PerlMonks
(Ovid) Re: Application Access Control

by Ovid (Cardinal)
on Sep 24, 2001 at 05:32 UTC


in reply to Application Access Control

For one application, I created a permission system that restricts access per user per section. I designed a database schema that was comprised of six tables. They're as follows (with many fields eliminated for clarity):

    users
    ------------
    userID
    userCompany
    userAllCompanyPerms

    permissions
    ------------
    userID
    subSectionID
    permissionTypeID
    permission (bit)

    permissionType
    ------------
    permissionTypeID
    permissionType (Add, Edit, Delete, View)

    section
    ------------
    sectionID
    sectionName

    subSection
    ------------
    subSectionID
    sectionID
    subSectionName

    permissionTypeSubSection
    ------------
    permissionTypeID
    subSectionID

Of course, you'd need appropriate foreign key constraints and several other details that I've left out. To get permissions for a user for a Section, I'd use the following SQL:

    SELECT sb.subSectionID, pt.permissionTypeID, p.permission
    FROM permissions p
    INNER JOIN subSection sb
        ON p.subSectionID = sb.subSectionID
    INNER JOIN permissionType pt
        ON p.permissionTypeID = pt.permissionTypeID
    INNER JOIN section st
        ON st.sectionID = sb.sectionID
    WHERE (p.userID = $userID)

To be perfectly fair, I've simplified this quite a bit and I munged it to change some features that I really don't care to share. If it's not entirely accurate, it's because I did that on the fly. Of course, you'll want to use $dbh->quote or a placeholder for the userID or else you wind up with a huge hole in your security.

Basically, for the "Corporate" section, you may have subsections such as "Company", "Contacts", "Branch Offices", etc. This schema allows me to individually control all Add, Edit, Delete, and View permissions for each subsection.

One change I'm planning on making to this in the future: I want to change the permission in the permission table to an integer, with the values of -1, 0 and 1. The benefit of this will be in group creation. You can add a couple of tables, add some fields to the above tables and then assign permissions to a group. Group permission will only be 0 or 1. When you add a user to a group, they inherit the permissions, but have none explicitly set on their own. However, you go to the user's permission screen and, if you want to add a permission the group doesn't have, check the permission and their permission is set as a 1. If you don't want them to have the group permission, uncheck the permission and their permission is set as a -1. Later, when determining their actual permissions, you add their personal permissions to the group permission and they only have a particular permission if their sum permission total is greater than zero. This allows you to inherit group permissions, yet still customize their individual permissions any way you wish.

Cheers,
Ovid

Vote for paco!

Join the Perlmonks Setiathome Group or just click on the link and check out our stats.

Re: (Ovid) Re: Application Access Control
by mandog (Curate) on Sep 24, 2001 at 06:08 UTC
    Thanks for posting these snippets. They've moved my own thinking on this subject along....

    Ovid wrote here:
    One change I'm planning on making to this in the future: I want to change the permission in the permission table to an integer, with the values of -1, 0 and 1. The benefit of this will be in group creation.

    I may not understand your algorithm. You might run into problems if somebody is in multiple groups with a permission granted.

         1   group one
         1   group two
        -1   user
        ----
         1
    update: added attribution to quote from Ovid



    --mandog

      mandog wrote:

      You might run into problems if somebody is in multiple groups with a permission granted.

      That's a good point. In this case, for the application I'm going to port it to, I don't mean "groups" in the Unix sense. I mean "employee type". Users of the system will be a particular type of employee, so it's a one-to-many relationship, rather than the many-to-many scenario you can have on Unix. If I needed to go that route, I would probably do a bitwise OR on the group permissions and then add the user permission.

      perl -e 'print ((1 | 1) - 1)'

      That will print 0 (zero). However, at that point, it's probably better to move that process into a stored procedure, rather than calculate it in Perl.

      Cheers,
      Ovid

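As an added example (not Ovid's code, nor anything posted in this thread), the following Python script builds Ovid's six-table schema in SQLite, runs his per-user query with a bound parameter in place of the interpolated $userID, and then resolves effective permissions two ways: plain summation, as in the -1/0/1 plan in his first post, and the OR-then-add variant he suggests to mandog above. The three group tables (userGroup, userGroupMember, groupPermissions), the id constants and all sample rows are constructed for the example and are not from the original. The data reproduces mandog's case: a user in two granting groups with an explicit -1 is still allowed under summation, and is denied once the group side is collapsed with MAX (a bitwise OR over 0/1 values) before the user's override is added.

```python
import sqlite3

# Added example, not code from the original thread. Table and column names
# follow the six-table schema in Ovid's post; the three group tables, the
# id constants and every sample row below are this example's own assumptions.
ALICE, BOB = 1, 2                      # userID
COMPANY, CONTACTS = 1, 2               # subSectionID, both under section "Corporate"
ADD, EDIT, DELETE, VIEW = 1, 2, 3, 4   # permissionTypeID

SCHEMA = """
CREATE TABLE users (userID INTEGER PRIMARY KEY, userCompany TEXT, userAllCompanyPerms INTEGER NOT NULL DEFAULT 0);
CREATE TABLE section (sectionID INTEGER PRIMARY KEY, sectionName TEXT NOT NULL);
CREATE TABLE subSection (subSectionID INTEGER PRIMARY KEY,
    sectionID INTEGER NOT NULL REFERENCES section(sectionID), subSectionName TEXT NOT NULL);
CREATE TABLE permissionType (permissionTypeID INTEGER PRIMARY KEY, permissionType TEXT NOT NULL);
CREATE TABLE permissionTypeSubSection (permissionTypeID INTEGER NOT NULL, subSectionID INTEGER NOT NULL,
    PRIMARY KEY (permissionTypeID, subSectionID));
-- per-user row: -1 = explicit deny, 0 (or no row at all) = inherit, 1 = explicit grant
CREATE TABLE permissions (userID INTEGER NOT NULL, subSectionID INTEGER NOT NULL, permissionTypeID INTEGER NOT NULL,
    permission INTEGER NOT NULL CHECK (permission IN (-1, 0, 1)),
    PRIMARY KEY (userID, subSectionID, permissionTypeID));
-- hypothetical group tables (not in the post); a group permission is only ever 0 or 1
CREATE TABLE userGroup (groupID INTEGER PRIMARY KEY, groupName TEXT NOT NULL);
CREATE TABLE userGroupMember (groupID INTEGER NOT NULL, userID INTEGER NOT NULL, PRIMARY KEY (groupID, userID));
CREATE TABLE groupPermissions (groupID INTEGER NOT NULL, subSectionID INTEGER NOT NULL, permissionTypeID INTEGER NOT NULL,
    permission INTEGER NOT NULL CHECK (permission IN (0, 1)),
    PRIMARY KEY (groupID, subSectionID, permissionTypeID));
"""

def setup():
    """In-memory database with constructed sample rows reproducing mandog's case."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.execute("INSERT INTO section VALUES (1, 'Corporate')")
    conn.executemany("INSERT INTO subSection VALUES (?, 1, ?)", [(COMPANY, "Company"), (CONTACTS, "Contacts")])
    conn.executemany("INSERT INTO permissionType VALUES (?, ?)",
                     [(ADD, "Add"), (EDIT, "Edit"), (DELETE, "Delete"), (VIEW, "View")])
    conn.execute("INSERT INTO permissionTypeSubSection SELECT pt.permissionTypeID, sb.subSectionID "
                 "FROM permissionType pt, subSection sb")
    conn.executemany("INSERT INTO users VALUES (?, 'Acme', 0)", [(ALICE,), (BOB,)])
    conn.executemany("INSERT INTO userGroup VALUES (?, ?)", [(1, "group one"), (2, "group two")])
    conn.executemany("INSERT INTO userGroupMember VALUES (?, ?)", [(1, ALICE), (2, ALICE), (1, BOB)])
    # both groups grant View on Contacts; no group grants Delete on Company
    conn.executemany("INSERT INTO groupPermissions VALUES (?, ?, ?, 1)", [(1, CONTACTS, VIEW), (2, CONTACTS, VIEW)])
    # alice: explicit deny (-1) of View on Contacts, explicit grant (+1) of Delete on Company
    conn.executemany("INSERT INTO permissions VALUES (?, ?, ?, ?)",
                     [(ALICE, CONTACTS, VIEW, -1), (ALICE, COMPANY, DELETE, 1)])
    conn.commit()
    return conn

# Ovid's per-user query, with the interpolated $userID replaced by a bound parameter.
USER_PERMS_SQL = """
SELECT sb.subSectionID, pt.permissionTypeID, p.permission
FROM permissions p
INNER JOIN subSection sb ON p.subSectionID = sb.subSectionID
INNER JOIN permissionType pt ON p.permissionTypeID = pt.permissionTypeID
INNER JOIN section st ON st.sectionID = sb.sectionID
WHERE p.userID = ?
"""

def user_permission_rows(conn, user_id):
    """(subSectionID, permissionTypeID, permission) for every row the user has set explicitly."""
    return conn.execute(USER_PERMS_SQL, (user_id,)).fetchall()

# Collapse the group side with one aggregate, then add the user's own -1/0/1.
# SUM is Ovid's first plan; MAX over 0/1 rows is the bitwise OR he suggests to mandog.
RESOLVE_SQL = """
SELECT COALESCE({agg}(gp.permission), 0)
     + COALESCE((SELECT permission FROM permissions
                 WHERE userID = ? AND subSectionID = ? AND permissionTypeID = ?), 0)
FROM userGroupMember gm
INNER JOIN groupPermissions gp
    ON gp.groupID = gm.groupID AND gp.subSectionID = ? AND gp.permissionTypeID = ?
WHERE gm.userID = ?
"""

def _resolve(conn, user_id, sub_id, type_id, agg):
    if agg not in ("SUM", "MAX"):          # only this fixed keyword is spliced in; all data is bound
        raise ValueError(agg)
    args = (user_id, sub_id, type_id, sub_id, type_id, user_id)
    (total,) = conn.execute(RESOLVE_SQL.format(agg=agg), args).fetchone()
    return total > 0

def effective_sum(conn, user_id, sub_id, type_id):
    """Plain summation: two granting groups outvote one explicit -1 (mandog's objection)."""
    return _resolve(conn, user_id, sub_id, type_id, "SUM")

def effective_or(conn, user_id, sub_id, type_id):
    """OR the groups first (MAX of 0/1), then add the override: -1 denies, +1 grants, 0 inherits."""
    return _resolve(conn, user_id, sub_id, type_id, "MAX")

if __name__ == "__main__":
    db = setup()
    print("alice's explicit rows:", user_permission_rows(db, ALICE))
    for name, uid in (("alice", ALICE), ("bob", BOB)):
        for label, sub, typ in (("View Contacts", CONTACTS, VIEW), ("Delete Company", COMPANY, DELETE)):
            print(f"{name:5} {label:14}  sum-> {effective_sum(db, uid, sub, typ)!s:5}  or-> {effective_or(db, uid, sub, typ)}")
```

Run it directly to see alice's "View Contacts" come out True under SUM and False under MAX, while bob, who sits in only one group, is allowed either way. Every user-supplied value goes through a `?` parameter, which is the placeholder Ovid recommends in place of interpolating $userID; the only string spliced into the SQL is the aggregate keyword, checked against a fixed pair.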
