How can I implement forum privileges

StackOverflow https://stackoverflow.com/questions/2937291

Question

I've started developing a forum application in PHP on my MVC Framework and I've got to the stage where I assign permissions to members (for example: READ, WRITE, UPDATE, DELETE).

Now, I know I can add 5 columns under the user table in my database and set them to 1 | 0, but that to me seems like too much if I want to add other rules, like MOVE for example.

And how can I dynamically assign these privileges them to users individually?

I've heard of using a bitmasks, but it would be really good if I could fully understand them before I continue.

Do you have an example of how I might implement this?

Was it helpful?

Solution

The method you described -- individual privileges stored in columns -- is straightforward at the expense of flexibility (as you noticed).

Zuul's method is even more simple and essentially the same as yours, except it avoids the need for any "ALTER TABLE" statements. However, it is not normalized, not easily queryable and not self-documenting.

Another problem with both of these methods is that as your user base grows, you will find it increasingly more of a pain to keep everybody's privileges set properly. You will find yourself with a lot of users who need exactly the same privileges. Yet in order to change a user's privileges, such as to accomodate a new privilege, you will have to go in and add that privilege to each user who needs it individually. Major PITA.

For a forum, it's not likely that you'll need per-user privilege management. More likely you'll have certain classes of users like anonymous users, logged-in users, moderators, administrators, etc. This would make it well-suited for role-based access control (RBAC). In this system you would assign each user to a role, and grant privileges to the role. Privileges would be stored as rows in a "privilege" table. so the simplified database schema would look like:

PRIVILEGE
int id (primary key)
varchar description

ROLE_PRIVILEGE_JOIN
privilege_id (foreign key)
role_id (foreign key)

ROLE
int id (primary key)
varchar description

USER
int id (primary key)
int role_id (foreign key)

This pattern is used in many applications that deal with user privileges. Add every privilege that anyone could possibly have as a row in the privilege table; add every role that any user could possibly have in the role table; and link them appropriately in the role_privilege_join table.

The only real disadvantage is that because a join table is used, the "can user X do Y" query is going to be somewhat slower.

OTHER TIPS

A permissions bitmask is best understood when represented as binary, with each digit representing a permission being on or off. So if permissions X, Y, and Z exist, and I only have access to X and Z, 101 would represent that I have the first and third permissions granted to me, but not the second. The binary number 101 is equivalent to the decimal number 5, so that is what would end up stored in the database. A single, small integer is a much more efficient object to store than a string or several small integers.

EDIT: I realized just how easy it was to leverage existing conversion functions to get a pretty quick implementation going. Here's a sample.

<?php
function bitmask_expand($n) {
  // 9 returns array(1, 0, 0, 1)
  return str_split(base_convert($n, 10, 2));
}

function bitmask_compact($a) {
  // array(1, 0, 0, 1) returns 9
  return (int) base_convert(implode($a), 2, 10);
}

$ns = range(0, 7);
foreach($ns as $n) {
  print_r($b = bitmask_expand($n));
  echo bitmask_compact($b), "\n\n";
}

You might get better performance if you use loops, rather than pulling back to and from strings, but this illustrates the principle pretty clearly.

I would create a Table called "Roles":

CREATE TABLE Roles(
id INT NOT NULL AUTO_INCREMENT PRIMARY KEY(id),
 rolename VARCHAR(30))

Stick whatever permissions you want in there. Then create a Table called "UserRoles" to link users to roles:

CREATE TABLE UserRoles(
id INT NOT NULL AUTO_INCREMENT PRIMARY KEY(id),
 UserId INT,
 RoleID INT)

Lots of flexibility and easy to build upon (ie workflow, rules, etc) (I would add foreign keys as well)

You don't need to complicate that, just use a field "ex: permissions" and do something like:

$permissions = "1;1;0;1";

where in your concern it reads:

READ - 1 (can)

WRITE - 1 (can)

UPDATE - 0 (cannot)

DELETE - 1 (can)

then, when checking, just use "explode" by ";"...

This way, you can always apply more permissions types without changing your table... thus you get your table smaller, and your query faster!

It's an workaround for your problem :)

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow
scroll top