I am developing an administrative panel with some users, and these should have different permission levels.
At the same time, it must be something "dynamic" so that there is control over basic actions, such as: read, edit, add and remove. And this segmented by area.
For example:
Users
- Joao - Administrator
- Carlos - Clerk
Area
- News:
  - John: Total control
  - Carlos: Total control
- Support:
  - John: Total control
  - Carlos: Read, Modify
This control must be stored in the database (MySQL & PHP) so that there is permission control in the backend as well. To achieve this goal, I thought of 2 models, but I don't know the advantages of using one or the other.
Model 1
Create a permissions management table, example:
id(PK) | id_usuario(int) | area(string) | permissao(string)
1 | 12 | noticia | tudo
2 | 14 | noticia | ler
3 | 14 | noticia | editar
So, for each area and each desired action, just insert or remove a new record in the database.
Model 2
Create just one more field in the users table, e.g. permissao, and save a JSON object in it for future validation. Something like this:
permissao: {
    noticia: {
        ler: true,
        editar: true,
        adicionar: true,
        remover: false
    },
    suporte: {
        ler: true,
        editar: false,
        adicionar: false,
        remover: false
    }
}
And to store it in the database, just use PHP's serialize.
The second method seems more practical to me, because it makes use in the frontend easier and seems more manageable for the backend as well.
However, as I have not developed anything of the kind so far, I don't know if I am overlooking any important point, since this involves information security, because I need to manage which users control which areas.
I can (and probably will) also use another field to allow access to that area, e.g. acesso: true, to allow the user to access a page before they can even edit its content.
The most secure and dynamic method is the database; it depends on the complexity of the permissions you want to set. A user-related table, or user group, seems to me a good method. The ideal solution would be something between your 2 methods; it would be easier to add new modules and new permissions if needed. In the system I developed I use 3 tables: one of modules, one of custom permissions, and one of user-group relationships; besides that I use an accessLevel that is responsible for separating the different user, admin, dev and user-level layers.
– LeonanCarvalho
There are also other implications regarding JavaScript permissions: calls to permission data structures should always be "synchronous", preventing the "protected" part from running in parallel with the permission check.
– LeonanCarvalho
I forgot to mention that in my accessLevel ACL model I also have "anonymous" and "public": anonymous covers the screens that only users who are not logged in can access (login, password recovery, etc.) and public covers screens that do not require any authentication.
– LeonanCarvalho
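The following is an added example, not the asker's code nor LeonanCarvalho's system. It puts the two ideas above together: the normalized rows of Model 1, arranged as the three tables the comment describes (modules, permissions, and a group-to-permission relationship, with users pointing at a group), plus an accessLevel column with the anonymous/public layers from the last comment. The table names, column names, level numbers and the Joao/Carlos sample rows are assumptions made for the illustration. It uses SQLite in memory through PDO so it runs offline; on MySQL the column types and `INSERT OR IGNORE` (MySQL's `INSERT IGNORE`) are the only things to adjust. The point for the backend is that `can()` is the enforcement, querying the rows with prepared statements on every request, while `matrixFor()` only derives the Model 2 JSON shape for the frontend to hide buttons; nothing sent back from the browser is used to decide access.

```php
<?php
// Added example (not the asker's or the commenter's code). Names, level
// numbers and sample data are assumptions; SQLite in memory keeps it offline.
declare(strict_types=1);

final class Acl
{
    // Assumed access levels, in increasing privilege. ANONYMOUS screens are only
    // for logged-out users, PUBLIC screens need no authentication at all.
    public const LEVEL_ANONYMOUS = 0;
    public const LEVEL_PUBLIC    = 1;
    public const LEVEL_USER      = 2;
    public const LEVEL_ADMIN     = 3;
    public const LEVEL_DEV       = 4;

    private PDO $db;

    public function __construct(PDO $db) { $this->db = $db; }

    public static function createSchema(PDO $db): void
    {
        $db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT NOT NULL,
                   group_id INTEGER NOT NULL, access_level INTEGER NOT NULL)');
        $db->exec('CREATE TABLE modules (id INTEGER PRIMARY KEY, name TEXT NOT NULL UNIQUE)');
        $db->exec('CREATE TABLE permissions (id INTEGER PRIMARY KEY, module_id INTEGER NOT NULL,
                   action TEXT NOT NULL, UNIQUE (module_id, action))');
        // Grants hang off the group, not the user: a new clerk gets a group id, no copied rows.
        $db->exec('CREATE TABLE group_permissions (group_id INTEGER NOT NULL,
                   permission_id INTEGER NOT NULL, PRIMARY KEY (group_id, permission_id))');
    }

    /** Register module/action if missing and grant it to a group (idempotent). */
    public function grant(int $groupId, string $module, string $action): void
    {
        $this->db->prepare('INSERT OR IGNORE INTO modules (name) VALUES (:m)')
                 ->execute([':m' => $module]);
        $this->db->prepare('INSERT OR IGNORE INTO permissions (module_id, action)
                            SELECT id, :a FROM modules WHERE name = :m')
                 ->execute([':a' => $action, ':m' => $module]);
        $this->db->prepare('INSERT OR IGNORE INTO group_permissions (group_id, permission_id)
                            SELECT :g, p.id FROM permissions p JOIN modules m ON m.id = p.module_id
                            WHERE m.name = :m AND p.action = :a')
                 ->execute([':g' => $groupId, ':m' => $module, ':a' => $action]);
    }

    /** The backend check: does the user's group hold $action on $module? */
    public function can(int $userId, string $module, string $action): bool
    {
        $st = $this->db->prepare('SELECT 1 FROM users u
            JOIN group_permissions gp ON gp.group_id = u.group_id
            JOIN permissions p ON p.id = gp.permission_id
            JOIN modules m ON m.id = p.module_id
            WHERE u.id = :u AND m.name = :m AND p.action = :a LIMIT 1');
        $st->execute([':u' => $userId, ':m' => $module, ':a' => $action]);
        return $st->fetchColumn() !== false;
    }

    /** Screen gate: access level first, then the optional module permission. */
    public function canOpen(?int $userId, int $required, ?string $module = null, string $action = 'ler'): bool
    {
        if ($required === self::LEVEL_PUBLIC) { return true; }
        if ($required === self::LEVEL_ANONYMOUS) { return $userId === null; } // login, recovery...
        if ($userId === null) { return false; }
        $st = $this->db->prepare('SELECT access_level FROM users WHERE id = :u');
        $st->execute([':u' => $userId]);
        $level = $st->fetchColumn();
        if ($level === false || (int) $level < $required) { return false; }
        return $module === null || $this->can($userId, $module, $action);
    }

    /** The "Model 2" JSON shape, derived from the rows: for the frontend only. */
    public function matrixFor(int $userId): array
    {
        $st = $this->db->prepare('SELECT m.name, p.action FROM users u
            JOIN group_permissions gp ON gp.group_id = u.group_id
            JOIN permissions p ON p.id = gp.permission_id
            JOIN modules m ON m.id = p.module_id WHERE u.id = :u');
        $st->execute([':u' => $userId]);
        $matrix = [];
        foreach ($st->fetchAll(PDO::FETCH_NUM) as [$module, $action]) {
            $matrix[$module][$action] = true;
        }
        return $matrix;
    }
}

// Constructed sample data mirroring the question: Joao (group 1, administrator)
// and Carlos (group 2, clerk).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
Acl::createSchema($db);
$db->exec("INSERT INTO users VALUES (12, 'Joao', 1, " . Acl::LEVEL_ADMIN . "), (14, 'Carlos', 2, " . Acl::LEVEL_USER . ")");
$acl = new Acl($db);
$actions = ['ler', 'editar', 'adicionar', 'remover'];
foreach (['noticia', 'suporte'] as $module) {
    foreach ($actions as $action) { $acl->grant(1, $module, $action); }   // admin: total control
}
foreach ($actions as $action) { $acl->grant(2, 'noticia', $action); }       // clerk: total control on news
$acl->grant(2, 'suporte', 'ler');
$acl->grant(2, 'suporte', 'editar');                                         // clerk: read, modify on support

var_dump($acl->can(14, 'suporte', 'remover'));               // clerk cannot remove support items
var_dump($acl->canOpen(14, Acl::LEVEL_USER, 'suporte', 'editar'));
var_dump($acl->canOpen(14, Acl::LEVEL_ADMIN));               // clerk is below the admin layer
var_dump($acl->canOpen(null, Acl::LEVEL_ANONYMOUS));         // login screen for a logged-out visitor
echo json_encode($acl->matrixFor(14)), "\n";
```

If the JSON column of Model 2 is kept anyway, store it with `json_encode()` and read it with `json_decode()` rather than `serialize()`/`unserialize()`: `unserialize()` instantiates objects from the stored string, so a permissions blob that an administrator form can write is better kept in a format that can only ever decode to plain arrays.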