Following on from this, I’ve noticed that any user can simply enter a lead_id in the URL and they see the lead… this is bad!
How can I set it so that if the ‘user_id’ in the record doesn’t match your currently logged in ‘id’ (so basically, you’re looking at a lead that isn’t assigned to you) that it fails/errors/stops you from seeing it…
Hey great, I’ll add that in, but before I do, is there a way I can add this once, rather than in every rule, for every controller? I will try adding it to the default controller first…
Also, instead of specifying the Model name, which actually will be a problem if I add it to the default one(?), can I say something like “this::model” … so it works for all of them…
Thanks - I guess I should go try before asking!
Update:
It works (for the particular view and controller I’m testing it on so far!). I tweaked it a little, as I gave you incorrect info and the PK isn’t ID any more…
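One way to write the ownership check once in a base controller and have every controller inherit it, as an added example that is not from this thread or the poster's code; the framework-neutral PHP, the class and method names, and the Lead rows are assumptions:

```php
<?php
// Added example, not code from the thread: one ownership check written once
// in a base controller and inherited by every controller, instead of being
// repeated in each access rule. Class and method names here are assumptions.

class AccessDeniedException extends Exception {}

abstract class OwnedRecordController
{
    public function __construct(private int $currentUserId) {}

    // Load a record by primary key and refuse it unless its user_id matches the
    // logged-in user. $finder is the model's own lookup (e.g. findByPk), so this
    // base class never has to name a specific model.
    protected function loadOwned(callable $finder, int|string $pk): object
    {
        $record = $finder($pk);
        // Same response for "missing" and "not yours": a guessed id reveals nothing.
        if ($record === null || (int) $record->user_id !== $this->currentUserId) {
            throw new AccessDeniedException('Record not found');
        }
        return $record;
    }
}

// Stand-in for a Lead model row; the rows are constructed for this example.
class Lead
{
    public function __construct(public int $lead_id, public int $user_id, public string $name) {}
    public static function findByPk(int|string $pk): ?Lead
    {
        $rows = [7 => new Lead(7, 42, 'Acme'), 8 => new Lead(8, 99, 'Other Co')];
        return $rows[(int) $pk] ?? null;
    }
}

class LeadController extends OwnedRecordController
{
    public function actionView(int|string $lead_id): Lead
    {
        return $this->loadOwned([Lead::class, 'findByPk'], $lead_id);
    }
}

$controller = new LeadController(42);           // logged in as user 42
echo $controller->actionView(7)->name, "\n";    // lead 7 belongs to user 42
try { $controller->actionView(8); } catch (AccessDeniedException $e) { echo $e->getMessage(), "\n"; }  // lead 8 belongs to user 99
```

In a real application the exception would be mapped to an HTTP 404 or 403 response, and the same `loadOwned` call replaces the per-rule check in every controller that exposes user-owned records.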