Page 1 of 2
Still having trouble with permissions
Posted: Wed Jan 03, 2007 11:13 am
by Luke
I have a system where I need to have cascading permissions (acl basically), but all of the libraries I have found for this are WAY overkill. I looked at a few framework system's acl systems, but none I found looked all that easy to port into my system. Does anybody know of any libraries, or perhaps just some insight on this?
My system has three basic groups - users, members, and admins. Then there should be a superadmin who can not be changed or modified by any other admin. admins can be members and users can be members but neither absolutely have to be. Admins should be able to create teams and assign members to them as well as assign team captains, which would have escalated privileges such as the ability to suspend a team member or send out email to their team.
Does anybody have any idea how I should go about this... I already started one thread about bitwise permissions, but after playing with that idea for a while, I found it didn't really seem to be what I'm looking for. Anybody know of a smaller scale php acl system than phpgacl? Anybody know how I could do this without an acl library?
Posted: Wed Jan 03, 2007 11:16 am
by Burrito
why didn't the bitwise permission system work? It's a very simple system and can handle your needs exactly...
Posted: Wed Jan 03, 2007 11:17 am
by Kieran Huggins
Maybe now is the time to reconsider:
viewtopic.php?p=339603#339603
also:
Kieran Huggins wrote:As an aside, I've always found every different type of data required it's own security concept in order to be really secure. Not every piece of information in the world can just be "read-only" or "writable". Some need permissions like "can change colour" or "is visible on Tuesdays". To keep your code simple (and your sanity) try to design your security with that in mind. Often defining a default permission for each object and then merging roles and individual permissions (in that order) is a good plan. I think I already covered that in another thread though, so I won't abuse the deceased equine.
Posted: Wed Jan 03, 2007 11:31 am
by Luke
I guess it's really persisting the data that has me confused now that I think about it... so maybe I should have posted this in "databases". I'm having a hard time determining how to persist the data... what my tables should look like and how they should relate to eachother, and then how to best pull that information out.
Right now I'm looking at phpbb2's tables, and I am a little confused as to how they determine permissions... I only see one table that seems to really relate to permissions and it's called "phpbb_auth_access". Then there are these columns in the "phpbb_forums" table. Does anybody know how this works?
Code: Select all
auth_view auth_read auth_post auth_reply auth_edit auth_delete auth_sticky auth_announce auth_vote auth_pollcreate auth_attachments
Posted: Wed Jan 03, 2007 11:36 am
by Burrito
if you decide to use bitwise operators, you can do it with constants and a single integer field on the users table.
ie:
Code: Select all
//define your constants
define("CAN_POST",1);
define("CAN_MODERATE",2);
//etc
then on your users table you have another field called permission level.
let's assume user 1 has a permission level of 3
with bitwise operators you can do this:
Code: Select all
if($_SESSION['user_level'] & CAN_POST)
//allow them to post
user 1 would be able to post and moderate....etc. Take a look back at the thread Kieran posted above if you need a refresher as to how bitwise works.
Posted: Wed Jan 03, 2007 12:41 pm
by RobertGonzalez
I am watching this thread intently. I have need of something like this, and I don't to hijack this thread, but I am very interested in where this is going (and I also like Kieran huggins' other post that he linked to, though I am not sure how to implement that for what I want). So Ninja, make sure to ask all the right questions for me so I don't have to take over your thread, ok?
Posted: Wed Jan 03, 2007 1:30 pm
by Kieran Huggins
I may be biased, but I can't see any disadvantages to my array_merge() permissions system. What are the drawbacks that you guys see?
Posted: Wed Jan 03, 2007 1:31 pm
by matthijs
Shouldn't this
Code: Select all
if($_SESSION['user_level'] & CAN_POST)
be
Code: Select all
if($_SESSION['user_level'] == CAN_POST)
?
As Everah I'm watching this thread intently as well.
Posted: Wed Jan 03, 2007 1:54 pm
by Luke
matthijs wrote:Shouldn't this
Code: Select all
if($_SESSION['user_level'] & CAN_POST)
be
Code: Select all
if($_SESSION['user_level'] == CAN_POST)
?
As Everah I'm watching this thread intently as well.
& is a bitwise operator... read the thread that was posted by kieran huggins, it has a couple very good explanations.

