I want to avoid that some user can change the id of the url and he can edit another Book. For example: this is the original url:
https://www.myurl/books/edit/1
The user can change the number 1:
https://www.myurl/books/edit/41
I wanna the user only can edit his books from his country
This is my original Edit from my BooksController
public function edit($id = null)
{
$country_id= $this->Auth->User()['country_id'];
$book= $this->Books->get($id, [
'contain' => []
]);
if ($this->request->is(['patch', 'book', 'put'])) {
$book= $this->Books->patchEntity($book, $this->request->data);
if ($this->Books->save($book)) {
$this->Flash->success(__('Success.'));
return $this->redirect(['action' => 'index']);
} else {
$this->Flash->error(__('Error'));
}
}
$this->set('_serialize', ['book']);
}
I tried to change this part of code:
$country_id= $this->Auth->User()['country_id'];
$book= $this->Books->get($id, [
'contain' => []
]);
for that:
$country_id= $this -> Auth -> User()['country_id'];
$book = $this->Books->get($id, [
'contain' => ['City'],
'conditions' => ['City.country_id' => $country_id]
]);
So, only the user can show the book from the same country. But I have an error: "Record not found in table "book""
If I put the original edit function works perfect, but the user can change the id. If I make above change the user can't edit any book id
If the get operation does not find any results a Cake\Datasource\Exception\RecordNotFoundException will be raised. You can either catch this exception yourself, or allow CakePHP to convert it into a 404 error.
Check Documentation Here
Alternatively uou can check with find() method with result of first()
$book = $this->Books->find([
'contain' => ['City'],
'conditions' => ['City.country_id' => $country_id,'Books.id'=>$id]
])->first();
http://book.cakephp.org/3.0/en/orm/retrieving-data-and-resultsets.html#getting-the-first-result