避免用户可以在Cakephp上更改网址ID

Question

我想避免某些用户可以更改网址的ID，并且他可以编辑另一本书。 例如：这是原始地址：

https://www.myurl/books/edit/1 

用户可以更改为数字1：

https://www.myurl/books/edit/41 

我想用户只有可以从他的国家修改了他的书

这是我的原创编辑从我的BooksController

public function edit($id = null) 
{ 
    $country_id= $this->Auth->User()['country_id']; 

    $book= $this->Books->get($id, [ 
     'contain' => [] 
    ]); 
    if ($this->request->is(['patch', 'book', 'put'])) { 
     $book= $this->Books->patchEntity($book, $this->request->data); 
     if ($this->Books->save($book)) { 
      $this->Flash->success(__('Success.')); 
      return $this->redirect(['action' => 'index']); 
     } else { 
      $this->Flash->error(__('Error')); 
     } 
    } 


    $this->set('_serialize', ['book']); 
} 

我试图改变这部分代码：

$country_id= $this->Auth->User()['country_id']; 
$book= $this->Books->get($id, [ 
     'contain' => [] 
    ]); 

为：

$country_id= $this -> Auth -> User()['country_id']; 
$book = $this->Books->get($id, [ 
     'contain' => ['City'], 
     'conditions' => ['City.country_id' => $country_id] 
    ]); 

所以，只有用户可以显示来自同一个国家的书。 但是我有一个错误：“记录不是在表中找到‘书’”

如果我把原来的编辑功能可以完美运行，但用户可以更改其ID。 如果我做出上述更改的用户不能编辑任何书籍ID

Answer 1

If the get operation does not find any results a Cake\Datasource\Exception\RecordNotFoundException will be raised. You can either catch this exception yourself, or allow CakePHP to convert it into a 404 error.

检查d ocumentation Here

或者uou可以find()法的first()

$book = $this->Books->find([ 
     'contain' => ['City'], 
     'conditions' => ['City.country_id' => $country_id,'Books.id'=>$id] 
    ])->first(); 

http://book.cakephp.org/3.0/en/orm/retrieving-data-and-resultsets.html#getting-the-first-result

结果查询