Permission design
There are probably the following modes:
User+Group+Role+Permissions
User+Group+Permissions
User+role+permission
User+Permissions
Recently I have seen other people’s design methods. Most of them use “integers” to represent permission values, such as adding, browsing, deleting and modifying, which are replaced by integers 1, 2, 4 and 8 respectively. However, everyone The methods are different, for example:
1. Use the n power of 2 to form a set of permission values, such as 1, 2, 4, 8, 16..., and the permission value of a user is the sum of the integers in the subset, such as 7 =1+2+4, 5=1+4. If you want to retrieve users with certain permissions from the database, first add these permission values, assuming the sum is k, and then select * from table where 1 and user permission value = k; if you want to judge a user Which permissions are there? Take out the permission value k and use k&1, K&2, K&4, k&16... respectively. If it is true, it means that there is a permission whose value is equal to the integer on the right side of "&". For example, if k&4 is true, then this The user has permissions with a value equal to 4 in the permission table;
2. Use prime numbers 2, 3, 5, 7, 11... to form a permission set. The permissions of a user are the products of the integers in the subset, such as 210 = 2*3*5*7, I think this method is very interesting. The difficulty lies in how to decompose prime factors; but I do not agree with the original author's formulation. He believes that there may be an inclusive relationship between permissions. If a user has delete permission, he must have browse permission. Otherwise, there will be no way to delete it. This is indeed the case, but I think this is too complicated and error-prone. I think it is best for permissions to be "atomic" and not interfere with each other. In other words, a user has deletion permission but not browsing permission. Then he cannot perform the deletion operation because he cannot see things. The key to solving this contradiction is to grant browsing permissions to him when empowering the user;
3. Instead of integers, use the "vector table" method (maybe what I said is not necessarily correct) to arrange all possible permissions in a certain order, such as add, browse, modify, delete... ., the user's permission value is a fixed 100-digit string, such as 100010100001....01. Each digit from the left corresponds to an operation permission. If there is such permission, the value of this bit is 1, and vice versa. , then it is 0. The reason why the author fixed the user permission value to 100 digits is because of the upgrade issue, but I think this is not scientific enough. I think the length of the user permission value should be less than the number of permissions. For example:
Permission ranking table: add, browse, modify, delete. User A has the permission to add and browse, so its permission value is 11. User B has the permission to browse and modify, so its permission value is 011. User C has The permission value for browsing and deleting is 0101. The advantage of this design is that when other permissions are added to the permission table, it will not affect the user table or role table;
4. What I have done in the past is to divide the permissions into two categories in the background management: column permissions and operation permissions. Each column corresponds to a directory, and the operation permissions are subdivided into browsing, adding, modifying and deleting. , after the user enters the system, first determine whether there is column permission, and then determine whether there is operation permission. Judging column permission is relatively simple. First, obtain the path path of the access page, and then decompose the directory, corresponding to the directory permissions owned by the user. If this directory contains In the directory array that the user has the right to manage (taken out from the database), he has the permission to enter this directory, otherwise, he does not. However, it seems a little troublesome to judge the operation permissions, but suddenly I thought of adding, browsing, modifying and deleting. My file naming rules are basically the same, but the difference is that I merged the add and delete functions into one file. For example, the file name is proAddEdit.php. Fortunately, I realized that there is an extra parameter to pass when modifying the file. id, so I used regular expressions to solve this problem. Today, this method seems outdated because it does not adapt to object-oriented thinking and the use of framework systems to develop systems!
The above is my rough understanding and description. If there are any mistakes, please correct me. I hope experts can give me some opinions!