Preventing users updating records other than their own.
At the moment I have a site where users can register, and add properties that belong to them, in a standard one-to-many relationship.
But I currently have a loophole where someone logged in can update another user's property, by changing the ID at the end of the URL.
It's mostly working - on the product details page, changing the ID in the URL doesn't work, and changing the ID in the update page URL doesn't display the details. But if the ID in the URL is changed, and the person were to click the update button, then that does overwrite the current record.
Does that make sense?
I've attached a copy of the page as it currently is.
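
The behaviour described above is what happens when the update query selects the row by the URL ID alone, so the usual fix is to make the logged-in user's ID, taken from the server-side session, part of the update's WHERE clause. The following is an added example, not the poster's code: the post does not name its stack, so Python with sqlite3 stands in, and the table, column and function names are assumptions.

```python
import sqlite3

def make_db():
    # Constructed sample data: two users, one property each.
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT);
        CREATE TABLE properties (
            id INTEGER PRIMARY KEY,
            owner_id INTEGER NOT NULL REFERENCES users(id),
            title TEXT NOT NULL);
        INSERT INTO users VALUES (1, 'alice'), (2, 'bob');
        INSERT INTO properties VALUES (10, 1, 'Alice flat'), (20, 2, 'Bob house');
    """)
    return db

def update_unscoped(db, property_id, title):
    # The loophole: the row is chosen by the ID from the URL alone.
    cur = db.execute("UPDATE properties SET title = ? WHERE id = ?",
                     (title, property_id))
    return cur.rowcount

def update_owned(db, session_user_id, property_id, title):
    # The fix: the owner ID comes from the server-side session, never from
    # the URL or a hidden form field, and is part of the WHERE clause.
    cur = db.execute(
        "UPDATE properties SET title = ? WHERE id = ? AND owner_id = ?",
        (title, property_id, session_user_id))
    # Zero rows changed means "no such property for this user";
    # the page should answer with 403 or 404 instead of "saved".
    return cur.rowcount == 1

def title_of(db, property_id):
    row = db.execute("SELECT title FROM properties WHERE id = ?",
                     (property_id,)).fetchone()
    return row[0]

if __name__ == "__main__":
    db = make_db()
    # User 1 submits the update form with the URL ID changed to 20.
    print("foreign row updated:", update_owned(db, 1, 20, "changed"))
    print("own row updated:", update_owned(db, 1, 10, "Alice flat (updated)"))
    print("property 20 is still:", title_of(db, 20))
```

The same owner condition belongs on the SELECT that fills the update form and on any delete query, so every path that touches a property is scoped to the session user.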