You should check the ACL in the edit controller action before actually doing anything.

/thomas

On 08 Aug 2014, at 22:33, Steve Thomas <[email protected]> wrote:

> All the manager would have to do is change the id in the address bar to
> access another user. Possibly a user from a different company which they
> shouldn't be able to access.
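
The check recommended in this thread, as an added example that is not part of either message and is not CakePHP's own code: a framework-independent PHP sketch of an edit action that authorizes the session user against the target record before touching it. The `role` and `company_id` columns, the policy in `canEdit()`, and the exception class names are assumptions made for illustration.

```php
<?php
// Constructed sample data standing in for the users table (assumed columns).
$users = [
    1 => ['id' => 1, 'role' => 'manager', 'company_id' => 10, 'name' => 'Ann'],
    2 => ['id' => 2, 'role' => 'user',    'company_id' => 10, 'name' => 'Bob'],
    3 => ['id' => 3, 'role' => 'user',    'company_id' => 20, 'name' => 'Cy'],
];

class ForbiddenError extends RuntimeException {}
class NotFoundError extends RuntimeException {}

// Hypothetical policy: users may edit themselves; managers may edit
// anyone in their own company. The actor comes from the session,
// never from the request.
function canEdit(array $actor, array $target): bool
{
    if ($actor['id'] === $target['id']) {
        return true;
    }
    return $actor['role'] === 'manager'
        && $actor['company_id'] === $target['company_id'];
}

// Stand-in for the controller's edit action. $id is the untrusted value
// from the URL; $fields is the submitted form data.
function editUser(array &$users, array $actor, $id, array $fields): array
{
    $id = filter_var($id, FILTER_VALIDATE_INT);
    if ($id === false || !isset($users[$id])) {
        throw new NotFoundError('No such user');
    }
    // Authorization runs before the record is displayed or written.
    if (!canEdit($actor, $users[$id])) {
        throw new ForbiddenError('Not allowed to edit this user');
    }
    // Only listed fields are writable, so the form cannot change
    // company_id or role and sidestep the check on a later request.
    $allowed = array_intersect_key($fields, array_flip(['name']));
    $users[$id] = array_merge($users[$id], $allowed);
    return $users[$id];
}

$manager = $users[1]; // in a real application this is the logged-in session user
print_r(editUser($users, $manager, '2', ['name' => 'Robert'])); // same company
try {
    editUser($users, $manager, '3', ['name' => 'x']);           // other company
} catch (ForbiddenError $e) {
    echo 'Rejected: ', $e->getMessage(), PHP_EOL;
}
```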
