Permission design and algorithm (PHPE)

Design | algorithm

Permission Design

There are probably several patterns:
User + Group + roles + permissions
User + Group + permissions
User + role + permissions
User + Permissions

Recently looked at other people's design methods, mostly "integer" to represent the permission values, such as add, browse, delete and modify, with 1, 2, 4, 8 of these integers to replace, however, each person's practice is different, examples are as follows:

1. Use the n power of 2 to form a set of permission values, such as 1, 2, 4, 8, 16 ..., a user's permission value is the sum of integers in its child set, such as 7=1+2+4,5=1+4. If you want to retrieve a user from a database that contains several permissions, you add these values first, assuming and K, then select * from table where 1 and user permission values = ' k '; If you want to determine what permissions a user has, then remove their permission value K, respectively, with K&1,k &2,k&4,k&16., if true, a permission that has a value equal to the right of "&", for example, if K&4 is true, the user has permission in the table with a value equal to 4;

2. Use prime numbers 2, 3, 5, 7, 11. Composition permission set, a user's permission is the product of each integer in its child set, such as 210 = 2*3*5*7, I think this method is very interesting, the difficulty is how to decompose decomposition, but I do not agree with the original author's reference, he believes that there may be a relationship between the rights, If a user has delete permission, it must have browsing rights, otherwise can not delete, the fact is true, but I think this is too complicated, error prone, I think the right is the best "atom", non-interference, that is, a user has to delete permissions without browsing permission is not able to delete operations, because he can not see things , the key to resolve this contradiction is to give the user the right to the browsing authority also assigned to him;

3. No integer, instead of using the "vector table" method (maybe I'm not right), put all the possible permissions in a certain order, such as add, browse, modify, delete ..., the user's permission value is a fixed 100-bit length string, such as 100010100001 .... 01, from the left, each one corresponds to an operation right, if this permission, the value of this bit is 1, on the other hand, 0, the author of the user rights fixed to 100, I think is to consider the upgrade problem, but I think it is not enough science, I think the user's permission value should be less than the number of permissions, for example:
Permission Ranking table: Add, browse, modify, delete, User A has the right to add and browse, then its permission value is 11, User B has permission to browse and modify, the permission value is 011, and the user C has permission value of 0101 to browse and delete, so the benefit of the design is: When additional permissions are added to the permission table, Does not affect user tables or role tables;

4. The way I used to be in the background management of the right to divide into two categories: Column permissions and Operation permissions, each column corresponds to a directory, Operation Rights subdivision for browsing, add, modify and delete, the user entered the system first judge whether the column permissions, and then judge whether the operation of the right to judge the rights of the column relatively simple, First get the path to access the page, and then decompose the directory, directory permissions to the application user, if the directory is contained in an array of directories that users have permission to manage (removed from the database), they have access to this directory, otherwise, no, however, in the judgment of the operation permissions seem to have some trouble, but suddenly thought of adding, browsing , modifications, and deletions are basically corresponding to my file naming conventions, but a little differently, I combine additions and deletions into a single file, For example, the file name is proaddedit.php, fortunately aware of the modification file with a pass parameter ID, so I used to solve the problem, today it seems that this method seems outdated, because it does not adapt to object-oriented thinking and use the framework system to develop the system!

The above is a personal superficial understanding and description, if there is a mistake, please correct me, I hope the expert to give some advice!

Posted By:trooman 2005-12-28 16:02
Why did so deserted, a point of opinion is not?

Posted By:axgle 2005-12-28 16:05
has been collected.

Posted By:donyad 2005-12-28 16:41
1 2 3 thought is the same, but the implementation of the different methods of
and 3 The second half of the landlord's example, forgive me stupid, can not understand

3 of the practice is very C, driver level or system-level programs are very common
Like the file permissions under *nix 0755 0777.

Method 1 is identical to the Method 3 prototype, which is bits, and Method 3 is a string simulation of this
Binary decimal
100 4
+ 1 1
------------
101 5

To flag permissions with each other's individual bits, just for the sake of atomicity, prime numbers also have this property
So derive 2 of the approach, and decompose decomposition, I don't think this will be a problem, because three methods need to check the required permissions
Since it is a check, except for the required prime number can be

and 3, the question of getting longer
1 and 2 are just conceptually avoiding this problem.
In fact, in C with the binary, there is a problem of alignment, is to 8-bit 8-bit application, 8-bit 8-bit, it doesn't matter too long waste
Just like Method 3 there's a waste of using strings to simulate binary
and Method 1 2 in the real save, is also saved into an int, is also a request to come over so many bits of the binary space, does not matter waste

On expansion and elasticity, Method 1 and Method 2 are not affected by
This is a problem for method 3 because method 3 is not well modeled ... Method 3 feel like a pig's nose sticking onions

--------------

Knock more code, the ability to express words may not, I said wrong or not to say that the place to welcome everyone to shoot bricks, 3q

Posted by:lihun21 2005-12-28 19:27
Let's make a mark.
Learn a bit
There's no such deep privilege system yet.
I now have only three rights users, so I haven't considered that much
Super Admin-> General Manager-> Normal user
I think I'm using this pattern.
User + Permissions

Posted by:wwccss 2005-12-28 20:06
Landlord's article is good. Brother Donyad also has a very high level of analysis.

