php complex,PHP復雜的基於角色的訪問控制列表

I have already made the database and the php code needed to implement this customized ACL system. Now I have to 'Authorize' the current user, and that's where I need your advices.

我已經制作了實現這個自定義ACL系統所需的數據庫和php代碼。現在我必須'授權'當前用戶，這就是我需要你的建議的地方。

The system is based on a flexible permission assignment both to the system users and system modules. It has also some predefined, let say user-groups, with the ability to make entirely customized groups also. A global rule could also apply on top of the ACL, but it has the lowest priority over groups or users assigned permissions.

該系統基於對系統用戶和系統模塊的靈活權限分配。它還有一些預定義的，比如用戶組，也可以制作完全自定義的組。全局規則也可以應用於ACL之上，但它優先於組或分配了權限的用戶。

To picture it better:

更好地描繪它：

Predefined Groups:

預定義組：

Limited (No Access)

有限(無法訪問)

Basic User

基本用戶

Power User

高級用戶

Administrator

管理員

Visitors (Sample of a customized group)

訪客(定制組的樣本)

Here are the access levels (name / value pairs):

以下是訪問級別(名稱/值對)：

disallow / 0

不允許/ 0

allow / 1

允許/ 1

deny / 2

否認/ 2

allow if owner / 3

如果擁有者/ 3允許

Note: 'Allow' has the higher priority on 'Disallow', so if you have user X 'Disallowed' on Group A, but 'Allowed' on Group B on a certain access, so he would 'Allowed' finally. On the other hand, if user X has the 'Full Access' by being a member of 'Administrator' Group, but if he just 'Denied' on a certain access, he has not the access at the end, that means 'Deny' has higher priority on 'Allow'.

注意：'允許'在'禁止'上具有更高的優先級，因此如果您在A組上有用戶X'禁止'，但在某個訪問中有B組'允許'，那么他最終會'允許'。另一方面，如果用戶X通過成為“管理員”組的成員而具有“完全訪問權限”，但如果他只是在某個訪問權限上“拒絕”，則他最后沒有訪問權限，這意味着“拒絕”優先於'允許'。

At the top-level you may have something like these:

在頂層你可能有類似這樣的東西：

"Administrator" * "1", which means Administrators have full access on the system

“Administrator”*“1”，表示管理員對系統具有完全訪問權限

"Visitors" * "0", which means Visitors are not allowed on anything

“訪客”*“0”，表示訪客不得進行任何操作

My question is how to process these kind of checks? Imagine we have a simple authorization mechanism. We would have some indexes in our $_SESSION['user'] like $_SESSION['user']['login'] = true; and $_SESSION['user']['id'] = $row['user_id'], right?

我的問題是如何處理這些檢查？想象一下，我們有一個簡單的授權機制。我們在$ _SESSION ['user']中會有一些索引，比如$ _SESSION ['user'] ['login'] = true;和$ _SESSION ['user'] ['id'] = $ row ['user_id']，對嗎？

Now, if you wanted to implement this mechanism on your script, how you're gonna do it?

現在，如果你想在你的腳本上實現這個機制，你將如何做到這一點？

I might check for the global access rules at first. Then I would look if the user has already logged-in or not. If yes, just getting all of his groups, and then looking on the permissions' table to see which permissions are assigned to his groups and his user id, and then storing them on the user session. Then when the module says this is my needed permissions to run, I would look then to see if the user has sufficient access to the requested module or not.

我可能會首先檢查全局訪問規則。然后我會查看用戶是否已登錄。如果是，只需獲取所有組，然后查看權限表以查看為其組分配了哪些權限及其用戶ID，然后將其存儲在用戶會話中。然后，當模塊說這是我需要運行的權限時，我會查看用戶是否有足夠的權限訪問所請求的模塊。

Looks pretty complex! Any helps or advice are highly appreciated! :)

看起來很復雜！任何幫助或建議都非常感謝！ :)

Edit:

編輯：

I'm not using any frameworks. Actually I use, but it's my own. So, there is no pre-made ACL here!

