Still having trouble with permissions

Not for 'how-to' coding questions but PHP theory instead, this forum is here for those of us who wish to learn about design aspects of programming with PHP.

Moderator: General Moderators

User avatar
Luke
The Ninja Space Mod
Posts: 6424
Joined: Fri Aug 05, 2005 1:53 pm
Location: Paradise, CA

Still having trouble with permissions

Post by Luke »

I have a system where I need to have cascading permissions (acl basically), but all of the libraries I have found for this are WAY overkill. I looked at a few framework system's acl systems, but none I found looked all that easy to port into my system. Does anybody know of any libraries, or perhaps just some insight on this?

My system has three basic groups - users, members, and admins. Then there should be a superadmin who can not be changed or modified by any other admin. admins can be members and users can be members but neither absolutely have to be. Admins should be able to create teams and assign members to them as well as assign team captains, which would have escalated privileges such as the ability to suspend a team member or send out email to their team.

Does anybody have any idea how I should go about this... I already started one thread about bitwise permissions, but after playing with that idea for a while, I found it didn't really seem to be what I'm looking for. Anybody know of a smaller scale php acl system than phpgacl? Anybody know how I could do this without an acl library?
User avatar
Burrito
Spockulator
Posts: 4715
Joined: Wed Feb 04, 2004 8:15 pm
Location: Eden, Utah

Post by Burrito »

why didn't the bitwise permission system work? It's a very simple system and can handle your needs exactly...
User avatar
Kieran Huggins
DevNet Master
Posts: 3635
Joined: Wed Dec 06, 2006 4:14 pm
Location: Toronto, Canada
Contact:

Post by Kieran Huggins »

Maybe now is the time to reconsider:
viewtopic.php?p=339603#339603

also:
Kieran Huggins wrote:As an aside, I've always found every different type of data required it's own security concept in order to be really secure. Not every piece of information in the world can just be "read-only" or "writable". Some need permissions like "can change colour" or "is visible on Tuesdays". To keep your code simple (and your sanity) try to design your security with that in mind. Often defining a default permission for each object and then merging roles and individual permissions (in that order) is a good plan. I think I already covered that in another thread though, so I won't abuse the deceased equine.
User avatar
Luke
The Ninja Space Mod
Posts: 6424
Joined: Fri Aug 05, 2005 1:53 pm
Location: Paradise, CA

Post by Luke »

I guess it's really persisting the data that has me confused now that I think about it... so maybe I should have posted this in "databases". I'm having a hard time determining how to persist the data... what my tables should look like and how they should relate to eachother, and then how to best pull that information out.

Right now I'm looking at phpbb2's tables, and I am a little confused as to how they determine permissions... I only see one table that seems to really relate to permissions and it's called "phpbb_auth_access". Then there are these columns in the "phpbb_forums" table. Does anybody know how this works?

Code: Select all

auth_view 	auth_read 	auth_post 	auth_reply 	auth_edit 	auth_delete 	auth_sticky 	auth_announce 	auth_vote 	auth_pollcreate 	auth_attachments
User avatar
Burrito
Spockulator
Posts: 4715
Joined: Wed Feb 04, 2004 8:15 pm
Location: Eden, Utah

Post by Burrito »

if you decide to use bitwise operators, you can do it with constants and a single integer field on the users table.

ie:

Code: Select all

//define your constants
define("CAN_POST",1);
define("CAN_MODERATE",2);
//etc
then on your users table you have another field called permission level.
let's assume user 1 has a permission level of 3

with bitwise operators you can do this:

Code: Select all

if($_SESSION['user_level'] & CAN_POST)
   //allow them to post
user 1 would be able to post and moderate....etc. Take a look back at the thread Kieran posted above if you need a refresher as to how bitwise works.
User avatar
RobertGonzalez
Site Administrator
Posts: 14293
Joined: Tue Sep 09, 2003 6:04 pm
Location: Fremont, CA, USA

Post by RobertGonzalez »

I am watching this thread intently. I have need of something like this, and I don't to hijack this thread, but I am very interested in where this is going (and I also like Kieran huggins' other post that he linked to, though I am not sure how to implement that for what I want). So Ninja, make sure to ask all the right questions for me so I don't have to take over your thread, ok?
User avatar
Kieran Huggins
DevNet Master
Posts: 3635
Joined: Wed Dec 06, 2006 4:14 pm
Location: Toronto, Canada
Contact:

Post by Kieran Huggins »

I may be biased, but I can't see any disadvantages to my array_merge() permissions system. What are the drawbacks that you guys see?
matthijs
DevNet Master
Posts: 3360
Joined: Thu Oct 06, 2005 3:57 pm

Post by matthijs »

Shouldn't this

Code: Select all

if($_SESSION['user_level'] & CAN_POST)
be

Code: Select all

if($_SESSION['user_level'] == CAN_POST)
?

