User permission system

Not for 'how-to' coding questions but PHP theory instead, this forum is here for those of us who wish to learn about design aspects of programming with PHP.

Moderator: General Moderators

RecoilUK
Forum Commoner
Posts: 30
Joined: Sun Feb 29, 2004 7:13 pm

Post by RecoilUK »

Hi guys.

What's the best way to implement a web-based user permission system with PHP?

Let me elaborate on this further.

I have designed a database schema, basically this has a modules table, a permissions table, user, group, usergroup tables and these two...


ModulePermissions
GroupModulePermissions

I hope you can see that the permissions table is there to list the available permissions for any module, like...

view menu url
view
edit
delete
edit own
delete own

etc, etc

The modules permission table, then associates a particular module with a particular permission, as not all modules require all permissions.

The GroupModulePermissions then lists from the available permissions in ModulePermissions any permission you want a group to have.

I'm just not sure how to implement this and am looking for any ideas you all may have.

Whilst coding this I do intend to make use of OOP, which I haven't used before.

Does anyone have any tips, suggestions, alternatives, etc.?

Any help would be appreciated.

Thank you.
kettle_drum
DevNet Resident
Posts: 1150
Joined: Sun Jul 20, 2003 9:25 pm
Location: West Yorkshire, England

Post by kettle_drum »

Seems you are going a long way about this. You can simply have one table that holds both permissions and groups:


id
name
isGroup
data

Where both groups and individual permissions can be held in this one table. If it's a permission you give it a unique ID and a unique name. Since they have unique names, they will always be unique for different modules. Then to create a group of privileges you set the isGroup field to true and list the ID numbers of all the privileges/groups that it is allowed in the data field. Since this field can hold both privileges and groups, it means you can easily make a new group that has all the privileges of another and then add a few single privileges to it.

Then you assign a user to a group and parse the data field to get an array of the privilege IDs that the user can do, and do some recursion on this list in case the ID number is a group and holds a list of data itself.

So now you have a list of privilege IDs that a user is allowed to do. Then to check them you create a function that takes a string as a parameter and then checks the database table for the ID number that matches that string. Then you check to see if the user has that ID number.

This is good for module systems as you can never know what modules will be installed and so need a dynamic system that can stand up to any mixture of modules being installed. When a new module is loaded into the system you can simply add the privilege names to the table, and so add another possible privilege.
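
The recursive expansion and name-based check described in the post above, as an added example that is not code from the thread. It assumes the data field is a comma-separated list of IDs (the post does not fix a format); the sample rows, privilege names and function names are constructed for illustration. It also covers two cases the recursion must survive: a group that ends up containing itself, and an ID that no longer exists.

```php
<?php
declare(strict_types=1);

// Constructed sample rows for the one-table layout (id => name, isGroup, data).
// Assumption: `data` holds comma-separated ids; in practice these rows come from the database.
$rows = [
    1  => ['name' => 'news.view',   'isGroup' => false, 'data' => ''],
    2  => ['name' => 'news.edit',   'isGroup' => false, 'data' => ''],
    3  => ['name' => 'news.delete', 'isGroup' => false, 'data' => ''],
    10 => ['name' => 'readers',     'isGroup' => true,  'data' => '1'],
    11 => ['name' => 'editors',     'isGroup' => true,  'data' => '10, 2, 12'],
    12 => ['name' => 'misconfigured', 'isGroup' => true, 'data' => '11,99'], // cycle + dangling id
];

/** Expand an id into the set of privilege ids it grants (keys of the returned array). */
function expandPrivileges(array $rows, int $id, array &$seen = []): array
{
    if (isset($seen[$id]) || !isset($rows[$id])) {
        return [];                        // already visited (cycle) or unknown id: grants nothing
    }
    $seen[$id] = true;
    if (!$rows[$id]['isGroup']) {
        return [$id => true];             // a single privilege
    }
    $granted = [];
    foreach (explode(',', $rows[$id]['data']) as $member) {
        $member = trim($member);
        if (!ctype_digit($member)) {
            continue;                     // empty or malformed entry: skip rather than guess
        }
        $granted += expandPrivileges($rows, (int) $member, $seen);
    }
    return $granted;
}

/** Deny unless $name resolves to a privilege that the user's group expands to. */
function userCan(array $rows, int $userGroupId, string $name): bool
{
    $granted = expandPrivileges($rows, $userGroupId);
    foreach ($rows as $id => $row) {
        if (!$row['isGroup'] && $row['name'] === $name) {
            return isset($granted[$id]);
        }
    }
    return false;                         // unknown privilege name is never allowed
}

var_dump(userCan($rows, 11, 'news.edit'));
var_dump(userCan($rows, 10, 'news.delete'));
var_dump(userCan($rows, 11, 'forum.post'));
```

Because a user's privilege set only changes when the table does, the expanded set can be computed once per login and cached, so each check avoids repeating the recursion.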
RecoilUK
Forum Commoner
Posts: 30
Joined: Sun Feb 29, 2004 7:13 pm

Post by RecoilUK »

Hi

Thanks for the reply.

I think I understand what you mean, and although it's a simpler way, it also breaks every rule for database normalisation that exists.

Now please be aware that I have limited experience of PHP and none of SQL at the moment, so my design may be far too complicated or resource intensive to be feasible, and I guess this is the question that needs answering.

Thanks again.