  1. #1 (spaceman)
    Hi all,

    Has anyone seen a good article on the theory (if not the practice) behind the development of user and group access privileges for the admin section of a web site?

    To expand a little: I want to be able to develop a web site where lots of users can login to a password-protected area. Depending on what 'group' of users they belong to (eg. group A, B, or C) then they will have access to perform certain functions as defined by the settings for their group. I'd like also to consider such complexities as
    1. A user belonging to more than 1 group
    2. A user having individual permissions that allow them to override their group settings
    3. The possibility of sub-dividing functions down to the update/delete/add level, thus for example 1 group may have privileges to add to (but not update/delete) some records, and another group may have privileges to do all three.

    I've developed this sort of application before, but not in a particularly systematic way (ie. I bolted it together as I went along).

    I want to use PHP and MySQL (but of course!), but the sort of article I'm looking for could quite easily be language/database independent.

    My feeling is that this is a big subject, maybe even a book in its own right?

    Thanks for any pointers anyone can give me.

  2. #2 (HotDog)
    I've been programming an Intranet for the company I work for, and have run into a very similar situation. I really don't know of any articles on how to accomplish this, but I can share with you what I have done.

    I have setup a user profile table in the database. Within this profile table I have setup "groups" a person could belong to, such as if they belong to the "Administration" group, or the "Marketing" group, or the "GOD" group. I then created a simple form in the administrative page where you could access a user profile and assign them to different groups. The different groups have rights to access or do different things on the Intranet. For example, you need to be part of the marketing group to access that part of the intranet. You have to be part of the administrative group to access the administrative pages or post administrative notes. If you have GOD rights, you can go anywhere and change anyone's stuff you want.

    I also set it up so that page menus display differently according to what group you may belong to. For example, marketing people have access to the administrative page, but only the menus that pertain to their group show up in the menu. People with general admin rights would see more menus to do more things. I set this up by using an include page with the different menus coded on it. I have the different menus in switch statements that are picked according to what page I'm on and what group the user belongs to.

    So far it has worked very well. The only problem is that you have to hard code the groups beforehand. You can't make new groups on the fly. But so far it really hasn't been a big factor.

    Don't know if this helps any, but it's an example I've been using. I'd be interested to know how other people have been doing the same thing.
    Last edited by HotDog; Apr 9, 2001 at 08:32.
    Joe Eliason
    Just a dog learnin' PHP from cat.

  3. #3 (mgkimsal)

    We've got a lot of this in a proprietary framework we use for projects. The key was to abstract a lot of things. Don't put any stock in the label 'edit' for example, beyond treating it as a text string primarily. Only in your applications do you test for 'edit' and perform code. This isn't coming across very well, I know...

    We treat everything primarily as just a text label - an arbitrary string. We then created a framework which interprets relationships between those strings. The strings can be added and deleted on an ad-hoc basis. Doesn't matter if we have 1 group or 1000 groups - they're just text entries in a database.

    Same thing for actions - 'read', 'edit', etc. aren't hardcoded anywhere. They are just strings which get assigned to a user - we can add or delete them as needed.

    This is not coming across how I wanted it to... but you need to put a lot of thought into this before you jump in, if you plan to expand this at all. If it's just a quick hack - fine. If you need to support/maintain/expand this 6 months from now - plan, plan, plan.

    BTW, we didn't put user overrides in - you can't assign permissions down to the individual level. If you NEED to do this in our system, you create another group with that one user in it, and assign specific rights to that group.

    HTH
    Michael Kimsal
    =============================
    groovymag.com - for groovy/grails developers
    jsmag.com - for javascript developers
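The following is an added example, not code from either poster: a small, database-independent model of the scheme spaceman asked about in #1 (multiple groups per user, per-user overrides, add/update/delete granularity) and of the string-based abstraction mgkimsal describes in #3. Every group, resource, action and user name below is constructed for illustration.

```python
# Added example (not from the thread): a database-independent model of the
# scheme discussed above. Groups, actions and resources are arbitrary strings,
# a user may belong to several groups, group grants are unioned, and an
# optional per-user override (allow or deny) takes precedence over groups.
# All names and data below are constructed for illustration.

# Group grants: group name -> set of (resource, action) pairs. Adding a new
# group or action is a new entry (a database row), not a code change.
GROUP_GRANTS = {
    "editors": {("article", "add"), ("article", "update")},
    "moderators": {("article", "delete"), ("comment", "delete")},
    "admins": {("*", "*")},  # wildcard: the "go anywhere" superuser group
}

# Membership: user -> set of group names (several groups per user allowed).
USER_GROUPS = {
    "alice": {"editors", "moderators"},
    "bob": {"editors"},
    "carol": {"admins"},
}

# Per-user overrides: (user, resource, action) -> True (allow) / False (deny).
# mgkimsal's alternative, a one-member group, needs no rows here at all.
USER_OVERRIDES = {
    ("bob", "article", "update"): False,  # bob may add articles but not update
    ("bob", "comment", "delete"): True,   # bob alone may delete comments
}


def _group_allows(grants, resource, action):
    """True if any grant in the set covers (resource, action), honouring '*'."""
    return any(r in ("*", resource) and a in ("*", action) for r, a in grants)


def is_allowed(user, resource, action):
    """Deny by default: unknown users, groups or actions never grant access."""
    override = USER_OVERRIDES.get((user, resource, action))
    if override is not None:  # an explicit per-user allow/deny wins
        return override
    return any(_group_allows(GROUP_GRANTS.get(g, set()), resource, action)
               for g in USER_GROUPS.get(user, set()))


def effective_permissions(user, resources, actions):
    """Sorted (resource, action) pairs the user holds; useful for building
    per-user menus the way HotDog describes, without hard-coding groups."""
    return sorted((r, a) for r in resources for a in actions
                  if is_allowed(user, r, a))
```

Because the check falls through to `False` whenever no group or override matches, a typo in a group name or a group that was never granted anything silently yields no access rather than accidental access.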

  4. #4 (spaceman)
    Thanks very much Michael and HotDog for taking the time to add your comments. It's good to know I'm not the only one mulling over this issue.

    Point of interest: this vBulletin forum software has user and group privileges (maybe I should be trying to reverse-engineer their code...). It looks pretty sophisticated (from an admin point of view), with the only thing 'missing' from an admin point of view that I can see is that a user can't belong to more than 1 group - although this approach probably helps to stop the thing getting hideously complex (from an admin AND a programming point of view).

    Michael - I agree with your decision not to include functionality to allow individual user overrides. I mean, in a system with many different users logging in, how many truly 'unique' users can there truly be? Your solution to create another group in this eventuality looks like a good approach to me.

    Michael said "but you need to put a lot of thought into this before you jump in", which is exactly why I started this thread - because I definitely want to! I may have a more pressing business need to use this stuff in a web site in a few weeks/months time, so I'm just doing some research at this stage.

    If you have time, M, I would be interested to learn a little more about how your 'abstraction' technique works in practice, and of course from anyone else with their own experiences or articles to share. I still think that this subject has the capacity to be its own chapter in a book, or even a book in its own right.

    Thanks again.
