ansaurus

Question

Answer 1

A:

You don't need to complicate that, just use a field "ex: permissions" and do something like:

$permissions = "1;1;0;1";

where in your concern it reads:

READ - 1 (can)

WRITE - 1 (can)

UPDATE - 0 (cannot)

DELETE - 1 (can)

then, when checking, just use "explode" by ";"...

This way, you can always apply more permissions types without changing your table... thus you get your table smaller, and your query faster!

It's an workaround for your problem :)

Zuul 2010-05-30 02:35:40

The semicolons here seem unnecessary, since each permission bit is just one character anyway. And when you're at the point of storing a string of binary, why not just store it as a decimal, a la the bitmask principle earlier described?

Matchu 2010-05-30 02:36:43

Yes, your right! It was an example, perhaps not the best one, but the value separated by ";" will enable you in the future to add permissions like 1;0;1;1a;0; <- (1a being "can" with level "a"), but again you can use 12 where the "2" would be the sub level...

Zuul 2010-05-30 02:47:35

Answer 2

+2 A:

A permissions bitmask is best understood when represented as binary, with each digit representing a permission being on or off. So if permissions X, Y, and Z exist, and I only have access to X and Z, 101 would represent that I have the first and third permissions granted to me, but not the second. The binary number 101 is equivalent to the decimal number 5, so that is what would end up stored in the database. A single, small integer is a much more efficient object to store than a string or several small integers.

EDIT: I realized just how easy it was to leverage existing conversion functions to get a pretty quick implementation going. Here's a sample.

<?php
function bitmask_expand($n) {
  // 9 returns array(1, 0, 0, 1)
  return str_split(base_convert($n, 10, 2));
}

function bitmask_compact($a) {
  // array(1, 0, 0, 1) returns 9
  return (int) base_convert(implode($a), 2, 10);
}

$ns = range(0, 7);
foreach($ns as $n) {
  print_r($b = bitmask_expand($n));
  echo bitmask_compact($b), "\n\n";
}

You might get better performance if you use loops, rather than pulling back to and from strings, but this illustrates the principle pretty clearly.

Matchu 2010-05-30 02:37:05

Answer 3

A:

I would create a Table called "Roles":

CREATE TABLE Roles(
id INT NOT NULL AUTO_INCREMENT PRIMARY KEY(id),
 rolename VARCHAR(30))

Stick whatever permissions you want in there. Then create a Table called "UserRoles" to link users to roles:

CREATE TABLE UserRoles(
id INT NOT NULL AUTO_INCREMENT PRIMARY KEY(id),
 UserId INT,
 RoleID INT)

Lots of flexibility and easy to build upon (ie workflow, rules, etc) (I would add foreign keys as well)

itchi 2010-05-30 02:38:25

I think this is a bit overkill for what the OP wants. A simple bitmask would do.

musicfreak 2010-05-30 02:43:34

I guess I should have asked about the scope and size of his app. PhpBB implements a similar structure with phpbb_user_group tables..http://www.phpbbdoctor.com/doc_tables.php

itchi 2010-05-30 02:57:09

Answer 4

+2 A:

The method you described -- individual privileges stored in columns -- is straightforward at the expense of flexibility (as you noticed).

Zuul's method is even more simple and essentially the same as yours, except it avoids the need for any "ALTER TABLE" statements. However, it is not normalized, not easily queryable and not self-documenting.

Another problem with both of these methods is that as your user base grows, you will find it increasingly more of a pain to keep everybody's privileges set properly. You will find yourself with a lot of users who need exactly the same privileges. Yet in order to change a user's privileges, such as to accomodate a new privilege, you will have to go in and add that privilege to each user who needs it individually. Major PITA.

For a forum, it's not likely that you'll need per-user privilege management. More likely you'll have certain classes of users like anonymous users, logged-in users, moderators, administrators, etc. This would make it well-suited for role-based access control (RBAC). In this system you would assign each user to a role, and grant privileges to the role. Privileges would be stored as rows in a "privilege" table. so the simplified database schema would look like:

PRIVILEGE
int id (primary key)
varchar description

ROLE_PRIVILEGE_JOIN
privilege_id (foreign key)
role_id (foreign key)

ROLE
int id (primary key)
varchar description

USER
int id (primary key)
int role_id (foreign key)

This pattern is used in many applications that deal with user privileges. Add every privilege that anyone could possibly have as a row in the privilege table; add every role that any user could possibly have in the role table; and link them appropriately in the role_privilege_join table.

The only real disadvantage is that because a join table is used, the "can user X do Y" query is going to be somewhat slower.

alexantd 2010-05-30 02:55:24

Good description on the pitfalls of bitmasks and magic strings.

itchi 2010-05-30 03:05:05

Thankyou for this, I was thinking of bit-masks because its something im not fully to grips with yet and i assumed that i should know exactly what they are and how they work before i make a solid decision on how the permission system would work, but now you put it in context like that there is no need for a bit-mask as it just complexes a simple task within the application, Plus this allows ease of sorting when it comes to the privs management in ACP. Thanks

RobertPitt 2010-05-30 13:45:34

ansaurus

tags:

views:

answers:

How can I implement forum privileges

related questions