Still having trouble with permissions
I have a system where I need to have cascading permissions (acl basically), but all of the libraries I have found for this are WAY overkill. I looked at a few framework system's acl systems, but none I found looked all that easy to port into my system. Does anybody know of any libraries, or perhaps just some insight on this?
My system has three basic groups - users, members, and admins. Then there should be a superadmin who can not be changed or modified by any other admin. admins can be members and users can be members but neither absolutely have to be. Admins should be able to create teams and assign members to them as well as assign team captains, which would have escalated privileges such as the ability to suspend a team member or send out email to their team.
Does anybody have any idea how I should go about this... I already started one thread about bitwise permissions, but after playing with that idea for a while, I found it didn't really seem to be what I'm looking for. Anybody know of a smaller scale php acl system than phpgacl? Anybody know how I could do this without an acl library?
- Kieran Huggins
Maybe now is the time to reconsider:
viewtopic.php?p=339603#339603
also:
Kieran Huggins wrote:As an aside, I've always found every different type of data required its own security concept in order to be really secure. Not every piece of information in the world can just be "read-only" or "writable". Some need permissions like "can change colour" or "is visible on Tuesdays". To keep your code simple (and your sanity) try to design your security with that in mind. Often defining a default permission for each object and then merging roles and individual permissions (in that order) is a good plan. I think I already covered that in another thread though, so I won't abuse the deceased equine.
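The "default, then roles, then individual permissions" layering Kieran describes, written out as an added example (this is not Kieran's code from the other thread, and the team scenario, permission names, role table and users are all constructed for illustration). Each layer is an array keyed by permission name and array_merge() lets the later layer overwrite the earlier one; keys that are not in the object's defaults are dropped so a typo in a role definition cannot introduce a permission nobody defined.

```php
<?php
// Added example (not Kieran's code): resolve effective permissions for one user on
// one object by merging, in order, the object's defaults, the user's role grants and
// the user's individual grants. Later layers win, which is what array_merge() gives
// for string keys. All names and data below are constructed for illustration.

// Default permissions every team object starts with (deny by default).
$teamDefaults = [
    'view'           => true,
    'suspend_member' => false,
    'email_team'     => false,
    'change_colour'  => false,
];

// Role layer: what each role adds on top of the defaults (constructed).
$rolePermissions = [
    'member'  => [],
    'captain' => ['suspend_member' => true, 'email_team' => true],
    'admin'   => ['suspend_member' => true, 'email_team' => true, 'change_colour' => true],
];

// Individual overrides stored per user for this object (constructed): a captain who
// has been told not to mass-mail the team, and a member granted one extra right.
$individualPermissions = [
    'alice' => ['email_team' => false],
    'bob'   => ['change_colour' => true],
];

// Role membership (constructed). Admins may also be members, as in the original post.
$userRoles = [
    'alice' => ['captain'],
    'bob'   => ['member'],
    'carol' => ['member', 'admin'],
];

/**
 * Merge defaults -> roles -> individual overrides. array_intersect_key() restricts
 * each upper layer to permission names the object actually defines.
 */
function effectivePermissions(array $defaults, array $roleGrantsList, array $individual): array
{
    $merged = $defaults;
    foreach ($roleGrantsList as $roleGrants) {
        $merged = array_merge($merged, array_intersect_key($roleGrants, $defaults));
    }
    return array_merge($merged, array_intersect_key($individual, $defaults));
}

function can(string $user, string $action, array $defaults, array $rolePerms, array $userRoles, array $individual): bool
{
    $grants = [];
    foreach ($userRoles[$user] ?? [] as $role) {
        $grants[] = $rolePerms[$role] ?? [];
    }
    $perms = effectivePermissions($defaults, $grants, $individual[$user] ?? []);
    // Anything not explicitly true is denied, including unknown action names.
    return ($perms[$action] ?? false) === true;
}

$checks = [
    ['alice', 'suspend_member'], // captain role grants it
    ['alice', 'email_team'],     // the individual override on alice's row wins over her role
    ['bob',   'change_colour'],  // granted individually on top of the member role
    ['bob',   'suspend_member'], // nothing grants it, so the object default stands
    ['carol', 'change_colour'],  // admin role
];
foreach ($checks as [$who, $action]) {
    $allowed = can($who, $action, $teamDefaults, $rolePermissions, $userRoles, $individualPermissions);
    printf("%-6s %-15s %s\n", $who, $action, $allowed ? 'allowed' : 'denied');
}
```

Because the individual layer is merged last, a per-user deny on alice's row beats the grant from her captain role, which is the property you want for "this captain in particular may not do X" without inventing a new role.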
I guess it's really persisting the data that has me confused now that I think about it... so maybe I should have posted this in "databases". I'm having a hard time determining how to persist the data... what my tables should look like and how they should relate to each other, and then how to best pull that information out.
Right now I'm looking at phpbb2's tables, and I am a little confused as to how they determine permissions... I only see one table that seems to really relate to permissions and it's called "phpbb_auth_access". Then there are these columns in the "phpbb_forums" table. Does anybody know how this works?
Code:
auth_view auth_read auth_post auth_reply auth_edit auth_delete auth_sticky auth_announce auth_vote auth_pollcreate auth_attachments
if you decide to use bitwise operators, you can do it with constants and a single integer field on the users table.
ie:
Code:
//define your constants
define("CAN_POST",1);
define("CAN_MODERATE",2);
//etc
then on your users table you have another field called permission level.
let's assume user 1 has a permission level of 3
with bitwise operators you can do this:
Code:
if($_SESSION['user_level'] & CAN_POST)
//allow them to post
user 1 would be able to post and moderate....etc. Take a look back at the thread Kieran posted above if you need a refresher as to how bitwise works.
- RobertGonzalez
I am watching this thread intently. I have need of something like this, and I don't want to hijack this thread, but I am very interested in where this is going (and I also like Kieran Huggins' other post that he linked to, though I am not sure how to implement that for what I want). So Ninja, make sure to ask all the right questions for me so I don't have to take over your thread, ok?
- Kieran Huggins
Shouldn't this
Code:
if($_SESSION['user_level'] & CAN_POST)
be
Code:
if($_SESSION['user_level'] == CAN_POST)
?
As Everah I'm watching this thread intently as well.
matthijs wrote:Shouldn't this
Code:
if($_SESSION['user_level'] & CAN_POST)
be
Code:
if($_SESSION['user_level'] == CAN_POST)
?
& is a bitwise operator... read the thread that was posted by kieran huggins, it has a couple of very good explanations.
- Kieran Huggins
Kieran Huggins wrote:I may be biased, but I can't see any disadvantages to my array_merge() permissions system. What are the drawbacks that you guys see?
I don't see anything wrong with your method, but I think I'm going to use bitwise anyway because it's so nifty and because I want to learn bitwise operations.
- Kieran Huggins
just remember when you're doing your permissions definitions you have to do multiples of 2.
ie
permission 1 = 1
permission 2 = 2
permission 3 = 4
permission 4 = 8
permission 5 = 16
etc.
the users will just have an integer value stored on their row in the users table.
ie
user 1 = 7 (has permissions 1, 2 and 3)
user 2 = 4 (has permissions 3 only)
user 3 = 12 (has permissions 3 and 4)
user 4 = 31 (has all permissions)
etc.
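The bit layout above, as an added example (not Everah's code): each flag is one power of two, a user's set of flags is packed into the single integer stored on the users row, and helpers encode, decode, test and revoke flags. The permission names are placeholders matching the post; the four user rows are constructed from the values given there. It also adds a validity check a practitioner would want: a stored value with bits outside the defined set points at a stale schema or a tampered row and should be rejected rather than silently ignored.

```php
<?php
// Added example (not Everah's code): powers-of-two flags packed into the one
// integer column on the users table. Permission names are placeholders.

// Each flag gets its own bit (1 << n), so no two flags overlap.
const PERMISSIONS = [
    'permission1' => 1 << 0, // 1
    'permission2' => 1 << 1, // 2
    'permission3' => 1 << 2, // 4
    'permission4' => 1 << 3, // 8
    'permission5' => 1 << 4, // 16
];

// Pack a list of permission names into the integer stored in the users table.
function encodePermissions(array $names): int
{
    $level = 0;
    foreach ($names as $name) {
        if (!array_key_exists($name, PERMISSIONS)) {
            throw new InvalidArgumentException("unknown permission: $name");
        }
        $level |= PERMISSIONS[$name]; // OR, not +, so granting twice is harmless
    }
    return $level;
}

// Unpack a stored integer back into the names it grants (for display or audit).
function decodePermissions(int $level): array
{
    $names = [];
    foreach (PERMISSIONS as $name => $bit) {
        if (($level & $bit) === $bit) {
            $names[] = $name;
        }
    }
    return $names;
}

// True only if every listed permission is present.
function hasAll(int $level, array $names): bool
{
    $mask = encodePermissions($names);
    return ($level & $mask) === $mask;
}

// True if at least one listed permission is present.
function hasAny(int $level, array $names): bool
{
    return ($level & encodePermissions($names)) !== 0;
}

// Revoke one flag with AND NOT; subtracting would corrupt the value if the bit were unset.
function revoke(int $level, string $name): int
{
    return $level & ~PERMISSIONS[$name];
}

// A stored value with bits outside the defined set is stale or tampered with.
function isValidLevel(int $level): bool
{
    $known = array_sum(PERMISSIONS);
    return $level >= 0 && ($level & ~$known) === 0;
}

// The users from the post (constructed rows): 7, 4, 12 and 31.
$users = [1 => 7, 2 => 4, 3 => 12, 4 => 31];
foreach ($users as $id => $level) {
    if (!isValidLevel($level)) {
        printf("user %d = %d: rejected, unknown bits set\n", $id, $level);
        continue;
    }
    printf("user %d = %d: %s\n", $id, $level, implode(', ', decodePermissions($level)));
}

$u1 = $users[1];
printf("user 1 has 1 and 3: %s\n", hasAll($u1, ['permission1', 'permission3']) ? 'yes' : 'no');
printf("user 1 has 4 or 5: %s\n", hasAny($u1, ['permission4', 'permission5']) ? 'yes' : 'no');
printf("user 1 after revoking 2 = %d\n", revoke($u1, 'permission2'));
```

Keep the flag-to-bit table in one place (here the PERMISSIONS constant) and only ever write the column through encodePermissions(); the stored integer is meaningless without that table, which is also why isValidLevel() matters whenever the table changes.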
- RobertGonzalez
I think when doing your conditionals you need to be watchful also. I just tried this:
Code:
<?php
define('CAN_POST', 1);
define('CAN_MODERATE', 2);
define('CAN_ADMIN', 4);
define('CAN_READ', 8);
define('CAN_EDIT', 16);
$visitor = CAN_READ;
$user = $visitor + CAN_POST;
$mediator = $user + CAN_EDIT;
$moderator = $mediator + CAN_MODERATE;
$admin = $moderator + CAN_ADMIN;
$user_level = $mediator;
if ($user_level & CAN_ADMIN)
{
echo '<p>This user can ADMIN, moderate, post, edit and read!';
}
elseif ($user_level & CAN_MODERATE)
{
echo '<p>This user can moderate, post, edit and read!';
}
elseif ($user_level & CAN_POST)
{
// a mediator (read + post + edit) has the CAN_POST bit set, so the chain stops here
echo '<p>This user can post and read!';
}
elseif ($user_level & CAN_EDIT)
{
echo '<p>This user can post, edit and read!';
}
else
{
echo '<p>I fart in your general direction. You can only read';
}
?>
Thinking that it would trigger '<p>This user can post, edit and read!' but it actually triggered just above it. I checked in that order because I was wanting to test what happens if the schema changes after it is built. Did I not do that correctly?
PS in this order of conditionals, everything works fine:
Code:
<?php
define('CAN_POST', 1);
define('CAN_MODERATE', 2);
define('CAN_ADMIN', 4);
define('CAN_READ', 8);
define('CAN_EDIT', 16);
$visitor = CAN_READ;
$user = $visitor + CAN_POST;
$mediator = $user + CAN_EDIT;
$moderator = $mediator + CAN_MODERATE;
$admin = $moderator + CAN_ADMIN;
$user_level = $mediator;
if ($user_level & CAN_ADMIN)
{
echo '<p>This user can ADMIN, moderate, post, edit and read!';
}
elseif ($user_level & CAN_MODERATE)
{
echo '<p>This user can moderate, post, edit and read!';
}
elseif ($user_level & CAN_EDIT)
{
// CAN_EDIT is now tested before CAN_POST, so the mediator lands here
echo '<p>This user can post, edit and read!';
}
elseif ($user_level & CAN_POST)
{
echo '<p>This user can post and read!';
}
else
{
echo '<p>I fart in your general direction. You can only read';
}
?>
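What Robert ran into is not a mistake in his test but a property of the if/elseif chain: it reports the first bit it happens to test, so the output depends on branch order rather than on the flags the user holds. The added example below (not Robert's code; same constants, constructed policy) tests each bit on its own and checks a sensitive action against a full mask. It also shows why building levels with + is risky: adding a flag that is already set carries into the next bit, whereas | is idempotent.

```php
<?php
// Added example (not Robert's code): order-independent flag checks, and | instead
// of + when composing levels. Constants match the post; the policy is constructed.

define('CAN_POST',     1);
define('CAN_MODERATE', 2);
define('CAN_ADMIN',    4);
define('CAN_READ',     8);
define('CAN_EDIT',     16);

// Levels composed with OR; ORing a flag in twice leaves the value unchanged.
$visitor   = CAN_READ;
$user      = $visitor | CAN_POST;
$mediator  = $user | CAN_EDIT;
$moderator = $mediator | CAN_MODERATE;
$admin     = $moderator | CAN_ADMIN;

// Why + is dangerous: $mediator is READ|POST|EDIT (8 + 1 + 16). Adding CAN_POST
// again gives 26, which is READ|EDIT|MODERATE: the post bit carries into the
// moderate bit, so this "user" silently gains moderation and loses posting.
$broken = $mediator + CAN_POST;

// Each test is independent; the order of the lines only affects the listing order.
function describe(int $level): string
{
    $names = [];
    if ($level & CAN_ADMIN)    { $names[] = 'admin'; }
    if ($level & CAN_MODERATE) { $names[] = 'moderate'; }
    if ($level & CAN_EDIT)     { $names[] = 'edit'; }
    if ($level & CAN_POST)     { $names[] = 'post'; }
    if ($level & CAN_READ)     { $names[] = 'read'; }
    return $names ? implode(', ', $names) : 'nothing';
}

// Require every bit in $mask, not just any one of them, before a sensitive action.
function requireAll(int $level, int $mask): bool
{
    return ($level & $mask) === $mask;
}

echo 'mediator can: ' . describe($mediator) . "\n";
echo 'broken can:   ' . describe($broken) . "\n";

// Constructed policy: suspending a team member needs both moderate and edit.
$suspendMask = CAN_MODERATE | CAN_EDIT;
echo 'mediator may suspend:  ' . (requireAll($mediator, $suspendMask) ? 'yes' : 'no') . "\n";
echo 'moderator may suspend: ' . (requireAll($moderator, $suspendMask) ? 'yes' : 'no') . "\n";
```

Robert's second ordering happens to work for his five levels because each level is a superset of the one below it; the moment a level exists that has edit without post, or post without read, any single elseif chain gives a wrong answer for it, and the independent checks above do not.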