Implementation of the permissions algorithm under PHP

Source: Internet
Author: User
Permission Design

Permission designs generally follow one of these models:
User + group + role + permissions
User + group + permissions
User + role + permissions
User + permissions


I recently looked at other people's design methods. Most of them use integers to represent permission values, for example replacing add, browse, delete and modify with the integers 1, 2, 4 and 8 respectively. Each person's approach is different, however, for example:

1. Use a set of permission values such as 1, 2, 4, 8, 16, each a power of 2 (2^n). A user's permission value is the sum of the integers in a subset of them, such as 7 = 1+2+4 or 5 = 1+4. To retrieve the users with a certain set of permissions from the database, first add up those permission values, call the sum K, then run: select * from table where 1 and user permission value = 'K'. To determine which permissions a user has, take their permission value K and test K&1, K&2, K&4, K&16 ... in turn. If a test is true, the user has the permission whose value equals the integer to the right of the "&". For example, if K&4 is true, the user has the permission whose value in the permission table is 4;

2. Use the prime numbers 2, 3, 5, 7, 11 ... as the set of permissions. A user's permission value is the product of the integers in a subset of them, such as 210 = 2*3*5*7. I find this method very interesting; the difficulty is how to factor the value. However, I disagree with the original author on one point: he thinks permissions may have a containment relationship, so that a user with delete permission must also have browse permission, otherwise it cannot delete. That is true in practice, but I think modelling it is too complex and error-prone. I think permissions are best kept "atomic" and non-interfering: a user who has delete permission but no browse permission cannot perform a delete, because he cannot see the item. The key to resolving this contradiction is to also give the user browse permission when assigning permissions to him;

3. Instead of integers, use the "vector table" method (I may not be right about this): put all possible permissions in a fixed order, such as add, browse, modify, delete ..., and make the user's permission value a fixed-length string of 100 bits, such as 100010100001 .... 01. From the left, each position corresponds to one operation permission: if the user has that permission, the value of the position is 1, otherwise 0. The author fixed the user's permission value at 100 bits, which I do not think is scientific. I think the length of the user's permission value should be less than the number of permissions.
Given the permission list add, browse, modify, delete: user A has add and browse permissions, so its permission value is 11; user B has browse and modify permissions, so its permission value is 011; user C has browse and delete permissions, so its permission value is 0101. The advantage of this design is that adding other permissions to the permission table does not affect the user table or the role table;

4. What I used to do: in back-end management, divide permissions into two categories, column permissions and operation permissions. Each column corresponds to a directory, and the operation permissions are broken down into browse, add, modify and delete. When a user enters the system, first determine whether they have the column permission, then whether they have the operation permission. Determining the column permission is relatively simple: get the path of the page being accessed, then its directory, and compare it with the directories the user has permission for. If the directory is in the array of directories the user is allowed to manage (taken from the database), the user has access to it, otherwise not. Judging the operation permission seemed to be more trouble, but then I realized that add, browse, modify and delete are basically the same as my file naming rules. One difference is that I put the add and edit functions into one file, for example proaddedit.php. Fortunately, when editing, the file is passed an ID parameter, so I used a regular expression to solve the problem. Today this method seems outdated, because it does not fit object-oriented thinking or framework-based development!
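Method 1 as an added PHP example (not code from the original article); the helper functions and sample users are assumptions. It also shows that an equality query on the permission value returns only users whose set is exactly K, while a bitwise test returns everyone who holds at least those permissions.

```php
<?php
declare(strict_types=1);

// Values from the article: add=1, browse=2, delete=4, modify=8.
const PERMS = ['add' => 1, 'browse' => 2, 'delete' => 4, 'modify' => 8];

// Grant with OR, not '+': adding "add" twice (1+1) would silently become "browse" (2).
function grant(int $value, int $perm): int  { return $value | $perm; }
function revoke(int $value, int $perm): int { return $value & ~$perm; }

// True only if every bit of $required is set. A bare truthiness test of
// ($value & $required) would pass when just one of several required bits matches.
function hasAll(int $value, int $required): bool
{
    return ($value & $required) === $required;
}

// Reject stored values that are negative or carry bits no permission defines.
function isValid(int $value): bool
{
    return $value >= 0 && ($value & ~array_sum(PERMS)) === 0;
}

// Decompose a value into permission names (the K&1, K&2, K&4 ... test).
function names(int $value): array
{
    return array_keys(array_filter(PERMS, fn(int $bit): bool => ($value & $bit) !== 0));
}

// Constructed sample rows standing in for a user table; 23 has an undefined bit (16).
$users = ['alice' => 7, 'bob' => 5, 'carol' => 15, 'mallory' => 23];
$k = grant(PERMS['add'], PERMS['delete']);      // K = 1 + 4

// Equivalent of SQL "perm = :k": the permission set is exactly K.
$exact = array_keys(array_filter($users, fn(int $v): bool => $v === $k));
// Equivalent of SQL "(perm & :k) = :k": holds at least the permissions in K.
$atLeast = array_keys(array_filter($users,
    fn(int $v): bool => isValid($v) && hasAll($v, $k)));

printf("exact:    %s\n", implode(', ', $exact));
printf("at least: %s\n", implode(', ', $atLeast));
foreach ($users as $name => $value) {
    printf("%-8s %2d %s\n", $name, $value,
        isValid($value) ? implode('+', names($value)) : 'invalid: undefined bits');
}
```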
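Method 2 as an added PHP example (not code from the original article); the pairing of primes with permission names and the sample values are assumptions. Checking one permission needs only a divisibility test, not a factorization, and listing them is trial division by the known primes.

```php
<?php
declare(strict_types=1);

// One prime per permission. The primes are from the article; which prime
// stands for which permission is an assumption for illustration.
const PRIME_PERMS = ['add' => 2, 'browse' => 3, 'modify' => 5, 'delete' => 7];

// A permission is held if and only if its prime divides the value.
function has(int $value, int $prime): bool
{
    return $value > 0 && $value % $prime === 0;
}

// Multiply only when absent so each prime occurs at most once, and refuse a
// product above PHP_INT_MAX (the multiplication would otherwise yield a float).
function grant(int $value, int $prime): int
{
    if (has($value, $prime)) {
        return $value;
    }
    if ($value > intdiv(PHP_INT_MAX, $prime)) {
        throw new OverflowException('permission value would overflow');
    }
    return $value * $prime;
}

function revoke(int $value, int $prime): int
{
    return has($value, $prime) ? intdiv($value, $prime) : $value;
}

// Trial division by the known primes. A leftover other than 1 means the value
// has an unknown or repeated factor, so it is rejected (null).
function decompose(int $value): ?array
{
    $names = [];
    foreach (PRIME_PERMS as $name => $p) {
        if (has($value, $p)) {
            $names[] = $name;
            $value = intdiv($value, $p);
        }
    }
    return $value === 1 ? $names : null;
}

$v = 1;                                   // empty product: no permissions
foreach (PRIME_PERMS as $p) { $v = grant($v, $p); }
// 12 = 2*2*3 and 22 = 2*11 are constructed malformed values.
foreach ([$v, revoke($v, 7), 12, 22] as $sample) {
    $names = decompose($sample);
    printf("%3d: %s\n", $sample, $names === null ? 'rejected' : implode(', ', $names));
}
```

On 64-bit PHP the product of the first 15 primes still fits in an integer and the product of the first 16 does not, whereas method 1 fits 63 flags in the same integer.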
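Method 3 with variable-length values, as an added PHP example (not code from the original article); the function names and the appended "export" permission are assumptions. Positions past the end of a stored string are treated as 0, which is what lets the permission list grow without rewriting stored values.

```php
<?php
declare(strict_types=1);

// True if the position of $perm in $order holds '1'. Positions past the end of
// the stored string count as '0'; unknown names and malformed values are denied.
function hasPerm(string $value, string $perm, array $order): bool
{
    $i = array_search($perm, $order, true);
    if ($i === false || preg_match('/^[01]*$/D', $value) !== 1) {
        return false;
    }
    return $i < strlen($value) && $value[$i] === '1';
}

// Grant or revoke one permission: pad with '0' up to its position, set it, then
// trim trailing zeros so each permission set has exactly one stored form.
function setPerm(string $value, string $perm, bool $on, array $order): string
{
    $i = array_search($perm, $order, true);
    if ($i === false || preg_match('/^[01]*$/D', $value) !== 1) {
        throw new InvalidArgumentException('unknown permission or malformed value');
    }
    $value = str_pad($value, $i + 1, '0');
    $value[$i] = $on ? '1' : '0';
    return rtrim($value, '0');
}

function decode(string $value, array $order): array
{
    return array_values(array_filter($order,
        fn(string $p): bool => hasPerm($value, $p, $order)));
}

// Permission order and the values of users A, B and C are those given in the article.
$order  = ['add', 'browse', 'modify', 'delete'];
$stored = ['A' => '11', 'B' => '011', 'C' => '0101'];

// Append a new permission ('export' is hypothetical); stored values stay untouched.
$extended = [...$order, 'export'];
foreach ($stored as $user => $value) {
    printf("%s %-5s before: %-14s after: %s\n", $user, $value,
        implode('+', decode($value, $order)), implode('+', decode($value, $extended)));
}

$c = setPerm($stored['C'], 'export', true, $extended);
printf("C plus export: %s (%s)\n", $c, implode('+', decode($c, $extended)));
$c = setPerm(setPerm($c, 'export', false, $extended), 'delete', false, $extended);
printf("C minus export and delete: %s\n", $c);
```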

The above is my own superficial understanding and description. If there are errors, please correct me; I hope the experts will give some advice!
