I've been thinking about the web app I'm about to begin developing and wondering whether my usual approach could be improved.
In my last few apps I've created a table (see below) of roles (such as CREATE POST, EDIT POST etc.) which each have a bitfield applied to them so I can simply assign a user certain rights in registration and check them later on (e.g. $user->hasRight(CREATE_POST)).
I'm wondering if there's a better approach to this. It's certainly confusing when the rights aren't specifically linked to the user (I could have a table where each right is a boolean column but that only sounds like a small improvement) - and what happens if I change some around?
I'm not looking to use standard libraries (the app itself is a learning experience for me: using postgresql, git etc.) although I'm perfectly happy to take inspiration from them to construct my own - so if there's something special you think I should take a look at please say so :)
You could take a look at the documentation of Spring Security (formerly Acegi), which is a widely used Java ACL framework.
The documentation is exhaustive and also describes the various considerations made in the design of both authentication and authorization. Even without using Java it is worth reading.
You can view the index page to get an overview and an impression of what Acegi does (and does not) do. You can also skip right to the authorization concepts or even to the database schema.
That's basically the same approach I take in my own web apps (and a bit of trial and error has gone into that for me). The only difference is, I'd probably use a table which has the different permissions as columns, so that if you want to add more permissions later on, you can. Using bits in an integer limits you to a fixed number of permissions, namely as many bits as there are in the integer. Typically that would be 32 which I suppose is probably enough, but I prefer not to limit myself that way.
For what it's worth, that's also the model that phpBB uses (permissions as table columns), and if it's good enough for arguably the most popular PHP web app, it's probably good enough for you ;-)
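As an added illustration (not code from the question or from either answer above), here is a small Python model of the two layouts being compared: the bitfield check the question describes, the ceiling a signed 32-bit integer column (PostgreSQL `integer`) puts on the number of rights, what happens to masks already in the database if the bit numbering is changed around, and converting a mask into the per-right columns this answer suggests. The right names, bit positions, function names and the "one integer column" storage are all assumptions made for the example.

```python
"""Bitfield rights versus per-right columns: a self-contained model.

Added example, not from the question or the answers; names and bit
positions are assumed for illustration.
"""

# Version 1 of the rights table: each right is one bit in an integer.
RIGHTS_V1 = {"CREATE_POST": 1 << 0, "EDIT_POST": 1 << 1, "DELETE_POST": 1 << 2}

# A PostgreSQL `integer` is a signed 32-bit value (max 2^31 - 1), so a mask
# can use bits 0..30 before the stored value overflows the column.
MAX_USABLE_BITS = 31


def grant(mask: int, right_bit: int) -> int:
    """Add one right to a mask, refusing bits that would not fit the column."""
    if right_bit <= 0 or right_bit.bit_length() > MAX_USABLE_BITS:
        raise ValueError(f"bit {right_bit:#x} does not fit a signed 32-bit integer column")
    return mask | right_bit


def has_right(mask: int, right_bit: int) -> bool:
    """The $user->hasRight(CREATE_POST) check from the question, on a mask."""
    return mask & right_bit == right_bit


def decode(mask: int, rights: dict) -> set:
    """Turn a stored mask back into right names under a given bit numbering."""
    return {name for name, bit in rights.items() if mask & bit}


# "What happens if I change some around?": the same stored integer means
# different rights once the numbering changes, because the database only
# holds the bits, not the names.
RIGHTS_V2 = {"DELETE_POST": 1 << 0, "CREATE_POST": 1 << 1, "EDIT_POST": 1 << 2}


def renumbering_hazard() -> tuple:
    """Decode one stored mask under the old and the new numbering."""
    stored = grant(grant(0, RIGHTS_V1["CREATE_POST"]), RIGHTS_V1["EDIT_POST"])
    return decode(stored, RIGHTS_V1), decode(stored, RIGHTS_V2)


def to_columns(mask: int, rights: dict) -> dict:
    """Expand a mask into one boolean per right, i.e. the per-right-column
    layout: adding a right later is a new column, and renumbering is never
    needed because each column carries its own name."""
    return {name.lower(): bool(mask & bit) for name, bit in rights.items()}


if __name__ == "__main__":
    before, after = renumbering_hazard()
    print("decoded under v1:", sorted(before))
    print("decoded under v2:", sorted(after))
    print("as columns:", to_columns(0b011, RIGHTS_V1))
```

The hazard case is the one to notice: a user granted CREATE_POST and EDIT_POST under the first numbering is read back as holding DELETE_POST and CREATE_POST under the second, with no error anywhere, because only the integer was stored. Per-right columns (or a user/right join table keyed by name) avoid that class of mistake at the cost of a wider row.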
I'm sure you've found phpgacl already, but here's a link in case you haven't. It can be a little rough to wrap your head around at first, and certainly the library is tricky (time consuming) to implement into a project, but the documentation and demo are EXCELLENT reference points.
PHP Generic Access Control Lists