Posted By:cozo 2005-12-28 20:10
This kind of thing as long as one method is OK.
I'll just use the first one.

Posted BY:BITQ 2005-12-28 21:47
This method I have seen ~ ~ ~

Use binary to represent permissions, do not affect each other, expect to do a project involving this

Master is a Master ~ ~ '

Posted By:binzywu 2005-12-28 22:01
Specifically how to mark permissions this is more indifferent
The general system
RBAC is already sufficient.

There are 3 kinds of general access controller
User based
Group based
Role based

RBAC has a mature theoretical basis, you can search the following, can be found a lot of papers.

However, if it is not a general application system, then the permission system may need to be more special design. There is only universal theory and there may not be a universal approach.

Posted By:terpomo 2005-12-29 00:31
Learn the

Posted By:bleakwind 2005-12-29 01:14
I am relatively backward, I am a person's permissions composed of an array of serialization into the database ...
Load page initialization every time ...

Posted by:nameless 2005-12-29 08:51
I've seen a permission judge with Method 3, and it's easy and flexible.

Column permissions used directly to the column identification with the definition of the connection, the operation to determine whether the logo, simple, the number of columns and too many operators when the database efficiency should not be high (if the operator can exceed 10W), hehe

Posted By:trooman 2005-12-29 11:18
QUOTE (nameless @ 2005-12-29 08:51)
I've seen a permission judge with Method 3, and it's easy and flexible.

Column permissions used directly to the column identification with the definition of the connection, the operation to determine whether the logo, simple, the number of columns and too many operators when the database efficiency should not be high (if the operator can exceed 10W), hehe

Yes, I also think the method 3 will not be less efficient than the binary, in the specific use of like,str_replace, etc., can also simulate the binary.

The so-called "column" authority management, is now outdated, but the idea can still be used, such as "corresponding column" changed to "corresponding module", but the implementation of the way has been very different!

Posted By:sean.zhuo 2005-12-29 13:51
Which eldest brother can give me the concept of "role"? Don't know what a character is.

Posted By:knighte 2005-12-29 14:50
1 and 3, the essence is the same.
1 has the advantage of saving space. LZ mentions 100 permissions to upgrade. However, I have encountered a system with more than 100 permission categories, and more user trees. So it was then pressed into a 16-in-store (the same as it was), which is similar to the 1 approach.
However, the 3 biggest benefit should be intuitive (in fact, if a lot of permission items, also not intuitive, hehe).

Personally, the "right to store and judge the method" is not actually "permission to design" the focus and difficulties. We also need to consider other things. such as the choice of the authority's design structure (RBAC/GBAC/UBAC), such as the use of permissions in the application system ...

I Gbac (group based permission control) more. The general logic is:

Make up the tree structure, the user and the group node.

Determines the permissions, starting from the group root directory to the user's group for traversal. Start permission is "no"

When traversing, the subgroup permissions override the start permission until the user.

The last user right overrides the start permission. Get the final permission code.

Although it seems a bit complicated, but more flexible.

Second, talk about the use of authority. The usual approach (or at least I do) is to judge a user by the logic above to "pass" relative to a permission when "needed", for example (to say, just to indicate that it is needed to be judged):
CODE

When someone posts a new topic
if ($access _controller->check ($user, ' post '))
{
Access passed
$user->post ($content);
}
Else
{
Access Denied
$sys->accessdenied ();
}

And what I've always wanted to try is a privilege usage: that when the $user instance comes out, the permissions he has is assembled (check once, run anywhere), for example:
CODE

Class User
{
var $sid;
var $name;
var $passwd;
var $email;
// ...

function __call ()
{
It must be a ACCESS DENIED the process here
Die (' no permission ');
}

Maybe no other methods ...
}

We need overload the User class in PHP4
For the __call Magic method
Overload (' User ');
$user = new User ();

We need a accessinject to inject accesses into user object
$access _controller->access_inject ($user)
Then, the user object includes its access methods ...

OK, we use the user ' s method directly
$user->post ($content);
If the user object includes the Post method, it has the right permission ...

Casually wrote a point, did not very carefully consider the structure and naming, hope to express my meaning.
A ...

Posted By:luciferstar 2005-12-29 17:40
Make a form that uses 1 and 3 to save multiple-selection form data.

Posted By:james.liu 2006-01-05 17:10
If it is object oriented, the idea of tending to little K

When the user logs in, if the username, password, and everything is right, allow him to log in, instantiate the user information, including permissions

Posted By:gudai 2006-01-11 16:06
Permission design. Headache problem.

Source: http://club.phpe.net/index.php?act=Print&client=printer&f=2&t=11828