Users can edit or delete only their own profile; an admin can edit or delete other users' profiles. The public isAuthorized() method compares the logged-in user's id with the user id taken from the URL. If the ids match, the edit and delete actions are allowed; otherwise they are refused. It also allows the action when the logged-in user's role is 'admin'.
Moreover, the edit/delete buttons next to other users' rows in the users view are hidden. Hiding them is only a convenience for the user; the isAuthorized() check on the server is what actually enforces the rule, because a link can always be typed by hand:
The users view with hidden edit/delete buttons:
If a user tries to bypass isAuthorized() and the hidden edit/delete buttons by typing the edit URL with someone else's id, e.g.:
http://pict.uws.ac.uk/~sss04/cakephp/users/edit/13 (user fred, id=14, requests wilma's profile, id=13)
the error message 'You can't access that page' appears:
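The following controller shows how the check described above can be written in CakePHP. It is an added example, not the page's own code: it assumes CakePHP 2.x (where AuthComponent calls isAuthorized($user) on the controller once 'authorize' => array('Controller') is configured), assumes the users table has columns id and role, and assumes the page's error text is set as the Auth component's authError string. The hypothetical request from the page, fred (id 14) asking for /users/edit/13, is what the comments walk through.

```php
<?php
// app/Controller/AppController.php (assumed CakePHP 2.x layout; added example, not the page's code)
App::uses('Controller', 'Controller');

class AppController extends Controller {

    public $components = array(
        'Session',
        'Auth' => array(
            // Hand authorization decisions to the controller's isAuthorized() method.
            'authorize' => array('Controller'),
            // Assumed to be the source of the message seen on the page.
            'authError' => "You can't access that page",
        ),
    );

    // Default for every controller: only the admin role may do anything
    // that a controller does not explicitly allow below.
    public function isAuthorized($user) {
        return isset($user['role']) && $user['role'] === 'admin';
    }
}

// app/Controller/UsersController.php (added example, not the page's code)
class UsersController extends AppController {

    public function isAuthorized($user) {
        // Admins may edit or delete any profile, so short-circuit here.
        if (isset($user['role']) && $user['role'] === 'admin') {
            return true;
        }

        $action = $this->request->params['action'];

        // A logged-in user may always see the list and their own data.
        if (in_array($action, array('index', 'view'))) {
            return true;
        }

        // For edit and delete the first passed URL argument is the target user id:
        // /users/edit/13 gives $targetId === '13'.
        if (in_array($action, array('edit', 'delete'))) {
            $targetId = isset($this->request->params['pass'][0])
                ? $this->request->params['pass'][0]
                : null;

            // Compare as strings: the URL value is always a string, while the
            // session copy of the user id may be an integer. A loose == would
            // also make '13abc' match 13, so cast both sides and use ===.
            // fred (id 14) requesting /users/edit/13: '13' !== '14', so false.
            return $targetId !== null
                && (string)$targetId === (string)$user['id'];
        }

        // Anything else falls back to the admin-only default in AppController.
        return parent::isAuthorized($user);
    }

    public function edit($id = null) {
        // Normal CakePHP edit logic goes here; it is never reached for a
        // denied request because AuthComponent redirects with authError first.
    }

    public function delete($id = null) {
        // Normal CakePHP delete logic goes here.
    }
}
```

Because AuthComponent runs isAuthorized() before the action body executes, the hidden buttons in the users view carry no security weight: the hand-typed URL in the example reaches the same comparison as a click would, and fred is redirected with the authError message instead of reaching edit(). Note that the check must be applied to every action that changes data (edit and delete here); an action left out of the list falls through to the parent's admin-only rule rather than silently being allowed.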