfony-google-marathon :-(

-- 
If you want to report a vulnerability issue on symfony, please send it to 
security at symfony-project.com

You received this message because you are subscribed to the Google
Groups "symfony users" group.
To post to this group, send email to symfony-users@googlegroups.com
To unsubscribe from this group, send email to
symfony-users+unsubscr...@googlegroups.com
For more options, visit this group at
http://groups.google.com/group/symfony-users?hl=en
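The approach suggested in the reply above (a dedicated edit route that carries no member id, with the Member row resolved from the session identity in the action), as an added example that is not code from the original thread. It assumes a backend app with a "member" module, a Member model whose sf_guard_user_id column points at sfGuardUser, a MemberForm, and sfDoctrineGuardPlugin providing getGuardUser(); the route name member_profile_edit and the action name editProfile are invented for the example.

```php
<?php
// apps/backend/config/routing.yml (assumed location):
//
// member_profile_edit:
//   url:   /profile/edit
//   param: { module: member, action: editProfile }
//
// The URL contains no id, so nothing the client sends can select the row.
//
// apps/backend/modules/member/config/security.yml (assumed location):
//
// editProfile:
//   is_secure: true
//
// apps/backend/modules/member/actions/actions.class.php (assumed location):

class memberActions extends sfActions
{
  /**
   * Edit the profile that belongs to the logged-in user, and only that one.
   * The Member row is looked up from the session identity, never from a
   * request parameter, so there is no id for a user to tamper with.
   */
  public function executeEditProfile(sfWebRequest $request)
  {
    // security.yml already forwards anonymous users to the secure action;
    // this check is belt and braces in case the module is reused elsewhere.
    if (!$this->getUser()->isAuthenticated())
    {
      $this->forward(sfConfig::get('sf_secure_module'), sfConfig::get('sf_secure_action'));
    }

    $guardUserId = $this->getUser()->getGuardUser()->getId();

    // Doctrine 1.2 magic finder on the sf_guard_user_id column.
    $member = Doctrine_Core::getTable('Member')->findOneBySfGuardUserId($guardUserId);

    // A logged-in account with no Member row gets a 404, not someone else's row.
    $this->forward404Unless($member, 'No member profile is linked to this account');

    $this->form = new MemberForm($member);

    if ($request->isMethod(sfRequest::POST))
    {
      // Bind only this user's form; the bound object is the one loaded above,
      // so a posted id field cannot redirect the save to another record.
      $this->form->bind(
        $request->getParameter($this->form->getName()),
        $request->getFiles($this->form->getName())
      );

      if ($this->form->isValid())
      {
        $this->form->save();
        $this->getUser()->setFlash('notice', 'Your profile was updated.');
        $this->redirect('@member_profile_edit');
      }
    }

    // Falls through to editProfileSuccess.php, which renders $form.
  }
}
```

Two caveats for this setup. The table_method in the question only filters the admin generator's list query; the generated object routes (/members/:id/edit and the PUT to /members/:id) still accept any id, so they must be dropped from the route collection (the actions option of sfDoctrineRouteCollection in routing.yml, e.g. leaving out edit and update) or guarded with the same ownership check, otherwise a non-admin can keep posting directly to them. And the "need-auth" message the question asks for comes from the forward to sf_secure_module/sf_secure_action; with the id gone from the URL there is simply no other profile to reach, which is the stronger fix.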
