
CakePHP - How do I globally limit (C)RUD operations on data to the owner of that data?

I have a model where everything is associated somehow to a single user (e.g. User->Client->Profile). Now a user should only be allowed to (C)RUD on his data (only a profile's owner should be successful accessing /profile/edit/[hisId]), so on nearly every database operation a condition like "'User.id' => $this->Session->read('Auth.User.id')" should be included. This requires that the model functions (like find) always join "their way through" to the user table (or saving the data owner in multiple tables which does not seem to be a good way of doing this).

How is this done the right way for various models and actions (especially without comparing user IDs in every action)? Might be in the model's callback functions, but right now I do not see a general solution.

This does not seem to be a farfetched scenario so I might be missing a very obvious solution.

Thank you for your assistance!


I would create a superclass from which all appropriate Models inherit, and use the model callback methods, such as beforeFind, to check permissions.

http://book.cakephp.org/view/76/Callback-Methods

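One way to put the suggested superclass and its callbacks into code, as an added example that is not part of the question or the answer above. It assumes CakePHP 2.x (static `CakeSession::read`, `$model->table` and `$model->primaryKey` on models, no table prefix), a `user_id` column on models that own their rows directly, and a hypothetical `$ownerPath` property that a subclass sets when it reaches the user through belongsTo associations; `OwnedModel` and `owns()` are names chosen here.

```php
<?php
// Added example (CakePHP 2.x assumed); OwnedModel and $ownerPath are hypothetical names.
App::uses('Model', 'Model');
App::uses('CakeSession', 'Model/Datasource');
class OwnedModel extends Model {
    // belongsTo aliases from this model to the one storing user_id: Client (has
    // user_id) leaves it empty, Profile (belongsTo Client) sets array('Client').
    public $ownerPath = array();
    // Every find() is restricted to rows reachable from the logged-in user.
    public function beforeFind($query) {
        $userId = CakeSession::read('Auth.User.id');
        if (!$userId) { return false; } // fail closed: no session, no rows
        $model = $this;
        $prev = $this->alias;
        foreach ($this->ownerPath as $alias) {
            $fk = $model->belongsTo[$alias]['foreignKey'];
            $model = $model->{$alias};
            $joinAlias = $alias . 'Owner'; // distinct alias: Cake may auto-join $alias itself
            $query['joins'][] = array(
                'table' => $model->table, 'alias' => $joinAlias, 'type' => 'INNER', // no table prefix assumed
                'conditions' => array("{$joinAlias}.{$model->primaryKey} = {$prev}.{$fk}"),
            );
            $prev = $joinAlias;
        }
        $query['conditions'][$prev . '.user_id'] = $userId;
        return $query;
    }
    // A row is the user's exactly when the filtered find() can still see it.
    public function owns($id) {
        $conditions = array($this->alias . '.' . $this->primaryKey => $id);
        return (bool)$this->find('count', array('conditions' => $conditions));
    }
    public function beforeSave($options = array()) {
        $userId = CakeSession::read('Auth.User.id');
        if (!$userId) { return false; }
        if (!empty($this->id)) { return $this->owns($this->id); } // update: refuse someone else's row
        if (empty($this->ownerPath)) {
            $this->data[$this->alias]['user_id'] = $userId; // create: stamp the owner
            return true;
        }
        // Create through a chain: the parent being pointed at must belong to the user too.
        $fk = $this->belongsTo[$this->ownerPath[0]]['foreignKey'];
        $parentId = isset($this->data[$this->alias][$fk]) ? $this->data[$this->alias][$fk] : null;
        return $this->{$this->ownerPath[0]}->owns($parentId);
    }
    public function beforeDelete($cascade = true) {
        return $this->owns($this->id);
    }
}
```

Client and Profile then extend OwnedModel instead of AppModel, and an action such as /profile/edit/[id] needs no user-id comparison of its own, because a read, save or delete of a row the user does not own returns nothing or false at the model layer. One gap left open for brevity: an update that re-points a chained record's foreign key (e.g. Profile.client_id) at another user's parent is not checked here and would need the same parent ownership test as the create branch.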
