views: 85
answers: 1
Hi there,

I have a model where everything is associated somehow to a single user (e.g. User->Client->Profile). Now a user should only be allowed to (C)RUD on his own data (only a profile's owner should succeed in accessing /profile/edit/[hisId]), so on nearly every database operation a condition like "'User.id' => $this->Session->read('Auth.User.id')" should be included. This requires that the model functions (like find) always join "their way through" to the user table (or saving the data owner in multiple tables, which does not seem to be a good way of doing this).

How is this done the right way for various models and actions (especially without comparing user IDs in every action)? Might be in the model's callback functions, but right now I do not see a general solution.

This does not seem to be a farfetched scenario so I might be missing a very obvious solution.

Thank you for your assistance!

A: 

I would create a superclass from which all appropriate Models inherit, and use the model callback methods, such as beforeFind, to check permissions.

http://book.cakephp.org/view/76/Callback-Methods

Cheekysoft
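One way to implement the superclass-plus-callbacks approach from the answer above, as an added example for CakePHP 1.x on PHP 5 (this is not code from the original post or from CakePHP itself). It assumes a schema with clients.user_id and profiles.client_id, Client belongsTo User and Profile belongsTo Client; the names OwnedModel, ownerField, ownerParent, ownerJoins, ownerJoinField and ownsRecord are hypothetical. The base class narrows every find() to the current user's rows, stamps or verifies the owner on save, and refuses deletes of rows outside the scope, so controller actions never compare user IDs themselves:

```php
<?php
// Added example (not from the original post): ownership-scoped base model for
// CakePHP 1.x on PHP 5. Assumed schema: clients.user_id, profiles.client_id.
// OwnedModel, ownerField, ownerParent, ownerJoins, ownerJoinField, ownsRecord
// are hypothetical names chosen for this example.

class OwnedModel extends AppModel {
    // Set once per request from AppController::beforeFilter(); null means
    // "not authenticated", and every scoped find then matches nothing.
    static $currentUserId = null;

    // Column on this table holding the owner, or null if the owner is reached
    // through the parent record described by $ownerParent / $ownerJoins.
    var $ownerField = 'user_id';
    var $ownerParent = null;    // array('model' => ..., 'foreignKey' => ...)
    var $ownerJoins = array();  // CakePHP 'joins' entries leading to the owner
    var $ownerJoinField = null; // e.g. 'OwnerClient.user_id'

    static function setCurrentUserId($id) {
        self::$currentUserId = $id;
    }

    // Scope every find() to the current user. Fail closed when unauthenticated
    // instead of silently running the unscoped query.
    function beforeFind($queryData) {
        $conditions = empty($queryData['conditions']) ? array()
            : (array)$queryData['conditions'];
        if (self::$currentUserId === null) {
            $conditions[] = '1 = 0';
        } elseif (!empty($this->ownerJoins)) {
            $joins = empty($queryData['joins']) ? array() : $queryData['joins'];
            $queryData['joins'] = array_merge($joins, $this->ownerJoins);
            $conditions[$this->ownerJoinField] = self::$currentUserId;
        } else {
            $conditions[$this->alias . '.' . $this->ownerField] = self::$currentUserId;
        }
        $queryData['conditions'] = $conditions;
        return $queryData;
    }

    // True if the row with this primary key is visible under the scope;
    // find('count') runs through beforeFind, so the owner check is reused.
    function ownsRecord($id) {
        return $this->find('count', array(
            'conditions' => array($this->alias . '.' . $this->primaryKey => $id),
        )) == 1;
    }

    // Creates: stamp the owner, or verify the referenced parent is ours, so a
    // request cannot attach rows to someone else's tree. Updates: the target
    // row must already be inside the scope.
    function beforeSave($options = array()) {
        if (empty($this->data[$this->alias])) {
            return false;
        }
        $data =& $this->data[$this->alias];
        $id = isset($data[$this->primaryKey]) ? $data[$this->primaryKey] : $this->id;
        if (!empty($id)) {
            return $this->ownsRecord($id);
        }
        if ($this->ownerField !== null) {
            $data[$this->ownerField] = self::$currentUserId;
            return self::$currentUserId !== null;
        }
        $model = $this->ownerParent['model'];
        $fk = $this->ownerParent['foreignKey'];
        return !empty($data[$fk]) && $this->{$model}->ownsRecord($data[$fk]);
    }

    function beforeDelete($cascade = true) {
        return $this->ownsRecord($this->id);
    }
}

class Client extends OwnedModel {
    var $belongsTo = array('User'); // inherits $ownerField = 'user_id'
}

class Profile extends OwnedModel {
    var $belongsTo = array('Client');
    var $ownerField = null;
    var $ownerParent = array('model' => 'Client', 'foreignKey' => 'client_id');
    // The join alias differs from the belongsTo alias so recursive or
    // Containable finds, which LEFT JOIN clients AS Client themselves, do not
    // collide with it.
    var $ownerJoins = array(array(
        'table' => 'clients', 'alias' => 'OwnerClient', 'type' => 'INNER',
        'conditions' => 'OwnerClient.id = Profile.client_id',
    ));
    var $ownerJoinField = 'OwnerClient.user_id';
}

class AppController extends Controller {
    var $components = array('Auth', 'Session');
    function beforeFilter() {
        // $this->Auth->user('id') returns null when nobody is logged in.
        OwnedModel::setCurrentUserId($this->Auth->user('id'));
    }
}
```

With this in place an action such as /profile/edit/[id] can simply call $this->Profile->read(null, $id) and treat a false result as "not found"; a profile belonging to another user is filtered out by beforeFind before the controller ever sees it. Two caveats a practitioner should keep in mind: in CakePHP 1.x beforeFind fires only on the primary model of a find, so associated rows pulled in through recursive or Containable reads are not scoped by this class, and updateAll()/deleteAll() run without model callbacks, so they bypass beforeSave and beforeDelete entirely and must not be used on owned tables with user-supplied conditions.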