I know that the title of this question is not intuitive, but let's go to the question.
I've designed a "core system" for all my backend web apps (control panels, systems to manage clientes, balances, etc). This "core" is the start point for developing new modules according to the new system specific needs, but I always keep the "core modules":
Users (to manage user roles)
User type (in distinct systems there are distinct kinds of users, so it's nice to manage them dinamicly)
Modules (to create new modules and add permissions to them)
Dashboard
My main question is for the User module. Since it has the default columns
UserId; Name; Login; e-Mail; Password; isRoot; isPowerUser; UserTypeId
I want to create new control panels and apps, but dont want to change this table to keep the "core" updatable with an easy process in the future. My ideia of design is to create table named User_Extra which will contai all the extra columns for this specific user.
Is this a good approach? I'll also will create a new class named UserExtra.class.php.
If u want to take a look at the project to get the ideia: https://bitbucket.org/alexandrekop/akop-core
Imagine looking at your database schema, and seeing a table named "user_extra" with a bunch of fields that aren't related to each other in any way and each field is related to a different module, does it feel 'right'?
My suggestion is to split the extra fields into relevant tables, possibly per module, or per logical group.
For example, if one module was related to addresses, you would have a table "user_addresses", with things only specific to the address of the user.
Related
I am building an application logic with symfony2 that requires some form of secuirty.
Application logic:
There are "Translations", and "Languages" table some users, should be allowed to edit certain parts of the "Translations" table for example. User1 can edit translations that are in French (fr category). Other user can edit translations that are in Spanish etc... And some user might be edit both of those translations. I also need to make some users to be able assign those "Translations" to other users.
So I guess the most suitable way to achieve this would be ACL system. But there's one thing that is worrying me, there will be a lot of translations - hundreds of thousands, so if I assign ACL to each user and each translation, the ACL table grows really large, what I would like to do is assign category(Language from Language table) instead of translation, so that certain user would be able to edit all translations with assigned category (en, fr, es ... etc..). How could I achieve something like this?
I think I can't get away without ACL, but I think it's not enough, maybe combination of ACL and voters? But I don't how to put everything together.
The context is a educational administration system built on the Zend Framework. We are implementing a RESTful MVC to handle pretty much all data interactions with clients. Relationships between resources are mapped in the database with foreign keys etc.
Example case: a teacher creating a report on a specific student.
We currently have a role-based permissions system that can be tailored to the level of the individual role (using, eg, teacher_5 as the role name). Therefore we can easily restrict access to an already existing report (by generating permissions in the report model that allows edit/put permissions on the report only to the tutor role who created it, say). The problem comes on creation. In order to add a report a user can post to /reports, say, the following data:
{ achievement: "4", performance: "5", student_id: "10" }
The problem is that tutors are only allowed to create new reports on a certain subset of student_ids - those students that they are teaching.
One approach would be to treat this as a validation issue on that field. The issue with this is that we want to protect ourselves from making mistakes, and that is not easy to do with validation (the code would have to know in advance that special validation is expected on certain fields).
The other would be to somehow extend our permissions system to a completely granular one (i.e., there would be a permission for every field in every model), and then extend our current permissions system to responding to paramaterised permissions checks. So if we wanted to know if the current user has permissions to add student_id 10 to a report on creation, we would end up with something like
if ($acl->isAllowed($resource, $role, $action, $field, $value))
where $resource would be a report model, $role would be the teacher teacher_5, $action would be "post", $field would be student_id, and $value would be 10. The acl class would essentially handle a call to the $resource itself.
We are not sure which direction to take, but presumably this is a fairly common issue, so we are wondering what approach other people have taken.
What about having another table containing the student_id's that each teacher tutors. Then you can easily check if the teacher is allowed to do the insertion. Another benefit from that solution would be the ability to extract statistics about the whole class, like average grades, attendance etc
I am a pretty good programmer but I am not great when it comes to designing system architectures. I have a pretty simple inventory system I am making however I would like to know a good way to structure it.
