Implementation of _php algorithm under PHP and its skills

Source: Internet
Author: User
Permission Design

There are probably several patterns:
User + Group + roles + permissions
User + Group + permissions
User + role + permissions
User + Permissions


I recently looked at other people's design methods. Most use integers to represent permission values, for example 1, 2, 4 and 8 in place of add, browse, delete and modify. Each person's practice is different, however; examples are as follows:

1. Use powers of 2 to form the set of permission values, such as 1, 2, 4, 8, 16 ...; a user's permission value is the sum of the integers in its subset, such as 7 = 1+2+4 and 5 = 1+4. To retrieve from the database the users who have a certain set of permissions, add those permission values together, call the sum k, and run select * from table where 1 and user permission values = k. To determine which permissions a user has, take the user's permission value k and evaluate k&1, k&2, k&4, k&16 ... in turn; if a result is true, the user has the permission whose value equals the number to the right of the "&". For example, if k&4 is true, the user has the permission whose value in the table is 4;

2. Use the prime numbers 2, 3, 5, 7, 11 ... as the permission set; a user's permission value is the product of the integers in its subset, such as 210 = 2*3*5*7. I think this method is very interesting; the difficulty is how to factor the product. However, I do not agree with the original author's view that there may be dependencies between permissions: if a user has delete permission, he must also have browse permission, otherwise he cannot delete. That is true in practice, but I think it is too complicated and error-prone. I think permissions are best kept "atomic" and non-interfering, that is, a user who has delete permission without browse permission cannot perform the delete operation, because he cannot see the items. The key to resolving this contradiction is to also assign browse permission to the user when granting him the permission;

3. Use no integers; instead use the "vector table" method (maybe I am not putting it correctly). Put all the possible permissions in a fixed order, such as add, browse, modify, delete ...; the user's permission value is a fixed-length string of 100 bits, such as 100010100001 .... 01. Counting from the left, each position corresponds to one operation permission: if the user has that permission, the value at that position is 1, otherwise 0. The author fixed the user permission length at 100, I think to allow for upgrades, but I do not think that is scientific enough. I think the user's permission value should be less than the number of permissions, for example:
Permission order table: add, browse, modify, delete. User A has permission to add and browse, so its permission value is 11; user B has permission to browse and modify, so its permission value is 011; user C has permission to browse and delete, so its permission value is 0101. The benefit of this design is that when additional permissions are added to the permission table, the user table and the role table are not affected;

4. The way I used to do it in back-end management was to divide permissions into two categories: column permissions and operation permissions. Each column corresponds to a directory, and operation permissions are subdivided into browse, add, modify and delete. When the user enters the system, first check the column permission and then check the operation permission. Checking the column permission is relatively simple: first get the path of the page being accessed, then split out the directory and check it against the user's directory permissions. If the directory is contained in the array of directories that the user has permission to manage (retrieved from the database), the user has access to this directory; otherwise, no. Checking the operation permission, however, seemed to be some trouble, but I suddenly realized that add, browse, modify and delete basically correspond to my file naming conventions, with one small difference: I combine additions and deletions into a single file, for example a file named proaddedit.php. Fortunately I noticed that a modification passes an ID parameter to the file, so I used that to solve the problem. Today this method seems outdated, because it does not fit object-oriented thinking or developing a system with a framework!
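The three encodings from items 1 to 3 side by side, as an added PHP example that is not code from the original post. The permission names, the `PERMS` table and the function names are hypothetical; the order add, browse, modify, delete and the users A, B and C follow item 3, and the final lines compare item 1's `= k` lookup with a bitwise filter.

```php
<?php
declare(strict_types=1);
// Permission table in the page's order; names are hypothetical labels.
// bit = scheme 1 value, prime = scheme 2 value, pos = scheme 3 string offset.
const PERMS = [
    'add'    => ['bit' => 1, 'prime' => 2, 'pos' => 0],
    'browse' => ['bit' => 2, 'prime' => 3, 'pos' => 1],
    'modify' => ['bit' => 4, 'prime' => 5, 'pos' => 2],
    'delete' => ['bit' => 8, 'prime' => 7, 'pos' => 3],
];

// Encode one user's permission list in all three schemes; trailing zeros of the string are dropped.
function encode(array $held): array {
    $mask = 0; $product = 1; $bits = '';
    foreach (PERMS as $name => $def) {
        $has = in_array($name, $held, true);
        if ($has) { $mask |= $def['bit']; $product *= $def['prime']; }
        $bits .= $has ? '1' : '0';
    }
    return ['mask' => $mask, 'product' => $product, 'bits' => rtrim($bits, '0')];
}

// Each check denies by default: unknown names and malformed values return false.
function maskHas(int $value, string $perm): bool {
    $def = PERMS[$perm] ?? null;
    return $def !== null && ($value & $def['bit']) === $def['bit'];
}
function primeHas(int $value, string $perm): bool {
    $def = PERMS[$perm] ?? null;
    return $def !== null && $value > 0 && $value % $def['prime'] === 0;
}
function bitsHas(string $value, string $perm): bool {
    $def = PERMS[$perm] ?? null;
    if ($def === null || preg_match('/\A[01]*\z/', $value) !== 1) return false;
    return $def['pos'] < strlen($value) && $value[$def['pos']] === '1';
}

// Constructed sample users A, B and C from the page's item 3 example.
$users = ['A' => ['add', 'browse'], 'B' => ['browse', 'modify'], 'C' => ['browse', 'delete']];
foreach ($users as $id => $held) {
    $e = encode($held);
    $canDelete = [maskHas($e['mask'], 'delete'), primeHas($e['product'], 'delete'), bitsHas($e['bits'], 'delete')];
    printf("%s mask=%d product=%d bits=%s delete=%s\n", $id, $e['mask'], $e['product'], $e['bits'], json_encode($canDelete));
}
// Scheme 1 lookup: "= k" matches only an identical value; "& k = k" matches every holder.
$k = PERMS['browse']['bit'];
$values  = array_map(fn(array $h): int => encode($h)['mask'], $users);
$exact   = array_keys(array_filter($values, fn(int $v): bool => $v === $k));
$atLeast = array_keys(array_filter($values, fn(int $v): bool => ($v & $k) === $k));
printf("exact=[%s] holders=[%s]\n", implode(',', $exact), implode(',', $atLeast));
```

All three users hold browse, yet none has a stored value equal to the browse value alone, so the equality filter selects nobody while the bitwise filter selects all of them.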

The above is only my personal, superficial understanding and description. If there is a mistake, please correct me; I hope the experts will give some advice!