Posted: Wed Jan 03, 2007 2:29 pm
by Kieran Huggins
It's OK... You can save some typing and just call me Kieran

Posted: Wed Jan 03, 2007 2:33 pm
by matthijs
The Ninja Space Goat wrote:& is a bitwise operator... read the thread that was posted by kieran huggins, it has a couple very good explanations. Very Happy Very Happy

indeed, some very good explanations. I understand now. I think

Posted: Wed Jan 03, 2007 2:40 pm
by Luke
Kieran Huggins wrote:I may be biased, but I can't see any disadvantages to my array_merge() permissions system. What are the drawbacks that you guys see?
I don't see anything wrong with your method, but I think I'm going to use bitwise anyway because it's so nifty and because I want to learn bitwise operations.

Posted: Wed Jan 03, 2007 2:43 pm
by Kieran Huggins
May the fours be with you, NSG!
Posted: Wed Jan 03, 2007 3:07 pm
by Burrito
just remember when you're doing your permissions definitions you have to do multiples of 2.
ie
permission 1 = 1
permission 2 = 2
permission 3 = 4
permission 4 = 8
permission 5 = 16
etc.
the users will just have an integer value stored on their row in the users table.
ie
user 1 = 7 (has permissions 1, 2 and 3)
user 2 = 4 (has permissions 3 only)
user 3 = 12 (has permissions 3 and 4)
user 4 = 31 (has all permissions)
etc.
Posted: Wed Jan 03, 2007 3:21 pm
by RobertGonzalez
I think when doing your conditionals you need to be watchful also. I just tried this:
Code: Select all
<?php
define('CAN_POST', 1);
define('CAN_MODERATE', 2);
define('CAN_ADMIN', 4);
define('CAN_READ', ;
define('CAN_EDIT', 16);
$visitor = CAN_READ;
$user = $visitor + CAN_POST;
$mediator = $user + CAN_EDIT;
$moderator = $mediator + CAN_MODERATE;
$admin = $moderator + CAN_ADMIN;
$user_level = $mediator;
if ($user_level & CAN_ADMIN)
{
echo '<p>This user can ADMIN, moderate, post, edit and read!';
}
elseif ($user_level & CAN_MODERATE)
{
echo '<p>This user can moderate, post, edit and read!';
}
elseif ($user_level & CAN_POST)
{
echo '<p>This user can post and read!';
}
elseif ($user_level & CAN_EDIT)
{
echo '<p>This user can post, edit and read!';
}
else
{
echo '<p>I fart in your general direction. You can only read';
}
?>
Thinking that it would trigger '<p>This user can post, edit and read!' but it actually triggered just above it. I checked in that order because I was wanting to test what happens if the schema changes after it is built. Did I not do that correctly?
PS in this order of conditionals, everything works fine:
Code: Select all
<?php
define('CAN_POST', 1);
define('CAN_MODERATE', 2);
define('CAN_ADMIN', 4);
define('CAN_READ', ;
define('CAN_EDIT', 16);
$visitor = CAN_READ;
$user = $visitor + CAN_POST;
$mediator = $user + CAN_EDIT;
$moderator = $mediator + CAN_MODERATE;
$admin = $moderator + CAN_ADMIN;
$user_level = $mediator;
if ($user_level & CAN_ADMIN)
{
echo '<p>This user can ADMIN, moderate, post, edit and read!';
}
elseif ($user_level & CAN_MODERATE)
{
echo '<p>This user can moderate, post, edit and read!';
}
elseif ($user_level & CAN_EDIT)
{
echo '<p>This user can post, edit and read!';
}
elseif ($user_level & CAN_POST)
{
echo '<p>This user can post and read!';
}
else
{
echo '<p>I fart in your general direction. You can only read';
}
?>