Cakephp’s Auth Component – edit/delete user’s posts

Logged-in users can edit/delete only their own posts. An admin can edit/delete other users' posts. If a user tries to edit/delete someone else's post, either by clicking the edit/delete button or by typing the edit/delete post URL with someone else's post id, e.g.:
http://pict.uws.ac.uk/~sss04/cakephp/posts/edit/43 (fred is typing the admin's post id=43)
the error message 'You are not authorized' appears.

Hiding an option in a view does not add an authorization restriction to the controller functionality; anyone can still request the URL directly. The authorization restriction is added in PostsController.
The edit posts function in PostsController.php compares the id of the user who made the post with the id of the user who wants to edit it. If those ids match, or the user's role is 'admin', the post is updated. If they do not match, the error message 'You are not authorized' appears.

The delete posts function in PostsController.php works like the edit posts function. It compares the id of the user who made the post with the id of the user who wants to delete it. If those ids match, or the user's role is 'admin', the post is deleted. If they do not match, the error message 'You are not authorized' appears.
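The edit and delete checks described above, written out as a CakePHP 2.x controller. This is an added example, not the code from the original post or from the tutorial application; it assumes a Post model with a user_id column, the Auth and Session components, and that Auth stores 'id' and 'role' for the logged-in user. It goes slightly beyond the text in two places: the ownership test lives in one shared helper so edit() and delete() cannot diverge, and delete() refuses GET requests so a plain link cannot trigger it.

```php
<?php
// Added example (not the original post's code): CakePHP 2.x PostsController
// enforcing post ownership server-side. Assumes a Post model with a user_id
// column and that AuthComponent stores the logged-in user's 'id' and 'role'.
App::uses('AppController', 'Controller');

class PostsController extends AppController {

    public $components = array('Auth', 'Session');

    // True when the logged-in user owns the post or has the admin role.
    // Kept in one place so edit() and delete() apply exactly the same rule.
    protected function _canModify($post) {
        $currentUserId = (int) $this->Auth->user('id');
        $ownerId = (int) $post['Post']['user_id'];
        return $currentUserId === $ownerId || $this->Auth->user('role') === 'admin';
    }

    // Loads the post or throws, so a bogus id never reaches the ownership check.
    protected function _findPostOrFail($id) {
        $post = $this->Post->findById($id);
        if (!$post) {
            throw new NotFoundException(__('Invalid post'));
        }
        return $post;
    }

    public function edit($id = null) {
        $post = $this->_findPostOrFail($id);

        // The authorization check runs before any data is touched.
        if (!$this->_canModify($post)) {
            $this->Session->setFlash(__('You are not authorized'));
            return $this->redirect(array('action' => 'index'));
        }

        if ($this->request->is('post') || $this->request->is('put')) {
            // Pin the id from the URL so submitted data cannot retarget another row.
            $this->Post->id = $id;
            // Whitelist the fields a user may change; user_id stays as it was.
            if ($this->Post->save($this->request->data, true, array('title', 'body'))) {
                $this->Session->setFlash(__('Your post has been updated.'));
                return $this->redirect(array('action' => 'index'));
            }
            $this->Session->setFlash(__('Unable to update your post.'));
        }

        if (!$this->request->data) {
            $this->request->data = $post;
        }
    }

    public function delete($id = null) {
        // A GET-triggered delete could be fired by a crafted link; require POST.
        if (!$this->request->is('post')) {
            throw new MethodNotAllowedException();
        }

        $post = $this->_findPostOrFail($id);

        if (!$this->_canModify($post)) {
            $this->Session->setFlash(__('You are not authorized'));
            return $this->redirect(array('action' => 'index'));
        }

        if ($this->Post->delete($id)) {
            $this->Session->setFlash(__('The post with id: %s has been deleted.', h($id)));
        } else {
            $this->Session->setFlash(__('Unable to delete the post.'));
        }
        return $this->redirect(array('action' => 'index'));
    }
}
```

Because _canModify() reads the owner from the database row rather than from anything the client submits, changing the id in the URL (as fred does with /posts/edit/43) only changes which row is loaded; the comparison against the session user still fails and the request is redirected with the 'You are not authorized' message.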

The edit/delete buttons associated with other users' posts in the posts view are hidden. To hide those buttons, the posts index.ctp file should be updated. It compares the logged-in user's id with the post's user id: if the ids match, the edit and delete buttons are displayed, otherwise they are not. It also checks whether the user's role is 'admin'; if so, the edit/delete buttons for other users' posts are displayed as well.
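The index.ctp logic described above, as an added example that is not the original post's view file. It assumes $posts was set by PostsController::index() and that AuthComponent::user() can be called statically from the view, as it can in CakePHP 2.x. The delete button is rendered with FormHelper::postLink() so that it submits a POST, matching a delete() action that rejects GET.

```php
<?php
// Added example (not the original post's index.ctp). Assumes $posts comes from
// PostsController::index() and AuthComponent::user() is reachable from the view.
$currentUserId = (int) AuthComponent::user('id');
$isAdmin = AuthComponent::user('role') === 'admin';
?>
<h1>Blog posts</h1>
<table>
    <tr><th>Title</th><th>Created</th><th>Actions</th></tr>
<?php foreach ($posts as $post): ?>
    <tr>
        <td><?php echo $this->Html->link($post['Post']['title'],
                array('action' => 'view', $post['Post']['id'])); ?></td>
        <td><?php echo h($post['Post']['created']); ?></td>
        <td>
<?php
        // Show the buttons only to the owner or to an admin. This is a usability
        // measure: the controller still performs the real authorization check,
        // so a hand-typed URL is rejected there regardless of what is hidden here.
        if ($isAdmin || (int) $post['Post']['user_id'] === $currentUserId):
            echo $this->Html->link(__('Edit'),
                array('action' => 'edit', $post['Post']['id']));
            echo ' ';
            // postLink() builds a small POST form, so delete() can refuse GET.
            echo $this->Form->postLink(__('Delete'),
                array('action' => 'delete', $post['Post']['id']),
                array('confirm' => __('Are you sure?')));
        endif;
?>
        </td>
    </tr>
<?php endforeach; ?>
</table>
```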

User 'fred' can only use the edit/delete buttons associated with his own posts.