I’m starting to need an access control for roles in my app.
I don’t know much of this, but I understand how vBulletin works:
I create groups, then give permissions to groups.
I think that what I need is the Role Bases Access Control (RBAC) , but i’m not sure, because I need groups to give permissions instead of single users (Maybe it’s not that complicated to achieve).
Example of what I’m thinking:
Given a post:
Editor's Group has permission to view it before it's published.
Editor's Group has permission to edit its content.
Public Group (Default) has not permission to view it before it's published.
Admin Group has permission to delete the post.
So basically I wan’t orientation about if RBAC is what I need.
And also, how would it be good to store group membership in a user, for example, would be good to have: ID NAME PASSWORD GROUPS (1, MyName, MyPassword, 1/2/3/4/5)
and explode it via PHP or one registry for every Group membership in a table named permissions
, example: USERID, USERGROUP values (1, 1), (1, 2)
Maybe should be the second way because of the formal norms but I didn’t study yet Databases 1 at college.
1
This is a pretty common task and has straight forward practices to follow and implement. You may choose one of the following approached that suits your requirements:
- Level based
- Group based
- Responsibility based
- User based – you already exclude that and it is wise decision
From your description of issue, it sounds like role-based access control would make more sense. Here is a link to a list of a few implementations for PHP projects. I’d suggest glancing through and picking the one that fits your specific needs: RBAC+PHP
In the case, if none of the mentioned above works out, here is a tutorial on how to build your own (complete with source): PHP 5 CMS Framework Development
Allocate permissions to roles and then roles to users.
As for storage personally I’m quite fond of the unix method which uses one numerical value to store the roles. Each role has a numerical value and then all the roles a user has are added together, for example:
Role 1 = 1
Role 2 = 2
Role 1 and 2 = 3
However this is going to get confusing if you have a lot of roles.
The easiest human readable way to implement it is to give each user a unique generated ID number (use this as your primary key) in the user table and the same for each role in the roles table. Then use an intermediate table to match roles to users. NB: This intermediate table should have 2 columns so that a user id would have multiple entries if they have multiple roles.
This is also easier to extent than the previously mentioned method.