PHP
Artem0071, 2017-07-20 12:26:58

How do you set rules for users?

I looked at this article several times, and I also looked at this one, the VK API with its access rights settings, as an example.
As for me, the idea of splitting rights into bits is very interesting.
But there is one BUT.
The example in the Habr article is too simple, and it is not suitable for my project (as it seems to me).
Let's say we have several sections (posts, audio, video, images, personal account, advertising account, admin panel, administrator, and 5 more pieces, let's say)
From posts to images, we can:

  • look
  • comments
    • look
    • add
    • delete
    • edit
    • edit_globally (a la for admins and editors with moderators)

  • add
  • delete
  • edit
  • edit_globally

And in the personal account and other blocks there will be a lot of actions (for example: on / off for your comments, limits on adding entries, etc.)
That already comes to 10 fields * 4 sections (posts, images, ...) = 40 fields.
And the rest will definitely be even larger, so there will be about 100 fields for one user group. Of course, this can be done, but the optimization here will be extremely bad.
The only thing I thought of with bits: for example, a comments block can be broken down like this:
2 - can be added
4 - can be edited
8 - can be deleted
16 - can be edited globally
32 - can be deleted globally
and then instead of 6 columns for comments, use 1.
For example, if this is an admin, then he will have access 64 (111111), and for a regular user 15 (1111)
In general, I read those articles 10 times, if not more. I tried to make the tables I described above, but they turned out to be huge. You can, of course, break the blocks themselves into blocks (butter on butter, as they say), but that is a huge number of tables.
I already have 50 of them; I would not want to have the same number for rules alone.
I will be glad of any suggestions or links to articles.

2 answers
Stalker_RED, 2017-07-20
@Stalker_RED

You have already thought of bit masks yourself, which is not bad.
You can bind access to roles. For example, the roles guest, owner, admin, superadmin, whatever.
And each user has one or more roles. Guest - just view; owner - view, edit, delete, add, switch comments on/off, etc.; admin - view, ban users and delete, for example (you know exactly what the admin has).
Or you can have a separate table with roles and a many-to-many relationship table to link roles to users.
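The role-plus-bitmask scheme from the question and this answer, written out as an added PHP example (it is not code from the original post). The bit values follow the question's list with "view" added as bit 1; the section names, the role table and the user's roles are assumptions for illustration.

```php
<?php
declare(strict_types=1);

// Permission bits for one section (posts, images, comments, ...).
// One integer column per section stores a role's mask; bits are combined with |.
const CAN_VIEW            = 1;   // 000001
const CAN_ADD             = 2;   // 000010
const CAN_EDIT            = 4;   // 000100
const CAN_DELETE          = 8;   // 001000
const CAN_EDIT_GLOBALLY   = 16;  // 010000
const CAN_DELETE_GLOBALLY = 32;  // 100000

// Hypothetical role table: role => [section => mask]. In a real application this
// comes from a roles table plus a user_roles many-to-many table, as the answer suggests.
$roles = [
    'guest'     => ['posts' => CAN_VIEW, 'comments' => CAN_VIEW],
    'user'      => ['posts'    => CAN_VIEW | CAN_ADD | CAN_EDIT | CAN_DELETE,
                    'comments' => CAN_VIEW | CAN_ADD | CAN_EDIT | CAN_DELETE],
    'moderator' => ['comments' => CAN_VIEW | CAN_EDIT_GLOBALLY | CAN_DELETE_GLOBALLY],
];

/** Merge the masks of all of a user's roles for one section (bitwise OR). */
function effectiveMask(array $roles, array $userRoles, string $section): int
{
    $mask = 0;
    foreach ($userRoles as $role) {
        // An unknown role or a section the role says nothing about grants nothing.
        $mask |= $roles[$role][$section] ?? 0;
    }
    return $mask;
}

/** True only if every requested bit is set: deny by default, check all bits at once. */
function can(int $mask, int $required): bool
{
    return ($mask & $required) === $required;
}

// Constructed user with two roles; a single check replaces six boolean columns.
$userRoles = ['user', 'moderator'];
$mask = effectiveMask($roles, $userRoles, 'comments');
printf("comments mask = %d (%06b)\n", $mask, $mask);
var_dump(can($mask, CAN_DELETE_GLOBALLY));
var_dump(can($mask, CAN_EDIT | CAN_DELETE));
var_dump(can(effectiveMask($roles, ['guest'], 'comments'), CAN_ADD));
```

Checking several bits together (`CAN_EDIT | CAN_DELETE`) is the same one comparison, so the number of permission columns stops growing with the number of actions.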
xfg, 2017-07-20
@xfg

Before, there was RBAC. The module searched the controller files for all actions and displayed them as a list. Checkboxes indicated which actions to generate rights for. Then rights were assigned to a role, and roles to a user. In the code, before running any action, there was a hook that checked whether the role had a right called "module:controller:action". If yes, we ran it. If not, 403 Forbidden.

There were a lot of problems. And in general, we later noticed that we assign rights once and nobody ever changes anything. Because all these rights are the business logic of our application. We do not make a CMS and we do not need to try to take these rules out of the code into a web interface. Business rules change, code changes.

Now everything is easier. We write middleware like authenticated/locked, etc. Middlewares are simply attached to the desired action and pass control to each other along the chain up to the action itself, and any of the middlewares can kill the request. It turned out to be more flexible, easier and more convenient than poking hundreds of checkboxes in a web interface, because absolutely any code can be written in a middleware. And it never happens that you need to prohibit comments on photos today, allow them tomorrow, and prohibit them again the day after tomorrow. Even if necessary, we will write the corresponding middleware, attach it to an action and roll it out to production, rather than poking checkboxes every day in an incomprehensible access rights web interface.

Moreover, the customer still did not understand what kind of nonsense "NewsModule:NewsController:addAction" was, no matter how much we explained to him that this is the name of the permission to add news, that the notation indicates which module, controller and action it is for, and that the permission names are so miserable because they are generated automatically from the source code. His head exploded and he said, okay guys, when it needs changing, I'll give you a call :)
