  1. #1
    Tranceoholic lilleman's Avatar
    Join Date
    Feb 2004
    Location
    Örebro, Sweden
    Posts
    2,716
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)

    Building an Advanced Permission System

    I'm building a module-based CMS (it might not be a "real CMS", but I've chosen to call it that) in which I have to be able to give different users different permissions. The thing is, I don't know how to do it... What I need you to help me with is the thinking process - how to construct it so it'll support all the things I require. But what do I require? Well, here goes...

    Let's assume that I have two modules installed - articles and forum. The articles belong to different categories, and each category can have moderators which can moderate all articles under that category. The author of an article should also be able to moderate his article, but regular or anonymous users should only be able to read the article.

    The requirements for a discussion forum are pretty similar. There can be multiple categories, and each category can have multiple forums. A user can be a moderator for a whole category, or only a single forum in a specific category. A regular user can moderate his posts, but he can't do anything to other posts (except report them, but that's another story).

    Another thing that I require is the possibility to assign special roles to users, like system administrator (which can administrate the entire system) or module administrator (which can administrate a certain module, like the forum).

    So, how can this be accomplished? I'm grateful for any suggestions.

    I'm using PHP5 and MySQL 4.0, so please make any code examples compatible with those versions.
    ERIK RIKLUND :: Yes, I've been gone quite a while.

  2. #2
    SitePoint Wizard stereofrog's Avatar
    Join Date
    Apr 2004
    Location
    germany
    Posts
    4,324
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    c2 article http://www.c2.com/cgi/wiki?AccessControlList seems to be a good starting point for you.

  3. #3
    Tranceoholic lilleman's Avatar
    Join Date
    Feb 2004
    Location
    Örebro, Sweden
    Posts
    2,716
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    Thanks, that seems to be what I'm looking for. However, I'm still not sure how to do it... Do you (or anyone else here) have experience of working with ACL?
    ERIK RIKLUND :: Yes, I've been gone quite a while.

  4. #4
    SitePoint Wizard stereofrog's Avatar
    Join Date
    Apr 2004
    Location
    germany
    Posts
    4,324
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    Well, if you're interested I can tell how it's done in the project I'm currently working on.

    - all objects (including users) are stored in a tree structure (nested sets based)
    - when user is granted a specific right X (e.g. "read") for an object Y, an object "Grant_X" with reference to userID is inserted in the tree as a child node of Y.
    - when a right is revoked, a symmetric "Revoke_X" object is inserted
    - when user requests an object, the system searches the tree upwards for "Grant_X" or "Revoke_X", whatever comes first. The corresponding sql statement looks like
    Code:
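    -- table tree(ID, LP, RP, PP, klass, ref)

    SELECT ancestor.LP, acc.klass
    FROM tree AS ancestor, tree AS acc
    WHERE
       -- an ancestor (or the object itself) is a node whose LP..RP range encloses the object's LP
       {object.LP} BETWEEN ancestor.LP AND ancestor.RP
    AND
       acc.PP = ancestor.ID
    AND
       acc.ref = {user.id}
    AND
       acc.klass IN ('Grant_Read', 'Revoke_Read')
    ORDER BY
       -- deepest ancestor first, so the nearest grant or revoke wins
       ancestor.LP DESC
    LIMIT 1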
    where LP and RP are nested sets' 'left' and 'right' pointers and PP is an ID of parent object.
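
Added example, not part of the posts above and not stereofrog's project code: the Grant_X / Revoke_X lookup from post #4 run against a small constructed tree. It uses PDO with an in-memory SQLite database so it runs without a MySQL server; the sample rows, the `hasRight` function name and the tie-break that lets a revoke win over a grant on the same node are assumptions of this example.

```php
<?php
// Constructed sample data; columns follow the post's table tree(ID, LP, RP, PP, klass, ref).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE tree (ID INTEGER PRIMARY KEY, LP INT, RP INT, PP INT, klass TEXT, ref INT)');

$rows = array(
    //    ID  LP  RP  PP  klass          ref (user id)
    array(1,  1, 14,  0, 'Root',        null),
    array(2,  2, 13,  1, 'Category',    null),
    array(3,  3,  4,  2, 'Grant_Read',  7),    // user 7 may read the whole category
    array(4,  5, 10,  2, 'Forum',       null), // forum A
    array(5,  6,  7,  4, 'Revoke_Read', 7),    // ...except forum A and everything in it
    array(6,  8,  9,  4, 'Post',        null), // a post in forum A
    array(7, 11, 12,  2, 'Forum',       null), // forum B
);
$ins = $db->prepare('INSERT INTO tree (ID, LP, RP, PP, klass, ref) VALUES (?, ?, ?, ?, ?, ?)');
foreach ($rows as $row) {
    $ins->execute($row);
}

// The nearest Grant_X / Revoke_X node on the path from the object up to the
// root decides. Ordering: deepest ancestor first; on the same ancestor the
// klass is sorted descending so that Revoke_* comes before Grant_* (assumed
// tie-break). No matching node at all means no access (default deny).
function hasRight(PDO $db, $objectId, $userId, $right)
{
    $sql = 'SELECT acc.klass
              FROM tree AS obj, tree AS ancestor, tree AS acc
             WHERE obj.ID = ?
               AND obj.LP BETWEEN ancestor.LP AND ancestor.RP
               AND acc.PP = ancestor.ID
               AND acc.ref = ?
               AND acc.klass IN (?, ?)
             ORDER BY ancestor.LP DESC, acc.klass DESC
             LIMIT 1';
    $st = $db->prepare($sql);
    $st->execute(array($objectId, $userId, 'Grant_' . $right, 'Revoke_' . $right));
    // fetchColumn() returns false when there is no row, which compares unequal.
    return $st->fetchColumn() === 'Grant_' . $right;
}

$checks = array(
    array(6, 7, 'post in forum A, user 7'), // revoke on forum A is nearer than the grant
    array(7, 7, 'forum B, user 7'),         // inherits the grant on the category
    array(1, 7, 'root, user 7'),            // nothing granted at or above the root
    array(7, 8, 'forum B, user 8'),         // user with no grant nodes
);
foreach ($checks as $c) {
    echo $c[2], ': ', hasRight($db, $c[0], $c[1], 'Read') ? 'allow' : 'deny', "\n";
}
```

Only the second check is allowed: the revoke on forum A shadows the category-level grant, and a user or object with no matching node falls through to deny.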

  5. #5
    SitePoint Addict
    Join Date
    May 2005
    Posts
    255
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    I have a table which simply contains entries of a starting point, and permissions. All child branches in the tree inherit those permissions from that point down. The table contains 3 values: the usergroup, the branch id, and the permission set (a bit field).

    It's extremely easy to administer, and you can look up permissions quickly if you're tracking what the 'parent' branches of a given branch are.

  6. #6
    Tranceoholic lilleman's Avatar
    Join Date
    Feb 2004
    Location
    Örebro, Sweden
    Posts
    2,716
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    Do you think that you can give an example of how it works? The structure of the table, some example data, and some code that checks if a user has permission to perform a certain action. I'd appreciate it very much. Thanks in advance.
    ERIK RIKLUND :: Yes, I've been gone quite a while.

  7. #7
    SitePoint Addict
    Join Date
    May 2005
    Posts
    255
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    Quote Originally Posted by lilleman
    Do you think that you can give an example of how it works? The structure of the table, some example data, and some code that checks if a user has permission to perform a certain action. I'd appreciate it very much. Thanks in advance.
    The table is like this:
    Code:
    CREATE TABLE `perm` (
      `permid` int(10) unsigned NOT NULL auto_increment,
      `branchid` int(10) unsigned NOT NULL default '0',
      `usergroupid` tinyint(3) unsigned NOT NULL default '0',
      `perms` tinyint(3) unsigned NOT NULL default '0',
      PRIMARY KEY  (`permid`),
      KEY `usergroupid` (`usergroupid`,`branchid`)
    ) ENGINE=MyISAM ROW_FORMAT=FIXED
    The lookup code would generally go like this (note: this can be optimized considerably, and is in the real code that I used. Illustrated here for clarity)

    PHP Code:
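    class CMS
    {
        const PERM_VIEW   = 1;
        const PERM_EDIT   = 2;
        const PERM_ADD    = 4;
        const PERM_DELETE = 8;
        const PERM_FORK   = 16;

        // ...

        public function CheckPerms($BranchID, $Perm)
        {
            // Branch 0: walked past the root without finding an entry, so deny.
            if ($BranchID == 0)
            {
                return false;
            }

            // An entry on this branch decides the result.
            if ($Perms = $this->DB->FetchFirst('SELECT perms FROM perm WHERE branchid = '.intval($BranchID)))
            {
                return ($Perms['perms'] & $Perm) != 0;
            }

            // No entry here: inherit from the parent branch.
            // The perm table above has no parentid column; `branch` is an assumed
            // name for the table that stores the tree.
            if ($Parent = $this->DB->FetchFirst('SELECT parentid FROM branch WHERE branchid = '.intval($BranchID)))
            {
                return $this->CheckPerms($Parent['parentid'], $Perm);
            }
            return false;
        }
    }

    $CMS = new CMS();

    if (!$CMS->CheckPerms(1, CMS::PERM_DELETE))
    {
        echo 'You may not delete this branch';
    }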

    I typically use exceptions to handle things in my code, and there aren't nearly as many DB queries going on (my structure is quite a bit different), but that's the basic pattern.
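
Added example, not part of the post above and not its author's real code: the bit-field lookup with the `usergroupid` column taken into account, the branch path computed once, and a check that requires every requested bit. The `Perm` class, the function names and the sample tree and rows are assumptions of this example; data is held in arrays so it runs without a database.

```php
<?php
class Perm
{
    const VIEW = 1; const EDIT = 2; const ADD = 4; const DELETE = 8; const FORK = 16;
}

// Constructed sample tree: branchid => parentid (0 = no parent).
$parentOf = array(1 => 0, 2 => 1, 3 => 2, 4 => 2);

// Constructed rows shaped like the perm table: usergroupid, branchid, perms.
$permRows = array(
    array('usergroupid' => 1, 'branchid' => 1, 'perms' => Perm::VIEW),
    array('usergroupid' => 2, 'branchid' => 2, 'perms' => Perm::VIEW | Perm::EDIT | Perm::DELETE),
    array('usergroupid' => 2, 'branchid' => 4, 'perms' => Perm::VIEW), // narrower entry on branch 4
);

// Branch ids from $branchId up to the root, nearest first. Stops on an
// unknown branch or when an id repeats, so a corrupt tree cannot loop forever.
function pathToRoot(array $parentOf, $branchId)
{
    $path = array();
    while ($branchId != 0 && isset($parentOf[$branchId]) && !in_array($branchId, $path)) {
        $path[] = $branchId;
        $branchId = $parentOf[$branchId];
    }
    return $path;
}

// Bit field of the nearest branch on the path that has a row for this group.
// Returns 0 (no permissions) when no branch on the path has one.
function effectivePerms(array $permRows, array $parentOf, $branchId, $groupId)
{
    $byBranch = array();
    foreach ($permRows as $row) {
        if ($row['usergroupid'] == $groupId) {
            $byBranch[$row['branchid']] = $row['perms'];
        }
    }
    foreach (pathToRoot($parentOf, $branchId) as $id) {
        if (isset($byBranch[$id])) {
            return $byBranch[$id];
        }
    }
    return 0;
}

// True only when every bit in $need is present; an empty request is refused.
function checkPerms(array $permRows, array $parentOf, $branchId, $groupId, $need)
{
    $have = effectivePerms($permRows, $parentOf, $branchId, $groupId);
    return $need > 0 && ($have & $need) === $need;
}

var_dump(checkPerms($permRows, $parentOf, 3, 2, Perm::DELETE));            // inherited from branch 2
var_dump(checkPerms($permRows, $parentOf, 4, 2, Perm::DELETE));            // branch 4 entry is VIEW only
var_dump(checkPerms($permRows, $parentOf, 3, 2, Perm::EDIT | Perm::ADD));  // ADD missing, so refused
var_dump(checkPerms($permRows, $parentOf, 1, 2, Perm::VIEW));              // group 2 has no entry at the root
```

A test of the form `$have & $need` alone is truthy when any one requested bit is set, so a combined request such as `EDIT | ADD` would pass with only `EDIT`; comparing the masked value to `$need` closes that gap.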

  8. #8
    SitePoint Enthusiast
    Join Date
    Oct 2003
    Location
    norway
    Posts
    92
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    I'd take a look at LiveUser..

  9. #9
    Tranceoholic lilleman's Avatar
    Join Date
    Feb 2004
    Location
    Örebro, Sweden
    Posts
    2,716
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    Quote Originally Posted by Aphenitry
    I'd take a look at LiveUser..
    Thanks for the suggestion, but I'd rather use something I've written myself.
    ERIK RIKLUND :: Yes, I've been gone quite a while.

  10. #10
    SitePoint Enthusiast
    Join Date
    Oct 2003
    Location
    norway
    Posts
    92
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    Quote Originally Posted by lilleman
    Thanks for the suggestion, but I'd rather use something I've written myself.
    Heh, I'm sorry, but that's just so stereotypical newcomer-php arrogance. Just because it isn't in PHP itself doesn't mean it's not even worth a look.

    And if you can't because this is part of some school-assignment, I'm sorry for being so harsh.

  11. #11
    SitePoint Guru 33degrees's Avatar
    Join Date
    May 2005
    Posts
    707
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    Quote Originally Posted by Aphenitry
    Heh, I'm sorry, but that's just so stereotypical newcomer-php arrogance. Just because it isn't in PHP itself doesn't mean it's not even worth a look.

    And if you can't because this is part of some school-assignment, I'm sorry for being so harsh.
    Most experienced PHP developers seem to have an aversion to PEAR as well. Besides, I think it's generally preferable to roll your own solutions if you have the time.

  12. #12
    SitePoint Guru
    Join Date
    May 2005
    Location
    Finland
    Posts
    608
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    Quote Originally Posted by Aphenitry
    Heh, I'm sorry, but that's just so stereotypical newcomer-php arrogance. Just because it isn't in PHP itself doesn't mean it's not even worth a look.
    Not wanting to use a PEAR package is arrogance? Ehm, right. I'd feel uncomfortable using a library if I wasn't at least somewhat aware of the principles working behind the implementation. I bet there are loads of other valid reasons not to use PEAR, the least of which probably isn't the need to use something customised for your needs.

  13. #13
    Programming Team
    Mittineague's Avatar
    Join Date
    Jul 2005
    Location
    West Springfield, Massachusetts
    Posts
    17,290
    Mentioned
    198 Post(s)
    Tagged
    3 Thread(s)

    other code

    I certainly wouldn't want to use code written by someone else. That's why I've written my own OS, and programming language from "scratch" and I never never never ask anyone to show me an example of their code.

  14. #14
    SitePoint Enthusiast
    Join Date
    Oct 2003
    Location
    norway
    Posts
    92
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    Quote Originally Posted by 33degrees
    Most experienced PHP developers seem to have an aversion to PEAR as well.
    Yes, though a few of them work fine now.. You also have other resources. My point was not against PEAR itself, but the reluctance to use any external libraries. I was merely pointing out why PHP has tons of mediocre/bad CMS'es, templating solutions, validators etc..
    Quote Originally Posted by 33degrees
    Besides, I think it's generally preferable to roll your own solutions if you have the time.
    Personally, I prefer using something that's being actively developed, customize it as I want, and get free updates all the time using vendor branches. A forum is a good example of this. I wouldn't have my employees waste time and money working on a new one which is sure to somewhat mimic everything else anyway (not to mention maintenance costs to keep up with the rest).

    Quote Originally Posted by 33degrees
    Not wanting to use a PEAR package is arrogance?
    Avoiding everything there like the plague (including docs and resources)? IMHO, yes. So HTML_AJAX isn't perfect yet. Do I make my own instead, maintaining it as things pop up? I don't think so dude..

    But this is off-topic, and I said "worth a look", not necessarily use it.. A few URLs from the site: http://pear.limbourg.com/20.html and http://pear.php.net/manual/en/packag...er-summary.php

  15. #15
    SitePoint Guru dbevfat's Avatar
    Join Date
    Dec 2004
    Location
    ljubljana, slovenia
    Posts
    684
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    Quote Originally Posted by Ezku
    ... I bet there are loads of other valid reasons not to use PEAR, the least of which probably isn't the need to use something customised for your needs.
    I also avoid PEAR due to a few bad experiences with inflexibility and code-bloat, but I always wanted to know what are the exact reasons for that (as written by 33degrees) "Most experienced PHP developers seem to have an aversion to PEAR as well."

    Anyone care to point me to a valid resource that explains this or at least list some reasons?

    Regards

  16. #16
    SitePoint Enthusiast
    Join Date
    Oct 2003
    Location
    norway
    Posts
    92
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    Quote Originally Posted by Mittineague
    I certainly wouldn't want to use code written by someone else. That's why I've written my own OS, and programming language from "scratch" and I never never never ask anyone to show me an example of their code.
    Don't forget the editor/IDE! And God forbid if it's written in (evil ominous organ play) procedural C! (thunder strikes)

  17. #17
    Tranceoholic lilleman's Avatar
    Join Date
    Feb 2004
    Location
    Örebro, Sweden
    Posts
    2,716
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    Please move your discussion to a thread of its own. I want this one to stick to the topic.

    Aphenitry, I did take a quick look at LiveUser, before I decided not to use it.
    ERIK RIKLUND :: Yes, I've been gone quite a while.

  18. #18
    SitePoint Guru 33degrees's Avatar
    Join Date
    May 2005
    Posts
    707
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    Quote Originally Posted by Aphenitry
    Personally, I prefer using something that's being actively developed, customize it as I want, and get free updates all the time using vendor branches. A forum is a good example of this. I wouldn't have my employees waste time and money working on a new one which is sure to somewhat mimic everything else anyway (not to mention maintenance costs to keep up with the rest).
    Note that I said "if you have the time". A custom solution is always preferable because you know exactly how it works and it's perfectly suited to your needs, but you have to weigh those advantages against the time spent coding it.

  19. #19
    Tranceoholic lilleman's Avatar
    Join Date
    Feb 2004
    Location
    Örebro, Sweden
    Posts
    2,716
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    This thread is meant for discussing my problem. Please stick to the topic.
    ERIK RIKLUND :: Yes, I've been gone quite a while.

  20. #20
    Programming Team
    Mittineague's Avatar
    Join Date
    Jul 2005
    Location
    West Springfield, Massachusetts
    Posts
    17,290
    Mentioned
    198 Post(s)
    Tagged
    3 Thread(s)

    thread problem

    Quote Originally Posted by lilleman
    ... This thread is meant for discussing my problem. Please stick to the topic. ...
    As I understand it the "problem" is not that you are trying to "re-invent the wheel", or get ideas as to how to write the app, or simply looking for something that "will work", but that you want to understand the CMS development process, in particular multiple authorization levels.
    I guess you have trouble looking at other applications' code and understanding the logic that went into their development, and you are looking for plain-language explanations. Don't feel bad, many people have difficulty following other people's code. What I often do is similar to what you have already started to do in the thread's first post. Determine the goals and needs of the application. I often use pen and paper for this phase so that I can draw boxes and arrows and emphasize freely. This helps me to grasp the "big picture". Then I break down the application into manageable sized portions and begin developing code.
    So anyway guys, Stick to the topic. He doesn't want solutions, he wants theory. Anyone know a good tutorial on multi-level authorization?

  21. #21
    Tranceoholic lilleman's Avatar
    Join Date
    Feb 2004
    Location
    Örebro, Sweden
    Posts
    2,716
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    Quote Originally Posted by Mittineague
    He doesn't want solutions, he wants theory.
    Exactly. It seems like ACL might be what I'm looking for, but I'm still looking for more information about how it really works. The article that stereofrog suggested covered the basics and gave me an idea of how it works, but I need more than that.
    ERIK RIKLUND :: Yes, I've been gone quite a while.

  22. #22
    simple tester McGruff's Avatar
    Join Date
    Sep 2003
    Location
    Glasgow
    Posts
    1,690
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    Want to try creating something using test-driven design?

  23. #23
    Tranceoholic lilleman's Avatar
    Join Date
    Feb 2004
    Location
    Örebro, Sweden
    Posts
    2,716
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    Yeah, that would be interesting. I've never done it before, so I'd probably need some help to grasp the concept, but I guess you gotta start somewhere.
    ERIK RIKLUND :: Yes, I've been gone quite a while.

  24. #24
    simple tester McGruff's Avatar
    Join Date
    Sep 2003
    Location
    Glasgow
    Posts
    1,690
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    How experienced are you with OOP?

  25. #25
    Tranceoholic lilleman's Avatar
    Join Date
    Feb 2004
    Location
    Örebro, Sweden
    Posts
    2,716
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    Well, I'm no expert, but I don't see myself as a newbie either.
    ERIK RIKLUND :: Yes, I've been gone quite a while.

