How do you all implement group systems?

Posted: Tue Sep 16, 2003 8:22 pm
by Recoil UK
Hi guys

Trying to figure out the best way to implement a user/group system using PHP and MySQL, and I was wondering if any of you have any thoughts on the subject.

The way I'm thinking about doing it is as follows...

Each webpage I design will have a corresponding entry in a module database table and they will be verified using PHP_SELF.

For instance.

When you visit index.php, there will be a function that queries a database against PHP_SELF and looks for index.php to find out if it has any special group privileges (if they can edit something or just view it etc.). If there are no group privileges then it will be assumed that everyone can do everything on that particular webpage.

The groups the user is a member of will be held in sessions when the user logs on.

What do you think? Is this a common way of doing it? Is it secure?

Any feedback would be appreciated.

Thx guys

Posted: Wed Sep 17, 2003 8:15 pm
by McGruff
I've never thought about using PHP_SELF. A view article script already "knows" it's an article script for example without having to check its file name: the fact that it's running defines this case.

REQUEST_URL would id a specific page if you want to set access levels for pages individually - or probably GET vars, which is much the same thing.

Are you using some kind of integer system, ie:

registered users access level = 1
editors = 2
admin = 3 etc.

.. or are you mapping users to sets of named privileges, per page?

Posted: Fri Sep 19, 2003 4:33 pm
by Recoil UK
Hi

Thanks for the reply.
McGruff wrote: Are you using some kind of integer system
Yes, there would be an integer system as you describe, and to be honest, I'm not entirely sure how it would work; it's just that using PHP_SELF seemed to me to be an ideal way of implementing such a system.

I haven't actually come up with a method of enforcing privileges with it yet; it may turn out to be more complicated than it's worth. That's why I'm asking what the most common methods are before I start. I just want to design this once, and then use it in other projects.
McGruff wrote: A view article script already "knows" it's an article script for example without having to check its file name: the fact that it's running defines this case
Yes I agree, but you may want to limit who can view/use this webpage, which is what I'm trying to do.

L8rs

Posted: Fri Sep 19, 2003 7:08 pm
by cybaf
If the content of each "article" is in the database, then you could just add an extra field describing which group has access (as described above), so there is really no need to check the filename. On each request to view an article, just do a check of the user's group privileges (perhaps set in a session var) and compare them to the privileges required by the article...

Sorry if I've misunderstood your question, but hopefully this will help... :)

//cybaf

Posted: Fri Sep 19, 2003 7:17 pm
by McGruff
I think the starting point is db design.

The relationships between users, groups, privileges and resources are aspects of the data model. I'd want to describe that in the db with various join tables and lookups.

Query logic can then be used to filter access to items, for example, a list of boards which the user is allowed to view. You might otherwise have to do that in php scripts.

Other queries could return lists of privileges for a specific resource such as view / post / delete etc in a topics list.

I mentioned integer levels because I see this a lot. It seems like an obvious solution but to my mind it's a bit of a hack. Suppose you have a user groups table like this:

group | level
users | 1
editors | 2
admin | 3

.. and throughout your scripts you have checks like:

<?php
if($user_level > 2)
{
    // create a move topic button (admin only)
}
?>
Integers are being used to define sets of privileges but the privilege sets aren't ever explicitly defined. Instead, that aspect of the data model is scattered throughout the program rather than being stored in the database as it should be. That makes it harder to edit privilege sets. If, say, you were to add a new access level - say a "gold" user account - you'd have to work your way through all the relevant lines in scripts.

Instead, with a privileges table, a privilege sets table, and various joins or lookups connecting everything, it's much easier to make changes. A JOIN query would return an array of privileges for a user, and then in the script a privilege check would go something like:

<?php
if(hasPrivilege($user_id, 'topic move'))
{
    // show the move topic button; the privilege itself is looked up in the db
}
?>
You can fiddle away with privileges and groups in the database but you don't have to change the code.

In general I follow a rule of push everything into the database which I possibly can - although that's maybe a bit simplistic: http://www.martinfowler.com/articles/dblogic.html

Posted: Fri Sep 19, 2003 8:16 pm
by Recoil UK
Hi

Yeah I think you're right m8, it's a bit tricky but I think I'm getting there.

Here's what I have so far....

[Image: database tables]

As you can see there's 5 tables; they are looking a bit simplistic at the moment, but it's fine for just working out the workings of it.

Now let me explain.....

The user and group tables are pretty easy to figure out.

The group_members table lists who's a member of what group, and the way I learned database design was to make these fields both primary keys; not sure if that is possible in MySQL (maybe you can give me some pointers here).

The module_details table will contain things like forum, members, news etc. These are the different areas of the website.

The auth_module table will control it all. The reason for the userORgroup_id is to cut down on the need for separate tables for users and groups, whilst still allowing the option of giving just one user access (but having just thought about it, I may change to just group_id and require that a new group be set up).

Now every page will have a variable in it, showing what module it is a member of. I can write code to either show different parts of the webpage or not. For instance....

Say I had a group called NEWS EDITORS, then if the person viewing the page was a member of that group, he/she would be able to edit news articles, because the edit button would be visible.

I could also use it for generating the navigation menu, based on the auth_view field.

What do you think?

L8rs

Posted: Fri Sep 19, 2003 10:24 pm
by McGruff
Recoil UK wrote: The group_members table lists who's a member of what group, and the way I learned database design was to make these fields both primary keys; not sure if that is possible in MySQL (maybe you can give me some pointers here).
Rgr: auto-increment, integer, primary keys are used to link to other tables. Stick an index on the cols in a join table.
Recoil UK wrote: The auth_module table will control it all. The reason for the userORgroup_id is to cut down on the need for separate tables for users and groups, whilst still allowing the option of giving just one user access (but having just thought about it, I may change to just group_id and require that a new group be set up).
Yes - I'd definitely do that. A user could have the same id as a group. It's always best to properly normalise the db design. You're likely to regret it later if you don't take time to do a good job now. Good refresher here - a bit less dense than that last link. http://www.oreilly.de/catalog/javadtabp ... r/ch02.pdf
Recoil UK wrote: Say I had a group called NEWS EDITORS, then if the person viewing the page was a member of that group, he/she would be able to edit news articles, because the edit button would be visible.
Since access levels are nested sets (ie admin has all the privileges of an ordinary user plus some more) I think you'll need a many-to-many relationship between group_details and auth_module to define the hierarchies.

I'd maybe have just one table to store privileges for all modules. Consolidating into groups reduces the total number of table rows (the join tables get much smaller) but that might not really matter.

Posted: Fri Sep 19, 2003 10:36 pm
by Recoil UK
Hi
McGruff wrote: Since access levels are nested sets (ie admin has all the privileges of an ordinary user plus some more) I think you'll need a many-to-many relationship between group_details and auth_module to define the hierarchies.

McGruff wrote: I'd maybe have just one table to store privileges for all modules. Consolidating into groups reduces the total number of table rows (the join tables get much smaller) but that might not really matter.
Could you please elaborate on the above 2 statements as I'm not sure exactly what you're saying.

Thx

Posted: Sat Sep 20, 2003 1:17 am
by Recoil UK
Hi again

Forget that last message, I get what you mean, and having thought about it, I really don't want a nested privilege system.

What I want is to be able to edit each group's privileges independent of the others. The process would consist of choosing which group to edit, then when you're on that group's screen, down the left would be a complete list of modules with each option running horizontally from it (view, read, edit, post, delete and reply). Each of these would have a tick box to indicate yes or no.

I know you're thinking that this is going to get complicated when you have a lot of modules, but if necessary there would be a function to group modules dependent on their function to limit the screen data you see at any given time.

Hope that makes sense to you.

L8rs
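
The flat design described above (one row per group and module, with a tick box per action) and McGruff's earlier point that a privilege check should be a join query rather than an integer comparison, as an added example that is not code from this thread. Python with SQLite stands in for PHP with MySQL; the table and column names (users, group_details, group_members, module_details, auth_module, auth_view etc.) are assumptions based on the posts.

```python
import sqlite3

# Constructed schema modelled on the thread's tables (users, group_details, group_members,
# module_details, auth_module); column names are assumptions. The composite primary key
# on group_members is the "both fields primary key" design asked about; MySQL supports it.
SCHEMA = """
CREATE TABLE users (user_id INTEGER PRIMARY KEY, username TEXT UNIQUE NOT NULL);
CREATE TABLE group_details (group_id INTEGER PRIMARY KEY, group_name TEXT UNIQUE NOT NULL);
CREATE TABLE group_members (user_id INTEGER NOT NULL, group_id INTEGER NOT NULL,
    PRIMARY KEY (user_id, group_id));
CREATE TABLE module_details (module_id INTEGER PRIMARY KEY, module_name TEXT UNIQUE NOT NULL);
CREATE TABLE auth_module (group_id INTEGER NOT NULL, module_id INTEGER NOT NULL,
    auth_view INTEGER NOT NULL DEFAULT 0, auth_edit INTEGER NOT NULL DEFAULT 0,
    auth_post INTEGER NOT NULL DEFAULT 0, auth_delete INTEGER NOT NULL DEFAULT 0,
    PRIMARY KEY (group_id, module_id));
"""
ACTIONS = ("view", "edit", "post", "delete")  # one tick-box column per action

def has_privilege(db, user_id, module_name, action):
    """True if any group the user belongs to ticks `action` for the module."""
    if action not in ACTIONS:  # column name comes from this fixed whitelist,
        raise ValueError(action)  # never from request input, so it is safe to interpolate
    sql = f"""SELECT COUNT(*) FROM group_members gm
              JOIN auth_module am ON am.group_id = gm.group_id
              JOIN module_details md ON md.module_id = am.module_id
              WHERE gm.user_id = ? AND md.module_name = ? AND am.auth_{action} = 1"""
    return db.execute(sql, (user_id, module_name)).fetchone()[0] > 0

def viewable_modules(db, user_id):
    """Module names for the navigation menu, driven by auth_view, sorted."""
    rows = db.execute("""SELECT DISTINCT md.module_name FROM group_members gm
        JOIN auth_module am ON am.group_id = gm.group_id
        JOIN module_details md ON md.module_id = am.module_id
        WHERE gm.user_id = ? AND am.auth_view = 1 ORDER BY md.module_name""", (user_id,))
    return [r[0] for r in rows]

def build_demo_db():
    """In-memory database filled with constructed sample rows."""
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    db.executemany("INSERT INTO users VALUES (?, ?)", [(1, "alice"), (2, "bob")])
    db.executemany("INSERT INTO group_details VALUES (?, ?)", [(1, "users"), (2, "news editors")])
    db.executemany("INSERT INTO module_details VALUES (?, ?)", [(1, "news"), (2, "forum")])
    db.executemany("INSERT INTO group_members VALUES (?, ?)", [(1, 1), (1, 2), (2, 1)])
    # (group, module, view, edit, post, delete): everyone views news and views/posts on
    # the forum; news editors also edit news. Groups are flat, nothing is inherited.
    db.executemany("INSERT INTO auth_module VALUES (?, ?, ?, ?, ?, ?)",
                   [(1, 1, 1, 0, 0, 0), (1, 2, 1, 0, 1, 0), (2, 1, 1, 1, 0, 0)])
    return db
```

Adding a new group, or a new tick for an existing one, is an INSERT or UPDATE on auth_module and group_members; has_privilege and the menu query do not change.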

Posted: Sat Sep 20, 2003 11:43 am
by McGruff
Possibly it makes more sense to have the separate module privileges tables rather than the single one I suggested. Since groups exist as a "pattern" in the data, that probably should be reflected in the model.

I think you're on the right track.

Posted: Sat Sep 20, 2003 9:20 pm
by Recoil UK
Hi again

Just thought I would update you on what I have so far.

Here's the database......

[Image: database schema]

Primary keys are red, and what indicates a foreign key is orange. I know MySQL doesn't support them and, from what you said before, I should make these an index.

Now there are two files which will be included in every page, these are..

sessions.inc.php
authmodule.inc.php

I'll post them below; they are just comments for now. I find it easier to work this way, actually setting out what you need to do.

[Image: sessions.inc.php]

[Image: authmodule.inc.php]

You see this is my first project, and I just want to get someone's input and to check that I'm doing it right, because there is a lot that can go wrong and I'm a beginner in both PHP and MySQL.

Thx for your input so far, it's appreciated.

L8rs

Posted: Sun Sep 21, 2003 8:48 am
by jason
Recoil UK wrote: You see this is my first project, and I just want to get someone's input and to check that I'm doing it right, because there is a lot that can go wrong and I'm a beginner in both PHP and MySQL.
I can remember oh so long ago when I first started PHP. I was really bad at it. I mean, I would do some stupid things. Some really stupid things. The thing that helped me learn the most was doing those stupid things.

Now, I do stupid things less often...when writing PHP code at least.

The best advice I can offer is to not quit, and constantly seek to learn more. If you want to do something, learn how to do it. Look at other code, look around.

Also, help other people. One of the biggest learning experiences has been when I help other people. If I have to go through and help you debug your code, it means I have to know what you're doing. When you're still new at this stuff, it usually means you have to go through some extra steps to try and learn what they are doing. So by helping other people out, you are learning yourself.