5

Current project I am working on is a web application, that has to be delivered to multiple customers on their own servers. The website needs a permission control system, that will manage areas and features users can or can not use.
As for know, I'm designing a database-driven permissions system, with permissions stored in database. Every user has a role. The role defines the list permissions available. The schema looks like this:

users table
1. user_id
2. name
3. role_id

roles table
1. role_id
2. name

permissions table
1. permission_id
2. name

roles_permissions table:
1. role_id
2. permission_id

In the code I would fetch logged users role and permissions, and check if the user is able to perform action or see area like so: 

if($user->hasPermission('Edit HR')) {
  // let user see the editing HR section
}

The hasPermission would check if user has a permission with a name 'Edit HR' and will return the needed result. The problem I see is the database table has to have the permission record with a name being exactly 'Edit HR', not 'Edit_hr' or 'HR Editing'. So I have to make sure the data for the permissions system is the same for every database the applications are using. Which kind of makes me think this is a flawed design and needs to be re-designed. Creating new sections and features would also require to update all the databases, which also makes me a sad panda.

So, basically, the question is: what is the best way to design the database driven permission system and keep the database integrity on multiple databases?

4

2 回答 2

3

The scheme you've come up with looks fine. The only thing I would add to that is on the permissions table I would add a field called tag or similar.

The permission tag would be something like EDIT_HR, and you would use this as the reference in your code instead of its name. Use the name just for display purposes for example HR Editing. This way the name can vary as required, and it won't affect your code.

于 2012-06-05T16:45:29.297 回答
0

我正在使用的解决方案是拥有一个全局 $current_user 对象,该对象在创建时读取权限表并存储对其有效的所有权限操作。每当您需要检查操作时,就会搜索此数组。它节省了数据库查询,尽管如果将此类数据存储在全局对象中存在安全隐患,我还没有找到它。

只需要 1 个 db 表(示例):

user_id | user_role | user_action
---------------------------------
0       |   10      |   view_dashboard
0       |   1       |   view_users

用户角色对应于最低用户类型(管理员、编辑、访问者等),因此所有具有 user_role >= $current_user 角色的操作都可用。user_id 列允许您覆盖特定用户的某些级别。

通过这种设置,也很容易拥有一个列出所有权限的页面,并允许用户通过简单的下拉菜单修改值(但要确保不是每个用户都可以这样做)。

于 2013-04-16T16:36:25.663 回答