(Ovid) Re: Application Access Control
by Ovid (Cardinal) on Sep 24, 2001 at 05:32 UTC
For one application, I created a permission system that restricts access per user per section. I designed a database schema that was comprised of six tables. They're as follows (with many fields eliminated for clarity):
Of course, you'd need appropriate foreign key constraints and several other details that I've left out. To get permissions for a user for a Section, I'd use the following SQL:
To be perfectly fair, I've simplified this quite a bit and I munged it to change some features that I really don't care to share. If it's not entirely accurate, it's because I did that on the fly. Of course, you'll want to use $dbh->quote or a placeholder for the userID or else you wind up with a huge hole in your security.

Basically, for the "Corporate" section, you may have subsections such as "Company", "Contacts", "Branch Offices", etc. This schema allows me to individually control all Add, Edit, Delete, and View permissions for each subsection.

One change I'm planning on making to this in the future: I want to change the permission in the permission table to an integer, with the values of -1, 0 and 1. The benefit of this will be in group creation. You can add a couple of tables, add some fields to the above tables and then assign permissions to a group. Group permission will only be 0 or 1. When you add a user to a group, they inherit the permissions, but have none explicitly set on their own. However, you go to the user's permission screen and, if you want to add a permission the group doesn't have, check the permission and their permission is set as a 1. If you don't want them to have the group permission, uncheck the permission and their permission is set as a -1. Later, when determining their actual permissions, you add their personal permissions to the group permission and they only have a particular permission if their sum permission total is greater than zero. This allows you to inherit group permissions, yet still customize their individual permissions any way you wish.

Cheers,

Vote for paco! Join the Perlmonks Setiathome Group or just click on the link and check out our stats.
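
The planned group-inheritance rule from the post above (personal permission plus group permission, granted only when the sum is greater than zero), as an added example that is not Ovid's code. The group, user and action names, and the in-memory hashes standing in for the database tables, are assumptions made for illustration.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Constructed sample data (hypothetical names, not from the original post).
# Group permissions are 0 or 1; personal values are -1 (withdraw the group
# permission), 0 (nothing set, inherit) or 1 (grant beyond the group).
my %group_perm = (
    editors => { add => 1, edit => 1, delete => 0, view => 1 },
);
my %user_group    = ( alice => 'editors', bob => 'editors', carol => undef );
my %user_override = (
    alice => { delete => 1 },    # granted a permission the group lacks
    bob   => { edit   => -1 },   # group permission withdrawn
    carol => { view   => 1 },    # no group, one explicit grant
);
my @ACTIONS = qw(add edit delete view);

# Effective permission: personal value plus group value, allowed only if > 0.
# Unknown users, groups and actions all fall through to 0, i.e. deny.
sub effective_permissions {
    my ($user) = @_;
    my $group = $user_group{$user};
    my $gperm = defined $group ? ( $group_perm{$group} || {} ) : {};
    my $uperm = $user_override{$user} || {};
    my %result;
    for my $action (@ACTIONS) {
        my $g = $gperm->{$action} || 0;
        my $u = $uperm->{$action} || 0;
        # Reject out-of-range stored values rather than let them skew the sum:
        # a personal value of 2, say, could never be cancelled by an uncheck.
        die "bad group value for $action\n" unless $g == 0 || $g == 1;
        die "bad user value for $action\n"  unless $u == -1 || $u == 0 || $u == 1;
        $result{$action} = ( $g + $u ) > 0 ? 1 : 0;
    }
    return \%result;
}

for my $user ( sort keys %user_group ) {
    my $p = effective_permissions($user);
    printf "%-6s %s\n", $user, join ' ', map { "$_=$p->{$_}" } @ACTIONS;
}
```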