Hi,

I'm busy making my own CMS, and I have chosen to use an RBAC system for my security and authorization/authentication work. For my system I have worked out this database model:
Code:
## Users
CREATE TABLE users
(
  u_id INT (7) UNSIGNED AUTO_INCREMENT PRIMARY KEY,
  u_name VARCHAR(255) NOT NULL default '',
  u_username VARCHAR(255) NOT NULL default '',
  u_password VARCHAR(32) NOT NULL default '',
  u_email VARCHAR(255) NOT NULL default '',
  u_active ENUM('Y', 'N')
) ENGINE=MyISAM;

## Roles
CREATE TABLE roles
(
  r_id INT(6) UNSIGNED AUTO_INCREMENT PRIMARY KEY,
  r_name VARCHAR(255) NOT NULL default ''
) ENGINE=MyISAM;

## Permissions
CREATE TABLE permissions
(
  p_id INT(6) UNSIGNED AUTO_INCREMENT PRIMARY KEY,
  p_name VARCHAR(255) NOT NULL default ''
) ENGINE=MyISAM;

## UserRole
CREATE TABLE user_role
(
  u_id INT(7) UNSIGNED default '0',
  r_id INT(6) UNSIGNED default '0'
) ENGINE=MyISAM;

## RolePermission
CREATE TABLE role_permission
(
  r_id INT(6) UNSIGNED default '0',
  p_id INT(6) UNSIGNED default '0'
) ENGINE=MyISAM;

Now the point is that, if I want to check e.g. "Has x got permissions to edit this article?", then I must use some kind of code like:
PHP Code:
if ( $user->hasPermission ('editArticle') )
{
    // Edit article
}

Now the problem is, if I use this method, I should exactly know which permissions I can have, and make checks for them, otherwise I can't check a permission that isn't defined in the checks (e.g. I can't set revokePermission in my admin panel / database if it isn't checked in the code).

Now my question is, is there an alternative way of linking a role to a permission and a permission OF THAT USER / ROLE to an operation (like CRUD)?

[PS: I've read several topics in this forum containing discussion about RBAC Modeling and linked things, but I can't come up with anything else like this.]

MartijnG
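
As an added example (not part of the original post and not MartijnG's code): one way the `hasPermission('editArticle')` check can resolve through the posted tables, so that a permission name is just a row in `permissions` and anything not linked to the user's role is denied. The `User` class body, the SQLite in-memory database standing in for MySQL, and all sample rows are assumptions constructed for illustration.

```php
<?php
// Added example. SQLite in memory stands in for the MySQL tables from the post;
// the column subset and every row below are constructed sample data.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("
    CREATE TABLE users (u_id INTEGER PRIMARY KEY, u_username TEXT, u_active TEXT);
    CREATE TABLE roles (r_id INTEGER PRIMARY KEY, r_name TEXT);
    CREATE TABLE permissions (p_id INTEGER PRIMARY KEY, p_name TEXT);
    CREATE TABLE user_role (u_id INTEGER, r_id INTEGER);
    CREATE TABLE role_permission (r_id INTEGER, p_id INTEGER);
    INSERT INTO users VALUES (1, 'alice', 'Y'), (2, 'bob', 'N');
    INSERT INTO roles VALUES (1, 'editor');
    INSERT INTO permissions VALUES (1, 'editArticle'), (2, 'revokePermission');
    INSERT INTO user_role VALUES (1, 1), (2, 1);
    INSERT INTO role_permission VALUES (1, 1);
");

class User
{
    private $db;
    private $id;

    public function __construct(PDO $db, $id)
    {
        $this->db = $db;
        $this->id = (int) $id;
    }

    // True only if an active user holds a role that is linked to the permission.
    // The name is bound as a parameter, never concatenated into the SQL.
    public function hasPermission($name)
    {
        $stmt = $this->db->prepare(
            "SELECT COUNT(*)
               FROM users u
               JOIN user_role ur       ON ur.u_id = u.u_id
               JOIN role_permission rp ON rp.r_id = ur.r_id
               JOIN permissions p      ON p.p_id  = rp.p_id
              WHERE u.u_id = ? AND u.u_active = 'Y' AND p.p_name = ?"
        );
        $stmt->execute([$this->id, $name]);
        return $stmt->fetchColumn() > 0;
    }
}

$alice = new User($db, 1);
var_dump($alice->hasPermission('editArticle'));      // linked to her 'editor' role
var_dump($alice->hasPermission('revokePermission')); // defined, but no role link
var_dump((new User($db, 2))->hasPermission('editArticle')); // same role, inactive user
```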