PHP permission algorithm implementation

Source: Internet
Author: User

Permission designs roughly follow one of several models:
User + group + Role + permission
User + group + permission
User + Role + permission
User + permission


I recently read other people's design methods. Most of them use integers to represent permission values; for example, the add, browse, delete, and modify permissions are represented by the integers 1, 2, 4, and 8, respectively. However, each person's practice is different, for example:

1. Use the powers of 2 to form the set of permission values, such as 1, 2, 4, 8, 16, ... A user's permission value is the sum of the integers in a subset, for example 7 = 1 + 2 + 4 or 5 = 1 + 4. To retrieve users with certain permissions from the database, first add those permissions together, call the sum k, and then run select * from table where 1 and <user permission value> = 'k'. To determine the permissions of a user, obtain the user's permission value k and evaluate k & 1, k & 2, k & 4, k & 16, ...; if a result is true, the user has the permission whose value equals the integer to the right of "&". For example, if k & 4 is true, this user has the permission whose value in the permission table is 4;

2. Use the prime numbers 2, 3, 5, 7, 11, ... to form the permission set; a user's permission value is the product of the integers in a subset, for example 210 = 2*3*5*7. I think this method is very interesting, and the difficulty is how to break the value down into its prime factors. However, I do not agree with the original author's suggestion that there may be an inclusion relationship between permissions: for example, if a user has the delete permission, the user must also have the browse permission, otherwise the user cannot delete. This is true, but I think it is too complicated and prone to errors. I think permissions should be "atomic" and should not interfere with each other. In other words, if a user has the delete permission but does not have the browse permission, the user cannot perform the delete operation because he cannot see anything. The key to solving this problem is, when granting permissions to the user, to grant him the browse permission as well;

3. Instead of integers, use the "vector table" method (I may not have this right): sort all possible permissions in a fixed order, such as add, browse, modify, delete, ... The user's permission value is a string with a fixed length of 100 characters, such as 100010100001 .... 01. Each digit, counting from the left, corresponds to one operation permission: if the user has the permission, the digit is 1; otherwise it is 0. I think the reason the author fixed the user permission value at 100 digits was to allow for upgrades, but I think this is not scientific enough. I think the length of the user permission value should be less than the number of permissions. Example:
Permission table order: add, browse, modify, delete. If user A has the add and browse permissions, the permission value is 11; if user B has the browse and modify permissions, the permission value is 0101; if user C has the browse and delete permissions, the permission value is. The benefit of this design is that when other permissions are added to the permission table, the user table or role table is not affected;

4. In my previous practice, permissions were divided into two categories: topic (column) permissions and operation permissions. Each topic corresponds to a directory, and the operation permissions are divided into browse, add, modify, and delete. After the user enters the system, it first checks whether the user has the topic permission and then whether the user has the operation permission. Checking the topic permission is relatively simple: obtain the path of the page being accessed, break it down into its directory, and compare it with the user's directory permissions. If the directory is contained in the array of directories that the user is allowed to manage (extracted from the database), the user has permission to access this directory; otherwise, the user does not. Checking the operation permission seemed a little more difficult, but it suddenly occurred to me that add, browse, modify, and delete basically match my file naming rules. One small difference is that I had merged the add and delete functions into one file, for example proAddEdit.php. Fortunately, I realized that an additional id parameter is passed when modifying, so I solved this problem using regular expressions. Today this method seems outdated, because it does not fit object-oriented design or framework-based development!
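For method 1, the difference between an exact match on k and a bitwise check matters once k combines several permissions. The following is an added example, not code from the original article; the user names, the column name `perm` in the SQL comments, and the function names are assumptions.

```php
<?php
declare(strict_types=1);

// Values from the article: add, browse, delete, modify = 1, 2, 4, 8.
const PERM_ADD    = 1;
const PERM_BROWSE = 2;
const PERM_DELETE = 4;
const PERM_MODIFY = 8;

/** True only when every bit of $required is set in $mask. */
function hasAll(int $mask, int $required): bool
{
    return ($mask & $required) === $required;
}

/** True when at least one bit of $required is set in $mask. */
function hasAny(int $mask, int $required): bool
{
    return ($mask & $required) !== 0;
}

function grant(int $mask, int $perm): int  { return $mask | $perm; }
function revoke(int $mask, int $perm): int { return $mask & ~$perm; }

// Constructed sample rows (hypothetical names; 7 = 1+2+4, 5 = 1+4, 3 = 1+2).
$users = ['alice' => 7, 'bob' => 5, 'carol' => 3];

// k for "add and browse": 1 + 2.
$k = PERM_ADD | PERM_BROWSE;

foreach ($users as $name => $mask) {
    printf(
        "%-5s mask=%d exact=%s all=%s any=%s\n",
        $name,
        $mask,
        var_export($mask === $k, true),       // SQL: WHERE perm = k
        var_export(hasAll($mask, $k), true),  // SQL: WHERE (perm & k) = k
        var_export(hasAny($mask, $k), true)   // SQL: WHERE (perm & k) <> 0
    );
}

// Granting browse to bob adds the missing bit; revoking delete removes one bit only.
$bob = grant($users['bob'], PERM_BROWSE);
printf("bob after grant: mask=%d all=%s\n", $bob, var_export(hasAll($bob, $k), true));
printf("alice after revoke: mask=%d\n", revoke($users['alice'], PERM_DELETE));
```

A truthiness test such as `$mask & $k` behaves like `hasAny`, so it is only a correct "has this permission" check when `$k` is a single power of 2; for a combined k, use the `hasAll` form.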
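For method 2, the stored product does not need general factorization: the set of permission primes is known in advance, so each permission is one divisibility test. The following is an added example, not code from the original article or the design it describes; the mapping of permission names to primes and the function names are assumptions.

```php
<?php
declare(strict_types=1);

// Assumed mapping of permissions onto the article's primes 2, 3, 5, 7.
const PRIME_PERMS = ['add' => 2, 'browse' => 3, 'delete' => 5, 'modify' => 7];

/** A permission is present when its prime divides the stored product. */
function hasPrimePerm(int $value, string $name): bool
{
    // Unknown permission names and non-positive stored values are denied.
    if (!array_key_exists($name, PRIME_PERMS) || $value < 1) {
        return false;
    }
    return $value % PRIME_PERMS[$name] === 0;
}

/** Multiply the prime in once; refuse products that would overflow an int. */
function grantPrimePerm(int $value, string $name): int
{
    if (!array_key_exists($name, PRIME_PERMS) || $value < 1) {
        throw new InvalidArgumentException("cannot grant '$name' on value $value");
    }
    if (hasPrimePerm($value, $name)) {
        return $value;                      // already granted, do not multiply twice
    }
    $prime = PRIME_PERMS[$name];
    if ($value > intdiv(PHP_INT_MAX, $prime)) {
        throw new OverflowException('permission product exceeds PHP_INT_MAX');
    }
    return $value * $prime;
}

/** Decode a stored product by trial division over the known primes. */
function listPrimePerms(int $value): array
{
    return array_values(array_filter(
        array_keys(PRIME_PERMS),
        fn (string $name): bool => hasPrimePerm($value, $name)
    ));
}

// Start from 1 (the empty set) and grant all four, as in the article's 2*3*5*7.
$value = 1;
foreach (array_keys(PRIME_PERMS) as $name) {
    $value = grantPrimePerm($value, $name);
}
echo $value, ' => ', implode(', ', listPrimePerms($value)), "\n";
echo '10 => ', implode(', ', listPrimePerms(10)), "\n";
```

The overflow guard is needed because PHP silently converts an integer product that exceeds `PHP_INT_MAX` to a float, after which the `%` test no longer reflects the granted permissions.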
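For method 3, a stored string shorter than the permission table stays valid only if positions past its end are read as "not granted" and new permissions are appended to the end of the order, never inserted in the middle. The following is an added example, not code from the original article; the function names are assumptions and the order is the article's add, browse, modify, delete.

```php
<?php
declare(strict_types=1);

// Order of the permission table from the article; position 0 is the leftmost digit.
const PERM_ORDER = ['add', 'browse', 'modify', 'delete'];

/** Reject anything that is not a string of 0/1 digits. */
function assertVector(string $vector): void
{
    if (preg_match('/\A[01]*\z/', $vector) !== 1) {
        throw new InvalidArgumentException('permission vector must contain only 0 and 1');
    }
}

/** Positions past the end of the stored string are treated as "not granted". */
function vectorHas(string $vector, string $name): bool
{
    assertVector($vector);
    $pos = array_search($name, PERM_ORDER, true);
    return $pos !== false && $pos < strlen($vector) && $vector[$pos] === '1';
}

/** Set one position, padding with zeros when the stored string is shorter. */
function vectorGrant(string $vector, string $name): string
{
    assertVector($vector);
    $pos = array_search($name, PERM_ORDER, true);
    if ($pos === false) {
        throw new InvalidArgumentException("unknown permission '$name'");
    }
    $vector = str_pad($vector, $pos + 1, '0');
    $vector[$pos] = '1';
    return $vector;
}

// User A from the article: add + browse, stored as a two-digit string.
$userA = '11';
var_dump(vectorHas($userA, 'browse'));    // position 1 lies inside the string
var_dump(vectorHas($userA, 'delete'));    // position 3 lies past the end
var_dump(vectorGrant($userA, 'delete'));  // padded with zeros up to position 3
```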

The above is my rough understanding and description. If there are any mistakes, please correct me. I hope you can give me some comments!
