redbullmarky Posted February 24, 2007

Hi All

I'm tying up the loose ends of a pretty ambitious project, however I'm getting a little bit stuck dealing with permissions. The framework I'm building the site on is very similar to Cake in terms of its MVC structure, if that helps with the answer.

Now - in terms of content, I'll just use Articles and Blogs for the example. Both are two totally separate items, yet what they have in common is a 'created_by' (corresponding to the user id of the author) and a 'publish' flag, to determine whether it's live on the site.

I have a simple list of permissions:

define('GP_VIEW', 1);        // can view content
define('GP_ADD', 2);         // can add new content
define('GP_EDIT_OWN', 4);    // can edit, but only if $_SESSION equates to created_by
define('GP_DELETE_OWN', 8);  // can delete own, as above
define('GP_EDIT', 16);       // can edit any
define('GP_DELETE', 32);     // can delete any
define('GP_ALL', 2047);

I have 4 main methods for Articles and Blogs - list, view, edit and delete. At the moment, each of these methods checks permissions individually - e.g., in my edit methods, something similar to:

<?php
if (!$this->checkPerm(GP_EDIT) && !($this->checkPerm(GP_EDIT_OWN) && $_SESSION['user']['id'] == $article['created_by'])) {
    echo 'you cant do this';
}
?>

In my list methods, an article/blog is ONLY listed if a) it's published OR b) it belongs to the current user.

My question - this seems a bit of a long-winded approach and a lot of duplicate code, lots of ifs and elses, etc. Does anyone have any other methods they use when dealing with content in a multi-user environment? Would you recommend any ways of embedding a permission system INTO the actual CRUD methods, rather than doing the permission system before calling them? i.e., like filters?

Cheers
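One way to collapse the repeated if/else blocks from the post into a single deny-by-default helper, plus the list rule (published OR own), as an added example that is not the poster's framework code. The function names can(), visible_to() and own_variant(), and the shape of the $user and $record arrays, are assumptions; the GP_* values are the ones from the post.

```php
<?php
// Added example, not the original poster's code: one central authorization
// check and one list filter, so each CRUD method calls can() instead of
// repeating the GP_EDIT / GP_EDIT_OWN logic. can(), visible_to(),
// own_variant() and the $user / $record array layout are assumptions.

define('GP_VIEW',       1);   // can view content
define('GP_ADD',        2);   // can add new content
define('GP_EDIT_OWN',   4);   // can edit, but only records the user created
define('GP_DELETE_OWN', 8);   // can delete, but only records the user created
define('GP_EDIT',      16);   // can edit any
define('GP_DELETE',    32);   // can delete any
define('GP_ALL',     2047);

function has_flag(int $perms, int $flag): bool
{
    return ($perms & $flag) === $flag;
}

// The "own" permission that is the weaker form of an unrestricted one.
function own_variant(int $action): ?int
{
    $map = [GP_EDIT => GP_EDIT_OWN, GP_DELETE => GP_DELETE_OWN];
    return $map[$action] ?? null;
}

// Deny by default. $record is the article/blog row; it has to be loaded
// before the check so the ownership rule can look at created_by.
function can(array $user, int $action, ?array $record = null): bool
{
    if (has_flag($user['perms'], $action)) {
        return true;                      // unrestricted right, e.g. GP_EDIT
    }
    $own = own_variant($action);
    if ($record === null || $own === null) {
        return false;                     // nothing to fall back on
    }
    // Strict integer comparison: a loose == would treat "1abc" as 1.
    return has_flag($user['perms'], $own)
        && (int) $record['created_by'] === (int) $user['id'];
}

// The list rule from the post: published OR belongs to the current user.
function visible_to(array $user, array $records): array
{
    if (!has_flag($user['perms'], GP_VIEW)) {
        return [];
    }
    return array_values(array_filter($records, function (array $r) use ($user) {
        return (int) $r['publish'] === 1
            || (int) $r['created_by'] === (int) $user['id'];
    }));
}

// Constructed sample data.
$author = ['id' => 7, 'perms' => GP_VIEW | GP_ADD | GP_EDIT_OWN | GP_DELETE_OWN];
$editor = ['id' => 2, 'perms' => GP_VIEW | GP_EDIT];
$articles = [
    ['id' => 1, 'created_by' => 7, 'publish' => 0],
    ['id' => 2, 'created_by' => 3, 'publish' => 1],
    ['id' => 3, 'created_by' => 3, 'publish' => 0],
];

var_dump(can($author, GP_EDIT, $articles[0]));    // true: own draft
var_dump(can($author, GP_EDIT, $articles[1]));    // false: someone else's
var_dump(can($editor, GP_DELETE, $articles[1]));  // false: holds GP_EDIT only
var_dump(can($editor, GP_EDIT, $articles[1]));    // true: may edit any
echo count(visible_to($author, $articles)), "\n"; // 2: own draft + published
```

With this in place the edit action becomes a single line, `if (!can($user, GP_EDIT, $article)) { ... }`, and a controller-level filter can call the same function before dispatching, which is the "filter" approach the post asks about. The important property is that every path that is not explicitly granted returns false.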
Nameless12 Posted March 14, 2007

<?php
if (!$this->checkPerm(GP_EDIT) && !($this->checkPerm(GP_EDIT_OWN) && $_SESSION['user']['id'] == $article['created_by'])) {
    echo 'you cant do this';
}
?>

So the question is how you can do this in a way that is more programmer friendly??? I recommend making a series of functions so you can do

<?php
if (!is_admin()) {
    echo 'you are not an admin';
}
?>

or a front controller with the permission system built in. I think a combination of the two works best.

Ages ago when I was designing a little system I had a permission system where each page had a rank\type\group\owner, and groups had admins and moderators, the same with types. The types were to be used as well: say you have a blog that is one type and a forum is a different type, so I could limit administrators to administrate different parts of the site as each ADMIN had a TYPE or a GROUP. The idea was users could have multiple groups, and users also had ranks, and pages could also have owners. Because each page had groups\types\ etc. I was able to use a generic set of functions such as is_admin() is_moderator() is_user() is_rank() is_group() is_type() and so on, I don't remember everything off the top of my head.

I am not sure if this is the kind of thing you are asking about but hopefully it will give you an idea or two.
ShogunWarrior Posted March 17, 2007

I've often used an "authenticated" function that checks authentication. Like

if( is_auth( $user, GP_EDIT | GP_DELETE ) )

Then, your function could check the flags passed to see if the user is authenticated. The above can produce a very pluggable system. For instance, inside the is_auth function you could have it call auth_hook, which would be an optional function which could override the authentication. This would be useful for instance if you were plugging in to an external product's user database or if you wanted to set up a demo version.

Alternatively, Nameless's method is very nice because it is the most simplified and it uses memorable function names.
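The flag-based is_auth() with an optional auth_hook override, as an added example that is not ShogunWarrior's code. The hook contract (a callable returning true or false to decide, or null to fall through to the default check), the set_auth_hook() registration function and the read-only demo_hook() are assumptions; the GP_* values come from the thread.

```php
<?php
// Added example, not ShogunWarrior's code: is_auth() checks a bitmask of
// required flags and first consults an optional hook, so an external user
// database or a demo mode can override the decision. The hook contract
// (true/false decides, null falls through), set_auth_hook() and demo_hook()
// are assumptions.

define('GP_VIEW',    1);
define('GP_ADD',     2);
define('GP_EDIT',   16);
define('GP_DELETE', 32);

// Registered hook: callable(array $user, int $flags): ?bool, or null.
$GLOBALS['auth_hook'] = null;

function set_auth_hook(?callable $hook): void
{
    $GLOBALS['auth_hook'] = $hook;
}

// Every bit in $flags must be present in the user's permissions. Requiring
// all of them (rather than any) keeps a combined check such as
// GP_EDIT | GP_DELETE from passing for a user who only holds GP_EDIT.
function is_auth(array $user, int $flags): bool
{
    $hook = $GLOBALS['auth_hook'];
    if ($hook !== null) {
        $verdict = $hook($user, $flags);
        if ($verdict !== null) {
            return $verdict;              // the hook made the decision
        }
    }
    return ($user['perms'] & $flags) === $flags;
}

// Demo-site hook: the site is read-only whatever the database says. Any
// request containing a bit other than GP_VIEW is denied; pure view requests
// return null so the normal permission check still applies.
function demo_hook(array $user, int $flags): ?bool
{
    return ($flags & ~GP_VIEW) !== 0 ? false : null;
}

// Constructed sample users.
$admin  = ['id' => 1, 'perms' => GP_VIEW | GP_ADD | GP_EDIT | GP_DELETE];
$editor = ['id' => 2, 'perms' => GP_VIEW | GP_EDIT];

var_dump(is_auth($editor, GP_EDIT | GP_DELETE)); // false: lacks GP_DELETE
var_dump(is_auth($admin,  GP_EDIT | GP_DELETE)); // true

set_auth_hook('demo_hook');
var_dump(is_auth($admin, GP_DELETE));            // false: hook overrides
var_dump(is_auth($admin, GP_VIEW));              // true: falls through
```

Because the hook can only return a verdict or decline, a hook that is misconfigured or missing never widens access beyond what the bitmask check would grant; a hook that wants to grant extra rights has to do so explicitly by returning true.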