I have around 20 pieces of equipment that users can [View All | Update | Delete | Add] each of them. However I have different access levels for different equipment (which needs to be dynamic, change who can view or delete what).
For example, one piece of equipment would have?
addPart1.php
removePart1.php
updatePart1.php
index.php (view all parts)
addPart2.php
removePart2.php
updatePart2.php
index.php (view all parts)
For all parts? Im confused on trying to design a good, scalable and efficient structure.
An access control list (ACL) is a list of permissions attached to an object. An ACL specifies which users or system processes are granted access to objects, as well as what operations are allowed to be performed on given objects. In a typical ACL, each entry in the list specifies a subject and an operation (e.g. the entry (Alice, delete) on the ACL for file WXY gives Alice permission to access file WXY).
Source: WIKI
Please take a look at:
http://dev.juokaz.com/php/acl-made-easy-part-1 (tutorial on ACL)
http://sourceforge.net/projects/tackle/
You could categorize your products table, so each kind of equipment has its own "category" or "group". You can do that by assigning a "group_id" to each product (on a new column on your table). If you have 300 products, some of them will be on group 1, others on group 2, etc.
Then, on your users table (the one that contains usernames/password for each admin), you need to add an additional field called "group_permissions". On that field you have to store a list of "group ids" each user can view. You can store those permissions separated by comma.
$permissions = '1,2,5,9';
Each time a user access one of your PHP files, you get its permissions and do a simple check like this:
SELECT * FROM products WHERE group_id IN($permissions)
That will only return the products that user has permissions to edit or view. This will vary depending of your interface.
I am creating a custom photography CMS system and need to implement a user authentication and permissions system. What are the usual practices in the industry to go about creating such schema.
Basically I need to have users, and users can be of different type. Some users lets say can only create galleries, others can only edit them, or edit only certain galleries, etc. So how should this be structured. I am using MySQL database and I am using PHP to code the CMS.
I tried looking on Google however only found articles which explain how to create users for the actual MySQL database. I will appreciate a link to an article which explains how this sort of stuff should be done.
Thank you in advance.
There are two common approaches to this problem, both involve breaking apart the allowable operations into something discrete that you can name. (Delete posts, create galleries, upgrade the code, dump the database, launch the missiles, open the garage door.) Give each one of these a bitmap in a bitvector (if you intend on having fewer than 32 permissions, this is a nice and compact storage mechanism; if you think it'll grow beyond 32 permissions, the size of a typical integer, then maybe a table in your database..)
So, you can either map users to permissions directly ("I want to grant gallery_create to sarnold") or you can map users and permissions via classes of users ("I want to grant gallery_create to all members of the art_curator class; then I wish to promote user sarnold from docent to art_curator").
If you map users to permissions directly, you may find a hodge-podge of strange permissions in deployment years later. If you map users to classes, you may find yourself with artificial classes of users because you trusted one specific person with a privilege, but not other privileges.
Figuring out the best way to address this mapping is still an open problem; I have written about different types of permission models Modelling a permissions system that may be too much or may be too little information, depending upon how complicated you would like your system to become.
If you would like to just store permissions in bitmaps (e.g., the Linux kernel's implementation of CAPABLE() for CAP_SYS_ADMIN, CAP_DAC_OVERRIDE, and so forth) then you could add new privileges with something very simple:
if (requested_new_permission == "CAP_SYS_ADMIN")
user->permissions |= CAP_SYS_ADMIN;
else if (requested_new_permissions == "CAP_DAC_OVERRIDE")
user->permissions |= CAP_DAC_OVERRIDE;
...
Then when you need to test the capabilities:
if (CAPABLE(user, CAP_SYS_ADMIN))
reboot_server();
and the macro CAPABLE() can look like:
#define CAPABLE(user,cap) ((user)->permissions & (cap))
(Forgive the C, I just don't know php very well; I've been forced to fix far too many php bugs to want to learn it myself.)
