  1. #1
    SitePoint Member dynedain

    Users<->Groups<->Permissions<->Files Design Patterns

    I've already done a search on this, and am approaching a big stumbling block.


    I'm trying to develop a permissions system


    I can't use a simple hierarchy or user level because this system will have many users with almost as many groups as users.

    So, in a MySQL database I have a users table, a users<->groups table, a groups<->permissions table and a permissions table. Now this is all fine and dandy until I start to think about the different kinds of data and types of access all over the site, and my brain explodes.

    Let's take the file downloads as a simple example. I'm hiding the files behind a download.php that I intend on having check the permissions of the user. So I have a files table in the database (file_id, file_name). I guess it would work to add 2 permissions for every file (FILExxxDOWNLOAD and FILExxxDELETE) for every file, and then modify the groups<->permissions appropriately, but this doesn't seem efficient when it comes to lookup, and would result in 2 permissions for every file on top of all the other permissions! And this would only solve the issue for files, but I'd have to do it all over again for each kind of content on the site!

    Please help my shattered mind. I'm looking more at this point on how to structure things, code examples can wait just a bit.

  2. #2
    SitePoint Evangelist jplush76
    instead of ID'ing each file you could have each file categorized

    so readme.pdf has an access category of ALL (I like text descriptors for this instead of 1,2,4,5,6, etc, easier to follow what the heck is really happening )

    specialtext.pdf has an access category of ADMIN (can view & delete) or ADMIN_VIEW_ONLY (cannot delete)


    you could also set levels for each category IE ALL has a level of 10 ADMIN_VIEW_ONLY has a level of 20 and ADMIN has a level of 30

    so then if someone wants to view an admin file you say is their user level > 20?

    if they want to delete a file they'd have to have a user level > 30

    permissions is a hairy topic
    My-Bic - Easiest AJAX/PHP Framework Around
    Now Debug PHP scripts with Firebug!

  3. #3
    SitePoint Enthusiast
    you can use master--detail tables for permission control,
    master == type and reference for every item
    detail == the groups and available action on the master item

    you can differentiate your type as "FILE", "FORM" or any other thing

    the action can be "R"ead, "W"rite, "D"elete, or anything else
    by this way, your 1 action column can hold multiple permissions / actions

    reference can be physical file path / html / php form or anything you "ID" it
    and the self description for additional note.


    master permission:
    CREATE TABLE `masterPerm` (
    `UID` BIGINT NOT NULL AUTO_INCREMENT ,
    `TYPE` VARCHAR( 10 ) NOT NULL ,
    `REFERENCE` VARCHAR( 100 ) NOT NULL ,
    `DESCRIPTION` VARCHAR( 100 ) NOT NULL,
    PRIMARY KEY ( `UID` )
    );



    CREATE TABLE `childPerm` (
    `UID` BIGINT NOT NULL AUTO_INCREMENT ,
    `masterUID` BIGINT DEFAULT '0' NOT NULL ,
    `GROUPID` VARCHAR( 10 ) NOT NULL ,
    `ACTION` VARCHAR( 10 ) NOT NULL ,
    PRIMARY KEY ( `UID` )
    );

  4. #4
    SitePoint Enthusiast
    when you query:

    SELECT * FROM masterPerm LEFT JOIN childPerm ON masterPerm.UID = childPerm.masterUID WHERE childPerm.GROUPID='Group A';
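
The master/detail layout from posts #3 and #4, built and queried in SQLite so it can be run as-is (added example, not code from the thread; table and column names follow the posts, the sample rows and the `is_allowed` check are constructed here). Note that the original `LEFT JOIN ... WHERE childPerm.GROUPID = ...` behaves as an inner join because the WHERE clause discards the unmatched NULL rows, so a plain JOIN is used. The check is deny-by-default: a user with no groups, an unknown item, or an action nobody granted all return False, which is what a download.php gate wants.

```python
import sqlite3

# Constructed sample data (not from the thread): two files, one form, three groups.
MASTER_ROWS = [
    ("FILE", "/files/readme.pdf", "public readme"),
    ("FILE", "/files/specialtext.pdf", "staff-only document"),
    ("FORM", "edit_profile.php", "profile editor"),
]
CHILD_ROWS = [  # (reference, group, action)
    ("/files/readme.pdf", "clients", "R"),
    ("/files/readme.pdf", "staff", "R"),
    ("/files/specialtext.pdf", "staff", "R"),
    ("/files/specialtext.pdf", "admins", "R"),
    ("/files/specialtext.pdf", "admins", "D"),
    ("edit_profile.php", "staff", "W"),
]


def build_db():
    """In-memory SQLite version of masterPerm / childPerm (types adapted from MySQL)."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE masterPerm (
            UID INTEGER PRIMARY KEY AUTOINCREMENT,
            TYPE TEXT NOT NULL,
            REFERENCE TEXT NOT NULL,
            DESCRIPTION TEXT NOT NULL,
            UNIQUE (TYPE, REFERENCE)          -- one master row per secured item
        );
        CREATE TABLE childPerm (
            UID INTEGER PRIMARY KEY AUTOINCREMENT,
            masterUID INTEGER NOT NULL REFERENCES masterPerm(UID),
            GROUPID TEXT NOT NULL,
            ACTION TEXT NOT NULL,
            UNIQUE (masterUID, GROUPID, ACTION)  -- no duplicate grants
        );
        CREATE INDEX idx_child_group ON childPerm (GROUPID, ACTION);
    """)
    db.executemany(
        "INSERT INTO masterPerm (TYPE, REFERENCE, DESCRIPTION) VALUES (?, ?, ?)",
        MASTER_ROWS)
    for ref, group, action in CHILD_ROWS:
        db.execute("""INSERT INTO childPerm (masterUID, GROUPID, ACTION)
                      SELECT UID, ?, ? FROM masterPerm WHERE REFERENCE = ?""",
                   (group, action, ref))
    db.commit()
    return db


def items_for_group(db, group_id):
    """Post #4's query: every (type, reference, action) a group is granted."""
    return db.execute("""
        SELECT m.TYPE, m.REFERENCE, c.ACTION
        FROM masterPerm m
        JOIN childPerm c ON m.UID = c.masterUID
        WHERE c.GROUPID = ?
        ORDER BY m.REFERENCE, c.ACTION""", (group_id,)).fetchall()


def is_allowed(db, user_groups, item_type, reference, action):
    """Deny by default: True only if one of the user's groups holds `action`
    on exactly this (type, reference). `user_groups` is the list of group
    ids the caller already resolved for the logged-in user."""
    if not user_groups:
        return False
    placeholders = ",".join("?" * len(user_groups))  # only '?' marks, values are bound
    row = db.execute(f"""
        SELECT 1
        FROM masterPerm m JOIN childPerm c ON m.UID = c.masterUID
        WHERE m.TYPE = ? AND m.REFERENCE = ? AND c.ACTION = ?
          AND c.GROUPID IN ({placeholders})
        LIMIT 1""", (item_type, reference, action, *user_groups)).fetchone()
    return row is not None


if __name__ == "__main__":
    conn = build_db()
    print(items_for_group(conn, "admins"))
    print(is_allowed(conn, ["clients"], "FILE", "/files/specialtext.pdf", "R"))
```

The UNIQUE constraints and the (GROUPID, ACTION) index are what keep the "one row per grant" table from becoming the lookup problem the original poster feared: the check is a single indexed probe regardless of how many files exist.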

  5. #5
    SitePoint Member dynedain
    Thanks for the suggestions,

    JPlush: an access level system won't work in this case because files are not intended to be accessible to all users with a certain access level (ie public, clients, staff, admins) but rather only to certain people at certain access levels (all staff and admins, but not all clients). People at the client level can see only what is available to the groups they belong to, but not everything at the client level.

    Flash: what you described sounds like what I was proposing, a groups<->permissions and a permissions<->files. And this ends up with a really big permissions table with one or more entries for each file or other secured item. Am I interpreting you correctly? If not, please explain. I was hoping to solve this without too big of a table in the interest of speed, which isn't critical, but I don't want it to become a problem either.

  6. #6
    Non-Member
    And this ends up with a really big permissions table with one or more entries for each file or other secured item.
    That is correct, as there is no other real way around it. Just be sure that you make all the table columns in a permissions table the PK

  7. #7
    SitePoint Member dynedain
    I just had a meeting with the client, and found out the need is much much less sophisticated than I originally believed.


    Now it's pretty simple, only staff and admins can post files. Files are always associated with groups. And general users get assigned to groups. Much simpler, and the lookup tables don't get so huge.
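
The simplified model from post #7 (staff/admins post files, files belong to groups, users belong to groups) with post #6's advice of making the link tables' columns the primary key, again in SQLite so it runs stand-alone. This is an added example, not the poster's code; the table names, the `role` column, the sample users and files, and the `download_gate` function are constructed for illustration.

```python
import sqlite3

# Constructed sample data (not from the thread).
USERS = [(1, "alice", "staff"), (2, "bob", "admin"), (3, "carol", "user"), (4, "dave", "user")]
GROUPS = [(10, "project-x"), (11, "project-y")]
MEMBERSHIP = [(1, 10), (1, 11), (2, 11), (3, 10), (4, 11)]      # (user_id, group_id)
FILES = [(100, "x-spec.pdf", 1), (101, "y-notes.pdf", 2)]       # (id, name, uploaded_by)
FILE_GROUPS = [(100, 10), (101, 11)]                            # (file_id, group_id)


def build_db():
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT NOT NULL, role TEXT NOT NULL);
        CREATE TABLE user_group (id INTEGER PRIMARY KEY, name TEXT NOT NULL);
        -- Composite primary keys on both link tables (post #6): a membership or a
        -- file-to-group link cannot be duplicated, and the lookup hits the PK index.
        CREATE TABLE group_member (
            user_id  INTEGER NOT NULL REFERENCES users(id),
            group_id INTEGER NOT NULL REFERENCES user_group(id),
            PRIMARY KEY (user_id, group_id));
        CREATE TABLE files (id INTEGER PRIMARY KEY, name TEXT NOT NULL,
                            uploaded_by INTEGER NOT NULL REFERENCES users(id));
        CREATE TABLE file_group (
            file_id  INTEGER NOT NULL REFERENCES files(id),
            group_id INTEGER NOT NULL REFERENCES user_group(id),
            PRIMARY KEY (file_id, group_id));
    """)
    db.executemany("INSERT INTO users VALUES (?,?,?)", USERS)
    db.executemany("INSERT INTO user_group VALUES (?,?)", GROUPS)
    db.executemany("INSERT INTO group_member VALUES (?,?)", MEMBERSHIP)
    db.executemany("INSERT INTO files VALUES (?,?,?)", FILES)
    db.executemany("INSERT INTO file_group VALUES (?,?)", FILE_GROUPS)
    db.commit()
    return db


def can_post_file(db, user_id):
    """Only staff and admins may upload; unknown users are refused."""
    row = db.execute("SELECT role FROM users WHERE id = ?", (user_id,)).fetchone()
    return row is not None and row[0] in ("staff", "admin")


def can_download(db, user_id, file_id):
    """True only if the user shares at least one group with the file."""
    row = db.execute("""
        SELECT 1
        FROM file_group fg
        JOIN group_member gm ON gm.group_id = fg.group_id
        WHERE fg.file_id = ? AND gm.user_id = ?
        LIMIT 1""", (file_id, user_id)).fetchone()
    return row is not None


def download_gate(db, user_id, file_id):
    """What download.php does before streaming anything: run the check first,
    and only then resolve the stored file name. A forbidden file and a
    non-existent file both return None, so the response does not reveal
    which of the two it was."""
    if not can_download(db, user_id, file_id):
        return None
    row = db.execute("SELECT name FROM files WHERE id = ?", (file_id,)).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    conn = build_db()
    print(download_gate(conn, 3, 100))  # carol is in project-x -> x-spec.pdf
    print(download_gate(conn, 3, 101))  # not in project-y -> None
```

Because the decision is "does any row exist in the join", the lookup cost is bounded by the user's number of group memberships, not by the number of files on the site, which is why the tables no longer "get so huge" in the way the original design would have.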

  8. #8
    SitePoint Enthusiast
    the permission can be anything, example: 1 record for 1 file or may be 1 folder

    as what you said, if you REALLY want to control every permission for every single file, or you just want to control for whole folder...

    it depends very much on what you want and how you control it.
    as you said, the customer only needs simple permissions
    some customers need detailed permissions, even on every single textbox ...

