Question

I'm currently building a complex AngularJS based front-end website. The backend is powered with PHP and MySQL.

I have 2 questions, both regarding user privileges.

  1. How will you design the db schema for storing the user privileges? In the future I'll want to add pre-defined privileges (several sets) and use them as free/premium account types.

  2. How will you manage those privileges in the front-end? When will you fetch/re-fetch the privileges? How will you check them on each method that requires privileges?

I'm looking for a smart solution that won't limit me in the number of privileges I can define but will also provide a default set of basic privileges if nothing is defined.

About the SQL implementation
The privileges should apply to all users in a specific company.
The db schema is something like this:

  • companies (company_id, etc)
  • users (user_id, company_id, etc)

From what I understand the privileges schema should look like this:

  • privileges(prev_id, prev_name)
  • companies_privileges(company_id, prev_id)

User privileges handling
When a user logs in, the company privileges are stored with the cookie/session/front-end service.

To verify on the front-end I use a directive that compares the current user privileges against the required privilege:

data-privilege required=1 user=1

As to the backend part, I'm currently sending a user-token with each request to the server. This token is verified against the database. I can use this to get the user privileges and store them, then check if the user can access/use a certain feature.

Besides adding true/false privileges I need support for numerical privileges, for example: limit the number of viewable items in a certain list.

Am I thinking right? Am I missing something?

Requirements
- Unlimited privileges per company
- Default privileges should apply on all companies


Solution

A quick answer:

  1. I designed and implemented a sophisticated privilege mechanism that was role-based, verb-per-object, with inheritance. It was rather powerful and was the basis for numerous features in the whole system. The difference between free and premium users was among the requirements, and it got covered perfectly. So this is a direction you may want to follow. It goes without saying that this is server-side logic.

  2. Back then, there was no Angular, but generally, in Angular, it is best to do the following: A. Have a service that mainly exposes a single call: isAuthorized(privilege-name). B. Have a directive ("needPrivilege='privilege-name'") that uses that service and shows/hides/disables according to its boolean result. It goes without saying that it uses isAuthorized. C. Add logic to the routing that uses that service as well, for limiting access to pages in the UI.

That's my two cents...

OTHER TIPS

The best solution we, at GoDisco, found as right to implement is actually very simple.

Server side:

  1. We build a RESTful API
  2. This RESTful API always requests an access_key, as a simple implementation of OAuth
  3. In each request we check if the user has the right permissions to access this data, else it returns him "401 ACCESS DENIED"

AngularJS side:

  1. We build an "Auth service" module
  2. When the user logs in we cache his roles in the system
  3. Router checking
    1. This service listens to the $route and the $location services
    2. On each route request, our service checks if the currently logged-in user has the right roles for the requested route. We simply define the allowed roles in the route configuration.
    3. If the user requests a not-allowed route we throw him an error by changing his route to our error route.
  4. Rest catch
    1. We chose to use Restangular module to handle our RESTful requests
    2. With Restangular we can catch errors by using the requests as promises. If we have any 401 error we handle it.
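As an added example (not code from the question or either answer), the plain JavaScript below sketches the pieces both answers describe, stripped of the Angular plumbing: a default privilege set that every company falls back to, per-company overrides as they would come from companies_privileges, an isAuthorized(name) check that also handles the numeric limits asked about in the question, a route guard, and the client-side reaction to a 401 from the API. All privilege names, values and the route shape are constructed assumptions.

```javascript
// Constructed default privilege set: applies to every company that defines nothing.
const DEFAULT_PRIVILEGES = {
  can_export: false,    // boolean privilege
  max_list_items: 20,   // numeric privilege, interpreted as an upper limit
};

// Constructed per-company overrides (what companies_privileges rows would resolve to).
// Only privileges a company actually defines override the defaults.
const COMPANY_OVERRIDES = {
  free: {},
  premium: { can_export: true, max_list_items: 500 },
};

// Merge the defaults with one company's overrides. Names the code never defined are
// ignored, so a stray database row cannot grant something the application does not know.
function resolvePrivileges(overrides) {
  const resolved = { ...DEFAULT_PRIVILEGES };
  for (const [name, value] of Object.entries(overrides || {})) {
    if (name in DEFAULT_PRIVILEGES) resolved[name] = value;
  }
  return resolved;
}

// isAuthorized(privileges, name[, requested]): a boolean privilege must be true; a
// numeric privilege is a limit, so the requested amount must not exceed it.
// Unknown names deny (fail closed). The server must repeat this same check on every
// request; the client-side copy only drives show/hide/disable and routing.
function isAuthorized(privileges, name, requested) {
  const value = privileges[name];
  if (typeof value === 'boolean') return value;
  if (typeof value === 'number') return typeof requested === 'number' && requested <= value;
  return false;
}

// Route guard: a route config lists the boolean privileges it needs; all must hold.
function canEnterRoute(route, privileges) {
  return (route.requires || []).every((name) => isAuthorized(privileges, name));
}

// Client-side reaction to the API's refusal. The answer above returns 401; the
// conventional code for an authenticated but unauthorized request is 403, so both
// are routed to the error page rather than retried.
function routeForApiError(status, currentPath) {
  return status === 401 || status === 403 ? '/error' : currentPath;
}
```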
Licensed under: CC-BY-SA with attribution