Permission design (2)

Source: Internet
Author: User
See http://tubo.cnblogs.com/archive/2005/09/02/228735.html for the first part.

Version 1 cannot address this need. (You could of course add several functions, such as "draft news: category A" and "draft news: category B", and then add these functions to the corresponding roles. That should not be our solution, although Version 2 is also based on this idea.)

In fact, a better example than news is the forum moderator.

The solution for version 2 is as follows:


A Resourcetype field is added to indicate the category of a resource (such as news). We simulate it as before (the Resourcetype of news category A is NTA, and that of category B is NTB):

Menu:

Functionid    Resourcetype    Functionname
F1            NTA             Drafting news: Category A
F2            NTA             Edit news: Category A
F3            NTA             Review news: Category A
F4            NTA             Delete news: Category A
F1            NTB             Drafting news: Category B
F2            NTB             Edit news: Category B
F3            NTB             Review news: Category B
F4            NTB             Delete news: Category B

Then, add the corresponding role in the role table and add the corresponding function in the role menu.

The statement that obtains Functions changes accordingly:

SELECT Functionid + ',' + Resourcetype FROM [Role menu] WHERE Roleid IN (SELECT Roleid FROM [User role table] WHERE Userid = 'U1')

The judgment of permissions becomes:

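Functions.Contains("F1,NTA");

When a new category is added, the corresponding records are also added to the menu (not inserted directly into the database, but added through the function-management features).

With this solution, you can easily control each category of a categorized application such as a forum system. For example, in the VIP section only users with the VIP role can browse and post, while the other sections can be used by any registered user.

In practice, Functionid is not an arbitrary string but an encoding. The encoding contains a module ID and can reflect parent-child relationships. For example, we give the forum system the module ID "30". The forum functions are divided into 2 classes: a management class (such as deleting a post) and a usage class (such as posting, replying, and browsing posts). The management class is encoded as 01 and the usage class as 02, so we encode Functionid as follows: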

In practical applicationFunctionidIt is not a random string, but an encoding. The encoding contains a module.IDAnd can reflect the parent-child relationship, for example: for the forum system, we give it a moduleIDIs" 30" The Forum features are divided2Class: one is the management class (such as deleting a post), the other is the class (such as posting, replying, browsing a post), and the management class is encoded as follows:01, Using a class encoding:02, We willFunctionidPerform the following encoding:

300101: Delete a post

300201: Post

300202: Reply

300203: Browse posts

For resources (such as section 1, whose section ID is 01), we can combine them into the following Functions (you can separate the parts with a comma or combine them in some other way, but the combination must not be ambiguous):

300101,01: Section 1, delete a post

: Section 1, post

......
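
The lookup and check described above, as an added example (not the author's code) that keeps each grant as an exact (Functionid, Resourcetype) pair, so the combination cannot be ambiguous. It uses an in-memory SQLite database with constructed rows; the table and column names, the role IDs R1 to R3 and the category NTAB are assumptions, and the substring variant assumes Functions is held as one joined string.

```python
import sqlite3

# Constructed sample rows. Table/column names and role IDs are assumptions;
# 'NTAB' is a hypothetical later category used to show the ambiguity.
SETUP = """
CREATE TABLE user_role (userid TEXT, roleid TEXT);
CREATE TABLE role_menu (roleid TEXT, functionid TEXT, resourcetype TEXT);
INSERT INTO user_role VALUES ('U1','R1'), ('U2','R2'), ('U3','R3');
INSERT INTO role_menu VALUES
  ('R1','F1','NTA'), ('R1','F2','NTA'),
  ('R2','300201','01'), ('R2','300203','01'),
  ('R3','F1','NTAB');
"""

def open_db():
    db = sqlite3.connect(":memory:")
    db.executescript(SETUP)
    return db

def load_functions(db, userid):
    """Grants for a user as exact (functionid, resourcetype) pairs."""
    rows = db.execute(
        "SELECT functionid, resourcetype FROM role_menu WHERE roleid IN "
        "(SELECT roleid FROM user_role WHERE userid = ?)",  # bound, not concatenated
        (userid,),
    )
    return frozenset((f, r) for f, r in rows)

def is_allowed(functions, functionid, resourcetype):
    """Exact pair membership: no substring or prefix can match by accident."""
    return (functionid, resourcetype) in functions

def is_allowed_substring(functions, functionid, resourcetype):
    """Ambiguous variant: searches one joined string, as a string Contains would."""
    joined = ";".join(f"{f},{r}" for f, r in sorted(functions))
    return f"{functionid},{resourcetype}" in joined

def decode_functionid(functionid):
    """Split the article's 6-digit encoding into (module, class, sequence)."""
    if len(functionid) != 6 or not functionid.isdigit():
        raise ValueError(f"not a 6-digit Functionid: {functionid!r}")
    return functionid[:2], functionid[2:4], functionid[4:]

if __name__ == "__main__":
    db = open_db()
    u3 = load_functions(db, "U3")
    print(is_allowed(u3, "F1", "NTA"), is_allowed_substring(u3, "F1", "NTA"))
```

User U3 holds only F1 on NTAB, yet the substring variant also accepts F1 on NTA, which is the kind of ambiguity the combination must avoid.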

The encoding of Roleid can likewise reflect the parent-child relationship of roles and be used to inherit role functions (of course, the SQL statement that obtains the role's function list is then not as simple as it is now). In my current application, role inheritance is not implemented (although the role encoding does reflect the role's parent-child relationship).