If you want to map users to permissions through user classes, then it might be three tables: a users table, a groups or classes table, and a permissions table. classes has columns for user_id and permission_id. When you need to check if a permission can be granted, select the user's class, then select the permission in the class. (It's also been years since I've hand-written SQL; I'm sure a single query can give you a yes or no answer, but I'm not sure if it would be a multiple table join or using subqueries or if it would just be easier to make two queries to the database. :)
Hope this helps.
I'am working on a PHP + MySQL Social Networking application, now i need to setup different access control (read,create,edit,delete) for global (all items) and/or self items (item which created by themselves) for each module to group or specific user.
Does anyone has suggestions in doing this (table structures, etc)?
okay here i provide more detail, currently i have a tbl_module, tbl_user, and tbl_user_role. Each user and role can have different access to specific module.
read
update
create
delete
and devided by global access or self only (own account or records created by themselves).
and my current approach: i create another table to hold the access detail:
acl_uid
mod_id (fk module uid)
target_id (fk user uid or role uid)
acl_type (user/role to identify the target id reference)
acl_read
acl_update
acl_create
acl_delete
acl_read, acl_update, acl_create, acl_delete value ranges:
0 deny
1 allow
2 refer to lower priority check (if user has value 2 then refer to role)
3 self only
i believe that theres more efficient way to solve this, or may an improvement to my current approach.
thanks for your responses.
That's a pretty broad question, so you're likely to only get very broad answers.
Most CMS systems have a table that lists the types of content that can be produced on the system.
Another table describes how each type of content is displayed (on the front page, on individual blog pages, etc).
Another table gives each user one or more "user types" or "groups" such as admin, unregistered, moderator, etc.
A last table is an access table of sorts - it shows what each group has power to do, including the types of content it can create, edit, publish, etc.
I recommend you spend a little time studying the database schemas of other CMS software, such as Slashcode, Drupal, or one of the other millions of CMS systems.
-Adam
It is in fact a very broad question. Assuming you have a clear separation of application tiers (eg, using MVC), then this is the sort of stuff going in the business layer.
Taking your direct requirements, it could be fairly simple. In your users table, have a hasEdit, hasView, etc. For each item, attach a userid to it representing the creator. In the business layer, the rule is they have edit permission if they are the creator, or they have hasEdit = true.
Taking it up a notch, if you have different types, and the hasEdit permission is per-type, you need another entity for that.
userPermission
userPermissionId
userId (FK)
typeId (FK)
hasEdit (boolean)
hasView
etc..
To find out if they have permission to edit, you check if either they're the owner, or look up that items type and the current user in the userPermission table, and check hasEdit. You could make additional rules, like putting a global hasEdit in the user table. Or representing global hasEdit by an entry in userPermissionId with a NULL typeId.
This can get way more complex, using roles and variable numbers of permissions.. it all comes down to your requirements. You need to carefully spec out your business requirements (come up with a bunch of use cases), and then you can design from there. As is, there's really not enough information to come up with anymore than I've outlined here (and even this is probably not exactly what you need).
I like to use a kind of firewall rules approach or similarly a mysql tables rules approach: you can grant users or groups of users certain rights on certain objects or groups of objects. Make each rule be a row in your rules table. When you need to do an action like edit, you can inner join on your rules table for the current user, current user's group, the boolean edit column and the object id or object group. If you get any rows back then the permission is granted.
There are quite a few ways of designing security, and I've liked quite a few for different situations. There's UNIX-style user-group-other. I happen to like PmWiki's security model.
I developed a website which used user-role-permissions structure similar to Apache. With that website, I used a template system that used a header include file and a footer include file to wrap the page contents with the "standard stuff". A page with restricted content could set a variable to the required permission, that the header script looks for, and if set, calls an auth function that checks the user belongs to a role that permission.
The nice thing about using the user-role-permissions model is if most of your users fall into neat categories of authorization, setting the authorization for a user is a simple matter of adding the right role to that user. The permissions are linked to roles, not users directly, so you can adjust the permissions of entire classes of users easily.