CakePHP: Prevent users from accessing other users' views and methods
I let users create a profile and use 36-char profile ids. The users/profile.ctp file was originally the users/view.ctp file baked by Cake.
The url looks like example/users/profile/3213123-12313-12313-4544534
I want to prevent other users from accessing each other's profiles or edit pages, e.g. achievements/edit.
I block certain actions with ACL, but users are in the same 'group' with the same access rights.
How can I make sure that a user can only access his own profile / methods, and that users who access other people's profiles through the URL are redirected to the homepage? Should I do this through advanced ACL, or am I missing some simple code here?
When your user is logged in, his info stays in the session. So in your UsersController you could do something like this:
    function profile($user_id) { // let's say that the 36-char string is the user's id
        // Compare the id from the URL with the id of the logged-in user held in the session
        if ($user_id !== $this->Auth->user('id')) {
            $this->cakeError("error404"); // or redirect to a view saying that he doesn't have access
        }
        // ... do your stuff
    }
Maybe you'll need to do the same thing in different methods of different controllers. You might create a Component to do this, or add a method in the AppController.
Good Luck!
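One way to put that shared check in AppController, as an added example that is not part of the original answer. It assumes CakePHP 1.3 with AuthComponent, a 36-char UUID primary key on users, and a constructed `user_id` foreign key on achievements; the three classes would normally live in their own controller files.

```php
<?php
// Added example (not the original poster's code): an ownership check shared
// by all controllers. Assumes CakePHP 1.3, AuthComponent, UUID user ids and
// a constructed 'user_id' field on the achievements table.
class AppController extends Controller {
    public $components = array('Auth', 'Session');

    /**
     * Redirect to the homepage unless $ownerId is the logged-in user's id.
     * Both sides are cast to string and compared strictly, so a null or
     * missing id can never match by loose comparison (e.g. null == 0).
     */
    protected function _requireOwner($ownerId) {
        $currentId = (string) $this->Auth->user('id');
        if ($currentId === '' || $ownerId === null || (string) $ownerId !== $currentId) {
            $this->Session->setFlash('You may only access your own data.');
            $this->redirect('/'); // redirect() stops execution by default
            return false;          // only reached if redirect() is overridden in a test
        }
        return true;
    }
}

class UsersController extends AppController {
    public function profile($id = null) {
        // The URL segment is the owner id itself, so it is checked directly
        $this->_requireOwner($id);
        $this->set('user', $this->User->read(null, $id));
    }
}

class AchievementsController extends AppController {
    public function edit($id = null) {
        // For a child record, look the owner up from the database instead of
        // trusting anything in the request
        $achievement = $this->Achievement->find('first', array(
            'conditions' => array('Achievement.id' => $id),
            'fields'     => array('Achievement.user_id'),
        ));
        $ownerId = $achievement ? $achievement['Achievement']['user_id'] : null;
        $this->_requireOwner($ownerId); // unknown record => null => redirected
        // ... normal edit handling continues here
    }
}
```

Calling `_requireOwner()` before any model read or save keeps a forged URL from reaching the data at all, and the database lookup in `edit()` matters because the achievement id in the URL says nothing about who owns it.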