php - CakePHP 3 - ownership authorisation for associated tables


In the CakePHP 3 blog tutorial, users are conditionally authorized to use the edit and delete actions based on ownership, with the following code:

    public function isAuthorized($user)
    {
        // Registered users can add articles
        if ($this->request->getParam('action') === 'add') {
            return true;
        }

        // The owner of an article can edit and delete it
        if (in_array($this->request->getParam('action'), ['edit', 'delete'])) {
            $articleId = (int)$this->request->getParam('pass.0');
            if ($this->Articles->isOwnedBy($articleId, $user['id'])) {
                return true;
            }
        }

        return parent::isAuthorized($user);
    }

    public function isOwnedBy($articleId, $userId)
    {
        return $this->exists(['id' => $articleId, 'user_id' => $userId]);
    }

I've been attempting to implement something similar with my own tables. For example, I have a payments table that is linked to users through several different tables, as follows:

  • users -> customers -> bookings -> payments

The foreign keys for each:

  • user_id in the customers table = users.id (user hasOne customer)
  • customer_id in the bookings table = customers.id (customer hasMany bookings)
  • booking_id in the payments table = bookings.id (booking hasMany payments)

My AppController's initialize function:

    public function initialize()
    {
        parent::initialize();

        $this->loadComponent('RequestHandler');
        $this->loadComponent('Flash');
        $this->loadComponent('Auth', [
            'authorize' => 'Controller',
        ]);

        $this->Auth->allow(['display']); // primarily for PagesController; other actions across the various controllers deny access by default
    }

In PaymentsController, I have the following:

    public function initialize()
    {
        parent::initialize();
    }

    public function isAuthorized($user)
    {
        if (in_array($this->request->action, ['view', 'edit', 'index', 'add'])) {
            return (bool)($user['role_id'] === 1); // admin functions
        }

        if (in_array($this->request->action, ['cart'])) {
            return (bool)($user['role_id'] === 2); // customer function
        }

        // Never reached for 'cart': the branch above already returns for that action
        if (in_array($this->request->action, ['cart'])) {
            $bookingId = (int)$this->request->getParam('pass.0');
            if ($this->Payments->isOwnedBy($bookingId, $user['id'])) {
                return true;
            }
        }

        return parent::isAuthorized($user);
    }

    // In the tutorial this helper lives on the Table class (ArticlesTable), where exists() is available
    public function isOwnedBy($bookingId, $userId)
    {
        return $this->exists(['id' => $bookingId, 'user_id' => $userId]);
    }

I'm unsure how to link through the different tables to determine ownership.

  • Currently, if a customer is paying for booking #123, they can change the URL to pay for booking #111, provided that booking exists in the database.
  • Additionally, the booking id is passed to the cart function (since customers pay for a specific booking). For example: if a customer is paying for booking #123, the URL is localhost/project/payments/cart/123. Upon submitting the cart, a new payment entry is created.

Also, regarding the getParam and isOwnedBy methods, hovering over them in my editor shows this:

  • Method 'getParam' not found in \Cake\Network\Request
  • Method 'isOwnedBy' not found in App\Model\Table\PaymentsTable

However, I've gone through the entire blog tutorial and can't find anywhere else where getParam or isOwnedBy is used or set in the model.

In the isAuthorized function in PaymentsController:

    if (in_array($this->request->action, ['cart'])) {
        $id = (int)$this->request->getParam('pass.0'); // use $this->request->param('pass.0') for CakePHP 3.3.x and below
        $booking = $this->Payments->Bookings->get($id, [
            'contain' => ['Artists']
        ]);
        if ($booking->artist->user_id == $user['id']) {
            return true;
        }
    }
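As an added example (not code from the question or from the answer above), here is how the ownership check can be written against the schema the question actually describes, users -> customers -> bookings -> payments, with the check placed on the Table class as the tutorial does. It assumes BookingsTable belongsTo('Customers'), PaymentsTable belongsTo('Bookings'), and a helper named isOwnedBy; those names are assumptions, not something the page states.

```php
<?php
// Added example, not code from the question or the answer.
// Assumes the associations wired up below; isOwnedBy is an assumed helper name.

// File: src/Model/Table/BookingsTable.php
namespace App\Model\Table;

use Cake\ORM\Table;

class BookingsTable extends Table
{
    public function initialize(array $config)
    {
        parent::initialize($config);
        $this->belongsTo('Customers'); // bookings.customer_id -> customers.id
        $this->hasMany('Payments');    // payments.booking_id -> bookings.id
    }

    /**
     * True only when the booking exists AND the customer it belongs to is
     * owned by $userId. The user filter sits on the joined Customers row, so
     * swapping the booking id in the URL for another customer's booking
     * yields false even though that booking exists in the database.
     */
    public function isOwnedBy($bookingId, $userId)
    {
        return $this->find()
            ->matching('Customers', function ($q) use ($userId) {
                return $q->where(['Customers.user_id' => $userId]);
            })
            ->where(['Bookings.id' => (int)$bookingId])
            ->count() > 0;
    }
}

// File: src/Controller/PaymentsController.php (relevant methods only)
namespace App\Controller;

class PaymentsController extends AppController
{
    public function isAuthorized($user)
    {
        $action = $this->request->getParam('action');

        // Admin-only actions
        if (in_array($action, ['view', 'edit', 'index', 'add'])) {
            return (int)$user['role_id'] === 1;
        }

        // A customer may open the cart only for a booking they own. Both
        // conditions live in one branch: a role check alone would let any
        // customer pay for any booking that exists.
        if ($action === 'cart') {
            $bookingId = (int)$this->request->getParam('pass.0');
            return (int)$user['role_id'] === 2
                && $this->Payments->Bookings->isOwnedBy($bookingId, $user['id']);
        }

        return parent::isAuthorized($user);
    }

    public function cart($bookingId)
    {
        $payment = $this->Payments->newEntity();
        if ($this->request->is('post')) {
            // Take booking_id from the URL parameter that isAuthorized() already
            // checked, never from the submitted form data, so a POST cannot
            // re-point the new payment at a booking that was never authorized.
            $payment = $this->Payments->patchEntity($payment, $this->request->getData(), [
                'accessibleFields' => ['booking_id' => false],
            ]);
            $payment->booking_id = (int)$bookingId;
            if ($this->Payments->save($payment)) {
                $this->Flash->success('Payment recorded.');
                return $this->redirect(['action' => 'cart', $bookingId]);
            }
            $this->Flash->error('The payment could not be saved.');
        }
        $this->set(compact('payment'));
    }
}
```

The ownership condition is expressed as part of the query (matching() produces an INNER JOIN on Customers filtered by user_id) rather than by loading the booking and comparing a property afterwards, so a booking that belongs to someone else simply never comes back; the same helper can be reused by any other controller that takes a booking id.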
