 

How to structure user permissions for a cms

I am creating a custom photography CMS system and need to implement a user authentication and permissions system. What are the usual practices in the industry for creating such a schema?

Basically, I need to have users, and users can be of different types. Some users, let's say, can only create galleries, others can only edit them, or edit only certain galleries, etc. So how should this be structured? I am using a MySQL database and I am using PHP to code the CMS.

I tried looking on Google; however, I only found articles which explain how to create users for the actual MySQL database. I will appreciate a link to an article which explains how this sort of stuff should be done.

Thank you in advance.

miki725 asked Jan 11 '11 06:01


1 Answer

There are two common approaches to this problem; both involve breaking apart the allowable operations into something discrete that you can name. (Delete posts, create galleries, upgrade the code, dump the database, launch the missiles, open the garage door.) Give each one of these a bitmap in a bitvector (if you intend on having fewer than 32 permissions, this is a nice and compact storage mechanism; if you think it'll grow beyond 32 permissions, the size of a typical integer, then maybe a table in your database).

So, you can either map users to permissions directly ("I want to grant gallery_create to sarnold") or you can map users and permissions via classes of users ("I want to grant gallery_create to all members of the art_curator class; then I wish to promote user sarnold from docent to art_curator").

If you map users to permissions directly, you may find a hodge-podge of strange permissions in deployment years later. If you map users to classes, you may find yourself with artificial classes of users because you trusted one specific person with a privilege, but not other privileges.

Figuring out the best way to address this mapping is still an open problem; I have written about different types of permission models ("Modelling a permissions system") that may be too much or may be too little information, depending upon how complicated you would like your system to become.

If you would like to just store permissions in bitmaps (e.g., the Linux kernel's implementation of CAPABLE() for CAP_SYS_ADMIN, CAP_DAC_OVERRIDE, and so forth) then you could add new privileges with something very simple:

/* Needs <string.h>: C strings are compared with strcmp(), not == */
if (strcmp(requested_new_permission, "CAP_SYS_ADMIN") == 0)
  user->permissions |= CAP_SYS_ADMIN;
else if (strcmp(requested_new_permission, "CAP_DAC_OVERRIDE") == 0)
  user->permissions |= CAP_DAC_OVERRIDE;

...

Then when you need to test the capabilities:

if (CAPABLE(user, CAP_SYS_ADMIN))
  reboot_server();

and the macro CAPABLE() can look like:

#define CAPABLE(user,cap) ((user)->permissions & (cap))

(Forgive the C, I just don't know php very well; I've been forced to fix far too many php bugs to want to learn it myself.)

If you want to map users to permissions through user classes, then it might be three tables: a users table, a groups or classes table, and a permissions table. classes has columns for user_id and permission_id. When you need to check if a permission can be granted, select the user's class, then select the permission in the class. (It's also been years since I've hand-written SQL; I'm sure a single query can give you a yes or no answer, but I'm not sure if it would be a multiple table join or using subqueries or if it would just be easier to make two queries to the database. :)

Hope this helps.

sarnold answered Sep 26 '22 02:09
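The class-based mapping from the last paragraph of the answer, with the check done in a single query, as an added example that is not code from the original post. The table and column names, the `class_permissions` join table, and the use of Python with in-memory SQLite in place of PHP and MySQL are assumptions made so it runs offline; the `SELECT EXISTS` query itself is also valid MySQL.

```python
import sqlite3

# Hypothetical schema: each user belongs to one class; classes hold permissions.
SCHEMA = """
CREATE TABLE permissions (id INTEGER PRIMARY KEY, name TEXT NOT NULL UNIQUE);
CREATE TABLE classes     (id INTEGER PRIMARY KEY, name TEXT NOT NULL UNIQUE);
CREATE TABLE users       (id INTEGER PRIMARY KEY, name TEXT NOT NULL UNIQUE,
                          class_id INTEGER NOT NULL REFERENCES classes(id));
CREATE TABLE class_permissions (
    class_id      INTEGER NOT NULL REFERENCES classes(id),
    permission_id INTEGER NOT NULL REFERENCES permissions(id),
    PRIMARY KEY (class_id, permission_id));
"""

# One round trip: 1 if the user's class holds the permission, else 0.
CHECK = """
SELECT EXISTS (
    SELECT 1 FROM users u
    JOIN class_permissions cp ON cp.class_id = u.class_id
    JOIN permissions p        ON p.id = cp.permission_id
    WHERE u.name = ? AND p.name = ?)
"""

def build_db():
    """Constructed sample data reusing the names from the answer above."""
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    db.executemany("INSERT INTO permissions VALUES (?, ?)",
                   [(1, "gallery_create"), (2, "gallery_edit")])
    db.executemany("INSERT INTO classes VALUES (?, ?)",
                   [(1, "docent"), (2, "art_curator")])
    # docent may edit; art_curator may create and edit.
    db.executemany("INSERT INTO class_permissions VALUES (?, ?)",
                   [(1, 2), (2, 1), (2, 2)])
    db.execute("INSERT INTO users VALUES (1, 'sarnold', 1)")
    return db

def is_allowed(db, user, permission):
    # Bound parameters keep request input out of the SQL text. Unknown users
    # or permissions match no row, so the check denies by default.
    return db.execute(CHECK, (user, permission)).fetchone()[0] == 1

def promote(db, user, new_class):
    # Moving a user to another class swaps their whole permission set at once.
    cur = db.execute("UPDATE users SET class_id = "
                     "(SELECT id FROM classes WHERE name = ?) WHERE name = ?",
                     (new_class, user))
    return cur.rowcount == 1
```

Granting a privilege to one person without creating a new class would need an extra `user_permissions` table joined into the same check, which is the trade-off the answer describes.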