我沒有使用任何框架。其實我用，但這是我自己的。所以，這里沒有預先制作的ACL！

Update:

更新：

Do you have any idea about an efficient way to prioritize (overwrite/replace?) ACLs?

您是否有任何關於優先(覆蓋/替換？)ACL的有效方法的想法？

Deny is highest, then Allow and then Disallow. Also User assigned ACLs are highest, then Group ACLs and finally Global ACLs.

拒絕最高，然后是允許，然后是禁止。用戶分配的ACL也是最高的，然后是組ACL，最后是全局ACL。

Here is what I came up with that finally:

這是我最終提出的：

There is an Array, like this:

有一個數組，像這樣：

$_SESSION['ACL'][$module][$action] = $access_level; // 0, 1, 2, 3

First, I would looking for all the Global Rules *, and will put them on the array:

首先，我會查找所有全局規則*，並將它們放在數組上：

// The current user can see the map, applied by a global rule

$_SESSION['ACL']['map']['render'] = 1;

// All the other permissions are disallowed by default

$_SESSION['ACL']['*']['*'] = 0;

// He can edit his preferences, (Owner)

$_SESSION['ACL']['user']['*'] = 3;

Then, I will look for Group based ACLs:

然后，我將尋找基於組的ACL：

// User could access the Analyze module, all the methods

// with Permission Name "report". Applied by being a member

// of "Moderator" Group

$_SESSION['ACL']['analyze']['report'] = 1;

// User NOT allowed to access "groups" module, let say

// it reserved for "admin" group! - To see the ACLs' Overwriting!

$_SESSION['ACL']['groups']['*'] = 0;

After all, I would looking for User assigned ACLs:

畢竟，我會尋找用戶分配的ACL：

// User have Full Access to the "groups" module.

// It's gonna replace the last ACL, applied by "Moderator" group

// Note that the order of processing ACLs is IMPORTANT!

$_SESSION['ACL']['groups']['*'] = 1;

I guess it would works perfectly, any ideas?

我想它會完美，任何想法？

It Works Pretty Well Now :)

它現在很好用:)

2 个解决方案

#1

2

Here is the way I handle it in an MVC environment, create a table with this structure:

這是我在MVC環境中處理它的方式，創建一個具有以下結構的表：

(id, group_id(int), user_id(int), controller(varchar), action(varchar))

Then I use -1 on group and user_id to represent a wildcard, and a * on the controller and action. So in your example an administrator can do anything (1,4,-1,,). Or lets say Power Users can modify users (2,3,-1,user,*). Or if you want to give a single person (user_id of 34) a permission regardless of what group they are in (3,-1,34,user,update). If you wanted to store your 0-3 for allow, disallow, just add a column. Then you just check which controller and action is being called and find any permissions that apply to the person's group(s) and to them specifically.

然后我在group和user_id上使用-1表示通配符，在控制器和操作上使用*。所以在你的例子中，管理員可以做任何事情(1,4，-1 ,,)。或者讓Power Users可以修改用戶(2,3，-1，用戶，*)。或者，如果您想給一個人(user_id為34)一個權限，無論他們在哪個組(3，-1,34，用戶，更新)。如果您想將0-3存儲為允許，禁止，只需添加一列。然后，您只需檢查正在調用哪個控制器和操作，並找到適用於該人員組及其具體的任何權限。

#2

1

Just create your permissions/ groups table:

只需創建權限/組表：

id, group/permission name

Then, create your many to many table linking groups to users:

然后，為用戶創建多對多的表鏈接組：

id, user_id, group_id

You don't need access levels if you're just using group permissions.

如果您只是使用組權限，則不需要訪問級別。

Then, in your code, just check the user for the group like this:

然后，在您的代碼中，只需檢查組的用戶，如下所示：

function checkAccess($pageLevelRequired)

{

// run query based on current user session id

// run your query to check if the current user belongs to the group required to view this page.

}

Make sense?

合理？