Jump to content

Recommended Posts

Hi,

I’m going to create an advanced user right system for my CMS. First I thought I just could create a table were every field is a user right: example id, title, add_news, edit_news, del_news etc. But I’ve heard this is not that good idea. So I want do this on the best way possible, the quickest, secured and most flexible way! Please link to scripts, tutorials etc or just explain a good method :D.

Thanks! :)
Link to comment
https://forums.phpfreaks.com/topic/31010-create-advanced-user-rights/
Share on other sites

You could have three tables:
1. users
2. permissions
3. user_permissions

The users table is self-explanatory. The permissions table holds all the different kind of permission flags a user can have and the user_permissions table is the chain between the two other tables. The user_permissions table consists of two fields: uid and pid - user id and permission id, respectively and the two other tables all have an id field as well.
I base my permissions system on that of Unix. Where every user has a list of groups that they belong to, and every record in my database has an owner, group and permissions.

For instance, If a record had the permissions of...

[code]
owner  group          permissions

foo    blog_admin    -rw-rw-r--
[/code]

And I [i]thorpe[/i] belonged to the group [i]blog_admin[/i], I would have permissions to read and write (edit) this record. So would user [i]foo[/i] however everyone not in this group could only read the record.

I don't actually use the x (execute) permission as yet as I haven't really found a need for it but it is in place anyway.

If you want more infomation on how permissions work in Unix (Linux), Id'e suggest you google it. However, unless your used to working with it, the concept might be a little over the top.
Well, I’m a little unsure. Thorpe, the way you’re doing it, is that fast? Because I feel I have to parse a lot to get the answer, could be just me who’s not thinking straight. The way I wanted to do it in the beginning may be stupid, but isn’t a little faster than the way you’re doing it? I’ve googled a lot after this subject, and I it isn’t much to find.

I’m thinking of this syntax when it comes to actually check if the person has access:

[CODE]if ($auth->checkAccess('add_news')) {
redirect('error_page.html');
}[/CODE]

PHP will then look for the add_news in the table permissions. That’s something we all agree in? But the way further I’m very curious about.

Please come with more suggestions! :)

Thank you!
When using a permission system as Thrope suggested you usually represent the permissions internally as a bitstring where 'rw-rw-r--' is represented by '110110100' (base2) or '664'(base8).  Anyway, the permissions can be handled efficiently using bitwise operations so no extravagant parsing scheme is necessary.
The UNIX-esque permissions exist at a low level.  So you are free to bestow these permission on anything, consider the following trivial forum example:

[code]

ForumPost Abstrct Class
  - modify()
  - move()
  - delete()

[/code]

...In a db somewhere let ForumPerms be in the form modify|move|delete (keep in mind you can make thse whatever you want, they don't have to be rwx)...

[code]

Type            ForumPerms
User            500
Admin        777

[/code]

Then when you render a forum post you can print the available options like:

[code]

<?PHP
...
if (ForumPermsssions::canModify($user)){
  // TODO
}
... etc
?>

[/code]
I think it comes down to a way of scalling your permissions. For instance, a forum. Your public forums would all be child records of the [i]publicforum[/i] node. This node would have the perms....

root forums -rwxrw-r--

Meaning any one belonging to the group [i]forums[/i] could read and write child nodes below this node. When a user creates a node (or thread) its permissions would be....

owner forummod -rwxrwxr--

Meaning the owner and mods could read and edit this node (thread).

Now, if you wanted to setup a mod only forum you would simply make a new perent node (record) [i]modforum[/i] with the permissions of....

root forummod -rwxrw----

This locks everyone that isn't in the forummod group out of this forum. Any threads within this forum would have the perms....

owner forummod -rwxrw----

You could just as easily have these threads with the perms....

owner forummod -rwxrw-r--

and because they are contained within the [i]modforum[/i] tree normal users still couldn't gain read access.

This comes in real handy because within the [i]publicforum[/i] mods could also create threads with the perms....

owner forummod -rwxrw----

amongst normal users threads and normal users can't see them. This way mods could talk about a specific thread within the thread itself without any normal user seeing them.

Of course this all comes down to database design.. and in fact the relationship between records. I use nested sets quite extensively. Every record is related to another in a tree like fashion. I don't think this system would be half as scalable without it.

The nested sets concepts lets you create allmost a filesystem type hierarchy. some nodes in my tree are just containers (like directorires) created to hold other nodes.
A simple example that you may find useful:

[code]<?php
define('READ_RIGHTS',1);
define('EDIT_RIGHTS',2);
define('MOVE_RIGHTS',4);
define('DELETE_RIGHTS',8);

//bitvalue 11
$perm = READ_RIGHTS | EDIT_RIGHTS | DELETE_RIGHTS;

//bitvalue 11 doesn't include bitvalue 4.
if($perm & MOVE_RIGHTS){
echo 'Yes, permission to move. ';
}
else {
echo'Permission to move deinied. ';
}

//bitvalue 11 does include bitvalue 8.
if($perm & DELETE_RIGHTS){
echo 'Yes, permission to delete.';
}
else {
echo'Permission to delete deinied. ';
}

?>[/code]

Above $perm could simply be stored in a database as "11", instead of "READ_RIGHTS, EDIT_RIGHTS, DELETE_RIGHTS". See the benefit in that?
This thread is more than a year old. Please don't revive it unless you have something important to add.

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Restore formatting

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
×
  • Create New...

Important Information

We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.