User Permissions


Kemik

Hello,

 

I'm creating a fairly complicated user system. A user can be one of the following, with each group given different permissions.

 

Admin Groups

Site Admin (root)
General Admin
News Admin
Competition Admin
Referee
Site User

 

Users and admins can also be a member of a clan (aka team).

Clan Permissions

Clan Leader (all clan permissions)
Clan Member
Manage Applications
Manage Fixtures
User awaiting member approval

 

E.g. Bill is clan leader and has access to all clan actions. Bob is a clan member with the ability to manage applications. Fred is a clan member with both manage applications and manage fixtures.

 

As you can see, it's sort of a two tier permission system. A user can only be one of the "Admin Groups" but can also (optionally) be one of the "Clan Permissions".

 

How would I organise all of this? Database side and the pseudo design for the coding.

 

Thanks for your help.


Yes, that's what I'm working off, but I'm not sure how to lay this one out.

 

The user can only be in one admin group, but can also be a member of a clan and then have certain permissions for a clan.

 

How would I lay out a database for this? At the moment I have users, clans and clan_members tables.


Here's how I did something similar in the past:

 

users belong to groups, a group has permissions on each page.

 

So it's like:

 

User
----------
id
username
password

Group
----------
id
groupname

User_Group
----------
id
user_id
group_id

permissions
-----------
id
page
type (read/write/execute, etc)

group_permissions
----------
group_id
permissions_id

 

 

This could use some work and be blown out a bit, but conceptually I think it should get you on the right path.

 


I have something similar to what dbo posted. I have users, user_groups, user_group_permissions and user_permissions tables. The user table stores whether or not they are an admin (this is basically a super admin). Then the user_group_permissions table stores the permissions that user group has. When you add someone to a user group, they receive all the permissions for the user group, and that is stored in the user_permissions table. You can then also edit each permission on a per-user level. This allows you to give a user a group of permissions just by adding them to a user group, but also allows people in the same user group to have different permissions, since they are not locked into the permissions of the user group they are in (since you can change them on a user level).


Thanks dbo.

 

For querying the permissions would I just Select all group_ids from User_Group where user_id is $user_id. Then Select permission from permissions where group_id = group_id from previous query?

 

If permission = allow then continue, if not show error.

 

How would you handle clashes? E.g. a user is in two groups, one allows access to edit news the other is denied. Really the user should be allowed as they are allowed in at least one group. Not sure how I'd code that though.

 

Finally, how would you store the user's permissions in the session, so you don't have to constantly query the database?

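Added example, not part of any post in this thread and not the posters' own code: dbo's group/permission tables built in SQLite and queried from Python, showing one parameterized query that resolves the "two groups clash" case (allowed if any group grants it, denied by default) and returns a set small enough to keep in the session. Assumptions: table names are pluralised because "group" is a reserved word, a row in group_permissions means "allow", the password column is left out, and all sample rows are constructed.

```python
import sqlite3

# dbo's layout; composite primary keys stop duplicate grants (assumed names).
SCHEMA = """
CREATE TABLE users  (id INTEGER PRIMARY KEY, username  TEXT UNIQUE NOT NULL);
CREATE TABLE groups (id INTEGER PRIMARY KEY, groupname TEXT UNIQUE NOT NULL);
CREATE TABLE user_group (
    user_id  INTEGER NOT NULL REFERENCES users(id),
    group_id INTEGER NOT NULL REFERENCES groups(id),
    PRIMARY KEY (user_id, group_id));
CREATE TABLE permissions (
    id INTEGER PRIMARY KEY, page TEXT NOT NULL, type TEXT NOT NULL,
    UNIQUE (page, type));
CREATE TABLE group_permissions (
    group_id       INTEGER NOT NULL REFERENCES groups(id),
    permissions_id INTEGER NOT NULL REFERENCES permissions(id),
    PRIMARY KEY (group_id, permissions_id));
"""

# Constructed sample data: bob is in two groups, only one of which may write news.
SAMPLE = """
INSERT INTO users  VALUES (1, 'bob'), (2, 'fred');
INSERT INTO groups VALUES (1, 'News Admin'), (2, 'Site User');
INSERT INTO user_group VALUES (1, 1), (1, 2), (2, 2);
INSERT INTO permissions VALUES (1, 'news', 'read'), (2, 'news', 'write');
INSERT INTO group_permissions VALUES (1, 1), (1, 2), (2, 1);
"""

def make_db():
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA + SAMPLE)
    return db

def load_permissions(db, user_id):
    """Run once at login: union of everything any of the user's groups grants."""
    rows = db.execute(
        """SELECT DISTINCT p.page, p.type
             FROM user_group ug
             JOIN group_permissions gp ON gp.group_id = ug.group_id
             JOIN permissions p        ON p.id = gp.permissions_id
            WHERE ug.user_id = ?""",   # bound parameter, never string-built
        (user_id,),
    ).fetchall()
    return frozenset(rows)

def can(perms, page, type_):
    """Default deny: only a grant that is present in the set allows access."""
    return (page, type_) in perms
```

Store the returned set in the session at login and rebuild it whenever the user's group membership changes, otherwise a revoked permission stays usable until the session ends.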
