Access Control
Posted: Tue Feb 16, 2010 2:10 pm
I'm working on a CMS for my gaming clan, and am working on a new access control scheme. Previously, the access was granted based on the rank of the user. This is good for controlling access to major things such as admin interfaces, moderation, and member-only functions. But if I want to get more detailed and let some people access a certain function, and not others, I would have to create a specialized group which seems too clunky to me.
After some more thinking, I thought that this new scheme could be perfect. The way the site is broken up is basically into modules and pages/actions (can't really think of a good name. Sometimes it's an action, other times it's just a page). For example, Forum would be a module, and Thread would be an action. So my access control idea is to use a hierarchical namespace system. Each action would define its access namespace.
It would be set up like "Module:Page:Action:ID".
So to view a board on the forum, the namespace would be "Forum:Board:View:4". The ID is simply the id of the resource in mysql. It's mainly there to provide more information and really deep control if I want it. Because it's a tree, the ID is mostly optional. When the system wants to check access it would simply travel through the namespace to determine access. There are three possible settings for each section: Denied, Accessible, and not set. If a section is set as "not set" then it will rely on the access of the parent section.
My problem is this:
How do I represent this in MySQL? I was considering putting a big TEXT field in the users table, and just have all of that user's specific credentials in there listed by entire namespace, comma separated. I could also have groups set up, so I don't have to go through each user and control their credentials; I could just assign them a group in addition to their personal credentials. If the namespace is contained within this credential field, then access is granted. Otherwise it is blocked. I'm not sure how efficient parsing a big block of text like that would be.
How would I represent the default accessibility? I'm not sure how I would store the default access settings in MySQL. Would I be able to set it up like a tree with parent-child relationships?
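An added example (not code from the post) of the parent-child representation and the "walk the namespace" check the post describes: one row per (principal, namespace prefix), "not set" being the absence of a row, with Python's sqlite3 standing in for MySQL. Table, column and principal names ("default", "group:...", "user:...") are assumptions, and the sample rows are constructed.

```python
import sqlite3

DENIED, ACCESSIBLE = "denied", "accessible"

# Assumed schema: each row sets one section of the tree for one principal.
# A section with no row is "not set" and defers to its parent section.
SCHEMA = """
CREATE TABLE acl (
    principal TEXT NOT NULL,  -- 'default', 'group:<name>' or 'user:<name>'
    namespace TEXT NOT NULL,  -- 'Forum', 'Forum:Board', 'Forum:Board:View:4', ...
    setting   TEXT NOT NULL CHECK (setting IN ('denied', 'accessible')),
    PRIMARY KEY (principal, namespace)
);
"""
ROWS = [  # constructed sample data
    ("default",          "Forum",              ACCESSIBLE),
    ("default",          "Forum:Board:View:4", DENIED),      # board 4 is private by default
    ("default",          "Admin",              DENIED),
    ("group:moderators", "Forum:Board:View:4", ACCESSIBLE),
    ("user:alice",       "Admin:Users",        ACCESSIBLE),  # personal override
    ("user:bob",         "Forum",              DENIED),      # shut out of the whole module
]

def open_db():
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    db.executemany("INSERT INTO acl VALUES (?, ?, ?)", ROWS)
    return db

def prefixes(namespace):
    """'A:B:C' -> ['A:B:C', 'A:B', 'A']: most specific section first."""
    parts = namespace.split(":")
    return [":".join(parts[:i]) for i in range(len(parts), 0, -1)]

def check_access(db, user, groups, namespace):
    """Walk from the requested section up to the root. At each section the user's
    own row wins, then any of the user's groups, then the site default; if no
    principal has set that section, move to the parent. A fully unset path is
    denied (fail closed) rather than silently granted."""
    principals = [f"user:{user}"] + [f"group:{g}" for g in groups] + ["default"]
    for prefix in prefixes(namespace):
        for principal in principals:
            row = db.execute("SELECT setting FROM acl WHERE principal=? AND namespace=?",
                             (principal, prefix)).fetchone()
            if row is not None:
                return row[0] == ACCESSIBLE
    return False
```

The lookup per section is a primary-key hit, so the cost is bounded by the namespace depth times the number of principals, with no text parsing at request time.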