As Everah I'm watching this thread intently as well.
User avatar
Luke
The Ninja Space Mod
Posts: 6424
Joined: Fri Aug 05, 2005 1:53 pm
Location: Paradise, CA

Post by Luke »

matthijs wrote:Shouldn't this

Code: Select all

if($_SESSION['user_level'] & CAN_POST)
be

Code: Select all

if($_SESSION['user_level'] == CAN_POST)
?

As Everah I'm watching this thread intently as well.
& is a bitwise operator... read the thread that was posted by kieran huggins, it has a couple very good explanations. :D :D
User avatar
Kieran Huggins
DevNet Master
Posts: 3635
Joined: Wed Dec 06, 2006 4:14 pm
Location: Toronto, Canada
Contact:

Post by Kieran Huggins »

It's OK... You can save some typing and just call me Kieran :wink:
matthijs
DevNet Master
Posts: 3360
Joined: Thu Oct 06, 2005 3:57 pm

Post by matthijs »

The Ninja Space Goat wrote:& is a bitwise operator... read the thread that was posted by kieran huggins, it has a couple very good explanations. Very Happy Very Happy
:oops: indeed, some very good explanations. I understand now. I think :)
User avatar
Luke
The Ninja Space Mod
Posts: 6424
Joined: Fri Aug 05, 2005 1:53 pm
Location: Paradise, CA

Post by Luke »

Kieran Huggins wrote:I may be biased, but I can't see any disadvantages to my array_merge() permissions system. What are the drawbacks that you guys see?
I don't see anything wrong with your method, but I think I'm going to use bitwise anyway because it's so nifty and because I want to learn bitwise operations. :D
User avatar
Kieran Huggins
DevNet Master
Posts: 3635
Joined: Wed Dec 06, 2006 4:14 pm
Location: Toronto, Canada
Contact:

Post by Kieran Huggins »

May the fours be with you, NSG!
User avatar
Burrito
Spockulator
Posts: 4715
Joined: Wed Feb 04, 2004 8:15 pm
Location: Eden, Utah

Post by Burrito »

just remember when you're doing your permissions definitions you have to do multiples of 2.

ie
permission 1 = 1
permission 2 = 2
permission 3 = 4
permission 4 = 8
permission 5 = 16
etc.

the users will just have an integer value stored on their row in the users table.

ie
user 1 = 7 (has permissions 1, 2 and 3)
user 2 = 4 (has permissions 3 only)
user 3 = 12 (has permissions 3 and 4)
user 4 = 31 (has all permissions)
etc.
User avatar
RobertGonzalez
Site Administrator
Posts: 14293
Joined: Tue Sep 09, 2003 6:04 pm
Location: Fremont, CA, USA

Post by RobertGonzalez »

I think when doing your conditionals you need to be watchful also. I just tried this:

Code: Select all

<?php
define('CAN_POST', 1);
define('CAN_MODERATE', 2);
define('CAN_ADMIN', 4);
define('CAN_READ', ;
define('CAN_EDIT', 16);

$visitor = CAN_READ;
$user = $visitor + CAN_POST;
$mediator = $user + CAN_EDIT;
$moderator = $mediator + CAN_MODERATE;
$admin = $moderator + CAN_ADMIN;

$user_level = $mediator;

if ($user_level & CAN_ADMIN)
{
    echo '<p>This user can ADMIN, moderate, post, edit and read!';
}
elseif ($user_level & CAN_MODERATE)
{
    echo '<p>This user can moderate, post, edit and read!';
}
elseif ($user_level & CAN_POST)
{
    echo '<p>This user can post and read!';
}
elseif ($user_level & CAN_EDIT)
{
    echo '<p>This user can post, edit and read!';
}
else
{
    echo '<p>I fart in your general direction. You can only read';
}
?>
Thinking that it would trigger '<p>This user can post, edit and read!' but it actually triggered just above it. I checked in that order because I was wanting to test what happens if the schema changes after it is built. Did I not do that correctly?

PS in this order of conditionals, everything works fine:

Code: Select all

<?php
define('CAN_POST', 1);
define('CAN_MODERATE', 2);
define('CAN_ADMIN', 4);
define('CAN_READ', ;
define('CAN_EDIT', 16);

$visitor = CAN_READ;
$user = $visitor + CAN_POST;
$mediator = $user + CAN_EDIT;
$moderator = $mediator + CAN_MODERATE;
$admin = $moderator + CAN_ADMIN;

$user_level = $mediator;

if ($user_level & CAN_ADMIN)
{
    echo '<p>This user can ADMIN, moderate, post, edit and read!';
}
elseif ($user_level & CAN_MODERATE)
{
    echo '<p>This user can moderate, post, edit and read!';
}
elseif ($user_level & CAN_EDIT)
{
    echo '<p>This user can post, edit and read!';
}
elseif ($user_level & CAN_POST)
{
    echo '<p>This user can post and read!';
}
else
{
    echo '<p>I fart in your general direction. You can only read';
}
?>
Post Reply