The system I've worked with so far has only either had one editor or a few editors whom I've known well and who have all had global access. Now, I'm working on a project which will have to deal with a relatively large number of editors with differentiated access. So far, I've worked on the theory, but would like some input on what I have before I proceed.

The site I'm working on will have a (hopefully large) number of guests, a fairly large number of limited editors (all pre-approved) and a few global editors. The individual editors will most likely work infrequently from a shared computer, so the access will be session-based only.

When a person first visits the site, a session will be assigned, and a database entry will be created. The database will contain the username (the IP address will be used for guests) and the IP address. I'm not sure whether to use a timestamp to time out the session, as some of the contents will take a long time to write, and I don't want people to lose their work.

If the guest logs in, the session and database entry will be removed, and a new session and database entry will be made with the real username. Whenever a page is opened, the session will be checked against the database, to ensure the IP of the session holder matches the IP that logged in using that username.

Whenever the user visits a page, a separate table will be checked to see if the user has access to edit that page.

Am I missing something important here?
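
The flow described in the post, sketched as an added example (not code from the original poster): a guest session keyed by IP, a fresh session id issued at login, a per-request IP check, and a separate table for per-page edit rights. The table names, function names, the `is_global` flag and the in-memory SQLite store are all assumptions made for illustration; password verification is assumed to happen before `login` is called.

```python
import secrets
import sqlite3

def open_db():
    # Assumed schema: one row per live session, one per approved editor,
    # and one per (editor, page) grant for limited editors.
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE sessions (sid TEXT PRIMARY KEY, username TEXT NOT NULL, ip TEXT NOT NULL);
        CREATE TABLE editors (username TEXT PRIMARY KEY, is_global INTEGER NOT NULL);
        CREATE TABLE page_access (username TEXT, page TEXT, PRIMARY KEY (username, page));
    """)
    return db

def start_session(db, ip, username=None):
    # Guests are recorded under their IP address, as the post describes.
    sid = secrets.token_urlsafe(32)  # unguessable session id
    db.execute("INSERT INTO sessions VALUES (?, ?, ?)", (sid, username or ip, ip))
    return sid

def login(db, old_sid, username, ip):
    # The guest row is deleted and a new id issued, so an id that existed
    # before login never becomes an authenticated one.
    db.execute("DELETE FROM sessions WHERE sid = ?", (old_sid,))
    return start_session(db, ip, username)

def current_user(db, sid, ip):
    # Per-request check: the session must exist and come from the recorded IP.
    row = db.execute("SELECT username, ip FROM sessions WHERE sid = ?", (sid,)).fetchone()
    if row is None or row[1] != ip:
        return None
    return row[0]

def can_edit(db, sid, ip, page):
    user = current_user(db, sid, ip)
    if user is None:
        return False
    row = db.execute("SELECT is_global FROM editors WHERE username = ?", (user,)).fetchone()
    if row is None:  # guests have no row in editors
        return False
    if row[0]:       # global editors may edit every page
        return True
    hit = db.execute("SELECT 1 FROM page_access WHERE username = ? AND page = ?",
                     (user, page)).fetchone()
    return hit is not None
```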