Users can edit or delete only their own comments; an admin can edit or delete other users' comments. If a user tries to edit or delete someone else's comment, either by clicking its edit/delete button or by typing an edit/delete URL with someone else's comment id, e.g.:
http://pict.uws.ac.uk/~sss04/cakephp/comments/edit/12 (fred is typing admin’s comment id=12)
the error message ‘You are not authorized’ appears:
There is no point in displaying edit/delete buttons next to other users' comments in the comments view. To hide those buttons, the comments index.ctp file should be updated so that it compares the logged-in user's id with the comment's user id: if the ids match, the edit and delete buttons are displayed; otherwise they are not. It also checks whether the user's role is 'admin'; if so, the edit/delete buttons for other users' comments are displayed as well.
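The two layers described above, as an added example that is not the tutorial's own code: the controller rule that produces the 'You are not authorized' result for a typed URL such as /comments/edit/12, and the view condition that hides the buttons. It assumes CakePHP 2.x, a Comment model with a user_id column, and AuthComponent configured with 'authorize' => array('Controller') so that isAuthorized() is consulted; the hidden buttons are a convenience only, and the controller check is what actually enforces ownership.

```php
<?php
// Added example (not the tutorial's code). Assumes CakePHP 2.x, a Comment
// model with a user_id column, and AuthComponent using Controller authorize.

// --- app/Controller/CommentsController.php --------------------------------
class CommentsController extends AppController {

    // Server-side rule: the real access control. It runs for every request,
    // whether it came from a button or from a hand-typed URL.
    public function isAuthorized($user) {
        // Admins may edit or delete any comment.
        if (isset($user['role']) && $user['role'] === 'admin') {
            return true;
        }
        if (in_array($this->action, array('edit', 'delete'))) {
            // The comment id is the first passed URL parameter (/edit/12).
            $commentId = isset($this->request->params['pass'][0])
                ? $this->request->params['pass'][0] : null;
            if ($commentId === null) {
                return false;
            }
            // Look up the comment's owner and compare with the logged-in user.
            $ownerId = $this->Comment->field('user_id',
                array('Comment.id' => $commentId));
            return $ownerId !== false && (int)$ownerId === (int)$user['id'];
        }
        // Other actions (index, view, add) are open to any logged-in user
        // in this example.
        return true;
    }
}

// --- app/View/Comments/index.ctp (inside the foreach over $comments) -------
// Hiding the buttons only tidies the page; it does not replace the
// controller check above, which also covers typed URLs.
$isOwner = ((int)$comment['Comment']['user_id'] === (int)AuthComponent::user('id'));
$isAdmin = (AuthComponent::user('role') === 'admin');
if ($isOwner || $isAdmin) {
    echo $this->Html->link('Edit',
        array('action' => 'edit', $comment['Comment']['id']));
    echo $this->Form->postLink('Delete',
        array('action' => 'delete', $comment['Comment']['id']),
        array(), 'Delete this comment?');
}
```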
User ‘fred’ can only use edit/delete buttons associated with his own comments: